This OBE tutorial describes and shows you how to perform the installation of Oracle Access Manager Access System. This process involves installing the Oracle Access Manager Policy Manager, Access Server, and WebGates. This OBE tutorial also lists the preinstallation requirements.
Approximately 2 hours
This OBE tutorial covers the following topics:
The screenshots will not reflect the specific environment you are using. They are provided to give you an idea of where to locate specific functionality in Oracle Access Manager.
You use the Access System to configure single- and multidomain single sign-on to Web- and non-Web-based applications, Web pages, and other resources. You can configure user authentication schemes that require a username and password, and a certificate, or you can design a custom login form. Users are authorized based on the schemes that you define. The authorization schemes are based on criteria such as header variables, the time, or data retrieved from external sources. You can use external authorization plug-ins in an authorization scheme. You can configure audits and reports of authentication and authorization activity.
Linda works as a network administrator for Mydo Main Corporation. In Mydo Main, Linda is responsible for performing access management tasks on various user groups within the organization. To perform access administration and access control to resources, she needs to install Oracle Access Manager Policy Manager, Access Server, and WebGates. By using Oracle Access Manager, Linda can perform user and group management, delegated administration, password management, and self-service functions necessary to manage large user populations in a directory-centric environment.
The Policy Manager application enables Linda to create, remove, and manage policies and resources, and test policy enforcement. In addition, she can use the Policy Manager to define the resources that she wants to protect, the rules and policies for protection, and delegate administration rights. The Policy Manager primarily communicates with the Directory Server to write policy data. Linda can configure the Access Server to receive requests forwarded from a WebGate instance, query the authentication, authorization, and auditing rules stored in the Directory Server, and respond to the WebGate. Further, WebGate (or AccessGate) acts as the interface to user requests.
In addition, when the Oracle Access Manager Policy Manager, Access Server, and WebGates are integrated with Oracle Virtual Directory (OVD), the virtual directory looks and behaves, for the Oracle Access Manager applications, just like any other LDAP directory. For the client applications or users, access to user data from various heterogeneous data sources through OVD is totally transparent.
The following image highlights the complete setup/architecture for the complete OAM-OVD integration scenario.
Before you start the installation task, make sure that your system environment meets the following requirements:
Software Requirements
The system should include the following installed products:
The system should include the installation files for the following products:
The Policy Manager is installed on a Web server with a WebPass (under the same parent directory where WebPass is installed). The Policy Manager communicates with the Directory Server to write policy data and communicates with the Access Server over the Oracle Access Protocol to update the Access Server for policy modifications. When the Policy Manager receives requests from a WebGate instance, the Policy Manager queries the authentication, authorization, and auditing rules stored in the directory server. Based on the rules, the Policy Manager responds to the WebGate.
To install Oracle Access Manager Policy Manager, perform the following steps:
1. In Windows Explorer, navigate to E:\install_files\oam101401 and double-click the Oracle_Access_Manager10_1_4_0_1_Win32_OHS2_Policy_Manager.exe file.
2. You must have administrative privileges to run the installation. If you are logged in as a different user, you need to exit the installation, log in as the Administrator, and restart the installation. Then, click Next.
3. In the Destination Name text box, set the installation directory to E:\oracle\webpass and click Next.
Note: The destination directory for the WebPass installation contains the subdirectories E:\oracle\webpass\identity for WebPass and E:\oracle\webpass\access for Policy Manager.
4. Review the location where Oracle Access Manager Policy Manager is being installed and the total disk space required for the installation. Then, click Next.
5. The Policy Manager needs to connect to an LDAP server to store the policy data. Select Oracle Internet Directory from the drop-down list and click Next.
Note: The policy data (similar to configuration data) is accessed directly from OID. Configuration and policy data are not virtualized in this integration between OAM and OVD. The only data that is virtualized through OVD is user data.
6. Notice that the installer prompts you to extend the LDAP schema with the Oracle schema. You have already extended the schema during the installation of the identity server. Select the No option and click Next.
Note: Because you are storing both the configuration and policy data in the same instance of OID and you have already extended the schema for that instance of OID during the configuration data setup earlier, you choose not to extend the schema again. However, if you choose to store the policy data in a different instance of OID or in another LDAP directory, then you would need to extend the schema for that directory server instance in this step.
7. In this setup, you do not use SSL for any of the directory services. Leave the check box options deselected and click Next.
8. Select the Open Mode: No encryption option for the Access Manager and Access Server to communicate and click Next.
Note: In Open mode, the traffic between these components is not encrypted. The Access Server and WebGates installed later in this tutorial are set to the same mode.
9. The installation of Policy Manager needs to update the Web server (OHS 2.x) configuration. In this case, the httpd.conf configuration file is updated. To confirm this update, retain the Yes option selected and then click Next.
Note: You already updated the httpd.conf file during the WebPass installation, and you are now updating the same httpd.conf file for the Policy Manager installation.
10. Enter E:\Oracle\ohs\ohs\conf\httpd.conf in the file location and click Next.
11. You need to restart the Web server (OHS) so that the changes made by the Policy Manager installer take effect. Execute the following commands in sequence from the <OHS_home>\opmn\bin directory and then click Next.
    E:\Oracle\ohs\opmn\bin>opmnctl status
    E:\Oracle\ohs\opmn\bin>opmnctl stopall
    E:\Oracle\ohs\opmn\bin>opmnctl startall
    E:\Oracle\ohs\opmn\bin>opmnctl status
12. You can view the readme and then click Next.
13. Notice that the Policy Manager has been successfully installed. Click Finish.
14. To verify the Policy Manager installation, access the Access Administration page from the following URL: http://<hostname>.<domainname>/access/oblix
15. To verify the update to the httpd.conf file, navigate to E:\Oracle\ohs\ohs\conf and open the httpd.conf file. You can view the changes that the installer made for Policy Manager.
At this point, you can view the Oracle Access Manager - Access main page but most of the links would be nonoperational. To configure the Access System Console, perform the following steps:
1. To configure the Access System Console, click Access System Console and then click Setup.
2. OVD is the user directory server to which the Access System routes requests for the user repositories. These repositories are configured at the back end as LDAP servers (in this setup, OID and AD). Select the Data Anywhere option from the drop-down menu and click Next.
3. Provide the following information for the directory server hosting the user data and click Next.
4. You need to select the directory server hosting the configuration data. For this setup, select the Oracle Internet Directory option and click Next.
5. Provide the following information for the directory server hosting the configuration data, and click Next.
6. You can store the configuration data and policy data either in the same LDAP server or in different LDAP servers. For this setup, select the Store Policy and Configuration Data in the same directory server option and click Next.
7. Provide the following information for the location of the Oracle Access Manager configuration data, Searchbase, and Policybase. Then, click Next.
Note: o=oblix,dc=mydopartners,dc=com stores both the configuration and policy data.
8. Enter the Person Object Class as inetOrgPerson and click Next.
9. You need to restart the Web server (OHS 2.x). To do so, run the following commands in sequence and then click Next:
    E:\Oracle\ohs\opmn\bin>opmnctl status
    E:\Oracle\ohs\opmn\bin>opmnctl stopall
    E:\Oracle\ohs\opmn\bin>opmnctl startall
    E:\Oracle\ohs\opmn\bin>opmnctl status
10. You need to specify the Root directory for the policy domains. The subdirectories for policy domains will be created under the location that you specify. Enter / and click Next.
11. Select the Yes option to configure the authentication schemes and click Next.
12. To configure the authentication scheme, select the Basic over LDAP check box and click Next.
13. Review the Basic Over LDAP authentication scheme configuration (retain all the default values) and click Next.
14. Select the Yes option to configure policies that will protect the NetPoint Identity System and Access Manager and click Next.
15. The installation for Policy Manager is complete. View the note that you need to restart the identity server and the Web server (described in the next three steps).
16. To stop the identity server, click Start > Control Panel > Administrative Tools and double-click Services. Right-click the Oracle Access Manager Identity Server (identity) service and select Stop.
17. You need to restart the Web server (OHS). To do so, run the following commands in sequence and then click Next:
    E:\Oracle\ohs\opmn\bin>opmnctl status
    E:\Oracle\ohs\opmn\bin>opmnctl stopall
    E:\Oracle\ohs\opmn\bin>opmnctl startall
    E:\Oracle\ohs\opmn\bin>opmnctl status
18. To start the identity server, click Start > Control Panel > Administrative Tools and double-click Services.
19. To verify the Policy Manager configuration, access the Access Administration page from the following URL and click Policy Manager: http://<hostname>.<domainname>/access/oblix
20. You can authenticate as a Master Administrator. Enter the username as tina.hart and password as abcd1234, and click Login.
21. Click My Policy Domains to view the policy domain information.
22. Click Logout, access the following URL again, and click Access System Console: http://<hostname>.<domainname>/access/oblix
23. Enter the username as tina.hart and password as abcd1234, and click Login.
24. You can view the Access System Console information.
The Access Server plays a key role in authentication and authorization. Authentication involves determining what authentication method is required for a resource and gathering credentials from the Directory Server, and then returning an HTTP response based on the results of credential validation to the access client (WebGate or AccessGate). Authorization involves gathering access information and granting access based on a policy domain stored in the directory and the identity established during authentication. To install the Oracle Access Manager Access Server, perform the following steps:
1. Before you can install an Access Server, you need to create an instance for it within the Access System Console. Failure to do so will cause your Access Server installation to fail. To create an instance for the Access Server, open the Access Administration page from the following URL and click Access System Console: http://<hostname>.<domainname>/access/oblix
2. Enter the username as tina.hart and password as abcd1234, and then click Login.
3. In the left pane, click Access Server Configuration, and then click Add.
4. In the Add a new Access Server section, provide the following values and click Save.
Note: Leave all the other values in the form in their default state.
5. Note that the AccessServer server instance is configured for the ten.mydomain.com server on port 6035. Click Logout and then OK to exit the Access administration console.
6. In Windows Explorer, navigate to E:\install_files\oam101401 and double-click the Oracle_Access_Manager10_1_4_0_1_Win32_Access_Server.exe file, and then click Next. This command launches the Oracle Access Manager installer that will install the Access Manager.
7. To install Access Server, you must have administrative privileges. If you are logged in as a different user, then you must exit the installation, log in as the Administrator, and then restart the installation. Then, click Next.
8. In the Destination Name text box, set the installation directory to E:\oracle\access and click Next.
9. Review the location where Access Server is being installed and the total disk space required for the installation. Then, click Next.
10. Notice that the installer begins copying the Access Server files. Next, select the Open Mode: No encryption option for the Access client (WebGates) and Access Server to communicate, and click Next.
11. You need to provide configuration information for the Access Server connection to the directory server containing Oracle configuration data. For this installation, you can provide the following values and then click Next.
Note: You can use your own values for all these parameters on the basis of any changes made to the environment setup.
12. The policy data is stored in OID. Select the Oracle Directory option and click Next.
Note: The policy data and configuration data are both stored in the same directory server instance of OID.
13. Provide the following values for the access server configuration details and click Next.
14. You can view the readme and then click Next.
15. You can review the Access Server configuration settings and click Finish. Next, you need to start the Access Server service.
16. Start the Oracle Access Manager Identity Server (AccessServer) service.
Note: You can start it by navigating to Start > Control Panel > Administrative Tools > Services, right-clicking the Oracle Access Manager Identity Server (AccessServer) service, and selecting Start.
Access Server uses a Web server plug-in to communicate with the Web server. Some plug-ins for standard Web servers are provided with Oracle Access Manager. These plug-ins are referred to as WebGates. In addition, using the APIs provided, additional plug-ins can be implemented. Such customized plug-ins are referred to as AccessGates. Because of their similarity of purpose, the terms WebGate and AccessGate are often used interchangeably. A WebGate performs these functions:
To install the WebGate for OHS 1.x (that comes from the Oracle Application Server 10.1.4.1.0 Infrastructure installation), perform the following steps:
1. Similar to the Access Server installation, a WebGate must be defined in the configuration store before the WebGate can be installed. Open the browser and enter the URL to open the Access System in the following format, and then click Access System Console. http://<hostname>.<domainname>/access/oblix
2. Enter the username as tina.hart and password as abcd1234, and click Login.
3. Click Add New Access Gate, provide the following values, and click Save.
Note: Leave all the other values in the form in their default state.
4. Note the warning regarding associating an Access Server with this AccessGate. Scroll down and click List Access Servers to associate the AccessGate with an Access Server.
5. Click Add to select a new Access Server for the AccessGate.
6. Select ten.mydomain.com:6035 from the drop-down menu and then click Add. Note that the AccessServer you installed previously is now associated with this AccessGate and will accept communication requests from the AccessGate.
7. You can now create the new AccessGate instance for IIS also. Click Add New Access Gate, provide the following values, and click Save.
8. Note the warning regarding associating an Access Server with this AccessGate. Scroll down and click List Access Servers to associate the AccessGate with an Access Server.
9. Click Add to select a new Access Server for the AccessGate.
10. Select ten.mydomain.com:6035 from the drop-down menu and then click Add. Note that the AccessServer you installed previously is now associated with the IIS AccessGate and will accept communication requests from the AccessGate.
11. To view the newly created AccessGates for OHS and IIS, click Access Gate Configuration and then click Go to search for all the configured AccessGates.
Note: Both the WebGates on OHS 1.x and IIS are now communicating with the same instance of the Access Server running on port 6035.
12. Click Logout and then OK to exit the console.
13. In Windows Explorer, navigate to E:\install_files\oam101401 and double-click the Oracle_Access_Manager10_1_4_0_1_Win32_OHS_WebGate.exe file, and then click Next. This command launches the Oracle Access Manager installer that will install the WebGate for OHS.
14. You must have administrative privileges to run the installation. If you are logged in as a different user, then you need to exit the installation, log in as the Administrator, and then restart the installation. Then, click Next.
15. In the Destination Name text box, set the installation directory to E:\oracle\webgate_ohs and click Next.
16. Review the location where WebGate for OHS is being installed and the total disk space required for the installation. Then, click Next.
17. Notice that the installer begins copying the WebGate files for OHS. Next, select the Open Mode: No encryption option for the transport security mode and click Next.
18. Provide the following values for the WebGate configuration and click Next.
19. The Web server needs to be configured by modifying the configuration of the Web server directory. This change is reflected in the httpd.conf file for the OHS 1.x instance. To automatically update this configuration, retain the automatic update selection and click Next.
20. You need to provide the absolute path for the httpd.conf file to the installer for WebGate. Click Browse and navigate to E:\infra\Apache\Apache\conf\httpd.conf, and then click Next.
21. Notice that the Web server configuration has been modified. To restart the HTTP server, run the following commands in sequence and click Next.
    E:\infra\opmn\bin>opmnctl status
    E:\infra\opmn\bin>opmnctl restartproc process-type=HTTP_Server
    E:\infra\opmn\bin>opmnctl status
22. You can view the readme and then click Next.
23. You can review the WebGate for OHS configuration settings and click Finish.
24. To verify the status of the installed WebGate, access the following URL: http://ten.mydomain.com:7777/access/oblix/apps/webgate/bin/webgate.cgi?progid=1
25. To verify the update to the httpd.conf file, navigate to E:\infra\Apache\Apache\conf and open the httpd.conf file. You can view the changes that the installer made for WebGate.
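The restart steps in the procedures above (opmnctl stopall and startall for OHS 2.x, opmnctl restartproc for OHS 1.x) run opmnctl status before and after the restart. The following added example, which is not part of the original tutorial, compares two such captures and reports any restarted process that is not Alive under a new pid. The function names are hypothetical, the sample output is constructed (instance name, components and pids are made up), and the code assumes the pipe-delimited table that opmnctl status prints.

```python
"""Compare `opmnctl status` output captured before and after a restart."""

# Constructed sample: instance name, components and pids are made up.
BEFORE = """\
Processes in Instance: infra.ten.mydomain.com
-------------------+--------------------+---------+---------
ias-component      | process-type       |     pid | status
-------------------+--------------------+---------+---------
LogLoader          | logloaderd         |     N/A | Down
OC4J               | OC4J_SECURITY      |    3344 | Alive
HTTP_Server        | HTTP_Server        |    2412 | Alive
OID                | OID                |    1820 | Alive
"""
# After `opmnctl restartproc process-type=HTTP_Server`: new pid, still Alive.
AFTER_OK = BEFORE.replace("    2412 | Alive", "    5120 | Alive")
# Restart failed: the HTTP server did not come back.
AFTER_DOWN = BEFORE.replace("    2412 | Alive", "     N/A | Down")


def parse_status(text):
    """Return {process-type: (pid or None, status)} for each table row."""
    procs = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4 or cells[1] == "process-type":
            continue  # banner, ruler or column-header line
        _component, ptype, pid, status = cells
        procs[ptype] = (int(pid) if pid.isdigit() else None, status)
    return procs


def check_restart(before, after, expected=None):
    """List problems found when comparing the two captures.

    expected: process types that were restarted. None means everything that
    was Alive before, which is the stopall/startall case.
    """
    old, new = parse_status(before), parse_status(after)
    if expected is None:
        expected = {p for p, (_pid, s) in old.items() if s == "Alive"}
    findings = []
    for ptype in sorted(expected):
        pid, status = new.get(ptype, (None, "missing"))
        if status != "Alive":
            findings.append(f"{ptype}: status is {status}, expected Alive")
        elif old.get(ptype, (None, ""))[0] == pid:
            findings.append(f"{ptype}: pid {pid} unchanged, not restarted")
    # Anything else that was running must still be running afterwards;
    # a process that was already Down before (LogLoader here) is not flagged.
    for ptype, (_pid, status) in sorted(old.items()):
        now = new.get(ptype, (None, "missing"))[1]
        if ptype not in expected and status == "Alive" and now != "Alive":
            findings.append(f"{ptype}: was Alive before, now {now}")
    return findings


if __name__ == "__main__":
    for label, after in (("ok", AFTER_OK), ("stale", BEFORE), ("down", AFTER_DOWN)):
        print(label, check_restart(BEFORE, after, {"HTTP_Server"}) or "clean")
```

To use it with real output, redirect each opmnctl status run to a file and pass the two file contents to check_restart.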
The instance for the WebGate on IIS must first be defined. This is covered in steps 7 through 11 of the previous task. After defining the instance, to install the WebGate for IIS, perform the following steps:
1. In Windows Explorer, navigate to E:\install_files\oam101401 and double-click the Oracle_Access_Manager10_1_4_0_1_Win32_ISAPI_WebGate.exe file and click Next. This command launches the Oracle Access Manager installer that will install the WebGate for IIS.
2. You must have administrative privileges to run the installation. If you are logged in as a different user, then you need to exit the installation, log in as the Administrator, and then restart the installation. Then, click Next.
3. You need to select the server for which the WebGate will be installed. For this setup, select the IIS option and click Next.
4. In the Destination Name text box, set the installation directory to E:\oracle\webgate_iis and click Next.
5. Review the location where WebGate for IIS is being installed and the total disk space required for the installation. Then, click Next.
6. Notice that the installer begins copying the WebGate files for IIS. Next, select the Open Mode: No encryption option for the transport security mode and click Next.
Note: You might be prompted to replace a few old *.DLL files in the C:\Windows\system32 folder. If prompted, click Yes to All.
7. Provide the following values for the WebGate configuration and click Next.
8. The Web server needs to be configured by modifying the configuration of the Web server directory. This change is reflected in an update to the IIS configuration. To automatically update this configuration, retain the automatic update selection and click Next.
9. Notice that the IIS configuration has been updated. You need to restart IIS and then click Next.
Note: To restart IIS, click Start > Control Panel > Administrative Tools and double-click Services. Right-click the IIS Admin Service service and select Restart.
10. You can view the readme and then click Next.
11. You can review the WebGate for IIS configuration settings and click Next.
12. The wizard requires a restart of the computer. Retain the Yes, Restart my computer option and click Finish.
Note: This complete installation can work without the restart. In case you restart, you need to start the components for both OHS 1.x and OHS 2.x.
13. To verify the status of the installed WebGate, access the following URL: http://ten.mydomain.com:/access/oblix/apps/webgate/bin/webgate.dll?progid=1
In this lesson, you learned how to:
Install the Oracle Access Manager Policy Manager
Install the Oracle Access Manager Access Server
Install the Oracle Access Manager WebGate on Oracle HTTP Server
Install the Oracle Access Manager WebGate on Internet Information Server