Thursday, May 3, 2012

WebGate 11g Fails after OAM-OIM Integration

After reading through several documents I finally got a setup up and running with OAM 11g and OIM 11g integrated with WebGate 11g.

The following is the setup; it is certified as of April 2012, but this may change in the future.



Oracle Internet Directory LDAP Store is OID version 11.1.1.5.0
Oracle Access Manager 11.1.1.5.0 + OAM Bundle Patch 02 ( 11.1.1.5.2 )
Oracle Identity Manager 11.1.1.5.0 + OIM Bundle Patch 02 ( 11.1.1.5.2 )
Oracle HTTP Server 11.1.1.5.0
Oracle Webgate 11.1.1.5.0 + Webgate Bundle Patch 02 (11.1.1.5.2)


I would suggest that anyone who does the integration or installation follow the Oracle Documentation for the version they are working on, because the integration steps keep changing with every version. There are lots of good blogs and books out there on the market and on the internet, but I would honestly say some of them are outdated, even though their steps are very good and presented better than the Oracle Documentation.


After following the complete integration as recommended by the Oracle Documentation, there is recommended testing for the integrated environment. The major integration tests are:
1. A user created in OIM should be propagated to the LDAP Store, which in my case is OID
2. Webgate validation
3. End-to-end user single sign-on


The first point worked fine in my case without any issues. The problem started with the second step and then the third.


After reading through several notes I came across one similar to my setup:
Note 1447494.1

As from OAM 11.1.1.5.2 (Bundle Patch 2) and OIM 11.1.1.5.2 (Bundle Patch 2), use of 11g WebGate is supported for integrated OAM and OIM environments. The settings would then be e.g.:
WEBGATE_TYPE: ohsWebgate11g
ACCESS_GATE_ID: Webgate_IDM


Note: additional, currently undocumented configuration will be required if 11g WebGate is used. It is recommended to register the 11g WebGate with auto-create policies unchecked and Preferred Host set to IAMSuiteAgent. Also, the following resources will need to be added to the IAM Suite Application Domain because 11g WebGate implements Deny On Not Protected:
/oam -- excluded resource
/oam/.../* -- excluded resource
/oim/ -- Public Authentication Policy, Protected Authorization Policy
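One way to verify that the resources above ended up in the right policies, once the WebGate is registered, is to request each path without following redirects and look at how the WebGate answered. The script below is an added example; it is not part of the original post or of Oracle Note 1447494.1. It assumes that an 11g WebGate sends an unauthenticated request for a protected resource to the OAM login endpoint (a 302 whose Location contains obrareq.cgi), that Deny On Not Protected answers with a 403 for paths no policy covers, and that excluded or public resources are served directly (2xx). The host name and the /identity/ path in the sample expectations are constructed placeholders.

```python
"""Probe paths behind an 11g WebGate and classify how OAM handled each one.
Added example; not from the original post or from Oracle Note 1447494.1."""
import urllib.request
import urllib.error

# Assumption: an 11g WebGate redirects unauthenticated requests for a
# protected resource to /oam/server/obrareq.cgi on the OAM server.
OAM_LOGIN_MARKER = "obrareq.cgi"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep the 3xx so it can be inspected instead of following it to the login page."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, location=None):
    """Map an HTTP status (and Location header, if any) onto the WebGate outcome."""
    if status in (301, 302, 303, 307) and location and OAM_LOGIN_MARKER in location:
        return "protected"        # sent to the OAM login page
    if status == 403:
        return "denied"           # assumption: Deny On Not Protected answers 403
    if 200 <= status < 300:
        return "passed-through"   # excluded or public resource, served directly
    return "other"                # server error, unrelated redirect, etc.


def probe(base_url, path, timeout=10):
    """Request base_url + path without following redirects; return (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # 3xx (unfollowed), 4xx and 5xx arrive here
        return err.code, err.headers.get("Location")


def check_policies(base_url, expectations):
    """Return {path: (expected, actual, ok)} for every path in expectations."""
    results = {}
    for path, expected in expectations.items():
        status, location = probe(base_url, path)
        actual = classify(status, location)
        results[path] = (expected, actual, expected == actual)
    return results


if __name__ == "__main__":
    import sys

    # Placeholder OHS front end; pass the real one as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://ohs.example.com:7777"
    # Constructed expectations from the note: /oam paths are excluded and /oim/ has a
    # public authentication policy, so neither should bounce to the OAM login page.
    # /identity/ stands in for any path you expect OAM to protect.
    expected = {
        "/oam": "passed-through",
        "/oim/": "passed-through",
        "/identity/": "protected",
    }
    for path, (want, got, ok) in check_policies(base, expected).items():
        print(f"{'OK ' if ok else 'BAD'} {path:<12} expected={want:<15} actual={got}")
```

Run it against the OHS front end after the WebGate restart; any BAD line points at a resource that is either missing from the IAM Suite Application Domain or sitting in the wrong policy.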




I tried setting the preferred host to IAMSuiteAgent and then also added the resources as described under the undocumented configuration.
Now http://ohs:port reaches the authentication page.



So now, with the additional undocumented steps, my Webgate 11g validation passed.

But I still could not get the user authenticated and perform a complete end-to-end SSO. I will make a short write-up on that in the upcoming post.

Good luck then with the ConFusion Middleware.


