Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager 11g Release 1 (11.1.1), Part Number E15478-02
This chapter summarizes activities that you need to perform to configure a 10.1.4 WebGate with a Microsoft Internet Information Server (IIS) Web server for Windows environments. Unless explicitly stated, information and steps in this chapter apply equally to 32-bit and 64-bit WebGate installations. Topics include:
Installing and Configuring Multiple 10g WebGates for a Single IIS 7 Instance
Installing and Configuring Multiple WebGates for a Single IIS 6 Instance
Ensure that your OAM 11g Administration Console is running and get familiar with:
ISAPI is an Internet Web server extension that the WebGate uses to communicate with the IIS Web server. For example, you will need the following package to install the Oracle Access Manager WebGates for IIS:
32-bit WebGate: Oracle_Access_Manager10_1_4_3_0_Win32_ISAPI_WebGate
64-bit WebGate: Oracle_Access_Manager10_1_4_3_0_Win64_ISAPI_WebGate.exe
Updating the IIS Web server configuration file is required when installing Oracle Access Manager WebGates. With IIS Web servers, a configuration update involves updating the Web server directly by adding the ISAPI filter and creating extensions required by Oracle Access Manager. A filter listens to all requests to the site on which it is installed. Filters can examine and modify both incoming and outgoing streams of data to enhance IIS functionality. ISAPI extensions are implemented as DLLs that are loaded into a process that is controlled by IIS. Like ASP and HTML pages, IIS uses the virtual location of the DLL file in the file system to map the ISAPI extension into the URL namespace that is served by IIS.
Oracle recommends that you update the IIS Web server configuration file automatically during Oracle Access Manager Web component installation. Automatic updates may take more than a minute. However, updating the IIS Web server configuration file manually takes longer and could introduce unintended errors.
For more specific guidelines, see:
General WebGate preparation and installation details apply to ISAPI WebGates. Additionally, this topic provides specific guidelines for ISAPI WebGates installed with an IIS Web server. You can install multiple WebGates with a single IIS Web server instance or you might have a 64-bit WebGate.
Note:
Unless explicitly stated, details apply equally to 32-bit and 64-bit WebGates.
Lockdown Mode: Before installing the WebGate, ensure that your IIS Web server is not in lockdown mode. Otherwise things will appear to be working until the server is rebooted and the metabase re-initialized, at which time IIS will disregard activity that occurred after the lockdown.
Permissions: Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. For example, suppose you install the ISAPI WebGate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.
Virtual Hosts: Each IIS Virtual Web server can have its own WebGate.dll file installed at the virtual level, or can have one WebGate affecting all sites installed at the site level. Either install the WebGate.dll at the site level to control all virtual hosts or install the WebGate.dll for one or all virtual hosts.
postgate.dll: You may also need to install the postgate.dll file at the computer level. The postgate.dll is located in the \WebGate_install_dir, as described in "Installing the Postgate ISAPI Filter". If you perform multiple installations, multiple versions of this file may be created which may cause unusual Oracle Access Manager behavior. In this case, you should verify that only one webgate.dll and one postgate.dll exist.
Note:
The postgate.dll is always installed at the site level. If for some reason the WebGate is reinstalled, the postgate.dll is also reinstalled. In this case, ensure that only one copy of the postgate.dll exists at the site level.
Updating Web Server Configuration for WebGate: As with other Oracle Access Manager WebGates, your Web server must be configured to operate with the WebGate. Oracle recommends automatically updating your Web server configuration during installation. However, you can decline the automatic update and instead manually configure your Web server as described in "Provisioning a 10g WebGate with OAM 11g".
FAT32 file system: You may receive special instructions to perform during WebGate installation. For example: Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions can be ignored.
SSL and Client Certificate Authentication: On IIS, if you are using client certificate authentication you must enable SSL on the IIS Web server hosting the WebGate before enabling client certificates for WebGate. You must also ensure that various filters are installed in a particular order. In addition, you may need to install the postgate.dll as an ISAPI filter.
Web Server Releases: Web server details in this chapter apply to the stated release. If the release is not stated, you can presume it is IIS v5. Details specific to IIS v6 or IIS v7 are identified.
See Also:
32-bit versus 64-bit WebGates: Unless explicitly stated, all information applies equally to both 32-bit and 64-bit WebGates.
General WebGate Preparation and Installation Details: Refer to this chapter for IIS-specific guidelines. Refer to Chapter 17 for general preparation and installation details.
Completing and Confirming WebGate Installation: Perform tasks relevant to your ISAPI WebGate and IIS version:
See Also:
General guidelines and WebGate installation are usually the same regardless of the IIS release for which you are installing a WebGate. However, there are several specific topics to review when you are installing one or more WebGates for IIS v7:
General guidelines and WebGate installation are usually the same regardless of the IIS release for which you are installing a WebGate. However, there are several specific topics of interest.
Multiple WebGates with a Single IIS 6 Instance: IIS v6.0 supports hosting multiple Web sites on a single Web server instance and Oracle Access Manager ISAPI WebGate allows you to protect each Web site with a different WebGate.
64-bit IIS v6 WebGate: Perform installation as you do for all others, using instructions available in Chapter 17. If you choose manual Web server configuration during WebGate installation, you can access details in the following path:
WebGate_install_dir\access\oblix\lang\en-us\docs\dotnet_isapi.htm
Following WebGate installation and IIS configuration, perform tasks in "Finishing 64-bit WebGate Installation".
Earlier Release WebGate Installations: Previously Oracle recommended that WebGate be installed in the same physical directory location as Policy Manager. This required a virtual directory named “access” for both Policy Manager and WebGate, which is mapped to the physical location of both Policy Manager and WebGate.
Note:
You can install WebGate 10g (10.1.4.3) for IIS in any location, separate from that of Policy Manager.
If you have an earlier, combined WebGate and Policy Manager installation, you can de-couple the components using the following steps.
To de-couple an earlier WebGate/Policy Manager installation
Uninstall any patches applied to the earlier WebGate and Policy Manager, if any.
Uninstall the earlier Policy Manager and WebGate combination.
Install Policy Manager 10g (10.1.4.3).
In a separate directory location, install WebGate 10g (10.1.4.3).
Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit WebGates.
IIS v6.0 supports hosting multiple Web sites on a single Web server and Oracle Access Manager ISAPI WebGate allows you to protect each Web site with a different WebGate.
Note:
Previous ISAPI WebGate releases did not support multiple WebGates with a single IIS Web server instance. You either had to install one WebGate for all Web sites at the top level, or protect a single Web site by configuring WebGate at the Web site level.
IIS 6 provides application pools that are used to run virtual servers. You can think of an application pool as a group of one or more URLs that are served by a worker process or a set of worker processes. An application pool is a configuration that links one or more applications to a set of one or more worker processes. Because applications in this pool are separated from other applications by worker process boundaries, an application in one application pool is not affected by problems caused by applications in other application pools. Today, WebGate instances can run in different process spaces.
When you have multiple Web sites on a single IIS v6.0 Web server instance, you need to ensure that user requests reach the correct Web site. To do this, you need to configure a unique identity for each site on the server using at least one of three unique identifiers:
Host header name
IP address
TCP port number
Note:
If you have multiple Web sites on a single server and these are distinguished by IP address and port, multiple WebGates are not required. Starting with release 10.1.4.2.0 virtual hosts on Apache and IIS 6.0 are supported. As a result, a single WebGate on the top level can protect all the Web sites even if the IP addresses are different. This is handled by using different Host Identifiers for each Web site.
You can install multiple WebGates on different Web sites of the same IIS Web server instance. However, several manual steps are required.
This section provides prerequisites for installing WebGates with IIS v7 Web servers. It includes the following topics:
The following procedure applies to 32-bit and 64-bit WebGates equally.
With WebGate for IIS v7 Web Server, you can use Form-based authentication without enabling pass-through functionality only when the <add segment="bin"/> entry is not present in the applicationHost.config file. For example, if you have access/oblix/apps/webgate/bin/webgate.dll as an action in the Form-based authentication scheme, ensure that the <add segment="bin"/> entry is not present in the applicationHost.config file. If the entry is present, you must remove it, as described next.
To locate and remove the <add segment="bin"/> entry
Go to Windows\System32\inetsrv\config and open the applicationHost.config file.
Search for the <hiddenSegments> module.
Remove the entry <add segment="bin"/> if it is present.
Save the file.
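The check behind this procedure, as an added example that is not part of the Oracle guide: it reads a copy of applicationHost.config and reports whether a hidden segment would block the form action in a given scope. The sample configuration and the site names HRSite and PortalSite are constructed, and the per-site <remove> override goes beyond the server-level edit described above.

```python
import xml.etree.ElementTree as ET

HIDDEN_SEGMENTS = "system.webServer/security/requestFiltering/hiddenSegments"

# Constructed sample: a trimmed applicationHost.config. "PortalSite" is a
# hypothetical site that overrides the server-level list with <remove>.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments applyToWebDAV="true">
          <add segment="web.config" />
          <add segment="bin" />
          <add segment="App_code" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
  <location path="PortalSite">
    <system.webServer>
      <security>
        <requestFiltering>
          <hiddenSegments>
            <remove segment="bin" />
          </hiddenSegments>
        </requestFiltering>
      </security>
    </system.webServer>
  </location>
</configuration>
"""


def _apply(hidden, collection):
    """Apply one <hiddenSegments> collection in document order."""
    for entry in collection:
        segment = entry.get("segment", "").lower()
        if entry.tag == "clear":
            hidden.clear()
        elif entry.tag == "add":
            hidden.add(segment)
        elif entry.tag == "remove":
            hidden.discard(segment)


def effective_hidden_segments(config_xml, scope=""):
    """Hidden segments in force for scope ("" is the server level,
    otherwise a <location path> value such as "Site" or "Site/app")."""
    root = ET.fromstring(config_xml)
    hidden = set()
    for collection in root.findall(HIDDEN_SEGMENTS):
        _apply(hidden, collection)
    scope = scope.strip("/").lower()
    covering = []
    for location in root.findall("location"):
        path = (location.get("path") or "").strip("/").lower()
        if path == "" or scope == path or scope.startswith(path + "/"):
            covering.append((len(path), location))
    # Shallowest <location> first, so deeper scopes override their parents.
    for _, location in sorted(covering, key=lambda item: item[0]):
        for collection in location.findall(HIDDEN_SEGMENTS):
            _apply(hidden, collection)
    return hidden


def check_form_action(config_xml, scope, action_path):
    """Return the segments of the form action URL that are hidden in scope.
    Segments are compared case-insensitively (assumption of this example)."""
    hidden = effective_hidden_segments(config_xml, scope)
    return [s for s in action_path.strip("/").split("/") if s.lower() in hidden]


if __name__ == "__main__":
    action = "access/oblix/apps/webgate/bin/webgate.dll"
    for scope in ("", "HRSite", "PortalSite"):
        blocked = check_form_action(SAMPLE_CONFIG, scope, action)
        label = scope or "(server)"
        print(f"{label}: {'blocked by ' + ', '.join(blocked) if blocked else 'not blocked'}")
```

The server-level bin entry also hides the bin folder of every other application on the host, so compare scopes before removing it there.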
The following procedure applies to 32-bit WebGates only.
The following procedure provides steps to configure a 32-bit WebGate for IIS 7 Web Server to use either Simple or Cert transport security mode. This configuration requires that the IIS 6 Management Compatibility module be installed.
To add the IIS 6 Management Compatibility module for a 32-bit WebGate for IIS 7 and Simple or Cert security
From the Start menu, click Administrative Tools, and then click Server Manager.
In the Server Manager tree, expand Roles, and then click Web Server (IIS).
In the Web Server (IIS) pane, Role Services section, click Add Role Services.
On the Select Role Services page of the Add Role Services Wizard, click IIS6 Management Compatibility under Management Tools.
On the Confirm Installation Selections page, click Install.
On the Results page, click Close.
You can display these steps when you decline automatic Web server updates during Oracle Access Manager WebGate installation.
To display steps to configure IIS 7 Web server on Windows 2008 for ISAPI WebGates
When installing WebGate, click No when asked if you want the automatic Web server update and:
Read information on a new screen to assist in manually setting up your Web server for the WebGate.
Click the following item in the table that appears and perform the steps that are displayed.
After performing steps to update the IIS 7 Web server on Windows 2008, return to the WebGate installation screen and click Next, as described in the chapter on WebGate installation.
Proceed with "Completing WebGate Installation with IIS".
Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit WebGates.
See Also:
As needed, see:
If you have IIS v7, Oracle recommends the following topics:
Completing WebGate installation with an IIS Web server includes the following activities after the installation is complete.
Task overview: Completing IIS WebGate installations includes
Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit WebGates.
If you are using client certificate authentication, you must enable SSL on the IIS Web server. If you select client certificate authentication during setup, you must also add the cert_authn.dll as one of the ISAPI filters.
Note:
The procedures here reflect the sequence for IIS v5. Your environment might be different.
To enable SSL on the IIS Web server
Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.
Expand the local computer to display your Web Sites.
Expand the Default Web Site (or the appropriate Web site), then expand \access\oblix\apps\webgate\bin.
Right click cert_authn.dll and select Properties.
In the Properties panel, select the File Security tab.
In the Secure Communications sub-panel, click Edit.
In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK.
Click OK in the cert_authn.dll Properties panel.
Proceed to the next procedure: "To add cert_authn.dll as an ISAPI filter".
To add cert_authn.dll as an ISAPI filter
Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.
Expand the local computer to display your Web Sites.
Right click the appropriate Web Site to display the Properties panel.
Click the ISAPI Filters tab, then click the Add button to display the Filter Properties panel.
Enter filter name "cert_authn".
Click the Browse button and navigate to the following directory:
\WebGate_install_dir\access\oblix\apps\webgate\bin
Select cert_authn.dll as the executable.
Click OK on the Filter Properties panel.
Click Apply on the ISAPI Filters panel.
Click OK.
Ensure the filters are listed in the correct order.
Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit WebGates.
It is important to ensure that the WebGate ISAPI filters are included in the right order.
Note:
This task is the same whether you are installing one or more WebGates per IIS Web server instance.
To order the WebGate ISAPI filters
Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.
Expand the local computer to display your Web Sites.
Right-click the Web Site and select Properties.
Click Properties, select ISAPI filters.
Confirm the following .dll files appear.
For example:
Add any missing filters, if needed, then select a filter name and use the up and down arrows to arrange the filter order as shown in step 5.
WARNING:
Confirm that there is only one webgate.dll and one postgate.dll filter. If you perform multiple WebGate installations on one computer, multiple versions of the postgate.dll file might be created and cause unusual Oracle Access Manager behavior.
This section describes how the WebGate can be set up in conjunction with IIS 6.0 Worker Process Isolation Mode. It also covers configuration steps required for IIS 6.0 running in IIS 5.0 Isolation Mode.
Note:
This section supersedes information in "Installing Postgate.dll on IIS Web Servers" in the Oracle Access Manager Installation Guide. For the IIS 5.0 Web server, the existing functionality using postgate.dll continues to be supported.
Topics here include:
Implementing Pass-Through: IIS 6.0 in Worker Process Isolation Mode
Implementing Pass-Through with IIS 6.0 Web Server in IIS 5.0 Isolation Mode
Starting with ISAPI WebGate release 10.1.4.2.3, Oracle Access Manager pass-through functionality is supported with IIS 6.0 running in a Worker Process Isolation Mode. ISAPI WebGate 10.1.4.2.3 also operates with IIS 6.0 running in IIS 5.0 Isolation Mode using postgate.dll.
Note:
Oracle recommends using Worker Process Isolation Mode for new or existing implementations. Worker Process Isolation Mode is a default setting for the IIS 6.0 Web server. For the IIS 5.0 Web server, the existing functionality (using postgate.dll) continues to be supported.
This section describes how to set up ISAPI WebGate release 10.1.4.2.3 in conjunction with IIS 6.0 Worker Process Isolation Mode. It also provides configuration steps required for IIS 6.0 running in IIS 5.0 Isolation Mode. This section supersedes information in Section 19-6 (Installing Postgate.dll on IIS Web Servers) of the Oracle Access Manager Installation Guide.
POST data is required for pass-through during a form login on the IIS Web server when using the WebGate extension method (where the WebGate is the action of the form). In other words, if a form authentication scheme on the IIS Web server is configured with the pass-through option, and the target of the login form requires the data posted by the form, the WebGate extension method (where the WebGate DLL is the action of the form) cannot be used. The WebGate filter method (where the action of the form is a protected URL that is not the WebGate DLL) must be used instead and, depending on the IIS version, either postgate.dll must be installed or webgate.dll must be configured as an ISAPI extension.
IIS 6.0 in Worker Process Isolation Mode: webgate.dll must be configured as an ISAPI filter and also as an ISAPI extension to achieve pass-through functionality. (This does not apply to ISA server integration.) Pass-through functionality is supported with 10.1.4.2.3 and higher ISAPI WebGates. However, you must also set a new user-defined parameter "UseWebGateExtForPassthrough" to true in the WebGate configuration profile in the Access System Console.
IIS 5.0 or IIS 6.0 running in IIS 5.0 Isolation Mode: postgate.dll must be configured as an ISAPI filter to achieve the pass-through functionality.
The following steps outline this task.
Task overview: Implementing Pass-Through Functionality with IIS 6.0 Web Server in Worker Process Isolation Mode
Install WebGate as described in "Locating and Installing the Latest OAM 10g WebGate for OAM 11g".
Set the pass-through parameter as described in "Setting the UseWebGateExtForPassthrough Parameter in the WebGate Profile".
Configure webgate.dll as described in "Configuring webgate.dll as an ISAPI Extension".
You must set the new user-defined parameter, UseWebGateExtForPassthrough, in the WebGate profile to implement pass-through functionality with the IIS 6.0 Web server in Worker Process Isolation Mode. You must set UseWebGateExtForPassthrough to true. If this parameter is set to false, pass-through functionality will not work.
See Also:
"IIS Web Server Issues"
To set the UseWebGateExtForPassthrough Parameter in the WebGate Profile
Launch the Access System Console and click Access System Configuration.
Click AccessGate Configuration.
Enter your search criteria for the WebGate, and then click Go.
In the Search Results table, click a WebGate name.
At the bottom of the Details for AccessGate page, click Modify.
On the Modify AccessGate page, locate the User Defined Parameters section of the page, enter the following parameter, and value, and then click the Add button:
Parameter: UseWebGateExtForPassthrough
Value: true
Click the Add button if you want to add more user-defined parameters.
Click Save to save this new information.
Repeat for each WebGate in your deployment.
Proceed to "Configuring webgate.dll as an ISAPI Extension".
The webgate.dll is part of the WebGate installation. The following procedure describes how to configure webgate.dll as an ISAPI extension. This task must also be performed to implement pass-through functionality with IIS 6.0 Web Server in Worker Process Isolation Mode.
Note:
You can have multiple webgate.dlls configured at different website levels from the top level Web Sites. In this case, you also need to configure webgate.dll as an ISAPI extension for each website protected by WebGate.
To configure webgate.dll as an ISAPI extension
Go to websites, right click, and select Properties.
In the Properties dialog box, select the Home Directory tab.
Click the Configurations button to open the Application Configurations dialog box.
In Wild Card Application Maps, click the Insert button.
Provide the path to webgate.dll. For example:
WebGate_install_dir/access/oblix/apps/webgate/bin/webgate.dll
Uncheck the "verify that file exists" box.
Confirm and finalize the changes: click OK, then click OK again; click Apply, and then click OK.
Stop the IIS Administration Server from Services and restart the IIS Web server.
The following steps outline this task.
Note:
Skip this task if you are using IIS 6.0 Web server in Worker Process Isolation Mode.
Task overview: Implementing Pass-Through Functionality with IIS 6.0 Web Server in IIS 5.0 Isolation Mode
Install WebGate as described in the Oracle Access Manager Installation Guide.
Set up IIS 6.0 as described in "Setting Up IIS 6.0 Web Server in IIS 5.0 Isolation Mode".
Install postgate.dll as described in "Installing the Postgate ISAPI Filter".
The following information is updated for the 10.1.4.2.3 WebGate.
When IIS 6.0 Web server is used, the following steps outline how to set up the WWW Service to run in IIS 5.0 Isolation Mode. This is required by the ISAPI postgate filter.
To set IIS 5.0 isolation on IIS 6 Web servers
Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.
Expand the local computer to display your Web Sites.
Right-click the Web Site and select Properties.
Select the Service tab in the Web Site Properties window.
Check the box beside Run WWW service in IIS 5.0 Isolation Mode.
Click OK.
Proceed with "Installing the Postgate ISAPI Filter".
The following information is updated for the 10.1.4.2.3 WebGate.
For single WebGate installations, you should install the filters in the following order:
The ISAPI WebGate filter should be installed after the sspifilt filter and before any others.
The postgate filter should be installed before the WebGate filter, only if needed.
All other Oracle Access Manager filters can be installed at the end.
Note:
Before installation (or after uninstallation) the filters must be removed manually. If multiple copies of a filter are installed, this means that they were not manually removed before installing the new filters.
You can have multiple webgate.dlls configured at different levels from the top level Web Sites. However, they share the same postgate.dll. If you perform multiple WebGate installations on one computer, multiple versions of the postgate.dll file can be created which might cause unusual Oracle Access Manager behavior. There can only be one postgate.dll configured at the (top) Web Sites level of a computer.
Note:
postgate.dll is not supported when you have more than one WebGate installed and configured for a single IIS Web server instance.
The following procedures guide you as you install and position the postgate ISAPI filter when you have a single WebGate installed with a single IIS Web server instance.
To install the postgate ISAPI filter
Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.
Expand the local computer to display your Web Sites.
Right-click the Web Site and select Properties.
Select the ISAPI Filters tab in the Web Site Properties window.
Click the Add button to display the Filter Properties panel.
Enter the filter name "postgate".
Click the Browse button and navigate to the following directory:
\WebGate_install_dir\access\oblix\apps\webgate\bin
Select postgate.dll as the executable.
Click OK on the Filter Properties panel.
Click Apply on the ISAPI Filters panel.
Reposition the postgate ISAPI filter, as follows:
Start the Internet Information Services console, if needed.
Right-click your local computer, then select All Tasks, select Restart IIS.
Select the ISAPI Filters tab on the Properties panel.
Select the postgate filter and move it before WebGate, using the up arrow.
For example:
Restart IIS.
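The ordering and single-copy rules above, written as an added check that is not part of the Oracle guide. It takes the filter list in load order as (name, executable) pairs; the drive letters, the second install directory and the sspifilt location in the samples are constructed.

```python
import ntpath

# Filters that may load ahead of webgate according to the rules above.
ALLOWED_BEFORE_WEBGATE = {"sspifilt", "postgate"}

# Constructed samples. "WebGate_install_dir" is the guide's placeholder;
# "WebGate_install_dir_2" stands for a leftover second installation.
BIN = r"D:\WebGate_install_dir\access\oblix\apps\webgate\bin"
BIN_2 = r"D:\WebGate_install_dir_2\access\oblix\apps\webgate\bin"
SSPIFILT = r"C:\WINNT\System32\inetsrv\sspifilt.dll"

GOOD_ORDER = [
    ("sspifilt", SSPIFILT),
    ("postgate", BIN + r"\postgate.dll"),
    ("webgate", BIN + r"\webgate.dll"),
    ("cert_authn", BIN + r"\cert_authn.dll"),
]

BAD_ORDER = [
    ("cert_authn", BIN + r"\cert_authn.dll"),
    ("postgate", BIN + r"\postgate.dll"),
    ("webgate", BIN + r"\webgate.dll"),
    ("postgate", BIN_2 + r"\postgate.dll"),
    ("sspifilt", SSPIFILT),
]


def _stem(dll_path):
    """File name without directory or extension, lower-cased."""
    return ntpath.splitext(ntpath.basename(dll_path))[0].lower()


def audit_filter_order(filters):
    """Return a list of findings for filters given in load order.

    Rules checked: one webgate.dll and one postgate.dll at most, webgate
    after sspifilt, postgate before webgate, and no other filter ahead
    of webgate.
    """
    stems = [_stem(path) for _name, path in filters]
    findings = []
    for dll in ("webgate", "postgate"):
        if stems.count(dll) > 1:
            findings.append(f"duplicate:{dll}")
    if "webgate" not in stems:
        return findings + ["missing:webgate"]
    first_webgate = stems.index("webgate")
    for position, stem in enumerate(stems):
        if stem == "sspifilt" and position > first_webgate:
            findings.append("sspifilt-after-webgate")
        elif stem == "postgate" and position > first_webgate:
            findings.append("postgate-after-webgate")
        elif position < first_webgate and stem not in ALLOWED_BEFORE_WEBGATE:
            findings.append(f"before-webgate:{filters[position][0]}")
    return findings


if __name__ == "__main__":
    for label, sample in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, audit_filter_order(sample) or "no findings")
```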
Unless explicitly stated, this topic applies equally to 32-bit and 64-bit WebGates.
When you install a WebGate on an IIS Web server that does not have the "Default Web Site" configured, the installer does not create "Virtual Directory access", which must be done manually using the following procedure.
To protect a Web site (not the default site)
Start the Internet Information Services console, if needed.
Select the name of the Web site to protect.
Right-click the name of the Web site to protect and select New, and then select Virtual Directory in the menu.
Click Next.
Select Alias: access, then click Next.
Directory: Enter the full path to the /access directory, then click Next.
WebGate_install_dir\access
Select Read, Run Scripts, and Execute, then click Next.
Click Finish.
Restart IIS. For example:
net start w3svc
This section describes how to install and configure multiple WebGates for different Web sites on the same IIS 7 Web server instance. Several steps are manual and will differ from those that are performed when you install a single WebGate with a single IIS instance. When installing multiple WebGates for a single IIS instance:
The webgate.dll must be configured as an ISAPI filter at the individual Web site level, not the default (top) Web server level.
The /access virtual directory is mapped at the Web site level to the respective /access directory in the WebGate installation.
When configuring the impersonation DLL for multiple WebGates, you need to configure a user to act as the operating system.
Task overview: Installing and configuring multiple WebGates for a single IIS 7 instance
Installing Each IIS 7 WebGate in a Multiple WebGate Scenario
Perform the following tasks, which are the same whether you install one or more WebGates per IIS Web server instance:
After installing the ISAPI WebGate, there are several manual steps to perform as described here.
By default, webgate.dll is configured as an ISAPI filter at the host name (top) level. When installing multiple WebGates with a single IIS 7 instance, you need to remove the respective webgate.dll from the top level and configure it for the appropriate individual Web site after each WebGate installation.
To install each WebGate when you will have several with one IIS 7 instance
Install the ISAPI 7 WebGate as described in Chapter 17.
Go to the Web site to protect, and configure webgate.dll as the ISAPI filter using these steps:
Start the Internet Information Services (IIS) Manager: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
Select the hostname from the Connections pane.
From the hostname Home pane, double-click ISAPI Filters, look for any WebGate.dll; if it is present, select it and click Remove from the Action pane.
In the Connection pane, under Sites, click the name of the Web Site for which you want to configure a WebGate filter.
In the Home pane, double-click ISAPI Filters.
In the Actions pane, click Add…
In the Filter name text box of the Add ISAPI Filter dialog box, type "WebGate" as name for the ISAPI filter.
In the Executable box, type the file system path of the WebGate ISAPI filter file or click the ellipsis button (...) to go to the folder that contains the WebGate.dll ISAPI filter file, and then click OK.
WebGate_install_dir\access\oblix\apps\webgate\bin\webgate.dll
Creating a Virtual Directory:
Expand the Sites pane and select the Web Site for which you just configured the ISAPI filter (WebGate.dll).
On the Action pane, click View Virtual Directories and then select Add Virtual Directory.
Specify access in the Alias text box and enter the physical path to the WebGate access folder, or click the ellipsis button (...) to go to the "access" folder, and then click OK.
WebGate_install_dir\access\
Save and apply these changes.
Setting permissions to the Virtual Directory:
Select the "access" virtual directory created in Step 3.
From the access Home pane, double click Handler Mappings; from the Action pane, select Edit Feature Permissions….
Check boxes beside Read, Script, and Execute, then click OK.
Setting Directory Permissions for WebGate:
In Explorer, right click the WebGate installation directory WebGate_install_dir\access and select Properties.
Click the Security tab and click the Edit button.
Add user "IUSR", select "Allow" for "Modify".
Add user "IIS_IUSRS", select "Allow" for "Modify".
Add user "NETWORK", select "Allow" for "Modify".
Add user "NETWORK SERVICE", select "Allow" for "Modify".
For group "Administrators" select "Allow" for "Modify".
WebGate in Simple or Cert Mode:
In the file system, locate and right-click the "password.xml" file in WebGate_install_dir\access\oblix\config\password.xml, and select Properties.
Click the Security tab.
Give "Allow" for "Read" rights to users "IUSR", "NETWORK SERVICE", "IIS_WPG", "IIS_IUSRS".
Ensure that there is no webgate.dll in the top level (the hostname level).
Perform the next set of tasks using instructions in the following topics:
Repeat these steps when you install the next WebGate for the IIS instance.
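An added example, not from the Oracle guide, that audits a copy of applicationHost.config for the multiple-WebGate layout described above: no webgate.dll filter at the server level, and each site's /access virtual directory pointing into the same installation as that site's webgate.dll. Site names and paths in the sample are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

FILTERS = "system.webServer/isapiFilters/filter"
# Location of webgate.dll below the /access directory, as given in the steps above.
DLL_TAIL = ("oblix", "apps", "webgate", "bin", "webgate.dll")

# Constructed sample: two hypothetical sites, a leftover server-level filter,
# and PortalSite's /access directory still mapped to the HR installation.
SAMPLE_CONFIG = r"""<configuration>
  <system.applicationHost>
    <sites>
      <site name="HRSite" id="2">
        <application path="/">
          <virtualDirectory path="/" physicalPath="D:\sites\hr" />
          <virtualDirectory path="/access" physicalPath="D:\webgate_hr\access" />
        </application>
      </site>
      <site name="PortalSite" id="3">
        <application path="/">
          <virtualDirectory path="/" physicalPath="D:\sites\portal" />
          <virtualDirectory path="/access" physicalPath="D:\webgate_hr\access" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
  <system.webServer>
    <isapiFilters>
      <filter name="WebGate" path="D:\webgate_hr\access\oblix\apps\webgate\bin\webgate.dll" />
    </isapiFilters>
  </system.webServer>
  <location path="HRSite">
    <system.webServer>
      <isapiFilters>
        <filter name="WebGate" path="D:\webgate_hr\access\oblix\apps\webgate\bin\webgate.dll" />
      </isapiFilters>
    </system.webServer>
  </location>
  <location path="PortalSite">
    <system.webServer>
      <isapiFilters>
        <filter name="WebGate" path="D:\webgate_portal\access\oblix\apps\webgate\bin\webgate.dll" />
      </isapiFilters>
    </system.webServer>
  </location>
</configuration>
"""


def _norm(path):
    """Compare Windows paths without regard to case or slash direction."""
    return ntpath.normcase(ntpath.normpath(path))


def _webgate_filters(node):
    """Paths of webgate.dll filters declared directly under node."""
    paths = [f.get("path", "") for f in node.findall(FILTERS)]
    return [p for p in paths if ntpath.basename(p).lower() == "webgate.dll"]


def audit_multi_webgate(config_xml):
    """Return (scope, code, detail) findings for the multiple-WebGate layout."""
    root = ET.fromstring(config_xml)
    findings = [("(server)", "top-level-filter", dll)
                for dll in _webgate_filters(root)]
    # Physical path of each site's /access virtual directory.
    access_dirs = {}
    for site in root.findall("system.applicationHost/sites/site"):
        for vdir in site.findall("application/virtualDirectory"):
            if vdir.get("path", "").rstrip("/").lower() == "/access":
                access_dirs[site.get("name", "").lower()] = vdir.get("physicalPath", "")
    # Each site-level webgate.dll must live under that site's /access mapping.
    for location in root.findall("location"):
        site = location.get("path", "")
        for dll in _webgate_filters(location):
            access = access_dirs.get(site.lower())
            if access is None:
                findings.append((site, "no-access-vdir", dll))
            elif _norm(ntpath.join(access, *DLL_TAIL)) != _norm(dll):
                findings.append((site, "access-mismatch", access))
    return findings


if __name__ == "__main__":
    for scope, code, detail in audit_multi_webgate(SAMPLE_CONFIG):
        print(f"{scope}: {code} ({detail})")
```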
The client's access token is known as an impersonation token. The impersonation token identifies the client, the client's groups, and the client's privileges. The information in the token is used during access checks when the thread requests access to resources on the client's behalf.
The Access System authenticates and authorizes the user. IISImpersonationExtension.dll of Oracle Access Manager in the wildcard extension behaves like a filter for each request to the Web server. The Access System designates a special user that does have the right to impersonate another user by configuring it using the impersonation username/password on the AccessGate Configuration page. That designated user must have "act as operating system" rights. The DLL impersonates the user authenticated and authorized by Oracle Access Manager and generates the impersonation token.
You perform the following steps to set the impersonation DLL for each WebGate that protects a Web site for a single IIS 7 Web server instance. You can do this either immediately after the installation task in the previous topic or all at one time.
Note:
This task must be performed for each WebGate that protects an individual Web site for a single IIS Web server instance.
To add the impersonation DLL to IIS 7 configuration for individual Web sites
Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
Add "IISImpersonationExtension.dll" as a Wildcard Script Map to the required Web Site:
Expand Sites in the connection pane.
Click the Web Site name to which you want to add IISImpersonationExtension.dll.
Double click Handler Mappings from the selected Web Site's "home" pane.
From the Action pane, click Add Wildcard Script Map.
In the Name text box of the Add Wildcard Script Map dialog box, type "Oracle Impersonation Plugin" as name for the dll.
In the Executable box, type the file system path of the WebGate IISImpersonationExtension.dll or click the ellipsis button (...) to go to the folder that contains IISImpersonationExtension.dll, and then click OK.
WebGate_install_dir/access/oblix/apps/WebGate/bin/IISImpersonationExtension.dll
This example shows the default path, where WebGate_install_dir is the file system directory where you have installed this particular WebGate.
Proceed as follows:
Client Certificate Authentication: "Enabling Client Certification for Multiple IIS 7 WebGates"
You perform this task to enable client certification for each WebGate that protects a Web site for a single IIS 7 Web server instance. You can do this either immediately after adding the impersonation DLL to an individual Web site or all at one time.
Note:
SSL should be enabled on the Web Site before configuring the client certification for WebGate. Follow these steps after the Web Site is SSL enabled.
If you select client certificate authentication during setup, you must also enable and then add the cert_authn.dll as one of the ISAPI filters in the respective Web site.
To enable cert_authn.dll on the IIS 7 Web server
Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
Expand Sites in the connection pane.
Expand the Web Site to \access\oblix\apps\webgate\bin.
Right click the "bin" directory and select Switch To Content View.
Right click "cert_authn.dll" and, from the drop-down menu, select Switch To Feature View.
From the cert_authn.dll Home pane, double click SSL Settings.
From the SSL Settings pane, select the Require SSL check box and, under Client Certificates, select Accept.
Select Apply from Action pane.
Repeat for each WebGate installed on this host, for which you want to enable client certification.
Restart the IIS 7 Web server.
Proceed to the next task: "To add cert_authn.dll as an ISAPI v7 filter".
To add cert_authn.dll as an ISAPI v7 filter
Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
Expand Sites in the connection pane.
Click on the Web Site name for which you want to add "cert_authn.dll".
In the Home pane, double-click ISAPI Filters.
In the Actions pane, click Add.
In the Filter name box of the Add ISAPI Filter dialog box, type Oracle Certification Authentication Plugin as name for the ISAPI filter.
In the Executable box, type the file system path of the WebGate cert_authn.dll or click the ellipsis button (...) to go to the folder that contains cert_authn.dll, and then click OK.
WebGate_install_dir/access/oblix/apps/WebGate/bin/cert_authn.dll 
This example shows the default path, where WebGate_install_dir is the file system directory where you have installed this particular WebGate.
Click View Ordered List from the Action pane and arrange the filters as shown here by using "Move Up" or "Move Down":
cert_authn.dll
webgate.dll
Select Apply from Action pane.
Repeat for each WebGate installed on this host, for which you want to enable client certification.
Restart the IIS 7 Web server.
Proceed as needed for your deployment:
Here you will add WebGate.dll as a Wildcard Script Map to the required Web Site. While configuring WebGate to work with pass through functionality, you must ensure that "Physical Path" of the Web sites on which you are installing WebGates differ. Otherwise, the changes in "Handler Mappings" are reflected in all the Web Sites sharing the same physical path.
Note:
"Physical Path" is the path that is provided at the time of creating the Web Site. To check this path after the Web Site has been created:
Click the Web Site name.
In the Action pane, click Basic Settings. A window appears showing the physical path of the Web Site.
To configure WebGate for pass through functionality
Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
Expand Sites in the connection pane.
Click the Web Site name for which you want to enable pass through.
Double click Handler Mappings from the selected Web Site's "home" pane.
From the Action pane, click Add Wildcard Script Map.
In the Name text box of the Add Wildcard Script Map dialog box, type WebGate as name for the ISAPI filter.
In the Executable box, type the file system path of the WebGate ISAPI filter file (WebGate.dll) or click the ellipsis button (...) to go to the folder that contains the WebGate.dll ISAPI filter file, and then click OK.
WebGate_install_dir/access/oblix/apps/WebGate/bin/WebGate.dll
In the Access System Console:
Locate the Web Gate profile and click Modify.
Under User Defined Parameters, enter the following parameter and value:
Parameter: UseWebGateExtForPassthrough
Value: true
Save the profile.
Repeat for each WebGate installed on this host, for which you want to enable pass through.
Restart the IIS 7 Web server.
Proceed to the next task: "Confirming IIS 7 WebGate Installation".
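The filter order (cert_authn.dll before webgate.dll) and the requirement that pass-through sites use different Physical Paths can be checked offline against a copy of the IIS 7 configuration. This is an added example, not Oracle's code; it assumes site-level filters and handler mappings are stored in location blocks of applicationHost.config, and the site names and C:\ paths in the sample are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an IIS 7 applicationHost.config (assumption:
# per-site settings sit in <location path="site name">); names and paths are invented.
SAMPLE = r"""<configuration>
 <system.applicationHost><sites>
  <site name="SiteA"><application path="/">
   <virtualDirectory path="/" physicalPath="C:\inetpub\shared" /></application></site>
  <site name="SiteB"><application path="/">
   <virtualDirectory path="/" physicalPath="c:\Inetpub\Shared" /></application></site>
  <site name="SiteC"><application path="/">
   <virtualDirectory path="/" physicalPath="C:\inetpub\siteC" /></application></site>
 </sites></system.applicationHost>
 <location path="SiteA"><system.webServer>
  <isapiFilters>
   <filter name="cert" path="C:\wg1\access\oblix\apps\webgate\bin\cert_authn.dll" />
   <filter name="webgate" path="C:\wg1\access\oblix\apps\webgate\bin\webgate.dll" />
  </isapiFilters>
  <handlers><add name="WebGate" path="*" verb="*" modules="IsapiModule"
    scriptProcessor="C:\wg1\access\oblix\apps\webgate\bin\WebGate.dll" /></handlers>
 </system.webServer></location>
 <location path="SiteB"><system.webServer>
  <isapiFilters>
   <filter name="webgate" path="C:\wg2\access\oblix\apps\webgate\bin\webgate.dll" />
   <filter name="cert" path="C:\wg2\access\oblix\apps\webgate\bin\cert_authn.dll" />
  </isapiFilters>
  <handlers><add name="WebGate" path="*" verb="*" modules="IsapiModule"
    scriptProcessor="C:\wg2\access\oblix\apps\webgate\bin\WebGate.dll" /></handlers>
 </system.webServer></location>
 <location path="SiteC"><system.webServer>
  <isapiFilters>
   <filter name="cert" path="C:\wg3\access\oblix\apps\webgate\bin\cert_authn.dll" />
   <filter name="webgate" path="C:\wg3\access\oblix\apps\webgate\bin\webgate.dll" />
  </isapiFilters>
 </system.webServer></location>
</configuration>"""

def dll_name(path):
    """Lower-cased file name of a Windows path, e.g. 'webgate.dll'."""
    return ntpath.basename(path or "").lower()

def audit(config_xml):
    """Return (site, problem) pairs for filter order and shared site roots."""
    root = ET.fromstring(config_xml)
    site_root = {}  # site name -> normalized physical path of its root directory
    for site in root.iter("site"):
        for app in site.findall("application"):
            for vdir in app.findall("virtualDirectory"):
                if app.get("path") == "/" and vdir.get("path") == "/":
                    site_root[site.get("name")] = ntpath.normcase(
                        ntpath.normpath(vdir.get("physicalPath", "")))
    findings, passthrough = [], {}
    for loc in root.iter("location"):
        site = loc.get("path")
        order = [dll_name(f.get("path")) for fs in loc.iter("isapiFilters")
                 for f in fs.findall("filter")]
        if ("cert_authn.dll" in order and "webgate.dll" in order
                and order.index("cert_authn.dll") > order.index("webgate.dll")):
            findings.append((site, "cert_authn.dll is listed after webgate.dll"))
        for handlers in loc.iter("handlers"):
            for h in handlers.findall("add"):  # wildcard script map for WebGate.dll
                if (h.get("path") == "*"
                        and dll_name(h.get("scriptProcessor")) == "webgate.dll"):
                    passthrough.setdefault(site_root.get(site), []).append(site)
    for path, sites in passthrough.items():
        if path and len(sites) > 1:
            findings.append((", ".join(sorted(sites)),
                             "WebGate wildcard script maps share physical path " + path))
    return findings

if __name__ == "__main__":
    for site, problem in audit(SAMPLE):
        print(f"{site}: {problem}")
```

Run it against a copy of the configuration file rather than the live file; the audit only reads the XML.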
You can use the following procedure to confirm IIS 7 WebGate installation.
To verify IIS 7 WebGate installation
Go to the URL:
http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1
where hostname refers to the name of the computer hosting the WebGate; port refers to the Web server instance port number.
The WebGate diagnostic page should appear.
Successful: If the WebGate diagnostic page appears, the WebGate is functioning properly and you can dismiss the page.
Unsuccessful: If the WebGate diagnostic page does not open, the WebGate is not functioning properly. In this case, the WebGate should be uninstalled and reinstalled. For more information about removing Oracle Access Manager see the OAM Installation Guide Chapter 22, then return to the chapter on installing a WebGate.
Unless explicitly stated, this topic applies equally to 32-bit and 64-bit WebGates.
This section describes how to install and configure multiple WebGates for different Web sites on the same IIS Web server instance. Several steps are manual and will differ from those that are performed when you install a single WebGate with a single IIS instance. When installing multiple WebGates for a single IIS instance:
The webgate.dll must be configured as an ISAPI filter at the individual Web site level, not the default (top) Web server level.
The /access virtual directory is mapped at the Web site level to the respective /access directory in the WebGate installation.
When configuring the impersonation DLL for multiple WebGates, you need to configure a user to act as the operating system.
There can only be one postgate.dll configured at the (top) Web Sites level of a machine. However, you might have multiple webgate.dlls configured at different levels below the top level Web Sites. If you perform multiple WebGate installations on one machine, multiple versions of the postgate.dll file might be created that can cause unusual Oracle Access Manager behavior.
Task overview: Installing and configuring multiple WebGates for a single IIS instance
Perform the following tasks, which are the same whether you install one or more WebGates per IIS Web server instance:
Unless explicitly stated, this topic applies equally to 32-bit and 64-bit WebGates.
After installing the ISAPI WebGate, there are several manual steps to perform as described here.
By default, webgate.dll is configured as an ISAPI filter at the Web sites (top) level. When installing multiple WebGates with a single IIS instance, you need to remove the respective webgate.dll from the top level and configure it for the appropriate individual Web site after each WebGate installation.
Note:
If you perform multiple WebGate installations on one machine, multiple versions of the postgate.dll file might be created which can cause unusual Oracle Access Manager behavior. The postgate.dll is not supported in environments where you have multiple WebGates configured with a single IIS v6 web server instance.
To install each WebGate when you will have several with one IIS instance
Install the ISAPI WebGate as described in Chapter 17.
Go to the Web site to protect, and configure webgate.dll as the ISAPI filter using these steps:
Start the Internet Information Services (IIS) Manager: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
Right click Web Sites, and then click the Properties option.
Click the ISAPI filter tab, look for the path to webgate.dll; if it is present in the filter, then select it and click the Remove button.
Under Web Sites, right-click the name of the Web site to protect, and select the Properties option.
Click the ISAPI filter tab to add the filter DLLs.
Add the following filter to identify the path to the webgate.dll file, and name it "webgate".
WebGate_install_dir/access/oblix/apps/webgate/bin/webgate.dll
Save and apply these changes.
Go to the Directory Security tab.
Confirm that "anonymous access" and "basic authentication" are selected so that Oracle Access Manager provides authentication for this Web server.
Save and apply these changes.
Go to Web sites level to protect and create an /access virtual directory that points to the newly installed WebGate_install_dir:
Under Web Sites, right-click the name of the Web site to be protected.
Select New and create a new virtual directory named access that points to the appropriate WebGate_install_dir/access.
Under Access Permissions, check Read, Run Scripts, and Execute.
Save and apply these changes.
In the file system, set directory permissions for Oracle Access Manager:
In the file system, locate and right-click WebGate_install_dir\access, and then select Properties.
Click the Security tab.
Add user "IUSR_machine_name" and then select "Allow" for "Modify".
For example, for a machine_name of Oracle, select IUSR_ORACLE.
Add user "IWAM_machine_name" and then select "Allow" for "Modify".
For example, for a machine_name Oracle, select IWAM_ORACLE.
Add user "IIS_WPG" and then select "Allow" for "Modify".
Add user "NETWORK SERVICE" and then select "Allow" for "Modify".
For the group "Administrators", select "Allow" for "Modify".
If WebGate has been set up in Simple or Cert mode, perform the following steps:
In the file system, locate and right-click the "password.xml" file in WebGate_install_dir\access\oblix\config\password.xml.
Click the Security tab.
Give "Allow" for "Read" rights to users "IUSR_machine_name", "IWAM_machine_name", "IIS_WPG", and "NETWORK SERVICE".
Add a new Web service extension using the following steps:
Right click Web Service Extensions, and then select Add a new Web service extension....
Add the Extension name Oracle WebGate.
Click Add to add the path to the extension file, and then enter the path to the appropriate webgate.dll.
WebGate_install_dir\access\access\oblix\apps\webgate\bin\webgate.dll
Click OK to save the changes.
Select the check box beside Set extension status to allowed.
Click OK to save the changes.
Ensure that there is no webgate.dll in the ISAPI filter at the top Web site level (“web sites”).
Perform the next set of tasks using instructions in the following topics:
Repeat these steps when you install the next WebGate for the IIS instance.
Unless explicitly stated, this topic applies equally to 32-bit and 64-bit WebGates and IIS v6.
The client's access token is known as an impersonation token. The impersonation token identifies the client, the client's groups, and the client's privileges. The information in the token is used during access checks when the thread requests access to resources on the client's behalf.
The Access System authenticates and authorizes the user. IISImpersonationExtension.dll of Oracle Access Manager in the wildcard extension behaves like a filter for each request to the Web server. The Access System designates a special user that has the right to impersonate another user; you configure it using the impersonation username/password on the AccessGate Configuration page. That designated user must have "act as operating system" rights. The DLL impersonates the user authenticated and authorized by Oracle Access Manager and generates the impersonation token.
You perform the following steps to set the impersonation DLL for each WebGate that protects a Web site for a single IIS Web server instance. You can do this either immediately after the installation task in the previous topic or all at one time.
Note:
This task must be performed for each WebGate that protects an individual Web site for a single IIS Web server instance.
To add the impersonation DLL to IIS configuration for individual Web sites
Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
Click the plus icon (+) beside the Local Computer icon in the left pane to display your Web Sites.
Click Web Service Extensions in the left pane.
Double-click WebGate in the right pane to open the Properties panel.
Click the Required Files tab.
Click Add.
In the Path to file text box, type the full path to IISImpersonationExtension.dll, and then click OK. For example:
WebGate_install_dir\access\oblix\apps\webgate\bin\IISImpersonationExtension.dll
This example shows the default path, where WebGate_install_dir is the file system directory where you have installed this particular WebGate.
Verify that the Allow button beside the WebGate icon is grayed out, which indicates that the dll is allowed to run as a Web service extension.
Right click the Web site name, and then click Properties.
Click the Home Directory tab, and then click the Configuration button.
In the list box for Wildcard application maps, click the entry for IISImpersonationExtension.dll to highlight it, then click Edit.
Ensure that the box is unchecked, and then click OK.
Repeat these steps for each WebGate and Web site pair for the IIS Web server instance.
Proceed as follows:
Client Certificate Authentication: "Enabling SSL and Client Certification for Multiple WebGates"
You perform this task to enable client certification for each WebGate that protects a Web site for a single IIS Web server instance. You can do this either immediately after adding the impersonation DLL to an individual Web site or all at one time.
Note:
Procedures in this topic apply equally to 32-bit and 64-bit WebGates, and IIS 6, unless stated otherwise.
If you select client certificate authentication during setup, you must also add the cert_authn.dll as one of the ISAPI filters in the respective Web site.
To enable SSL on the IIS v6 Web server
Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
Expand the local computer icon to display your Web Sites.
Expand the appropriate individual Web Site, then expand \access\oblix\apps\webgate\bin.
Right click cert_authn.dll and select Properties.
In the Properties panel, select the File Security tab.
In the Secure Communications sub-panel, click Edit.
In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK.
Click OK in the cert_authn.dll Properties panel.
Repeat for each WebGate installed on this host.
Proceed to the next task: "To add cert_authn.dll as an ISAPI filter".
To add cert_authn.dll as an ISAPI filter
Start the Internet Information Services console, if needed.
Expand the local computer to display your Web Sites.
Right click the appropriate Web Site to display the Properties panel.
Click the ISAPI Filters tab, then click the Add button to display the Filter Properties panel.
Enter filter name "cert_authn".
Click the Browse button and navigate to the following directory:
\WebGate_install_dir\access\oblix\apps\webgate\bin
Select cert_authn.dll as the executable.
Click OK on the Filter Properties panel.
Click Apply on the ISAPI Filters panel.
Click OK.
Repeat for each WebGate installed on this host.
Ensure the filters are listed in the correct order.
Proceed to "Confirming Multiple WebGate Installation".
This task applies equally to 32-bit and 64-bit WebGates, and IIS v6 Web servers.
If you perform multiple WebGate installations on one machine, multiple versions of the postgate.dll file might be created which can cause unusual Oracle Access Manager behavior. The postgate.dll is not supported in environments where you have multiple WebGates configured with a single IIS v6 web server instance.
This section describes how to complete installation of a 64-bit WebGate. You can skip this section if you are installing a 32-bit WebGate. In this case, see instead, "Completing WebGate Installation with IIS".
Before you start tasks here, be sure that you have completed WebGate installation according to information in Chapter 17. You must also have completed Web server configuration updates for this WebGate either automatically during WebGate installation or manually, as described in "WebGates for IIS v6".
Task overview: Finishing installation of a 64-bit WebGate
Perform steps in "Setting Access Permissions, ISAPI filters, and Directory Security Authentication".
Enable client certificates, if desired. See "Setting Client Certificate Authentication".
When finished, you can:
Confirm operations as described in "Confirming WebGate Installation on IIS"
Create a policy domain to protect this domain as described in the Oracle Access Manager Access Administration Guide.
Implement Windows Impersonation, as described in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager.
Unless explicitly stated, this topic applies equally to 32-bit and 64-bit WebGates. It describes setting access permissions for the Web site that you are using as a default.
To set or confirm access Permissions, ISAPI filters, and Directory Security Authentication
Start the Internet Service Manager. For example, from the Start menu click Programs then click Administrative Tools, and click Internet Service Manager.
Expand the local computer by clicking +, in the left panel.
Click to expand the Web Sites tab.
Right-click Default Web Site (or the site you are using as a default), and create a virtual directory as described in "Protecting a Web Site When the Default Site is Not Setup".
Right-click Web Sites in the Internet Information Services tab, click Properties, and perform the following steps:
From the Internet Information Services tab, click the Edit button.
Locate the ISAPI filter tab to confirm (or add) the filter DLLs, as follows:
Filter: If you updated the IIS Web server configuration file, webgate.dll should be properly located.
No Filter: Add the webgate.dll filter from WebGate_install_dir\oblix\access\apps\webgate\bin\webgate.dll
Save and apply any changes.
Click the Directory Security tab and confirm that both Anonymous Access and Basic Authentication are selected.
Selected: Proceed to Step 6.
Not Selected: Select Anonymous Access and Basic Authentication, then save and apply these changes.
Proceed as follows:
"Setting Client Certificate Authentication", if desired
No Client Certificate Authentication: Restart the IIS Web server.
Filter Positions: Perform instructions in "Ordering the ISAPI Filters" to ensure that all filters have been added and are in the proper order.
This task is optional and should be performed only if you want to use client certificate authentication. In this case, IIS and WebGate must be SSL-enabled.
Information in this topic is a subset of details in "Enabling Client Certificate Authentication on the IIS Web Server".
To add cert_authn.dll as an ISAPI filter
Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Service Manager.
Expand the local computer to display your Web Sites.
Right-click the Default Web Site (or the Web site that you use as a default), then expand \access\oblix\apps\webgate\bin.
Right click cert_authn.dll and select Properties, then:
In the Properties panel, select the File Security tab.
In the Secure Communications sub-panel, click Edit.
In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK.
Click OK in the Secure Communications panel.
Click OK in the cert_authn.dll Properties panel.
Click the ISAPI Filters tab, click the Add button to display the Filter Properties panel, and then:
Ensure the filters are listed in the correct order, as described in "Ordering the ISAPI Filters".
Proceed to "Confirming WebGate Installation on IIS".
After installing WebGate and updating the IIS Web server configuration file, you can use the WebGate diagnostics to verify the WebGate is properly installed.
Note:
This task is the same for both 32-bit and 64-bit WebGates. It is the same whether you are installing one or more WebGates per IIS Web server instance.
To verify WebGate installation
Go to the URL:
http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1
where hostname refers to the name of the computer hosting the WebGate; port refers to the Web server instance port number.
The WebGate diagnostic page should appear.
Successful: If the WebGate diagnostic page appears, the WebGate is functioning properly and you can dismiss the page.
Unsuccessful: If the WebGate diagnostic page does not open, the WebGate is not functioning properly. In this case, the WebGate should be uninstalled and reinstalled. For more information about removing Oracle Access Manager see "Removing a 10g WebGate from the OAM 11g Deployment" in Chapter 17, the chapter on installing a 10g WebGate.
When instructed to restart your IIS Web server during Oracle Access Manager Web component installation or setup, be sure to follow any instructions that appear on the screen. Also, consider using net stop iisadmin and net start w3svc, which are good ways to stop and start the Web server. The net commands help to ensure that the Metabase does not become corrupted following an installation.
The information in this section applies equally to 32-bit and 64-bit WebGates.
Web server configuration changes that occur during installation must be manually reverted after uninstalling the WebGate. For example, the ISAPI transfilter will be installed for IIS WebGate. However, if you uninstall WebGate this is not removed automatically. Also, the created Web service extension and the link to the identity directory will not be removed. This type of information must be removed manually. These are examples of information to remove, not a complete list.
Further, you must remove any changes that you manually made to your Web server configuration file for the WebGate. For more information about what is added for each component, look elsewhere in this chapter.
To fully remove a WebGate and related filters from IIS, you must do more than simply remove the filters from the list in IIS. IIS retains all of its settings in a metabase file. On Windows 2000 and later, this is an XML file that can be modified by hand. There is also a tool available, MetaEdit, to edit the metabase. MetaEdit looks like Regedit and has a consistency checker and a browser/editor. To fully remove a WebGate from IIS, use MetaEdit to edit the metabase.
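Two checks from this chapter, that no webgate.dll filter remains at the top Web Sites level in a multiple-WebGate setup and that nothing is left behind after an uninstall, can be run read-only against a copy of the IIS 6 metabase XML file. This is an added example, not Oracle's code; it assumes the element and attribute names of MetaBase.xml, and the site IDs and the C:\wg1 install directory are constructed.

```python
import re
import xml.etree.ElementTree as ET

# DLL names as they appear in this chapter, lower-cased for matching.
WEBGATE_DLLS = ("webgate.dll", "postgate.dll", "cert_authn.dll",
                "iisimpersonationextension.dll")

# Constructed fragment in the layout of an IIS 6 MetaBase.xml (assumption);
# site IDs and paths are invented for this example.
SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
 <MBProperty>
  <IIsWebService Location="/LM/W3SVC"
    WebSvcExtRestrictionList="1,C:\wg1\access\oblix\apps\webgate\bin\webgate.dll,1,,Oracle WebGate" />
  <IIsFilter Location="/LM/W3SVC/Filters/webgate"
    FilterPath="C:\wg1\access\oblix\apps\webgate\bin\webgate.dll" />
  <IIsFilter Location="/LM/W3SVC/2/Filters/cert_authn"
    FilterPath="C:\wg1\access\oblix\apps\webgate\bin\cert_authn.dll" />
  <IIsFilter Location="/LM/W3SVC/2/Filters/webgate"
    FilterPath="C:\wg1\access\oblix\apps\webgate\bin\webgate.dll" />
  <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT/access" Path="C:\wg1\access" />
  <IIsWebVirtualDir Location="/LM/W3SVC/3/ROOT" Path="C:\inetpub\site3" />
 </MBProperty>
</configuration>"""

def scope_of(location):
    """Classify a metabase Location as a numbered site or the top level."""
    m = re.match(r"^/LM/W3SVC/(\d+)(?:/|$)", location or "")
    return "site " + m.group(1) if m else "top level"

def find_leftovers(metabase_xml, install_dir):
    """Return (scope, element, attribute) for every attribute that still names
    a WebGate DLL or a path under install_dir."""
    needles = WEBGATE_DLLS + ((install_dir.lower(),) if install_dir else ())
    hits = []
    for el in ET.fromstring(metabase_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip the XML namespace
        for attr, value in el.attrib.items():
            if any(n in value.lower() for n in needles):
                hits.append((scope_of(el.get("Location")), tag, attr))
    return hits

def top_level_filters(metabase_xml, install_dir):
    """Filter entries above the site level, which the multi-WebGate steps forbid."""
    return [h for h in find_leftovers(metabase_xml, install_dir)
            if h[0] == "top level" and h[1] == "IIsFilter"]

if __name__ == "__main__":
    for scope, element, attribute in find_leftovers(SAMPLE_METABASE, r"C:\wg1"):
        print(f"{scope}: {element} {attribute}")
```

The listing only reports where entries remain; the edits themselves are still made with MetaEdit as described above.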