12 Changing Network Configurations

This chapter provides procedures for changing the network configuration, such as the host name, domain name, or IP address, of an Oracle Fusion Middleware host.

This chapter includes the following topics:

12.1 Changing the Network Configuration

This section describes how to change the host name, domain name, IP address, or any combination of these, of a host that contains the following installation types:

  • Oracle WebLogic Server. When you change the host name, domain name, or IP address of Oracle WebLogic Server, you also automatically change the information for Java components, such as Oracle SOA Suite and Oracle WebCenter components that are deployed to Oracle WebLogic Server.

  • Oracle Fusion Middleware Web Tier components, Oracle Web Cache and Oracle HTTP Server. You can change the host name or the IP address.

The following topics describe how to change the host name, domain name, or IP address:

12.1.1 Changing the Network Configuration of a WebLogic Managed Server

To change the host name, domain name, or IP address of a WebLogic Managed Server:

  1. Display the Administration Console, as described in Section 3.4.1.

  2. In the Change Center, click Lock & Edit.

  3. Create a machine, which is a logical representation of the computer that hosts one or more WebLogic Servers, and point it to the new host. (From the Home page, select Machines. Then, click New.) Follow the directions in the Administration Console help.

    You must disable Host Name Verification on Administration Servers that access Node Manager, as described in the Help.

  4. Change the Managed Server configuration to point to the new machine:

    1. From the left pane of the Console, expand Environment and then Servers. Then, select the name of the server.

    2. Select the Configuration tab, then the General tab. In the Machine field, select the machine to which you want to assign the server.

    3. Change Listen Address to the new host.

      Click Save.

  5. Start the Managed Server. You can use the Oracle WebLogic Server Administration Console, WLST, or the following command:

    DOMAIN_NAME/bin/startManagedWebLogic.sh managed_server_name 
              admin_url username password
    

    The Managed Server connects to the Administration Server and updates its configuration changes.

12.1.2 Changing the Network Configuration of Web Tier Components

If you change the host name, domain name or IP address of a host that contains multiple Oracle instances, you must change the network configuration of each Oracle instance that resides on that host. You do not need to make changes to any system component that resides on another host.

You can change the network configuration of Oracle HTTP Server and Oracle Web Cache by using the following command:

(UNIX) ORACLE_HOME/chgip/scripts/chgiphost.sh
(Windows) ORACLE_HOME\chgip\scripts\chgiphost.bat

The format of the command is:

chgiphost.sh | chgiphost.bat 
             [-noconfig] [-version] [-help]
             [ -oldhost old_host_name -newhost new_host_name] 
             [-oldip old_IP_address -newip new_IP_address] 
              -instanceHome Instance_path

The parameters have the following meanings:

  • noconfig: The default for changing the network parameters.

  • version: Displays the version of the chgiphost tool.

  • help: Displays help for the command.

  • oldhost: The fully qualified name of the old host. Use this parameter, with newhost, to change the host name or domain name, or both.

  • newhost: The fully qualified name of the new host. Use this parameter, with oldhost, to change the host name or domain name, or both.

  • oldip: The old IP address.

  • newip: The new IP address.

  • instanceHome: The full path of the Oracle instance.

For example, to change the host name, domain name, and IP address of a host that contains either Oracle HTTP Server or Oracle Web Cache, or both, take the following steps:

Task 1   Prepare Your Host

Prepare your host for the change:

  1. Perform a backup of your environment before you start this procedure. See Chapter 14.

  2. Shut down all Oracle Fusion Middleware processes. See Chapter 4.

Task 2   Change the Hostname, Domain Name, or IP Address

Update your operating system with the new hostname, domain name, IP address, or any combination of these. Consult your operating system documentation for information on how to perform the following steps.

  1. Make the updates to your operating system to properly change the host name, domain name, or IP address.

  2. Restart the host, if necessary for your operating system.

  3. Verify that you can ping the host from another host in your network. Be sure to ping using the new hostname to make sure everything is resolving properly.

Task 3   Run the chgiphost Command

Follow these steps for each Oracle instance that contains Oracle HTTP Server or Oracle Web Cache on your host. Be sure to complete the steps entirely for one Oracle instance before you move on to the next.

  1. Log in to the host as the user that installed Oracle Fusion Middleware.

  2. Run the chgiphost command.

    The following example changes the host name from host_a to host_b and the domain name from dom_1 to dom_2 for an Oracle instance named inst_a. It also changes the IP address:

    chgiphost.sh  -noconfig
                 -oldhost host_a.dom_1 -newhost host_b.dom_2 
                 -oldip old_IP_address -newip new_IP_address 
                 -instanceHome /scratch/Oracle/Middleware/inst_a
    
Task 4   Restart Processes

Restart all Oracle Fusion Middleware processes. See Chapter 4.

12.2 Changing the IP Address of a Metadata Repository Installation

This section describes how to change the IP address of a host that contains a metadata repository.

The following sections describe the procedure:

Task 1   Stop All Oracle Fusion Middleware Components

Stop all components that use the Metadata Repository, even if they are on other hosts. Stop the Administration Server, the Managed Servers, and all components, as described in Chapter 4.

Task 2   Shut Down the Database

Prepare your host for the change by stopping the database:

  1. Set the ORACLE_HOME and ORACLE_SID environment variables.

  2. Shut down the listener and database:

    lsnrctl stop
    
    sqlplus /nolog
    SQL> connect SYS as SYSDBA
    SQL> shutdown
    SQL> quit
    
  3. Verify that all Oracle Fusion Middleware processes have stopped.

  4. To make sure Oracle Fusion Middleware processes do not start automatically after a restart of the host, disable any automated startup scripts you may have set up, such as /etc/init.d scripts.

Task 3   Change the IP Address

Update your operating system with the new IP address, restart the host, and verify that the host is functioning properly on your network. Consult your operating system documentation for information on how to perform the following steps:

  1. Make the updates to your operating system to properly change the IP address.

  2. Restart the host, if required by your operating system.

  3. Verify that you can ping the host from another host in your network. Be sure to ping using the new IP address to make sure everything is resolving properly.

Task 4   Start the Database

Start the database:

  1. Log in to the host as the user that installed the database.

  2. Set the ORACLE_HOME and ORACLE_SID environment variables.

  3. On UNIX systems, set the LD_LIBRARY_PATH, LD_LIBRARY_PATH_64, LIB_PATH, or SHLIB_PATH environment variables to the proper values, as shown in Table 3-1. The actual environment variables and values that you must set depend on the type of your UNIX operating system.

  4. Start the database and listener:

    sqlplus /nolog
    SQL> connect SYS as SYSDBA
    SQL> startup
    SQL> quit
    
    lsnrctl start
    
Task 5   Change the System Data Source

If you use the IP address in the data source definition, change the system data source to use the new IP address for the metadata repository. To do so, you use Oracle WebLogic Server Administration Console:

  1. In the Change Center, click Lock & Edit.

  2. In the Domain Structure section, expand Services, then JDBC, and select Data Sources.

    The Summary of JDBC Data Sources page is displayed.

  3. Select the data source you want to change.

    The Settings page is displayed.

  4. Select the Connection Pool tab.

  5. To change the IP address, modify the URL field. For example:

    jdbc:oracle:thin:@hostname.domainname.com:1522/orcl
    
  6. Click Save.

  7. Restart the servers that use this data source. (Click the Target tab to see the servers that use this data source.)

Task 6   Restart Your Environment

Start the components that use the Metadata Repository:

  1. Start all components that use the Metadata Repository, even if they are on other hosts. Start the Administration Server, the Managed Servers, and all components, as described in Chapter 4.

  2. If you disabled any processes for automatically starting Oracle Fusion Middleware at the beginning of this procedure, enable them.

12.3 Moving Between On-Network and Off-Network

This section describes how to move an Oracle Fusion Middleware host on and off the network. The following assumptions and restrictions apply:

  • The host must contain an instance that does not use an Infrastructure, or both the middle-tier instance and Infrastructure must be on the same host.

  • DHCP must be used in loopback mode. Refer to Oracle Fusion Middleware Installation Planning Guide for more information.

  • Only IP address change is supported; the host name must remain unchanged.

  • Hosts in DHCP mode should not use the default host name (localhost.localdomain). The hosts should be configured to use a standard host name and the loopback IP should resolve to that host name.

  • A loopback adapter is required for all off-network installations (DHCP or static IP). Refer to Oracle Fusion Middleware Installation Planning Guide for more information.

12.3.1 Moving from Off-Network to On-Network (Static IP Address)

This procedure assumes you have installed Oracle Fusion Middleware on a host that is off the network, using a standard host name (not localhost), and would like to move on the network and use a static IP address. The IP address may be the default loopback IP, or any standard IP address.

To move on to the network, you can simply connect the host to the network. No updates to Oracle Fusion Middleware are required.

12.3.2 Moving from Off-Network to On-Network (DHCP)

This procedure assumes you have installed on a host that is off the network, using a standard host name (not localhost), and would like to move on the network and use DHCP. The IP address of the host can be any static IP address or loopback IP address, and should be configured to the host name.

To move on to the network:

  1. Connect the host to the network using DHCP.

  2. Configure the host name to the loopback IP address only.

12.3.3 Moving from On-Network to Off-Network (Static IP Address)

Follow this procedure if your host is on the network, using a static IP address, and you would like to move it off the network:

  1. Configure the /etc/hosts file so the IP address and host name can be resolved locally.

  2. Take the host off the network.

  3. There is no need to perform any steps to change the host name or IP address.

12.4 Changing Between a Static IP Address and DHCP

This section describes how to change between a static IP address and DHCP. The following assumptions and restrictions apply:

  • The host must contain all Oracle Fusion Middleware components, including Identity Management components, and any metadata repository associated with those components. That is, the entire Oracle Fusion Middleware environment must be on the host.

  • DHCP must be used in loopback mode. Refer to Oracle Fusion Middleware Installation Planning Guide for more information.

  • Only IP address change is supported; the host name must remain unchanged.

  • Hosts in DHCP mode should not use the default host name (localhost.localdomain). The hosts should be configured to use a standard host name and the loopback IP should resolve to that host name.

12.4.1 Changing from a Static IP Address to DHCP

To change a host from a static IP address to DHCP:

  1. Configure the host to have a host name associated with the loopback IP address before you convert the host to DHCP.

  2. Convert the host to DHCP. There is no need to update Oracle Fusion Middleware.
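
A pre-conversion check for step 1, as an added example that is not part of the original guide: it reads an /etc/hosts-style file and reports when the host name is the default one or does not map to a loopback address. The function name and the sample files are constructed; treating 127.0.0.0/8 and ::1 as "loopback" is an assumption.

```python
import ipaddress

# Constructed /etc/hosts contents; names and addresses are placeholders.
SAMPLE_HOSTS = """\
127.0.0.1   localhost.localdomain localhost
192.0.2.15  fmwhost.example.com fmwhost   # static address still in use
"""

FIXED_HOSTS = """\
127.0.0.1   fmwhost.example.com fmwhost localhost.localdomain localhost
"""

DEFAULT_NAMES = {"localhost", "localhost.localdomain"}


def check_loopback_mapping(hosts_text, host_name):
    """Return a list of problems with how host_name is mapped in hosts_text."""
    problems = []
    wanted = host_name.lower()
    if wanted in DEFAULT_NAMES:
        problems.append(f"{host_name} is the default host name; use a standard host name")

    mapped = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        if wanted in (name.lower() for name in fields[1:]):
            mapped.append(address)

    if not mapped:
        problems.append(f"{host_name} has no entry and cannot be resolved locally")
    elif not any(address.is_loopback for address in mapped):
        listed = ", ".join(str(address) for address in mapped)
        problems.append(f"{host_name} maps to {listed}, not to a loopback address")
    return problems


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_HOSTS), ("after", FIXED_HOSTS)):
        print(label, check_loopback_mapping(text, "fmwhost.example.com"))
```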

12.4.2 Changing from DHCP to a Static IP Address

To change a host from DHCP to a static IP address:

  1. Configure the host to use a static IP address.

  2. There is no need to update Oracle Fusion Middleware.

12.5 Using IPv6

Oracle Fusion Middleware supports Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6). Among other features, IPv6 supports a larger address space (128 bits) than IPv4 (32 bits), providing an exponential increase in the number of computers that can be addressed on the Web.

An IPv6 address is expressed as 8 groups of 4 hexadecimal digits. For example:

2001:0db8:85a3:08d3:1319:8a2e:0370:7334

Table 12-1 describes support for IPv6 by Oracle Fusion Middleware components. In the table:

  • The column IPv6 Only shows whether or not a component supports using IPv6 only for all communication.

  • The column Dual Stack shows whether or not a component supports using both IPv6 and IPv4 for communication. For example, some components do not support using IPv6 only, because some of the communication is with the Oracle Database, which supports IPv4, not IPv6. Those components might support dual stack, allowing for IPv6 communication with other components.

Table 12-1 Support for IPv6

| Component | IPv6 Only | Dual Stack | Notes |
|---|---|---|---|
| Oracle WebLogic Server | Yes | Yes | Most Oracle WebLogic Server plug-ins do not support IPv6. IPv6 is enabled with Oracle HTTP Server with the mod_wl_ohs plug-in. |
| Oracle HTTP Server | Yes | Yes | To configure for IPv6, see Section 12.5.2. |
| Oracle Web Cache | Yes | Yes | Enabled by default. To disable, see Section 12.5.3. |
| Oracle SOA Suite | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. |
| Oracle WebCenter | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. |
| ADF | Yes | Yes | |
| Oracle Directory Integration Platform | Yes | Yes | Uses JNDI to communicate with LDAP servers and uses data sources to communicate with the database. JNDI and data sources (JDBC) support IPv6. No additional configuration is necessary. |
| Oracle Directory Services Manager | Yes | Yes | Uses JNDI to communicate with LDAP servers and uses data sources to communicate with the database. JNDI and data sources (JDBC) support IPv6. No additional configuration is necessary. |
| Oracle Identity Federation | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. |
| Oracle Internet Directory | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. See "Managing IP Addresses" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. |
| Oracle Platform Security Services | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. |
| Oracle Virtual Directory | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. See Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory. |
| Oracle Single Sign-On Server | No | No | Uses Oracle HTTP Server proxy, which can be configured for IPv6. Oracle Single Sign-On must be Release 10.1.4.3. See Section 12.5.4. |
| Oracle Portal | No | No | Uses Oracle HTTP Server reverse proxy to communicate with Oracle HTTP Server or Oracle Web Cache, which can be configured for IPv6. See "Configuring Reverse Proxy Servers" in the Oracle Fusion Middleware Administrator's Guide for Oracle Portal for more information. |
| Oracle Forms Services | No | No | Uses reverse proxy to communicate with Oracle HTTP Server or Oracle Web Cache, which can be configured for IPv6. |
| Oracle Reports | No | No | Uses reverse proxy to communicate with Oracle HTTP Server or Oracle Web Cache, which can be configured for IPv6. |
| Oracle Business Intelligence Discoverer | No | No | Uses reverse proxy to communicate with Oracle HTTP Server or Oracle Web Cache, which can be configured for IPv6. |


The following topics provide more information about Oracle Fusion Middleware support for IPv6:

12.5.1 Supported Topologies for IPv4 and IPv6 Network Protocols

The following topologies for IPv4 and IPv6 are supported (dual-stack means that the host is configured with both IPv4 and IPv6):

  • Topology A:

    • Oracle Database on IPv4 protocol host

    • Oracle WebLogic Server on dual-stack host

    • Clients on IPv4 protocol host

    • Clients on IPv6 protocol host

  • Topology B:

    • Oracle Database on IPv4 protocol host

    • One or more of the following components on dual-stack hosts: Oracle WebLogic Server, Oracle SOA Suite, Oracle WebCenter, Oracle Business Activity Monitoring, Fusion Middleware Control

    • Oracle HTTP Server with mod_wl_ohs on IPv6 protocol host

  • Topology C:

    • Database, such as MySQL, that supports IPv6 on IPv6 protocol host

    • Oracle WebLogic Server on IPv6 protocol host

    • Clients on IPv6 protocol host

  • Topology D:

    • Oracle Database on IPv4 protocol host

    • One or more of the following components on dual-stack hosts: Identity Management, Oracle SOA Suite, Oracle WebCenter, Oracle Business Activity Monitoring, Fusion Middleware Control

    • Clients on IPv4 protocol host

    • Clients on IPv6 protocol host

  • Topology E:

    • Oracle Database on IPv4 protocol host

    • One or more of the following components on IPv4 protocol host: Oracle Portal, Oracle Forms Services, Oracle Reports, Oracle Business Intelligence Discoverer, and Oracle Single Sign-On Release 10.1.3.4

    • Oracle HTTP Server with mod_proxy on dual-stack host

    • Clients on IPv6 protocol host

  • Topology F:

    • Oracle Access Manager Release 10.1.4.3 and applications, such as SOA composite applications on IPv4 protocol host

    • Oracle HTTP Server with mod_proxy on dual-stack host

    • Clients on IPv6 protocol host

  • Topology G:

    • Oracle Database on IPv4 protocol host

    • One or more of the following components on IPv4 protocol host: Oracle SOA Suite, Oracle WebCenter, Oracle Business Activity Monitoring, Fusion Middleware Control

    • Oracle HTTP Server with mod_wl_ohs on dual-stack host

    • Clients on IPv6 protocol host

See Also:

The section "Using IPv6" in the Oracle Fusion Middleware Administrator's Guide

12.5.2 Configuring Oracle HTTP Server for IPv6

To configure Oracle HTTP Server to communicate using IPv6, you modify configuration files in the following directory:

ORACLE_INSTANCE/config/OHS/ohs_name

For example, to configure Oracle HTTP Server to communicate with Oracle WebLogic Server on hosts that are running IPv6, you configure mod_wl_ohs. You edit the configuration files in the following directory:

ORACLE_INSTANCE/config/OHS/ohs_name

In the files, specify either the resolvable host name or the IPv6 address in one of the following parameters:

WebLogicHost hostname | [IPaddress]
WebLogicCluster [IPaddress_1]:portnum1, [IPaddress_2]:portnum2, [IPaddress_3]:portnum3, ...

You must enclose the IPv6 address in brackets.

Any errors are logged in the Oracle HTTP Server logs. To generate more information, set the mod_weblogic directives Debug All and WLLogFile path. Doing so will log module-specific messages.

Note the following limitations:

  • Dynamic clusters are supported only on IPv4 nodes, or in a mixed cluster where each node is configured with a resolvable host name (instead of an IP address or a blank) in the Listen Address.

    To change the Listen Address, use the Oracle WebLogic Server Administration Console and edit the Listen Address in the Server: Configuration: General page, as described in the Oracle WebLogic Server Administration Console help.

  • If the cluster contains IPv6 nodes and the host names are not resolvable, the cluster must be static, not dynamic. To set the cluster to static, change the DynamicServerList to Off. If you add or delete any cluster members, you must manually update the configuration file and restart Oracle HTTP Server.

    To change the DynamicServerList to Off, edit the Oracle HTTP Server configuration files.
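
A check for the bracket rule and the static-cluster limitation above, as an added example rather than Oracle's own tooling. It assumes one directive per line and uses WebLogicCluster as the mod_wl_ohs cluster directive name; the sample configurations, addresses and function names are constructed.

```python
import ipaddress
import re

# Constructed samples. Addresses use the 2001:db8::/32 documentation prefix
# and the host name is a placeholder; none of these values are from the guide.
SAMPLE_CONF = """\
<IfModule weblogic_module>
  WebLogicCluster [2001:db8::10]:7003,2001:db8::11:7003,wls3.example.com:7003
  DynamicServerList ON
</IfModule>
"""

FIXED_CONF = """\
<IfModule weblogic_module>
  WebLogicCluster [2001:db8::10]:7003,[2001:db8::11]:7003,wls3.example.com:7003
  DynamicServerList OFF
</IfModule>
"""

BRACKETED = re.compile(r"^\[([^\]]+)\](?::(\d+))?$")


def check_endpoint(entry):
    """Classify one host[:port] entry; return (kind, problem or None)."""
    match = BRACKETED.match(entry)
    if match:
        try:
            ipaddress.IPv6Address(match.group(1))
        except ValueError:
            return "ipv6", f"{entry}: text inside the brackets is not an IPv6 address"
        return "ipv6", None
    if entry.count(":") > 1:
        # Without brackets the last group cannot be told apart from a port:
        # 2001:db8::11:7003 is itself a well-formed IPv6 address.
        return "ipv6", f"{entry}: IPv6 address must be enclosed in brackets"
    host = entry.split(":", 1)[0]
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return "hostname", None
    return "ipv4", None


def check_conf(text):
    """Return a list of problems found in mod_wl_ohs directives in text."""
    problems, kinds, dynamic = [], set(), None
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2:
            continue
        name, value = parts[0].lower(), parts[1].strip()
        if name == "dynamicserverlist":
            dynamic = value.lower()
            continue
        if name == "weblogichost":
            entries = [value]
        elif name == "weblogiccluster":
            entries = [e.strip() for e in value.split(",") if e.strip()]
        else:
            continue
        for entry in entries:
            kind, problem = check_endpoint(entry)
            kinds.add(kind)
            if problem:
                problems.append(problem)
    # Limitation from the text: IPv6 nodes addressed by literal rather than by
    # resolvable host name require a static cluster.
    if "ipv6" in kinds and dynamic != "off":
        problems.append("IPv6 address literals in use: set DynamicServerList to Off")
    return problems


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(label, check_conf(conf))
```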

12.5.3 Disabling IPv6 Support for Oracle Web Cache

By default, IPv6 support is enabled for Oracle Web Cache. You can disable it in the webcache.xml file, which is located in the following directory:

(UNIX) ORACLE_INSTANCE/config/WebCache/webcache_name
(Windows) ORACLE_INSTANCE\config\WebCache\webcache_name

In the file, change the value of the IPV6 element to "No". For example:

<IPV6 enabled="NO"/>

12.5.4 Configuring Oracle Single Sign-On to Use Oracle HTTP Server with IPv6

Oracle Single Sign-On Server supports IPv4. However, you can configure Oracle Single Sign-On Server to work with clients that support IPv6 by setting up a proxy server and a reverse proxy.

The steps in this section assume that you have installed Oracle Single Sign-On Server Release 10.1.4.3 and a proxy server such as Oracle HTTP Server that acts as a front end to the Oracle Single Sign-On Server.

Take the following steps to configure Oracle Single Sign-On to work with clients that support IPv6:

  1. Enable the proxy server:

    1. Run the ssocfg script on the single sign-on middle tier. This script changes the host name stored in the single sign-on server to the proxy host name. Use the following command syntax, entering values for the protocol, host name, and port of the proxy server:

      (UNIX) $ORACLE_HOME/sso/bin/ssocfg.sh http proxy_server_name proxy_port
      (Windows) %ORACLE_HOME%\sso\bin\ssocfg.bat http proxy_server_name proxy_port
      
    2. Update the targets.xml file on the single sign-on middle tier. The file is located in:

      (UNIX) ORACLE_HOME/sysman/emd
      (Windows) ORACLE_HOME\sysman\emd
      

      Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:

      • HTTPMachine—the HTTP server host name

      • HTTPPort—the SSL port number of the Oracle HTTP server

      • HTTPProtocol—the server protocol

    3. Add the lines that follow to the httpd.conf file on the single sign-on middle tier. The file is at ORACLE_HOME/Apache/Apache/conf. These lines change the directive ServerName from the name of the actual server to the name of the proxy:

      KeepAlive off 
      ServerName proxy_host_name
      Port proxy_port
      

      Note that if you are using SSL, the port must be an SSL port such as 4443.

    4. (SSL only) If you have configured SSL communication between just the browser and the proxy server, configure mod_certheaders on the middle tier. This module enables the Oracle HTTP Server to treat HTTP proxy requests that it receives as SSL requests. Add the lines that follow to httpd.conf. You can place them at the end of the file. Where they appear is unimportant.

      Enter this line to load the module:

      (UNIX) LoadModule certheaders_module libexec/mod_certheaders.so
      (Windows) LoadModule certheaders_module modules/ApacheModuleCertHeaders.dll
      

      If you are using Oracle Web Cache as a proxy, enter this line:

      AddCertHeader HTTPS
      

      If you are using a proxy other than Oracle Web Cache, enter this line:

      SimulateHttps on
      
    5. Reregister mod_osso on the single sign-on middle tier. This step configures mod_osso to use the proxy host name instead of the actual host name. For example, on Linux:

      $ORACLE_HOME/sso/bin/ssoreg.sh 
         -oracle_home_path ORACLE_HOME
         -site_name example.mydomain.com
         -config_mod_osso TRUE
         -mod_osso_url http://example.mydomain.com
      
    6. Update the Distributed Configuration Management schema:

      ORACLE_HOME/dcm/bin/dcmctl updateconfig
      
    7. Restart the single sign-on middle tier:

      ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
      ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
      
    8. Log in to the single sign-on server, using the single sign-on login URL:

      http://proxy_host_name:proxy_port/sso/
      

      This URL takes you to the single sign-on home page. If you are able to log in, you have configured the proxy correctly.

  2. If you have not already done so, install Oracle HTTP Server 11g Release 1 (11.1.1) to use as a reverse proxy for IPv6.

  3. Change the Oracle HTTP Server 11g Release 1 (11.1.1) configuration to enable reverse proxy:

    1. Stop Oracle HTTP Server:

      opmnctl stopproc ias-component=component_name
      
    2. Edit the following file:

      (UNIX) ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
      (Windows) ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
      

      Append the following to the httpd.conf file:

      #---Added for Mod Proxy
      ProxyRequests Off
       
      <Proxy *>
      Order deny,allow
      Allow from all
      </Proxy>
       
      ProxyPass /sso http://OHS_host:OHS_port/sso
      ProxyPass / http://OHS_host:OHS_port/
      ProxyPassReverse / http://OHS_host:OHS_port/
      ProxyPreserveHost On
      

      In the example, OHS_host and OHS_port are the host name and port of the front-end server for Oracle Single Sign-On, discussed in Step 1.

    3. Restart the Oracle HTTP Server. For example, to restart ohs1:

      opmnctl startproc ias-component=ohs1
      

12.5.5 Configuring Oracle Access Manager Support for IPv6

Oracle Access Manager supports Internet Protocol Version 4 (IPv4). Oracle Fusion Middleware supports Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6). IPv6 is enabled with Oracle HTTP Server with the mod_wl_ohs plug-in.

You can configure Oracle Access Manager to work with clients that support IPv6 by setting up a reverse proxy server. Several scenarios are provided here. Be sure to choose the right configuration for your environment.

12.5.5.1 Simple Authentication with IPv6

Figure 12-1 illustrates simple authentication with Oracle Access Manager configured to use the IPv6/IPv4 proxy.

Note:

In a WebGate profile, an IPv6 address cannot be specified. In a WebGate profile, the virtual host name must be specified as a host name, for example, myapphost.foo.com, not as an IP address.

Figure 12-1 Simple Authentication with the IPv6/IPv4 Proxy


As illustrated in Figure 12-1, the IPv6 network communicates with the IPv6/IPv4 proxy, which in turn communicates with the Oracle HTTP Server and WebGate using IPv4. WebGate, Oracle Access Manager servers, and Oracle WebLogic Server with the Authentication provider all communicate with each other using IPv4.

12.5.5.2 Configuring IPv6 with an Authenticating WebGate and Challenge Redirect

Figure 12-2 illustrates configuration with a single IPv6 to IPv4 proxy (even though myssohost and myapphost could use separate proxies).

Note:

In a WebGate profile, the virtual host name must be specified as a host name, for example, myapphost.foo.com, not as an IP address. The redirect host name, for example, myssohost.foo.com must also be specified as a host name and not an IP address. The IPv6 address cannot be specified in a WebGate profile.

Figure 12-2 IPv6 with an Authenticating WebGate and Challenge Redirect


As illustrated in Figure 12-2, the IPv6 network communicates with the IPv6/IPv4 proxy, which in turn communicates with the Oracle HTTP Server using IPv4. WebGate, Oracle Access Manager server, and Oracle WebLogic Server with the Identity Asserter all communicate with each other using IPv4.

You should be able to access the application from a browser on the IPv4 network by going directly to the IPv4 server host name, and have the login redirect to the IPv6 host myssohost.foo.com.

12.5.5.3 Considerations

The following considerations apply to each intended usage scenario:

  • IP validation does not work by default. To enable IP validation, you must add the IP address of the Proxy server as the WebGate's IPValidationException parameter value in the Access System Console.

  • IP address-based authorization does not work: all requests arrive from a single IP address (the proxy's), so an address-based rule cannot serve its purpose.

12.5.5.4 Prerequisites

Regardless of the manner in which you plan to use Oracle Access Manager with IPv6 Clients, the following tasks should be completed before you start:

  • Install an Oracle HTTP Server instance to act as a reverse proxy to the Web server (required for WebGate).

  • Install and complete the initial set up of Oracle Access Manager (Identity Server, WebPass, Policy Manager, Access Server, WebGate) as described in Oracle Access Manager Access Administration Guide.

12.5.5.5 Configuring IPv6 with Simple Authentication

Configuring your environment for simple authentication with Oracle Access Manager using the IPv6/IPv4 proxy is described in the procedure in this section. See Figure 12-1 for a depiction of this scenario.

The configuration in this procedure is an example only. In the example, OHS_host and OHS_port are the host name and port of the actual Oracle HTTP Server with WebGate. You must use values for your environment.

Note:

For this configuration you must use the Web server on which the WebGate is deployed as the Preferred HTTP host in the WebGate profile. You cannot use the IPv6 proxy name.

To configure IPv6 with simple authentication:

  1. Configure Oracle HTTP Server 11g Release 1 (11.1.1) or any other server to enable reverse proxy:

    1. Stop Oracle HTTP Server with the following command:

      opmnctl stopproc ias-component=component_name
      
    2. Edit the following file:

      (UNIX) ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
      (Windows) ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
      
    3. Append the following to the httpd.conf file:

      #---Added for Mod Proxy
      <IfModule mod_proxy.c>
      
      ProxyRequests Off
      ProxyPreserveHost On
      
      ProxyPass / http://OHS_host:OHS_port/
      ProxyPassReverse / http://OHS_host:OHS_port/
      
      </IfModule>
      
    4. Restart Oracle HTTP Server using the following command:

      opmnctl startproc ias-component=component_name
      
  2. Log in to the Access System Console. For example:

    http://hostname:port/access/oblix
    

    In the example, hostname refers to the computer that hosts the WebPass Web server; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix connects to the Access System Console.

    The Access System main page appears.

  3. Click Access System Configuration, and then click AccessGate Configuration.

    The Search for AccessGates page appears. The Search list contains a selection of attributes that can be searched. Remaining fields allow you to specify search criteria that are appropriate for the selected attribute.

  4. Select the search attribute and condition from the lists (or click All to find all AccessGates), and then click Go.

  5. Click an AccessGate's name to view its details.

  6. Click Modify.

  7. For Preferred HTTP Host, specify the Web server name on which WebGate is deployed as it appears in all HTTP requests. The host name within the HTTP request is translated into the value entered into this field regardless of the way it was defined in a user's HTTP request.

  8. To enable IP validation, add the IP address of the proxy server as the value of the IPValidationException parameter.

  9. Click Save.
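
A lint for the reverse-proxy lines appended to httpd.conf in step 1 (and in Section 12.5.4), as an added example that is not part of the original guide. It checks that forward proxying stays off, that each ProxyPass and ProxyPassReverse has a path and a URL as separate arguments, and that every backend has a reverse mapping; the function names and sample host names are constructed.

```python
from urllib.parse import urlsplit

# Constructed samples; ohs1.example.com:7777 is a placeholder backend.
BAD_CONF = """\
#---Added for Mod Proxy
<IfModule mod_proxy.c>
ProxyRequests On
ProxyPreserveHost On
ProxyPass /http://ohs1.example.com:7777/
ProxyPassReverse / http://ohs1.example.com:7777/
</IfModule>
"""

GOOD_CONF = """\
#---Added for Mod Proxy
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://ohs1.example.com:7777/
ProxyPassReverse / http://ohs1.example.com:7777/
</IfModule>
"""


def backend_of(url):
    """Return (scheme, host:port) for an http(s) URL, or None if malformed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.scheme, parts.netloc.lower()


def lint_reverse_proxy(conf_text):
    """Return a list of findings for the mod_proxy directives in conf_text."""
    findings = []
    settings = {}
    backends = {"proxypass": set(), "proxypassreverse": set()}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "<")):
            continue  # comments and container tags
        name, *args = line.split()
        key = name.lower()
        if key in ("proxyrequests", "proxypreservehost"):
            settings[key] = args[0].lower() if args else ""
        elif key in backends:
            backend = backend_of(args[1]) if len(args) >= 2 else None
            if backend is None or not args[0].startswith("/"):
                # Catches a path and URL run together, e.g. "/http://host/".
                findings.append(
                    f"line {lineno}: {name} needs a path and an http(s) URL "
                    "as separate arguments"
                )
            else:
                backends[key].add(backend)
    if settings.get("proxyrequests") != "off":
        findings.append(
            "ProxyRequests is not explicitly Off; On makes the server a forward proxy"
        )
    if settings.get("proxypreservehost") != "on":
        findings.append("ProxyPreserveHost is not On, unlike the configuration shown here")
    for scheme, netloc in sorted(backends["proxypass"] - backends["proxypassreverse"]):
        findings.append(f"no ProxyPassReverse covers backend {scheme}://{netloc}")
    return findings


if __name__ == "__main__":
    for label, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(label, lint_reverse_proxy(conf))
```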

12.5.5.6 Configuring IPv6 with an Authenticating WebGate and Challenge Redirect

Use the procedure in this section to configure your environment to use Oracle Access Manager with the IPv6/IPv4 proxy and an authenticating WebGate and challenge redirect. Figure 12-2 shows a depiction of this scenario.

The following procedure presumes a common proxy for both form-based authentication and the resource WebGate. For example, suppose you have the following configuration:

  • Resource WebGate is installed on http://myapphostv4.foo.com/

  • Resource is on http://myapphostv4.foo.com/testing.html

  • Authenticating WebGate is on http://myssohostv4.foo.com/

  • Login form is http://myssohostv4.foo.com/oamsso/login.html

  • Reverse Proxy URL is http://myapphost.foo.com/

Note:

For this configuration, the Preferred HTTP host must be the name of the Oracle HTTP Server Web server that is configured for this WebGate. For instance, a WebGate deployed on myapphostv4.foo.com must use myapphostv4.foo.com as the Preferred HTTP host. You cannot use the IPv6 proxy name.

In the following procedure, you configure the Oracle HTTP Server, configure WebGate profiles to use the corresponding Oracle HTTP Server as the Preferred HTTP host, and configure the form-based authentication scheme with a challenge redirect value of the reverse proxy server URL (http://myapphost.foo.com/ in this example).

Be sure to use values for your own environment.

To configure IPv6 with an authenticating WebGate and challenge redirect:

  1. Configure Oracle HTTP Server 11g Release 1 (11.1.1) or any other server, as follows:

    1. Stop Oracle HTTP Server with the following command:

      opmnctl stopproc ias-component=component_name
      
    2. Edit the following file:

      UNIX: ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
      Windows: ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
      
    3. Append the following information for your environment to the httpd.conf file. For example:

      <IfModule mod_proxy.c>
      # Reverse proxy only: ProxyPass does not need forward proxying, so keep it off
      ProxyRequests Off
      ProxyPreserveHost On
      # Redirect login form requests and redirection requests to Authentication WebGate

      ProxyPass /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi
      ProxyPassReverse /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi

      ProxyPass /oamsso/login.html http://myssohostv4.foo.com/oamsso/login.html
      ProxyPassReverse /oamsso/login.html http://myssohostv4.foo.com/oamsso/login.html

      ProxyPass /access/sso http://myssohostv4.foo.com/access/sso
      ProxyPassReverse /access/sso http://myssohostv4.foo.com/access/sso

      # Redirect resource requests to Resource WG
      ProxyPass / http://myapphostv4.foo.com/
      ProxyPassReverse / http://myapphostv4.foo.com/
      
      </IfModule>
      
    4. Restart Oracle HTTP Server using the following command:

      opmnctl startproc ias-component=component_name
      
  2. In the Access System Console, set the Preferred HTTP host for each WebGate as follows:

    1. Log in to the Access System Console. For example:

      http://hostname:port/access/oblix
      

      In the example, hostname refers to the computer that hosts the WebPass Web server; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix connects to the Access System Console.

      The Access System main page appears.

    2. Click Access System Configuration, and then click AccessGate Configuration.

      The Search for AccessGates page appears. The Search list contains a selection of attributes that can be searched. Remaining fields allow you to specify search criteria that are appropriate for the selected attribute.

    3. Select the search attribute and condition from the lists (or click All to find all AccessGates), and then click Go.

    4. Click an AccessGate's name to view its details.

    5. Click Modify.

    6. For Preferred HTTP Host, specify the name of the Oracle HTTP Server Web server that is configured for this WebGate. For instance, a WebGate deployed on myapphostv4.foo.com must use myapphostv4.foo.com as the Preferred HTTP host.

    7. To enable IP validation, add the IP address of the Proxy server as the value of the IPValidationException parameter.

    8. Click Save.

    9. Repeat for each WebGate and specify the name of the Oracle HTTP Server Web server that is configured for this WebGate.

  3. From the Access System Console, modify the Form authentication scheme to include a challenge redirect to the Proxy server, as follows:

    1. Click Access System Configuration, and then click Authentication Management.

    2. Click the name of the scheme to modify, and then click Modify.

    3. Configure the challenge redirect value to the Proxy server URL. In this example, the Proxy server URL is http://myapphost.foo.com/

    4. Click Save.
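
An added example, not part of the Oracle documentation: a Python check for the mod_proxy fragment appended to httpd.conf in step 1. The function name lint_mod_proxy and the sample fragment are constructed for illustration; the check flags forward proxying left on, ProxyPass arguments that are not a local path followed by a backend URL, and ProxyPassReverse lines that do not mirror their ProxyPass.

```python
from urllib.parse import urlsplit

# Constructed sample: a fragment containing the three mistakes the checker looks for.
SAMPLE = """\
<IfModule mod_proxy.c>
ProxyRequests On
ProxyPreserveHost On
ProxyPass /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi
ProxyPassReverse /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi
ProxyPass /oamsso/login.html http://myssohostv4.foo.com/oamsso/login.html
ProxyPassReverse /oamsso/login.html http://myssohostv4.foo.com/oamsso/login
ProxyPass /http://myapphostv4.foo.com /
</IfModule>
"""

def lint_mod_proxy(conf_text):
    """Return a list of (line_number, message) findings for a mod_proxy fragment."""
    findings, passes, reverses = [], {}, {}
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # skip blanks, comments and container tags
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name == "proxyrequests" and args[:1] and args[0].lower() == "on":
            findings.append((n, "ProxyRequests On enables forward proxying; a reverse proxy needs Off"))
        elif name in ("proxypass", "proxypassreverse"):
            # First argument is a local URL path, second is an http(s) backend URL.
            ok = (len(args) >= 2 and args[0].startswith("/") and "://" not in args[0]
                  and urlsplit(args[1]).scheme in ("http", "https")
                  and urlsplit(args[1]).netloc)
            if not ok:
                findings.append((n, f"{parts[0]}: expected '<local-path> <backend-URL>'"))
                continue
            (passes if name == "proxypass" else reverses)[args[0]] = (n, args[1])
    # Every ProxyPass needs a ProxyPassReverse with the same path and target,
    # otherwise redirects from the backend expose the internal host name.
    for path, (n, url) in passes.items():
        if path not in reverses:
            findings.append((n, f"ProxyPass {path} has no ProxyPassReverse"))
        elif reverses[path][1] != url:
            findings.append((reverses[path][0], f"ProxyPassReverse {path} target differs from ProxyPass"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_mod_proxy(SAMPLE):
        print(f"line {n}: {msg}")
```

Run it against the edited httpd.conf before restarting Oracle HTTP Server with opmnctl; an empty result means the fragment passed these three checks only.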

12.5.5.7 Configuring IPv6: Separate Proxy for Authentication and Resource WebGates

In this configuration you have multiple proxies: for example a separate proxy for the authentication WebGate and another proxy for the resource WebGate. You can access the application from a browser on the IPv4 network directly to an IPv4 server host name with a login redirect to an IPv6 host. For example:

  • Resource WebGate is on http://myapphostv4.foo.com/

  • Authenticating WebGate is on http://myssohostv4.foo.com

  • Proxy used for myapphostv4.foo.com should be myapphostv4.foo.com

  • Proxy used for myssohostv4.foo.com should be myssohostv4.com

Note:

You cannot use the IPv6 proxy name as the Preferred HTTP host in a WebGate profile.

In the example, OHS_host and OHS_port are the host name and port of the actual Oracle HTTP Server that is configured for WebGate. Be sure to use values for your own environment.

To configure IPv6 with a separate proxy for authentication and resource WebGates:

  1. Configure Oracle HTTP Server 11g Release 1 (11.1.1) or any other server for multiple proxies, as follows:

    1. Stop Oracle HTTP Server with the following command:

      opmnctl stopproc ias-component=component_name
      
    2. Edit the following file:

      UNIX: ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
      Windows: ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
      
    3. Append the following information for your environment to the httpd.conf file. For example:

      <IfModule mod_proxy.c>
      ProxyRequests Off
      ProxyPreserveHost On
      
      ProxyPass / http://OHS_host:OHS_port/
      ProxyPassReverse / http://OHS_host:OHS_port/
      
      </IfModule>
      
    4. Restart Oracle HTTP Server using the following command:

      opmnctl startproc ias-component=component_name
      
  2. In the Access System Console, set the Preferred HTTP host for each WebGate as follows:

    1. Log in to the Access System Console. For example:

      http://hostname:port/access/oblix
      

      In the example, hostname refers to the computer that hosts the WebPass Web server; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix connects to the Access System Console.

      The Access System main page appears.

    2. Click Access System Configuration, and then click AccessGate Configuration.

      The Search for AccessGates page appears. The Search list contains a selection of attributes that can be searched. Remaining fields allow you to specify search criteria that are appropriate for the selected attribute.

    3. Select the search attribute and condition from the lists (or click All to find all AccessGates), and then click Go.

    4. Click an AccessGate's name to view its details.

    5. Click Modify.

    6. For Preferred HTTP Host, specify the name of the Oracle HTTP Server Web server that is configured for this WebGate. For instance, a WebGate deployed on myapphostv4.foo.com must use myapphostv4.foo.com as the Preferred HTTP host.

    7. To enable IP validation, add the IP address of the Proxy server as the value of the IPValidationException parameter.

    8. Click Save.

    9. Repeat for each WebGate and specify the name of the Oracle HTTP Server Web server that is configured for this WebGate.

  3. From the Access System Console, modify the Form authentication scheme to include a challenge redirect to the Proxy server, as follows:

    1. Click Access System Configuration, and then click Authentication Management.

    2. Click the name of the scheme to modify, and then click Modify.

    3. Configure the challenge redirect value to the Proxy server URL that acts as a reverse proxy for the authentication WebGate. In this example, the Proxy server URL is http://myssohost.foo.com/

    4. Click Save.