Issue with Windows IIS server and webgate integration

Issue with Windows IIS server and webgate integration
11g Webgate Installation and Configuration on IIS server 7.x 
   
 
Webgate is a web server plug-in for Oracle Access Manager (OAM) which intercepts http requests and forwards to the Access Server for Authentication/Authorization and policy decisions. Webgate plug-in is available for Oracle HTTP Server, OHS server and IIS server.

This post is about issues with the Microsoft IIS server and webgate integration. ISAPI is an Internet Web server extension that the Webgate uses to interact with the IIS server. (ISAPI extensions are true applications that run on IIS and have access to all of the functionality provided by IIS. Extensions and filters are the two types of applications that can be developed using ISAPI.)

ISAPI extensions are implemented as DLLs that are loaded into a process that is controlled by IIS. Like ASP and HTML pages, IIS uses the virtual location of the DLL file in the file system to map the ISAPI extension into the URL namespace that is served by IIS.
The installation of the IIS Webgate should go smoothly, make sure you are using 32-bit or 64-bit version as required by your OS. However, there may be issues in installing and configuring the IIS webgate, refer below post from Oracle support/blog for a similar issue. The main thing is after the IIS webgate is instaled on the IIS server, the ISAPI filter will now be used by the webgate. This means that any user requests sent to the IIS server will now be intercepted by the webgate, since webgate is now using the isapi filter.




11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012

This question is Not Answered.
Rizwan Joo OCP11gNewbie
Rizwan Joo OCP11g Oct 4, 2016 11:34 AM
Hey, I have the task to perform:
1) install Windows server 2012R2 Datacenter edition
2) configure IIS Server with maximum options.
3) install C++ redistribution 2012R4
4) install JRE/JDK
5) Install Webgate 11g (11.1.2.2.0)
6) After Configuring i created a site named "ECC"
7) Than I run:
deployWebGateInstance.bat -w home\wg_instance4iis\ -oh \home\Oracle_OAMWebGate1\ -ws iis
ConfigureIISWebGate.bat -oh WebGate_Home -w Webgate_Instancedir -Site ecc
8) Registered a webgate to OAM and copied to config folder in webgate instance.
Than restarted the IIS Server.
9) when i browse the site http://localhost:8080
10) Webgate doesn't redirect it to OAM but directly opens the site.
There is no errors in the Event viewer or in the IIS Server Logs.
I am unable to understand this situation. I have followed the oracle Documentation link:

Average User Rating: No ratings (0 ratings)
Average User Rating
No ratings
(0 ratings)
Your Rating:
Rate Poor(1 of 5)Rate Below Average(2 of 5)Rate Average(3 of 5)Rate Above Average(4 of 5)Rate Exceptional(5 of 5)




    • 1. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      handatSuperhero
      handat Oct 5, 2016 3:51 AM (in response to Rizwan Joo OCP11g)
      What is the hostname associated with the ecc site? It won't be localhost.




    • 3. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      IdmSkApprentice
      IdmSk Oct 6, 2016 10:22 AM (in response to Rizwan Joo OCP11g)
      Please also check your version numbers.
      I have followed the oracle Documentation link:
      However your 5) step is refers to webgate 11.1.2.2 version. And second thing, what is your OAM version?




    • 4. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      Rizwan Joo OCP11gNewbie
      Rizwan Joo OCP11g Oct 8, 2016 12:02 AM (in response to IdmSk)
      Dear IdmSK,

      Thanks alot for your response. The webgate i am using is the only one available on oracle site. link: Oracle Access Manager WebGates and Agents Downloads
      OAM version is 11.1.2.3 which is the latest one. It has metrix for the IIS 7 or above.IdmSk




    • 5. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      IdmSkApprentice
      IdmSk Oct 8, 2016 12:59 AM (in response to Rizwan Joo OCP11g)
      Refer to below links. For IIS server webgate the main thing is that the isapi filter for IIS will now use the webgate. You need to make sure this step has been completed. In your case since there is no redirection happening, it means that the webgate and isapi integration is not there. Here is screenshot from IIS as an example for your reference.  The screenshot is from an older version of webgate, so in your case the Executable path may be different. But important thing is that the ISAPI filter will clearly show the webgate (as shown in yellow highlight). Only after this step has been completed the redirection will work.

         isapi_IIS.JPG
      Check your IIS server settings, most probably this step is missing.

      Here are few more references for IIS and webgate integration.
      Completing Webgate Installation with IIS  LINK
      Here is link  to webgate installation on IIS 8.5
      Also check this link, it should be similar for your version. Lastly make sure you are downloading the Oracle Access Manager IIS 7.5/8.5 WebGates 11.1.2.2.0 from downloads.
      Please mark as helpful/answered if this helps your issue.




    • 6. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      Rizwan Joo OCP11gNewbie
      Rizwan Joo OCP11g Oct 11, 2016 1:36 PM (in response to IdmSk)
      Isapi_filter.png
      The ISAPI has the Webgate entry. when i hit the site it says "HTTP Error 503. The service is unavailable."




    • 7. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      IdmSkApprentice
      IdmSk Oct 12, 2016 1:11 AM (in response to Rizwan Joo OCP11g)
      503 is server error. Make sure the IIS service is up and running. You can check webgate logs to check the actual error to make sure the webgate install works fine.




    • 8. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      Rizwan Joo OCP11gNewbie
      Rizwan Joo OCP11g Oct 12, 2016 1:52 AM (in response to IdmSk)
      Thank you for you prompt reply.
      the oblog.log webgate log file is reporting these errors:
      2016/10/05@08:00:00.017000 UTC - WebGate Multi-Process File Logger
      ****************************************************** BANNER INFORMATION ***************************************************
      WebgateId=eccwebgate
      WebgateInstallDir=c:\oracle\product\11.1.1\as_1\webgate\iis
      WebgateInstanceDir=c:\instance
      AgentType=WebGate
      WebgateVersion=11.1.2.2.0
      WebServer=IIS  7.x/8
      WebServerStartTime=2016/10/05@07:59:59 UTC
      WebServerVersionMode=Version 7.5
      HostName=iis
      OsInfo=Server 4.0 Service Pack 1 (Build 7601)32 bit
      *****************************************************************************************************************************
      <Year/Mon/Day@Hour:Min:Sec.Milsec> <Process_Id> <Thread_Id> <Module> <Level> <Code> <File:Line> "<Message>" <Named_Values...>
      =============================================================================================================================
      2016/10/05@08:00:00.017000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/oblix/lang/en-us/globalmsg.xml
      2016/10/05@08:00:00.017000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/oblix/lang/fr-fr/globalmsg.xml
      2016/10/05@08:00:00.017000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/oblix/lang/de-de/globalmsg.xml
      2016/10/05@08:00:00.017000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/oblix/lang/es-es/globalmsg.xml
      2016/10/05@08:00:00.017000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/oblix/lang/it-it/globalmsg.xml
      2016/10/05@08:00:00.017000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/oblix/lang/ja-jp/globalmsg.xml
      2016/10/05@08:00:00.017000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/oblix/lang/ko-kr/globalmsg.xml
      2016/10/05@08:00:00.017000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/oblix/lang/zh-cn/globalmsg.xml
      2016/10/05@08:00:00.017000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/oblix/lang/zh-tw/globalmsg.xml
      2016/10/05@08:00:00.017000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/oblix/lang/pt-br/globalmsg.xml
      2016/10/05@08:00:00.080000 760 1852 INIT ERROR 0x000003B6 base\oblistrwutil.cpp:225 "Could not read file" filename^c:\oracle\product\11.1.1\as_1\webgate\iis/config/oblog_config.xml
      2016/10/05@08:00:18.020000 760 1852 CONFIG ERROR 0x00000505 ..\src\obconfig.cpp:747 "ObAccess exception thrown" raw_code^0
      2016/10/05@08:00:18.020000 760 1852 ACCESS_GATE FATAL 0x00001520 ..\src\iisentry_web_gate.cpp:619 "Exception thrown during WebGate initialization"
      2016/10/05@08:00:18.020000 760 1852 ACCESS_GATE FATAL 0x0000182C ..\src\iisentry_web_gate.cpp:620 "The AccessGate is unable to contact any Access Servers." raw_code^301
      2016/10/05@08:00:18.020000 760 1852 CONFIG FATAL 0x0000181C ..\src\obconfig.cpp:863 "Oracle AccessGate API is not initialized." raw_code^204
      2016/10/05@08:00:18.020000 760 1852 CONFIG FATAL 0x0000181C ..\src\obconfig.cpp:863 "Oracle AccessGate API is not initialized." raw_code^204
      2016/10/05@08:00:18.020000 760 1852 CONFIG FATAL 0x0000181C ..\src\obconfig.cpp:863 "Oracle AccessGate API is not initialized." raw_code^204
      2016/10/05@08:00:18.020000 760 1852 CONFIG FATAL 0x0000181C ..\src\obconfig.cpp:863 "Oracle AccessGate API is not initialized." raw_code^204
      2016/10/05@08:00:18.020000 760 1852 CONFIG FATAL 0x0000181C ..\src\obconfig.cpp:863 "Oracle AccessGate API is not initialized." raw_code^204
      2016/10/05@08:00:18.020000 760 1852 CONFIG FATAL 0x0000181C ..\src\obconfig.cpp:863 "Oracle AccessGate API is not initialized." raw_code^204
      2016/10/05@08:00:18.020000 760 1852 CONFIG FATAL 0x0000181C ..\src\obconfig.cpp:863 "Oracle AccessGate API is not initialized." raw_code^204
      2016/10/05@08:00:18.020000 760 1852 CONFIG FATAL 0x0000181C ..\src\obconfig.cpp:863 "Oracle AccessGate API is not initialized." raw_code^204

      I am stuck here, can't understand this situation.

      If i see the Event Viewer logs, it shows this error:
      Faulting application name: w3wp.exe, version: 7.5.7601.17514, time stamp: 0x4ce7afa2
      Faulting module name: KERNELBASE.dll, version: 6.1.7601.17514, time stamp: 0x4ce7c78c
      Exception code: 0xe06d7363
      Fault offset: 0x000000000000a49d
      Faulting process id: 0x8b4
      Faulting application start time: 0x01d220f25caf617e
      Faulting application path: c:\windows\system32\inetsrv\w3wp.exe
      Faulting module path: C:\Windows\system32\KERNELBASE.dll
      Report Id: cff6c96a-8ce5-11e6-bf03-000c29f81cb7
      Faulting package full name: %14
      Faulting package-relative application ID: %15




    • 9. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      IdmSkApprentice
      IdmSk Oct 13, 2016 12:50 AM (in response to Rizwan Joo OCP11g)
      kernelbase.dll fault is IIS/windows related. Make sure 32 or 64 bit compatibility- IIS version, webgate version.




    • 10. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      Rizwan Joo OCP11gNewbie
      Rizwan Joo OCP11g Oct 13, 2016 7:53 PM (in response to IdmSk)
      Dear IdmSk,

      IF i go to IIS Server Aplication pool---> my application pool---> advance settings---> 32 bit Application compatibility set to ENABLE.
      Than i get this error as attached.




    • 11. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      IdmSkApprentice
      IdmSk Oct 14, 2016 12:04 AM (in response to Rizwan Joo OCP11g)
      First ensure compatibility between 32 bit and 64 bit versions. Meaning if your IIS/windows is 32 bit then webgate version also has to be 32 bit.
      So first check the bit versions. You will have to uninstall webgate first, then ensure IIS is working fine. If IIS is having issues then need to uninstall/reinstall IIS. Then proceed with a fresh install on IIS making sure bit version compatibility.




    • 12. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      Rizwan Joo OCP11gNewbie
      Rizwan Joo OCP11g Oct 14, 2016 6:29 AM (in response to IdmSk)
      I am using windows server 2008R2 64 bits so the IIS Server is also 64 bits as it is built-in with the windows, i have just configured it.
      secondly, the webgate is also 64 bits.




    • 13. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      IdmSkApprentice
      IdmSk Oct 15, 2016 12:54 PM (in response to Rizwan Joo OCP11g)
      Make sure IIS server is working fine. You can do this by disabling the webgate via the IIS Admin console. Once webgate is disabled you should be able to get to the IIS main page fine. If this works fine you are sure IIS is working fine. Next, enable the webgate and then try again.




    • 14. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      IdmSkApprentice
      IdmSk Oct 19, 2016 12:46 AM (in response to Rizwan Joo OCP11g)
      Just fyi, to make sure IIS server is working fine, you may temporarily disable the webgate so that you can test basic IIS functionality. ie you should be able to access the home page and other web pages in IIS without any issues. Once you have confirmed IIS is working fine, now re-enable webgate and check if you get redirection to OAM. If not then you at least isolated that the issue is with webgate install. And as discussed please check versions and bits (32 or 64).




    • 15. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      Rizwan Joo OCP11gNewbie
      Rizwan Joo OCP11g Oct 18, 2016 7:08 AM (in response to IdmSk)
      Dear IdmSk,

      Thank you so much for your constant replies.
      What do you mean by disabling the Webgate?
      The Event Logs i have shared clearly mentioning the W3... a process of webgate is crushing, which is the actual reason. The Oracle Support also identified this ERROR and looking for resolution.


    • 16. Re: 11g Webgate Installation and Configuration on IIS Server 7.x windows server 2012
      IdmSkApprentice
      IdmSk Oct 19, 2016 12:47 AM (in response to Rizwan Joo OCP11g)
      Disabling webgate means to stop the functionality of the webgate. Its effect is similar to uninstalling the webgate. This can help during troubleshooting. Via IIS admin console you can disable the webgate module so an admin may not require to take the step of uninstalling webgate. Once webgate functionality is disabled you get back your normal IIS web server behavior which you can test to make sure basic IIS server functionality is ok. This way you can isolate the issue- whether it is due to IIS or it is due to webgate. Once webgate is installed it integrates with IIS server for authentication purposes. In your case since webgate module is causing the issue, then if you disable the webgate (via the IIS admin console, it is mere button clicks actually instead of having to uninstall the whole webgate), IIS webpages should be accessible fine to prove that the issue was in fact with the webgate module and there is no corruption to IIS server... However in your scenario the webgate is the issue, confirmed by the logs and Support.
      I hope it is clear what is meant by disabling webgate. Enabling and disabling webgate are helpful for quick troubleshooting when there are issues with webgate, IIS, OAM setup, instead of having to uninstall the full webgate.

    Comments

    Post a Comment

    Popular posts from this blog

    VMware fix for Invalid manifest and ova file import failed errors

    Image
    Recently we got a OVA file for a virtual machine. The vendor instructions were to import the ova file in vmware Workstation, Player for Windows/Linux, Fusion for Mac, and VirtualBox as well.  The instructions were to take the available package and launch the VM with VMware workstation. The package contained  Module.mf, Module.ovf and Module-disk.vmdk and a Module.ova file. The .mf and .ovf file were 2 KB each whereas the vmdk was several gigs. The package also contained a Module.ova file which was several gigs as well. OVF           Open Virtualization Format MF             Manifest file VMDK       Virtual Machine Disk OVA           Open Virtualization Appliance The ovf file is a xml file that contains metadata for the ovf package The mf file contains the SHA1 hash codes of all files in the package The vmdk file is the disk image of the virtual machine,  VMware Workstation or VirtualBox. (vmdk format was originally developed by VMware and is an open format now). All of
    Read more

    SOAPUI - import certificate

    Image
    Note: SoapUI has two versions, one is open source and second Professional version. The open source can be download here . (confirmed link 12/19/2018). SSL Handshake issue:   There is an Issue in SoapUI version 5.3.0 (and 5.2.0 version) with SSL handshake error. It was resolved by updating below in vmoptions file ( refer here ). However, the error that shows up while trying to load wsdl is "Error loading WSDL" as below The fix is to Enable TLS 1.2 protocol for SOAP/REST calls in SoapUI, by ammending the vmoptions file to add the directive for TLS as (-Dsoapui.https.protocols=TLSv1.2). Refer here . Update: Version 5.5.0 does not have this issue. If you are on 5.3.0 better upgrade to 5.5.0 which is available now (Feb 2019). I had above issue as well as another issue reaching to https endpoint. Upgrade to 5.5.0 resolved issue. Select "Check for updates" under the Help menu and you will get option for upgrade. Select upgrade current version and accept all defaul
    Read more

    Centrally Managed Users (CMU) - New Feature in Oracle Database 18c

    Image
    Centrally Managed Users (CMU) Centrally Managed Users or CMU is a new feature introduced since Oracle DB 18c which allows simplified database user management through integration with Microsoft Active Directory (AD). Beginning with Oracle Database release 18c, version 18.1 and later supports direct integration with Microsoft Active Directory (AD) using the new centrally managed users capability. CMU allows the Oracle database to perform user authentication and authorization directly against AD. Benefits of CMU With centrally managed users, users accessing the database can be centrally managed to improve an organization's security posture. An enterprise user (a user in Microsoft Active Directory) can be exclusively mapped to a database account, or many enterprise users (in an Microsoft Active Directory group) can be mapped to a shared account in the database. Microsoft Active Directory groups can also be mapped to a database global role, which provides users with additional privilege
    Read more