OAM WebGate not intercepting requests: Troubleshooting Tips

Hi all,

Today I ran into a common error where a WebGate installed on OHS 11g was not intercepting HTTP requests, and I thought it was worth sharing. Below I describe the root cause of our issue and other points for troubleshooting.

The background: a custom portal application is deployed on a backend web server. We use OHS 11g as the front end, proxying all the backend servers, so we installed an OHS 11g WebGate on the proxy server.

We then created a Policy Domain to protect the resources and assigned an Authentication Scheme, etc.

When we test a specific page that is protected in the Policy Domain using Access Tester, it behaves as expected. When we access the same protected resource in a browser, it is displayed without the OAM WebGate intercepting the request.

There are several points to check when troubleshooting this.

  1. Check the time sync between the WebGate and Access Server machines.
  2. Try to connect to the Access Server port from the WebGate machine to check whether the port is open in the firewall.
  3. Ensure that you are using the right Host Identifiers, as configured in the Access System Console. Add all possible hostnames, domain names and IP addresses, with port numbers. To elaborate, the Preferred HTTP Host mentioned in the WebGate profile must appear exactly in the Host Identifiers defined in the Access Console. For instance, even if your web server is running on port 80, you should set the Preferred HTTP Host in the WebGate profile to WebServerHost:80, and the same combination should be present in the Host Identifiers of the Access Console.
  4. Check the WebGate profile for the WebGate Hostname and the Preferred Host Identifier, which should be webgate_webserver_hostname:port. This is really important and was the root cause in our case.
  5. Also, if you are installing the WebGate on a proxy server, it is good to set the IP validation field to No, since the proxy server does not show the actual IP.
  6. If you specified wrong details in the WebGate profile, the installer will report it when you enter the WebGate and Access Server details while installing the WebGate.
  7. After the WebGate is installed, check that it is installed properly by accessing the following URL: http://webgate_webserver_hostname:port/access/oblix/apps/webgate/bin/webgate.cgi?progid=1
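
The host identifier rule from points 3 and 4 can be checked offline before touching the Access Console. The script below is an added example, not code from this post or from Oracle: the function names, hostnames and the literal string comparison used to model "exactly" are assumptions, and it handles hostnames and IPv4 addresses only.

```python
"""Audit a WebGate profile's Preferred HTTP Host against the Host Identifiers.

Rule modelled (from the post): the preferred host carries an explicit port and
appears in the Host Identifiers exactly; every name the web server is reached
by is listed as name:port. All hostnames and values here are constructed.
"""


def split_host_port(value):
    """Split 'host:port' into (host, port); port is None when absent."""
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return value, None


def audit_host_identifiers(preferred_host, host_identifiers, server_names, port):
    """Return findings as (code, detail) tuples; an empty list means the rule holds."""
    findings = []
    listed = set(host_identifiers)  # assumption: entries are compared literally

    pref_name, pref_port = split_host_port(preferred_host)
    if pref_port is None:
        findings.append(("PREFERRED_NO_PORT", f"{preferred_host} -> {pref_name}:{port}"))
    if preferred_host not in listed:
        # Point out entries that differ only by case or by the port suffix.
        near = [h for h in host_identifiers
                if split_host_port(h)[0].lower() == pref_name.lower()]
        findings.append(("PREFERRED_NOT_LISTED", f"{preferred_host}; near matches: {near}"))

    # Every name the web server answers to should be listed as name:port.
    for name in server_names:
        wanted = f"{name}:{port}"
        if wanted not in listed:
            findings.append(("IDENTIFIER_MISSING", wanted))
    return findings


# Constructed sample: the profile omits the port and the IP address is not listed.
NAMES = ["portal.example.com", "portal", "192.0.2.10"]
BROKEN = audit_host_identifiers(
    "portal.example.com", ["portal.example.com:80", "portal:80"], NAMES, 80)
FIXED = audit_host_identifiers(
    "portal.example.com:80",
    ["portal.example.com:80", "portal:80", "192.0.2.10:80"], NAMES, 80)

if __name__ == "__main__":
    for code, detail in BROKEN:
        print(code, detail)
    print("fixed profile findings:", FIXED)
```
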

If you feel I have missed any points, please let me know.

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com


10 comments
cbompart says March 23, 2011

http://webgate_webserver_xroads-ofmd1.syniverse.com:7777/access/oblix/apps/webgate/bin/webgate.cgi?progid=1

This is the one for 10g. Is there one for the 11g test?

Vikrant Korde says January 9, 2012

Hi Mahendra,
I could hit the URL you mentioned on my machine, where I have installed IPM 11g + Weblogic 10.3.5.0 + OHS 11g + Webgate 10.1.4.3 (pointing to OAM 10.4.3.0 on another machine).

The URL asks me for the credentials, then it shows me “Diagnostic view of OAM”. In it, it shows the secondary access server is down.

But it does not show the users from OamIdentityProvider in the list of weblogic users.
What does that mean?

Regards,
Vikrant Korde.

Girish says November 27, 2012

Hi Mahendra

I am not able to install webgate 11g on OHS properly.
I installed and configured OHS through Webtier 11.1.1.6. It is running.
I installed Webgate 11g. OHS does not work. It is showing “internal server error” on browser.
I am using
OHS 11.1.1.6
Webgate 11.1.1.5
OAM Server 11.1.1.5
Please suggest a solution for this problem.

    Atul Kumar says November 27, 2012

    @ Girish,

    Did you manage to start OHS after integrating with WebGate? What error message do you see in the OHS logs?

Girish says November 27, 2012

Hi Atul

These are the error messages I found in ohs1.log:
OBWebGate_AuthnAndAuthz: Cannot get message for ObAccessException_NO_CONFIG_FILE
OBWebGate_AuthnAndAuthz: ObAccessClient.lst does not contain a client id.
Request Failed for : /favicon.ico, Resp Code : [500]
The errors below I found in oblog.log:
“ObAccessClient.lst does not contain a client id.” raw_code^213
0x00001520 \ADE\aime_1\ngamac\src\palantir\webgate2\src\apache2entry_web_gate.cpp:591 “Exception thrown during WebGate initialization”

Thank you

Girish says November 29, 2012

Hi Atul

Thank you for your suggestion. I got the solution to my problem. I was facing a problem with the security mode. My OAM server instance was running in simple mode and I was trying to register the WebGate with open mode.

Thank you

Vivek says January 8, 2014

I have registered one Webgate in OAM and use it on 2 different webserver machines. This is working and I am able to access the application from both webservers with authentication done by OAM.

Is this correct?
If this is wrong, what implications will this have?

OAM 11G, Webgate 11g, OIF 11g, OVD 11g.

Mahendra says January 8, 2014

Vivek,

It is not recommended to use the same WebGate instance on two different machines. I cannot say what the implications are, but if you deploy this setup in production, Oracle will not provide support for any prod issues.

-Mahendra

aditi.26leo@gmail.com says May 23, 2014

Hi Atul,
I am facing the same error Girish has printed in the post above.
Can you tell me what solution you provided to Girish?

-Aditi

krish says July 19, 2015

Hi Team,
I have OAM 10.1.4.0.1 and I keep getting "OBACCESSCLIENT.LST is corrupted". We have to restart all the services to resume the services. We are planning to upgrade to OAM 10.1.4.3 BP13, but for now, do we have any workaround to fix this issue?

Please advise.

Rgds
kv
