Oracle® Application Server High Availability Guide 10g (10.1.4.0.1) Part Number B28186-01
This chapter describes high availability topologies for Oracle Access Manager. This chapter contains the following sections:
Section 5.1, "Overview of High Availability Topologies for Oracle Access Manager"
Section 5.2, "Installing Oracle Access Manager in a High Availability Topology"
Section 5.3, "Managing Oracle Access Manager in a High Availability Topology"
To run Oracle Access Manager in a high availability manner, you can run Oracle Access Manager in an active-active topology, as shown in Figure 5-1. This topology has the following features:
You need a load balancer to direct traffic to the Oracle HTTP Servers installed with WebGate and WebPass. Clients use the virtual hostname configured on the load balancer to access WebGate and WebPass.
WebGate and WebPass connect to primary and secondary Access Servers and Identity Servers. You cannot use a load balancer between WebGate/WebPass and Access or Identity Servers because communication between these components uses the proprietary Oracle Access and Oracle Identity protocols.
You need to set up multiple Access Servers and Identity Servers and configure them as primary and secondary so that WebGate and WebPass can redirect requests to other primary servers or to secondary servers if the primary servers are unavailable.
When using Oracle Internet Directory with Oracle Access Manager in a high availability environment, you can set up Oracle Internet Directory for high availability in different ways: in an active-active topology, in an active-passive topology, or with multimaster replication. In the replication case, the replica can be considered a secondary server.
Note that you can configure Oracle Access Manager in an active-active topology only. Active-passive topology for Oracle Access Manager is not supported. Components used by Oracle Access Manager, such as Oracle Internet Directory, may be configured in an active-passive topology, if supported by that component.
Figure 5-1 Oracle Access Manager in Active-Active Topology
To install and configure Oracle Access Manager in a high availability topology, see chapter 7, "Installing and Configuring myJ2EE with Oracle Access Manager", in the Oracle Application Server Enterprise Deployment Guide.
To manage Oracle Access Manager in a high availability topology, you use the same tools as in a non-high availability topology. For example, you use the Identity System Console to configure the Identity System.
The URLs for accessing the tools remain the same. For example:
To access the Access System Console, use the following URL: http://hostname:port/access/oblix. Here, hostname refers to the node running WebGate, and port refers to the Oracle HTTP Server port.
To access the Identity System Console, use the following URL: http://hostname:port/identity/oblix. Here, hostname refers to the node running WebPass, and port refers to the Oracle HTTP Server port.
For configuring Oracle Access Manager in a high availability topology, you should be familiar with the following features and procedures:
Section 5.3.1, "Adding Identity Servers and WebPass Instances"
Section 5.3.4, "Associating AccessGate with an Access Server Cluster"
Section 5.3.5, "Configuring Load Balancing and Failover for Oracle Access Manager Components"
Details on configuring Oracle Access Manager are provided in the Oracle Access Manager guides.
You may need to add Identity Servers and/or WebPass instances to your system. A WebPass can be associated with one or more Identity Servers, and one Identity Server can receive requests from one or more WebPass instances.
For details on adding Identity Servers, see section 7.4, "Managing Identity Servers", in the Oracle Access Manager Identity and Common Administration Guide.
For details on adding WebPass instances, see section 7.7, "Configuring WebPass", in the Oracle Access Manager Identity and Common Administration Guide.
To add AccessGates to your system, see section 2.4.3, "Adding an AccessGate", in the Oracle Access Manager Access System Administration Guide.
To add Access Servers to your system, see section 2.3.2, "Adding an Access Server Instance", in the Oracle Access Manager Access System Administration Guide.
You should cluster your Access Servers for the following reasons:
You can associate an AccessGate with one or more Access Server clusters. This enables the AccessGate to fail over to another Access Server in the cluster if the first Access Server is not available.
Oracle Access Manager automatically configures failover and load balancing for all the Access Servers in a cluster.
You can configure a cluster to be a primary cluster or a backup cluster. AccessGate creates connections to the Access Servers in the backup cluster if it is unable to create connections to the Access Servers in the primary cluster.
Note that all Access Servers in a cluster and all AccessGates associated with the cluster must have the same transport security mode and Policy API Support mode.
See section 2.3.5, "Clustering Access Servers", in the Oracle Access Manager Access System Administration Guide for the steps on how to cluster the Access Servers.
To associate an AccessGate with an Access Server cluster, see section 2.6, "Associating AccessGates with Access Servers", in the Oracle Access Manager Access System Administration Guide.
Oracle Access Manager can perform both load balancing and failover between these components:
In addition, you can configure failover for Policy Manager to fail over to a secondary directory server. Load balancing for Policy Manager is not supported.
For load balancing and failover, you designate the Identity Servers, Access Servers, and directory servers as primary or secondary. Oracle Access Manager creates connections to secondary servers only if connections to the primary servers become unavailable.
You can also cluster the Identity Servers and Access Servers, if you want. Clustering is recommended for active-active topologies.
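The selection rules described above (primary servers before secondary servers, a backup cluster only when no server in the primary cluster is reachable, automatic failover and load balancing inside a cluster, and the requirement that every server in a cluster share the same transport security mode) can be made concrete with a small model. The following Python is an added illustration, not Oracle Access Manager code; the server names, the availability flag standing in for a real connection attempt, the round-robin spreading inside a cluster, and the mode-consistency check are all assumptions made for the example.

```python
"""Model of AccessGate-to-Access-Server connection selection.

Constructed example, not Oracle Access Manager code. It reproduces the rules
stated in the chapter:
  * servers in a cluster share load (modelled here as round-robin);
  * an unavailable server is skipped in favour of another in the same cluster;
  * a backup cluster is used only when no primary-cluster server is reachable;
  * all servers in a cluster must use the same transport security mode.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Server:
    name: str
    transport_mode: str = "open"   # assumed placeholder values: "open", "simple", "cert"
    available: bool = True         # constructed health flag (a real AccessGate would try to connect)


@dataclass
class Cluster:
    name: str
    servers: List[Server]
    role: str = "primary"          # "primary" or "backup"

    def __post_init__(self) -> None:
        # The chapter requires a consistent transport security mode across a cluster.
        modes = {s.transport_mode for s in self.servers}
        if len(modes) > 1:
            raise ValueError(f"cluster {self.name!r} mixes transport modes: {sorted(modes)}")


class AccessGateConnections:
    """Chooses the Access Server an AccessGate should send the next request to."""

    def __init__(self, clusters: List[Cluster]) -> None:
        self.clusters = clusters
        self._next_index = {c.name: 0 for c in clusters}

    def _pick_from(self, cluster: Cluster) -> Optional[Server]:
        live = [s for s in cluster.servers if s.available]
        if not live:
            return None                       # whole cluster down: caller falls through
        idx = self._next_index[cluster.name] % len(live)
        self._next_index[cluster.name] += 1
        return live[idx]                      # round-robin across the servers still up

    def choose(self) -> Server:
        # Primary clusters are exhausted before any backup cluster is considered.
        for role in ("primary", "backup"):
            for cluster in (c for c in self.clusters if c.role == role):
                server = self._pick_from(cluster)
                if server is not None:
                    return server
        raise ConnectionError("no Access Server reachable in any cluster")


def selection_sequence(conns: AccessGateConnections, count: int) -> List[str]:
    """Names of the servers chosen for the next `count` requests."""
    return [conns.choose().name for _ in range(count)]


if __name__ == "__main__":
    primary = Cluster("primary", [Server("as-primary-1"), Server("as-primary-2")])
    backup = Cluster("backup", [Server("as-backup-1")], role="backup")
    conns = AccessGateConnections([primary, backup])
    print(selection_sequence(conns, 4))       # alternates between the two primaries
    primary.servers[0].available = False
    primary.servers[1].available = False
    print(conns.choose().name)                # only now does the backup cluster serve
```

Run as a script, the model first alternates between the two primary servers, keeps using the surviving primary when one goes down, and only reaches the backup cluster once both primaries are unavailable; restoring a primary returns traffic to it on the next request.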
Using Hardware Load Balancer vs. the Load Balancing Feature in Oracle Access Manager
Generally, if you already have a hardware load balancer in front of your Oracle Internet Directory for reasons not related to Oracle Access Manager, the best option is to use the hardware load balancer as the only load balancing mechanism. This option is probably more efficient in that the hardware load balancer offloads the load balancing tasks from Oracle Access Manager and is easier to maintain.
Some examples where you might need a hardware load balancer in front of Oracle Internet Directory:
You are already running a previous release of Oracle Internet Directory with a hardware load balancer, and you have users accessing this Oracle Internet Directory only through this hardware load balancer.
OracleAS Portal does not load balance requests to Oracle Internet Directory automatically. If you are using OracleAS Portal with Oracle Internet Directory, you will require a hardware load balancer.
In these examples (where a hardware load balancer exists for other reasons), you should use the hardware load balancer to load balance requests to Oracle Internet Directory.
However, if you do not have a hardware load balancer, and you do not have other components that require a hardware load balancer to access a redundant Oracle Internet Directory, you can configure the load balancing feature in Oracle Access Manager.
Load balancing and failover for Oracle Access Manager are described in the "Failover and Load Balancing" chapter in the Oracle Access Manager Deployment Guide.
WebPass and WebGate instances, because they run within Oracle HTTP Server, are managed by OPMN. If an Oracle HTTP Server process dies or becomes unavailable, OPMN tries to restart it.
Identity Server and Access Server are not monitored by OPMN. You will have to manage these servers yourself.
Oracle Internet Directory is managed by OPMN.
While Oracle Access Manager must be configured in an active-active topology, the components that it uses can be configured in different topologies. For example, Oracle Internet Directory can be configured in an active-active (shown in Figure 5-1) or active-passive (shown in Figure 5-2) topology. In the two figures, the Oracle Access Manager topology is unchanged; the only difference is in the Oracle Internet Directory configuration.
When Oracle Internet Directory is running in an active-passive topology, it also uses a cold failover cluster database, as shown in Figure 5-2.
To install the Oracle Internet Directory in an active-passive topology, see the "Installing in High Availability Environments: OracleAS Cold Failover Cluster" chapter in the Oracle Application Server Installation Guide for your platform.
Figure 5-2 Oracle Access Manager with Oracle Internet Directory in Active-Passive Topology