27 Monitoring Performance and Logs with Fusion Middleware Control

This chapter describes how to monitor performance and log messages for Oracle Access Manager and Oracle Security Token Service using Oracle Fusion Middleware Control. It focuses on general tasks that administrators can perform from Fusion Middleware Control and does not replace the details in the Oracle Fusion Middleware Administrator's Guide.

Note:

Unless explicitly stated, information in this chapter is the same whether you are using Oracle Access Manager alone or with Oracle Security Token Service.

27.1 Prerequisites

Oracle Fusion Middleware Control must be deployed with Oracle Access Manager 11g on the WebLogic Administration Server, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management. For more information on Fusion Middleware Control, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

27.2 Introduction to Fusion Middleware Control

Within Fusion Middleware Control, information is updated dynamically during live sessions of Oracle Access Manager with Oracle Security Token Service (and other products).

Fusion Middleware Control organizes a wide variety of performance data and administrative functions into distinct Web-based pages. This helps administrators easily locate the most important monitoring data and the most commonly used administrative functions from a Web browser.

Note:

Enterprise Manager Grid Control is an independently licensed product that provides additional capabilities not found in Fusion Middleware Control (primarily, the ability to collect and maintain data for historical purposes and trending).

Oracle Access Manager 11g is deployed as a Java EE application in a WebLogic container. For high availability and failover, Oracle Access Manager with Oracle Security Token Service is typically deployed in a WebLogic cluster environment.

A WebLogic Server domain can have multiple clusters. Providing monitoring and performance statistics for all clustered components requires a composite target. This target provides status and rolled-up load and response performance metrics for member instances. In addition to the metrics exposed for Oracle Access Manager with Oracle Security Token Service, generic performance metrics are also available for Java EE applications and composite Java EE applications.

Fusion Middleware Control must be deployed with Oracle Access Manager 11g on the WebLogic Administration Server, as shown in Figure 27-1.

Figure 27-1 Fusion Middleware Control (AS-Control) Deployment Architecture

Using Fusion Middleware Control for Oracle Access Manager with Oracle Security Token Service targets is supported through the Oracle Dynamic Monitoring Systems instrumentation within Oracle Access Manager. This instrumentation is used to provide:

  • Performance overview and drill down

  • Log message searches and dynamic log level changes

  • Routing topology overview

  • MBean browser

  • Component- and cluster-level metrics for Oracle Access Manager with Oracle Security Token Service

27.3 Logging In to and Out of Fusion Middleware Control

27.3.1 About the Login Page for Fusion Middleware Control

The Fusion Middleware Control Login page provides the usual fields for the User Name and Password. The bottom of the Fusion Middleware Control Login page provides topics that you can click for additional information. The Login page is shown in Figure 27-2.

Figure 27-2 Fusion Middleware Control Login Page with Help Topics

27.3.2 Logging In To Fusion Middleware Control

Only Fusion Middleware Control administrators can perform this task.

See Also:

Oracle Fusion Middleware Administrator's Guide for details about getting started using Fusion Middleware Control

To log in to Fusion Middleware Control

  1. In a browser window, enter the URL to Fusion Middleware Control. For example:

    http://host.domain.com:8888/em/
    
  2. Expand a topic at the bottom of the Login page to learn about the enhanced user experience or new features.

  3. Log in as a Fusion Middleware Control administrator.

  4. Choose the farm containing Oracle Access Manager 11g, if needed.

  5. Help: From the Farm Resource Center on the OAM Farm page, choose topics of interest (or click Help in the upper-right corner of the page) to get more information.

  6. Proceed to any topic in this chapter for viewing and configuration details.

27.3.3 Logging Out of Fusion Middleware Control

You can use the following procedure to sign out of Fusion Middleware Control.

To log out of Fusion Middleware Control

  1. Click the Log Out link in the upper-right corner of Fusion Middleware Control.

  2. Close the browser window.

27.4 Displaying Menus and Pages in Fusion Middleware Control

See Also:

Oracle Fusion Middleware Administrator's Guide for details about getting started using Fusion Middleware Control

27.4.1 About the Farm Page in Fusion Middleware Control

Figure 27-3 illustrates the Oracle Access Manager Farm page in Fusion Middleware Control. Each Farm page includes similar information. The Farm Resource Center provides immediate access to online information.

Figure 27-3 OAM Farm Page in Fusion Middleware Control

Sections on the Farm page are described in Table 27-1.

Table 27-1 Farm Page Sections

Farm Page Sections Description

Deployments

Within the farm, this section displays the Status and Target of each Internal Application within the Application Deployment.

Clicking any link in the Deployments section (or in the navigation tree) displays a page containing more information.

Fusion Middleware

Within the farm, this section displays the status, host, and CPU usage for server instances in the:

  • WebLogic Server domain

  • Identity and Access

Clicking any link on the page (or in the navigation tree) displays a page containing a more detailed summary.

Farm Resource Center

Provides a wealth of online information in the following categories:

  • Information that is useful before you begin using Fusion Middleware Control

  • Administrator tasks using Fusion Middleware Control

  • Other resources

Clicking any link in the resource center displays information on the chosen subject. With a wealth of information online, these details are not repeated in this book.


The navigation tree on the left side of the page, like the one in Figure 27-4, enables you to choose a specific instance (target) on which to operate regardless of the page you are currently viewing. Target names in your environment will be different.

Figure 27-4 Farm Navigation Tree in Fusion Middleware Control

For more information, see "Logging In To Fusion Middleware Control".

27.4.2 About Context Menus and Pages in Fusion Middleware Control

For Oracle Access Manager with Oracle Security Token Service, Farm details in Fusion Middleware Control are divided into the following nodes within the navigation tree:

  • Application Deployments

  • Internal Applications (includes logout page and other details for the OAM AdminServer and OAM Server instances)

  • WebLogic Server domains (WebLogic Server details, including the OAM Farm)

  • Identity and Access (includes Oracle Access Manager Cluster or individual Oracle Access Manager Server instances, which includes Oracle Security Token Service)

Clicking a node in the navigation tree displays an information page with individual links and a description of the Target, Type, and Full Name, as shown in Figure 27-5 for Application Deployments.

Figure 27-5 Node Information Page in Fusion Middleware Control

Clicking an instance (target) name (from either the navigation tree or a page) displays a context menu and a more detailed summary page. The Internal Application target is highlighted in the navigation tree and a page of the same name is displayed on the right. The context menu is available beneath the target name at the top of the page, as shown in Figure 27-6.

Figure 27-6 Application Deployment Summary for the Selected Internal Application

The Application Deployment menu is shown in Figure 27-7.

Figure 27-7 Application Deployment Menu

WebLogic Server domain: The WebLogic Server domain page is shown in Figure 27-8 with the corresponding menu displayed. The Oracle WebLogic Server domain Resource Center, with links to online documentation, is visible in the bottom-left corner. This page more closely resembles the Farm landing page.

Figure 27-8 WebLogic Server Domain Summary with Context Menu Exposed

Selecting a target name within the WebLogic Server domain node displays a target summary page that more closely resembles the Application Deployment page in Figure 27-6.

For more information, see "Displaying Context Menus and Target Details in Fusion Middleware Control".

See Also:

"Viewing Performance in Fusion Middleware Control" for information about the Identity and Access node and related pages.

27.4.3 Displaying Context Menus and Target Details in Fusion Middleware Control

Fusion Middleware Control administrators can use the following procedure to view context menus and target pages for Oracle Access Manager with Oracle Security Token Service.

Note:

From the Farm Resource Center on the Oracle Access Manager Farm page, choose topics of interest (or click Help in the upper-right corner of the page) to get more information.

To display context menus and target information

  1. Log in as described in "Logging In To Fusion Middleware Control".

  2. Expand the Farm containing Oracle Access Manager, if needed.

  3. Information Pages: From the navigation tree, click one of the following to display the related information page:

    • Application Deployments

    • WebLogic Server domain

    • Identity and Access

  4. Menus and Summary Pages: Click an instance name (in either the navigation tree or the related page) to display a summary page and menu (Figure 27-6 and Figure 27-7).

  5. Oracle Access Manager Cluster or Server Pages: See "Viewing Performance in Fusion Middleware Control".

27.5 Viewing Performance in Fusion Middleware Control

Fusion Middleware Control provides administrators with:

  • A cluster-wide view of performance for Oracle Access Manager with Oracle Security Token Service

  • A per-server drill-down of key performance metrics

  • The ability to quickly add or remove performance metrics

Using Fusion Middleware Control, you can view performance metrics for live sessions in a variety of formats. Table 27-2 summarizes the pages for selected nodes and target instances.

Table 27-2 Resulting Pages for Selected Nodes and Targets

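Columns: Node, Target, Information Summary Page, Performance Overview, Performance Summary w/Metrics

  • Node: Application Deployment
    Target: Internal Applications; ...AdminServer; oamsso_logout(11.1.1.3.0) AdminServer; oamsso_logout(11.1.1.3.0) oam_server
    Information Summary Page: Yes, Yes, Yes
    Performance Overview: No, No, No
    Performance Summary w/Metrics: Yes, Yes, Yes

  • Node: WebLogic Server domain
    Target: oam_bd (Cluster name); AdminServer; oam_server
    Information Summary Page: Yes, Yes, Yes
    Performance Overview: No, No, No
    Performance Summary w/Metrics: No, Yes, Yes

  • Node: Identity and Access
    Target: OAM (Oracle Access Manager Cluster); oam_server (Oracle Access Manager Server)
    Information Summary Page: No, No
    Performance Overview: Yes, Yes
    Performance Summary w/Metrics: Yes, Yes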


Note:

Oracle Security Token Service performance is included with both Oracle Access Manager Cluster and Oracle Access Manager Server pages.

27.5.1 About Performance Overview Pages in Fusion Middleware Control

The Fusion Middleware Control Performance Overview for Oracle Access Manager with Oracle Security Token Service can be used to reflect WebLogic cluster information down to specific performance metrics for individual Oracle Access Manager Cluster and Server targets.

Oracle Access Manager Cluster Page: The top node within Identity and Access leads to a page for the OAM Cluster Deployment, which includes a Performance Overview. For Figure 27-9, the Oracle Access Manager Cluster is selected in the navigation tree, beneath the Identity and Access node. Figure 27-9 illustrates the Oracle Access Manager Cluster Deployments and Performance Overview sections. This page includes a table for Token Issuance and Token Validations.

Figure 27-9 Oracle Access Manager Cluster Page

OAM Server Pages: Selecting an OAM Server target name from the navigation tree (or the open page) displays a Performance Overview for the target. At the top of the OAM Server page, a summary of Key Metrics for the server instances appears instead of the Oracle Access Manager Cluster Deployment section. Figure 27-10 illustrates the OAM Server instance Key Metrics, which include Token Issuance and Token Validations per second. The Token Validation success rate is included.

Figure 27-10 Key Metrics for Oracle Access Manager Server Pages

Table 27-3 describes the elements of the Performance Overview for Oracle Access Manager Clusters and Oracle Access Manager Server instances in Fusion Middleware Control. There are only a few differences.

Table 27-3 Summary of Performance Overviews in Fusion Middleware Control

Section or Column Name Description

Oracle Access Manager Cluster Menu

Dynamic context menus provide functions related to the selected target (also available when you right-click a target in the navigation tree). This menu is available for the selected Oracle Access Manager Cluster.

The Component Performance command enables you to choose between displaying Access Manager or Security Token Service metrics.

See Also: "Access Manager Component Pages" and "Security Token Service Component Pages".

Deployments, OAM Cluster pages

This section appears only on OAM Cluster pages. It describes the status of each instance in the cluster. The following information is included:

  • Instance Name

  • Status

  • Authentications

  • Authorizations

Instance Name

This column includes the name of each OAM Server instance in the cluster. For example:

OAM_server_name

Status

This column identifies the status of each OAM Server instance in the cluster with either a:

  • Green Up Arrow (running)

  • Red Down Arrow (not running)

Authentications

Authentications columns identify:

  • Authentications/sec: The number of authentications per second for each OAM Server instance in the cluster

  • Success Rate (% of Authentications Successful): A numeric value representing the percentage of successful authentications for each OAM Server instance in the cluster

Authorizations

This column identifies the number of authorizations per second for each OAM Server instance in the cluster.

Authorizations columns identify:

  • Authorizations/sec: The number of authorizations per second for each OAM Server instance in the cluster

  • Success Rate (% of Authorizations Successful): A numeric value representing the percentage of successful authorizations for each OAM Server instance in the cluster

Oracle Access Manager Server Instance Menu

Dynamic context menus provide functions related to the selected target (also available when you right-click a target in the navigation tree). This menu is available for the selected Oracle Access Manager server instance.

The Component Performance command enables you to choose between displaying specific Access Manager or Security Token Service metrics.

See Also: "Access Manager Component Pages" and "Security Token Service Component Pages".

Key Metrics, OAM Server Page

This table provides a summary of statistics for only the selected OAM Server instance. Key metrics include details for both Oracle Access Manager and Oracle Security Token Service:

  • Authentications/sec, Average Authentication Latency (ms), and Success ratio

  • Authorizations/sec, Average Authorization Latency (ms), and Success ratio

  • Token Issuances/sec, Average Issuance Latency (ms), and Success ratio

  • Token Validations/sec, Average Validation Latency (ms), and Success ratio

Performance Overview, OAM Cluster and OAM Server Pages

This section provides a graphical representation of Oracle Access Manager authentication and authorization operations and Oracle Security Token Service Token Issuance and Token Validation operations. Metrics in the Performance Overview are not configurable. The Metrics Palette is available for only the Performance Summary.

Whether you have an OAM Cluster or OAM Server instance selected, the Performance Overview includes:

  • Authentications/sec and Authorizations/sec

  • Token Issuances/sec and Token Validations/sec

Within each table:

  • Coordinates along the horizontal axis (the x axis) identify the time period.

  • Coordinates along the vertical axis (the y axis) identify the number of named transactions that occurred during the time period.

Table View

Click the Table View link on the bottom-right side of the Performance Overview to display performance information in columns within a pop-up window.

LDAP Servers, OAM Cluster and OAM Server Pages

This section is available when either an OAM Cluster or a single OAM Server instance is selected. It provides information for the default LDAP user identity store:

  • LDAP operations/sec

  • LDAP Latency (milliseconds)

  • LDAP Success Rate

Application Domains, OAM Cluster and OAM Server Pages

This section of the OAM Cluster and OAM Server pages provides information for all Application Domains that were used during authentication and authorization processing.

Columns in this section provide the:

  • Application Domain Name: Each application domain that contains the authentication and authorization policies used for a request.

  • Authentications/sec, Authentications Latency (ms), Success Ratio (%) for each application domain

  • Authorizations/sec, Authorization Latency (ms), Success Ratio (%) for each application domain


27.5.1.1 Access Manager Component Pages

The Component Performance command on both the Oracle Access Manager Cluster and Oracle Access Manager Server instance menus enables you to display Access Manager-specific metrics.

Component Performance

Oracle Access Manager Cluster component-specific metrics are aggregated across the cluster, as illustrated in Figure 27-11. Details follow in Table 27-4.

Figure 27-11 Aggregated Access Manager Component Metrics for the Cluster

Figure 27-12 illustrates the Access Manager component metrics for a single OAM Server instance.

Figure 27-12 Access Manager Component Metrics for a Single OAM Server Instance

Table 27-4 describes the component-specific metrics for Oracle Access Manager.

Table 27-4 Access Manager Component Metrics

Access Manager Component Metrics Description

Access Manager Clients

Based on your selection (Cluster or Server instance), this page provides information for all active Access Clients in a cluster (or for the active Access Clients of an individual OAM Server). Details include:

  • Client ID

  • Type

  • Authentications

  • Authorizations

Client ID

Displays the name of the Agent, as defined in the Agent registration in the Oracle Access Manager Console. For example:

IAMSuiteAgent

Type

Displays the Agent type. For example:

OAM Webgate

Authentications

Authentications columns identify:

  • Authentications/sec: The number of authentications per second for each OAM Server instance in the cluster

  • Latency (ms): The number of milliseconds the authentication was delayed

  • Success Rate (%): A numeric value representing the percentage of successful authentications for each OAM Server instance in the cluster

Authorizations

Authorizations columns identify:

  • Authorizations/sec: The number of authorizations per second for each OAM Server instance in the cluster

  • Latency (ms): The number of milliseconds the authorization was delayed

  • Success Rate (%): A numeric value representing the percentage of successful authorizations for each OAM Server instance in the cluster


27.5.1.2 Security Token Service Component Pages

The Component Performance command on both the Oracle Access Manager Cluster and Oracle Access Manager Server instance menus enables you to display Security Token Service (STS) component-specific metrics.

Component Performance

Component-specific metrics are aggregated for the Oracle Access Manager Cluster, as illustrated in Figure 27-11.

Figure 27-13 Aggregated STS Component Metrics for the Cluster

For each individual server instance, STS component-specific metrics are also available, as illustrated in Figure 27-11.

Figure 27-14 STS Component Metrics for an Individual OAM Server Instance

Table 27-5 introduces the STS component-specific metrics.

Table 27-5 STS Component-Specific Metrics

Security Token Service Component Metrics Description

Requestor Partners

Statistics summary for either the selected OAM Server instance (or an aggregated summary for the Cluster):

  • Partner ID

  • Token Issuances

  • Token Validations

Selecting a Requestor Partner ID reveals Relying Party Details with specific information for only the named partner.

Token Operations

Metrics for STS Token Operations include:

  • Token Type

  • Token Issuances: Total Requests, Requests per second, Average Issuance Latency (ms)

  • Token Validations: Total Requests, Requests per second, Average Issuance Latency (ms)


27.5.2 About the Metrics Palette and the Performance Summary Page

The Performance Summary command on the Oracle Access Manager Cluster or Server menu displays metrics charts for the selected target.

Figure 27-15 Performance Summary Command

On the Performance Summary page, a chart is displayed for each selected metric. Figure 27-16 shows an OAM Server Performance Summary page with an open Metric Palette from which you can choose metrics to chart. Stacked charts allow you to easily compare multiple metrics for the same time frame, change the time frame to go back in time, or zoom in or out.

Figure 27-16 Performance Summary Page with Metric Palette

Table 27-6 describes the status and controls available on the Performance Summary page.

Table 27-6 Status and Controls on Performance Summary Pages

Status or Control Description

Past n minutes

Status is based on the specified time period, which can be adjusted using the slider.

All

 

n Minutes

The specified time period, which can be adjusted using the slider.

Slider

The tool you use to adjust the time period.

Chart Set

A list from which you can choose the set of saved charts to view.

View

A menu that enables you to add a grid, save a chart, and order information on the page.

Overlay

A menu that enables you to search for and view another instance of the same type and compare this against the instance in the summary.

Metric Palette

A listing from which you can select performance metrics to chart. Items unique to Oracle Access Manager with Oracle Security Token Service are shown here.

Left: Metric Palette for the Cluster

Right: Metric Palette for a Single OAM Server

27.5.3 Displaying Performance Metrics in Fusion Middleware Control

Fusion Middleware Control administrators can use the following procedure to add or change the metrics that are displayed in the Performance Summary for Oracle Access Manager with Oracle Security Token Service.

To add or change metrics displayed in the Performance Summary

  1. Log in as described in "Logging In To Fusion Middleware Control".

  2. Performance Overview:

    1. Expand the desired node and select a target. For example: Identity and Access.

      Identity and Access
      oam_server

    2. Review the Performance Overview.

  3. Performance Summary:

    1. Select a target (Step 1).

    2. From the context menu, select Performance Summary.

    3. Review the Summary Page.

  4. Changing Metrics:

    1. From the Performance Summary page (Step 2), click the Show Metrics Palette button.

    2. From the Metrics Palette, expand nodes and check (or clear) boxes to add (or remove) metrics from the summary.

    3. Review the updated Summary page.

    4. Click Hide Metrics Palette when you finish.

  5. Saving a Chart Set:

    1. From the View menu on the Performance Summary page, click Save Chart Set.

    2. In the dialog box that appears, enter a unique name for this chart set and click OK when the operation is confirmed.

    3. Click Hide Metrics Palette when you finish.

    4. Review the updated information on the Summary Page.

  6. Adding an Overlay, Oracle Access Manager:

    1. From the Overlay menu on the Performance Summary page, click Another Oracle Access Manager.

    2. In the Search and Select Targets dialog, enter the target name and host name, then click Go.

    3. In the target results table, click the name of the desired target and then click Select.

    4. When finished viewing the overlay, click Remove Overlay from the Overlay menu.

  7. Adding an Overlay, Today with Yesterday:

    1. From the Overlay menu on the Performance Summary page, click Today with Yesterday.

    2. When finished viewing the overlay, click Remove Overlay from the Overlay menu.

  8. Testing:

    1. Using the Access Tester, perform several authentication and authorization tests (see Chapter 15).

    2. In Fusion Middleware Control, check performance metrics.

27.5.4 Displaying Component-Specific Performance Details

Fusion Middleware Control administrators can use the following procedure to view and compare component-specific performance data for either Oracle Access Manager or Oracle Security Token Service.

To display component-specific performance details

  1. Log in as described in "Logging In To Fusion Middleware Control".

  2. Expand the desired node and select a target. For example:

    Identity and Access
    oam_server

  3. From the context menu, select Component Performance.

  4. Choose Access Manager (or Security Token Service).

  5. STS Partner ID: Choose a Partner ID in the Security Token Service results table for more details, if needed.

  6. Component Performance:

    1. From the context menu, select Component Performance.

    2. Choose either Access Manager or Security Token Service.

    3. Choose an item in the results table to get more details, if available.

  7. Testing:

    1. Using the Access Tester, perform several authentication and authorization tests (see Chapter 15).

    2. In Fusion Middleware Control, check performance metrics.

27.6 Managing Log Level Changes in Fusion Middleware Control

Oracle Fusion Middleware components generate log files containing messages that record all types of events. Administrators can set log levels using Fusion Middleware Control, as described in this chapter.

Note:

Alternatively, administrators can set OAM logger levels using custom WebLogic Scripting Tool (WLST) commands, as described in Chapter 23.

27.6.1 About Dynamic Log Level Changes

Using Fusion Middleware Control, administrators can change log levels dynamically for Oracle Access Manager with Oracle Security Token Service.

Table 27-7 outlines log availability and functions in Fusion Middleware Control.

Table 27-7 OAM Log Availability and Functions in Fusion Middleware Control

Columns: Node, Target, View Log Messages, Log Configuration

  • Node: Application Deployment
    Target: Internal Applications; ...AdminServer; oamsso_logout(11.1.1.3.0) AdminServer; oamsso_logout(11.1.1.3.0) oam_server
    View Log Messages: Yes, Yes, Yes
    Log Configuration: Yes, Yes, Yes

  • Node: WebLogic Server domain
    Target: oam_bd (Cluster name); AdminServer; oam_server
    View Log Messages: Yes, Yes, Yes
    Log Configuration: No, Yes, Yes

  • Node: Identity and Access
    Target: OAM (Oracle Access Manager Cluster); oam_server (Oracle Access Manager Server)
    View Log Messages: No, Yes
    Log Configuration: No, Yes


Figure 27-17 shows the Log Levels configuration page in Fusion Middleware Control. Notice that Runtime Loggers is the selected View and oracle.oam logger names are currently displayed. With Oracle Security Token Service there is only one logger that affects the log levels for Oracle Security Token Service: oracle.security.fed.

Figure 27-17 Oracle Access Manager Log Levels on the Log Configuration Tab

Figure 27-18 Log Levels for Oracle Security Token Service

The Log Levels tab on the Log Configuration page allows you to configure the log level for both persistent loggers and active runtime loggers:

  • Persistent loggers are saved in a configuration file and become active when the component is started.

    The log levels for these loggers are persisted across component restarts.

  • Runtime loggers are automatically created during runtime and become active when a particular feature area is exercised.

    For example, oracle.j2ee.ejb.deployment.Logger is a runtime logger that becomes active when an EJB module is deployed. Log levels for runtime loggers are not persisted across component restarts.
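The persistent and runtime behaviour described above, as a small Python model (an added example, not Oracle code): it shows which TRACE settings are active now and which ones survive a component restart, so a review after troubleshooting knows what to reset. The ODL-to-Java level pairs are the standard Oracle Diagnostic Logging mapping; the default root level NOTIFICATION:1, the child logger name oracle.oam.example and all class and function names are assumptions made for the illustration.

```python
# Added illustration (not Oracle code): a model of persisted vs. runtime-only
# log levels and of level inheritance between dotted logger names.

# ODL "type:level" -> (java.util.logging level name, integer value)
ODL_TO_JAVA = {
    "INCIDENT_ERROR:1": ("SEVERE+100", 1100),
    "ERROR:1": ("SEVERE", 1000),
    "WARNING:1": ("WARNING", 900),
    "NOTIFICATION:1": ("INFO", 800),
    "NOTIFICATION:16": ("CONFIG", 700),
    "TRACE:1": ("FINE", 500),
    "TRACE:16": ("FINER", 400),
    "TRACE:32": ("FINEST", 300),
}
ROOT = ""                        # name of the root logger
DEFAULT_ROOT = "NOTIFICATION:1"  # assumption for this example
FINE = ODL_TO_JAVA["TRACE:1"][1]


class LoggerLevels:
    def __init__(self, persistent=None):
        # Levels saved in the configuration file: they survive restarts.
        self.persistent = dict(persistent or {})
        self.persistent.setdefault(ROOT, DEFAULT_ROOT)
        # Levels in force in the running component.
        self.active = dict(self.persistent)

    def set_level(self, logger, odl_level, persist=False):
        """Apply a level now; write it to the saved configuration only if asked."""
        if odl_level not in ODL_TO_JAVA:
            raise ValueError("unknown ODL level: %r" % odl_level)
        self.active[logger] = odl_level
        if persist:
            self.persistent[logger] = odl_level

    def restart(self):
        """Component restart: runtime-only levels are lost."""
        self.active = dict(self.persistent)

    def effective(self, logger):
        """Level in force for a logger: its own, else the nearest parent's."""
        name = logger
        while name not in self.active:
            name = name.rpartition(".")[0]  # "a.b.c" -> "a.b"; "a" -> ROOT
        return self.active[name]

    def trace_report(self, loggers):
        """Loggers currently at a TRACE level, and their level after a restart."""
        report = {}
        for name in loggers:
            level = self.effective(name)
            java_name, java_value = ODL_TO_JAVA[level]
            if java_value <= FINE:
                after = LoggerLevels(self.persistent).effective(name)
                report[name] = {"now": level, "java": java_name,
                                "after_restart": after}
        return report


def demo():
    watched = ["oracle.oam.example", "oracle.security.fed"]  # first is hypothetical
    cfg = LoggerLevels()
    cfg.set_level("oracle.oam", "TRACE:1")                         # runtime only
    cfg.set_level("oracle.security.fed", "TRACE:32", persist=True)  # saved
    before = cfg.trace_report(watched)
    cfg.restart()
    after = cfg.trace_report(watched)
    return before, after


if __name__ == "__main__":
    for label, report in zip(("before restart", "after restart"), demo()):
        print(label, report)
```

In the model, the persisted TRACE:32 on oracle.security.fed is the one that still applies after the restart and has to be lowered explicitly.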

Table 27-8 explains the configuration status and options for log levels.

Table 27-8 Log Levels Tab on Log Configuration Page

Element Description

Apply

Submits and applies log level configuration changes, which take effect immediately.

Revert

Restores the target's previous log level configuration, which takes effect immediately.

View

Use this list to view runtime loggers or loggers with a persistent log level state.

  • Runtime Loggers

  • Loggers with Persistent Log Level State

Search

Use this list to specify the categories you would like to search.

Log Search

Table

 

Logger Name

The name of the loggers found during the search. You can expand names in the list to see any loggers beneath the top node.

Root Logger

Oracle Diagnostic Logging Level (Java Level)

Choose the logging level for the corresponding logger; c.

Click Apply and review confirmation messages displayed in a pop-up window:


Updating log levels
Updating the log levels of runtime loggers
The log levels of runtime loggers have been updated successfully
The log levels have been updated successfully

Log File

Clicking a name in the Log File column displays the Log Files page, which you can use to create and edit the file where log messages are logged, the format of the log messages, rotation policies, and other logging parameters.

See Also: "Managing Log File Configuration from Fusion Middleware Control".

Persistent Log Level State

Identifies the persistent state for this specific logger, which is set when you create or edit the value using the Log Files tab.


27.6.2 Setting Log Levels Dynamically Using Fusion Middleware Control

Fusion Middleware Control administrators can use the following procedure to set the log level dynamically for Oracle Access Manager with Oracle Security Token Service.

Note:

Alternatively, administrators can set logger levels using custom WebLogic Scripting Tool (WLST) commands, as described in Chapter 23.

To configure logging levels dynamically in Fusion Middleware Control

  1. Log in as described in "Logging In To Fusion Middleware Control".

  2. Expand the desired node, and select a target. For example:

    Identity and Access
    oam_server

  3. From the Oracle Access Manager context menu, select Logs and then choose Log Configuration.

  4. From the Log Levels tab, View list, choose the loggers to display. For example: Runtime Loggers.

  5. From the Search list, choose a category, enter your search criteria, and click the search button. For example: All Categories sts.

  6. In the results table, expand nodes to reveal information as needed.

  7. In the results table, choose log levels for your environment, then click Apply (or Revert).

  8. Proceed to "Managing Log File Configuration from Fusion Middleware Control".

27.7 Managing Log File Configuration from Fusion Middleware Control

This section provides the following information for Oracle Access Manager with Oracle Security Token Service:

27.7.1 About Log File Configuration

Figure 27-18 shows the Log Files Configuration. Use this page to create and edit the file where log messages are written, the format of the log messages, the rotation policies used, and other parameters that depend on the log file configuration class.

Figure 27-19 Log Files Configuration Page


Table 27-9 describes the log files configuration parameters for Oracle Access Manager with Oracle Security Token Service.

Table 27-9 Log Files Elements

Element Description

Create

Click this button to display a fresh form to create a new file for logged messages.

Notes:

  • Log File is the name of the log handler (odl-handler for OAM)

  • Log Path points to the logging output file in your environment, which you can change.

  • The output logging file in your environment can have a unique file name.

Create New OAM Log File

Create Like

Click this button to display a partially filled-in form to create a new file for logged messages.

Create Like ... for OAM Log Files

Edit Configuration

Click this button to display and edit the selected log file configuration.

View Configuration

Click this button to view a read-only description of the selected log file configuration.

Table

The information in this table is based on log file configuration parameters in this table.

Handler Name

The Log File name assigned during log file creation.

Log Path

The file system directory path assigned during log file creation.

Log File Format

The Log File format assigned during log file creation.

Rotation Policy

The rotation policy selected during log file creation.


27.7.2 Managing Log File Configuration by Using Fusion Middleware Control

Fusion Middleware Control administrators can use the following procedure to create a log file, edit the configuration, or view a read-only version of the log file configuration.

To manage log files for OAM in Fusion Middleware Control

  1. Log in as described in "Logging In To Fusion Middleware Control".

  2. Expand the desired node, and select a target. For example:

    Identity and Access
    oam_server

  3. From the Oracle Access Manager menu, select Logs and then Log Configuration.

  4. Create a Log File: From the Log Files tab (Table 27-9):

    1. Click the Create button to display a fresh Create Log File form.

    2. Enter a name and file system path for this log file. For example:

      Log File oam-odl-handler

      Log Path domains/oam_db/servers/oam-server1/log/oam.log

    3. Click the desired Log File Format. For example: ... Text

    4. Set the logging attributes. For example:

      Use Default Attributes X

      Supplemental Attributes

    5. Associate a Logger. For example: Root Logger

    6. Specify the Rotation Policy. For example: Size Based

      Maximum Log File Size (MB) 10.0

      Maximum Size of All Log File Size (MB) 1000.0

    7. Click OK to submit the configuration.

  5. Create Like:

    1. From the Log Files tab, click the name of an existing log file.

    2. Click the Create Like button.

    3. On the Create Log File form, enter your own information:

      Log File name

      Log Level

      Attributes

    4. Edit any other details as needed, then click OK to submit the configuration.

  6. Edit Configuration:

    1. From the Log Files tab, click the name of an existing log file.

    2. Click the Edit Configuration button.

    3. Change configuration details as needed.

    4. Click OK to submit the changes.

  7. View Configuration:

    1. From the Log Files tab, click the name of an existing log file.

    2. Click the View Configuration button.

    3. Review the information, then click OK to dismiss the configuration page.

  8. Proceed to "Viewing Log Messages in Fusion Middleware Control".

27.8 Viewing Log Messages in Fusion Middleware Control

This section includes the following topics:

27.8.1 About Finding, Viewing, and Exporting Log Messages

By using the context menu for an Oracle Access Manager Server instance in Fusion Middleware Control, administrators can locate, view, and export key log information for:

  • Application Deployment targets, including the WebLogic (and OAM) AdminServer and the OAM SSO logout pages on both AdminServer and OAM Servers

  • WebLogic Server domain targets, including the OAM Farm, AdminServer, and OAM Servers

  • Identity and Access targets, including the Oracle Access Manager Farm, Clusters, and individual OAM Servers

Using log files to troubleshoot common problems requires that you:

  • Get familiar with the Oracle Diagnostic Logging (ODL) format used by Oracle Fusion Middleware components, as described in the Oracle Fusion Middleware Application Security Guide

  • Configure log files to collect the appropriate level of information

  • Search, view and export key log information in the farm

  • Correlate messages in log files across components

Figure 27-20 shows the Log Messages page for Oracle Access Manager with Oracle Security Token Service in Fusion Middleware Control.

Figure 27-20 Typical Log Messages Page in Fusion Middleware Control


Table 27-10 describes elements on the Log Messages page in Fusion Middleware Control, which you can use to locate and view messages.

Table 27-10 OAM Log Message Search Controls in Fusion Middleware Control

Element Description

Broaden Target Scope

Select items on this list to expand (or narrow) the targets that are used in this search:

  • Oracle WebLogic Server domain

  • Oracle Access Manager Cluster

  • Oracle WebLogic Server

  • Oracle Fusion Middleware Farm

Target Log Files...

Displays a list of all log files for the target scope from which you can select a specific log file to view or download.

Refresh Options

Select an item from this list to specify the refresh method:

  • Manual Refresh

  • 30 Second Refresh

  • 1 Minute Refresh

Search Options

 

Date Range

The period during which the desired set of messages was logged:

  • Most Recent

    Minutes

    Hours

    Days

  • Time interval

    Date Range

    Start Date

    End Date

Message Types

Check all message types that apply for this search:

  • Incident Error

  • Error

  • Warning

  • Notification

  • Trace

  • Unknown

Message

Choose an identifier from this list and add a value in the blank field beside it to refine your search criteria:


Add Fields

Click this button to display a list of additional search criteria you can include.


Search

Click this button to initiate a search using the specified criteria.

Viewing Options

 

View

Choose items from this menu to view or reorder columns in the search results table:


Show

Select the entity to view:


View Related Messages

This menu is available when at least one message is listed in the search results.


Export Messages to a File

A menu of viewing commands that are available when at least one message is listed in the search results. You can choose from the following commands:


Results Table Columns

These are based on selections in the View menu on the Log Messages page.

Search Table Fusion Middleware Control

Message Area

Displays details for the selected message in the search results table.

Log Message in Fusion Middleware Control

27.8.2 Viewing Logged Messages With Fusion Middleware Control

Fusion Middleware Control administrators can use the following procedure to view and download log messages for the target. This procedure explains how to search for messages, view messages (or view related messages), view all messages in a single log file, and export or download messages.

To view OAM Server log messages within Fusion Middleware Control

  1. Log in as described in "Logging In To Fusion Middleware Control".

  2. Expand the desired node and select a target. For example:

    Identity and Access
    oam_server

  3. From the OAM context menu, select Logs and then choose View Log Messages.

  4. Search (Table 27-10):

    1. Specify a Date Range.

    2. Check all Message Types to be included in your search.

    3. Define Message content options.

    4. Add Fields: Enter details to further refine message content.

    5. Click Search to display a list of messages that fit your search criteria.

  5. View Messages: From the table of search results, click one or more messages to view on the lower half of the page.

  6. View Related: Use one of the following methods to organize the table of search results.

    1. By Time: From the View Related menu, select by Time.

    2. By ECID: Click ECID in the message on the screen (or, from the View Related menu, select by ECID (Execution Context ID)).

    3. From the Scope menu, select a time period.

  7. Log File: From the table of search results, click a name in the Log File column to view all messages in the file.

  8. Export Messages

    1. Select one or more messages in the search results table.

    2. From the Export Messages menu, choose the desired export format. For example: As Oracle Diagnostic Log (.txt).

    3. In the dialog box, click Open with and then choose the desired program.

    4. From the open program, save the file to a new path.

  9. Download

    1. Select one or more messages in the search results table.

    2. Click the Download button.

    3. In the dialog box, click Open with and then choose the desired program.

    4. From the open program, save the file to a new path.

  10. Testing:

    1. Using the Access Tester, enter an invalid user name and try to authenticate (see Chapter 15).

    2. In Fusion Middleware Control, go to the log viewer and review the error.

    3. Using the Access Tester, enter an invalid password and try to authenticate.

    4. In the Fusion Middleware Control log viewer, check the error and then view all related log messages.

    5. Repeat this test using different log levels, as described in "Managing Log Level Changes in Fusion Middleware Control".
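An offline counterpart to View Related Messages by ECID for a file exported in step 8, as an added example that is not part of the Oracle documentation. It assumes the ODL text layout of bracketed fields, with a relationship ID appended to the ECID after a comma; the sample lines, ECIDs, message ID, and the oracle.oam.example module name are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of an exported ODL text file (not real OAM output).
# Layout assumed: [timestamp] [component] [type] [msg id] [module],
# then [name: value] attributes, then the message text.
SAMPLE_EXPORT = """\
[2011-03-02T10:15:01.120-08:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.example] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: ECID-EXAMPLE-0001,0] [APP: oam_server] Authentication request received
[2011-03-02T10:15:01.480-08:00] [oam_server1] [ERROR] [EXAMPLE-00001] [oracle.oam.example] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: ECID-EXAMPLE-0001,0] [APP: oam_server] Authentication failed for the supplied user name
[2011-03-02T10:15:07.002-08:00] [oam_server1] [NOTIFICATION] [] [oracle.oam.example] [tid: 14] [userId: <anonymous>] [ecid: ECID-EXAMPLE-0002,0] [APP: oam_server] Session created
[2011-03-02T10:15:01.495-08:00] [AdminServer] [WARNING] [] [oracle.oam.example] [tid: 21] [userId: <anonymous>] [ecid: ECID-EXAMPLE-0001,0:1] [APP: oam_admin] Failed login recorded
"""

POSITIONAL = ("timestamp", "component", "msg_type", "msg_id", "module")


def parse_odl_line(line):
    """Return one ODL text line as a dict, or None if it is not ODL."""
    fields, pos = [], 0
    while pos < len(line) and line[pos] == "[":
        depth = 0
        for end in range(pos, len(line)):    # walk to the matching ']'
            depth += {"[": 1, "]": -1}.get(line[end], 0)
            if depth == 0:
                break
        else:
            return None                      # unbalanced brackets
        fields.append(line[pos + 1:end])     # nested [..] stays in the value
        pos = end + 1
        while pos < len(line) and line[pos] == " ":
            pos += 1
    if len(fields) < len(POSITIONAL):
        return None
    record = dict(zip(POSITIONAL, fields))
    for attr in fields[len(POSITIONAL):]:    # supplemental [name: value]
        name, _, value = attr.partition(":")
        record[name.strip()] = value.strip()
    record["message"] = line[pos:].strip()
    return record


def related_by_ecid(export_text):
    """Group records from all components by ECID, oldest message first."""
    groups = defaultdict(list)
    for line in export_text.splitlines():
        rec = parse_odl_line(line)
        if rec and rec.get("ecid"):
            # Drop the relationship ID suffix so one request is one group.
            groups[rec["ecid"].split(",")[0]].append(rec)
    for recs in groups.values():
        recs.sort(key=lambda r: datetime.fromisoformat(r["timestamp"]))
    return dict(groups)


def flows_with_errors(groups, types=("ERROR", "INCIDENT_ERROR")):
    """List the ECIDs whose flow contains a message of the given types."""
    return sorted(ecid for ecid, recs in groups.items()
                  if any(r["msg_type"].split(":")[0] in types for r in recs))
```

Running `flows_with_errors(related_by_ecid(text))` over an export taken after the invalid-credential tests in step 10 narrows review to the request flows that logged an error, with the AdminServer and OAM Server messages for each flow side by side.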

27.9 Displaying MBeans in Fusion Middleware Control

A Java object is a unit of code that runs the computer. Each object is an instance of a particular class or subclass that relies on the class's methods or procedures or data variables. Within the Java programming language, a Java object that represents a manageable resource (application, service, component, or device) is known as an MBean (managed bean).

Fusion Middleware Control enables you to:

  • View information on key MBean Attributes and Operations

  • Invoke methods

This section provides the following topics:

27.9.1 About the System MBean Browser

The Fusion Middleware Control System MBean Browser can be used to view the items outlined in Table 27-11.

Table 27-11 System MBean Browser

Node Target System MBean Browser

Application Deployment

Internal Applications

...AdminServer

oamsso_logout(11.1.1.3.0) AdminServer

oamsso_logout(11.1.1.3.0) oam_server

Yes

Yes

Yes

WebLogic Server domain

oam_bd (Cluster name)

AdminServer

oam_server

Yes

Yes

Yes

Identity and Access

OAM (Oracle Access Manager Cluster)

oam_server (Oracle Access Manager Server)

No

Yes


Note:

Oracle Security Token Service MBeans are also available as described here.

Table 27-12 describes the MBeans that Oracle Access Manager and Oracle Security Token Service deploy on the AdminServer on the domain runtime server (OAM Server).

Table 27-12

MBeans For Description

Configuration Service

oracle.oam:type=Config

Partner and Trust Service

oracle.oam:type=PATConfig

STS MBeans

oracle.sts:type=Config

Certificate Validation Module

These are used for CRL management.

oracle.sts:type=CertRevocationListConfig


Figure 27-21 shows the System MBean Browser and the related Attributes tab displaying information for the Oracle Security Token Service CertRevocationListConfig: oracle.sts:Location=oam_server1,type=CertRevocationListConfig.

Figure 27-21 System MBean Browser and Attributes Tab


Table 27-13 describes the System MBean Browser and associated tabs in greater detail.

Table 27-13 System MBean Browser

System MBean Browser

System MBean Browser

Expand items in this section to display MBeans for the selected target. Under Application Defined Beans, find oracle.oam and oracle.sts.

System MBean Browser

MBean Information

Details for Attributes and Operations related to the MBean for the selected target are displayed on the right.

System MBean Info

Attributes

This tab describes MBean attributes for the selected target.

MBean Attributes

Operations

This tab describes MBean operations for the selected target.

MBean Operations

Notifications

This tab lists any notifications resulting from the invocation of an MBean.

Controls

The following controls are available from these pages:

  • Name Link: Clicking a name on either tab displays a full description of related MBeans.

  • Apply Button: Submits and applies the selected MBean attribute value.

  • Revert Button: Restores previous MBean attribute values following a change (and before clicking Apply).

  • Return Button: Returns you to the MBean Information page.

  • Invoke Button: Invokes the selected MBean and value.


27.9.2 Managing MBeans

Fusion Middleware Control administrators can use the following procedure to view MBeans for Oracle Access Manager or Oracle Security Token Service. Additionally, you can apply values (or revert the change) and invoke MBeans.

To view, edit, or invoke MBeans for Oracle Access Manager and Oracle Security Token Service

  1. Log in as described in "Logging In To Fusion Middleware Control".

  2. Expand the desired node and select a target. For example:

    Identity and Access
    oam_server

  3. From the Oracle Access Manager context menu, select System MBean Browser.

  4. System MBean Browser: Expand classes and select an MBean target to display related attributes and operations. For example: oracle.sts or oracle.oam.

  5. Manage MBean Attributes:

    1. Click the Attributes tab.

    2. Review the name and description of MBean attributes for the selected target.

    3. Edit values for one or more attributes and click Apply to submit changes (or click Revert to cancel changes).

      Alternatively: Click a Name in the Attributes table to display a full description and the value; change the value and click Apply (or click Revert to cancel the change).

  6. Manage MBean Operations:

    1. Click the Operations tab.

    2. Review the name, description, number of parameters, and return type for each MBean operation for the selected target.

    3. Click a name in the Operations table to display the parameters and related name, description, type, and value.

    4. Edit values for the operation and click Apply to submit changes (or click Revert to cancel changes).

    5. Click Invoke to invoke the MBean and review the message that appears.

27.10 Displaying Farm Routing Topology in Fusion Middleware Control

Fusion Middleware Control enables you to view a graphical representation of the Oracle Access Manager routing topology.

This section provides the following topics:

27.10.1 About the Routing Topology

Figure 27-22 shows the Farm routing topology page in Fusion Middleware Control.

Figure 27-22 Routing Topology with Context Menu


Table 27-14 describes the status and controls on the Farm topology page.

Table 27-14 Farm Topology

Element Description

Save Image

Saves the image.

Print

Prints the image.

Scaler for Topology View

Scales the image.

Find

Enter a value or simply click Find to display results.

Topology: Find Results

+

Expands the instance on the topographical view to provide more information.

Expand Instance Topography

Status Bar

Displays the full farm name and targets within the farm, as well as the up and down status. You can choose to overlay the status and metrics on individual instances in the topology view.

Topographic View Status

27.10.2 Viewing the Routing Topology using Fusion Middleware Control

Fusion Middleware Control Administrators can use the following procedure to view the routing topology of the farm that includes OAM 11g.

To view Farm routing topology

  1. Log in as described in "Logging In To Fusion Middleware Control".

  2. Select the Farm in the navigation tree.

  3. Click Topology above the navigation tree.

  4. In the Topology Browser window, click the name of the farm and click OK.

  5. Use the scaling tool to shrink or grow the image.

  6. Expand instances in the topology to display details about each one.

  7. Use the Overlay options to add status and metrics information to the instances.

  8. Use the Find option to locate specific information (Table 27-14).

  9. Click Print or Save, as needed.