9 Advanced Topics

This chapter describes additional Oracle Identity Federation administration topics, including:

• Configuration Assistants

• Command-line Tools

• Managing Oracle Identity Federation Performance

• High Availability

• Setting Up a Load Balancer with Oracle Identity Federation

• Setting Up a Proxy for Oracle Identity Federation

9.1 Configuration Assistants

Oracle Identity Federation provides configuration assistants to support the following tasks:

• modification of the transient data store

• server uninstallation

Configuration Assistant for Changing the Transient Data Store

This Configuration Assistant allows you to change the type of transient data store used by your Oracle Identity Federation server. You can switch from a memory-based transient store to an RDBMS-based store, or from an RDBMS-based store to a memory-based store.

The Configuration Assistant performs these tasks:

1. Connects to the RDBMS to create Oracle Identity Federation database tables, if necessary

2. Packages the application with the new transient data store type

3. Redeploys Oracle Identity Federation

4. Updates the Oracle Identity Federation configuration to reflect the new transient data store type

For more information about these tasks, see "Configuration Assistant Operations".

See "Command-Line Configuration Assistant to Change the Transient Data Store" for usage details.

Configuration Assistant for Uninstallation

A Configuration Assistant can also be invoked as a command-line tool to perform server deinstallation. See "Command-Line Configuration Assistant for Uninstallation" for usage details.

This section contains these topics:

• Prerequisites for the Configuration Assistants

• Configuration Assistant Operations

9.1.1 Prerequisites for the Configuration Assistants

The following requirements must be met for the Configuration Assistants to execute properly:

• The files used by Oracle Identity Federation and the components it relies upon must be copied to their respective locations.

• OC4J must be installed and running.

• The deployment tool (dcmctl) must be installed and available to the Configuration Assistant.

• The Configuration Assistant must be run from the operating system account which has the correct privileges to access and configure OC4J.

• If Oracle Identity Federation is configured to use an LDAP repository to store the federation records, that server must be up and running.

• If configuring RDBMS as the new transient data store, a TNS Name must be defined locally referencing the database instance to be used. Refer to the Net Configuration Assistant to create a Local Net Service Name Configuration entry.

Before executing any tasks, the Configuration Assistant validates the parameters you specify on the command line. The assistant can:

• verify that the required parameters are present and have valid values

• check any connection parameters to LDAP or RDBMS servers by connecting to them

In case of a validation error, the Configuration Assistant displays an error message and returns a status code failure.

9.1.2 Configuration Assistant Operations

The Configuration Assistant performs a number of tasks related to Oracle Identity Federation maintenance:

• Repository Maintenance

• Deployment

9.1.2.1 Repository Maintenance

The Configuration Assistant configures and maintains back-end repositories needed for various tasks including federation records and artifact, message, and session information.

9.1.2.2 Deployment

After updating the ear application file with the configuration data supplied through Oracle Universal Installer, the Configuration Assistant deploys Oracle Identity Federation on the OC4J instance.

9.2 Command-line Tools

This section provides details about Oracle Identity Federation command-line tools:

• Bulk Federation Utility

• Command-Line Configuration Assistant to Change the Transient Data Store

• Command-Line Configuration Assistant for Uninstallation

• Command line Federation Delete Tool

9.2.1 Bulk Federation Utility

Oracle Identity Federation include a command-line tool that enables the administrator to perform bulk loading of user federation records.

By way of background, note that a federation represents an account linking between a user and two providers. Typically, the two providers agree to identify the individual using the data contained in the federation. When a federation is created, therefore, these providers will have agreed to use some specific piece of information to identify that user.

The bulk federation utility lets the administrator create an ldif file which can then be used to create federation records in an LDAP repository, and these federation records will be linked to users and peer providers.

The steps are as follows:

1. The utility reads instructions from an input file. For a specific federation record, the input data may contain the identifier of the user who will own the federation, the id of the peer provider with which the federation will be linked, and other parameters.

2. An ldif file containing LDAP commands is produced.

3. The administrator then executes the ldif file to populate the target LDAP server with federation records.

Thus the tool does not directly interact with the LDAP server, and the administrator is able to analyze the changes to the repository before bulk-loading federation data.

In addition to creating an ldif file for the LDAP server, the utility generates a result file that contains a list of all federations created. The administrator can then communicate this file to the peer provider for whom the federations are created, since the peer likewise needs to load the corresponding federation information in its repository.

Operating Modes of the Bulk Federation Utility

The bulk-loading tool operates in two modes:

• A create mode that uses a limited set of data (user id, peer provider id, and so on) to create:

  1. the federation data

  2. the corresponding LDAP commands

• A read mode that reads the input file containing the federation data; in this mode, the tool generates only the ldif file containing the LDAP commands, but no federation data is created.

Bulk Loading Flow

As an example, consider two providers named SP-A and IdP-B. Each provider has 10 users on its system, and the administrators wish to create federations for all of these users using the bulk federation load utility.

The steps they will take to achieve this are as follows:

1. One of the providers (for example, SP-A) creates an input file listing the federations to be created. For each federation data to be created, it contains: the user ID at SP-A, the remote provider ID (IdP-B), and some additional information.

2. The SP-A administrator next uses the bulk load tool in create mode; the tool reads the input file and creates two files: the ldif file containing LDAP commands for the SP-A federation LDAP server, and an output file of federation data.

3. The SP-A administrator uses the ldif file to populate SP-A's LDAP Federation server: at the completion of this step, the federation records have been created at SP-A.

4. At IdP-B, the administrator receives the output file and uses that file with the bulkload utility in read mode: the tool reads that file and creates an ldif file containing LDAP commands.

5. Finally, the IdP-B administrator executes the LDAP commands against its LDAP Federation server to create federation records in IdP-B: at that point, the federations are existing at both providers.

9.2.1.1 The Create Mode

In create mode, the tool generates new federation account-linking data based on the contents of an input file. For each federation record, the input file contains the following information:

Table 9-1 Fields of Input File in Create Mode of Bulk Load

Field	Description	Required?
UserID	This is the user identifier used by Oracle Identity Federation to uniquely reference a user in the user data store.	Yes
UserDescription	This is the human-readable user identifier that will be set on the LDAP federation record.	Yes
ProviderID	This is the identity of the peer provider with which the federation is created.	Yes
Version	This is the federation version. Specify 1.1, 1.2, or 2.0.	Yes
Type	This is the type of federation. The possible values are: OIF_IDP_SP (Oracle Identity Federation as an IdP with an SP Peer Provider) OIF_IDP_AFFILIATION (Oracle Identity Federation as an IdP with an affiliation or group of SPs) OIF_SP_IDP (Oracle Identity Federation as an SP with an IdP Peer Provider) OIF_AFFILIATION_IDP (Oracle Identity Federation as an affiliation or part of a group of SPs and an IdP Peer Provider)	Yes
AffiliationID	This is the AffiliationID in configurations where Oracle Identity Federation acts as an affiliation. Note: This is not the ProviderID of Oracle Identity Federation.	Yes, if Type is OIF_AFFILIATION_IDP

Here is a sample input file for use in the create mode:

UserID: user1b1
UserDescription: user1bb1
ProviderID: http://sp.oracle.com
Version: 2.0
Type: OIF_IDP_SP
 
UserID: user1b2
UserDescription: user1bb2
ProviderID: http://sp.oracle.com
Version: 2.0
Type: OIF_IDP_SP
 
UserID: user1b1
UserDescription: user1bb1
ProviderID: http://idp.oracle.com
Version: 2.0
Type: OIF_SP_IDP

9.2.1.2 The Read Mode

In read mode, the tool reads and processes existing federation account-linking data from the input file without creating any new federations. For each federation record the input file will contain the following information:

Table 9-2 Fields of Input File in Read Mode of Bulk Load

Field	Description	Required?
UserID	This is the user identifier used by Oracle Identity Federation to uniquely reference a user in the user data store.	Yes
UserDescription	This is the human-readable user identifier that will be set on the LDAP federation record.	Yes
ProviderID	This is the identity of the peer provider with which the federation is created.	Yes
Version	This is the federation version. Specify 1.1, 1.2, or 2.0.	Yes
Type	This is the type of federation. The possible values are: OIF_IDP_SP (Oracle Identity Federation as an IdP with an SP Peer Provider) OIF_IDP_AFFILIATION (Oracle Identity Federation as an IdP with an affiliation or group of SPs) OIF_SP_IDP (Oracle Identity Federation as an SP with an IdP Peer Provider) OIF_AFFILIATION_IDP (Oracle Identity Federation as an affiliation or part of a group of SPs and an IdP Peer Provider)	Yes
AffiliationID	This is the AffiliationID in configurations where Oracle Identity Federation acts as an affiliation. Note: This is not the ProviderID of Oracle Identity Federation.	Yes, if Type is OIF_AFFILIATION_IDP
IdPNameID	This is the federation's IdP Name Identifier.	Yes
SPNameID	This is the federation's SP Name Identifier.	No
Format	This is the format of the federation's Name Identifier.	No
Qualifier	This is the qualifier of the federation's Name Identifier.	No

Here is a sample input file for use in the read mode:

userid: user1b1
userdescription: user1bb1
providerid: http://sp.oracle.com
idpnameid: id-SHMeaEZkk4jqiHl32BmmIAcBy4o-
format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
qualifier: http://sp.oracle.com
version: 2.0
type: OIF_IDP_SP
 
userid: user1b2
userdescription: user1bb2
providerid: http://sp.oracle.com
idpnameid: id-QTqtXv13IE493asxqGF-CoeBuRM-
format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
qualifier: http://sp.oracle.com
version: 2.0
type: OIF_IDP_SP
 
userid: user1b1
userdescription: user1bb1
providerid: http://idp.oracle.com
idpnameid: id-He4Nvgeiz4BLzhRhlPzebViLQbU-
format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
qualifier: http://stadm04.us.oracle.com:7780/fed/sp
version: 2.0
type: OIF_SP_IDP

9.2.1.3 Output Files Generated by Bulk Load

In both create and read modes, the tool produces three output files:

1. an ldif file

2. a result file

3. an error file

LDIF File

This file contains the LDAP statements an administrator will need to execute against the LDAP server. Executing the ldif file populates the server with user federation records. You typically achieve this by using an ldapmodify command of the form:

ldapmodify –a –c –x –D "cn=Admin,dc=example,dc=com" –w PASSWORD 
    -h LDAP_HOSTNAME –p LDAP_PORT –f LDIF_FILE

Result File

The result file contains information about the federation records that were created. This file is typically communicated to third party providers, who use it to populate their federation repository with corresponding federation records.

See Table 9-2 for a description of the result file.

Error File

The error file contains records of any input entries that could not be processed. The error record consists of:

• UserID - this is the identifier used by Oracle Identity Federation to uniquely reference a user in the data store.

• ProviderID - this is the identity of the peer provider with which the federation is created.

9.2.1.4 Syntax and Examples

The bulk load utility is invoked at the command line as follows:

java –jar bulkload.jar <parameters>

The parameters are:

• -f INPUT_FILE - This is the file with the information specifying the federation records to create.

• -dir OUTPUT_DIR - This is the directory in which to create the output files such as the ldif file, the result file and the error file.

• -oifdir OIF_DIR - This is the top-level Oracle Identity Federation directory. Typically it is the directory containing the bin, conf, lib and log directories.

• -c - This is the create mode. It specifies that federation records need to be created. The tool will generate IdPNameID, Format and Qualifier fields.

• -r - This is the read mode. It specifies that the federation records information is contained in the input file and no federation data should be created, instead it should be read from the file to produce the ldif and result files.

Example 1

java -jar fed/lib/bulkload.jar -f user-fed-data.dat -dir /saveDir -oifdir $ORACLE_HOME/fed -c

This command directs the tool to read a file containing a list of users for which federations are to be created, and produce 1) an ldif file that the administrator can execute against its LDAP server to create the records, and 2) another file that contains the federation information that should be sent to the peer providers for which the federations were created.

Example 2

java -jar fed/lib/bulkload.jar -f peer-user-fed-data.dat -dir /saveDir -oifdir $ORACLE_HOME/fed -r

This command directs the tool to read a file sent by a peer provider (a file that was created by the bulk load tool, for example), and to create an ldif file based on that input file that would contain commands to create federation records.

Example 3

This example brings together the concepts described earlier in this section, to illustrate all the steps to achieve a bulk load of federation users from beginning to end.

In this example, the input file of users is created at the IdP side, and the IdP federation server is populated. The result file is then used at the SP to generate the necessary data to populate the data records at the SP server.

1. Create the input file.

   UserID: buser9
   UserDescription: buser9
   ProviderID: http://platinum-ob.us.oracle.com:7780/fed/sp
   Version: 1.2
   Type: OIF_IDP_SP
    
   UserID: buser10
   UserDescription: buser10
   ProviderID: http://goofy.us.oracle.com:7785/fed/sp
   Version: 1.2
   Type: OIF_IDP_SP
    
   

2. Navigate to the Oracle_Home\fed\lib directory and generate the result.ldif and result.txt files. For example:

   D:\osfshome2\jdk\bin\java -jar bulkload.jar -f users
      -dir D:\osfshome2\fed\lib -oifdir D:\osfshome2\fed -c
   
   

3. Import the result.ldif into the IdP directory. For example:

   ldapmodify -h platinum-ob.us.oracle.com -a -f result.ldif
      -D "cn=orcladmin" -w malibu97 -p 13060
   
   

4. Copy the result.txt file to the SP, and modify the file to conform to the SP; this means changing the serverid, type, userid, userdescription, and providerid values.

5. At the SP, read the result.txt file into the bulk tool to generate an ldif file. For example:

   C:\OraHome_030306>jdk\bin\java -jar fed\lib\bulkload.jar
      -f c:\orahome_030306\fed\lib\result.txt 
      -dir c:\orahome_030306\fed
      -oifdir c:\orahome_030306\fed -r
   
   

6. Import the resulting ldif file into the directory at the SP:

   ldapmodify –a –c –x –D "cn=Directory Manager" –w 97malibu
      –h akeim2.us.oracle.com –p 440 –f result.ldif
   
   

Users should now be able to do single sign-on without having to log in at the SP, because the federations already exist.

9.2.2 Command-Line Configuration Assistant to Change the Transient Data Store

For a description of this utility, see "Configuration Assistants".

9.2.2.1 Syntax and Examples

The installation configuration assistant is invoked at the command line as follows (the tool will prompt for the RDBMS password):

java -jar $ORACLE_HOME/fed/lib/install.jar <parameters>

The parameters are:

• -oh $ORACLE_HOME - This is the location of the ORACLE_HOME variable referencing the Oracle Application Server installation directory. Required.

• -transient <TYPE> This is the type of repository to use as the transient data store in Oracle Identity Federation. The possible values are memory or rdbms. Required.

• -dbtnsname <TNSNAME> - This is the RDBMS TNS name. Required if an RDBMS is used for the transient data store.

• -dbusername <USERNAME> - This is the RDBMS username. Required if an RDBMS is used for the transient data store.

• -uselocalconfig <BOOLEAN> - This is an optional parameter that can be used with -transient rdbms, to control whether this instance's local configuration settings will overwrite any settings currently stored in the database. The possible values are "true" or "false". If "true", configuration settings in the Oracle Identity Federation server's local files will replace any settings currently stored in the selected database. If "false", or this parameter is omitted, settings stored in the RDBMS (if there are any) will overwrite the local configuration files. The default is "false".

  As mentioned earlier, this is an optional parameter that can be specified if an RDBMS is used for the transient data store.

Requirements

Prior to running the configuration assistant, set the following environment variables:

• $ORACLE_HOME: environment variable referencing the Oracle Home directory. For example:

  • Windows

    set ORACLE_HOME=c:\DIR

  • Linux bash shell

    export ORACLE_HOME=/DIR

• On Linux, you need to set the LD_LIBRARY_PATH to include the $ORACLE_HOME/lib directory. This assumes that the ORACLE_HOME environment variable is already set. For example:

  export LD_LIBRARY_PATH=$ORACLE_HOME/lib
  
  

• On Windows, you need to set the PATH environment variable to include the %ORACLE_HOME%/lib and %ORACLE_HOME%/bin directories. This assumes that the ORACLE_HOME environment variable is already set. For example:

  set PATH=%ORACLE_HOME%/bin;ORACLE_HOME%/lib;%path%
  
  

Example 1

$ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/fed/lib/install.jar -oh ORACLE_HOME -transient memory

Note that the transient data will be stored in memory.

Example 2

$ORACLE_HOME/jdk/bin/java -jar $ORACLE_HOME/fed/lib/install.jar -oh ORACLE_HOME -transient rdbms -dbusername USERNAME -dbtnsname TNSNAME

Note that the transient data will be stored in RDBMS.

9.2.3 Command-Line Configuration Assistant for Uninstallation

The configuration assistant provides an uninstall feature to perform the following operations:

• Destroy all federation records created by the Oracle Identity Federation server being un-installed.

• Destroy all auxiliary and non sensitive data if all federation records were destroyed in the first step. Oracle Identity Federation is the only server using the LDAP federation server to store data, so it is safe to destroy the structural data.

• Remove the attributes and object classes that the configuration assistant added to the LDAP schema at installation time.

  Note:

  This feature is not supported for Microsoft Active Directory as the directory does not allow entries to be removed from its schema.

• Destroy the RDBMS transient tables, if any, used to store persistent data.

The configuration assistant notifies the un-installer if:

• Oracle Identity Federation used an RDBMS database to store persistent data

• An LDAP store was used to store federation records

If an LDAP or RDBMS operation needs to be performed, the uninstallation tool would prompt for LDAP or RDBMS connection information that is then passed to the configuration assistant. That way, the administrator can specify the correct information and credentials required to perform administrative tasks in the LDAP or RDBMS server.

See Also:

For complete Oracle Identity Federation uninstallation procedures, see "Un-installing Oracle Identity Federation"

9.2.3.1 Syntax and Examples

The uninstallation configuration assistant is invoked at the command line as follows (the tool will prompt for the LDAP/RDBMS password):

java -jar $ORACLE_HOME/fed/lib/uninstall.jar <parameters>

The parameters are:

• -uninstall - Launches the uninstallation process. Required.

• -oh ORACLE_HOME - This is the location of the ORACLE_HOME variable referencing the OracleAS installation directory. Required.

• -removefed true|false - Indicates whether to remove federation records from the LDAP server.

• -ldap true|false - Indicates whether to remove the Oracle Identity Federation schema from the LDAP server.

• -ldaptype - Indicates the type of repository. The possible values are oid, msad, iplanet, and tivoli.

• -ldapurl - This is the LDAP URL.

• -ldapusername - This is the username of the LDAP administrator.

• -db - Indicates whether to remove transient Oracle Identity Federation tables from the RDBMS server.

• -dbtnsname <TNSNAME> - This is the RDBMS TNS name. Required if -db is true.

• -dbusername <USERNAME> - This is the RDBMS username. Required if -db is true.

Note:

To see a list of parameters and possible values, run the tool without specifying any parameters.

Requirements

If you plan to remove the RDBMS tables created by Oracle Identity Federation, take these steps prior to running the uninstallation tool:

• Set environment variables.

  On Linux

  Set the LD_LIBRARY_PATH variable to include the $ORACLE_HOME/lib directory. This assumes that the ORACLE_HOME environment variable is already set. For example:

  export LD_LIBRARY_PATH=$ORACLE_HOME/lib

  On Windows

  Set the PATH environment variable to include the %ORACLE_HOME%/lib and %ORACLE_HOME%/bin directories. This assumes that the ORACLE_HOME environment variable is already set. For example:

  set PATH=%ORACLE_HOME%/bin;ORACLE_HOME%/lib;%path%

• Retrieve the TNS Name referencing the RDBMS. This value, which you can find in the $ORACLE_HOME/network/admin/tnsnames.ora file, is the identifier referencing the connection information used to connect to the database.

Example 1

java -jar fed/lib/uninstall.jar -uninstall -oh $ORACLE_HOME -removefed true -ldap false -ldapurl ldap://ldap.com -ldapusername admin -db false

This command removes all the federation records from the LDAP server.

Example 2

java -jar fed/lib/uninstall.jar -uninstall -oh ORACLE_HOME -removefed true -ldap true -ldaptype oid -ldapurl ldap://ldap.com -ldapusername admin -db false

This command:

• removes all the federation records from the LDAP server

• removes the Oracle Identity Federation schema from the LDAP server

Example 3

java -jar fed/lib/uninstall.jar -uninstall -oh ORACLE_HOME -removefed true -ldap true -ldaptype oid -ldapurl ldap://ldap.com -ldapusername admin -db true -dbtnsname orcl -dbusername scott

This command:

• removes all the federation records from the LDAP server

• removes the Oracle Identity Federation schema from the LDAP server

• removes the transient Oracle Identity Federation tables from the RDBMS server

9.2.4 Command line Federation Delete Tool

With the 10.1.4.2.0 patch set, Oracle Identity Federation provides a new command line tool to perform bulk delete operations of federation records from the Federation Data Store.

This tool removes federation records directly from the LDAP server used as the Federation Data Store without notifying the remote provider; thus, the Liberty 1.x/SAML 2.0 protocols will not be exercised to notify the provider that the federation record was locally deleted.

Use the tool to remove federation records when:

• the remote provider no longer exists

• the remote provider is not in the circle of trust

• the remote provider does not support the Federation Termination protocols

• the local administrator wishes to remove federation records without notifying the remote provider

Note:

To remove a federation record and notify the remote provider, use the Identity Federation tab in the Oracle Identity Federation Administration Console to delete the federation: that operation will connect to the remote provider to indicate that the record is being deleted.

You can use the federation delete tool in different ways:

• to remove all federation records of a specific user

• to remove all federation records linked to a specific remote provider

• to remove all federation records of a list of users

Examples of each type of usage appear below.

9.2.4.1 Syntax and Examples

Invoke the federation delete tool at the command line as follows (the LDAP password is entered during command execution):

java -jar $ORACLE_HOME/fed/lib/fedadmin.jar <parameters>

The parameters are:

• -oh ORACLE_HOME - This is the ORACLE_HOME directory. Required.

• -ldapurl url - the URL of the LDAP Federation Data Store

• -ldapusername username - the LDAP username to use to connect to the LDAP Federation Data Store

• -providerid id - the Provider ID for which federations need to be removed

• -userid id - the user ID for which federations need to be removed

• -useridfile file - absolute path to the file containing the list of user IDs for which federations need to be removed

Example 1

To remove all federation records of a specific user, the administrator specifies the identifier of the user.

For example, the following command deletes all federation records belonging to the user alice:

java -jar $ORACLE_HOME/fed/lib/fedadmin.jar -oh $ORACLE_HOME -ldapurl ldap://ldap.com -ldapusername ADMIN -userid alice

Note:

The identifier value must be of the same type as the User ID Attribute configured in the User Data Store section of the Oracle Identity Federation Administration Console.

Example 2

To remove all federation records linked to a specific remote provider, the administrator specifies the Provider ID of the remote provider.

For example, the following command deletes all federation records linked to the provider identified by http://idp.com/idp:

java -jar $ORACLE_HOME/fed/lib/fedadmin.jar -oh $ORACLE_HOME -ldapurl ldap://ldap.com -ldapusername ADMIN -providerid http://idp.com/idp

Example 3

To remove all federation records of a list of users, the administrator specifies a file containing identifiers of the users:

For example, the following command:

java -jar $ORACLE_HOME/fed/lib/fedadmin.jar -oh $ORACLE_HOME -ldapurl ldap://ldap.com -ldapusername ADMIN -useridfile users.txt

where the file users.txt contains:

alice
bob
charlie

deletes all federation records belonging to users alice, bob, and charlie.

Note:

The identifier values must be of the same type as the User ID Attribute configured in the User Data Store section of the Oracle Identity Federation Administration Console.

9.3 Managing Oracle Identity Federation Performance

This section explains topics relevant to Oracle Identity Federation server performance, including:

• Setting Concurrent Connection Limits

• Setting JDBC Connection Limits

• Tuning Oracle HTTP Server

See Also:

Oracle Application Server Performance Guide

9.3.1 Setting Concurrent Connection Limits

Communication between two federation servers occurs by means of the SOAP-over-HTTP protocol. Oracle Identity Federation provides these default connection limits:

• The number of concurrent connections to a single host is limited to 4.0

• The number of maximum total connections is limited to 100.

You can override the default limits by setting the relevant connection parameters:

1. Log on to the Enterprise Manager console.

2. At the console, navigate to OC4J_FED -> Administration -> Server Properties.

3. Add these entries to the Java Options configuration:

   -Dhttp.fed.host=VALUE1
   -Dhttp.fed.max.conn=VALUE2
   
   

   where VALUE1 and VALUE2 are values set by the administrator.

4. Restart OC4J_FED.

9.3.2 Setting JDBC Connection Limits

When Oracle Identity Federation uses a database as its transient data store, the server uses a connection manager to open and maintain SQL connections to the database.

By default, connection manager uses the following settings when working with an RDBMS as the transient data store:

JDBC Connection Setting	Default Value
Minimum number of connections	1
Maximum number of connections	150
Maximum inactivity timeout (the connection will be closed if inactive after this period)	7200 seconds
Connection wait timeout (maximum time to wait for a new connection)	30 seconds

The administrator can override these settings using these steps:

1. Log on to the Enterprise Manager console.

2. At the console, navigate to OC4J_FED - > Administration - > Server Properties

3. Add the following entries to the Java Options configuration corresponding to the settings:

   • -Dfed.jdbc.min.conn=VALUE to set the minimum number of connections

   • -Dfed.jdbc.max.conn=VALUE to set the maximum number of connections

   • -Dfed.jdbc.max.usage=VALUE to set the maximum inactivity timeout in seconds

   • -Dfed.jdbc.conn.timeout=VALUE to set the connection wait timeout in seconds

4. Save the settings and restart OC4J_FED.

9.3.3 Tuning Oracle HTTP Server

By default, Oracle HTTP Server is configured for general use cases.

To efficiently handle heavy loads, you may need to tune Oracle HTTP Server for improved performance. To achieve this, open the ORACLE_HOME/Apache/Apache/conf/httpd.conf file and modify the following properties:

Note:

The values given here are for illustration only. The actual values you employ will vary depending on your machine and operating system configuration.

Setting	Example Value	Meaning
KeepAlive	off	Turns off the KeepAlive feature. When KeepAlive is on, connections are not freed until timeout occurs.
MaxClients	512	Increases the number of clients that Apache can process concurrently.
MinSpareServers	20	This is the minimum number of processes Apache can use.
MaxSpareServers	250	This is the maximum number of processes Apache can use. Caution: This setting can be memory-intensive.
StartServers	100	This is the number of processes to create at startup. Caution: This setting can be memory-intensive.

Note:

You may also need to optimize the IdM framework that is integrated with Oracle Identity Federation (Oracle SSO, Oracle Access Manager, or SiteMinder) with respect to HTTP connections.

Finally, you should also take into account the IdM components that are integrated with the Oracle Identity Federation server, and tune their settings appropriately. For example, tuning Oracle HTTP Server settings for OracleAS Single Sign-On may be helpful in optimizing the performance of the federation server.

9.4 High Availability

Oracle Identity Federation leverages Oracle Application Server to support several strategies for ensuring high availability. These strategies can be employed both within an application server instance and across a cluster that includes multiple application server instances. Oracle Identity Federation supports the Cold Failover Cluster (CFC) or active-passive high availability configuration, where the Oracle Application Server Infrastructure is typically deployed on a two-node hardware cluster with a shared storage device. This configuration requires the use of an RDBMS as the transient data store.

Note:

To support High Availability configurations, the "Advanced Install" option must be selected during Oracle Identity Federation installation. For more information, see "Advanced Installation Procedure".

Key features of Oracle Identity Federation that impact high availability are described in these sections:

• Web Application Session State Replication

• Centralized Storage of Configuration Information

• Data Tier

• Additional Information

9.4.1 Web Application Session State Replication

Oracle Identity Federation is a web application deployed to OC4J (in the OC4J_FED container), and multiple HTTP requests from the same client may need to access the application. However, if Oracle Identity Federation running on the OC4J server experiences a problem resulting in failure of the OC4J process or instance, the state associated with a client request may be lost. Here are some ways to guard against such failures:

1. Using an RDBMS as the transient data store

   In this configuration, Oracle Identity Federation saves the transient session and profile state in the database. When the active server instance goes down, the passive (standby) server instance is brought online and restores session and profile state using information from the database, thus avoiding the loss of the Oracle Identity Federation state due to server failure. Storing transient data in the RDBMS is a requirement for high availability. You must use this feature with Oracle Identity Federation on multiple OC4J processes or instances.

2. Running on Multiple OC4J Processes

   In this configuration, the OC4J instance on which Oracle Identity Federation runs is configured for multiple OC4J processes. The OC4J instance configuration is valid for one or more OC4J processes, and these processes communicate the Web session state to each other, thereby providing protection against software problems like an OC4J process failure or hang.

3. Running on Multiple OC4J Instances

   In this configuration, multiple active instances of Oracle Identity Federation are deployed to multiple OC4J instances. The Web session state must be replicated across the server instances using the replication facilities provided by the OC4J clustering framework, and the state is managed using Oracle Enterprise Manager Application Server Control.

If using load balancers, it is important to ensure that all Oracle Identity Federation sessions are directed to the same server instance.

See Also:

"Setting Up a Load Balancer with Oracle Identity Federation".

9.4.2 Centralized Storage of Configuration Information

Oracle Identity Federation stores configuration information centrally in the RDBMS transient data store when configured for such a store. This ensures that if configuration changes occur in one federation server instance, all other server instances are able to use the most up-to-date configuration settings.

Note:

It takes approximately 10 seconds for the changes to propagate to all active server instances.

When using SAML 1.x or WS-Federation protocols, you will need to manually replicate the ORACLE_HOME/fed/shareid/oblix/config/keystore file to the different Oracle Identity Federation instances. This file contains the peer providers' certificate, which is used to verify signatures in SAML 1.x/WS-Federation protocol messages.

9.4.3 Data Tier

In order to ensure high availability of Oracle Identity Federation, it is necessary to ensure high availability of the specific data repositories that are being used with the server (LDAP, RDBMS, and so on). Refer to product- and vendor-specific documentation for details about configuring specific data stores.

For RDBMS repositories, a good starting point is the Oracle Database High Availability Overview, which is part of the Administration document set in the Oracle9i Database Server documentation library.

9.4.3.1 Configuring Redundant LDAP Servers

If your site contains a redundant infrastructure of LDAP servers, for example a topology where the servers are fronted by a load balancer that re-routes requests to a different LDAP server when a directory instance goes down, the Oracle Identity Federation server should be configured using these steps:

1. Log on to the Oracle Enterprise Manager console.

2. At the console, navigate to OC4J_FED - > Administration - > Server Properties.

3. Add the following entry to the Java Options field:

   -Dfed.ldap.ha=true

4. Save the settings and restart OC4J_FED.

9.4.4 Additional Information

For more information about high availability features that you can leverage in your Oracle Identity Federation installation, see the Oracle Application Server High Availability Guide.

For information about Cold Failover Cluster configurations for high availability, see the Oracle Application Server High Availability Guide in the 10g Release 2 (10.1.2) documentation library.

9.5 Setting Up a Load Balancer with Oracle Identity Federation

This section explains configuration and other steps required for installing Oracle Identity Federation behind a load balancer.

Take these steps to set up a load balancer with Oracle Identity Federation:

Note:

These steps are specific to the F5 load balancer.

1. Follow the standard installation process to install all Oracle Identity Federation instances on corresponding load balanced host machines. Details are provided in Chapter 3, "Installing Oracle Identity Federation".

2. There is no need to choose a virtual hostname, as it is required for Cold Failover Cluster in the advanced installation procedure.

3. Choose the transient data store in the advanced installation procedure.

4. Install all Oracle Identity Federation instances pointing to the same transient data store.

5. In the F5 load balancer administration console, create a pool with all Oracle Identity Federation instances, and enable the application persistence property for this pool. Set the persistence type to Active HTTP Cookie, set the method to insert, and the set expiration to the desired value.

6. Create a virtual server member mapped to the newly created pool.

7. Enable HTTP monitoring on all member nodes in the pool.

8. On all Oracle Identity Federation servers instances, change the ServerName and Port parameters in the httpd.conf file to the Virtual Server name and port.

9. For all Oracle Identity Federation servers that are both load-balanced and integrated with OracleAS Single Sign-On, register the load balancer URL (for example, http://lbr.us.oracle.com:80) to all load-balanced Oracle Identity Federation servers by running this command from the command prompt:

   <OIF_HOME>/sso/bin/ssoreg.bat -oracle_home_path %ORACLE_HOME% -site_name 
       <Load_Balancer_Host_Name> -config_mod_osso TRUE -mod_osso_url 
       <Load_Balancer_URL:Port>
   
   

10. On all Oracle Identity Federation servers, update the configuration by running this command from the command prompt:

    dcmctl updateconfig

11. Restart the HTTP server from the Oracle Enterprise Manager console on all the Oracle Identity Federation server instances.

12. In the Oracle Identity Federation administration console, under Server Configuration - > Server Properties, change the server hostname and port number to the Virtual Server name and port number of the load balancer.

13. Restart the Oracle Identity Federation instances from the Oracle Enterprise Manager console.

14. Distribute the new metadata file to the peer providers.

9.5.1 Additional Considerations for SAML 1.x or WS-Federation

When using SAML 1.x or WS-Federation protocols, you will need to manually replicate the ORACLE_HOME/fed/shareid/oblix/config/keystore file to the different Oracle Identity Federation instances. This file contains the peer providers' certificate, which is used to verify signatures in SAML 1.x/WS-Federation protocol messages.

Additionally, when setting up SAML 1.x or WS-Federation SSO in load-balanced mode, make sure that the URLs in MyDomain at the Load-balanced provider, and in the load-balanced Domain at the other provider, have the hostname and address of the load-balancer machine (as opposed to, for example, the hostname and address of one of the load-balanced Oracle Identity Federation instances).

9.5.2 Additional Steps for the Oracle Identity Federation Monitoring console

The Oracle Identity Federation monitoring console cannot be load balanced; this is because only one server should be responsible for monitoring one or more Oracle Identity Federation instances. Therefore, you need to modify the Oracle HTTP Server settings to correctly enable the monitoring features on the console, as well as on the Oracle Identity Federation servers.

Make sure that the HTTP ports and URLs used for monitoring operations are not integrated with the load balancer. You can accomplish this by creating an Oracle HTTP Server Virtual host that will forward requests made to the /fed and /fedmon URLs to the local OC4J_FED container.

The new virtual host will need these settings:

• ServerName, Port, and Listen directive values for the virtual host set to the local values

• Oc4jMount directives that forward /fed and /fedmon URLs to the OC4J_FED container

For example, the definition of such a virtual host in ORACLE_HOME/Apache/Apache/conf/httpd.conf could look like this:

Listen 7799
NameVirtualHost *:7799
<VirtualHost *:7799>
    ServerName local.machine.com
    <IfModule mod_oc4j.c>
        Oc4jMount /fed OC4J_FED
        Oc4jMount /fed/* OC4J_FED
        Oc4jMount /fedmon OC4J_FED
        Oc4jMount /fedmon/* OC4J_FED
    </IfModule>
</VirtualHost>

Take these steps:

1. Modify the httpd.conf file using the example as a guide.

2. Execute the command:

   dcm/bin/dcmctl updateconfig

3. Restart Oracle HTTP Server:

   opmn/bin/opmnctl restartproc process-type=HTTP_Server

4. After creating the virtual host, access the monitoring console using the URL of the virtual host.

5. Add the URLs of Oracle Identity Federation servers to monitor. The URL should point to the local virtual host value, not the load-balanced URL.

The monitoring console will now be ready to configure to monitor the Oracle Identity Federation server.

9.6 Setting Up a Proxy for Oracle Identity Federation

This section explains how to set up a proxy server for Oracle Identity Federation.

Due to the standalone nature of Oracle Identity Federation, you cannot utilize the usual procedures for setting up an application server proxy. Instead, use the steps provided here to set up an Oracle HTTP Server as a proxy for Oracle Identity Federation:

1. Install Oracle HTTP Server for the proxy server.

2. Edit the ORACLE_HOME/Apache/Apache/conf/httpd.conf file.

   1. Uncomment these lines:

      <IfModule mod_proxy.c>
          ProxyRequests On
      </IfModule>
      
      

   2. Unset the ProxyRequests directive:

      ProxyRequests Off
      
      

   3. Add these directives after ProxyRequests Off:

      ProxyPass /sso HTTP://OIF-HOST:OIF-PORT/sso
      ProxyPass /fed HTTP://OIF-HOST:OIF-PORT/fed
      ProxyPass /shareid HTTP://OIF-HOST:OIF-PORT/shareid
      ProxyPassReverse /sso HTTP://OIF-HOST:OIF-PORT/sso
      ProxyPassReverse /fed HTTP://OIF-HOST:OIF-PORT/fed
      ProxyPassReverse /shareid HTTP://OIF-HOST:OIF-PORT/shareid
       
      #ProxyPass /fedadmin HTTP://OIF-HOST:OIF-PORT/fedadmin
      #ProxyPass /fedmon HTTP://OIF-HOST:OIF-PORT/fedmon
      #ProxyPass /uixi http://OIF-HOST:OIF-NON-SSL-PORT/uixi
      #ProxyPassReverse /fedadmin HTTP://OIF-HOST:OIF-PORT/fedadmin
      #ProxyPassReverse /fedmon HTTP://OIF-HOST:OIF-PORT/fedmon
      #ProxyPassReverse /uixi http://OIF-HOST:OIF-NON-SSL-PORT/uixi
       
      #ProxyPass /osso_login_success HTTP://OIF-HOST:OIF-PORT/
         osso_login_success
      #ProxyPass /osso_logout_success HTTP://OIF-HOST:OIF-PORT/
         osso_logout_success
      #ProxyPassReverse /osso_login_success HTTP://OIF-HOST:OIF-PORT/
         osso_login_success
      #ProxyPassReverse /osso_logout_success HTTP://OIF-HOST:OIF-PORT/
         osso_logout_success
      
      

      where:

      • HTTP is http for an open connection or https for a secure connection from the proxy to Oracle Identity Federation

      • OIF-HOST is the hostname of the Oracle Identity Federation server

      • OIF-PORT is the HTTP or HTTPS port number of the Oracle Identity Federation server. Omit the entry for HTTP port 80 or HTTPS port 443.

      • OIF-NON-SSL-PORT is the http port number of the Oracle Identity Federation server. Omit the entry for HTTP port 80.

      Note:

      • Uncomment the /fedadmin or /fedmon directives only if you need to expose the Oracle Identity Federation administration or monitoring consoles to users on the internet.

      • Uncomment the /uixi directives if any of the /fedadmin or /fedmon directives is enabled.

      • Uncomment the /osso_login_success and /osso_logout_success directives if Oracle Identity Federation is integrated with Oracle Single Sign-On Server.

      Caution:

      Oracle recommends that you do not make the administration and monitoring consoles available through the proxy.

   4. Comment out the mod_oc4j include:

      #include "ORACLE_HOME/Apache/Apache/conf/mod_oc4j.conf
      
      

   5. If using SSL from the proxy to the Oracle Identity Federation server, add an additional directive after ProxyPassReverse directives:

      SSLProxyWallet file:OHS_HOME/Apache/Apache/conf/ssl.wlt/default

      where OHS_HOME is the install directory for the proxy Oracle HTTP Server. If you have not already done so, also import the certificate of the CA that issued the Oracle Identity Federation server certificate in this wallet. See "Configuring SSL Server on Oracle Identity Federation" for details.

3. If using SSL with the proxy, follow the instructions in "Configuring SSL Server on Oracle Identity Federation". Omit the section about editing the mod_oc4j.conf file.

   If you require SSL client certificate authentication for the IdP/source side of the SAML 1.x Artifact profile, do the following for the proxy Oracle HTTP Server:

   1. Copy the Perl script shown here to the appropriate location.

      Unix: ORACLE_HOME/perl/lib/site_perl/5.6.1/Apache/SSLClientCertHeader.pm

      Windows: ORACLE_HOME\Apache\Apache\mod_perl\site\5.6.1\lib\Apache\SSLClientCertHeader.pm

      This script sets the ssl_client_certificate header that Oracle Identity Federation uses to complete the client certificate authentication.

      package Apache::SSLClientCertHeader;
       
      use Apache::Constants qw(OK DECLINED);
      use Apache::URI ();
      use strict;
       
      sub handler {
          my $r = shift;
          $r->subprocess_env;
          my $clientcert = $r->subprocess_env("SSL_CLIENT_CERT");
          my $outstr;
          # Remove newlines from certificate before setting header.
          for my $i (split "\n", $clientcert) {
              if (!($i =~ /^-/)) {
                  chomp($i);
                  $outstr .= $i;
              }
          }
          $r->header_in("ssl_client_cert", $outstr);
          return OK;
      }
       
      1;
      
      

   2. Add these directives to the VirtualHost for the SSL client certificate authentication port in ORACLE_HOME/Apache/Apache/conf/ssl.conf:

      <VirtualHost _default_:CLIENT-CERT-PORT>
          . . .
          SSLOptions +ExportCertData +CompatEnvVars
          PerlModule Apache::SSLClientCertHeader
          PerlFixupHandler Apache::SSLClientCertHeader
      </VirtualHost>
      
      

   Copy an existing virtual host first, similar to the steps for just configuring the Oracle Identity Federation server with client certificate mode. The new virtual host should have the client certificate port number of the proxy. Also, update the responder port on the Domain page of the Oracle Identity Federation administration console with the client certificate port of the proxy server.

4. Restart Oracle HTTP Server to make the configuration changes effective. You can test the proxy by invoking:

   HTTP://PROXY-HOST:PROXY_PORT/shareid/saml/ObSAMLTransferService

   You should get an Oracle Identity Federation error with Error ID TSE002.

5. Determine the proxy HTTP or HTTPS ports through the Ports page of the Enterprise Manager Console:

   • Oracle HTTP Server Listen port (http)

   • Oracle HTTP Server Listen (SSL) port (https)

6. Reconfigure Oracle Identity Federation to use the proxy host and port for its external URLs. Make these changes in the Oracle Identity Federation administration console:

   1. Server Configuration - > General:

      - Server Hostname

      - Server Port

      - SOAP Port

   2. SAML 1.x/WS-Fed - > Domains - > MyDomain:

      - Error URL

      - Transfer URL

      - Responder URL

      - SourceID (blank to regenerate for new ResponderURL)

      - Identity Realm STS URL

      - Receiver URL

      - Resource Realm STS URL

   Note:

   Do not modify the Signing Certificate Subject DN or Issuer DN, as these must continue to match the generated certificate.

7. Restart Oracle Identity Federation to make the General server configuration changes effective.

8. If using Oracle Access Manager as the IdM, use the Access System Console to update the Fed SSO authentication schemes:

   Access System Console - > Access System Configuration - > Authentication Management:

   - Fed SSO - SAML 1.x

   - Fed SSO - WS-Federation

   - Fed SSO - SAML 2.0/Liberty 1.x

   Change the Challenge Redirect parameter for each scheme to use the proxy host and port.

9. Communicate the changes to partners using this Oracle Identity Federation, if necessary. Partners using SAML 2.0 or Liberty 1.x will need to download new metadata. Partners using SAML 1.x or WS-Federation will need to manually update their configurations with the Oracle Identity Federation MyDomain configuration set in Step 6.

10. If Oracle Identity Federation is integrated with Oracle Single Sign-On, some additional steps are required.

    1. Update the Oracle Single Sign-On Partner application:

       - Go to the Oracle Single Sign-On administration console (http://osso_host:osso_port/pls/orasso).

       - Click Single Sign-On Administration.

       - Click Administer Partner Applications.

       - Choose the partner application referencing the Oracle Identity Federation server, and edit the application configuration.

       - Replace the http(s), hostname and port number by the proxy's values for Home URL, Success URL, and Logout URL.

       - Click OK.

    2. Update the policy.properties file:

       - Open the ORACLE_HOME/sso/conf/policy.properties file in the Oracle Single Sign-On deployment.

       - Replace the http(s), hostname and port number by the proxy's value for the SASSOAuthnUrl and SASSOLogoutUrl entries.

       - Save and close the file.

    3. Restart the OC4J_SECURITY instance of the Oracle Single Sign-On deployment by using the command:

       opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY