Oracle® Access Manager Deployment Guide 10g (10.1.4.2.0)
Part Number E10353-01
Contents
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
What's New in Oracle Access Manager?
Product and Component Name Changes
Deployment Overview
Capacity Planning
Tuning the Directory
Tuning the Access Server
Tuning the Identity System
Tuning Workflows
Tuning Your Network
Tuning Performance for Access System Operations
Failover and Load Balancing
Reconfiguring Oracle Access Manager
Migrating Data
1 Oracle Access Manager Deployment Overview
  1.1 About Oracle Access Manager Deployment Types and Tiers
  1.2 Deployment Scenarios and Environments
  1.3 Deployment Categories
    1.3.1 Extranet Deployment Category
    1.3.2 Intranet Deployment Category
  1.4 General Recommendations
    1.4.1 Security Recommendations
    1.4.2 Standardization Recommendations
    1.4.3 Oracle Access Manager Server Recommendations
    1.4.4 Web Server Recommendations
    1.4.5 LDAP Directory and Data Recommendations
    1.4.6 Audit Data Usability Recommendations
    1.4.7 Configuring a Single Idle Timeout for the Entire Deployment
    1.4.8 Customization Recommendations
    1.4.9 Testing and Performance Recommendations
  1.5 Identity System Recommendations
    1.5.1 Customizing the Look and Feel of Embeddable User Interface Elements
    1.5.2 Recycling an Identity Server Instance Name
  1.6 Access System Recommendations
    1.6.1 Using IP Validation, HTTPS, and Secure Cookies to Mitigate the Risk of a Cookie Replay Attack
    1.6.2 Configuring Dynamic Groups Rather than Authorization Filters to Simplify Authorization Administration
    1.6.3 Deploying WebGates on Reverse Proxies to Simplify Management
    1.6.4 Developing Document Protection Policies to Minimize WebGate Calls to the Access Server
    1.6.5 Configuring Form-Based Authentication to Avoid Login Errors
  1.7 Oracle Access Manager Deployment Planning
    1.7.1 Planning Deliverables
  1.8 About Deployment Best Practices
2 Capacity Planning
  2.1 About Capacity Planning
  2.2 Estimating the Anticipated Peak System Load for Server Sizing
    2.2.1 Measuring the Load
      2.2.1.1 Measuring the Load in a Deployment
      2.2.1.2 Measuring the Active User Sessions in a Multi-Site Deployment
    2.2.2 Projecting System Usage
  2.3 Component-Specific Capacity Planning and Sizing Considerations
    2.3.1 Identity and Access Server Recommendations
    2.3.2 WebPass Considerations and Recommendations
    2.3.3 Access System Considerations and Recommendations
      2.3.3.1 Access Server Recommendations
      2.3.3.2 Access Server to WebGate Ratios
      2.3.3.3 WebGate Impact on Web Server Performance
  2.4 Oracle Access Manager Performance and Scalability Characteristics
    2.4.1 Scale-Up Characteristics
    2.4.2 Scale-Out Characteristics
    2.4.3 Deployment and Configuration Impact on Performance
    2.4.4 Baseline Performance for Identity and Access Servers
  2.5 Oracle Access Manager Reference Server Footprint
    2.5.1 Hardware for Small-to-Medium Deployments
    2.5.2 Hardware for Large Deployments
  2.6 Considerations for the LDAP Directory Server
    2.6.1 LDAP Server Requirements for Small to Medium Deployments
    2.6.2 LDAP Server Requirements for Large Deployments
  2.7 Sample Medium-to-Large-Scale Deployment
  2.8 Test Cases for Baseline Performance Data
    2.8.1 Identity Server Baseline Performance Test Case
      2.8.1.1 Self Registration Test Case
      2.8.1.2 Lost Password Test Case
      2.8.1.3 Change Password Test Case
      2.8.1.4 Account Lockout Test Case
    2.8.2 Access Server Baseline Performance Test Case
      2.8.2.1 Login Test Case
      2.8.2.2 LoginNavi Test Case
    2.8.3 Integrated Baseline Performance Test Case
3 Performance Tuning
  3.1 Guidelines for Directory Tuning
    3.1.1 Checking the Performance of the Directory
    3.1.2 Directory Connection Pool Size
      3.1.2.1 Differences Between Configured and Actual Connection Pool Size
      3.1.2.2 Configuring the Connection Pool
    3.1.3 Storing Workflow Tickets in the Directory
      3.1.3.1 Writing Workflow Tickets to the Directory
    3.1.4 Indexing Attributes in the Directory
      3.1.4.1 Limitations of Indexing
      3.1.4.2 Indexing and User Deactivation
      3.1.4.3 Indexing and Workflows
      3.1.4.4 Indexing and Groups
      3.1.4.5 Indexing and Search Constraints
    3.1.5 Changing the Number of Access Server-to-Directory Server Connections
    3.1.6 Deleting and Archiving Workflows
    3.1.7 Setting Read and Write Permissions for Administrators
    3.1.8 Configuring the Searchbase
      3.1.8.1 Setting a Searchbase Filter
    3.1.9 Applying Search Constraints
    3.1.10 Increasing Connections to the Directory in the Identity System
    3.1.11 Changing Directory Content
      3.1.11.1 Ordering the Columns in a Search Results List
      3.1.11.2 Changing the Bind DN
    3.1.12 Adjusting Cache Settings
    3.1.13 Deleting ObSyncRecord Entries from the Directory
    3.1.14 Performance Considerations for Microsoft Active Directory
      3.1.14.1 Pointing Directly to a Domain Controller to Avoid Potential Data Inconsistency Problems
      3.1.14.2 Using LDAP over SSL Rather than ADSI to Connect to Microsoft Active Directory
      3.1.14.3 Fine-Tuning Appropriate Active Directory Configuration Parameters to Optimize Performance
  3.2 About LDAP Tools
    3.2.1 Viewing Directory Content in LDIF Files
      3.2.1.1 LDAPSEARCH Command-Line Format
      3.2.1.2 LDAPSEARCH Command-Line Parameters
      3.2.1.3 LDAPSEARCH Examples
    3.2.2 Changing Directory Content with LDAPMODIFY
      3.2.2.1 LDAPMODIFY Command-Line Format
      3.2.2.2 LDAPMODIFY Command-Line Parameters
      3.2.2.3 LDAPMODIFY Examples
  3.3 Tuning the Identity System
    3.3.1 Tuning Identity System Searches
      3.3.1.1 Restricting the Operators Used in a Search
      3.3.1.2 Requiring the User to Enter a Minimum Number of Characters in a Search Field
      3.3.1.3 Restricting the Number of Entries Returned on a Search
    3.3.2 Create Thread-Safe Plug-Ins
    3.3.3 Consider Pooling Identity Servers
    3.3.4 Configure Identity Servers from a File System Level
    3.3.5 Configure Identity Servers to Use 3 GB of Virtual Memory
  3.4 Tuning Groups in the Identity System
    3.4.1 General Recommendations for Tuning Groups in the Identity System
      3.4.1.1 Use Dynamic Groups Instead of Static Groups
      3.4.1.2 Use Nested Groups with Caution
    3.4.2 Guidelines for Working with Large Static Groups
      3.4.2.1 Exclude Group Membership Attributes from Panels and Search Results Tables
      3.4.2.2 Exclude Member Roles from Attribute Access Control Policies
      3.4.2.3 Performance Tuning for Evaluation of Large Static Groups
    3.4.3 Tuning the Group Manager Application
      3.4.3.1 Tuning the My Groups Page
      3.4.3.2 Tuning the View Members Page
      3.4.3.3 Tuning the Group Expansion Page
    3.4.4 Tuning the User ID Cache
  3.5 Tuning Workflows
    3.5.1 Tuning workflowdbparams.xml
    3.5.2 Configuring Workflow Search Parameters
  3.6 Tuning the Access System
    3.6.1 Configuring Password Validation by the Access Server
      3.6.1.1 The ObCredValidationByAS Parameter
    3.6.2 Changing the Number of Request Queues and Threads
      3.6.2.1 About Threads and Queues
      3.6.2.2 Estimating the Current Number of Threads
      3.6.2.3 Estimating the Required Number of Threads and Queues
    3.6.3 Limiting the Number of Authorization Queries from WebGate
    3.6.4 Reducing Instability in the Access Server
    3.6.5 Securing AccessGate Clients
    3.6.6 Tuning the Handling of Groups in the Access System
      3.6.6.1 Use Dynamic Groups Instead of Static Groups
      3.6.6.2 Considerations for Nested Groups
      3.6.6.3 Considerations for ObMyGroups
  3.7 Tuning the Caches
    3.7.1 Tuning the Policy Cache
      3.7.1.1 Calculating Maximum Elements in a Policy Cache
      3.7.1.2 Calculating Memory Requirements for the Policy Cache Elements
      3.7.1.3 Calculating Policy Cache Timeout
    3.7.2 User Cache Tuning
      3.7.2.1 Calculating the User Cache Timeout
      3.7.2.2 Calculating Maximum Elements in the User Cache
      3.7.2.3 Calculating Memory Requirements for User Caches
    3.7.3 Tuning the URL Prefix Cache
    3.7.4 WebGate Cache Tuning
    3.7.5 Sizing the Maximum Elements in Cache
  3.8 Tuning Your Network
    3.8.1 Be Sure Your Machines Are Working Properly
  3.9 Resource-Intensive Operations
    3.9.1 Time to Process Calls to Various Components
    3.9.2 Login Forms
    3.9.3 Password Management
    3.9.4 Plug-Ins
4 Failover and Load Balancing
  4.1 About Load Balancing with Oracle Access Manager
    4.1.1 About Load Balancing of LDAP Data
  4.2 Configuring Load Balancing for Web Components
    4.2.1 Configuring Simple Round-Robin Load Balancing
    4.2.2 Configuring Weighted Round-Robin Load Balancing
  4.3 Configuring Load Balancing among Oracle Access Manager and Directory Servers
    4.3.1 Configuring Load Balancing for User Data
    4.3.2 Configuring Load Balancing of Configuration and Policy Data
    4.3.3 Adjusting Connection Pooling for a Directory Server Instance
  4.4 About Failover with Oracle Access Manager
    4.4.1 Primary Versus Secondary Servers
  4.5 About Failover Between Oracle Access Manager and Directory Servers
  4.6 Configuring Failover of Web Components
  4.7 Configuring Directory Failover for User Data
  4.8 Configuring Directory Failover for Configuration and Policy Data
    4.8.1 Configuring Identity Server Failover for Configuration Data
    4.8.2 Configuring Access Server Directory Failover for Configuration and Policy Data
  4.9 Configuring Failover Based on Directory Server Availability
  4.10 Configuring Failover Based on Directory Server Response Time
    4.10.1 Guidelines for Configuring Failover Based on Directory Server Response Time
    4.10.2 Configuring the LDAPOperationTimeout and LDAPMaxNoOfRetries Parameters
    4.10.3 Testing the LDAPOperationTimeout Value
5 Caching and Cloning
  5.1 Cloned and Synchronized Components
  5.2 About Caching Recent Information
    5.2.1 Triggering Cache Flush Events
    5.2.2 Cache Timeout
  5.3 Caching System Information
    5.3.1 Caching Group Objects
    5.3.2 Turning Off the Credential Mapping Cache
  5.4 Caching Access System Information
    5.4.1 Access Server Cache Configuration
      5.4.1.1 Information in a Policy Cache
      5.4.1.2 Caching User Information
    5.4.2 Turning Off the Access Server User Cache
    5.4.3 Automatically Flushing Access Server Caches
    5.4.4 Manually Flushing Access Server Caches
    5.4.5 Cache Configuration Using Replicated Directories
      5.4.5.1 Timeouts That Ensure Correct Behavior
    5.4.6 AccessGate Cache Configuration
6 Reconfiguring the System
  6.1 What Can Be Reconfigured
  6.2 Performing Reconfiguration That Requires Re-Running Setup
  6.3 Updating the LDAP Bind Password
    6.3.1 Parameters for the ModifyLDAPBindPassword Tool
    6.3.2 Running the ModifyLDAPBindPassword Tool
    6.3.3 Changing the LDAP Bind Password When Running in ADSI Mode
7 Synchronizing System Clocks Across Time Zones
  7.1 About Synchronization
  7.2 Synchronization with NTP
  7.3 Synchronization with a GPS-Based System
  7.4 About Daylight Saving Time
8 Upgrading Versus Migrating Data to a Different Deployment
  8.1 About Upgrading to a Later Release of Oracle Access Manager
  8.2 About Oracle Access Manager Configuration Data Migration
9 Oracle Access Manager Backup and Recovery Strategies
  9.1 About Backup and Recovery Strategies
  9.2 Backup Recommendations
  9.3 Backup Strategies for Deployment Events
    9.3.1 Backing Up Before Oracle Access Manager Installation
    9.3.2 Backing Up After Oracle Access Manager Installation
    9.3.3 Backing Up After Customizing Oracle Access Manager
    9.3.4 Backing Up Before Upgrading
    9.3.5 Backing Up After Upgrading
  9.4 Recovery Strategies
    9.4.1 Recovery Strategies After Installation
    9.4.2 Recovery Strategies During Upgrades
Index