Contents

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documents
• Conventions

What's New in Oracle Access Manager?

• Product and Component Name Changes
• Enhancements Available in 10g (10.1.4.3)
• Deployment Overview
• Access System Performance Enhancements for Large Group Evaluations
• Cache Flush Enhancements
• Capacity Planning
• Failover and Load Balancing
• Migrating Data
• Reconfiguring Oracle Access Manager
• Tuning the Directory
• Tuning the Access Server
• Tuning the Identity System
• Tuning Workflows
• Tuning Your Network
• Tuning Performance for Access System Operations

1 Oracle Access Manager Deployment Overview

• About Oracle Access Manager Deployment Types and Tiers
• Deployment Scenarios and Environments
• Deployment Categories
  • Extranet Deployment Category
  • Intranet Deployment Category
• General Recommendations
  • Security Recommendations
  • Standardization Recommendations
  • Oracle Access Manager Server Recommendations
  • Web Server Recommendations
  • LDAP Directory and Data Recommendations
  • Audit Data Usability Recommendations
  • Configuring a Single Idle Timeout for the Entire Deployment
  • Customization Recommendations
  • Testing and Performance Recommendations
• Identity System Recommendations
  • Customizing the Look and Feel of Embeddable User Interface Elements
  • Recycling an Identity Server Instance Name
• Access System Recommendations
  • Using IP Validation, HTTPS, and Secure Cookies to Mitigate The Risk of a Cookie Reply Attack
  • Configuring Dynamic Groups Rather than Authorization Filters to Simplify Authorization Administration
  • Deploying WebGates On Reverse Proxies to Simplify Management
  • Developing Document Protection Policies to Minimize WebGate Calls to the Access Server
  • Configuring Form-Based Authentication to Avoid Login Errors
• Oracle Access Manager Deployment Planning
  • Planning Deliverables
• About Deployment Best Practices

2 Capacity Planning

• About Capacity Planning
• Estimating the Anticipated Peak System Load for Server Sizing
  • Measuring the Load
    • Measuring the Load in a Deployment
    • Measuring the Active User Sessions in a Multi-Site Deployment
  • Projecting System Usage
• Component-Specific Capacity Planning and Sizing Considerations
  • Identity and Access Server Recommendations
  • WebPass Considerations and Recommendations
  • Access System Considerations and Recommendations
    • Access Server Recommendations
    • Access Server to WebGate Ratios
    • WebGate Impact on Web Server Performance
• Oracle Access Manager Performance and Scaleability Characteristics
  • Scale-Up Characteristics
  • Scale-Out Characteristics
  • Deployment and Configuration Impact on Performance
  • Baseline Performance for Identity and Access Servers
• Oracle Access Manager Reference Server Footprint
  • Hardware for Small-to-Medium Deployments
  • Hardware for Large Deployments
• Considerations for the LDAP Directory Server
  • LDAP Server Requirements For Small to Medium Deployments
  • LDAP Server Requirements For Large Deployments
• Sample Medium-to-Large-Scale Deployment
• Test Cases for Baseline Performance Data
  • Identity Server Baseline Performance Test Case
    • Self Registration Test Case
    • Lost Password Test Case
    • Change Password Test Case
    • Account Lockout Test Case
  • Access Server Baseline Performance Test Case
    • Login Test Case
    • LoginNavi Test Case
  • Integrated Baseline Performance Test Case

3 Performance Tuning

• Guidelines for Directory Tuning
  • Checking the Performance of the Directory
  • Directory Connection Pool Size
    • Differences Between Configured and Actual Connection Pool Size
    • Configuring the Connection Pool
  • Storing Workflow Tickets in the Directory
    • Writing Workflow Tickets to the Directory
  • Indexing Attributes in the Directory
    • Limitations of Indexing
    • Indexing and User Deactivation
    • Indexing and Workflows
    • Indexing and Groups
    • Indexing and Search Constraints
  • Changing the Number of Access Server-to-Directory Server Connections
  • Deleting and Archiving Workflows
  • Setting Read and Write Permissions for Administrators
  • Configuring the Searchbase
    • Setting a Searchbase Filter
  • Applying Search Constraints
  • Increasing Connections to the Directory in the Identity System
  • Changing Directory Content
    • Ordering the Columns in a Search Results List
    • Changing the Bind DN
  • Adjusting Cache Settings
  • Deleting ObSyncRecord Entries from the Directory
  • Performance Considerations for Microsoft Active Directory
    • Pointing Directly to a Domain Controller to Avoid Potential Data Inconsistency Problems
    • Using LDAP Over SSL Rather than ADSI to Connect to Microsoft Active Directory
    • Fine Tuning Appropriate Active Directory Configuration Parameters to Optimize Performance
• About LDAP Tools
  • Viewing Directory Content in LDIF Files
    • LDAPSEARCH Command-Line Format
    • LDAPSEARCH Command-Line Parameters
    • LDAPSEARCH Examples
  • Changing Directory Content with LDAPMODIFY
    • LDAPMODIFY Command-Line Format
    • LDAPMODIFY Command-Line Parameters
    • LDAPMODIFY Examples
• Tuning the Identity System
  • Tuning Identity System Searches
    • Restricting the Operators Used in a Search
    • Requiring the User to Enter a Minimum Number of Characters in a Search Field
    • Restricting the Number of Entries Returned on a Search
  • Create Thread-Safe Plug-Ins
  • Consider Pooling Identity Servers
  • Configure Identity Servers from a File System Level
  • Configure Identity Servers to Use 3 GB of Virtual Memory
• Tuning Groups in the Identity System
  • General Recommendations for Tuning Groups in the Identity System
    • Use Dynamic Groups Instead of Static Groups
    • Turning off Dynamic Group Evaluation for the Identity Server
    • Use Nested Groups with Caution
  • Guidelines for Working with Large Static Groups
    • Exclude Group Membership Attributes from Panels and Search Results Tables
    • Exclude Member Roles from Attribute Access Control Policies
    • Performance Tuning for Evaluation of Large Static Groups
  • Tuning the Group Manager Application
    • Tuning the My Groups Page
    • Tuning the View Members Page
    • Tuning the Group Expansion Page
  • Tuning the User ID Cache
• Tuning Workflows
  • Tuning workflowdbparams.xml
  • Configuring Workflow Search Parameters
• Tuning the Access System
  • Configuring Password Validation by the Access Server
    • The ObCredValidationByAS Parameter
  • Changing the Number of Request Queues and Threads
    • About Threads and Queues
    • Estimating the Current Number of Threads
    • Estimating the Required Number of Threads and Queues
  • Limiting the Number of Authorization Queries from WebGate
  • Reducing Instability in the Access Server
  • Securing AccessGate Clients
  • Tuning the Handling of Groups in the Access System
    • Using Dynamic Groups Instead of Static Groups
    • Improving Performance During Group Search When Dynamic Groups Are Not Used
    • Considerations for Nested Groups
    • Considerations for ObMyGroups
    • Improving Performance of ObMyGroups Evaluations
    • Configuring the Access Server Group Cache Timeout and Maximum Elements
  • Tuning the LDAP Search Filter in the Policy Manager
• Tuning the Caches
  • Tuning the Policy Cache
    • Calculating Maximum Elements in a Policy Cache
    • Calculating Memory Requirements for the Policy Cache Elements
    • Calculating Policy Cache Timeout
  • User Cache Tuning
    • Calculating the User Cache Timeout
    • Calculating Maximum Elements in the User Cache
    • Calculating Memory Requirements for User Caches
  • Tuning the URL Prefix Cache
  • WebGate Cache Tuning
  • Sizing the Maximum Elements in WebGate Cache
  • Tuning the Internal DBAgent Cache
• Tuning Your Network
  • Be Sure Your Computers Are Working Properly
• Resource-Intensive Operations
  • Time to Process Calls to Various Components
  • Login Forms
  • Password Management
  • Plug-Ins

4 Failover and Load Balancing

• About Load Balancing with Oracle Access Manager
  • About Load Balancing of LDAP Data
• Configuring Load Balancing for Web Components
  • Configuring Simple Round-Robin Load Balancing
  • Configuring Weighted Round-Robin Load Balancing
• Configuring Load Balancing Among Oracle Access Manager and Directory Servers
  • Configuring Load Balancing for User Data
  • Configuring Load Balancing of Configuration & Policy Data
  • Adjusting Connection Pooling for a Directory Server Instance
• About Failover with Oracle Access Manager
  • Primary Versus Secondary Servers
• About Failover Between Oracle Access Manager and Directory Servers
• Configuring Failover of Web Components
• Configuring Directory Failover for User Data
• Configuring Directory Failover for Configuration and Policy Data
  • Configuring Identity Server Failover for Configuration Data
  • Configuring Access Server Directory Failover for Configuration and Policy Data
• Configuring Failover Based on Directory Server Availability
• Configuring Failover Based on Directory Server Response Time
  • Guidelines for Configuring Failover Based on Directory Server Response Time
  • Configuring the LDAPOperationTimeout and LDAPMaxNoOfRetries Parameters
  • Testing the LDAPOperationTimeout Value

5 Cloning and Caching

• About Cloned and Synchronized Components
• About Caching Recent Information
  • About Caching and Performance
  • About Cache Timeouts
• About Identity System Caches and Cache Flushing
• Managing Identity System Caches
  • Managing the OSD Cache
    • Viewing OSD Cache Content
    • Clearing the OSD Cache
    • Loading the OSD Cache
  • Managing the Group Objects Cache
    • Configuring Group Cache Parameters
    • Clearing the Group Cache
  • Configuring Cache Flush for Identity Servers
• About Access System Caches
  • Elements, the Cache Timeout, and Off-Time Network Traffic
  • Access Server Cache Configuration
    • The Policy Cache, Cache Timeout, and Elements
    • Access Server User Cache and Cache Timeout
  • Cache Configuration Using Replicated Directories
    • Timeouts That Ensure Correct Behavior in Replicated Environments
  • AccessGate Cache Configuration
  • Performance Improvements Using Asynchronous vs. Synchronous Cache Flush Mode
  • Performance Improvements Using Mixed-Mode Communication for Cache Flush Operations
    • About Mixed Security Modes with Oracle Access Manager
    • About Oracle Access Manager Caching and Performance
• Managing Access System Caches
  • Turning Off the Access Server User Cache
  • Automatically Flushing Access Server Caches
  • Manually Flushing Access Server Caches
    • Flushing the Access Server User Cache Manually
    • Flushing the Password Policy Cache Manually
  • Managing the Credential Mapping Cache
• Configuring Synchronous Cache Flush Requests between Multiple Access Servers
  • About Message Channels, Sockets, and Wait Periods
  • Configuring Synchronous Cache Flush Requests Between Multiple Access Servers with a Wait Period
• Error Handling for Message Channel Initialization During Cache Flush
• Enhancing Performance by Configuring Mixed-Mode Communication for Access Server Cache Flush Operations
  • Method 1: Manual Access Server Configuration for Open Mode Cache Flush Requests
    • About Method 1
    • Configuring Access Servers Manually for Mixed Mode Transport Security
    • Modifying WebGates After Manually Enabling Mixed Security Modes With Method 1
  • Method 2: Automatic Mixed Mode Communication
    • About Method 2: Automatic Mixed Mode Communication
    • Using Method 2 for Automatic Mixed Mode Security with Access System Cache Flush Requests
  • Logging and Cache Flush Operations Using Mixed Mode Communication
    • About Cache Flush Logging with Mixed Mode Communication
    • Enabling Cache Flush Logging for Mixed Mode Communication
• Configuring Asynchronous Access System Cache Flush
  • About Asynchronous Access System Cache Flush Operations
  • Configuring Asynchronous Access System Cache Flush Operations

6 Reconfiguring the System

• What Can Be Reconfigured
• Performing Reconfiguration That Requires Re-Running Setup
• Updating the LDAP Bind Password
  • About the ModifyLDAPBindPasswd Tool and Logs
  • Parameters for the ModifyLDAPBindPasswd Tool
  • About Using a Script
  • Updating the LDAP Bind Password
    • About Updating the LDAP Bind Password
    • Generating the Encrypted Password File
    • Updating the LDAP Bind Password for Configuration Data
    • Updating the LDAP Bind Password for User Data
    • Updating the LDAP Bind Password for Policy Data
  • Changing the LDAP Bind Password When Running in ADSI Mode

7 Synchronizing System Clocks Across Time Zones

• About Synchronization
• Synchronization With NTP
• Synchronization with a GPS-based System
• About Daylight Savings Time

8 About Upgrading

9 Oracle Access Manager Backup and Recovery Strategies

• About Backup and Recovery Strategies
• Backup Recommendations
• Back Up Strategies for Deployment Events
  • Backing Up Before Oracle Access Manager Installation
  • Backing Up After Oracle Access Manager Installation
  • Backing Up After Customizing Oracle Access Manager
  • Backing Up Before Upgrading
  • Backing Up After Upgrading
• Recovery Strategies
  • Recovery Strategies After Installation
  • Recovery Strategies During Upgrades

Index