5 Managing Server Registration
This chapter describes how to register the managed server instances that interact with Oracle Access Management. In this book, these managed servers are referred to as OAM Servers. You accomplish this task using the Oracle Access Management Console.
The following topics are included:
5.1 Prerequisites
Ensure that the following environmental considerations are met:
-
A new Managed Server has been added to the domain using either the Oracle WebLogic Server Administration Console or WLST commands.
-
The Oracle JRF Template was applied to the Managed Server (or cluster) if needed. For details, see Oracle Fusion Middleware Administrator's Guide.
Oracle recommends that you review the "Introduction to OAM Servers, Registration, and Management".
5.2 Introduction to OAM Servers, Registration, and Management
The Oracle Access Management Console is a Java EE application that must be installed and run on the same computer as the WebLogic Administration Server. Other key applications that run on the WebLogic Administration Server include the WebLogic Server Administration Console and Enterprise Manager for Fusion Middleware Control.
Note:
The Oracle Access Management Console might be referred to as the OAM Administration Server. However, this is not a peer of the OAM Server deployed on a WebLogic Managed Server.The Oracle Access Management runtime instance deployed on Oracle WebLogic Managed Servers is referred to as an OAM Server. Each OAM Server must be registered with Access Manager to enable communication with registered agents during authentication, authorization, and resource access.
Administrators can extend the WebLogic Server domain and add more OAM Server instances whenever needed, using either:
-
The WebLogic Server Administration Console, after which you manually register the OAM Server instance using the Oracle Access Management Console
-
The WebLogic Configuration Wizard
-
Customized Oracle WebLogic Scripting Tool (WLST) commands as described in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference
The last two methods automatically register the OAM Server instance, which appears in the Oracle Access Management Console; no additional steps are required.
This section introduces OAM Server instance registration and management using the Oracle Access Management Console:
See Also:
Table 1-4 for a comparison of Access Manager 11g versus Oracle Access Manager 10g.5.2.1 About Individual OAM Server Registrations
Administrators can add one or more Managed Servers to the WebLogic Server domain for Oracle Access Management.
When using the WebLogic Configuration Wizard, the OAM Server is automatically registered. However, if the configuration wizard was not used, the OAM Server must be registered manually to open a communication channel.
Alternatively. You can use custom WLST commands for OAM to display, edit, or delete a server registration Any changes are automatically propagated to the Oracle Access Management Console and to every OAM Server in the cluster.
Only OAM Servers are registered with Oracle Access Management. The Oracle Access Management Console (on the WebLogic Administration Server) is not registered with itself.
Regardless of the method used to register an OAM Server, details for each instance are located on the System Configuration tab, Common Configuration section in the Oracle Access Management Console, including:
-
Server name, Host, Port
-
Proxy: Performs as the legacy Access Server and defines the communication security mode. For more information, see:
-
Oracle Coherence: Provides a distributed cache for various OAM services, including session data.
Administrators can search for a specific instance registration, register a newly installed OAM Server, view, modify, or delete server registrations using the Oracle Access Management Console. For more information, see "About the OAM Server Registration Page".
5.2.2 About the Embedded Proxy Server and Backward Compatibility
Oracle Access Management server-side components include Proxy servers to maintain backward compatibility with Oracle Access Manager 10g policy-enforcement agents (10g Webgates and Access Clients) and OracleAS SSO 10g mod_osso (known as OSSO Agents in 11g), as well as OpenSSO Agents.
Legacy 10g SSO: The OAM Proxy can accept requests from multiple Access clients concurrently and enables all Webgates and AccessGates (known as Access Clients in 11g) to interact with Access Manager. For more information, see "OAM Proxy Page".
Legacy OracleAS 10g (OSSO): The integrated OSSO proxy handles token generation and validation in response to token requests during authentication using OSSO Agents with Access Manager. The OSSO proxy needs no configuration. Simply register the OSSO agent as described in Chapter 12 and Chapter 13.
5.2.3 About 11g SSO, Legacy 10g SSO in Combination with OSSO 10g
You can upgrade OracleAS SSO to use Access Manager SSO when you have a legacy deployment where Oracle Access Manager 10g is integrated and used in combination with OracleAS (OSSO) 10g.
After upgrading OSSO to use Access Manager 11g, you can have 10g Webgates operating with Access Manager 11g SSO the same deployment. In this situation, the OAM Proxy forwards requests to either the 10g Access Server or to Access Manager 11g as needed.
The Oracle Access Manager 10g ObSSOCookie is an encrypted session-based single sign-on cookie that is generated when a user authenticates successfully. The 10g ObSSOCookie stores user identity information, which you can cache if needed.
The integrated OAM Proxy supports the AES encryption algorithm of the 10g ObSSOCookie to enable backward compatibility with release 10g Webgates. The 10g Access Server can decrypt the cookie created by the OAM Proxy (and vice versa). This allows Access Manager 11g to perform authentication and Oracle Access Manager 10g to perform authorization (and vice versa).
Note:
An Access Manager 11g ObSSOCookie created by OAM Proxy is compatible with the 10g ObSSOCookie created by Access Server.For more information, see "OAM Proxy Page".
5.2.4 About Communication Between OAM Servers and Webgates
Communication modes for the OAP channel include:
-
Open: Use this unencrypted mode if communication security is not an issue in your deployment.
-
Simple: Use this Oracle-signed certificate mode if you have some security concerns, such as not wanting to transmit passwords as plain text, but you do not manage your own Certificate Authority (CA).
-
Cert: Use if you want different certificates on OAM Servers and Webgates and you have access to a trusted third-party CA.
On each individual OAM Server registration, the security mode is defined on the Proxy tab, as described in "About the OAM Server Registration Page".
Simple and Cert modes also require:
-
Security passwords that are common to all OAM Servers and Webgates, as described in "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security".
-
Appropriately signed X.509 digital certificates, as described in Appendix C, "Securing Communication".
At least one OAM Server instance must be running in the same mode as the agent during agent registration. Otherwise, agent registration fails. After agent registration, however, you can change the communication mode of the OAM Server. Communication between the agent and server would continue to work as long as the Webgate mode is at least at the same level as the OAM Server mode or higher. The agent mode can be higher but cannot be lower. For example, of OAM Server mode is Open, agents can communicate in any of the three modes. If OAM Server mode is Simple, agents can use Simple or Cert mode. If OAM Server mode is Cert, agents must use Cert mode.
See Also:
Appendix C, "Securing Communication"5.2.5 About Restarting Servers After Configuration Changes
Most Oracle Access Management functional services take up changes made through the Oracle Access Management Console without restarting OAM Server. Table 5-1 identifies conditions that do require a server restart.
Table 5-1 Conditions Requiring Server Restart
| Event | Description |
|---|---|
|
Session persistence change |
A change from database to in-memory (or vice versa) session persistence requires an OAM Server restart. |
|
Oracle Coherence port number |
A change to the port number requires an OAM Server restart. |
|
Load balancer server definition |
A change requires an OAM Server restart. |
|
Managed Server port number |
A change requires an OAM Server restart. |
|
New Managed Server |
Adding a new managed server to the cluster requires restarting the AdminServer to policy enable uptake. OAM Servers must be restarted to reinitialize Oracle Coherence security configuration with the new server included. |
5.3 Managing Individual OAM Server Registrations
This section describes how to register and manage OAM Server instances using the Oracle Access Management Console. Topics here include:
5.3.1 About the OAM Server Registration Page
Users with valid Administrator credentials can register a freshly installed Managed Server (OAM Server instance) or modify an existing OAM Server registration using the Oracle Access Management Console.
Alternatively: You can use custom WLST commands to register and manage OAM Server instances. Changes are reflected in the Oracle Access Management Console and are automatically propagated to every OAM Server in the cluster.
Figure 5-1 illustrates a typical OAM Server registration page when viewed within the Oracle Access Management Console.
Figure 5-1 OAM Server Registration Page with Proxy Tab Displayed
Description of "Figure 5-1 OAM Server Registration Page with Proxy Tab Displayed "
Individual server registration settings are described in Table 5-2.
Table 5-2 OAM Server Instance Settings
| Element | Definition |
|---|---|
|
Server name |
The identifying name for this server instance, which was defined during initial deployment in the WebLogic Server domain. |
|
Host |
The full DNS name (or IP address) of the computer hosting the server instance. For example: host2.domain.com. |
|
Port |
The port on which this server communicates (listens and responds). Default: 5575 Note: If both the SSL and Open ports of the Managed Server are enabled, then the Managed Server is set to the SSL port by default. If you must use the non-SSL port, the credential collector URL of the authentication scheme must be set to the absolute URL which points to See Also: Appendix C, "Securing Communication" |
|
Proxy |
See "OAM Proxy Page" |
|
Coherence |
5.3.1.1 OAM Proxy Page
An integrated proxy server (OAM Proxy) is installed with each Managed Server for OAM Server. The OAM Proxy is used as a legacy Access Server to provide backward compatibility for 10g Agents that are registered with Access Manager 11g. The Agent can be freshly installed or currently operating within an Oracle Access Manager 10g SSO deployment.
Each OAM Proxy instance requires a different port. The proxy starts listening when the application starts. Registered access clients can immediately communicate with the proxy.
The OAM Proxy handles both configuration and run-time events. Each OAM Proxy can accept requests from multiple access clients concurrently. Each OAM Proxy enables access clients to interact with Access Manager 11g. This includes:
-
10g (10.1.4.3) Webgates
-
10g (10.1.4.2.0) Webgates
-
10g (10.1.4.0.1) Webgates
-
11g Webgates (needs no proxy)
Note:
For Access Clients, Access Manager 11g provides authentication and authorization functionality only. Policy modification through Access Clients is not supported.OAM Proxy settings consist of the details in Table 5-3.
Table 5-3 OAM Proxy Settings for an Individual OAM Server
| OAM Proxy Setting | Type | Value |
|---|---|---|
|
Port |
int (integer) |
The unique port on which this OAM Proxy instance is listening. |
|
Proxy Server ID |
The identifier of the computer on which the OAM Proxy (and this OAM Server instance) resides. DNS hostname is preferred; however, you can use any valid and relevant string. |
|
|
Mode |
OAM channel transport security for the OAM Proxy can be one of the following (the agent mode must match during registration and can be higher after registration):
Note: Simple and Cert transport security modes are governed by information defined on the OAM Server Common Properties OAM Proxy tab, as described in "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security". See Also: Appendix C if you are configuring Simple or Cert transport security modes. |
OAM Proxy Logging: Oracle Access Management services use the same logging infrastructure as any other Oracle Fusion Middleware 11g component, as described in Chapter 8. However, OAM Proxy uses Apache log4j for logging.
5.3.1.2 Coherence Page for Individual Servers
Coherence provides replicated and distributed (partitioned) data management and caching services on top of a reliable, highly scalable peer-to-peer clustering protocol. Coherence has no single points of failure; it automatically and transparently fails over and redistributes its clustered data management services when a server becomes inoperative or is disconnected from the network.
When a new server is added, or when a failed server is restarted, it automatically joins the cluster and Coherence fails back services to it, transparently redistributing the cluster load. Coherence includes network-level fault tolerance features and transparent soft re-start capability to enable servers to self-heal.
Coherence modules consist of the values, and types for the individual server instance, as shown in Figure 5-1.
Figure 5-2 Coherence Page and Values for an Individual OAM Server
Description of "Figure 5-2 Coherence Page and Values for an Individual OAM Server "
WARNING:
Oracle recommends that you do not modify Oracle Coherence settings for an individual server unless you are requested to do so by an Oracle Support Representative.
Table 5-4 Default Coherence Settings for Individual OAM Servers
| Coherence Module | Type of Entry | Description and Default Values |
|---|---|---|
|
LogLevel |
String |
The Coherence log level (from 0 to 9) for OAM Server events. |
|
LogPort |
int (integer) |
The listening port for Coherence logging on the WebLogic Server. |
|
LogLimit |
String |
The Coherence log limit |
Coherence Logging: Appears only in the WebLogic Server log. There is no bridge from Oracle Coherence logging to Oracle Access Management logging. For Oracle Fusion Middleware 11g logging infrastructure details, see Chapter 6.
5.3.2 Registering a Fresh OAM Server Instance
Users with valid Administrator credentials can perform the following task to register a new Managed Server (OAM Server) instance using the Oracle Access Management Console.
Note:
Each OAM Server must be registered to communicate with agents.The new Managed Server instance must be configured in the Oracle WebLogic Server domain, but not yet started.
See Also:
To register an OAM Server instance
-
Install the new Managed Server instance and configure it in the Oracle WebLogic Server domain, but do not start this instance.
-
Log in to the Oracle Access Management Console as usual.
-
From the Server Configuration tab, Common Configuration section, click Server Instances then click the Create button in the tool bar to open a fresh page.
-
On the Create: OAM Server page, enter details for your instance, as described in Table 5-2:
-
Server name
-
Host
-
Port
-
-
Proxy: Enter or select details for this OAM Proxy instance, as described in Table 5-3:
-
Port
-
Proxy Server ID
-
Mode (Open, Simple, or Cert)
See Also:
Appendix C if you are using Simple or Cert mode
-
-
Coherence: Oracle recommends that you do not modify Oracle Coherence settings for an individual server instance unless you are requested to do so by an Oracle Support Representative.
See Also:
"Using Coherence" -
Click Apply to submit the configuration, which should appear in the navigation tree (or close the page without applying changes).
-
Start the newly registered server.
5.3.3 Viewing or Editing Individual OAM Server and Proxy Settings
Users with valid Administrator credentials can perform the following task to view or modify settings for an individual server instance using the Oracle Access Management Console. For instance, you might need to change the listening port or the Proxy communication transport security mode.
Changes are immediately visible in the Oracle Access Management Console and propagated to all OAM Servers in the cluster.
See Also:
To view or modify a server instance registration
-
From the System Configuration tab, Common Configuration section, click to expand the Server Instances node.
-
Double-click the desired instance name to display its configuration, and then proceed as follows:
-
View Only: Close the page when you finish viewing details.
-
Modify: Perform remaining steps to edit the configuration.
-
-
On the OAM Server page, change details for your instance, as described in Table 5-2.
-
Proxy: Change details for this OAM Proxy instance, as described in Table 5-3.
See Also:
Appendix C if you are using Simple or Cert mode -
Coherence: Oracle recommends that you do not modify Oracle Coherence settings for an individual server instance unless you are requested to do so by an Oracle Support Representative.
See Also:
"Using Coherence" -
Click Apply to submit the changes (or close the page without applying change).
5.3.4 Deleting an Individual Server Registration
Users with valid Administrator credentials can perform the following task to delete a server registration, which disables the OAM Server.
Registering a Fresh OAM Server Instance
To delete a server registration
-
From the System Configuration tab, Common Configuration section, click to expand the Server Instances node.
-
Double-click the desired instance name to confirm details, then close the page.
-
Click the desired instance name, click the Delete button in the tool bar, and confirm removal in the Confirmation window.
-
Confirm that the instance is removed from the navigation tree.
-
Finalize server instance removal by removing the instance from the WebLogic Server Administration Console.
The Node Manager on Managed Server host handles the rest automatically.