6 Managing Common OAM Server Registration

This chapter describes how to provision and manage OAM Server instance registrations using the Oracle Access Manager Console.

The following topics are included:

6.1 Prerequisites

Ensure that the following environmental considerations are met:

  • A new Managed Server has been added to the domain using either the Oracle WebLogic Server Administration Console or WLST commands.

  • The Oracle JRF Template was applied to the Managed Server (or cluster) if needed. For details, see Oracle Fusion Middleware Administrator's Guide.

Oracle recommends that you review the "Introduction to OAM Server Registration and Management".

Note:

Unless explicitly stated, information is the same whether you are using Oracle Access Manager alone or with Oracle Security Token Service.

6.2 Introduction to OAM Server Registration and Management

This section introduces Oracle Access Manager server instance registration and management in the following topics:

6.2.1 About Server Side Differences Between OAM 11g and OAM 10g

Table 6-1 summarizes server-side differences between Oracle Access Manager 11g, OAM 10g, and OracleAS SSO 10g (extracted from the overall comparison in Table 1-2).

Table 6-1 Summary: Server-side Differences with OAM 11g versus OAM 10g versus OSSO 10g


 OAM 11g OAM 10g OSSO 10g

Server-side components

  • OAM Server (installed on a WebLogic Managed Sever)

    Oracle Security Token Service runs on OAM Server

  • Oracle Access Manager Console (installed on WebLogic Administration Server)

  • Access Server

  • Policy Manager

  • OracleAS SSO server (OSSO server)

Cryptographic keys

The protocols used to secure information exchange on the Internet.

  • One per agent secret key shared between Webgate and OAM Server, generated during Agent registration

  • One OAM Server key, generated during Server registration

One global shared secret key per Webgate

  • One key per partner shared between mod_osso and OSSO server

  • OSSO server's own key

  • One global key per OSSO setup for the GITO domain cookie

Keys storage

  • Agent side: A per agent key is stored locally in the Oracle Secret Store in a wallet file

  • OAM 11g server side: A per agent key, and server key, are stored in the credential store on the server side

  • Oracle Security Token Service

Global shared secret stored in the directory server only (not accessible to Webgate)

  • mod_osso side: partner keys and GITO global key stored locally in obfuscated configuration file

  • OSSO server side: partner keys, GITO global key, and server key are all stored in the directory server

6.2.2 About Individual OAM Server Registrations

Administrators can add one or more Managed Servers to the WebLogic Server domain for Oracle Access Manager with Oracle Security Token Service.

When using the WebLogic Configuration Wizard, the OAM Server is automatically registered. However, if the configuration wizard was not used, the OAM Server must be registered manually to open a communication channel.

Note:

There is no difference in server registration for Oracle Access Manager or Oracle Security Token Service.

Alternatively. You can use custom WLST commands for OAM to display, edit, or delete a server registration Any changes are automatically propagated to the Oracle Access Manager Console and to every OAM Server in the cluster.

See Also:

Appendix F, "Introduction to Custom WLST Commands for Administrators"

Only OAM Servers are registered with Oracle Access Manager 11g. The Oracle Access Manager Console on the WebLogic Administration Server is not registered with itself.

Regardless of the method used to register an OAM Server, the details (also known as a registration) are organized under the System Configuration tab in the Oracle Access Manager Console, OAM Server registration details within the Oracle Access Manager Console include:

Administrators can search for a specific instance registration, register a newly installed OAM Server, view, modify, or delete server registrations using the Oracle Access Manager Console. For more information, see "About the OAM Server Registration Page".

6.2.3 About the Embedded Proxy Server and Backward Compatibility

Oracle Access Manager 11g server-side components maintain backward compatibility with existing Oracle Access Manager 10g policy-enforcement agents (OAM 10G Webgates and Access Clients) and OracleAS SSO 10g mod_osso (known as OSSO Agents in 11g).

Legacy OAM 10g SSO: The OAM Proxy can accept requests from multiple Access clients concurrently and enables all Webgates and AccessGates to interact with Oracle Access Manager 11g services. For more information, see "OAM Proxy Page".

See Also:

"About OAM 11g SSO and Legacy OAM 10g SSO in Combination with OSSO"

Legacy OracleAS 10g (OSSO): The integrated OSSO proxy handles token generation and validation in response to token requests during authentication using OSSO Agents with OAM 11g. The OSSO proxy needs no configuration. Simply register the OSSO agent with OAM 11g as described in Chapter 9 and Chapter 10.

6.2.4 About OAM 11g SSO and Legacy OAM 10g SSO in Combination with OSSO

You can upgrade OracleAS SSO to use OAM 11g SSO when you have a legacy deployment where OAM 10g is integrated and used in combination with OracleAS (OSSO) 10g.

After upgrading OSSO to use OAM 11g, you can have OAM 10g Webgates operating with OAM 11g SSO the same deployment. In this situation, the OAM Proxy forwards requests to either the OAM 10g Access Server or to OAM 11g services as needed.

The OAM 10g ObSSOCookie is an encrypted session-based single sign-on cookie that is generated when a user authenticates successfully. The OAM 10g ObSSOCookie stores user identity information, which you can cache if needed.

The integrated OAM Proxy supports the AES encryption algorithm of the 10g ObSSOCookie to enable backward compatibility with release 10g Webgates. The 10g Access Server can decrypt the cookie created by the OAM 11g Proxy (and vice versa). This allows OAM 11g to perform authentication and OAM 10g to perform authorization (and vice versa).

Note:

An OAM 11g ObSSOCookie created by OAM Proxy is compatible with the ObSSOCookie created by an Oracle Access Manager 10g Access Server.

For more information, see "OAM Proxy Page".

6.2.5 About Communication Between OAM Servers and Webgates

Communication modes for the OAP channel include:

  • Open: Use this unencrypted mode if communication security is not an issue in your deployment.

  • Simple: Use this Oracle-signed certificate mode if you have some security concerns, such as not wanting to transmit passwords as plain text, but you do not manage your own Certificate Authority (CA).

  • Cert: Use if you want different certificates on OAM Servers and Webgates and you have access to a trusted third-party CA.

On each individual OAM Server registration, the security mode is defined on the Proxy tab, as described in "About the OAM Server Registration Page".

Simple and Cert modes also require:

At least one OAM Server instance must be running in the same mode as the agent during agent registration. Otherwise, agent registration fails. After agent registration, however, you can change the communication mode of the OAM Server. Communication between the agent and server would continue to work as long as the Webgate mode is at least at the same level as the OAM Server mode or higher. The agent mode can be higher but cannot be lower. For example, of OAM Server mode is Open, agents can communicate in any of the three modes. If OAM Server mode is Simple, agents can use Simple or Cert mode. If OAM Server mode is Cert, agents must use Cert mode.

See Also:

Appendix E, "Securing Communication for Oracle Access Manager 11g"

6.3 Managing Individual OAM Server Registrations

This section describes how to register and manage OAM Server instances using the Oracle Access Manager Console. Topics here include:

6.3.1 About the OAM Server Registration Page

Users with valid Administrator credentials can register a freshly installed Managed Server (OAM Server instance) or modify an existing OAM Server registration using the Oracle Access Manager Console.

Alternatively: You can use custom WLST commands for OAM to register and manage OAM Server instances. Changes are reflected in the Oracle Access Manager Console and are automatically propagated to every OAM Server in the cluster.

See Also:

Appendix F, "Introduction to Custom WLST Commands for Administrators"

Figure 6-1 illustrates a typical OAM Server registration page when viewed within the Oracle Access Manager Console.

Figure 6-1 OAM Server Registration Page with Proxy Tab Displayed

OAM Server Registration Page with Proxy Tab
Description of "Figure 6-1 OAM Server Registration Page with Proxy Tab Displayed "

Individual server registration settings are described in Table 6-2.

Table 6-2 OAM Server Instance Settings

Element Definition

Server name

The identifying name for this server instance, which was defined during initial deployment in the WebLogic Server domain.

Host

The full DNS name (or IP address) of the computer hosting the server instance. For example: host2.domain.com.

Port

The port on which this server communicates (listens and responds).

Default: 5575

Note: If both the SSL and Open ports of the Managed Server are enabled, then the Managed Server is set to the SSL port by default.If you must use the non-SSL port, the credential collector URL the authentication scheme must be set to the absolute URL which points to 'http' as the protocol and non-SSL port.

See Also: Appendix E, "Securing Communication for Oracle Access Manager 11g"

Proxy

See "OAM Proxy Page"

Coherence

See "Coherence Page for Individual Servers"

See Also:

"Managing Individual OAM Server Registrations"

6.3.1.1 OAM Proxy Page

An integrated proxy server (OAM Proxy) is installed with each Managed Server for Oracle Access Manager (OAM Server). The OAM Proxy is used as a legacy Access Server to provide backward compatibility for OAM 10g Agents that are registered with OAM 11g. The Agent can be freshly installed or currently operating within an OAM 10g SSO deployment.

Each OAM Proxy instance requires a different port. The proxy starts listening when the application starts. Registered access clients can immediately communicate with the proxy.

The OAM Proxy handles both configuration and run-time events. Each OAM Proxy can accept requests from multiple access clients concurrently. Each OAM Proxy enables OAM access clients to interact with Oracle Access Manager 11g services. This includes:

  • 10g (10.1.4.3) Webgates

  • 10g (10.1.4.2.0) Webgates

  • 10g (10.1.4.0.1) Webgates

  • 11g Webgates (needs no proxy)

Note:

For Access Clients, OAM 11g provides authentication and authorization functionality only. Policy modification through Access Clients is not supported.

OAM Proxy settings consist of the details in Table 6-3.

Table 6-3 OAM Proxy Settings for an Individual OAM Server

OAM Proxy Setting Type Value

Port

int (integer)

The unique port on which this OAM Proxy instance is listening.

Proxy Server ID

  

The identifier of the computer on which the OAM Proxy (and this OAM Server instance) resides. DNS hostname is preferred; however, you can use any valid and relevant string.

Mode

  

OAM channel transport security for the OAM Proxy can be one of the following (the agent mode must match during registration and can be higher after registration):

  • Open: No encryption.

  • Simple: The data passed between the OAM Agent and OAM Server is encrypted using OAM self-signed certificates.

    Before specifying Simple mode, you must specify the global passphrase.

  • Cert: The data between the OAM Agent and OAM Server is encrypted using Certificate Authority (CA) signed X.509 certificates.

    Note: Before specifying Cert mode, you must acquire signed certificates from a trusted third party Certificate Authority.

Note: Simple and Cert transport security modes are governed by information defined on the OAM Server Common Properties OAM Proxy tab, as described in "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security".

See Also: Appendix E if you are configuring Simple or Cert transport security modes.

OAM Proxy Logging: Oracle Access Manager 11g components use the same logging infrastructure as any other Oracle Fusion Middleware 11g component, as described in Chapter 25. However, OAM Proxy uses Apache log4j for logging.

6.3.1.2 Coherence Page for Individual Servers

Coherence provides replicated and distributed (partitioned) data management and caching services on top of a reliable, highly scalable peer-to-peer clustering protocol. Coherence has no single points of failure; it automatically and transparently fails over and redistributes its clustered data management services when a server becomes inoperative or is disconnected from the network.

When a new server is added, or when a failed server is restarted, it automatically joins the cluster and Coherence fails back services to it, transparently redistributing the cluster load. Coherence includes network-level fault tolerance features and transparent soft re-start capability to enable servers to self-heal.

Coherence modules consist of the values, and types for the individual server instance, as shown in Figure 6-1.

Figure 6-2 Coherence Page and Values for an Individual OAM Server

Coherence Page and Values for an Individual OAM Server
Description of "Figure 6-2 Coherence Page and Values for an Individual OAM Server "

WARNING:

Oracle recommends that you do not modify Oracle Coherence settings for an individual server unless you are requested to do so by an Oracle Support Representative.

Table 6-4 Default Coherence Settings for Individual OAM Servers

Coherence Module Type of Entry Description and Default Values

LogLevel

String

The Coherence log level (from 0 to 9) for OAM Server events.

LogPort

int (integer)

The listening port for Coherence logging on the WebLogic Server.

LogLimit

String

The Coherence log limit

Coherence Logging: Appears only in the WebLogic Server log. There is no bridge from Oracle Coherence logging to Oracle Access Manager logging. For Oracle Fusion Middleware 11g logging infrastructure details, see Chapter 23.

6.3.2 Registering a Fresh OAM Server Instance

Users with valid Administrator credentials can perform the following task to register a new Managed Server (OAM Server) instance using the Oracle Access Manager Console.

Note:

Each OAM Server must be registered to communicate with agents.

Prerequisites

The new Managed Server instance must be configured in the Oracle WebLogic Server domain, but not yet started.

See Also:

To register an OAM Server instance

  1. Install the new Managed Server instance and configure it in the Oracle WebLogic Server domain, but do not start this instance.

  2. Log in to the Oracle Access Manager Console as usual.

  3. From the Server Configuration tab, Common Configuration section, click Server Instances then click the Create button in the tool bar to open a fresh page.

  4. On the Create: OAM Server page, enter details for your instance, as described in Table 6-2:

    • Server name

    • Host

    • Port

  5. Proxy: Enter or select details for this OAM Proxy instance, as described in Table 6-3:

    • Port

    • Proxy Server ID

    • Mode (Open, Simple, or Cert)

      See Also:

      Appendix E if you are using Simple or Cert mode

  6. Coherence: Oracle recommends that you do not modify Oracle Coherence settings for an individual server instance unless you are requested to do so by an Oracle Support Representative.

    See Also:

    "Using Coherence"

  7. Click Apply to submit the configuration, which should appear in the navigation tree (or close the page without applying changes).

  8. Start the newly registered server.

6.3.3 Viewing or Editing Individual OAM Server and Proxy Settings

Users with valid Administrator credentials can perform the following task to view or modify settings for an individual server instance using the Oracle Access Manager Console. For instance, you might need to change the listening port or the Proxy communication transport security mode.

Changes are immediately visible in the Oracle Access Manager Console and propagated to all OAM Servers in the cluster.

See Also:

To view or modify a server instance registration

  1. From the System Configuration tab, Common Configuration section, click to expand the Server Instances node.

  2. Double-click the desired instance name to display its configuration, and then proceed as follows:

    • View Only: Close the page when you finish viewing details.

    • Modify: Perform remaining steps to edit the configuration.

  3. On the OAM Server page, change details for your instance, as described in Table 6-2.

  4. Proxy: Change details for this OAM Proxy instance, as described in Table 6-3.

    See Also:

    Appendix E if you are using Simple or Cert mode

  5. Coherence: Oracle recommends that you do not modify Oracle Coherence settings for an individual server instance unless you are requested to do so by an Oracle Support Representative.

    See Also:

    "Using Coherence"

  6. Click Apply to submit the changes (or close the page without applying change).

6.3.4 Deleting an Individual Server Registration

Users with valid Administrator credentials can perform the following task to delete a server registration, which disables the OAM Server.

Prerequisites

Registering a Fresh OAM Server Instance

To delete a server registration

  1. From the System Configuration tab, Common Configuration section, click to expand the Server Instances node.

  2. Double-click the desired instance name to confirm details, then close the page.

  3. Click the desired instance name, click the Delete button in the tool bar, and confirm removal in the Confirmation window.

  4. Confirm that the instance is removed from the navigation tree.

  5. Finalize server instance removal by removing the instance from the WebLogic Server Administration Console.

    The Node Manager on Managed Server host handles the rest automatically.