41.8 About the Installation of the Security Token Service

The following topics describe the installation options for the Security Token Service:

41.8.1 About Security Token Service Cluster in Single WLS Domain

This installation option for Security Token Service leverages clustering across Security Token Service instances within a single WebLogic domain. This deployment topology provides high availability through a load balancer placed in front of the cluster. By default, Access Manager co-exists on the same managed server as Security Token Service. However, Security Token Service is disabled by default and must be manually enabled before it can be used.

This deployment topology supports:

  • Deploying multiple instances of Security Token Service through the suite installer.

  • Deploying a load balancer in front of the Security Token Service cluster to support the High Availability and failover scenarios.

    See Server Load Balancing in a High Availability Environment in the High Availability Guide.

41.8.2 About Endpoint Exposure through a Web Server Proxy

This installation option for Security Token Service provides interoperability of Requesters and Relying Parties with third-party STS servers. At runtime, Security Token Service supports interoperability with Requesters and Relying Parties of third-party security token servers using the OPSS WS-Trust-Provider.

For instance, a third-party Security Token Service can create a valid SAML Assertion that can be consumed by Security Token Service.

41.8.3 About Interoperability of Requester and Relying Party with Other Oracle WS-Trust based Clients

All run-time scenarios for Requesters and Relying Parties are supported by other Oracle WS-Trust Clients.

These WS-Trust clients include WLSClient, MetroClient, and Oracle Web Services Manager (Oracle WSM). All Web services clients are supported with Security Token Service only through the WS-Trust binding.

41.8.4 About Security Token Service Installation Overview

Access Manager and Security Token Service are installed together from a single EAR file and deployed on the same managed server in a WebLogic domain.

The Oracle WSM Agent uses a keystore for its cryptographic operations (signing, signature verification, encryption, and decryption of WS-Trust messages), namely the keystore configured for the Oracle WSM keystore service. During installation, if the Oracle WSM keystore service has not been configured, the installer:

  • Creates a new keystore in the $DOMAIN_HOME/config/fmwconfig folder (default name is default-keystore.jks)

  • Creates a key entry with the corresponding certificate to be used by OWSM for signature and encryption operations. This key entry is stored in the OWSM Keystore under the orakey alias

  • Stores the passwords of the key entry and of the keystore in CSF (the Credential Store Framework)

Having access to the keystore is sometimes required to:

  • Extract the signing or encryption certificate to distribute to clients, if needed

  • Update or replace the signing or encryption key entry

  • Add trusted certificates
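The three maintenance tasks listed above are normally carried out with the JDK keytool against the keystore the installer created. The following script is an added example and is not Oracle's own tooling. It assumes (none of this is stated on the page) that keytool is on PATH, that the keystore path defaults to $DOMAIN_HOME/config/fmwconfig/default-keystore.jks, and that the keystore password is supplied through the environment variable KEYSTORE_PASS using keytool's -storepass:env form, so the password never appears in shell history or in the process list. The real password is held in CSF; retrieving it from there is outside this example.

```shell
#!/bin/sh
# Added example (not Oracle's tooling): maintain the OWSM keystore that the
# installer creates as $DOMAIN_HOME/config/fmwconfig/default-keystore.jks with
# the 'orakey' key entry.
# Assumptions (not from the page): JDK 'keytool' is on PATH, and the keystore
# password is in the environment variable KEYSTORE_PASS (keytool -storepass:env).
set -u

KEYSTORE="${KEYSTORE:-${DOMAIN_HOME:-.}/config/fmwconfig/default-keystore.jks}"

# Print the alias of every key entry and trusted-certificate entry, one per line.
# keytool -list prints "alias, date, EntryType," lines; cut keeps the alias.
list_aliases() {
  keytool -list -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS \
    | grep -E 'PrivateKeyEntry|trustedCertEntry' | cut -d, -f1
}

# Succeed only when entry $1 exists. The installer creates 'orakey'; if it is
# absent, the OWSM keystore service was configured elsewhere and this file is
# not the keystore the STS is actually using.
has_alias() {
  list_aliases | grep -qx "$1"
}

# Export the public certificate of key entry $1 (default orakey) as PEM to file
# $2. This is the artifact distributed to partners so they can verify STS
# signatures or encrypt to the STS; the private key never leaves the keystore.
export_cert() {
  keytool -exportcert -rfc -alias "${1:-orakey}" -file "$2" \
    -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS
}

# Add a partner's certificate (file $2, PEM or DER) as a trusted entry under
# alias $1. -noprompt skips the interactive "trust this certificate?" question,
# so verify the certificate's fingerprint out of band before calling this.
import_trusted_cert() {
  keytool -importcert -noprompt -alias "$1" -file "$2" \
    -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS
}

# Show validity and signature algorithm of entry $1: what to check before the
# orakey certificate expires or when a signing key has to be replaced.
show_cert_details() {
  keytool -list -v -alias "$1" -keystore "$KEYSTORE" -storepass:env KEYSTORE_PASS \
    | grep -E '^(Signature algorithm name|Valid from)'
}

# Command-line dispatcher: ./owsm-keystore.sh list | export <alias> <file> |
# trust <alias> <file> | details <alias>. No arguments: define functions only.
case "${1:-}" in
  list)    list_aliases ;;
  export)  export_cert "$2" "$3" ;;
  trust)   import_trusted_cert "$2" "$3" ;;
  details) show_cert_details "$2" ;;
esac
```

Run it as an operating-system user that can read the keystore but with KEYSTORE_PASS exported in the same shell rather than written into the script. Keep write access to default-keystore.jks limited to the domain administrator, since anyone who can replace the orakey entry can sign tokens the STS will trust.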

For more information, see the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

41.8.5 Post-Installation Tasks: Security Token Service

Any server hosting Security Token Service must be registered with Access Manager. This can occur automatically during installation, or manually after installation.

All Security Token Service system configuration is done using the Oracle Access Management Console. Elements in the Oracle Access Management Console enable Administrators to configure the Security Token Service to exchange WS-Trust tokens with partners. Other Security Token Service elements provide for creation, viewing, modification, and removal of partners, endpoints, validation templates, issuance templates, and data store connections.

See Managing Oracle Access Management Security Token Service for details about the Security Token Service.