The following topics describe the installation options for the Security Token Service:
This installation option for Security Token Service leverages clustering across Security Token Service instances within a single WebLogic domain. This deployment topology facilitates High Availability capabilities through a load balancer. By default, Access Manager co-exists on the same managed server as Security Token Service. However, Security Token Service is disabled by default and must be manually enabled before it can be used.
This deployment topology supports:
Deploying multiple instances of Security Token Service through the suite installer.
Deploying a load balancer to support the High Availability and failover scenarios on the front of the Security Token Service cluster.
See Server Load Balancing in a High Availability Environment in High Availability Guide.
For instance, a third-party Security Token Service can create a valid SAML Assertion that can be consumed by Security Token Service.
All run-time scenarios for Requesters and Relying Parties are supported with other Oracle WS-Trust clients.
The WS-Trust clients include WLSClient, MetroClient, and Oracle Web Services Manager (Oracle WSM). All Web services clients are supported with Security Token Service only through the WS-Trust binding.
Access Manager and Security Token Service are installed together from a single EAR file and deployed on the same managed server in a WebLogic domain.
The Oracle WSM Agent uses a keystore for various cryptographic operations. For those tasks, the Oracle WSM Agent uses the keystore configured for Oracle WSM tasks. During installation, if the Oracle WSM keystore service has not been configured, the installer:
Creates a new keystore in the $DOMAIN_HOME/config/fmwconfig folder (the default name is default-keystore.jks).
Creates a key entry with the corresponding certificate to be used by OWSM for signature and encryption operations. This key entry is stored in the OWSM keystore under the orakey alias.
Stores the passwords of the key entry and of the keystore in CSF (the Credential Store Framework).
Having access to the keystore is sometimes required to:
Extract the signing or encryption certificate to distribute to clients, if needed
Update or replace the signing or encryption key entry
Add trusted certificates
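The three keystore tasks listed above can be performed with the JDK keytool utility. The following script is an added example, not part of Oracle's documentation or product; it assumes keytool is on the PATH, uses the default keystore path and the orakey alias described above, and takes the keystore and key passwords from environment variables (the fallback values are placeholders; in a real domain the passwords are the ones stored in CSF). To run offline it first builds a throwaway keystore and a throwaway partner certificate, which the installer would normally have created for you.

```shell
#!/bin/sh
# Added example (not Oracle's code): maintain the OWSM keystore with keytool.
# Assumptions: keytool on PATH; keystore path, alias and passwords as below.
set -eu

# Default to a scratch directory so the script runs offline; point DOMAIN_HOME
# at a real domain to operate on the installer-created keystore instead.
WORK="${DOMAIN_HOME:-$(mktemp -d)}"
KS="${KS:-$WORK/config/fmwconfig/default-keystore.jks}"
STOREPASS="${OWSM_STOREPASS:-changeit}"   # placeholder; real value is held in CSF
KEYPASS="${OWSM_KEYPASS:-changeit}"       # placeholder; real value is held in CSF
ALIAS="${OWSM_ALIAS:-orakey}"

# Build a demo keystore with a self-signed orakey entry (installer's job in
# a real domain). Only used so the rest of the script can run stand-alone.
make_demo_keystore() {
  mkdir -p "$(dirname "$KS")"
  rm -f "$KS"
  keytool -genkeypair -storetype JKS -keystore "$KS" \
    -storepass "$STOREPASS" -keypass "$KEYPASS" -alias "$ALIAS" \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=sts-demo, O=Example" >/dev/null 2>&1
}

# Produce a constructed partner certificate (PEM) at $1, standing in for the
# certificate a real WS-Trust partner would send you out of band.
make_partner_cert() {
  tmpks="$(dirname "$1")/partner-tmp.jks"
  rm -f "$tmpks"
  keytool -genkeypair -storetype JKS -keystore "$tmpks" \
    -storepass "$STOREPASS" -keypass "$KEYPASS" -alias partner \
    -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=partner-demo, O=Example" >/dev/null 2>&1
  keytool -exportcert -rfc -keystore "$tmpks" -storepass "$STOREPASS" \
    -alias partner -file "$1" >/dev/null 2>&1
  rm -f "$tmpks"
}

# Task 1: export the signing/encryption certificate (PEM) to hand to clients.
export_signing_cert() {
  keytool -exportcert -rfc -keystore "$KS" -storepass "$STOREPASS" \
    -alias "$ALIAS" -file "$1" >/dev/null 2>&1
}

# Task 2: replace the signing/encryption key entry in place (new self-signed
# key under the same alias; a CA-issued replacement would be imported instead).
replace_signing_key() {
  keytool -delete -keystore "$KS" -storepass "$STOREPASS" \
    -alias "$ALIAS" >/dev/null 2>&1
  keytool -genkeypair -keystore "$KS" -storepass "$STOREPASS" \
    -keypass "$KEYPASS" -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -validity 365 -dname "$1" >/dev/null 2>&1
}

# Task 3: add a partner's certificate as a trusted entry under alias $1.
add_trusted_cert() {
  keytool -importcert -noprompt -keystore "$KS" -storepass "$STOREPASS" \
    -alias "$1" -file "$2" >/dev/null 2>&1
}

# Count entries of one kind (PrivateKeyEntry or trustedCertEntry) for checks.
count_entries() {
  keytool -list -keystore "$KS" -storepass "$STOREPASS" 2>/dev/null \
    | grep -c "$1" || true
}

# Subject of the certificate currently stored under the signing alias.
signing_subject() {
  keytool -list -v -keystore "$KS" -storepass "$STOREPASS" -alias "$ALIAS" \
    2>/dev/null | grep '^Owner:' | head -n 1
}
```

Running `make_demo_keystore`, then `export_signing_cert "$WORK/orakey.pem"` and `add_trusted_cert partner "$WORK/partner.pem"`, leaves one PrivateKeyEntry (orakey) and one trustedCertEntry in the keystore; `count_entries` is the quick post-change check that the entry you meant to add or replace is actually there before the managed server is restarted.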
For more information, see the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Any server hosting Security Token Service must be registered with Access Manager. This can occur automatically during installation, or manually after installation.
All Security Token Service system configuration is done using the Oracle Access Management Console. Elements in the Oracle Access Management Console enable Administrators to easily configure the Security Token Service to exchange WS Trust tokens with partners. Other Security Token Service elements provide for creation, viewing, modification, and removal of partners, endpoints, validation templates, issuance templates, and data store connections.
See Managing Oracle Access Management Security Token Service for details about the Security Token Service.