18 Configuring Multi-Data Centers

The Multi-Data Center feature is disabled by default. You have to enable and configure the Multi-Data Center functionality.

This section describes the following topics:

18.1 Before Setting Up a Multi-Data Center

Before you proceed with the Multi-Data Center (MDC) configuration process, ensure that the following system-level requirements are met.

  • Ensure you have a fully functioning Oracle Access Management environment with all applicable WebGates configured.

  • Partners (WebGates or agents) are anchored to a single data center; partner registration is therefore done at the individual data centers.

  • Clocks on the machines on which Access Manager and agents are deployed must be in sync. Non-MDC Access Manager clusters already require the clocks of WebGate agents to be in sync with the Access Manager servers, and this requirement applies to the MDC as well. If the clocks are out of sync, token validations will not be consistent, resulting in deviations from the expected behavior regarding the token expiry interval, validity interval, timeouts and the like.

  • The identity stores in a Multi-Data Center topology must have the same name.

  • WebLogic Server domains do not span data centers.

  • Ensure that the OAM Managed servers in the Master and Clone data centers are front ended by a single (SSL-terminated) load balancer. The load balancer should send all requests in a user session consistently to the same back end server (persistence, stickiness) and it should route traffic geographically (geo-affinity). Check that this load balancer is configured in the OAM Admin Console of the Master data center before restarting the servers.

  • Any firewall between data centers must allow communication over the Oracle Access Protocol (OAP) channel. This entails opening the necessary ports and taking into account the lifetime of the connection. Regarding the latter, the MaxSessionTime parameter in the WebGate profile should be set to less than the firewall timeout value, so that the firewall does not silently drop an OAP connection the WebGate still considers open.

  • The OAM Admin servers in the Master and Clone data centers should be SSL-enabled.

  • All the managed servers in the Master and Clone data centers should be configured with the same security mode.

    • Use SIMPLE mode to secure communication between OAM Servers and WebGates using out-of-box certificates.

    • Use CERT mode, if you have access to a trusted third-party Certificate Authority (CA).

  • The ID Stores are configured for Master and Clone data centers and they have the same name.

18.2 Primary Multi-Data Center Use Cases

The primary MDC deployments include active-active and active-standby use cases.

Table 18-1 lists the primary MDC use cases.

Table 18-1 MDC Use Cases

Active-Active
  MDC Policy:
    SessionMustBeAnchoredToDataCenterServicingUser=false
    SessionDataRetrievalOnDemand=true
    Reauthenticate=false
    SessionDataRetrievalOnDemandMax_retry_attempts=<number>
    SessionDataRetrievalOnDemandMax_conn_wait_time=<milliseconds>
    SessionContinuationOnSyncFailure=false
    MDCGitoCookieDomain=<sub domain>
  Validate Remote Session: Yes
  Session Synchronized in Data Center Servicing User From Remote DC: Yes
  Terminate Remote Session: No
  User Challenged: When a valid session could not be located in a remote data center

Active-Standby
  MDC Policy:
    SessionMustBeAnchoredToDataCenterServicingUser=false
    SessionDataRetrievalOnDemand=true
    Reauthenticate=false
    SessionDataRetrievalOnDemandMax_retry_attempts=<number>
    SessionDataRetrievalOnDemandMax_conn_wait_time=<milliseconds>
    SessionContinuationOnSyncFailure=true
    MDCGitoCookieDomain=<sub domain>
  Validate Remote Session: Could not validate as the remote data center is down
  Session Synchronized in Data Center Servicing User From Remote DC: No, since the remote data center is down
  Terminate Remote Session: Could not terminate as the remote data center is down
  User Challenged: No; provides seamless access by creating a local session from the details available in the valid cookie

18.3 Setting Up a Master and a Clone in Multi-Data Center

The MDC feature is disabled by default. To set up an Access Manager MDC, start with an Access Manager cluster, set all MDC global configurations and designate the cluster as the Master data center.

Ensure that the Data Center 1 cluster, the Data Center 2 cluster and their four nodes are configured and ready for the Multi-Data Center configuration. See Before Setting Up a Multi-Data Center.

Setting up Master Data Center

Configure a Master data center for the MDC environment using the MDC Admin REST APIs as follows:

  1. Run the following command with appropriate values to configure the Master data center.

    curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"value", "masterMDCAgentID":"value","cloneMDCAgentID":"value", "accessClientPassword":"value","artifactPassword":"value","cloneServerURL":"value","agentKeyPassword":"value","certModeKeystorePassword":"value","masterServerURL":"value", "cloneAdminUserNamePassword":"value","trustStorePath":"value", "keyStorePath":"value", "artifactsZipLocation":"value"}'
    • mdcTopologyType: Choose one of the two topology types available for MDC configuration, ACTIVE_ACTIVE or DISASTER_RECOVERY.

    • masterMDCAgentID: Enter the MDC NAP Agent Name for the Master data center.

    • cloneMDCAgentID: Enter the MDC NAP Agent Name for the Clone data center.

    • accessClientPassword: Provide the password used by the MDC NAP agents in the Master and Clone data centers.

    • artifactPassword: Provide the password that is used to protect cloning artifacts.

    • cloneServerURL: Enter the URL of the Clone Admin server or the URL of the reverse proxy front ending the Clone Admin server.

    • (Only for CERT mode) agentKeyPassword: Enter the agent key password used to register partners in the CERT mode.

    • (Only for CERT mode) certModeKeystorePassword: Enter the keystore password used to protect clientTrustStore.jks and clientKeyStore.jks.

    • (Optional) masterServerURL: Enter the URL of the Master Admin server or the URL of the reverse proxy front ending the Master Admin Server.

    • (Optional) cloneAdminUserNamePassword: Enter the user credentials of the Clone data center’s Administrator if the user name and password of the Administrator for Master and Clone data centers are different.

    • (Optional) trustStorePath: Enter the following depending on SIMPLE or CERT mode:

      • For SIMPLE mode: provide the path to the oamclient-truststore.jks file if this file is in a folder other than $MW_HOME/user_projects/domains/OAMDomain/output/webgate-ssl-SHA-256/

      • For CERT mode: provide the path to the clientTrustStore.jks file if this file is in a folder other than $MW_HOME/user_projects/domains/OAMDomain/config/fmwconfig/oam-mdc-cert-artifacts/

    • (Optional) keyStorePath: Enter the following depending on SIMPLE or CERT mode:

      • For SIMPLE mode: provide the path to the oamclient-keystore.jks file if this file is in a folder other than $MW_HOME/user_projects/domains/OAMDomain/output/webgate-ssl-SHA-256/

      • For CERT mode: provide the path to the clientKeyStore.jks file if this file is in a folder other than $MW_HOME/user_projects/domains/OAMDomain/config/fmwconfig/oam-mdc-cert-artifacts/

    • (Optional) artifactsZipLocation: Provide the location where the cloning artifacts have to be stored; specify this only if the cloning artifacts need to be stored in a location other than /tmp.

    Here are the sample Curl commands for configuring a Master data center in SIMPLE and CERT modes using Active-Active MDC topology:
    • Using CERT mode:
      curl  -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"ACTIVE_ACTIVE", "masterMDCAgentID":"MDCmasterNAPagent","cloneMDCAgentID":"MDCcloneNAPagent", "accessClientPassword":"password","artifactPassword":"password","cloneServerURL":"https://oamadmin1-dc2.poc.com:7002","cloneAdminUserNamePassword":"weblogic:password","agentKeyPassword":"password", "certModeKeystorePassword":"password"}'
    • Using SIMPLE mode:
      curl  -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"ACTIVE_ACTIVE", "masterMDCAgentID":"MDCmasterNAPagent","cloneMDCAgentID":"MDCcloneNAPagent", "accessClientPassword":"password","artifactPassword":"password","cloneServerURL":"https://oamadmin1-dc2.poc.com:7002","cloneAdminUserNamePassword":"weblogic:password"}'

    See MDC Master REST API in REST API for Multi Data Center in Oracle Access Manager.

Setting up Clone Data Center

Configure a Clone data center for the MDC environment using the MDC Admin REST APIs as follows:

  1. Run the following command with appropriate values to configure the Clone data center.

    curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc2.poc.com:7002/oam/services/rest/mdc/clone' -d '{"masterServerURL":"value","artifactPassword":"value","masterAdminUserNamePassword":"value", "artifactsZipLocation":"value", "masterArtifactsZipLocation":"value"}'
    • masterServerURL: Enter the URL of the Master Admin server or the URL of the reverse proxy front ending the Master Admin Server.

    • artifactPassword: Provide the same password that protects the cloning artifacts and that was used while setting up the Master data center.

    • (Optional) masterAdminUserNamePassword: Enter the user credentials of the Master data center’s Administrator if the username and password of the Administrator for the Master and Clone data centers are different.

    • (Optional) artifactsZipLocation: Provide the location where backup artifacts should be stored in the Clone data center (the artifacts present in the Clone data center are backed up before they are replaced with the Master artifacts); specify this only when the backup artifacts need to be stored in a location other than /tmp.

    • (Optional) masterArtifactsZipLocation: Provide the location where the cloning artifacts are present in the Master data center; specify this only when artifactsZipLocation was used in the input while configuring the Master data center.

    Here is the sample Curl command for configuring a Clone data center:
    curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc2.poc.com:7002/oam/services/rest/mdc/clone' -d '{"masterServerURL":"https://oamadmin1-dc1.poc.com:7002/","artifactPassword":"password","masterAdminUserNamePassword":"password"}'

    See MDC Clone REST API in REST API for Multi Data Center in Oracle Access Manager.

  2. Run the following command to reconfigure the Clone Data Center:

    curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc2.poc.com:7002/oam/services/rest/mdc/clone/configuration'

    Note:

    This command does not require any input parameters. It updates the DataCenterType flag to Clone. To make the clone write-protected, run the WLST command setMultiDataCenterWrite(WriteEnabledFlag="false"); a write-protected clone ignores any update to its configuration.

    See MDC Reconfigure Clone REST API in REST API for Multi Data Center in Oracle Access Manager.

You have now set up one Master and one Clone data center.
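As an added example (not Oracle's code or part of this documentation), the following Python builds the request bodies for the mdc/master and mdc/clone calls described above and enforces the parameter rules this section states: mandatory fields, CERT-only fields, SSL-enabled Admin server URLs, and a Clone body that reuses the Master's artifactPassword and artifactsZipLocation choice. The field names and sample hosts come from this section; the validation logic is this example's own.

```python
"""Build and validate bodies for the OAM MDC Admin REST calls (added example).

Not Oracle's code. The field names are the ones documented in 18.3; the
checks encode the rules stated there (mandatory vs. optional, CERT-only
fields, SSL-enabled Admin servers, Clone mirroring the Master's choices).
"""
import json
from urllib.parse import urlparse

TOPOLOGIES = {"ACTIVE_ACTIVE", "DISASTER_RECOVERY"}
SECURITY_MODES = {"OPEN", "SIMPLE", "CERT"}
CERT_ONLY = ("agentKeyPassword", "certModeKeystorePassword")
MASTER_REQUIRED = ("mdcTopologyType", "masterMDCAgentID", "cloneMDCAgentID",
                   "accessClientPassword", "artifactPassword", "cloneServerURL")
MASTER_OPTIONAL = ("masterServerURL", "cloneAdminUserNamePassword",
                   "trustStorePath", "keyStorePath", "artifactsZipLocation")


def _require_https(name, url):
    # 18.1 requires the Admin servers to be SSL-enabled, so the MDC calls must
    # be pointed at https URLs; anything else is rejected before it is sent.
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"{name} must be an https:// URL, got {url!r}")


def build_master_payload(security_mode, **params):
    """Return the JSON body for POST .../oam/services/rest/mdc/master."""
    if security_mode not in SECURITY_MODES:
        raise ValueError(f"unknown security mode {security_mode!r}")
    required = MASTER_REQUIRED + (CERT_ONLY if security_mode == "CERT" else ())
    missing = [k for k in required if not params.get(k)]
    if missing:
        raise ValueError(f"missing mandatory parameters: {missing}")
    if params["mdcTopologyType"] not in TOPOLOGIES:
        raise ValueError(f"mdcTopologyType must be one of {sorted(TOPOLOGIES)}")
    _require_https("cloneServerURL", params["cloneServerURL"])
    if params.get("masterServerURL"):
        _require_https("masterServerURL", params["masterServerURL"])
    allowed = required + MASTER_OPTIONAL
    unknown = sorted(set(params) - set(allowed))
    if unknown:
        # Catches agentKeyPassword/certModeKeystorePassword outside CERT mode
        # as well as misspelled field names the server would silently ignore.
        raise ValueError(f"parameters not valid for {security_mode} mode: {unknown}")
    return {k: params[k] for k in allowed if params.get(k)}


def build_clone_payload(master_payload, master_server_url,
                        master_admin_credentials=None, backup_zip_location=None):
    """Return the JSON body for POST .../oam/services/rest/mdc/clone.

    Derives the Clone body from the Master body so the two cannot drift:
    artifactPassword is copied verbatim, and masterArtifactsZipLocation is set
    only when the Master call used artifactsZipLocation (18.3, Clone step 1).
    """
    _require_https("masterServerURL", master_server_url)
    body = {"masterServerURL": master_server_url,
            "artifactPassword": master_payload["artifactPassword"]}
    if master_admin_credentials:
        body["masterAdminUserNamePassword"] = master_admin_credentials
    if backup_zip_location:
        body["artifactsZipLocation"] = backup_zip_location
    if "artifactsZipLocation" in master_payload:
        body["masterArtifactsZipLocation"] = master_payload["artifactsZipLocation"]
    return body


def to_curl_data(payload):
    """Compact JSON suitable for curl -d '...' on one line."""
    return json.dumps(payload, separators=(",", ":"))


if __name__ == "__main__":
    # Hosts and agent names are the ones used in this section's samples.
    master = build_master_payload(
        "CERT", mdcTopologyType="ACTIVE_ACTIVE",
        masterMDCAgentID="MDCmasterNAPagent", cloneMDCAgentID="MDCcloneNAPagent",
        accessClientPassword="password", artifactPassword="password",
        cloneServerURL="https://oamadmin1-dc2.poc.com:7002",
        cloneAdminUserNamePassword="weblogic:password",
        agentKeyPassword="password", certModeKeystorePassword="password")
    clone = build_clone_payload(master, "https://oamadmin1-dc1.poc.com:7002/")
    print("master body:", to_curl_data(master))
    print("clone body: ", to_curl_data(clone))
```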

18.4 Adding an Additional Clone Data Center to the Existing Multi-Data Center Setup

You can add an additional clone data center to the existing MDC environment if the Master and Clone data centers are using 12.2.1.3.0 binaries.

  1. Optionally, you can run the diagnostic REST API on the Master and the Clone data centers to view the MDC configuration settings:

    curl -k -u weblogic:password 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/configuration'
    curl -k -u weblogic:password 'https://oamadmin1-dc2.poc.com:7002/oam/services/rest/mdc/configuration'
    

    Verify the following from the output of the command:

    • When the diagnostic REST API is executed on the Master:

      In the dcConfigMap entry, MultiDataCenterEnabled should be true, MultiDataCenterPartners should contain the existing MDC partners, and the agentMap entry should contain the information about the agents associated with the MDC partners.

    • When the diagnostic REST API is executed on the Clone:

      In the dcConfigMap entry, MultiDataCenterEnabled should be false, the MultiDataCenterPartners list should be empty, and the agentMap entry should be empty.

    See MDC Diagnostic REST API in REST API for Multi Data Center in Oracle Access Manager.

  2. Run the following command with appropriate values to add a new clone to the Master data center.

    curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master/clone' -d '{"cloneMDCAgentID":"value", "accessClientPassword":"value","artifactPassword":"value","cloneServerURL":"value","agentKeyPassword":"value","certModeKeystorePassword":"value", "cloneAdminUserNamePassword":"value","trustStorePath":"value", "keyStorePath":"value", "artifactsZipLocation":"value"}'
    • cloneMDCAgentID: Enter the MDC NAP Agent Name for the new Clone data center.

    • accessClientPassword: Provide the password used by the MDC NAP agents in the new Clone data center.

    • artifactPassword: Provide the password that is used to protect cloning artifacts.

    • cloneServerURL: Enter the URL of the new Clone Admin server or the URL of the reverse proxy front ending the new Clone Admin server.

    • (Only for CERT mode) agentKeyPassword: Enter the agent key password used to register the new Clone partners in the CERT mode.

    • (Only for CERT mode) certModeKeystorePassword: Enter the keystore password used to protect clientTrustStore.jks and clientKeyStore.jks.

    • (Optional) cloneAdminUserNamePassword: Enter the user credentials of the new Clone data center’s Administrator if the username and password of the Administrator for Master and new Clone data centers are different.

    • (Optional) trustStorePath: Enter the following depending on SIMPLE or CERT mode:

      • For SIMPLE mode: provide the path to the oamclient-truststore.jks file if this file is in a folder other than $MW_HOME/user_projects/domains/OAMDomain/output/webgate-ssl-SHA-256/.

      • For CERT mode: provide the path to the clientTrustStore.jks file if this file is in a folder other than $MW_HOME/user_projects/domains/OAMDomain/config/fmwconfig/oam-mdc-cert-artifacts/.

    • (Optional) keyStorePath: Enter the following depending on SIMPLE or CERT mode:

      • For SIMPLE mode: provide the path to the oamclient-keystore.jks file if this file is in a folder other than DOMAIN_HOME/output/webgate-ssl-SHA-256/.

      • For CERT mode: provide the path to the clientKeyStore.jks file if this file is in a folder other than $MW_HOME/user_projects/domains/OAMDomain/config/fmwconfig/oam-mdc-cert-artifacts/.

    • (Optional) artifactsZipLocation: Provide the location where the cloning artifacts have to be stored; specify this only if the cloning artifacts need to be stored in a location other than /tmp.

    Here are the sample curl commands for adding a new Clone to the Master data center in SIMPLE and CERT modes:
    • Using CERT mode:
      curl -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master/clone' -d '{"cloneMDCAgentID":"CloneNAPAgent2","accessClientPassword":"password","artifactPassword":"password","cloneServerURL":"https://oamadmin1-dc2.poc.com:7002","agentKeyPassword":"password","certModeKeystorePassword":"password"}' 
    • Using SIMPLE mode:
      curl -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master/clone' -d '{"cloneMDCAgentID":"CloneNAPAgent2","accessClientPassword":"password","artifactPassword":"password","cloneServerURL":"https://oamadmin1-dc2.poc.com:7002"}'
    See MDC Clone REST API in REST API for Multi Data Center in Oracle Access Manager.
  3. Run the following command with appropriate values to configure the Clone data center.

    curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc2.poc.com:7002/oam/services/rest/mdc/clone' -d '{"masterServerURL":"value","artifactPassword":"value","masterAdminUserNamePassword":"value", "artifactsZipLocation":"value", "masterArtifactsZipLocation":"value"}'
    • masterServerURL: Enter the URL of the Master Admin server or the URL of the reverse proxy front ending the Master Admin Server.

    • artifactPassword: Provide the same password that protects the cloning artifacts and that was used while setting up the Master data center.

    • (Optional) masterAdminUserNamePassword: Enter the user credentials of the Master data center’s Administrator if the username and password of the Administrator for the Master and Clone data centers are different.

    • (Optional) artifactsZipLocation: Provide the location where backup artifacts should be stored in the Clone data center (the artifacts present in the Clone data center are backed up before they are replaced with the Master artifacts); specify this only when the backup artifacts need to be stored in a location other than /tmp.

    • (Optional) masterArtifactsZipLocation: Provide the location where the cloning artifacts are present in the Master data center; specify this only when artifactsZipLocation was used in the input while configuring the Master data center.

    Here is the sample Curl command for configuring a Clone data center:
    curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc2.poc.com:7002/oam/services/rest/mdc/clone' -d '{"masterServerURL":"https://oamadmin1-dc1.poc.com:7002/","artifactPassword":"password","masterAdminUserNamePassword":"password"}'
  4. Run the following command to reconfigure the Clone Data Center:

    curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc2.poc.com:7002/oam/services/rest/mdc/clone/configuration'

    Note:

    This command does not require any input parameters. It updates the DataCenterType flag to Clone. To make the clone write-protected, run the WLST command setMultiDataCenterWrite(WriteEnabledFlag="false"); a write-protected clone ignores any update to its configuration.
    See MDC Reconfigure Clone REST API in REST API for Multi Data Center in Oracle Access Manager.
  5. Restart the Clone Admin and managed servers.

  6. Run the following diagnostic REST API on the Master and the Clone Data Centers to verify MDC configurations:

    curl -k -u weblogic:password 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/configuration'
    curl -k -u weblogic:password 'https://oamadmin1-dc2.poc.com:7002/oam/services/rest/mdc/configuration'
    
  7. Export the partner and policy information from Data Center 1, Node 1 and then import it to Data Center 2, Node 1.

    1. To export, change to the $MW_HOME/oracle_common/common/bin directory and run WLST to export from Data Center 1, Node 1.

      ./wlst.sh
      connect()
      exportAccessStore(toFile="<name and location of the master metadata ZIP file>", namePath="/")
      exit()
    2. Copy the exported file (that is, <name and location of the master metadata ZIP file>) from Data Center 1, Node 1 to Data Center 2, Node 1. To import, change to the $MW_HOME/oracle_common/common/bin directory and run WLST to import on Data Center 2, Node 1.

      ./wlst.sh
      connect()
      importAccessStore(fromFile="<name and location of master metadata ZIP file>", namePath="/")
      exit()

After exporting the partner and policy information from the Master data center and importing it into the Clone data center, continue with the steps for enabling APS as specified in Enabling Automated Policy Synchronization.
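Steps 1 and 6 above both read the MDC diagnostic REST API. The following Python, an added example rather than Oracle's code, applies the step 1 expectations (Master: enabled, partners listed, agents present; not-yet-configured Clone: disabled and empty) to a saved response. It assumes that dcConfigMap and agentMap are top-level JSON objects, that flags may arrive as "true"/"false" strings, and that agentMap is keyed by partner name; those assumptions and the sample responses are constructed for this example.

```python
"""Check a response from the MDC diagnostic REST API (added example).

Not Oracle's code. The expectations are the ones listed in 18.4 step 1;
the response layout (dcConfigMap and agentMap as top-level objects, flags
possibly serialised as "true"/"false" strings, agentMap keyed by partner name)
is an assumption, as are the constructed sample responses below.
"""
import json


def _as_bool(value):
    # Assumption: the flag may arrive as a JSON bool or as a "true"/"false" string.
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def check_mdc_diagnostics(response_text, role, expected_partners=()):
    """Return a list of findings; an empty list means the output matches 18.4 step 1.

    role is "master" (configured Master) or "new_clone" (a clone that has not
    been configured yet). expected_partners are the MDC partner names the
    Master must list, e.g. the master and clone NAP agent IDs.
    """
    if role not in ("master", "new_clone"):
        raise ValueError("role must be 'master' or 'new_clone'")
    doc = json.loads(response_text)
    dc = doc.get("dcConfigMap")
    if not isinstance(dc, dict):
        return ["dcConfigMap entry missing from diagnostic output"]
    enabled = _as_bool(dc.get("MultiDataCenterEnabled"))
    partners = list(dc.get("MultiDataCenterPartners") or [])
    agents = doc.get("agentMap") or {}
    findings = []
    if role == "master":
        if not enabled:
            findings.append("MultiDataCenterEnabled is not true on the Master")
        if not partners:
            findings.append("MultiDataCenterPartners is empty on the Master")
        missing = sorted(set(expected_partners) - set(partners))
        if missing:
            findings.append(f"MultiDataCenterPartners lacks expected partners {missing}")
        # Every listed partner should have agent information in agentMap.
        without_agent = sorted(p for p in partners if p not in agents)
        if without_agent:
            findings.append(f"agentMap has no entry for partners {without_agent}")
    else:
        if enabled:
            findings.append("MultiDataCenterEnabled is true on the new Clone (expected false)")
        if partners:
            findings.append(f"MultiDataCenterPartners should be empty on the new Clone, got {partners}")
        if agents:
            findings.append("agentMap should be empty on the new Clone")
    return findings


# Constructed sample responses (not captured from a real OAM deployment).
SAMPLE_MASTER = json.dumps({
    "dcConfigMap": {"MultiDataCenterEnabled": "true",
                    "MultiDataCenterPartners": ["MDCmasterNAPagent", "MDCcloneNAPagent"]},
    "agentMap": {"MDCmasterNAPagent": {"host": "oamadmin1-dc1.poc.com"},
                 "MDCcloneNAPagent": {"host": "oamadmin1-dc2.poc.com"}},
})
SAMPLE_NEW_CLONE = json.dumps({
    "dcConfigMap": {"MultiDataCenterEnabled": "false", "MultiDataCenterPartners": []},
    "agentMap": {},
})


if __name__ == "__main__":
    import sys
    # Usage: curl -k -u user:pw '<admin-url>/oam/services/rest/mdc/configuration' \
    #        | python check_mdc.py master MDCmasterNAPagent MDCcloneNAPagent
    role = sys.argv[1] if len(sys.argv) > 1 else "master"
    text = SAMPLE_MASTER if sys.stdin.isatty() else sys.stdin.read()
    problems = check_mdc_diagnostics(text, role, sys.argv[2:])
    print("OK" if not problems else "\n".join("FAIL: " + p for p in problems))
```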

18.5 Multi-Data Center Security Modes

A Multi-Data Center relies on the Oracle Access Protocol (OAP) channel for inter-data-center session management operations and back channel communication. The security mode of the MDC partner profile must match the security mode defined for the Access Manager server: OPEN, SIMPLE or CERT.

The following sections have details about the security modes.

18.5.1 OPEN Security Mode

OPEN Security Mode is the default mode of the Access Manager deployment. No configuration is needed. Oracle recommends SIMPLE or CERT modes to avoid security issues. In a multi-data center environment, all the Admin and managed servers need to be configured with the same security mode.

Use the MDC Admin REST commands to set up the Master data center in OPEN mode and provide the following mandatory and optional MDC parameters as shown in the example:

curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"value", "masterMDCAgentID":"value","cloneMDCAgentID":"value", "accessClientPassword":"value","artifactPassword":"value","cloneServerURL":"value","agentKeyPassword":"value","certModeKeystorePassword":"value","masterServerURL":"value", "cloneAdminUserNamePassword":"value", "artifactsZipLocation":"value"}'
  • mdcTopologyType: Choose one of the two topology types available for MDC configuration, ACTIVE_ACTIVE or DISASTER_RECOVERY.

  • masterMDCAgentID: Enter the MDC NAP Agent Name for the Master data center.

  • cloneMDCAgentID: Enter the MDC NAP Agent Name for the Clone data center.

  • accessClientPassword: Provide the password required to use the MDC NAP agents in Master and Clone data centers.

  • artifactPassword: Provide the password that is used to protect cloning artifacts.

  • cloneServerURL: Enter the URL of the Clone Admin server or the URL of the reverse proxy front ending the Clone Admin server.

  • (Optional) masterServerURL: Enter the URL of the Master Admin server or the URL of the reverse proxy front ending the Master Admin Server.

  • (Optional) cloneAdminUserNamePassword: Enter the user credentials of the Clone data center’s Administrator if the username and password of the Administrator for Master and Clone data centers are different.

  • (Optional) artifactsZipLocation: Provide the location where the cloning artifacts have to be stored; specify this only if the cloning artifacts need to be stored in a location other than /tmp.

Here are the sample curl commands for configuring a Master data center in OPEN mode using the Active-Active and Disaster Recovery MDC topologies:

  • Using Active-Active MDC topology:
    curl  -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"ACTIVE_ACTIVE", "masterMDCAgentID":"MDCmasterNAPagent","cloneMDCAgentID":"MDCcloneNAPagent", "accessClientPassword":"password","artifactPassword":"password","cloneServerURL":"https://oamadmin1-dc2.poc.com:7002","cloneAdminUserNamePassword":"weblogic:password"}'
  • Using Disaster Recovery MDC topology:
    curl  -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"DISASTER_RECOVERY", "masterMDCAgentID":"MDCmasterNAPagent","cloneMDCAgentID":"MDCcloneNAPagent", "accessClientPassword":"password","artifactPassword":"password","cloneServerURL":"https://oamadmin1-dc2.poc.com:7002","cloneAdminUserNamePassword":"weblogic:password"}'

18.5.2 SIMPLE Security Mode

Follow the instructions in Configuring Simple Mode Communication with Access Manager to set up the Access Manager servers in SIMPLE mode. In a multi-data center environment, all the Admin and managed servers need to be configured with the same security mode. Use SIMPLE mode to secure communications between OAM Servers and WebGates using out-of-box certificates.

Use the MDC Admin REST commands to set up the Master data center in SIMPLE mode and provide the following mandatory and optional MDC parameters as shown in the example:

curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"value", "masterMDCAgentID":"value","cloneMDCAgentID":"value", "accessClientPassword":"value","artifactPassword":"value","cloneServerURL":"value","agentKeyPassword":"value","certModeKeystorePassword":"value","masterServerURL":"value", "cloneAdminUserNamePassword":"value","trustStorePath":"value", "keyStorePath":"value", "artifactsZipLocation":"value"}'
  • mdcTopologyType: Choose one of the two topology types available for MDC configuration, ACTIVE_ACTIVE or DISASTER_RECOVERY.

  • masterMDCAgentID: Enter the MDC NAP Agent Name for the Master data center.

  • cloneMDCAgentID: Enter the MDC NAP Agent Name for the Clone data center.

  • accessClientPassword: Provide the password required to use the MDC NAP agents in Master and Clone data centers.

  • artifactPassword: Provide the password that is used to protect cloning artifacts.

  • cloneServerURL: Enter the URL of the Clone Admin server or the URL of the reverse proxy front ending the Clone Admin server.

  • (Optional) masterServerURL: Enter the URL of the Master Admin server or the URL of the reverse proxy front ending the Master Admin Server.

  • (Optional) cloneAdminUserNamePassword: Enter the user credentials of the Clone data center’s Administrator if the username and password of the Administrator for Master and Clone data centers are different.

  • (Optional) trustStorePath: Provide the path to the oamclient-truststore.jks file if this file is in a folder other than %DOMAIN_HOME%/output/webgate-ssl-SHA-256

  • (Optional) keyStorePath: Provide the path to the oamclient-keystore.jks file if this file is in a folder other than %DOMAIN_HOME%/output/webgate-ssl-SHA-256

  • (Optional) artifactsZipLocation: Provide the location where the cloning artifacts have to be stored; specify this only if the cloning artifacts need to be stored in a location other than /tmp.

Here are the sample curl commands for configuring a Master data center in SIMPLE mode using the Active-Active and Disaster Recovery MDC topologies:

  • Using Active-Active MDC topology:
    curl  -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"ACTIVE_ACTIVE", "masterMDCAgentID":"MDCmasterNAPagent","cloneMDCAgentID":"MDCcloneNAPagent", "accessClientPassword":"password","artifactPassword":"password","cloneServerURL":"https://oamadmin1-dc2.poc.com:7002","cloneAdminUserNamePassword":"weblogic:password"}'
  • Using Disaster Recovery MDC topology:
    curl  -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"DISASTER_RECOVERY", "masterMDCAgentID":"MDCmasterNAPagent","cloneMDCAgentID":"MDCcloneNAPagent", "accessClientPassword":"password","artifactPassword":"password","cloneServerURL":"https://oamadmin1-dc2.poc.com:7002","cloneAdminUserNamePassword":"weblogic:password"}'

18.5.3 CERT Security Mode

Follow the instructions in Configuring Cert Mode Communication for Access Manager to set up the Access Manager servers in CERT mode. In a multi-data center environment, all the Admin and managed servers need to be configured with the same security mode. Use CERT mode if you have access to a trusted third-party Certificate Authority (CA).

Create an MDC partner in each of the member data centers in CERT mode. Generate the clientTrustStore.jks and clientKeyStore.jks KeyStores for the partners to communicate in CERT mode.

In an MDC setup, each Clone data center is a replica of the Master data center. For the newly cloned data centers to communicate with the existing data centers in CERT mode, the KeyStores generated may be reused across data centers. However, while configuring the domain across multiple nodes (such as adding a new OAM server to a new host), ensure that the new host’s file system has the required artifacts stored in the same directory structure as that of the AdminServer node.
  1. Run the following openssl command from a Linux command prompt to generate aaa_key.pem and aaa_req.pem.

    openssl req -new -keyout aaa_key.pem -out aaa_req.pem -utf8 -sha256

    Use the certreq command to generate the certificate.

  2. Create aaa_cert.pem using the following procedure.

    1. Open aaa_req.pem in a text editor and copy the contents.

      Exclude the trailing spaces from your selection.

    2. Paste the copied text into Signcsr.

      Include the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.

    3. Copy the output into a text editor and save it as aaa_cert.pem.

  3. Create aaa_chain using the following procedure.

    1. Open certreq.

    2. Click on chain.pem and copy/paste the contents into a text editor and save it as aaa_chain.pem.

      Exclude leading and trailing spaces from your selection.

  4. Encrypt the private key (aaa_key.pem) using the following command.

    openssl rsa -in aaa_key.pem -passin pass: -out aaa_key.pem -passout pass:Welcome1 -des
    

    The password used in this command must be the one you define as the access client password or agent key password when registering the MDC partner. The -des option encrypts the stored key with single DES; openssl rsa also accepts -des3 or -aes256 if you want a stronger cipher protecting the key file at rest.

  5. Copy aaa_key.pem, aaa_cert.pem, and aaa_chain.pem to a temporary location.

    For example, /tmp/clientCertArtifacts/

  6. Convert aaa_cert.pem and aaa_key.pem into DER format using the following commands. The pkcs8 command prompts for the passphrase set in step 4 and, because of -nocrypt, writes the key out unencrypted.

    openssl x509 -in /tmp/clientCertArtifacts/aaa_cert.pem -inform PEM \
      -out /tmp/clientCertArtifacts/aaa_cert.der -outform DER

    openssl pkcs8 -topk8 -nocrypt -in /tmp/clientCertArtifacts/aaa_key.pem \
      -inform PEM -out /tmp/clientCertArtifacts/aaa_key.der -outform DER
    
  7. Import aaa_key.der and aaa_cert.der into clientKeyStore.jks, and aaa_chain.pem into clientTrustStore.jks, using the following steps.

    cd $MW_HOME/idm/oam/server/tools/importcert/

    unzip importcert.zip

    java -cp importcert.jar \
      oracle.security.am.common.tools.importcerts.CertificateImport \
      -keystore /tmp/clientCertArtifacts/clientKeyStore.jks \
      -privatekeyfile /tmp/clientCertArtifacts/aaa_key.der \
      -signedcertfile /tmp/clientCertArtifacts/aaa_cert.der \
      -storetype jks -genkeystore yes

    keytool -importcert -file /tmp/clientCertArtifacts/aaa_chain.pem -trustcacerts \
      -keystore /tmp/clientCertArtifacts/clientTrustStore.jks -storetype JKS
    

    Enter the keystore passwords when prompted. This password must be supplied as the certModeKeystorePassword input parameter when setting up the Master data center.

If not done when creating the certificates for the WebGate, import the aaa_key.der and aaa_cert.der formatted certificates into the .oamkeystore using the same Oracle-provided importcert.jar used in the previous step.

java -cp importcert.jar \
  oracle.security.am.common.tools.importcerts.CertificateImport \
  -keystore /scratch/Oracle/Middleware/domains/base_domain/config/fmwconfig/.oamkeystore \
  -privatekeyfile /tmp/clientCertArtifacts/aaa_key.der \
  -signedcertfile /tmp/clientCertArtifacts/aaa_cert.der \
  -alias mycertmode1 -storetype JCEKS

The -alias value is the alias name defined when setting CERT mode in Access Manager.

Use the MDC Admin REST commands to set up the Master data center in CERT mode and provide the following mandatory and optional MDC parameters as shown in the example:

curl -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"value", "masterMDCAgentID":"value","cloneMDCAgentID":"value", "accessClientPassword":"value","artifactPassword":"value","cloneServerURL":"value","agentKeyPassword":"value","certModeKeystorePassword":"value","masterServerURL":"value", "cloneAdminUserNamePassword":"value","trustStorePath":"value", "keyStorePath":"value", "artifactsZipLocation":"value"}'
  • mdcTopologyType: Choose one of the two topology types available for MDC configuration, ACTIVE_ACTIVE or DISASTER_RECOVERY.

  • masterMDCAgentID: Enter the MDC NAP Agent Name for the Master data center.

  • cloneMDCAgentID: Enter the MDC NAP Agent Name for the Clone data center.

  • accessClientPassword: Provide the password required to use the MDC NAP agents in Master and Clone data centers.

  • artifactPassword: Provide the password that is used to protect cloning artifacts.

  • cloneServerURL: Enter the URL of the Clone Admin server or the URL of the reverse proxy front ending the Clone Admin server.

  • (Only for CERT mode) agentKeyPassword: Enter the agent key password used to register partners in the CERT mode.

  • (Optional) masterServerURL: Enter the URL of the Master Admin server or the URL of the reverse proxy front ending the Master Admin Server.

  • (Optional) cloneAdminUserNamePassword: Enter the user credentials of the Clone data center’s Administrator if the username and password of the Administrator for Master and Clone data centers are different.

  • (Optional) trustStorePath: Provide the path to the clientTrustStore.jks file if this file is in a folder other than $MW_HOME/user_projects/domains/OAMDomain/config/fmwconfig/oam-mdc-cert-artifacts/

  • (Optional) keyStorePath: Provide the path to the clientKeyStore.jks file if this file is in a folder other than $MW_HOME/user_projects/domains/OAMDomain/config/fmwconfig/oam-mdc-cert-artifacts/

  • (Optional) artifactsZipLocation: Provide the location where the cloning artifacts have to be stored; specify this only if the cloning artifacts need to be stored in a location other than /tmp.

Here are the sample curl commands for configuring a Master data center in CERT mode using the Active-Active and Disaster Recovery MDC topologies:

  • Using Active-Active MDC topology:
    curl  -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"ACTIVE_ACTIVE", "masterMDCAgentID":"MDCmasterNAPagent","cloneMDCAgentID":"MDCcloneNAPagent", "accessClientPassword":"password","artifactPassword":"password","cloneServerURL":"https://oamadmin1-dc2.poc.com:7002","cloneAdminUserNamePassword":"weblogic:password","agentKeyPassword":"password", "certModeKeystorePassword":"password"}'
  • Using Disaster Recovery MDC topology:
    curl  -k -u weblogic:password -H 'Content-Type: application/json' -X POST 'https://oamadmin1-dc1.poc.com:7002/oam/services/rest/mdc/master' -d '{"mdcTopologyType":"DISASTER_RECOVERY", "masterMDCAgentID":"MDCmasterNAPagent","cloneMDCAgentID":"MDCcloneNAPagent", "accessClientPassword":"password","artifactPassword":"password","cloneServerURL":"https://oamadmin1-dc2.poc.com:7002","cloneAdminUserNamePassword":"weblogic:password","agentKeyPassword":"password", "certModeKeystorePassword":"password"}'