2.3 Registered OAM Agent Configuration Parameters

After you register the agent in the Oracle Access Management console, double-click SSO Agents in the console, search for the registered OAM agent, and click the agent name in the results table to open the agent configuration page, where you can view or edit the registration. The following table describes the elements shown for a registered agent:

Element Description

Version

Displays OAM Webgate

Name

Displays the name of the agent.

Description

Displays the description for the agent.

Access Client Password

Displays the password registered with the agent.

Security

Displays the chosen level of communication transport security between the Agent and the OAM Server.

State

Specifies whether this registration is enabled or disabled.

Default = Enabled

Max Cache Elements

Number of elements maintained in the cache. Caches are the following:

  • Resource to Authentication Scheme—This cache maintains information about Resources (URLs), including whether each is protected and, if so, the authentication scheme used for protection.

  • Resource to Authorization Policy—This cache maintains information about Resources and their associated authorization policy.

  • Authentication Schemes—This cache stores authentication scheme information for a specific authentication scheme ID.

The value of this setting refers to the maximum consolidated count for elements in these caches.

Default = 100000

Cache Timeout (seconds)

Amount of time cached information remains in the WebGate caches (Resource to Authentication Scheme, Authentication Schemes, and Resource to Authorization Policy) when the information is neither used nor referenced.

Default = 1800 (seconds)

Token Validity Period (seconds)

Maximum valid time period for an agent token (the content of OAMAuthnCookie). This value is the validity period for the ObSSOCookie. Within this period, only authorization NAP calls pass to the OAM Server. Once this period has passed, the ObSSOCookie is considered invalid and an 'obrareq.cgi' redirect occurs. The OAM Server then validates the OAM_ID cookie and issues a new ObSSOCookie, or challenges the user if the server-side session has expired, been deleted, or timed out.

Default = 3600 (seconds)

Max Connections

The maximum number of connections that this WebGate can establish with the OAM Server. This number must be the same as (or greater than) the number of connections that are actually associated with this agent.

Default = 1

Max Session Time (hours)

Maximum time to keep WebGate network connections to the OAM Server alive. After this time, all WebGate to OAM Server network connections are shut down and replaced with new ones. The unit is based on the maxSessionTimeUnits user-defined parameter, which can be 'minutes' or 'hours'. When maxSessionTimeUnits is not defined, the unit defaults to 'hours'.

Failover Threshold

Number representing the point when this WebGate opens connections to a Secondary OAM Server.

Default = 1

For example, if you type 30 in this field and the number of connections to primary OAM Server falls to 29, this Agent opens connections to secondary OAM Server.

AAA Timeout Threshold

Number (in seconds) to wait for a response from the OAM Server. If this parameter is set, it is used as an application TCP/IP timeout instead of the default TCP/IP timeout.

Default = -1 (default network TCP/IP timeout is used)

If using a simple mode WebGate, you can improve the response time of the OAM login page by changing the aaaTimeoutThreshold time parameter in the WebGate profile from -1 to 10.

A typical value for this parameter is between 30 and 60 seconds. If set to a very low value, the socket connection can be closed before a reply from OAM Server is received, resulting in an error.

Preferred Host

Specifies how the hostname appears in all HTTP requests as users attempt to access the protected Web server. The hostname within the HTTP request is translated into the value entered into this field regardless of the way it was defined in a user's HTTP request.

The Preferred Host function prevents security holes that can be inadvertently created if a host's identifier is not included in the Host Identifiers list. However, it cannot be used with virtual Web hosting. For virtual hosting, you must use the Host Identifiers feature.

Defaults to Name (of WebGate registration)

Logout URL

The Logout URL triggers the logout handler, which removes the cookie (ObSSOCookie; OAMAuthnCookie) and requires the user to re-authenticate the next time they access a resource protected by Access Manager.

Default = [] (not set)

Logout Callback URL

The URL to oam_logout_success, which clears cookies during the callback. This can be a URI format without host:port (recommended), in which case the OAM Server calls back on the host:port of the original resource request. For example:

Default = /oam_logout_success

This can also be a full URL format with a host:port, in which case the OAM Server calls back directly without reconstructing the callback URL.

Logout Redirect URL

This parameter is automatically populated after agent registration completes. By default, it is based on the OAM Server host name with a default port of 14200. For example:

Default = http://OAMServer_host:14200/oam/server/logout

Logout Target URL

The value is the name of the query parameter that OPSS applications pass to WebGate during logout; the query parameter specifies the target URL of the landing page after logout completes.

Default: end_url

User Defined Parameters

Parameters you can enter to enable specific WebGate behaviors.

Sleep for (seconds)

The frequency (in seconds) with which the OAM Server checks its connections to the directory server. For example, if you set a value of 60 seconds, the OAM Server checks its connections every 60 seconds from the time it comes up.

Default: 60 (seconds)

Cache Pragma Header

Cache Control Header

WebGate only (not Access Clients)

These settings apply only to WebGates and control the browser's cache.

By default, both parameters are set to no-cache. This prevents WebGate from caching data at the Web server application and the user's browser.

However, this may prevent certain operations such as downloading PDF files or saving report files when the site is protected by a WebGate.

You can set the Access Manager SDK caches that the WebGate uses to different levels. See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html section 14.9 for details.

All of the cache-response-directives are allowed. For example, you may need to set both cache values to public to allow PDF files to be downloaded.

Defaults: no-cache

Debug

Specifies whether debugging is enabled.

IP Validation

Check the box to ensure that a client's IP address matches the IP address stored in the ObSSOCookie generated for single sign-on. Selecting this option displays a field where you can enter the IP Validation Exceptions.

Allow Management Operations

This Agent Privilege function enables the provisioning of session operations per agent, as follows:

  • Terminate session

  • Enumerate sessions

  • Add or Update attributes for an existing session

  • List all attributes for a given session ID or read session

Default: Disabled

Allow Token Scope Operations

Allows the ASDK code to scope the OAM_ID cookie to the domain level instead of host level.

Allow Master Token Retrieval

Allows the ASDK code to retrieve the OAM_ID cookie.

Allow Credential Collector Operations

Activates WebGate detached credential collector functionality for simple-form or dynamic multi-factor authentication.

Default: Disabled

IIS Impersonation User

The trusted user for impersonation, in Active Directory. This user should not be used for anything other than impersonation. The constraints are the same as any other user in Active Directory.

IIS Impersonation Password

This is the trusted user password for impersonation. The constraints are the same as any other user password in Active Directory.

Primary Server List

Identifies Primary Server details for this Agent. The default is based on the OAM Server:

  • Server Name

  • Host Name

  • Host Port

  • Max Number (maximum connections this WebGate will establish with this OAM Server, not the maximum total connections the WebGate can establish with all OAM Servers)

Secondary Server List

Identifies Secondary OAM Server details for this agent, which must be specified manually:

  • Server Name

  • Host Name

  • Host Port

  • Max Number (maximum connections this WebGate will establish with this OAM Server, not the maximum total connections the WebGate can establish with all OAM Servers)

Apply

Make any required changes and click Apply to submit the registration.

Download

Click Download to download the generated artifacts.
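As an added example (not Oracle's code and not part of this page), the following checker encodes the constraints stated in the table above so that a registered WebGate profile can be reviewed for weak or inconsistent settings before it is applied. The profile is a constructed dictionary keyed by the console element names; the on-disk format WebGate actually stores is not modelled.

```python
# Added example, not Oracle's code: review a WebGate profile against the rules this page states.
# The profile is a constructed dict keyed by console element names (not the real artifact format).
from typing import Any, Dict, List

# Constructed baseline: uses the defaults listed on the page where one is given, otherwise
# the conservative choice (IP Validation on, no privileges granted, debug off).
BASELINE_PROFILE: Dict[str, Any] = {
    "State": "Enabled", "Security": "Open", "Max Connections": 1, "Failover Threshold": 1,
    "AAA Timeout Threshold": -1, "Cache Pragma Header": "no-cache",
    "Cache Control Header": "no-cache", "Debug": False, "IP Validation": True,
    "Allow Management Operations": False, "Allow Credential Collector Operations": False,
    "Primary Server List": [{"Server Name": "oam_server1", "Max Number": 1}],  # constructed
}

def check_webgate_profile(profile: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    # Max Connections must be the same as or greater than the connections actually
    # associated with this agent, i.e. the sum of Max Number over the Primary Server List.
    primary_total = sum(s["Max Number"] for s in profile["Primary Server List"])
    if profile["Max Connections"] < primary_total:
        findings.append(f"Max Connections {profile['Max Connections']} is below the "
                        f"{primary_total} connections configured in Primary Server List")
    # Failover opens Secondary connections once primary connections fall below the
    # threshold; a threshold above Max Connections can never trigger.
    if profile["Failover Threshold"] > profile["Max Connections"]:
        findings.append("Failover Threshold exceeds Max Connections, so failover never triggers")
    # AAA Timeout: -1 uses the network default; a very low value closes the socket before
    # the OAM Server replies. Typical is 30-60 s; 10 s is the documented tuning for Simple mode.
    aaa = profile["AAA Timeout Threshold"]
    if aaa != -1 and aaa < 30 and not (profile["Security"] == "Simple" and aaa >= 10):
        findings.append(f"AAA Timeout Threshold {aaa}s is below the typical 30-60 s range")
    # Both cache headers default to no-cache so protected content is cached neither by the
    # Web server nor by the browser; relaxing them (e.g. public for PDFs) needs a reason.
    for hdr in ("Cache Pragma Header", "Cache Control Header"):
        if profile[hdr] != "no-cache":
            findings.append(f"{hdr} is '{profile[hdr]}' instead of the default no-cache")
    # Agent privileges and debug output default to disabled; flag anything switched on.
    for flag in ("Allow Management Operations", "Allow Credential Collector Operations", "Debug"):
        if profile[flag]:
            findings.append(f"{flag} is enabled (default is disabled)")
    # IP Validation ties the ObSSOCookie to the client's IP address.
    if not profile["IP Validation"]:
        findings.append("IP Validation is off: ObSSOCookie is not bound to the client IP address")
    return findings
```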

Related Topics

Introduction to Agents and Registration in Administrator's Guide for Oracle Access Management