Prerequisites for Enterprise Deployments 2-7
2.2.5.1 Oracle Access Manager Protocols
Oracle Access Protocol OAP enables communication between Access System components for example, Access Manager server, WebGate during user
authentication and authorization. This protocol was formerly known as NetPoint Access Protocol NAP or COREid Access Protocol.
2.2.5.2 Overview of User Request
The request flow when a user requests access is as follows:
1.
The user requests access to a protected resource over HTTP or HTTPS.
2.
The WebGate intercepts the request.
3.
The WebGate forwards the request to the Oracle Access Manager server over Oracle Access Protocol to determine if the resource is protected, how, and whether
the user is authenticated if not, there is a challenge.
4.
The Oracle Access Manager server checks the directory server for credentials such as a user ID and password, sends the information back to WebGate over Oracle
Access Protocol, and generates an encrypted cookie to authenticate the user.
5.
Following authentication, the WebGate prompts the Oracle Access Manager server over Oracle Access Protocol and the Oracle Access Manager server looks up the
appropriate security policies, compares them to the users identity, and determines the users level of authorization.
■
If the access policy is valid, the user is allowed to access the desired content andor applications.
■
If the policy is false, the user is denied access and redirected to another URL determined by the organizations administrator.
2.2.6 Firewall and Port Configuration
Many Oracle Fusion Middleware components and services use ports. As an administrator, you must know the port numbers used by these services, and to ensure
that the same port number is not used by two services on a host.
Most port numbers are assigned during installation. Table 2–2
lists the ports used in the Oracle Identity Management topologies, including the ports that you must open on the firewalls in the topologies.
Firewall notation:
■
FW0 refers to the outermost firewall.
■
FW1 refers to the firewall between the web tier and the application tier.
■
FW2 refers to the firewall between the application tier and the directory tier.
2-8 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
Table 2–2 Ports Used in the Oracle Identity Management Enterprise Deployment topologies
Type Firewall
Port and Port Range
Protocol Application
Inbound Outbound
Timeout
Browser request FW0
80 HTTP Load
balancer Both
Timeout depends on all HTML
content and the type of process
model used for Oracle Identity
Management.
Browser request FW0
443 HTTPS Load
balancer Both
Timeout depends on all HTML
content and the type of process
model used for Oracle Identity
Management.
Oracle WebLogic Administration Server
access from web tier FW1
7001 HTTP Oracle
HTTP Server and Administration
Server Inbound
NA
Enterprise Manager Agent - web tier to
Enterprise Manager FW1
5160 HTTP
Enterprise Manager Agent
and Enterprise Manager
Both NA
Oracle HTTP Server to WLS_ODS
FW1 7006
HTTP Oracle HTTP Server to
WebLogic Server Inbound
Timeout depends on the mod_
weblogic parameters used.
Oracle HTTP Server to WLS_OAM
FW1 14100
HTTP Oracle HTTP Server to
WebLogic Server Inbound
Timeout depends on the mod_
weblogic parameters used.
Oracle HTTP Server to WLS_OAAM_ADMIN
FW1 14200
HTTP Oracle HTTP Server to
WebLogic Server Inbound
Timeout depends on the mod_
weblogic parameters
Oracle HTTP Server to WLS_OAAM
FW1 14300
HTTP Oracle HTTP Server to
WebLogic Server Inbound
Timeout depends on the mod_
weblogic parameters used.
Oracle HTTP Server WLS_OIM
FW1 14000
HTTP Oracle HTTP Server to
WebLogic Server Inbound
Timeout depends on the mod_
weblogic parameters used
Oracle HTTP Server WLS_SOA
FW1 8001
HTTP Oracle HTTP Server to
WebLogic Server Both
Timeout depends on the mod_
weblogic parameters used
Oracle Process Manager and Notification Server
OPMN access in web tier
FW1 OPMN remote
port HTTP
Administration Server to OPMN
Outbound NA
Oracle HTTP Server proxy port
FW1 9999
HTTP Administration
Server to Oracle HTTP Server
Outbound NA
Oracle Access Manager Server 11g
FW1 5574-5575
OAP Both
NA Oracle Coherence Port
FW1 8000 - 8090
TCMP Both
NA
Prerequisites for Enterprise Deployments 2-9
Oracle WebLogic Administration Server
access from directory tier
FW2 7001
HTTP Oracle Internet Directory,
Oracle Virtual Directory, and
Administration Server
Outbound NA
Enterprise Manager Agent - directory tier to
Enterprise Manager FW2
5160 HTTP
Enterprise Manager Agent
and Enterprise Manager
Both NA
OPMN access in directory tier
FW2 OPMN remote
port HTTP
Administration Server to OPMN
Inbound NA
Oracle Virtual Directory proxy port
FW2 8899
HTTP Administration
Server to Oracle Virtual Directory
Inbound NA
Database access FW2
1521 SQLNet
Both Timeout depends
on all database content and on the
type of process model used for
Oracle Identity Management.
Oracle Internet Directory access
FW2 389
LDAP Inbound
Tune the directory servers parameters
based on the load balancer, and not
the other way around. Ideally,
these connections should be
configured not to time out.
Oracle Internet Directory access
FW2 636
LDAP SSL Inbound
Tune the directory servers parameters
based on the load balancer, and not
the other way around. Ideally,
these connections should be
configured not to time out.
Oracle Virtual Directory access
FW2 6501
LDAP Inbound
Ideally, these connections should
be configured not to time out.
Oracle Virtual Directory access
FW2 7501
LDAP SSL Inbound
Ideally, these connections should
be configured not to time out.
Oracle Identity Federation access
FW2 7499 HTTP
Both NA OIN
FW2 7001 HTTP Both NA
Table 2–2 Cont. Ports Used in the Oracle Identity Management Enterprise Deployment topologies
Type Firewall
Port and Port Range
Protocol Application
Inbound Outbound
Timeout
2-10 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management
2.3 WebLogic Domain Considerations
A domain is the basic administration unit for WebLogic Server instances. A domain consists of one or more WebLogic Server instances and their associated resources
that you manage with a single Administration Server. You can define multiple domains based on different system administrators responsibilities, application
boundaries, or geographical locations of servers. Conversely, you can use a single domain to centralize all WebLogic Server administration activities.
In the context of Identity Management, it is recommended that you deploy the Identity Management components, plus SOA, in a separate WebLogic Server domain from the
one where SOA, WebCenter and other customer applications might be deployed. In a typical enterprise deployment, the administration of identity management
components such as LDAP directory, single sign-on solutions, and provisioning solutions is done by a different set of administrators from those who administer the
middleware infrastructure and applications.
It is technically possible to deploy everything in a single domain in a development or test environment. However, in a production environment, the recommendation to use
separate domains creates a logical administrative boundary between the identity management stack and the rest of the middleware and application deployment.
2.4 Shared Storage and Recommended Directory Structure
This section details the directories and directory structure that Oracle recommends for an EDG topology. Other directory layouts are possible and supported, but the model
adopted in this guide is chosen for maximum availability, providing both the best isolation of components and symmetry in the configuration and facilitating backup
and disaster recovery. The rest of the document uses this directory structure and directory terminology.
This section contains the following topics:
■
Section 2.4.1, Directory Structure Terminology and Environment Variables
■
Section 2.4.2, Recommended Locations for the Different Directories
2.4.1 Directory Structure Terminology and Environment Variables
This section describes directory structure terminology and environment variables.
Load balancer to Oracle HTTP Server
NA 7777
HTTP NA
NA Session replication
within a WebLogic Server cluster
NA NA
NA NA
By default, this communication
uses the same port as the servers listen
address.
Node Manager NA
5556 TCPIP
NA NA
Note: Additional ports might need to be opened across the firewalls
to enable applications in external domains, such as SOA or WebCenter domains, to authenticate against this Identity Management domain.
Table 2–2 Cont. Ports Used in the Oracle Identity Management Enterprise Deployment topologies
Type Firewall
Port and Port Range
Protocol Application
Inbound Outbound
Timeout