Prerequisites for Enterprise Deployments 2-7

2.2.5.1 Oracle Access Manager Protocols

Oracle Access Protocol OAP enables communication between Access System components for example, Access Manager server, WebGate during user authentication and authorization. This protocol was formerly known as NetPoint Access Protocol NAP or COREid Access Protocol.

2.2.5.2 Overview of User Request

The request flow when a user requests access is as follows: 1. The user requests access to a protected resource over HTTP or HTTPS. 2. The WebGate intercepts the request. 3. The WebGate forwards the request to the Oracle Access Manager server over Oracle Access Protocol to determine if the resource is protected, how, and whether the user is authenticated if not, there is a challenge. 4. The Oracle Access Manager server checks the directory server for credentials such as a user ID and password, sends the information back to WebGate over Oracle Access Protocol, and generates an encrypted cookie to authenticate the user. 5. Following authentication, the WebGate prompts the Oracle Access Manager server over Oracle Access Protocol and the Oracle Access Manager server looks up the appropriate security policies, compares them to the users identity, and determines the users level of authorization. ■ If the access policy is valid, the user is allowed to access the desired content andor applications. ■ If the policy is false, the user is denied access and redirected to another URL determined by the organizations administrator.

2.2.6 Firewall and Port Configuration

Many Oracle Fusion Middleware components and services use ports. As an administrator, you must know the port numbers used by these services, and to ensure that the same port number is not used by two services on a host. Most port numbers are assigned during installation. Table 2–2 lists the ports used in the Oracle Identity Management topologies, including the ports that you must open on the firewalls in the topologies. Firewall notation: ■ FW0 refers to the outermost firewall. ■ FW1 refers to the firewall between the web tier and the application tier. ■ FW2 refers to the firewall between the application tier and the directory tier. 2-8 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management Table 2–2 Ports Used in the Oracle Identity Management Enterprise Deployment topologies Type Firewall Port and Port Range Protocol Application Inbound Outbound Timeout Browser request FW0 80 HTTP Load balancer Both Timeout depends on all HTML content and the type of process model used for Oracle Identity Management. Browser request FW0 443 HTTPS Load balancer Both Timeout depends on all HTML content and the type of process model used for Oracle Identity Management. Oracle WebLogic Administration Server access from web tier FW1 7001 HTTP Oracle HTTP Server and Administration Server Inbound NA Enterprise Manager Agent - web tier to Enterprise Manager FW1 5160 HTTP Enterprise Manager Agent and Enterprise Manager Both NA Oracle HTTP Server to WLS_ODS FW1 7006 HTTP Oracle HTTP Server to WebLogic Server Inbound Timeout depends on the mod_ weblogic parameters used. Oracle HTTP Server to WLS_OAM FW1 14100 HTTP Oracle HTTP Server to WebLogic Server Inbound Timeout depends on the mod_ weblogic parameters used. Oracle HTTP Server to WLS_OAAM_ADMIN FW1 14200 HTTP Oracle HTTP Server to WebLogic Server Inbound Timeout depends on the mod_ weblogic parameters Oracle HTTP Server to WLS_OAAM FW1 14300 HTTP Oracle HTTP Server to WebLogic Server Inbound Timeout depends on the mod_ weblogic parameters used. Oracle HTTP Server WLS_OIM FW1 14000 HTTP Oracle HTTP Server to WebLogic Server Inbound Timeout depends on the mod_ weblogic parameters used Oracle HTTP Server WLS_SOA FW1 8001 HTTP Oracle HTTP Server to WebLogic Server Both Timeout depends on the mod_ weblogic parameters used Oracle Process Manager and Notification Server OPMN access in web tier FW1 OPMN remote port HTTP Administration Server to OPMN Outbound NA Oracle HTTP Server proxy port FW1 9999 HTTP Administration Server to Oracle HTTP Server Outbound NA Oracle Access Manager Server 11g FW1 5574-5575 OAP Both NA Oracle Coherence Port FW1 8000 - 8090 TCMP Both NA Prerequisites for Enterprise Deployments 2-9 Oracle WebLogic Administration Server access from directory tier FW2 7001 HTTP Oracle Internet Directory, Oracle Virtual Directory, and Administration Server Outbound NA Enterprise Manager Agent - directory tier to Enterprise Manager FW2 5160 HTTP Enterprise Manager Agent and Enterprise Manager Both NA OPMN access in directory tier FW2 OPMN remote port HTTP Administration Server to OPMN Inbound NA Oracle Virtual Directory proxy port FW2 8899 HTTP Administration Server to Oracle Virtual Directory Inbound NA Database access FW2 1521 SQLNet Both Timeout depends on all database content and on the type of process model used for Oracle Identity Management. Oracle Internet Directory access FW2 389 LDAP Inbound Tune the directory servers parameters based on the load balancer, and not the other way around. Ideally, these connections should be configured not to time out. Oracle Internet Directory access FW2 636 LDAP SSL Inbound Tune the directory servers parameters based on the load balancer, and not the other way around. Ideally, these connections should be configured not to time out. Oracle Virtual Directory access FW2 6501 LDAP Inbound Ideally, these connections should be configured not to time out. Oracle Virtual Directory access FW2 7501 LDAP SSL Inbound Ideally, these connections should be configured not to time out. Oracle Identity Federation access FW2 7499 HTTP Both NA OIN FW2 7001 HTTP Both NA Table 2–2 Cont. Ports Used in the Oracle Identity Management Enterprise Deployment topologies Type Firewall Port and Port Range Protocol Application Inbound Outbound Timeout 2-10 Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management

2.3 WebLogic Domain Considerations

A domain is the basic administration unit for WebLogic Server instances. A domain consists of one or more WebLogic Server instances and their associated resources that you manage with a single Administration Server. You can define multiple domains based on different system administrators responsibilities, application boundaries, or geographical locations of servers. Conversely, you can use a single domain to centralize all WebLogic Server administration activities. In the context of Identity Management, it is recommended that you deploy the Identity Management components, plus SOA, in a separate WebLogic Server domain from the one where SOA, WebCenter and other customer applications might be deployed. In a typical enterprise deployment, the administration of identity management components such as LDAP directory, single sign-on solutions, and provisioning solutions is done by a different set of administrators from those who administer the middleware infrastructure and applications. It is technically possible to deploy everything in a single domain in a development or test environment. However, in a production environment, the recommendation to use separate domains creates a logical administrative boundary between the identity management stack and the rest of the middleware and application deployment.

2.4 Shared Storage and Recommended Directory Structure

This section details the directories and directory structure that Oracle recommends for an EDG topology. Other directory layouts are possible and supported, but the model adopted in this guide is chosen for maximum availability, providing both the best isolation of components and symmetry in the configuration and facilitating backup and disaster recovery. The rest of the document uses this directory structure and directory terminology. This section contains the following topics: ■ Section 2.4.1, Directory Structure Terminology and Environment Variables ■ Section 2.4.2, Recommended Locations for the Different Directories

2.4.1 Directory Structure Terminology and Environment Variables

This section describes directory structure terminology and environment variables. Load balancer to Oracle HTTP Server NA 7777 HTTP NA NA Session replication within a WebLogic Server cluster NA NA NA NA By default, this communication uses the same port as the servers listen address. Node Manager NA 5556 TCPIP NA NA Note: Additional ports might need to be opened across the firewalls to enable applications in external domains, such as SOA or WebCenter domains, to authenticate against this Identity Management domain. Table 2–2 Cont. Ports Used in the Oracle Identity Management Enterprise Deployment topologies Type Firewall Port and Port Range Protocol Application Inbound Outbound Timeout