Oracle Security Token Service Component Characteristics
8.8.3.2 Oracle Security Token Service Component Characteristics
This section describes Oracle Security Token Service component characteristics and includes the following topics: ■ Section 8.8.3.2.1, Oracle Security Token Service Component Lifecycle ■ Section 8.8.3.2.2, Runtime Processes ■ Section 8.8.3.2.3, Starting and Stopping Oracle Security Token Service ■ Section 8.8.3.2.4, J2EE Components and Subcomponents ■ Section 8.8.3.2.5, Session State Information ■ Section 8.8.3.2.6, Configuration Artifacts ■ Section 8.8.3.2.7, External Dependencies8.8.3.2.1 Oracle Security Token Service Component Lifecycle On startup, the OAMOracle
Security Token Service Server initializes connections to the backend repositories. If the repository is not reachable, the OAMOracle Security Token Service server retries the connections to the repositories using a timeout that grows exponentially with a configurable upper limit. OAMOracle Security Token Service Server provide continuity of service based on locally cached data if the backend connections go down. Service continues until the caches grow stale or the backend connections come up again.8.8.3.2.2 Runtime Processes The following graphic shows the Oracle Security Token
Service runtime process. Figure 8–15 Oracle Security Token Service Runtime Process The Oracle Security Token Service runtime process works as described below: 1. A Web Service Consumer WSC sends a Web Services-Trust Request Security Token RST message for a security token type that the WSP requires. Authentication of the client occurs by using the transport layer authentication, or by binding the WSS Token to the RST message. 2. The Security Token Service STS validates the RST message, authenticates the request, then authorizes the requested operation. 3. The appropriate security token is generated in accordance with the metadata that the RST message specifies. For the policy driven exchange use-case, the STS looks Note: The additionremoval of Access Server instances is transparent to other Oracle Security Token Service instances in the cluster. Verify that removing a specific Oracle Security Token Service server does not affect the load. 8-128 Oracle Fusion Middleware High Availability Guide up the appropriate token generation policy to generate the appropriate security token. 4. STS generates an RST message that contains the generated security token; it sends the message to the WSC as a response.8.8.3.2.3 Starting and Stopping Oracle Security Token Service Because they are J2EE
applications, you can start the Access Server where Oracle Security Token Service is deployed and Admin Console from the user interface and Command Line tool that the Application Server provides.8.8.3.2.4 J2EE Components and Subcomponents J2EE Components and sub-components
include the following: ■ STS - An event based design pattern that implements the core Oracle Security Token Service 11gR1-PS1. It is packaged as a WAR application in the OAM EAR file and comprises a WS Provider Servlet and Java classes. The STS Web Application is bound to the sts root path ■ Admin Console - A stand-alone console based on ADFIDM Shell, and packaged as an EAR file. ■ JMX Mbeans - Packaged with the Access Server package. Config Mbeans are packaged as standalone JAR files. ■ WSLT Command - Consists of Java classes that are in the OAMOracle Security Token Service package. ■ OWSM Agent - Web Service interceptor providing support for WSS protocol, part of JRF. ■ ORAProvider - JRF Web Service Provider8.8.3.2.5 Session State Information Oracle Security Token Service is a stateless J2EE
application with the exception of the Nonce caching for Username Tokens, where OSTS will keep track of presented username tokens when the nonce is present, in order to prevent replay attacks.8.8.3.2.6 Configuration Artifacts Oracle Access Manager and Oracle Security Token
Service are built together and use the same modules for configuration, logging, and other processes. The Oracle Security Token Service configuration artifacts include the following files. ■ DOMAIN_HOMEconfigfmwconfigoam-config.xml — The configuration file, which contains instance-specific information. ■ DOMAIN_HOMEconfigfmwconfigoam-policy.xml — Present only when OES Micro SM is not being used. ■ DOMAIN_HOMEconfigfmwconfigserversinstanceNamelogging.xml — Logging config ■ DOMAIN_HOMEconfigfmwconfigcwallet.sso — Passwords Note: WSP validation of the security token depends on the token type. When STS acts as a trust intermediary only, validation is performed against the underlying security infrastructure, such as Kerberos. Configuring High Availability for Identity Management Components 8-129 ■ DOMAIN_HOMEconfigfmwconfigoamkeystore — keystore containing keys and certificates OAMOracle Security Token Service owns ■ DOMAIN_HOMEconfigfmwconfigamtruststore — keystore containing the trust anchors used for X509 cert validation ■ DOMAIN_HOMEconfigfmwconfigamcrl.jar — zip file containing CRLs used for certificate revocation ■ DOMAIN_HOMEconfigfmwconfigdefault-keystore.jks — OWSM keystore used to store keys and certificates used by the OWSM Agent, as well as trusted anchors used to validate X.509 certificates for WSS operations8.8.3.2.7 External Dependencies Oracle Security Token Service has external
dependencies on the: ■ LDAP based Identity Store – User Identity Repository – LDAP access abstracted by UserRole API. ■ OCSP Responder Service – Real-time X.509 Certification Validation ■ RDBMS Policy Store – Policy Authentication and Authorization Repository – RDBMS access abstracted by the OAM policy engine8.8.3.3 Oracle Security Token Service High Availability Configuration Steps
Parts
» Oracle Fusion Middleware Online Documentation Library
» High Availability Problems High Availability Solutions
» High Availability Information in Other Documentation
» What Is the Administration Server? Understanding Managed Servers and Managed Server Clusters
» What Is a System Component Domain? What Is a Middleware Home? What Is a WebLogic Server Home?
» Oracle Fusion Middleware High Availability Terminology
» Server Load Balancing Oracle Fusion Middleware High Availability Technologies
» Local High Availability Active-Passive Deployment
» About Active-Active and Active-Passive Solutions
» Disaster Recovery Oracle Fusion Middleware High Availability Solutions
» Protection from Planned and Unplanned Down Time
» What Is a WebLogic Server Cluster? WebLogic Server Clusters and WebLogic Server Domains
» Application Failover Migration Key Capabilities of a Cluster
» Benefits of Clustering Types of Objects That Can Be Clustered
» Communications in a Cluster Cluster-Wide JNDI Naming Service
» Startup Process in a Cluster with Migratable Servers
» Administration Servers Role in Whole Server Migration Migratable Server Behavior in a Cluster
» Node Managers Role in Whole Server Migration Cluster Masters Role in Whole Server Migration
» Load Balancing Oracle Fusion Middleware Online Documentation Library
» Multi Data Sources Cluster Configuration and config.xml
» Java-Based Oracle Fusion Middleware Components Deployed to Oracle WebLogic Server
» Configuring Multi Data Sources for MDS Repositories
» Log on to SQLPlus as a system user, for example:
» Log on to SQLPlus as a user with sysdba privileges. For example:
» Configuring Multi Data Sources with Oracle RAC
» Oracle RAC Failover with WebLogic Server JDBC Clients
» Oracle Reports and Oracle Discoverer
» Troubleshooting Real Application Clusters
» SCAN Run Time Implications and Limitations
» Oracle SOA Service Infrastructure Protection from Failures and Expected Behavior
» Oracle SOA Service Infrastructure Cluster-Wide Configuration Changes
» Oracle BPEL Process Manager Request Flow and Recovery
» Oracle BPEL Process Manager Protection from Failures and Expected Behavior
» Oracle BPM Suite Component Characteristics
» Oracle BPM Suite Component Interaction
» Oracle BPMN Service Engine Single Instance Characteristics
» Oracle BPMN Service Engine High Availability Considerations
» Oracle Business Process Web Applications Single Instance Characteristics
» Oracle Business Process Analytics Single Instance Characteristics
» Oracle Mediator Component Characteristics Oracle Mediator Startup and Shutdown Lifecycle
» Oracle Mediator Request Flow
» Oracle Mediator Protection from Failures and Expected Behavior
» Troubleshooting Oracle Mediator High Availability
» Troubleshooting Oracle Human Workflow High Availability
» Oracle B2B Component Characteristics Oracle B2B Startup and Shutdown Lifecycle
» Oracle B2B Protection from Failures and Expected Behavior
» Oracle WSM Component Characteristics Oracle WSM Startup and Shutdown Lifecycle
» Oracle WSM Protection from Failures and Expected Behavior
» Oracle WSM Cluster-Wide Configuration Changes Configuring the Java Object Cache for Oracle WSM
» Configuring Distributed Notifications for the MDS Repository
» Oracle User Messaging Service Component Characteristics
» Oracle User Messaging Service Protection from Failures and Expected Behavior
» Oracle User Messaging Service Cluster-Wide Configuration Changes
» Oracle JCA Adapters Component Lifecycle
» Oracle JCA Adapters Reliability and Transactional Behavior
» Oracle JCA Adapters - Rejected Message Handling
» Oracle JCA Adapters High Availability Error Handling Oracle Database Adapters High Availability
» Oracle JMS Adapters High Availability
» Oracle JCA Adapters Log File Locations
» Oracle Business Activity Monitoring Component Characteristics
» Oracle Business Activity Monitoring Configuration Artifacts
» Oracle Business Activity Monitoring Protection from Failures and Expected Behavior
» Oracle Business Activity Monitoring Cluster-Wide Configuration Changes
» Oracle Service Bus Session State Oracle Service Bus External Dependencies
» Oracle Service Bus Configuration Artifacts Oracle Service Bus Deployment Artifacts
» Oracle Service Bus Protection from Failures and Expected Behavior
» Database Prerequisites VIP and IP Prerequisites Shared Storage Prerequisites
» Configuring Virtual Server Names and Ports for the Load Balancer
» Validating Oracle HTTP Server To verify that Oracle HTTP Server is set up
» Setting Connection Destination Identifiers for B2B Queues
» Starting Node Manager on SOAHOST2 Starting and Validating the WLS_SOA2 Managed Server
» Setting the Front End HTTP Host and Port
» Setting the WLS Cluster Address for Direct BindingRMI Invocations to Composites
» Deploying Applications Click Next.
» Configuring Server Migration for the WLS_SOA Servers
» Connect to the database as the leasing user. Run the leasing.ddl script in SQLPlus.
» Click Save. Oracle Fusion Middleware Online Documentation Library
» Enabling VIP1 and VIP3 in SOAHOST1 and VIP2 and VIP4 in SOAHOST2
» Configure Oracle Coherence for the Oracle Service Bus Result Cache
» Configuring a Default Persistent Store for Transaction Recovery Deploying Applications
» Configuring Server Migration for the WLS_OSB Servers
» Enabling VIP0 and VIP1 on BAMHOST1
» Oracle ADF Components Understanding Oracle ADF
» Oracle ADF Single Node Architecture Oracle ADF External Dependencies
» Oracle ADF Scope and Session State
» Oracle ADF Failover and Expected Behavior Oracle ADF Active Data Services
» Troubleshooting Oracle ADF Development Issues
» Deploying the ADF Application Validating Access through Oracle HTTP Server
» Select the Control tab. Select Environment Servers from the Administration Console. Select Clone.
» Oracle WebCenter Components Understanding Oracle WebCenter
» Oracle WebCenter Single-node Architecture Oracle WebCenter State and Configuration Persistence
» Oracle WebCenter External Dependencies
» Oracle WebCenter Configuration Considerations
» Oracle WebCenter Analytics Communications
» Oracle WebCenter State Replication Understanding the Distributed Java Object Cache
» Maintaining Configuration in a Clustered Environment
» Installing Oracle Fusion Middleware for Oracle WebCenter
» Enabling the Administration Server VIP
» Configuring a Virtual Host for Oracle Pagelet Producer and Sharepoint
» Configuring Activity Graph Click Start.
» Converting Discussions from Multicast to Unicast
» Configuring a Cluster for Oracle WebCenter Portal Applications
» Agent Startup and Shutdown Cycle Oracle Data Integrator External Dependencies
» Java EE Agent Configuration Standalone Agent Configuration
» Oracle Data Integrator Clustered Deployment
» WebLogic Server or Standalone Agent Crash Repository Database Failure
» About the 11g Oracle Identity Management Products
» Database Prerequisites Installing and Configuring the Database Repository
» Oracle Internet Directory Component Characteristics
» Oracle Internet Directory High Availability Architecture
» Protection from Failures and Expected Behavior
» Installing Oracle Fusion Middleware for Identity Management The next step is to
» Registering Oracle Internet Directory with a WebLogic Domain If you want to
» Creating boot.properties for the Administration Server on OIDHOST1 This section
» Configuring Oracle Internet Directory on OIDHOST2 Ensure that the Oracle Internet
» Validating Oracle Internet Directory High Availability
» Performing an Oracle Internet Directory Failover Performing an Oracle RAC Failover
» Troubleshooting Oracle Internet Directory High Availability
» Changing the Password of the ODS Schema Used by Oracle Internet Directory
» Oracle Virtual Directory Runtime Considerations Oracle Virtual Directory Component Characteristics
» Oracle Virtual Directory High Availability Architecture
» Configuring Oracle Virtual Directory on OVDHOST2 Follow these steps to configure
» Registering Oracle Virtual Directory with a WebLogic Domain It is recommended
» On the Installation Complete screen, click Finish to confirm your choice to exit.
» Troubleshooting LDAP Adapter Creation
» Oracle Directory Integration Platform Component Characteristics
» Oracle Directory Integration Platform High Availability Architecture
» Configuring Oracle HTTP Server for Oracle Directory Services Manager High
» If WebLogic Node Manager Fails to Start Operation Cannot Be Completed for Unknown Errors Message
» Oracle Directory Services Manager Component Characteristics
» Oracle Directory Services Manager High Availability Architecture
» Protection from Failures and Expected Behaviors
» Performing a WebLogic Server Instance Failover
» Using Oracle Directory Services Manager to Validate a Failover of a Managed Server
» Collocated Architecture Overview Troubleshooting Collocated Components Manager High Availability
» Additional Considerations for Collocated Components High Availability
» Oracle Access Manager Component Characteristics
» Oracle Access Manager High Availability Architecture
» Oracle Security Token Service High Availability Architecture
» Oracle Security Token Service Component Characteristics
» In the Customize Server and Cluster Configuration screen, select Yes, and click
» On the Configuration Summary screen, click Create to begin the creation process.
» Oracle Identity Manager Component Characteristics
» Runtime Processes Component and Process Lifecycle
» Starting and Stopping Oracle Identity Manager Configuration Artifacts External Dependencies
» Oracle Identity Manager High Availability Architecture
» On the Welcome screen, select Create a WebLogic Domain.
» Connect to the database as the leasing user.
» Select Environment - Servers from the Administration Console. Select Clone.
» Select the Automatic Server Migration Enabled option. This enables the Node Click Save.
» Click the OIMMSServerXXXXXX subdeployment. Add the new JMS Server
» Click Save. Authorization Policy Manager High Availability
» Oracle Adaptive Access Manager Component Characteristics
» Oracle Adaptive Access Manager High Availability Architecture
» On the Welcome screen, click Next.
» Oracle Identity Federation Component Characteristics
» High Availability Considerations for Integration with Oracle Access Manager
» Oracle Internet Directory Oracle Virtual Directory Oracle HTTP Server Node Manager
» WebLogic Administration Server Oracle Identity Manager
» Oracle Access Manager Managed Servers Oracle Adaptive Access Manager Managed Servers
» Oracle Identity Federation Starting and Stopping Oracle Identity Management Components
» Oracle HTTP Server and Oracle WebLogic Server
» Prerequisites Configuring Oracle HTTP Server for High Availability
» Install Oracle HTTP Server on WEBHOST2
» Oracle Web Cache Request Flow
» Oracle Web Cache Stateless Load Balancing
» Oracle Web Cache Backend Failover Oracle Web Cache Session Binding
» Oracle Web Cache Cluster-Wide Configuration Changes
» Oracle Web Cache as a Software Load Balancer
» From the Session Name list, select a session to enable binding for a specific
» Click Add. In the Component field, enter the name of the cache member.
» Adding a Node in Oracle Advanced Database Multimaster Replication
» Deleting a Node in Oracle Advanced Database Multimaster Replication
» Oracle IPM Component Characteristics
» Oracle IPM High Availability Architecture
» Creation of Oracle IPM Artifacts in a Cluster Troubleshooting Oracle IPM
» Oracle UCM Component Characteristics
» Oracle UCM High Availability Architecture
» Oracle UCM and Inbound Refinery High Availability Architecture
» Oracle URM High Availability Protection from Failure and Expected Behaviors
» Shared Storage Configuring the Oracle Database
» Installing Oracle ECM on ECMHOST1
» On the Welcome screen, select Create a new WebLogic domain.
» In the Select JMS Distributed Destination Type screen, select UDD from the
» Configuring Oracle HTTP Server on WEBHOST1
» Terminology for Directories and Directory Environment Variables
» Administration Server Topology 1 Transforming Oracle Fusion Middleware Infrastructure Components
» Administration Server Topology 2 Transforming Oracle Fusion Middleware Infrastructure Components
» Click Activate Changes. Choose Environment Servers. Click Control. Select WLS_EXMPL. Click Start.
» Transforming Oracle Internet Directory and Its Clients
» Select the Connect to a directory -- Create A New Connection link in the
» Click JDBC Connection under Data Sources.
» Click Administration. Click Scheduler Configuration under System Maintenance Click Apply.
» Database Instance Platform-Specific Considerations
» Example Topology 1 Example Topology 2
» Destination Topologies Cold Failover Cluster Transformation Procedure
» Introduction to Oracle Clusterware Cluster Ready Services and Oracle Fusion Middleware
» Upgrading Older Versions of ASCRS to the Current ASCRS Version Installing ASCRS
» Configuring ASCRS with Oracle Fusion Middleware
» Creating a Virtual IP Resource Creating a Shared Disk Resource
» Creating an Oracle Database Listener Resource Creating an Oracle Database Resource
» Creating a Middleware Resource
» Updating Resources Starting Up Resources Shutting Down Resources Resource Switchover
» Oracle Portal, Forms, Reports, and Discoverer Architecture
» Oracle Forms Runtime Considerations Oracle Forms Process Flow
» Oracle Forms Configuration Files Oracle Forms External Dependencies Oracle Forms Log Files
» Oracle Discoverer Runtime Considerations
» Preference Server Failover Session State Replication and Failover Performance Recommendation
» Dependencies Network Requirements Prerequisites
» Install Oracle WebLogic Server Install Oracle Portal, Forms, Reports, and Discoverer Validation
» Oracle BI EE Component Characteristics
» Oracle BI EE and EPM High Availability Architecture
» Shared Files and Directories
» Cluster-Wide Configuration Changes Oracle BI EE High Availability Concepts
» Oracle Essbase Component Characteristics
» Oracle Essbase High Availability Architecture Protection from Failures and Expected Behaviors
» Oracle Hyperion Provider Services Component Characteristics
» Oracle Hyperion Provider Services High Availability Architecture
» Workspace Component Characteristics Oracle EPM Workspace Component Architecture
» Workspace High Availability Architecture
» Oracle Hyperion Financial Reporting Component Characteristics
» Oracle BI Publisher Component Characteristics
» Oracle BI Publisher High Availability Architecture
» Oracle RTD Component Characteristics
» Oracle RTD High Availability Architecture
Show more