Configuring the LDAP Read Timeout Setting

6-8 Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation

userldaphaenabled, true, boolean

■ To integrate the Federation Data Store with an HA LDAP server, set the fedldaphaenabled boolean property from the datastore group to true; otherwise set it to false:

setConfigProperty('datastore', 'fedldaphaenabled', 'true', 'boolean')

■ To integrate the LDAP authentication engine with an HA LDAP server, set the ldaphaenabled boolean property from the authnengines group to true; otherwise set it to false:

setConfigProperty('authnengines', 'ldaphaenabled', 'true', 'boolean')

6.4.2 Configuring the HTTP Session State SleepRetry Interval

When Oracle Identity Federation is deployed in HA mode in a cluster, it can be configured so that the user HTTP session state is replicated across the Oracle WebLogic servers on which Oracle Identity Federation is running. By default, HTTP session state replication is disabled for Oracle Identity Federation. To enable it, refer to Cluster-Wide Configuration Changes in the Oracle Fusion Middleware High Availability Guide.

Note: For performance reasons, leaving HTTP session state replication disabled is the preferred approach.

The rest of this section describes additional configuration for Oracle Identity Federation when HTTP session state replication is enabled. This additional configuration allows a user to be served by different Oracle Identity Federation servers without encountering errors during processing of a federation request. Sometimes the HTTP session state is not replicated quickly enough between server instances, and an error occurs when the user accesses a service on an Oracle Identity Federation instance to which the state has not yet been copied. You can choose one of two options to avoid this issue:

■ Enable sticky sessions on the load balancer to force a specific user to be routed to the same Oracle WebLogic Server managed server every time it sends an HTTP request; or

■ Set additional configuration properties in Oracle Identity Federation so that, when the server detects that the HTTP session state has not been replicated yet, it waits to allow the information to be copied. You can enable this feature and configure the wait time.

Note: For performance reasons, enabling sticky sessions is the preferred of these two options.

To enable and set the wait time for the user HTTP session state replication setting for Oracle Identity Federation, enter the WLST script environment for Oracle Identity Federation and set the following properties:

■ To configure Oracle Identity Federation to wait for the session state to be replicated, set the sessionreplicationenabled boolean property from the serverconfig group to true; otherwise set it to false:

setConfigProperty('serverconfig', 'sessionreplicationenabled', 'true', 'boolean')

■ Set the sessionreplicationtimeout long property from the serverconfig group to the wait time in milliseconds, for example:

setConfigProperty('serverconfig', 'sessionreplicationtimeout', '2000', 'long')

The wait time is an upper bound: if the state arrives sooner, processing continues as soon as it is visible; if the timeout elapses before the state has been copied, the request still fails, so the value must exceed the replication latency actually observed in the cluster.
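The following is an added example, not code from Oracle Identity Federation or from this guide; it simulates the behaviour the two properties above control. Two hypothetical nodes (oif1, oif2) share sessions through asynchronous replication with a fixed delay, a user authenticates on oif1, and the next request lands on oif2 without sticky sessions. With the wait disabled the request fails immediately; with it enabled, oif2 polls until the state appears or sessionreplicationtimeout milliseconds have elapsed. The clock, node names, session identifiers and poll interval are all assumptions of the example.

```python
"""Simulate the OIF 'wait for HTTP session state replication' behaviour.

Time is simulated (no real sleeping) so the scenarios run instantly and
deterministically. All names are hypothetical; this is not Oracle code.
"""
from dataclasses import dataclass, field


class SessionNotReplicated(Exception):
    """Raised when the node never sees the session within the allowed wait."""


@dataclass
class Node:
    name: str
    sessions: dict = field(default_factory=dict)


class Cluster:
    def __init__(self, replication_delay_ms: int):
        self.nodes = {n: Node(n) for n in ("oif1", "oif2")}
        self.delay = replication_delay_ms
        self.now = 0            # simulated clock, milliseconds
        self.in_flight = []     # (visible_at_ms, target_node, sid, state)

    def _deliver(self):
        """Apply every replication message whose delay has elapsed."""
        still_pending = []
        for visible_at, target, sid, state in self.in_flight:
            if visible_at <= self.now:
                self.nodes[target].sessions[sid] = state
            else:
                still_pending.append((visible_at, target, sid, state))
        self.in_flight = still_pending

    def create_session(self, node: str, sid: str, state: dict):
        """Store the session locally and schedule replication to every other node."""
        self.nodes[node].sessions[sid] = state
        for other in self.nodes:
            if other != node:
                self.in_flight.append((self.now + self.delay, other, sid, state))

    def lookup(self, node: str, sid: str, *, replication_wait_enabled: bool,
               timeout_ms: int = 2000, sleep_ms: int = 100):
        """Return (state, waited_ms).

        replication_wait_enabled mirrors sessionreplicationenabled and
        timeout_ms mirrors sessionreplicationtimeout; sleep_ms is the
        assumed poll interval of the sleep/retry loop.
        """
        waited = 0
        while True:
            self._deliver()
            found = self.nodes[node].sessions.get(sid)
            if found is not None:
                return found, waited
            if not replication_wait_enabled or waited >= timeout_ms:
                raise SessionNotReplicated(f"{sid} not on {node} after {waited} ms")
            # sleep/retry: let the clock advance, then look again
            self.now += sleep_ms
            waited += sleep_ms


def run_scenario(replication_delay_ms: int, wait_enabled: bool, timeout_ms: int = 2000):
    """User authenticates on oif1; the next request (no sticky sessions) hits oif2.

    Returns ("ok", waited_ms, user) or ("error", elapsed_ms, None).
    """
    cluster = Cluster(replication_delay_ms)
    cluster.create_session("oif1", "sess-123", {"user": "alice", "idp": "idp.example"})
    try:
        state, waited = cluster.lookup("oif2", "sess-123",
                                       replication_wait_enabled=wait_enabled,
                                       timeout_ms=timeout_ms)
        return "ok", waited, state["user"]
    except SessionNotReplicated:
        return "error", cluster.now, None


if __name__ == "__main__":
    print(run_scenario(500, wait_enabled=False))   # ('error', 0, None)
    print(run_scenario(500, wait_enabled=True))    # ('ok', 500, 'alice')
    print(run_scenario(3000, wait_enabled=True))   # ('error', 2000, None)
```

The third scenario is the one to keep in mind when choosing the value: a 2000 ms timeout does nothing for a cluster whose replication regularly takes longer than that, and every request that hits the wrong node stalls for the full timeout before failing. Sticky sessions avoid the stall entirely, which is why the guide prefers them.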

6.5 Additional RDBMS Configuration

This section contains additional topics for RDBMS configuration for Oracle Identity Federation:

■ Configuring RDBMS Session Cache

■ Configuring RDBMS Data Compression

6.5.1 Configuring RDBMS Session Cache

When Oracle Identity Federation uses an RDBMS to store user session objects, the server uses a caching mechanism to improve performance at runtime: it keeps references to recently used session objects in memory to avoid a read from the database on every access. You can configure the maximum number of session entries in the cache and the maximum time a session stays in the cache before it is cleared. By default, the Oracle Identity Federation server caches a maximum of 25,000 session entries, for a maximum time of 300 seconds.

Note: This is a critical feature, since a given user's session is accessed multiple times when performing an SSO operation.

It is important to set an optimal timeout, especially in cluster mode, where a session can be destroyed by another Oracle Identity Federation server if:

■ a load balancer is used without sticky sessions

■ SOAP Logout is enabled

In both cases the other server removes the session from the RDBMS, but this server's cache is not told; until the cached entry expires, this server continues to treat the session as valid. The timeout therefore bounds how long a session that has already been logged out elsewhere remains usable here.

To set the maximum number of entries and the timeout for Oracle Identity Federation, enter the WLST script environment for Oracle Identity Federation and set the properties as in the following examples:

■ Set the transientrdbmssessioncachesize long property from the datastore group to the maximum number of entries:

setConfigProperty('datastore', 'transientrdbmssessioncachesize', '25000', 'long')

■ Set the transientrdbmssessioncachetimeout long property from the datastore group to the cache timeout in seconds:
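The following is an added example, not code from Oracle Identity Federation or from this guide. It models the cache described above as a size-bounded, TTL-bounded LRU in front of a shared session store (a plain dict standing in for the RDBMS), with two hypothetical nodes sharing that store. The stale-window scenario shows why the timeout matters in a cluster: node B processes a logout and deletes the session from the store, but node A keeps serving it from cache until the entry ages out. The node names, session identifiers, the simulated clock and the tiny cache size are all assumptions of the example.

```python
"""Size- and TTL-bounded session cache in front of a shared store.

Hypothetical model of the OIF RDBMS session cache; not Oracle code.
Time is passed in explicitly (seconds) so the scenarios are deterministic.
"""
from collections import OrderedDict


class SessionCache:
    def __init__(self, db: dict, max_entries: int = 25000, timeout_s: int = 300):
        self.db = db                    # shared "RDBMS" seen by every node
        self.max_entries = max_entries  # transientrdbmssessioncachesize
        self.timeout_s = timeout_s      # transientrdbmssessioncachetimeout
        self.entries = OrderedDict()    # sid -> (cached_at_s, session), LRU order
        self.db_reads = 0

    def get(self, sid: str, now_s: float):
        """Return the session or None, reading the store only on a cache miss."""
        entry = self.entries.get(sid)
        if entry is not None:
            cached_at, session = entry
            if now_s - cached_at < self.timeout_s:
                self.entries.move_to_end(sid)   # mark as most recently used
                return session                  # served from cache, store not consulted
            del self.entries[sid]               # expired: fall through to the store
        self.db_reads += 1
        session = self.db.get(sid)
        if session is not None:
            self.entries[sid] = (now_s, session)
            if len(self.entries) > self.max_entries:
                self.entries.popitem(last=False)  # evict least recently used
        return session

    def invalidate(self, sid: str):
        """Drop a session from this node's cache only (other nodes are unaffected)."""
        self.entries.pop(sid, None)


def stale_window_demo(timeout_s: int):
    """Node A caches a session; node B then logs it out.

    Returns (still_valid_on_a_10s_later, valid_on_a_after_expiry).
    """
    db = {}
    node_a = SessionCache(db, max_entries=2, timeout_s=timeout_s)
    node_b = SessionCache(db, max_entries=2, timeout_s=timeout_s)
    db["sess-1"] = {"user": "alice"}
    node_a.get("sess-1", now_s=0)               # node A warms its cache
    # SOAP Logout handled by node B: remove from the shared store and B's own cache
    del db["sess-1"]
    node_b.invalidate("sess-1")
    still_valid_on_a = node_a.get("sess-1", now_s=10) is not None
    after_expiry = node_a.get("sess-1", now_s=timeout_s + 1) is not None
    return still_valid_on_a, after_expiry


def eviction_demo():
    """Cache of two entries: loading a third evicts the least recently used.

    Returns the number of store reads performed.
    """
    db = {f"s{i}": {"user": f"u{i}"} for i in range(1, 4)}
    cache = SessionCache(db, max_entries=2, timeout_s=300)
    cache.get("s1", 0)   # read 1
    cache.get("s2", 1)   # read 2
    cache.get("s3", 2)   # read 3, evicts s1
    cache.get("s2", 3)   # cache hit
    cache.get("s1", 4)   # read 4, s1 had been evicted
    return cache.db_reads


if __name__ == "__main__":
    print(stale_window_demo(300))   # (True, False): logged-out session still served for up to 300 s
    print(stale_window_demo(5))     # (False, False): short timeout closes the window
    print(eviction_demo())          # 4
```

With the default 300-second timeout, a session that another server destroyed can be accepted by this server for up to five minutes; shortening the timeout narrows that window at the cost of more database reads per SSO operation, which is the trade-off the guide asks you to tune.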