Oracle Access Manager Component Characteristics

8-112 Oracle Fusion Middleware High Availability Guide
■ Section 8.8.2, Oracle Access Manager High Availability Concepts
■ Section 8.8.3, Oracle Security Token Service High Availability
■ Section 8.8.4, Oracle Access Manager High Availability Configuration Steps

8.8.1 Oracle Access Manager Component Architecture

Figure 8–12 shows the Oracle Access Manager 11gR1 component architecture.

Figure 8–12 Oracle Access Manager Single Instance Architecture

Figure 8–12 shows the following components:
■ User agents: These include web browsers, Java applications, and Web services applications. The user agents access the Access Server and the administration and configuration tools using HTTP.
■ Protected resources: A protected resource is an application or web page to which access is restricted. Access to protected resources is controlled by WebGates or Custom Agents.
■ Administration and configuration tools: Oracle Access Manager can be administered and configured by the Oracle Access Manager console, the Oracle Enterprise Manager Fusion Middleware Control and the Oracle Enterprise Manager Grid Control, and the WebLogic Scripting Tool (WLST).
■ Access Server: The Access Server includes the Credential Collector, OSSO Proxy, and OAM Proxy components. The Coherence Distributed Object Cache is used to propagate configuration file changes between Access Servers.

8.8.1.1 Oracle Access Manager Component Characteristics

An Oracle Access Manager 11gR1 deployment is composed of the following system entities:

■ Oracle Access Manager Agents - Oracle Access Manager agents are extensions of the Access Server that are responsible for ensuring that access is controlled as per the policies managed in the Access Server. Agents are the clients (programs such as WebGate, Java Agents, custom Agents, and Oracle Single Sign-On Apache Modules) used by end-users to access various Web resources that are protected by Oracle Access Manager 11gR1. The most commonly used user agents are web browsers. Oracle Access Manager 11gR1 is a Web Single Sign-On solution that is primarily focused on controlling resources accessible via HTTP (resources identified by a URL) and custom resource types. Agents require the Access Server component to perform their functions. If the Access Server is unavailable, no access to protected servers will be permitted (users will be locked out of the system).

Oracle Access Manager 11gR1 agents connect to the Access Server over the front channel and the back channel. Front channel communication takes place over HTTPS when the user needs to be authenticated. Front channel communications tend to be short-lived. When an Oracle Access Manager agent communicates with the Access Server using the front channel (HTTP binding), it needs to communicate through a load balancing router. This information is passed to the agent and configured as the Challenge Redirect URL in the authentication scheme. Back channel communication uses a proprietary protocol called Oracle Access Protocol (OAP), which runs over a TCP connection. Agents use back channel communications with the Access Server for every resource access request in order to make an authorization decision, so these back-channel connections are persistent and long-lived. When an Oracle Access Manager agent communicates with the Access Server using the back channel (OAP binding), it is configured to use a primary/secondary model.

Oracle Access Manager agents are externally staged (deployed in the web tier) because this provides the best scalability. WebGate caches information about resource requests and authentication schemes. The WebGate cache is flushed based on a configured timeout or a server-initiated cache purge. WebGates refresh their configuration by polling the server every 60 seconds. When configuration changes are detected, they persist immediately. Existing connections terminate and new connections are created if a connection information change occurs. WebGate configuration includes information about the agent identity, agent credentials, agent-server security context, and connection parameters.

■ Protected Resources - These are the applications that are protected by Oracle Access Manager 11gR1 (also referred to as partner applications). Access to these resources is subject to the access control policies in Oracle Access Manager 11gR1 and is enforced by Oracle Access Manager agents that are deployed in the access path of the protected resource (for example, Oracle Access Manager agents deployed in the Web Server, or J2EE agents deployed in the Application Server). Agents are entities that control access to protected applications based on security policies. Agents present in the resource access path intercept every resource access request to enforce the security policy that protects the resources.

■ Access Server - This is the server side component that provides the core runtime access management services. It has an event-based design pattern that implements the core Oracle Access Manager services. An Access Server is a J2EE application that is packaged as an EAR file and is composed of Servlets and JSPs in addition to Java classes. It provides various Identity Provider (IDP) services. The Access Server in Oracle Access Manager 11gR1 provides Single Sign-On, Authentication, and Authorization services.

■ JMX Mbeans - Runtime Mbeans are packaged as part of the Access Server package. Config Mbeans are packaged as standalone WAR files.

■ WebLogic 11g SSPI providers are composed of Java classes that implement the SSPI interface along with the Java Access JDK. AccessGates are built using the pure Java Access JDK.

■ Administration Console - The Oracle Access Manager Administration Console is a J2EE application that hosts the Administration Console and provides services like Administration/Configuration to manage the Oracle Access Manager 11gR1 deployment. In Oracle Access Manager 11gR1, this component must be deployed to the WebLogic Administration Server.

■ WebLogic Scripting Tool (WLST) is composed of Java classes, which are included in the Access Server package. Limited administration of the Oracle Access Manager 11gR1 deployment is supported via the command line.

■ Fusion Middleware Control and Enterprise Manager Grid Control - Oracle Access Manager 11gR1 integrates with the Enterprise Manager Grid Control to display performance metrics and deployment topology.

■ Coherence Distributed Object Cache - Oracle Access Manager 11gR1 components rely on this infrastructure for real time change propagation.

■ External credential collectors are a set of JSPs.

■ The Oracle Access Manager Proxy is a customized version of the Apache MINA server based on the JCA architecture, which includes MessageDrivenBeans and ResourceAdapters in addition to Java Server classes. It is included in the Access Server package.

■ The Oracle Single Sign-On (OSSO) Proxy is composed of Java classes, which are included in the Access Server package.

■ Data Repositories - Oracle Access Manager 11gR1 handles different types of information, including Identity, Policy, Partner, Session and Transient data:
 – LDAP for Identity data
 – Files for Configuration and Partner data
 – Coherence (in-memory) for Session and Transient Data
 – Policy data will be stored in files or in an RDBMS

■ Oracle Access Manager 10g WebGates are C-based agents that are intended to be deployed in web servers.

■ Oracle Single Sign-On Apache modules are C-based agents that are intended to be deployed in Oracle HTTP Server web servers.

■ Oracle Access Manager 11g WebGates are C-based agents that are intended to be deployed in web servers.

8.8.1.1.1 Oracle Access Manager State Information

Authenticated user session information is persisted via the Coherence Distributed Object Cache. Use the Coherence Distributed Object Cache in-memory mode for Oracle Access Manager 11gR1. Oracle Access Manager may create a transient state for unauthenticated users during the login processing. This state is generally not replicated among Oracle Access Manager nodes. To protect against the effects of node failures during the login processing, the state may optionally be stored in an encrypted client cookie. To store the transient state for unauthenticated users during login processing, change the Oracle Access Manager server parameter RequestCacheType from BASIC to COOKIE by following these steps:

1. Set up the environment for WLST by running this command:
DOMAIN_HOME/bin/setDomainEnv.sh
2. Start WLST by issuing this command:
ORACLE_HOME/common/bin/wlst.sh
3. Connect to your domain:
wls:/IDM_Domain/serverConfig> connect()
4. Enter the WebLogic Administration username and password, and enter the URL for the Administration Server in the format:
t3://OAMHOST1.mycompany.com:7001
5. Issue this command:
wls:/IDM_Domain/serverConfig> configRequestCacheType(type="COOKIE")
6. Check that the command worked by issuing this command:
wls:/IDM_Domain/serverConfig> displayRequestCacheType()
7. Restart the Oracle Access Manager managed servers.
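The difference between RequestCacheType BASIC and COOKIE matters only when a node dies in the middle of a login. The following added example (not Oracle code; the node names, the cookie name OAM_REQ and the request ids are constructed) simulates two Access Server nodes behind a load balancer: the login starts on one node, that node fails, and the credential submission lands on the other. With BASIC the transient state lives only in the dead node's memory; with COOKIE it travels with the browser. The sample protects the cookie with an HMAC because the Python standard library has no authenticated encryption; Oracle Access Manager encrypts it.

```python
import base64, hashlib, hmac, json

COOKIE_KEY = b"constructed-shared-key"              # must be identical on every OAM node

class OAMNode:
    """One Access Server node; request_cache_type is "BASIC" or "COOKIE"."""
    def __init__(self, name, request_cache_type):
        self.name, self.mode, self.local_cache = name, request_cache_type, {}

    def start_login(self, request_id, target_resource):
        """Login begins: remember where to send the user once credentials are validated."""
        state = {"req": request_id, "resource": target_resource}
        if self.mode == "BASIC":
            self.local_cache[request_id] = state    # node-local, not replicated
            return {}
        body = json.dumps(state, sort_keys=True).encode()
        mac = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
        return {"OAM_REQ": base64.b64encode(body + mac).decode()}  # constructed cookie name

    def finish_login(self, request_id, cookies):
        """Credentials posted: recover the transient state and return the original resource."""
        if self.mode == "BASIC":
            state = self.local_cache.get(request_id)
        else:
            raw = base64.b64decode(cookies.get("OAM_REQ", ""))
            body, mac = raw[:-32], raw[-32:]
            expected = hmac.new(COOKIE_KEY, body, hashlib.sha256).digest()
            ok = len(raw) > 32 and hmac.compare_digest(mac, expected)
            state = json.loads(body) if ok else None   # reject missing or tampered cookies
        if state is None or state["req"] != request_id:
            return None                             # state lost or mismatched: login restarts
        return state["resource"]

def login_across_failover(mode):
    """Login starts on OAMHOST1, which then fails; the form submission lands on OAMHOST2."""
    node1, node2 = OAMNode("OAMHOST1", mode), OAMNode("OAMHOST2", mode)
    cookies = node1.start_login("r-42", "/hr/payroll")
    del node1                                       # node failure in the middle of login
    return node2.finish_login("r-42", cookies)
```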

8.8.1.1.2 Oracle Access Manager Request Flow

The following list shows the steps in an Oracle Access Manager request flow:
1. The user tries to access an Oracle Access Manager 11gR1 protected Web Resource using his web browser.
2. The Oracle Access Manager agent (1) intercepts the request and tries to ascertain if the user has an authenticated session.
3. Since this is the user's first access, the user is redirected to the Oracle Access Manager 11gR1 Access Server for authentication.
4. The Access Server's credential collector (2) component displays a Login Form. (3) The user submits his credentials to the Access Server.
5. The Access Server validates the user's credentials and generates a security token. The user is redirected to the resource he tried to access in Step 1.
6. The Oracle Access Manager agent intercepts the request and extracts the security token cookie.
7. The Oracle Access Manager agent then makes a back channel call (4) to the Access Server (OAP over TCP) to validate the session and authorize the request.
8. Oracle Access Manager authenticates the user from the LDAP repository.
9. The Access Server verifies the user's permissions against the configured policy for the web resource.
10. The Access Server responds to the WebGate request indicating that access is allowed.
11. The Oracle Access Manager agent allows the request to go through. (5)
12. The user is now able to access the web resource he tried to access in Step 1.

Notes:
(1) The agent in use is specific to a deployment, and different types of agents with different features can be used in a deployment.
(2) In addition to the built-in Credential Collector, Oracle Access Manager is capable of supporting external credential collectors.
(3) The credential collection will be different for non-username and password authentication schemes.
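The request flow above, condensed into an added example (not Oracle code) that models the front channel and back channel as two Python classes: the agent in the resource access path redirects a session-less request to the Challenge Redirect URL, the Access Server validates credentials against a constructed user store and issues a security token cookie, and the agent then asks the Access Server over the back channel to validate the token and apply the policy. The user store, policy, key, cookie name OAM_TOKEN and redirect URL are all constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data standing in for the LDAP identity store and the policy store.
LDAP_USERS = {"alice": "s3cret"}
POLICY = {"/hr/payroll": {"alice"}}                 # resource -> users the policy allows
SERVER_KEY = b"constructed-demo-key"                # agent-server shared security context

class AccessServer:
    """Steps 4-5 and 7-10: credential collection, token issuance, back-channel authorization."""
    def authenticate(self, user, password):         # steps 4-5: form posted, credentials checked
        if LDAP_USERS.get(user) != password:
            return None
        payload = json.dumps({"sub": user, "iat": int(time.time())}).encode()
        mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        return base64.b64encode(payload + mac).decode()  # the security token cookie value

    def authorize(self, token, resource):           # steps 7-10, reached over the back channel
        raw = base64.b64decode(token)
        payload, mac = raw[:-32], raw[-32:]
        expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                            # tampered or forged token
        user = json.loads(payload)["sub"]
        return user in POLICY.get(resource, set())  # step 9: check the policy

class Agent:
    """Steps 2, 6, 7 and 11: the WebGate in the resource access path."""
    def __init__(self, server, challenge_redirect_url):
        self.server, self.redirect = server, challenge_redirect_url

    def intercept(self, resource, cookies):
        token = cookies.get("OAM_TOKEN")            # constructed cookie name
        if token is None:                           # step 3: no session, send to the server
            return {"status": 302, "location": f"{self.redirect}?resource={resource}"}
        if self.server.authorize(token, resource):  # step 7: back-channel call
            return {"status": 200, "body": f"content of {resource}"}   # step 11
        return {"status": 403}

def walk_through(user, password, resource):
    """Drive the whole flow for one browser session; returns the agent's final response."""
    server = AccessServer()
    agent = Agent(server, "https://oamhost.example.test/login")  # assumed redirect URL
    first = agent.intercept(resource, cookies={})   # steps 1-3
    if first["status"] != 302:
        return first
    token = server.authenticate(user, password)     # steps 4-5
    if token is None:
        return {"status": 401}
    return agent.intercept(resource, cookies={"OAM_TOKEN": token})  # steps 6-12
```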

8.8.1.1.3 Oracle Access Manager Process Lifecycle

As J2EE applications, the Access Server and the Administration Console can be started from the user interface and command line tools that WebLogic Server provides. The Access Server supports a health check request (a ping request over HTTP) that can be used by a load balancer for death detection. Oracle Access Manager agents are native applications that reside in the protected application environment. No tools are provided as part of OAM 11gR1, but it is expected that environment specific tooling, where available, will be leveraged for this purpose. Oracle Access Manager 11gR1 is instrumented for server side metrics using DMS, and this information is published to the Administration Console. Using DMS metrics collection, you can monitor the agent and server component metrics as a proxy for component monitoring. In addition, Oracle Access Manager 11gR1 supports fine-grained real time activity tracing, which can also serve as a proxy for component monitoring. On startup, the Access Server initializes connections to the backend repositories. If a repository is not reachable, the Access Server retries the connections to the repositories, using a timeout that grows exponentially with a configurable upper bound. The Access Server will provide continuity of service based on locally cached data if the backend connections go down. This will continue until the caches grow stale or the backend connections become alive again.
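The two behaviours in the last three sentences, capped exponential reconnection and continuity of service from local cache until it grows stale, as an added example (not Oracle code; the cache age limit, the backoff parameters and the policy-store scenario are constructed):

```python
import time
def reconnect_delays(base, cap, attempts):
    """Retry schedule that doubles each time but never exceeds cap (seconds)."""
    return [min(base * 2 ** i, cap) for i in range(attempts)]

class CachedRepository:
    """Looks keys up in a backend; while it is down, serves cached copies until they go stale."""
    def __init__(self, backend, max_age, clock=time.monotonic):
        self.backend, self.max_age, self.clock = backend, max_age, clock
        self.cache, self.backend_up = {}, True      # key -> (value, time cached)

    def lookup(self, key):
        if self.backend_up:
            try:
                value = self.backend(key)
                self.cache[key] = (value, self.clock())
                return value
            except ConnectionError:
                self.backend_up = False             # continuity of service from cache
        entry = self.cache.get(key)
        if entry is None or self.clock() - entry[1] > self.max_age:
            raise LookupError(f"{key}: backend down and no fresh cached copy")
        return entry[0]

    def reconnect(self, probe, base=1, cap=30, attempts=6, sleep=time.sleep):
        for delay in reconnect_delays(base, cap, attempts):  # capped exponential backoff
            if probe():
                self.backend_up = True
                return True
            sleep(delay)
        return False

def simulate_outage():
    """Constructed scenario: the policy store answers once, then becomes unreachable."""
    now, calls = [0.0], [0]
    def backend(key):
        calls[0] += 1
        if calls[0] > 1:
            raise ConnectionError("policy store unreachable")
        return ["alice"]                            # users allowed on the resource
    repo = CachedRepository(backend, max_age=300, clock=lambda: now[0])
    fresh = repo.lookup("/hr/payroll")              # answered by the backend
    now[0] += 60
    cached = repo.lookup("/hr/payroll")             # backend fails, cached copy served
    now[0] += 300
    try:
        repo.lookup("/hr/payroll")                  # 360 s old: stale, refused
        stale = False
    except LookupError:
        stale = True
    return fresh, cached, stale, repo.backend_up
```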

8.8.1.1.4 Oracle Access Manager Configuration Artifacts

The Oracle Access Manager configuration artifacts include these files:
■ DOMAIN_HOME/config/fmwconfig/oam-configuration.xml - The configuration file, which contains instance specific information.
■ DOMAIN_HOME/config/fmwconfig/oam-policy.xml
■ DOMAIN_HOME/config/fmwconfig/.oamkeystore - Used for storing symmetric and asymmetric keys.
■ DOMAIN_HOME/config/fmwconfig/component_events.xml - Used for audit definition.
■ DOMAIN_HOME/config/fmwconfig/jazn-data.xml - Used for Administration Console permissions.
■ DOMAIN_HOME/config/fmwconfig/servers/instanceName/logging.xml - Used for logging configuration.
■ DOMAIN_HOME/config/fmwconfig/servers/instanceName/dms_config.xml - Used for tracing logging.
■ DOMAIN_HOME/config/fmwconfig/cwallet.sso - Used for passwords.

Notes to the request flow in Section 8.8.1.1.2:
(4) Only WebGates support back channel communication.
(5) The agent may perform some housekeeping tasks, such as session refresh, before allowing the request to go through to the web resource.

8.8.1.1.5 Oracle Access Manager External Dependencies

Oracle Access Manager has external runtime dependencies on the:
■ LDAP based Identity Store
 – User Identity Repository
 – LDAP access abstracted by UserRole API
■ OCSP Responder Service
 – Real-time X.509 Certification Validation
■ RDBMS Policy Store
 – Policy (Authentication and Authorization) Repository
 – RDBMS access abstracted by the OAM policy engine
■ Oracle Identity Manager (when OIM based password management is enabled)
 – Oracle Identity Manager is used to provide Password Management Services and replaces the Oracle Access Manager 10g Identity Server
■ Oracle Identity Manager Policy Store (when Oracle Identity Manager-based password management is enabled)
 – LDAP Repository containing Oblix Schema elements that are used to store Configuration, Metadata, and so on
■ Oracle Adaptive Access Manager (when Oracle Adaptive Access Manager Advanced Authentication Scheme is selected)
■ Oracle Identity Federation (when Oracle Identity Federation Authentication Scheme is selected)

8.8.1.1.6 Oracle Access Manager Log File Location

Oracle Access Manager is a J2EE application deployed on WebLogic Server. All log messages are logged in the server log file of the WebLogic Server that the application is deployed on. The default location of the server log is:
WL_HOME/user_projects/domains/domainName/servers/serverName/logs/serverName-diagnostic.log

Note: Oracle Access Manager always connects to one Identity store, which can be a physical server or a load balancer IP. If the primary is down, Oracle Access Manager reconnects and expects the load balancer to connect it to the secondary.

8.8.2 Oracle Access Manager High Availability Concepts