Oracle Access Manager High Availability Architecture
8.8.2 Oracle Access Manager High Availability Concepts
This section provides conceptual information about using Oracle Access Manager in a high availability two-node cluster.

8.8.2.1 Oracle Access Manager High Availability Architecture

Figure 8–13 shows an Oracle Access Manager high availability architecture.

Figure 8–13 Oracle Access Manager High Availability Architecture
[Figure: a Load Balancer and firewalls in front of the web tier (WEBHOST1 and WEBHOST2 running OHS with mod_wl_ohs; WEBHOST3 running OHS with mod_wl_ohs and a WebGate); the application tier (OAMHOST1 and OAMHOST2 running the WLS_OAM1 and WLS_OAM2 Access Servers, a Coherence DOC, and the WLS Admin Server with the OAM Console and Admin Console); the directory tier (OVD_INST1 on OVDHOST1 and OVD_INST2 on OVDHOST2 behind VIP ovd.mycompany.com; OID_INST1 on OIDHOST1 and OID_INST2 on OIDHOST2 behind VIP oid.mycompany.com); and a RAC Database. HTTP flows from the Load Balancer to the web tier; OAP flows from the WebGate to the Access Servers.]

In Figure 8–13, incoming authentication requests are received by the hardware load balancer, which routes them to WEBHOST1 or WEBHOST2 in the web tier. These hosts have Oracle HTTP Server installed. The Oracle HTTP Server then forwards requests to the WebLogic managed servers using the WebLogic plugin mod_wl_ohs. The load balancing router should use session stickiness for HTTP traffic only. OAP traffic does not use a load balancing router, so session stickiness is not required for OAP traffic.

Applications that are accessed by other Oracle HTTP Servers whose resources have restricted access must also have a WebGate, an Oracle Single Sign-On Server agent (mod_osso), or a custom agent configured. The WebGate on WEBHOST3 communicates with the Access Servers on OAMHOST1 and OAMHOST2 in the application tier using OAP. WEBHOST3 is an application web server; for authentication, an HTTP redirect is used to route requests to the load balancer and on to WEBHOST1 and WEBHOST2. For a high availability deployment, you can optionally configure another host (for example, WEBHOST4) with the same components as WEBHOST3.

OAMHOST1 and OAMHOST2 deploy managed servers which host the Oracle Access Server application.
These managed servers are configured in a cluster, which allows the Access Servers to work in an active-active manner. The WebLogic Administration Server runs on OAMHOST1 and deploys the WebLogic Administration Console, Oracle Enterprise Manager Fusion Middleware Control, and the Oracle Access Manager Console. The Administration Server can be configured to run in active-passive mode on OAMHOST2, which means that if OAMHOST1 becomes unavailable, the Administration Server can be manually started on OAMHOST2.

In the directory tier, the virtual IP ovd.mycompany.com is set up to route Oracle Virtual Directory requests to OVDHOST1 and OVDHOST2, which comprise an active-active Oracle Virtual Directory cluster. The virtual IP oid.mycompany.com is set up to route Oracle Internet Directory requests to OIDHOST1 and OIDHOST2, which comprise an active-active Oracle Internet Directory cluster. An Oracle RAC database provides high availability in the data tier.

In Oracle Access Manager 11gR1, only one Oracle Access Manager cluster is supported per WebLogic Server domain. In addition, Oracle Access Manager clusters cannot span WebLogic Server domains.

A single instance Oracle Access Manager 11gR1 deployment satisfies the following high availability requirements:
■ Load handling
■ External connection management and monitoring
■ Recovery
■ Fault containment
■ Fault diagnostics
■ Administration Server offline

A multiple instance Oracle Access Manager 11gR1 deployment satisfies the following additional high availability requirements:
■ Redundancy
■ Client connection failover/continuity
■ Client load balancing
■ State management

Use of an external load balancing router is recommended for inbound HTTP connections. Outbound external connections to LDAP Servers or the OAM policy engine (PDP/PIP) are load balanced with support for connection failover.

Oracle Access Manager agents can load balance connections across multiple Access Servers. Oracle Access Manager agents open persistent TCP connections to the Access Servers. This requires firewall connection timeouts to be sufficiently large to avoid premature termination of TCP connections.

The Access Server and the Oracle Access Manager Administration Console interface with the OAM policy engine for policy evaluation and management. The OAM policy engine internally depends on a database as the policy repository. The database interactions are encapsulated within the OAM policy engine, with only the connectivity configuration information managed by Oracle Access Manager. The high availability characteristics of the interaction between Oracle Access Manager and the OAM policy engine are:
■ The database connection information is configured in the Oracle Access Manager configuration file, which is synchronized among the Oracle Access Manager instances. Should the database connection information change at runtime, Access Server instances will re-initialize OES to complete the change activation.
■ Database communication is managed within the OAM policy engine, and is generally decoupled from the interactions between Oracle Access Manager and the OAM policy engine. The very first startup of an Oracle Access Manager server instance will fail, however, if the database is unreachable. An OAM policy engine bootstrap failure is treated as fatal by Oracle Access Manager, and the startup operation is aborted.
■ Transient database unavailability is transparently tolerated by the OAM policy engine policy evaluation services, allowing Oracle Access Manager server runtimes to continue functioning uninterrupted. After the initial OAM policy engine bootstrap, the Oracle Access Manager instances may even be restarted while the database is unreachable; the OAM policy engine will continue operating against its locally cached policies.
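The load-balanced, failover-capable connections described above can be pictured with a small model. The following Python is an added example, not Oracle code and not the agent's real implementation: it models an agent such as the WebGate on WEBHOST3 keeping one persistent OAP connection to each Access Server on OAMHOST1 and OAMHOST2, spreading requests across them, failing over when one server is down, and being forced to reconnect whenever a stateful firewall between the tiers expires an idle flow. The round-robin choice, the timings, the firewall idle timeout and the reconnect counters are assumptions made for the model; the host names follow Figure 8–13.

```python
from dataclasses import dataclass

# Access Servers as named in Figure 8-13; the agent keeps one persistent
# OAP connection to each of them.
ACCESS_SERVERS = ("OAMHOST1", "OAMHOST2")


@dataclass
class OapConnection:
    """A persistent TCP connection from the agent to one Access Server."""
    host: str
    last_used: float  # simulated clock, in seconds


class OapAgent:
    """Constructed model of an agent balancing OAP traffic across Access Servers."""

    def __init__(self, hosts, firewall_idle_timeout):
        self.hosts = list(hosts)
        # Assumption: a stateful firewall between web and application tier
        # drops any flow that stays idle longer than this many seconds.
        self.firewall_idle_timeout = firewall_idle_timeout
        self.down = set()
        self.conns = {}
        self.served = {h: 0 for h in self.hosts}
        self.idle_reconnects = 0      # flows silently expired by the firewall
        self.failover_reconnects = 0  # connections re-opened after a server outage
        self._rr = 0

    def mark_down(self, host):
        """The agent detects a failed Access Server and drops its connection."""
        self.down.add(host)
        self.conns.pop(host, None)

    def mark_up(self, host):
        self.down.discard(host)

    def request(self, now):
        """Send one OAP request at time `now`; returns the host that served it."""
        healthy = [h for h in self.hosts if h not in self.down]
        if not healthy:
            raise ConnectionError("no Access Server reachable")
        host = healthy[self._rr % len(healthy)]  # round robin (assumption)
        self._rr += 1
        conn = self.conns.get(host)
        if conn is None:
            if self.served[host]:
                self.failover_reconnects += 1
            self.conns[host] = OapConnection(host, now)
        elif now - conn.last_used > self.firewall_idle_timeout:
            # The firewall expired the idle flow, so the agent's write fails and
            # it must reconnect: the premature termination the text warns about.
            self.idle_reconnects += 1
            self.conns[host] = OapConnection(host, now)
        self.conns[host].last_used = now
        self.served[host] += 1
        return host


def run_scenario(n_requests, gap, firewall_idle_timeout, outage=None):
    """Drive `n_requests` spaced `gap` seconds apart; `outage` = (host, start, end)."""
    agent = OapAgent(ACCESS_SERVERS, firewall_idle_timeout)
    for i in range(n_requests):
        now = i * gap
        if outage:
            host, start, end = outage
            (agent.mark_down if start <= now < end else agent.mark_up)(host)
        agent.request(now)
    return {
        "served": agent.served,
        "idle_reconnects": agent.idle_reconnects,
        "failover_reconnects": agent.failover_reconnects,
    }


if __name__ == "__main__":
    print("firewall timeout 60s:", run_scenario(10, 30, 60))
    print("firewall timeout 20s:", run_scenario(10, 30, 20))
    print("OAMHOST1 down 100-200s:", run_scenario(10, 30, 60, ("OAMHOST1", 100, 200)))
```

With two servers in rotation, each persistent connection sits idle for twice the request gap, so a firewall timeout below that gap forces a reconnect on almost every request even though both servers are healthy; the outage scenario shows traffic shifting to the surviving server and a single reconnect once OAMHOST1 returns.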
■ Oracle Access Manager policy management interfaces in the Oracle Access Manager Administration Console and the CLI tool will fail if the database is unreachable, as seen by the OAM policy engine management service interfaces. The operation may be retried at a later point in time, but no automated retry is provided for management operations.
■ Following a successful policy modification in the database repository, the OAM policy engine layer in the Oracle Access Manager server runtimes retrieves and activates the changes within a configurable OAM policy engine database poll interval, which is configured through the Oracle Access Manager configuration. A positive acknowledgement of a policy change must be received from each Oracle Access Manager server runtime; otherwise the policy change cannot be considered successfully activated. The administrator can use the Oracle Access Manager Administration Console to remove any Oracle Access Manager instance with a policy activation failure from service.

8.8.2.1.1 Starting and Stopping the Cluster

In a high availability architecture, Oracle Access Manager server is deployed on an Oracle WebLogic Cluster, which has at least two servers as part of the cluster. By default, Oracle WebLogic Server starts, stops, monitors and manages the various lifecycle events for the application. The Oracle Access Manager application leverages the high availability features of the underlying Oracle WebLogic Clusters. In case of hardware or other failures, session state is available to other cluster nodes that can resume the work of the failed node.

In a high availability environment, WebLogic Node Manager is configured to monitor the Oracle WebLogic Servers. In case of failure, Node Manager restarts the WebLogic Server.

In a high availability environment, a hardware load balancer is used to load balance requests between the multiple Oracle Access Manager instances. If one of the Oracle Access Manager instances fails, the load balancer detects the failure and routes requests to the surviving instances.

8.8.2.1.2 Cluster-Wide Configuration Changes

The standard Java EE artifacts that Oracle Access Manager uses are configured as part of the Oracle WebLogic domain in which Oracle Access Manager is installed. Oracle WebLogic Clusters provide automatic configuration synchronization for artifacts, such as data sources, across the WebLogic Server domain. At the same time, the WebLogic Server cluster synchronizes the deployments and libraries used by the Oracle Access Manager components.

Additionally, Oracle Access Manager application level configuration is stored in the Oracle Access Manager repository. Propagation of Oracle Access Manager configuration changes to all the cluster members is based on a distribution mechanism that leverages the Coherence Distributed Object Cache. All Oracle Access Manager components are notified of change events from the Coherence layer, and the components then take up those changes. To ensure atomicity of the change, Oracle Access Manager components reload their entire configuration every time a change happens.

Oracle Access Manager configuration applies to all instances in a cluster. The only exceptions to this, that is, the instance-specific configuration supported in Oracle Access Manager 11gR1, are the Oracle Access Manager proxy host, the Oracle Access Manager proxy port, and the instance-specific Coherence configuration when Well Known Addresses (WKA) are used. The IP address of the proxy host and the proxy port are stored in a configuration file. The Oracle Access Manager proxy port is the endpoint for OAP requests from agents. The IP address of the Coherence WKA is also stored in a configuration file. The Coherence WKA is used to determine the Coherence nodes that are authorized to receive Oracle Access Manager-specific traffic. The oam-configuration.xml file is the configuration file that stores this configuration information. It is possible to configure clients of the Oracle Access Manager proxy to access the service using this virtual/logical IP. The Oracle Access Manager proxy can be deployed, and its clients can still access the service, when the logical IP and the component instance are migrated to any other physically different machine that is configured similarly.

Adding and removing Access Server instances is transparent to the other Oracle Access Manager Access Server instances in the cluster. However, take care to ensure that the removal of a specific Access Server does not affect the load balancing and failover characteristics of the agents. Restarting an Oracle Access Manager Access Server has no impact on any other running components or members of the cluster. Online application redeployment does not cause any problems.

8.8.2.2 Protection from Failures and Expected Behaviors
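The expected behaviours described in the sections above for the interaction between the Oracle Access Manager server runtimes and the OAM policy engine's database repository (a fatal first bootstrap when the database is down, transparent tolerance of a transient outage including a restart from cached policies, management operations that fail without automatic retry, and a policy change that counts as activated only when every runtime acknowledges it within the poll interval) can be walked through with a small model. The following Python is an added example, not Oracle code: the class names, the version counter used as the acknowledgement, the per-host `isolated` flag standing in for a broken database link, and the `allow`/`deny` policy values are all constructed for the model; the server names WLS_OAM1 and WLS_OAM2 follow Figure 8–13.

```python
class DatabaseUnavailable(Exception):
    """The policy repository database cannot be reached."""

class StartupAborted(Exception):
    """Fatal OAM policy engine bootstrap failure on a runtime's first start."""

class PolicyRepository:
    """Constructed stand-in for the database behind the OAM policy engine."""
    def __init__(self):
        self.version, self.policies, self.reachable = 0, {}, True

    def read(self):
        if not self.reachable:
            raise DatabaseUnavailable("policy repository unreachable")
        return self.version, dict(self.policies)

    def write(self, resource, decision):
        """Management operation: fails while the DB is down, with no automatic retry."""
        if not self.reachable:
            raise DatabaseUnavailable("management operation failed; retry later")
        self.policies[resource] = decision
        self.version += 1
        return self.version

class ServerRuntime:
    """One OAM server instance with its embedded policy engine and local cache."""
    def __init__(self, name, repo):
        self.name, self.repo = name, repo
        self.version, self.cache = None, None   # None until the first bootstrap
        self.isolated = False                    # True: this host alone lost its DB link

    def _fetch(self):
        if self.isolated:
            raise DatabaseUnavailable(f"{self.name} cannot reach the repository")
        return self.repo.read()

    def start(self):
        try:
            self.version, self.cache = self._fetch()
        except DatabaseUnavailable:
            if self.cache is None:   # first bootstrap: treated as fatal
                raise StartupAborted(f"{self.name}: first bootstrap needs the database")
            # restart after a successful bootstrap: keep the cached policies

    def poll(self):
        """One DB poll interval: pick up changes, return the acknowledged version (or None)."""
        try:
            version, policies = self._fetch()
        except DatabaseUnavailable:
            return None
        if version != self.version:
            self.version, self.cache = version, policies
        return self.version

    def evaluate(self, resource):
        """Policy evaluation uses the local cache and never touches the database."""
        return self.cache.get(resource, "deny")

class OamCluster:
    def __init__(self, repo, runtimes):
        self.repo, self.runtimes = repo, list(runtimes)

    def change_policy(self, resource, decision):
        return self.repo.write(resource, decision)

    def activation_status(self):
        """A change counts as activated only when every runtime acks the new version."""
        acks = {r.name: r.poll() for r in self.runtimes}
        failed = sorted(n for n, v in acks.items() if v != self.repo.version)
        return {"activated": not failed, "failed": failed}

    def remove(self, name):
        """Administrator removes a runtime with a policy activation failure from service."""
        self.runtimes = [r for r in self.runtimes if r.name != name]

def demo():
    """Walk through the behaviours the text describes; returns what was observed."""
    repo, seen = PolicyRepository(), {}
    repo.reachable = False
    try:
        ServerRuntime("WLS_OAM1", repo).start()
        seen["first_start"] = "started"
    except StartupAborted:
        seen["first_start"] = "aborted"
    repo.reachable = True
    oam1, oam2 = ServerRuntime("WLS_OAM1", repo), ServerRuntime("WLS_OAM2", repo)
    cluster = OamCluster(repo, [oam1, oam2])
    for runtime in cluster.runtimes:
        runtime.start()
    cluster.change_policy("/protected", "allow")
    seen["full"] = cluster.activation_status()
    repo.reachable = False                      # transient database outage
    oam1.start()                                # restart during the outage: cache only
    seen["during_outage"] = oam1.evaluate("/protected")
    try:
        cluster.change_policy("/admin", "deny")
        seen["mgmt"] = "ok"
    except DatabaseUnavailable:
        seen["mgmt"] = "failed"
    repo.reachable, oam2.isolated = True, True  # only WLS_OAM2 has lost its DB link
    cluster.change_policy("/admin", "deny")
    seen["partial"] = cluster.activation_status()
    cluster.remove("WLS_OAM2")
    seen["after_removal"] = cluster.activation_status()
    return seen

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `partial` result is the case a defender cares about: an instance that cannot reach the repository keeps enforcing its cached, older policy while the rest of the cluster has moved on, so the change is not reported as activated until that instance is either repaired or taken out of service.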