Configuring High Availability for Oracle Access Manager Components

7 Configuring High Availability for Oracle Access Manager Components

An introduction to Oracle Access Manager and description of how to design and deploy a high availability environment for Access Manager.

Access Manager provides a single authoritative source for all authentication and authorization services. See Introduction to Oracle Access Manager in Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Access Manager Component Architecture

An introduction to primary Access Manager components and architecture.

Figure 7-1 shows the Access Manager component architecture.

Figure 7-1 Access Manager Single Instance Architecture

Description of "Figure 7-1 Access Manager Single Instance Architecture"

Following are the components discussed in the Access Manager Single Instance Architecture:

User agents: Include web browsers, Java applications, and Web services applications. User agents access the Access Server and administration and configuration tools using HTTP.
Protected resources: Application or web page to which access is restricted. WebGates or Custom Agents control access to protected resources.
Administration and configuration tools: Administer and configure Access Manager with Oracle Access Management Console, Oracle Enterprise Manager Fusion Middleware Control and Oracle Enterprise Manager Grid Control, and WebLogic Scripting Tool (WLST).
Access Server: Includes Credential Collector and OAM Proxy components.

Access Manager Component Characteristics

A typical Access Manager deployment consists of system entities such as user agents, protected resources, and access server.

A list of system entities and the characteristics required for an Access Manager deployment:

Access Manager Agents - Access Server extensions that ensure access is controlled according to policies that Access Server manages. Agents require the Access Server component to perform their functions. If Access Server is unavailable, access to protected servers is denied; users are locked out of the system.
Protected Resources (partnered applications) - Applications that Access Manager protects. Access to these resources depends on access control policies in Access Manager and enforced by Access Manager agents deployed in the protected resource's access path.
Access Server - Server side component. Provides core runtime access management services.
JMX Mbeans - Runtime Mbeans are packaged as part of the Access Server package. Config Mbeans are packaged as standalone WAR files.
WebLogic SSPI providers consist of Java classes that implement the SSPI interface along with Access Java Access JDK. AccessGates are built using pure Java Access JDK.
Oracle Access Management Console - Application that hosts Administration Console and provides services to manage Access Manager deployment.
WebLogic Scripting Tool - Java classes included in Access Server package. Limited administration of Access Manager deployment is supported via the command line.
Fusion Middleware Control and Enterprise Manager Grid Control - Access Manager integrates with Enterprise Manager Grid Control to show performance metrics and deployment topology.
Access Manager Proxy - Custom version of Apache MINA server. Includes MessageDrivenBeans and ResourceAdapters in addition to Java Server classes.
Data Repositories - Access Manager handles different types of information including Identity, Policy, Partner, Session and Transient data:
- LDAP for Identity data
- Files for Configuration and Partner data
- Policy data will be stored in files or in an RDBMS
Oracle Access Manager WebGates are C-based agents that are intended to be deployed in web servers.
Oracle Single Sign-On Apache modules are C-based agents that are intended to be deployed in Oracle HTTP Server web servers.

Access Manager Configuration Artifacts

Access Manager configuration artifacts include:

Table 7-1 Access Manager Configuration Artifacts

Configuration Artifact	Description
DOMAIN_HOME/config/fmwconfig/oam-config.xml	Configuration file which contains instance specific information.
DOMAIN_HOME/config/fmwconfig/oam-policy.xml	Policy store information.
DOMAIN_HOME/config/fmwconfig/.oamkeystore	Stores symmetric and asymmetric keys.
DOMAIN_HOME/config/fmwconfig/component_events.xml	Used for audit definition.
DOMAIN_HOME/config/fmwconfig/jazn-data.xml	Administration Console permissions
DOMAIN_HOME/config/fmwconfig/servers/instanceName/logging.xml	Logging configuration. Do not edit this file manually.
DOMAIN_HOME/config/fmwconfig/servers/instanceName/dms_config.xml	Tracing logging. Do not edit this file manually.
DOMAIN_HOME/config/fmwconfig/cwallet.sso	Stores passwords that OAM uses to connect to identity stores, database, and other entities. This is not for end user passwords.
DOMAIN_HOME/output	Stores agent configuration files.

Access Manager External Dependencies

The following table describes Access Manager external runtime dependencies.

Table 7-2 Access Manager External Dependencies

Dependency	Description
LDAP based Identity Store	User Identity Repository LDAP access abstracted by User/Role API. Access Manager always connects to one Identity store: a physical server or a load balancer IP. If the primary down, Access Manager reconnects and expects the load balancer to connect it to the secondary.
OCSP Responder Service	Real-time X.509 Certification Validation
RDBMS Policy Store	Policy (Authentication and Authorization) Repository RDBMS access abstracted by the OAM policy engine
Oracle Identity Manager Policy Store (when Oracle Identity Manager-based password management is enabled)	LDAP Repository containing Oblix Schema elements that are used to store Configuration, Metadata, and so on
Identity Federation	Dependency when Identity Federation Authentication Scheme is selected
OCSP Responder Service	Real-time X.509 Certification Validation

Access Manager Log File Location

You deploy Access Manager on WebLogic Server. Log messages go to the server log file of the WebLogic Server that you deploy it on. The default server log location is:

DOMAIN_HOME/servers/serverName/logs/serverName-diagnostic.log

Access Manager High Availability Concepts

This following sections provide conceptual information about using Access Manager in a high availability two-node cluster.

Access Manager High Availability Architecture

Figure 7-2 shows an Access Manager high availability architecture:

Figure 7-2 Access Manager High Availability Architecture

Description of "Figure 7-2 Access Manager High Availability Architecture"

In Figure 7-2, the hardware load balancer receives incoming authentication requests and routes them to WEBHOST1 or WEBHOST2 in the web tier. These hosts have Oracle HTTP Server installed. Oracle HTTP Server then forwards requests on to the WebLogic managed servers using the WebLogic plugin mod_wl_ohs.conf. See Oracle HTTP Server Configuration.

The load balancing router should use session stickiness for HTTP traffic only.

Applications that other Oracle HTTP Servers access, that in turn have resources with restricted access, must have a WebGate and a custom agent. The WebGate on WEBHOST3 communicates with the Access Servers on OAMHOST1 and OAMHOST2 in the application tier using HTTP REST calls. WEBHOST3 is an application web server, and for authentication, HTTP redirect routes requests to the load balancer and WEBHOST1 and WEBHOST2. For a high availability deployment, you can configure another host (for example, WEBHOST4) with the same components as WEBHOST3.

OAMHOST1 and OAMHOST2 deploy managed servers which host the Oracle Access Server application. These managed servers are configured in a cluster which enables the Access Servers to work in an active-active manner.

The Administration Server runs on OAMHOST1 using a virtual HOSTNAME and contains Oracle Enterprise Manager and the Oracle Access Management Console.

In the directory tier, the virtual IP idstore.example.com routes the IDstore requests to LDAPHOST1 and LDAPHOST2, which comprise an active-active IDStore cluster. For example the virtual IP oud.example.com is set up to route Oracle Unified Directory requests to OUDHOST1 and OUDHOST2, which comprise an active-active Oracle Unified Directory cluster.

An Oracle RAC database provides high availability in the data tier. The Oracle RAC database is configured in a JDBC multi data source or GridLink data source to protect the instance from Oracle RAC node failure.

In Access Manager, only one Access Manager cluster is supported per WebLogic Server domain.

A single instance Access Manager deployment satisfies the following high availability requirements:

Load handling
External connection management and monitoring
Recovery
Fault containment
Fault diagnostics
Administration Server offline

A multiple instance Access Manager deployment satisfies the following additional high availability requirements:

Redundancy
Client connection failover/continuity
Client load balancing
State management

Oracle recommends using an external load balancing router for inbound HTTP connections. Outbound external connections to LDAP Servers (or OAM policy engine PDP/PIP) are load balanced with support for connection failover. Therefore, a load balancer is not required. Access Manager agents, typically WebGates, can load balance connections across multiple Access Servers.

Access Manager agents open persistent TCP connections to the Access Servers. This requires firewall connection timeouts to be sufficiently large to avoid premature termination of TCP connections.

The Access Server and Access Manager Administration Console interface with the OAM policy engine for policy evaluation and management. The OAM policy engine internally depends on a database as the policy repository. The database interactions are encapsulated within the OAM policy engine, with only the connectivity configuration information managed by Access Manager. The high availability characteristics of the interaction between Access Manager and the OAM policy engine are:

The database connection information is configured in the Access Manager configuration file synchronized among the Access Manager instances.
Database communication is managed within the OAM policy engine, and generally decoupled from Access Manager and OAM policy engine interactions. The very first startup of an OAM server instance will fail, however, if the database is unreachable. An OAM policy engine bootstrap failure is treated as fatal by Access Manager, and the startup operation is aborted.
Access Manager policy management interfaces (in the Oracle Access Management Console and the CLI tool) fail if the database is unreachable, as seen by the OAM policy engine management service interfaces. The operation may be retried at a later point in time, but no automated retry is provided for management operations.
Following a successful policy modification in the database repository, the OAM policy engine layer in the OAM server runtimes retrieves and activates the changes within a configurable OAM policy engine database poll interval (configured through Access Manager configuration). A positive acknowledgement of a policy change must be received from each OAM server runtime, otherwise the policy change cannot be considered successfully activated. The administrator can use the Oracle Access Management Console to remove any Access Manager instance with a policy activation failure from service.

Protection from Failures and Expected Behaviors

The WebLogic Server infrastructure protects the Identity Management Service Infrastructure system from all process failures. These features protect an Access Manager high availability configuration from failure

Back channel OAP bindings use a primary/secondary model for failover. Front Channel HTTP bindings use a load balancing router for failover.
If an Access Server fails, a WebGate with a persistent connection to that server waits for the connection to timeout, then it switches over to the secondary (backup) Access Server. Outstanding requests fail over to the secondary server.
Access Manager Access Servers support a heartbeat check. Also, the WebLogic Node Manager on the Managed Server can monitor the application and restart it.
If a WebLogic Server node fails, external connection failover is based on the configuration, the retry timeout, and the number of retries. Access Manager Agent-Access Server failover is based on a timeout.
If the load balancing router or proxy server detects a WebLogic Server node failure, subsequent client connections route to the active instance, which picks up the session state and carries on with processing.
When the lifetime of a connection expires, pending requests complete before the connection terminates. The connection object returns to the pool.
When it receives an exception from another service, Access Manager retries external connection requests. You can configure the number of retries.

WebLogic Server Crash

If a Managed Server fails, Node Manager attempts to restart it locally

Ongoing requests from Oracle HTTP Server timeout and new requests are directed to the other Managed Server. After the server's restart completes on the failed node, Oracle HTTP Server resumes routing any incoming requests to the server.

Note:

Access Manager servers support a heartbeat check to determine if the access server can service its requests. It checks:

Whether the LDAP store can be accessed
Whether the policy store can be accessed

If the heartbeat succeeds, the Access Server can service requests and requests are sent to it. If the heartbeat fails, requests do not route to the Access Server.

Node Failure

Node failures are treated in the same way as WebLogic Server fails.

Database Failure

Multi data sources protect Access Manager service Infrastructure against failures. When an Oracle RAC database instance fails, connections are reestablished with available database instances. The multi data source enables you to configure connections to multiple instances in an Oracle RAC database.

For more on multi data source configuration, see Section 4.1.3, "Using Multi Data Sources with Oracle RAC".

High Availability Directory Structure Prerequisites

A high availability deployment requires product installations and files to reside in specific directories. A standard directory structure facilitates configuration across nodes and product integration.

The following table describes high availability directory structure prerequisites.

Table 7-3 Directory Structure Prerequisites

Directory Requirements

Directory	Requirements
ORACLE_HOME	Each product must have its own ORACLE_HOME. For example, OAM and OIM must go in separate ORACLE_HOME locations. ORACLE_HOME contents must be identical across all nodes. Across all nodes, ORACLE_HOME must: Reside in the file system at the same path Contain identical products Contain identical versions of those products Have identical ORACLE_HOME names Have identical patches installed
DOMAIN_HOME and APPLICATION_DIRECTORY	These directories must have the same path on all nodes. Put these directories in a separate file system location from ORACLE_HOME; do not put these directories in the ORACLE_HOME/`user_projects` directory
`wlsserver`	Each OAM and OIM installation requires its own, separate WebLogic Server installation.

ORACLE_HOME

Each product must have its own ORACLE_HOME. For example, OAM and OIM must go in separate ORACLE_HOME locations.

ORACLE_HOME contents must be identical across all nodes. Across all nodes, ORACLE_HOME must:

Reside in the file system at the same path
Contain identical products
Contain identical versions of those products
Have identical ORACLE_HOME names
Have identical patches installed

DOMAIN_HOME and APPLICATION_DIRECTORY

These directories must have the same path on all nodes.

Put these directories in a separate file system location from ORACLE_HOME; do not put these directories in the ORACLE_HOME/user_projects directory

wlsserver

Each OAM and OIM installation requires its own, separate WebLogic Server installation.

You have three options to set up the high availability directory structure:

Use shared storage to store ORACLE_HOME directories. Oracle recommends this option. Use a NFS exported by a NAS, or a cluster file system pointing to a SAN/NAS.
Use local storage and run all installation, upgrade, and patching procedures on one node, then replicate to other nodes (using rsync, for example.)
Use local storage and repeat all installation and patch procedures on each node.

Access Manager High Availability Configuration Steps

This section provides high-level instructions to set up a high availability deployment for Access Manager. This deployment includes two Oracle HTTP Servers, which distribute requests to two OAM servers. These OAM servers interact with an Oracle Real Application Clusters (Oracle RAC) database and, optionally, an external LDAP store. If any single component fails, the remaining components continue to function.

See Using Dynamic Clusters.

Access Manager Configuration Prerequisites

Before you configure Access Manager for high availability, you must:

Install Oracle WebLogic Server on OAMHOST1 and OAMHOST2. See Installing Oracle WebLogic Server.
Install the Oracle Identity Management executables on OAMHOST1 and OAMHOST2. See the Installing and Configuring the Access Manager Application Tier.
Run the Repository Creation Utility to create the Access Manager schemas in a database. See Running the Repository Creation Utility to Create the Database Schemas.
Ensure that a highly available LDAP implementation is available.

For example,

Install the Infrastructure jar, jdk17.0.12 or jdk21.0.4/bin/java -jar fmw_14.1.2.0.0_infrastructure.jar and change the default installation directory path manually from /tmp/Middleware/ORACLE_HOME to /tmp/Middleware/
Install IDM jar, jdk17.0.12 or jdk21.0.4/bin/java -jar fmw_14.1.2.1.0_idm_generic.jar and choose /tmp/Middleware/ as the installation directory.
Run RCU located at /tmp/Middleware/oracle_common/bin/rcu

Running the Repository Creation Utility to Create the Database Schemas

The schemas you create depend on the products you want to install and configure. See Starting the Repository Creation Utility to run RCU.

For more information, see Planning an Installation of Oracle Fusion Middleware and Creating Schemas with the Repository Creation Utility.

Installing Oracle WebLogic Server

To install Oracle WebLogic Server, see Installing and Configuring Oracle WebLogic Server and Coherence.

Note:

On 64-bit platforms, when you install Oracle WebLogic Server using the generic jar file, JDK is not installed with Oracle WebLogic Server. You must install JDK separately, before installing Oracle WebLogic Server.

Installing and Configuring the Access Manager Application Tier

See Installing and Configuring the Oracle Access Management Software in Installing and Configuring Oracle Identity and Access Management.

Starting OAMHOST1

The following sections describe the steps for starting OAMHOST1.

Start Node Manager

If Node Manager is not running, start it by running the following command on OAMHOST1:
```
ORACLE_HOME/user_projects/domains/domainName/bin/startNodeManager.sh
```

Start Access Manager on OAMHOST1

To start Access Manager on OAMHOST1, follow these steps:

Log into the WebLogic Remote Console using this URL using WebLogic administrator credentials:
Note:

Before you can start WebLogic Hosted Console, you must have deployed it. See Deploy Hosted WebLogic Remote Console.
```
for HTTP:
http://hostname:port/rconsole
or for HTTPS:
 https://hostname:port/rconsole
```
Start the WLS_OAM1 Managed Server using the WebLogic Server Remote Console, as follows:
1. In the Monitoring Tree, go to Environment.
2. Click Servers.
3. Select WLS_OAM1, and then click Start.
4. Then select OAM_POLICY_MGR1, and then click Start.

Validating OAMHOST1

Validate the implementation by connecting to the OAM server:

http://OAMHOST1.example.com:14150/access
http://OAMHOST1.example.com:14100/oam/server/logout

The implementation is valid if an OAM logout successful page opens.

Configuring OAM on OAMHOST2

After configuration succeeds on OAMHOST1, propagate it to OAMHOST2. Pack the domain using the pack script on OAMHOST1 and unpack it with the unpack script on OAMHOST2.

Both scripts reside in the ORACLE_HOME/oracle_common/common/bin directory.

On OAMHOST1, enter:

pack.sh -domain=$ORACLE_HOME/user_projects/domains/IDM_Domain \
    -template=/tmp/idm_domain.jar -template_name="OAM Domain" -managed=true

This creates a file called idm_domain.jar in the /tmp directory. Copy this file to OAMHOST2.

On OAMHOST2, enter:

unpack.sh -domain=$ORACLE_HOME/user_projects/domains/IDM_Domain \
    -template=/tmp/idm_domain.jar

Starting OAMHOST2

This following sections describe the steps for starting OAMHOST2. Steps include the following:

Start Node Manager

Start Node Manager by issuing the following command:

/u01/oracle/config/domains/access/startNodeManager.sh

Start Access Manager on OAMHOST2

To start Access Manager on OAMHOST2:

Log into the WebLogic Remote Console using this URL:
```
http://hostname:port/rconsole
```
Supply the WebLogic administrator username and password.
In the Monitoring Tree, go to Environment, then Servers.
Click the server WLS_OAM2.
Click Start.

Validating OAMHOST2

Validate the implementation by connecting to the OAM server:

http://OAMHOST2.example.com:14150/access
http://OAMHOST2.example.com:14100/oam/server/logout

The implementation is valid if an OAM logout successful page opens.

Configuring Access Manager to Work with Oracle HTTP Server

Complete the subsequent procedures to configure Access Manager to work with Oracle HTTP Server.

Update Oracle HTTP Server Configuration

On WEBHOST1 and WEBHOST2, create a file named oam.conf in this directory:

OHSDOMAIN/config/fmwconfig/components/OHS/<instancename>/moduleconf/

Create the file and add the following lines:

NameVirtualHost *:7777
<VirtualHost *:7777>
 
    ServerName login.example.com:7777
    ServerAdmin you@your.address
    RewriteEngine On
    RewriteOptions inherit

    <Location /oam>
        SetHandler weblogic-handler
        Debug ON
        WLLogFile /tmp/weblogic.log
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WLCookieName OAM_JSESSIONID
        WebLogicCluster OAMHOST1.example.com:14100,OAMHOST2.example.com:14100
    </Location>

    <Location /oamfed>
        SetHandler weblogic-handler
        Debug ON
        WLLogFile /tmp/weblogic.log
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WLCookieName OAM_JSESSIONID
        WebLogicCluster OAMHOST1.example.com:14100,OAMHOST2.example.com:14100
        
    </Location>

    <Location /sts>
        SetHandler weblogic-handler
        WLLogFile /tmp/weblogic.log
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WLCookieName OAM_JSESSIONID
        WebLogicCluster OAMHOST1.example.com:14100,OAMHOST2.example.com:14100
        
    </Location>

    <Location /access>
        SetHandler weblogic-handler
        Debug ON
        WLLogFile /tmp/weblogic.log
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WLCookieName OAM_JSESSIONID
        WebLogicCluster amahost1.example.com:14150,amahost2.example.com:14150
        

    <Location /oamsso>
        SetHandler weblogic-handler
        Debug ON
        WLLogFile /tmp/weblogic.log
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WLCookieName OAM_JSESSIONID
        WebLogicCluster oam_policy_mgr1.example.com:14100,oam_policy_
         mgr2.example.com:14100
        
    </Location>

</VirtualHost>

Restart Oracle HTTP Server

Restart the Oracle HTTP Server on WEBHOST1:

OHSDOMAIN/bin/stopComponent.sh ohs1
OHSDOMAIN/bin/startComponent.sh ohs1

Restart the Oracle HTTP Server on WEBHOST2:

OHSDOMAIN/bin/stopComponent.sh ohs2
OHSDOMAIN/bin/startComponent.sh ohs2

Make OAM Server Aware of the Load Balancer

By default, Access Manager sends requests to the login page on the local server. In a high availability deployment, you must change this setup so that login page requests go to the load balancer.

To make Access Manager aware of the load balancer:

Log into the Oracle Access Management Console at this URL as the weblogic user:
```
http://OAMHOST1.example.com:7001/oamconsole
```
Click on the Configuration tab.
Click the Access Manager Settings link.
Enter the following information:
- OAM Server Host: login.example.com
- OAM Server Port: 7777
- OAM Server Protocol: http(s)
Click Apply.
Restart managed servers WLS_OAM1 and WLS_OAM2.

Configuring Access Manager to use an External LDAP Store

By default, Access Manager uses its own in built-in LDAP server. In a highly available environment, Oracle recommends an external LDAP directory as the directory store.

Note:

Oracle recommends that you back up the environment and LDAP store before following this procedure.

Extending Directory Schema for Access Manager

Pre-configuring the Identity Store extends the schema in the backend directory regardless of directory type. To extend the directory schema for Access Manager, see Integrating Oracle Access Manager and LDAP in the Integration Guide for Oracle Identity Management Suite.

Integrating Oracle Access Manager and LDAP

To add users that Access Manager requires to the Identity Store, follow these steps in Integrating Oracle Access Manager and LDAP in the Integration Guide for Oracle Identity Management Suite.

Adding LDAP Groups to WebLogic Administrators

Access Manager requires access to MBeans stored within the administration server. In order for LDAP users to be able to log in to the WebLogic Remote Console and Fusion Middleware control, they must be assigned the WebLogic Administration rights. In order for Access Manager to invoke these Mbeans, users in the OAMAdministrators group must have WebLogic Administration rights.

When Single Sign-on is implemented, provide the LDAP group IDM Administrators with WebLogic administration rights, so that you can log in using one of these accounts and perform WebLogic administrative actions.

To add the LDAP Groups OAMAdministrators and WLSAdmins to the WebLogic Administrators:

Login to Weblogic Remote Console.
Click on Security Data Tree.
From the left pane, expand Realms > myrealm > Role Mappers > XACMLRoleMapper > Global > Roles
Click the Admin role.
Click on Add Condition and select Group in Predicate List.
Specify OAMAdministrators for Group Argument Name and click OK.
If you have the WLSAdmins LDAP group, then repeat step 5 and 6 for WLSAdmins group.
If you have the OAMAdministrators LDAP group, then repeat step 5 and 6 for OAMAdministrators group.
Click Save to finish adding the Admin role(s).

Validating the Access Manager Configuration

Validate the configuration by logging into the Oracle Access Management Console at http://OAMHOST1.example.com:7001/oamconsole as oamadmin.

See Adding LDAP Groups to WebLogic Administrators

Scaling Up Access Manager Topology

You scale up to add a new Access Manager managed server to a node already running one or more server instances.

Scaling Up Access Manager

To scale up OAM:

Log in to the Administration Console at http://hostname.example.com:7001/console. From the Domain Structure window, expand the Environment node and then Servers.
In the Change Center, click Lock & Edit.
Select a server on the host you want to extend, for example: WLS_OAM1.
Click Clone.
Enter the following information:
- Server Name: A new name for the server, for example: WLS_OAM3.
- Server Listen Address: The name of the host on which the managed server will run.
- Server Listen Port: The port the new managed server will use, this port must be unique within the host.
Click OK.
Click on the newly created server WLS_OAM3
Set the SSL listen port. This should be unique on the host that the managed server will run on.

Note:

Enable the SSL listen port 14101.
Click Save.
Disable hostname verification for the new managed server. You must do this before you start and verify the WLS_OAM3 Managed Server. You can re-enable it after you configure server certificates for the communication between the Administration Server and Node Manager in OAMHOSTn.

If the source server from which the new one was cloned had already disabled hostname verification, you do not need to take this step because the hostname verification settings propagated to the cloned server.

To disable hostname verification, set Hostname Verification to None then click Save.
Click Activate configuration from the Change Center menu.

Registering the New Managed Server

To configure the new managed server as an OAM server, use the Oracle Access Management Console:

Log in to the Oracle Access Management Console as the oamadmin user at http://oamhost1.example.com:7001/oamconsole
Click the Configuration tab. Click Server Instances.
Select Create from the Actions menu.
Enter the following information:
- Server Name: WLS_OAM3
- Host: Host that the server will run on
- Port: Listen port that was assigned when the managed server was created, for example, 14100
- Proxy Server ID: AccessServerConfigProxy
- Port: Port you want the OAM proxy to run on. This is unique for the host, for example, 5575
- Mode: Open
Click Apply when a prompt requests that you confirm the edit.
Ensure that the OAM_ORACLE_HOME property <ORACLE_HOME>/oam is set while starting server nodes (OAM1, OAM2 etc). In this environment, startWeblogic script is edited to pass -DOAM_ORACLE_HOME=<ORACLE_HOME>/oam while starting the Java process.

Configuring WebGate with the New OAM Managed Server

To configure the WebGate with the new OAM Managed Server, take these steps:

Verify that Node Manager is running on the new Access Server WLS_OAM3.
Start the Managed Server using the Administration Console. See the Start the Managed Server
Inform WebGates about the new Managed Server. See Inform WebGates of the New Managed Server

Start the Managed Server

To start the Managed Server using the Administration Console:

Change to the directory to OAM Domain HOME. For example, DOMAIN_HOME/bin

Start the Managed Server. For example, enter:

./startManagedWebLogic.sh WLS_OAM3 http://hostname:7001

At the prompt, enter the WebLogic username and password. Click Enter.
Verify that the Managed Server is running. Check the startManagedWebLogic logs, or click Servers under Environment in the Administration Console to view the Summary page. Refresh the page to see updates.

Inform WebGates of the New Managed Server

To inform any WebGates about the new Managed Server:

Log in to the Oracle Access Management Console at http://OAMHOST1.example.com:7001/oamconsole as the oamadmin user.
Click Application Security tab, click Agents to open SSO Agents page.
On the SSO Agents page, click Search.
Click Search.
Click the WebGate you want to change.
Add the new server to either the primary or secondary server list by clicking the Add + icon.
Select the server name from the list.
Click Apply

Note:

Repeat this procedure to inform all the configured WebGate Agents.

Scaling Out Access Manager

You scale out to add a new Access Manager managed server to a new node. Scale out is very similar to scale up, but requires the software to be installed on the new node.

Install Oracle WebLogic Server on the new host. See Installing Oracle WebLogic Server.
Install Identity Management components on the new host. See Installing and Configuring the Access Manager Application Tier.
Log in to the Administration Console at http://hostname.example.com:7001/oamconsole.
From the Domain Structure window of the Administration Console, expand the Environment node and then Machines.
From the Machines table, click New.
At the Create a New Machine screen labeled Machine Identity, enter the following information:
- Name: New node host name, for example, host.example.com
- Machine OS: Select operating system, for example, UNIX
Click Next.
In the Create New Machine screen labeled Node Manager Properties, enter this information
- Type: Keep the default SSL
- Listen Address: Replace localhost with the hostname that WLS_OAM3 will run on.
- Port: Verify that the Listen Port matches the Node Manager port that will run on the other node, for example, WLS_OAM3.
Click Finish.
From the Domain Structure expand Servers.
Select a server on the host you want to extend, for example: WLS_OAM1.
Click Clone.
From the Clone a Server screen labeled Server Identity enter the following:
- Server Name: New name for the server, for example WLS_OAM3.
- Server Listen Address: Name of the host the Managed Server will run on.
- Server Listen Port: Port the new managed server will use. This port must be unique within the host.
Click OK.
From the Servers table, click the new clone you just created, for example WLS_OAM3.
From the Machine option, assign the server to the new machine name you just created. This is the machine that the Managed Server will run on.
Click Save.
Click on the SSL tab.
Click Advanced.
Set Hostname Verification to None.
Click Save.

Run pack.sh and unpack.sh scripts located at ORACLE_HOME/oracle_common/common/bin to pack the domain on OAMHOST1 and unpack it on the new host respectively.

pack.sh -domain=ORACLE_HOME/user_projects/domains/domainName -template =/tmp/idm_domain.jar -template_name="OAM Domain" 
unpack.sh -domain=ORACLE_HOME/user_projects/domains/domainName -template =/tmp/idm_domain.jar

Registering the Managed Server with OAM

Note:

This is only required if you are using legacy communication between your WebGates and OAM Servers. If you are using OAP over REST, then this step is not required.

To register the new managed server as an OAM server:

Log in to the Oracle Access Management Console at http://OAMHOST1.example.com:7001/oamconsole as the oamadmin user.
Click the Configuration tab. Click Server Instances.
Select Create from the Actions menu.
Enter the following information:
- Server Name: Enter the same server name you entered while cloning the OAM server node in the WebLogic Remote Console.
- Host: Host that the server will run on, OAMHOST3.
- Port: Listen port that was assigned when you created the managed server.
- OAM Proxy Port: Port you want the OAM proxy to run on. This is unique for the host.
- Proxy Server ID: AccessServerConfigProxy
- Mode: Select the appropriate mode: Open or Cert.
Click Apply.

Edit oam-config.xml as described in Modifying OAM Configuration Properties ] to set the IP range of nodes that get added dynamically.

The Settings Map for the following example is SetWellKnownAddress>AuthorizedSubnets >Range1 >From [value of start ip range]]>To [value of end ip range].

<Setting Name="AuthorizedSubnets" Type="htf:map">
<Setting Name="Range1" Type="htf:map">
<Setting Name="From" Type="htf:map">
<Setting Name="Key"
Type="xsd:string">oam.coherence.auth.range.from.1</Setting>
<Setting Name="Value"
Type="xsd:string">10.229.139.20</Setting>
</Setting>
<Setting Name="To" Type="htf:map">
<Setting Name="Key"
Type="xsd:string">oam.coherence.auth.range.to.1</Setting>
<Setting Name="Value"
Type="xsd:string">10.229.139.40</Setting>
</Setting>
</Setting>
</Setting>

Ensure that the OAM_ORACLE_HOME property <ORACLE_HOME>/oam is set while starting server nodes (OAM1, OAM2 etc). In this environment, startWeblogic script is edited to pass -DOAM_ORACLE_HOME=<ORACLE_HOME>/oam while starting the Java process.

Configuring WebGate with the New OAM Access Server

Note:

This is only required if you are using legacy communication between your WebGates and OAM Servers. If you are using OAP over REST, then this step is not required.

Start the Access Server. To use the server, you must inform any WebGates of its existence:

Log in to the Oracle Access Management Console at http://OAMHOST1.example.com:7001/oamconsole as the oamadmin user.
Click Application Security tab.
Click Agents to open SSO Agents page
On the SSO Agents page, click Search.
Click the WebGate you want to change.
Under the Server Lists section, add the new OAM Access Server WLS_OAM3 to either the primary or secondary server list by clicking the Add [+] icon.
Select the server name from the list.
Click Apply.

Verifying the WebGate Configuration is Updated

To verify the WebGate configuration

Log into the Web server where the WebGate was updated previously.
Go to the directory OHSDomain/config/fmwconfig/components/OHS/<instancename>/webgate/config
Open ObAccessClient.xml with a text editor. Verify that primary_server_list or secondary_server_list shows that the new OAM Access Server is updated.

Note:

If the WebGate configuration does not update, recycle the web server, which pulls Webgate Agent profile updates to the ObAccessClient.xml file.

Editing Oracle HTTP Server Configuration File

Now that you created and started the new Managed Server, the web tier starts to direct requests to it. However, Oracle recommends informing the web server about the new Managed Server.

In the Web tier, there are several configuration files including admin_vh.conf, sso_vh.conf and igdinternal_vh.conf reside in the directory: ORACLE_INSTANCE/config/OHS/component name/moduleconf. Each contain a number of entries in location blocks. If a block references two server instances and you add a third one, you must update that block with the new server.

Add the new server to the WebLogicCluster directive in the file. For example, change:

<Location /oam>
   SetHandler weblogic-handler
   WebLogicCluster OAMHOST1.example.com:14100,OAMHOST2.example.com:14100
</Location>

to:

<Location /oam>
   SetHandler weblogic-handler
   WebLogicCluster OAMHOST1.example.com:14100,OAMHOST2.example.com:14100,OAMHOST1.example.com:14101
</Location>

Deploying Oracle Identity and Access Management Cluster with Unicast Configuration

If multicast IP is disabled in deployment environment then you can deploy Oracle Identity and Access Management cluster with Unicast configuration.

In your deployment environment, if multicast IP is disabled because of security reasons or if you are using cloud Infrastructure for deployment, it is not feasible to deploy Oracle Identity and Access Management with the default configuration (multicast). It is not feasible because Oracle Identity and Access Management uses EH cache, which depends on JavaGroup or JGroup library and supports multicast configuration as default for messages broadcasting.

To perform unicast configuration for EH cache, complete the following steps:

Get the list of host machines and available port to prepare the below JGroup configuration.

Example:

connect=TCP(bind_port=7800): TCPPING(initial_hosts=<Node1 IP>[7800],<Node2 IP>[7800];port_range=10;timeout=3000; num_initial_members=3): pbcast.NAKACK(use_mcast_xmit=false;retransmit_timeout=10000):pbcast.GMS(print_local_addr=true;join_timeout=3000)

In the EM Console, expand Identity and Access and click OIM.
Right-click on oim(version_number) and select System MBean Browser.

Where, version_number is the current version number of Oracle Identity and Access Management.
Expand oracle.iam, click Server:oim, click Application:oim, select XMLConfig, click Config, then select XMLConfig.CacheConfig, and click Cache.
In the right pane, go to the Attributes tab, set the Clustered attribute value to true.
In the left pane, expand the Cache folder, select XMLConfig.CacheConfig.XLCacheProvider, and then click XLCacheProvider.
In the right pane, go to the Attributes tab, set the MulticastAddress: value to empty and the MulicastConfig attribute value to the equivalent JGroup string you identified in Step 1.
In oracle.iam, click Server:oim, select Application:oim, click XMLConfig, select Config, click XMLConfig.DeploymentConfig, select DeploymentConfig, click Application Defined MBeans: XMLConfig.DeploymentConfig:DeploymentConfig, and specify the Deployment Config Deployment Mode value as cluster.
Click Apply.
For using unicast IPV4, verify if the JVM property is set in the SetDomainEnv script on all the nodes. If not, set the JVM property, and then add the following parameters to the SetDomainEnv script:
```
EXTRA_JAVA_PROPERTIES="-Djava.net.preferIPv4Stack=true ${EXTRA_JAVA_PROPERTIES}"
```
```
export EXTRA_JAVA_PROPERTIES
```
Restart all the Oracle Identity and Access Management Managed Servers.