Managing Server Registration

6 Managing Server Registration

Managed server instances must be registered in order to interact with Oracle Access Management. (In this book, these managed servers are referred to as OAM Servers.) Accomplish this registration task using the Oracle Access Management Console.

You need to familiarize yourself with the following topics to manage server registrations:

6.1 Before You Register

Ensure that the environment meets the requirements before you register.

The following environmental considerations should be met:

A new Managed Server has been added to the domain using either the Oracle WebLogic Server Administration Console or WLST commands.
The Oracle JRF Template was applied to the Managed Server (or cluster) if needed.

See Oracle Fusion Middleware Administrator's Guide.

Oracle recommends that you review the following topic:

See Understanding OAM Server Registration and Management.

6.2 Understanding OAM Server Registration and Management

The Oracle Access Management Console is a Java EE application that must be installed and run on the same computer as the WebLogic Administration Server. Other key applications that run on the WebLogic Administration Server include the WebLogic Server Administration Console and Enterprise Manager for Fusion Middleware Control.

The Oracle Access Management Console might be referred to as the OAM Administration Server. However, this is not a peer of the OAM Server deployed on a WebLogic Managed Server.

The Oracle Access Management runtime instance deployed on Oracle WebLogic Managed Servers is referred to as an OAM Server. Each OAM Server must be registered with Access Manager to enable communication with registered agents during authentication, authorization, and resource access.

Administrators can extend the WebLogic Server domain and add more OAM Server instances whenever needed, using either:

The WebLogic Server Administration Console, after which you manually register the OAM Server instance using the Oracle Access Management Console
The WebLogic Configuration Wizard
Customized Oracle WebLogic Scripting Tool (WLST) commands. See Customization Commands in WLST Command Reference for WebLogic Server

The last two methods automatically register the OAM Server instance, which appears in the Oracle Access Management Console; no additional steps are required.

This section introduces OAM Server instance registration and management using the Oracle Access Management Console:

6.2.1 About Individual OAM Server Registrations

Administrators can add one or more Managed Servers to the WebLogic Server domain for Oracle Access Management.

When using the WebLogic Configuration Wizard, the OAM Server is automatically registered. However, if the configuration wizard was not used, the OAM Server must be registered manually to open a communication channel.

Alternatively. You can use custom WLST commands for OAM to display, edit, or delete a server registration Any changes are automatically propagated to the Oracle Access Management Console and to every OAM Server in the cluster.

See Also:

Customization Commands in WLST Command Reference for WebLogic Server

Only OAM Servers are registered with Oracle Access Management. The Oracle Access Management Console (on the WebLogic Administration Server) is not registered with itself.

Regardless of the method used to register an OAM Server, details for each instance are located on the System Configuration tab, Common Configuration section in the Oracle Access Management Console, including:

Server name, Host, Port

Administrators can search for a specific instance registration, register a newly installed OAM Server, view, modify, or delete server registrations using the Oracle Access Management Console. For more information, see "OAM Server Registration Page".

6.2.2 About Communication Between OAM Servers and WebGates

The OAM Server communication mode can be changed after a successful agent registration. The Webgate mode needs to be at the same level as the OAM Server mode or higher for the server to continue communicating with the agent.

Communication modes for the OAP channel include:

Open: Use this unencrypted mode if communication security is not an issue in your deployment.
Simple: Use this Oracle-signed certificate mode if you have some security concerns, such as not wanting to transmit passwords as plain text, but you do not manage your own Certificate Authority (CA).
Cert: Use if you want different certificates on OAM Servers and WebGates and you have access to a trusted third-party CA.
HTTP: This mode is auto configured in WebGate user defined parameters (based on the settings in WebGate Load Balancer of Access Manager Settings page). Use this unencrypted communication mode if the paramter OAMServerCommunicationMode is set to HTTP. It is a user defined configuration parameter.
HTTPS: This mode is auto configured in WebGate user defined parameters (based on the settings in WebGate Load Balancer of Access Manager Settings page). Use this encrypted communication mode if the paramter OAMServerCommunicationMode is set to HTTPS. It is a user defined configuration parameter.

On each individual OAM Server registration, the security mode is defined on the Proxy tab, as described in "OAM Server Registration Page".

Simple and Cert modes also require:

Security passwords that are common to all OAM Servers and WebGates, as described in "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security".
Appropriately signed X.509 digital certificates, as described in Securing Communication.

At least one OAM Server instance must be running in the same mode as the agent during agent registration. Otherwise, agent registration fails. After agent registration, however, you can change the communication mode of the OAM Server. Communication between the agent and server would continue to work as long as the Webgate mode is at least at the same level as the OAM Server mode or higher. The agent mode can be higher but cannot be lower. For example, of OAM Server mode is Open, agents can communicate in any of the three modes. If OAM Server mode is Simple, agents can use Simple or Cert mode. If OAM Server mode is Cert, agents must use Cert mode.

See Also:

Securing Communication

6.2.3 Conditions Requiring Server Restart

Most Oracle Access Management functional services take up changes made through the Oracle Access Management Console without restarting OAM Server.

Table 6-1 identifies conditions that do require a server restart.

Table 6-1 Conditions Requiring Server Restart

Event	Description
Load balancer server definition	A change requires an OAM Server restart.
Managed Server port number	A change requires an OAM Server restart.
New Managed Server	Adding a new managed server to the cluster requires restarting the AdminServer to policy enable uptake.

6.3 Managing Individual OAM Server Registrations

OAM Server instances can be registered and managed using the Oracle Access Management Console.

Topics here include:

6.3.1 OAM Server Registration Page

Users with valid Administrator credentials can register a freshly installed Managed Server (OAM Server instance) or modify an existing OAM Server registration using the Oracle Access Management Console.

Alternatively: You can use custom WLST commands to register and manage OAM Server instances. Changes are reflected in the Oracle Access Management Console and are automatically propagated to every OAM Server in the cluster.

See Also:

Access Manager WLST Commands in WebLogic Scripting Tool Command Reference for Identity and Access Management

Figure 6-1 illustrates a typical OAM Server registration page when viewed within the Oracle Access Management Console. To access the OAM Server registration page using the Oracle Access Management Console, click Configuration in the top right of the console and then click the Server Instances link on the Configuration page. From the resulting Server Instances search page, click Create in the Search Results table to display the Create: OAM Server page. See Registering a Fresh OAM Server Instance for details on how to configure this page.

Figure 6-1 OAM Server Registration Page with Proxy Tab Displayed

Description of "Figure 6-1 OAM Server Registration Page with Proxy Tab Displayed "

Individual server registration settings are described in Table 6-2.

Table 6-2 OAM Server Instance Settings

Element	Definition
Server name	The identifying name for this server instance, which was defined during initial deployment in the WebLogic Server domain.
Host	The full DNS name (or IP address) of the computer hosting the server instance. For example: host2.domain.com.
Port	The port on which this server communicates (listens and responds). Default: 5575 Note: If both the SSL and Open ports of the Managed Server are enabled, then the Managed Server is set to the SSL port by default. If you must use the non-SSL port, the credential collector URL of the authentication scheme must be set to the absolute URL which points to `http` as the protocol and non-SSL port. See Also: Securing Communication

6.3.1.1 OAM Proxy Settings

An integrated proxy server (OAM Proxy) is installed with each Managed Server for OAM Server.

Each OAM Proxy instance requires a different port. The proxy starts listening when the application starts. Registered access clients can immediately communicate with the proxy.

The OAM Proxy handles both configuration and run-time events. Each OAM Proxy can accept requests from multiple access clients concurrently. Each OAM Proxy enables access clients to interact with Access Manager.

Note:

For Access Clients, Access Manager provides authentication and authorization functionality only. Policy modification through Access Clients is not supported.

OAM Proxy settings are documented in Table 6-3.

Table 6-3 OAM Proxy Settings for an Individual OAM Server

OAM Proxy Setting	Value
Port	The unique port on which this OAM Proxy instance is listening. On a default installation, the port is 5575.
Proxy Server ID	The identifier of the computer on which the OAM Proxy (and this OAM Server instance) resides. DNS hostname is preferred; however, you can use any valid and relevant string. On a default installation, the Proxy Server ID is AccessServerConfigProxy.
Mode	OAM channel transport security for the OAM Proxy can be one of the following (the agent mode must match during registration and can be higher after registration): Open: No encryption. Simple: The data passed between the OAM Agent and OAM Server is encrypted using OAM self-signed certificates. Before specifying Simple mode, you must specify the global passphrase. Cert: The data between the OAM Agent and OAM Server is encrypted using Certificate Authority (CA) signed X.509 certificates. Note: Before specifying Cert mode, you must acquire signed certificates from a trusted third party Certificate Authority. On a default installation, the Mode is Open. Note: Simple and Cert transport security modes are governed by information defined on the OAM Server Common Properties OAM Proxy tab, as described in "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security". See Also: Securing Communication if you are configuring Simple or Cert transport security modes.

OAM Proxy Setting

Value

Port

The unique port on which this OAM Proxy instance is listening.

On a default installation, the port is 5575.

Proxy Server ID

The identifier of the computer on which the OAM Proxy (and this OAM Server instance) resides. DNS hostname is preferred; however, you can use any valid and relevant string.

On a default installation, the Proxy Server ID is AccessServerConfigProxy.

Mode

OAM channel transport security for the OAM Proxy can be one of the following (the agent mode must match during registration and can be higher after registration):

Open: No encryption.
Simple: The data passed between the OAM Agent and OAM Server is encrypted using OAM self-signed certificates.

Before specifying Simple mode, you must specify the global passphrase.
Cert: The data between the OAM Agent and OAM Server is encrypted using Certificate Authority (CA) signed X.509 certificates.

Note: Before specifying Cert mode, you must acquire signed certificates from a trusted third party Certificate Authority.

On a default installation, the Mode is Open.

Note: Simple and Cert transport security modes are governed by information defined on the OAM Server Common Properties OAM Proxy tab, as described in "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security".

See Also: Securing Communication if you are configuring Simple or Cert transport security modes.

OAM Proxy Logging: Oracle Access Management services use the same logging infrastructure as any other Oracle Fusion Middleware component, as described in Auditing Administrative and Run-time Events. However, OAM Proxy uses Apache log4j for logging.

6.3.2 Registering a Fresh OAM Server Instance

Users with valid Administrator credentials can register a new Managed Server (OAM Server) instance using the Oracle Access Management Console. Each OAM Server must be registered to communicate with agents.

Before you begin, the new Managed Server instance must be configured in the Oracle WebLogic Server domain, but not yet started.

Install the new Managed Server instance and configure it in the Oracle WebLogic Server domain, but do not start this instance.
Log in to the Oracle Access Management Console and click Configuration in the top bar.
In the Configuration console, click Server Instances.
In the tab that appears, click Create OAM Server.

The OAM Server registration page illustrated in Figure 6-1 is displayed.
On the Create: OAM Server page, enter details for your instance, as described in Table 6-2:
- Server name
- Host
- Port
Proxy: Enter or select details for this OAM Proxy instance.
- Port
- Proxy Server ID
- Mode (Open, Simple, or Cert)
  
  See Also:
  
  Securing Communication if you are using Simple or Cert mode
Click Apply to submit the configuration, which should appear in the navigation tree (or close the page without applying changes).
Start the newly registered server.

See Also:

6.3.3 Viewing or Editing Individual OAM Server Registrations and Proxy Settings

Users with valid Administrator credentials can view or modify settings for an individual server instance using the Oracle Access Management Console. For instance, you might need to change the listening port or the Proxy communication transport security mode.

Changes made are immediately visible in the Oracle Access Management Console and propagated to all OAM Servers in the cluster.

See Also:

"OAM Server Registration Page"
Access Manager WLST Commands in WebLogic Scripting Tool Command Reference for Identity and Access Management
Movement Scripts in Administering Oracle Fusion Middleware

At the top of the Oracle Access Management Console, click Configuration.
In the Configuration console, click Server Instances.
In the page that appears, click Search, then double-click the target instance to display its configuration, and then proceed as follows:
- View Only: Close the page when you finish viewing details.
- Modify: Perform remaining steps to edit the configuration.
On the OAM Server page, change details for your instance, as described in Table 6-2.
Proxy: Change details for this OAM Proxy instance, as described in Table 6-3.

See Also:

Securing Communication if you are using Simple or Cert mode
Click Apply to submit the changes (or close the page without applying change).

6.3.4 Deleting an Individual Server Registration

Users with valid Administrator credentials can delete an OAM server registration, effectively disabling it.

To delete:

At the top of the Oracle Access Management console, click Configuration.
In the Configuration console, click Server Instances.
In the tab that appears, double-click the target instance to confirm its details, then close the tab.
In the list of instances, select the target instance, click Delete in the tool bar, and confirm removal in the dialog that appears.
Confirm that the instance has been removed from the instance list.
Remove the deleted instance from the WebLogic Server Administration Console.

The Node Manager on Managed Server host handles the rest automatically.