6 Managing Server Registration
You need to familiarize yourself with the following topics to manage server registrations:
6.1 Before You Register
Ensure that the environment meets the requirements before you register.
The following environmental considerations should be met:
- A new Managed Server has been added to the domain using either the Oracle WebLogic Server Administration Console or WLST commands.
- The Oracle JRF Template was applied to the Managed Server (or cluster) if needed.
See Oracle Fusion Middleware Administrator's Guide.
Oracle recommends that you review the following topic:
6.2 Understanding OAM Server Registration and Management
The Oracle Access Management Console is a Java EE application that must be installed and run on the same computer as the WebLogic Administration Server. Other key applications that run on the WebLogic Administration Server include the WebLogic Server Administration Console and Enterprise Manager for Fusion Middleware Control.
The Oracle Access Management Console might be referred to as the OAM Administration Server. However, this is not a peer of the OAM Server deployed on a WebLogic Managed Server.
The Oracle Access Management runtime instance deployed on Oracle WebLogic Managed Servers is referred to as an OAM Server. Each OAM Server must be registered with Access Manager to enable communication with registered agents during authentication, authorization, and resource access.
Administrators can extend the WebLogic Server domain and add more OAM Server instances whenever needed, using either:
- The WebLogic Server Administration Console, after which you manually register the OAM Server instance using the Oracle Access Management Console
- The WebLogic Configuration Wizard
- Customized Oracle WebLogic Scripting Tool (WLST) commands. See Customization Commands in WLST Command Reference for WebLogic Server
The last two methods automatically register the OAM Server instance, which appears in the Oracle Access Management Console; no additional steps are required.
This section introduces OAM Server instance registration and management using the Oracle Access Management Console:
6.2.1 About Individual OAM Server Registrations
Administrators can add one or more Managed Servers to the WebLogic Server domain for Oracle Access Management.
When using the WebLogic Configuration Wizard, the OAM Server is automatically registered. However, if the configuration wizard was not used, the OAM Server must be registered manually to open a communication channel.
Alternatively, you can use custom WLST commands for OAM to display, edit, or delete a server registration. Any changes are automatically propagated to the Oracle Access Management Console and to every OAM Server in the cluster.
See Also:
Customization Commands in WLST Command Reference for WebLogic Server
Only OAM Servers are registered with Oracle Access Management. The Oracle Access Management Console (on the WebLogic Administration Server) is not registered with itself.
Regardless of the method used to register an OAM Server, details for each instance are located on the System Configuration tab, Common Configuration section in the Oracle Access Management Console, including:
- Server name, Host, Port
Administrators can search for a specific instance registration, register a newly installed OAM Server, view, modify, or delete server registrations using the Oracle Access Management Console. For more information, see "OAM Server Registration Page".
6.2.2 About Communication Between OAM Servers and WebGates
The OAM Server communication mode can be changed after a successful agent registration. The Webgate mode needs to be at the same level as the OAM Server mode or higher for the server to continue communicating with the agent.
Communication modes for the OAP channel include:
- Open: Use this unencrypted mode if communication security is not an issue in your deployment.
- Simple: Use this Oracle-signed certificate mode if you have some security concerns, such as not wanting to transmit passwords as plain text, but you do not manage your own Certificate Authority (CA).
- Cert: Use if you want different certificates on OAM Servers and WebGates and you have access to a trusted third-party CA.
- HTTP: This mode is auto configured in WebGate user defined parameters (based on the settings in WebGate Load Balancer of Access Manager Settings page). Use this unencrypted communication mode if the parameter OAMServerCommunicationMode is set to HTTP. It is a user defined configuration parameter.
- HTTPS: This mode is auto configured in WebGate user defined parameters (based on the settings in WebGate Load Balancer of Access Manager Settings page). Use this encrypted communication mode if the parameter OAMServerCommunicationMode is set to HTTPS. It is a user defined configuration parameter.
On each individual OAM Server registration, the security mode is defined on the Proxy tab, as described in "OAM Server Registration Page".
Simple and Cert modes also require:
- Security passwords that are common to all OAM Servers and WebGates, as described in "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security".
- Appropriately signed X.509 digital certificates, as described in Securing Communication.
At least one OAM Server instance must be running in the same mode as the agent during agent registration. Otherwise, agent registration fails. After agent registration, however, you can change the communication mode of the OAM Server. Communication between the agent and server continues to work as long as the WebGate mode is at the same level as the OAM Server mode or higher. The agent mode can be higher but cannot be lower. For example, if OAM Server mode is Open, agents can communicate in any of the three modes. If OAM Server mode is Simple, agents can use Simple or Cert mode. If OAM Server mode is Cert, agents must use Cert mode.
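The mode rules above can be checked against an inventory before a mode change is rolled out. The following is an added example, not Oracle code: the server and agent names are constructed, and the functions are hypothetical helpers that encode only the Open, Simple, Cert ordering and the registration rule stated in this section.

```python
from dataclasses import dataclass

# Ordering stated in this section: Open < Simple < Cert.
MODE_LEVEL = {"open": 0, "simple": 1, "cert": 2}

@dataclass(frozen=True)
class Endpoint:
    name: str   # constructed name, not taken from a real deployment
    mode: str   # "Open", "Simple" or "Cert"

def level(mode):
    """Map a mode name to its rank; reject anything outside the three modes."""
    try:
        return MODE_LEVEL[mode.strip().lower()]
    except KeyError:
        raise ValueError(f"{mode!r} is not one of Open, Simple, Cert") from None

def can_register(agent_mode, server_modes):
    """Registration needs at least one running OAM Server in the agent's own mode."""
    return any(level(m) == level(agent_mode) for m in server_modes)

def can_communicate(agent_mode, server_mode):
    """After registration the agent mode may be equal or higher, never lower."""
    return level(agent_mode) >= level(server_mode)

def agents_broken_by(new_server_mode, agents):
    """Agents that stop communicating if a server is switched to new_server_mode."""
    return [a.name for a in agents if not can_communicate(a.mode, new_server_mode)]

def audit(servers, agents):
    """Flag unencrypted OAP channels and agents running below a server's mode."""
    findings = []
    for s in servers:
        if level(s.mode) == 0:
            findings.append(f"{s.name}: OAP channel is Open (unencrypted)")
        for name in agents_broken_by(s.mode, agents):
            findings.append(f"{name}: mode is lower than {s.name} ({s.mode})")
    return findings

# Constructed inventory for illustration only.
SERVERS = [Endpoint("oam_server1", "Open"), Endpoint("oam_server2", "Simple")]
AGENTS = [Endpoint("wg_portal", "Open"), Endpoint("wg_hr", "Simple"),
          Endpoint("wg_fin", "Cert")]

if __name__ == "__main__":
    for line in audit(SERVERS, AGENTS):
        print(line)
    print("Raising a server to Cert would cut off:", agents_broken_by("Cert", AGENTS))
```

Running `agents_broken_by` with the target mode before editing a server registration shows which WebGates must be moved to a higher mode first.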
6.2.3 Conditions Requiring Server Restart
Most Oracle Access Management functional services take up changes made through the Oracle Access Management Console without restarting OAM Server.
Table 6-1 identifies conditions that do require a server restart.
Table 6-1 Conditions Requiring Server Restart
Event | Description |
---|---|
Load balancer server definition | A change requires an OAM Server restart. |
Managed Server port number | A change requires an OAM Server restart. |
New Managed Server | Adding a new managed server to the cluster requires restarting the AdminServer to enable policy uptake. |
6.3 Managing Individual OAM Server Registrations
OAM Server instances can be registered and managed using the Oracle Access Management Console.
Topics here include:
6.3.1 OAM Server Registration Page
Users with valid Administrator credentials can register a freshly installed Managed Server (OAM Server instance) or modify an existing OAM Server registration using the Oracle Access Management Console.
Alternatively, you can use custom WLST commands to register and manage OAM Server instances. Changes are reflected in the Oracle Access Management Console and are automatically propagated to every OAM Server in the cluster.
See Also:
Access Manager WLST Commands in WebLogic Scripting Tool Command Reference for Identity and Access Management
Figure 6-1 illustrates a typical OAM Server registration page when viewed within the Oracle Access Management Console. To access the OAM Server registration page using the Oracle Access Management Console, click Configuration in the top right of the console and then click the Server Instances link on the Configuration page. From the resulting Server Instances search page, click Create in the Search Results table to display the Create: OAM Server page. See Registering a Fresh OAM Server Instance for details on how to configure this page.
Figure 6-1 OAM Server Registration Page with Proxy Tab Displayed

Individual server registration settings are described in Table 6-2.
Table 6-2 OAM Server Instance Settings
Element | Definition |
---|---|
Server name | The identifying name for this server instance, which was defined during initial deployment in the WebLogic Server domain. |
Host | The full DNS name (or IP address) of the computer hosting the server instance. For example: host2.domain.com. |
Port | The port on which this server communicates (listens and responds). Default: 5575 Note: If both the SSL and Open ports of the Managed Server are enabled, then the Managed Server is set to the SSL port by default. If you must use the non-SSL port, the credential collector URL of the authentication scheme must be set to the absolute URL which points to See Also: Securing Communication |
6.3.1.1 OAM Proxy Settings
An integrated proxy server (OAM Proxy) is installed with each Managed Server for OAM Server.
Each OAM Proxy instance requires a different port. The proxy starts listening when the application starts. Registered access clients can immediately communicate with the proxy.
The OAM Proxy handles both configuration and run-time events. Each OAM Proxy can accept requests from multiple access clients concurrently. Each OAM Proxy enables access clients to interact with Access Manager.
Note:
For Access Clients, Access Manager provides authentication and authorization functionality only. Policy modification through Access Clients is not supported.
OAM Proxy settings are documented in Table 6-3.
Table 6-3 OAM Proxy Settings for an Individual OAM Server
OAM Proxy Setting | Value |
---|---|
Port | The unique port on which this OAM Proxy instance is listening. On a default installation, the port is 5575. |
Proxy Server ID | The identifier of the computer on which the OAM Proxy (and this OAM Server instance) resides. DNS hostname is preferred; however, you can use any valid and relevant string. On a default installation, the Proxy Server ID is AccessServerConfigProxy. |
Mode | OAM channel transport security for the OAM Proxy can be one of the following (the agent mode must match during registration and can be higher after registration): On a default installation, the Mode is Open. Note: Simple and Cert transport security modes are governed by information defined on the OAM Server Common Properties OAM Proxy tab, as described in "Managing the Access Protocol for OAM Proxy Simple and Cert Mode Security". See Also: Securing Communication if you are configuring Simple or Cert transport security modes. |
OAM Proxy Logging: Oracle Access Management services use the same logging infrastructure as any other Oracle Fusion Middleware component, as described in Auditing Administrative and Run-time Events. However, OAM Proxy uses Apache log4j for logging.
6.3.2 Registering a Fresh OAM Server Instance
Users with valid Administrator credentials can register a new Managed Server (OAM Server) instance using the Oracle Access Management Console. Each OAM Server must be registered to communicate with agents.
Before you begin, the new Managed Server instance must be configured in the Oracle WebLogic Server domain, but not yet started.
6.3.3 Viewing or Editing Individual OAM Server Registrations and Proxy Settings
Changes made are immediately visible in the Oracle Access Management Console and propagated to all OAM Servers in the cluster.
See Also:
- Access Manager WLST Commands in WebLogic Scripting Tool Command Reference for Identity and Access Management
- Movement Scripts in Administering Oracle Fusion Middleware