Oracle Access Manager (OAM) WebGate Guide - Part Four - WebGate Highly Available (HA) Architecture

November 2, 2023 | 3 minute read
Kenneth Owens
Senior Principal Software Engineer

Introduction

A Highly Available (HA) architecture for the Oracle Access Manager (OAM) WebGate component eliminates single points of failure and distributes the workload via a load balancer.

  • The terms WebGate and Agent are interchangeable
  • This note does not discuss HA for the OAP, which is handled by internal code by default; it can also be addressed by load balancing the OAP port or, in OAM 12.2.1.4.x, by using OAP over REST.
  • This note uses the concepts from the Enterprise Deployment Guide (EDG) for Oracle Identity and Access Management when referring to the OAM WebGate fronting and protecting the various console resources for product HA functionality.

Concepts Of How To Achieve WebGate HA

  • From an OAM Agent/WebGate perspective, the LBR in an HA environment is a black box: all the WG needs to know is the URL that the outside world uses to access the resource it is protecting.
  • The OAM WebGate should be configured with more than one primary OAM server, and any additional secondary OAM servers, to achieve even further HA for the WG to OAM server communication.
  • OAM supports multiple WebGates using the same WebGate profile (ObAccessClient.xml ... one registration). This is done by setting up multiple WebGates behind a load balancer, which requires installing a WebGate on each of the web servers that the load balancer will use.

Guidelines - Suggested Approach

1. Before the OAM WebGates are installed and registered, a static page on each web server must be accessible via the LBR using the same protocol, hostname, and port that the OAM WebGate will use.

Example:

LBR = http(s)://<APPLICATION_FQDN:PORT/RESOURCE>

Based on the LBR rules, the request is redirected to the physical web server the application is running on:

http(s)://<APPLICATION_1_FQDN:PORT/RESOURCE>
http(s)://<APPLICATION_2_FQDN:PORT/RESOURCE>
http(s)://<APPLICATION_3_FQDN:PORT/RESOURCE>
etc...

2. Shut down all application web servers except one for testing...(Starting Point)

3. Follow the OAM documentation for installing and configuring a WebGate.

  • The agent will only need to be registered once.
  • It will be registered using the protocol, hostname, and port of the LBR.
  • The resulting artifacts will be used on the WebGate of each application's web server tier.

4. Test functionality ... (Stop Gap)

5. Shut down the working web server WebGate and start the next web server WebGate.

Repeat steps 3 and 4, taking notice that the agent will not need to be registered again.

6. Repeat this process for all web server WebGates.

7. Once they are all working individually, then test with all of them running.
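One way to confirm that every web tier is running the artifacts from the single registration, as an added example (not Oracle tooling and not code from the original post): it hashes each tier's copy and reports files that are missing, extra, or different from the registration output. The tier names web1 to web3 and the file contents are constructed; only the file name ObAccessClient.xml comes from this note.

```python
import hashlib
import tempfile
from pathlib import Path


def digest_tree(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def artifact_drift(reference_dir, tier_dirs):
    """Return {tier: findings} for tiers whose copy deviates from the reference."""
    # tier_dirs maps a web server name to the directory holding its artifact copy.
    ref = digest_tree(reference_dir)
    report = {}
    for name, directory in tier_dirs.items():
        got = digest_tree(directory)
        finding = {
            "missing": sorted(ref.keys() - got.keys()),
            "extra": sorted(got.keys() - ref.keys()),
            "differs": sorted(f for f in ref.keys() & got.keys() if ref[f] != got[f]),
        }
        if any(finding.values()):
            report[name] = finding
    return report


def demo():
    """Constructed sample: registration output plus three web tier copies."""
    profile = b"<constructed-profile/>"  # stand-in bytes, not a real profile
    layout = {
        "reference": {"ObAccessClient.xml": profile},
        "web1": {"ObAccessClient.xml": profile},            # faithful copy
        "web2": {"ObAccessClient.xml": b"<hand-edited/>"},  # drifted copy
        "web3": {},                                         # never copied
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in layout.items():
            (Path(tmp) / name).mkdir()
            for fname, data in files.items():
                (Path(tmp) / name / fname).write_bytes(data)
        tiers = {n: Path(tmp) / n for n in layout if n != "reference"}
        return artifact_drift(Path(tmp) / "reference", tiers)


if __name__ == "__main__":
    print(demo())
```

An empty result means every tier matches the registration output; any tier listed should be re-synced from the reference copy before testing with all web servers running.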

Wrap up

Things to remember about the OAM WebGate Highly Available (HA) architecture:

  • HTTP communication and LBR must be working prior to the introduction of an OAM WebGate.
  • The OAM WebGate will only need to be registered once. The resulting artifacts will be used by the other OAM WebGates that are behind the LBR.
  • The WebGate should be configured with primary and secondary OAM servers to achieve even further HA.
