Wednesday, January 15, 2014

OAM LDAP connections through firewalls

In a previous post, we discussed some of the complications that can occur when a firewall is placed between WebGates and OAM Servers in a typical deployment. This post follows on from that discussion to explore an analogous topic: firewalls between the OAM Server and the LDAP Identity Store. This post is part of a larger series on Oracle Access Manager 11g called Oracle Access Manager Academy. An index to the entire series, with links to each of the separate posts, is available.

The problem we are trying to solve

Without repeating the discussion from the previous post, the problem, in a nutshell, is preventing an over-eager firewall from tearing down an LDAP Identity Store connection that OAM still needs to use. Should this happen, OAM requests sent over that connection will fail, leading to degraded performance as the LDAP connection is re-established and the operation re-tried. Once again, the solution lies in configuring OAM's LDAP Connection Pool to refresh connections on its own accord, by appropriately setting the Identity Store's connection TTL (time to live) as below.

This procedure works for OAM versions from 11.1.1.5 up to and including 11.1.2.1.

How to prevent the firewall closing connections

The way to avoid this problem is to ensure that the firewall is never given cause to close an LDAP connection - in other words, ensuring that LDAP connections never exceed the TTL or inactivity timeout configured at the firewall. This is done by configuring a maximum LDAP connection lifespan, or TTL, on the OAM side that is less than the firewall's maximum TTL or idle timeout, which in turn is done by adding the MaxConnectionReuseTime setting to the Identity Store configuration in oam-config.xml, as in the snippet below. The value is specified in seconds.

<Setting Name="LDAP" Type="htf:map">
  <Setting Name="E9ABCBCF59F0CDEC56" Type="htf:map">
    .....
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://idstore.example.com:389</Setting>
    <Setting Name="ReferralPolicy" Type="xsd:string">follow</Setting>
    <Setting Name="GroupCacheSize" Type="xsd:integer">10000</Setting>
    <Setting Name="MaxConnectionReuseTime" Type="xsd:string">1740</Setting>
    <Setting Name="UserIdentityProviderType" Type="xsd:string">OracleUserRoleAPI</Setting>
  </Setting>
  .....
</Setting>

In the above example, MaxConnectionReuseTime has been set to 1740 seconds, or 29 minutes. This would be an appropriate setting for a firewall that times connections out after 30 minutes, since the OAM TTL should always be lower than that enforced by the firewall. Be sure to set MaxConnectionReuseTime to an appropriate value for your own environment.

Be sure to follow the correct procedure for making manual edits to oam-config.xml, as described in this post.

As a closing comment, be aware that you may additionally need to configure your LDAP server to enforce a connection TTL; in that case, the server-side timeout should be higher than the one set by the firewall - and therefore also higher than OAM's MaxConnectionReuseTime.
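As an added example (not code from the original post or from Oracle), the following Python script parses an oam-config.xml LDAP fragment shaped like the one above, adds or updates MaxConnectionReuseTime for each Identity Store, and checks the ordering this post requires: OAM's TTL below the firewall idle timeout, and any LDAP server-side TTL above the firewall's. The sample XML, the 1800- and 3600-second firewall and server timeouts, and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed oam-config.xml fragment in the shape shown in the post; the store
# id and URL are the post's example values, not a real deployment.
SAMPLE_CONFIG = """<Setting Name="LDAP" Type="htf:map">
  <Setting Name="E9ABCBCF59F0CDEC56" Type="htf:map">
    <Setting Name="LDAP_URL" Type="xsd:string">ldap://idstore.example.com:389</Setting>
    <Setting Name="GroupCacheSize" Type="xsd:integer">10000</Setting>
  </Setting>
</Setting>"""

def identity_stores(ldap_root):
    """Each htf:map child of the LDAP map is one Identity Store: (id, element)."""
    return [(s.get("Name"), s) for s in ldap_root
            if s.tag == "Setting" and s.get("Type") == "htf:map"]

def reuse_time(store):
    """MaxConnectionReuseTime in seconds, or None if the store does not set it."""
    node = store.find("Setting[@Name='MaxConnectionReuseTime']")
    return int(node.text) if node is not None and node.text else None

def set_reuse_time(store, seconds):
    """Add or update MaxConnectionReuseTime (typed xsd:string, as in the post)."""
    node = store.find("Setting[@Name='MaxConnectionReuseTime']")
    if node is None:
        node = ET.SubElement(store, "Setting",
                             Name="MaxConnectionReuseTime", Type="xsd:string")
    node.text = str(int(seconds))

def set_all_reuse_times(xml_text, seconds):
    """Return the fragment with MaxConnectionReuseTime set on every store."""
    root = ET.fromstring(xml_text)
    for _, store in identity_stores(root):
        set_reuse_time(store, seconds)
    return ET.tostring(root, encoding="unicode")

def check_ttl_order(oam_ttl, firewall_idle, ldap_server_ttl=None):
    """Findings against the required ordering: OAM TTL < firewall idle < LDAP server TTL."""
    findings = []
    if oam_ttl is None:
        findings.append("MaxConnectionReuseTime not set; firewall may drop pooled connections")
    elif oam_ttl >= firewall_idle:
        findings.append(f"OAM TTL {oam_ttl}s is not below firewall idle timeout {firewall_idle}s")
    if ldap_server_ttl is not None and ldap_server_ttl <= firewall_idle:
        findings.append(f"LDAP server TTL {ldap_server_ttl}s is not above firewall idle timeout {firewall_idle}s")
    return findings

def audit(xml_text, firewall_idle, ldap_server_ttl=None):
    """Map each Identity Store id to its findings (an empty list means OK)."""
    root = ET.fromstring(xml_text)
    return {sid: check_ttl_order(reuse_time(s), firewall_idle, ldap_server_ttl)
            for sid, s in identity_stores(root)}

if __name__ == "__main__":
    fixed = set_all_reuse_times(SAMPLE_CONFIG, 1740)   # 29 min for a 30 min firewall
    print(audit(fixed, firewall_idle=1800, ldap_server_ttl=3600))
```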
