Oracle Access Manager on Disaster Recovery (DR) site: Operation Error


Last year we launched our consulting services, where we design, implement and support Oracle products. This post covers an issue we encountered during failover of Oracle Access Manager (OAM) from the primary site to the standby site for one of our clients.

We also cover High Availability and Disaster Recovery in our Oracle Access Manager Training agenda (next batch starts on 20th September 2015).

Setup at customer site: Oracle Access Manager (OAM) was deployed with high availability in the primary datacenter (assume DC1), with a disaster recovery site in the secondary datacenter (assume DC2). We used a RAC database to synchronise database data from the primary site to the standby site. The file system on the application tier (hosting the OAM servers) was replicated from the primary site to the standby site using SAN replication (if you don't have a SAN, use an OS utility like rsync). There are a few other steps for OAM DR setup that I am going to cover in another post.

 

Issue: After failover of OAM to the disaster recovery site, accessing the single sign-on URL https://sso.mycompany.com at the DR site showed an error:

“Oracle Access Manager Operation Error
The webgate plug-in is unable to contact any access server”

Cause: The error is self-explanatory: the WebGate (Policy Enforcement Point) is unable to reach the OAM Server (Policy Decision Point) on the DR site. This error can occur for a number of reasons.

Logs/Errors: To find the root cause:

1. Check the OHS error log at $ORACLE_INSTANCE/diagnostics/logs/OHS/ohs1/ohs1.log. In my case it showed the error below:

The Access Gate is unable to contact any Access Servers

[2015-09-01T10:27:12.4327+00:00] [OHS] [ERROR:32] [OHS-9999] [core.c] [client_id: 127.0.0.1] [host_id: example.com] [host_addr: HOST_IP] [tid: 139963023050496] [user: demo] [ecid:00S7] [rid: 0] [Virtual Host: main] OBWebGate_AuthnAndAuthz: The AccessGate is unable to contact any Access servers

 [2015-09-01T10:27:12.4351+00:00] [OHS] [ERROR:32] [OHS-9999] [core.c] [client_id: 127.0.0.1] [host_id: example.com] [host_addr: HOST_IP] [tid: 139963023050496] [user: demo] [ecid:00S7] [rid: 0] [Virtual Host: main] Request Failed For: /index.html, Resp code : [500]

2. Check the Oblix log (oblog.log) at $ORACLE_INSTANCE/diagnostics/logs/OHS/ohs1/oblog.log. It showed the error below:

Exception thrown during WebGate Initialization

2015/09/01813:56:36.38344 21825 21849 ACCESS_GATE contact INIT config.xml FATAL 0x0000182C any Access Servers. “ERROR 0x00CONFIG ERROR 0x00000505 raw codeS’ 0 21825 21852 ACCESS_GATE FATAL 0x00001520 “Exception thrown during WebGate initialization”

Checks: For this issue, we need to check whether the WebGate is able to contact the OAM server on the port mentioned in primary_server_list of the WebGate configuration file.

Key File: OAM server details are stored in the WebGate configuration file (on the OHS server) at $ORACLE_INSTANCE/config/OHS/ohs1/webgate/config/ObAccessClient.xml

We discuss a lot of other important key files for OAM server, WebLogic, OHS and WebGate in our Oracle Access Manager (OAM) Training.

WebGate connects to the OAM Server via the OAM Proxy port. In our case we had set the OAM Proxy port to 7009 instead of the default port 5575.

Root Cause: In the file ObAccessClient.xml the proxy port was changed to the default 5575 after migration to the DR site, because of which the WebGate was unable to contact the OAM server.
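
One way to script the check described above (an added example, not from the original post): it reads the host and port entries under primary_server_list in ObAccessClient.xml, flags any port that differs from the expected OAM proxy port (7009 in this setup), and tests TCP reachability. The XML layout of the sample and its host names are assumptions constructed for illustration; adjust the parsing if your file differs.

```python
import socket
import sys
import xml.etree.ElementTree as ET

# Constructed sample: element layout is an assumption, host names are made up.
SAMPLE = """<CompoundList xmlns="http://www.oblix.com" ListName="ObAccessClient.xml">
  <CompoundList ListName="primary_server_list">
    <ValNameList ListName="primaryServer1">
      <NameValPair ParamName="host" Value="oam1.dr.example.com"/>
      <NameValPair ParamName="port" Value="5575"/>
    </ValNameList>
    <ValNameList ListName="primaryServer2">
      <NameValPair ParamName="host" Value="oam2.dr.example.com"/>
      <NameValPair ParamName="port" Value="7009"/>
    </ValNameList>
  </CompoundList>
</CompoundList>"""

def primary_servers(xml_data):
    """Return [(entry_name, host, port)] found under primary_server_list."""
    servers = []
    for node in ET.fromstring(xml_data).iter():
        if node.get("ListName") != "primary_server_list":
            continue
        for entry in node:
            # Collect ParamName/Value pairs regardless of XML namespace.
            params = {p.get("ParamName"): p.get("Value") for p in entry.iter()}
            if params.get("host") and (params.get("port") or "").isdigit():
                servers.append((entry.get("ListName"), params["host"], int(params["port"])))
    return servers

def port_drift(servers, expected_port):
    """Entries whose port differs from the proxy port the OAM server uses."""
    return [s for s in servers if s[2] != expected_port]

def reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds (what WebGate needs)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    expected = int(sys.argv[2]) if len(sys.argv) > 2 else 7009
    for name, host, port in primary_servers(data):
        state = "DRIFT" if port != expected else "ok"
        print(f"{name} {host}:{port} expected={expected} {state} reachable={reachable(host, port)}")
```

Run it on the OHS host with the path to ObAccessClient.xml and the expected proxy port as arguments; with no arguments it runs against the constructed sample.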

 

FIX:

1. Log in to the OAM Console on the DR site: http://comp.example.com:7001/oamconsole
2. Navigate to Configuration –> Server Instances
3. Click Search
4. Click WLS_OAM1
5. Change the Proxy Port back to the old value, which was 7009
6. Similarly, change the Proxy Port of WLS_OAM2 (if you have two OAM nodes in the DR site)
7. Save the changes
8. Copy the updated ObAccessClient.xml located under the OAM Domain ($DOMAIN_HOME/output/<WEB_AGENT>) to the OHS Server ($ORACLE_INSTANCE/config/OHS/ohs1/webgate)
9. Bounce the services of OAM & OHS

The single sign-on URL https://sso.mycompany.com should be accessible now.

 

If you want to learn about more issues like the one above, or wish to discuss challenges you are hitting in an Oracle Access Manager implementation, register for our Oracle Access Manager Training.

We are so confident in the quality and value of our trainings that we provide a 100% money-back guarantee: in the unlikely case that you are not happy after 2 sessions, just drop us a mail before the third session and we'll refund the FULL amount.

About the Author Atul Kumar


2 comments
SIVAKUMAR says October 21, 2015

Hi Atul,
Why is the OAM server not taking the 5575 proxy port in the DR site in the first place? Is this port assigned to any other process? We can change this port in oam-config.xml and we can change the version of this xml.

Regards
Sivakumar.B

SeemaYadav says October 24, 2015

Hi Siva,

As per the client requirement, we changed the proxy port on the Primary site, because of which it was taking the same value on the DR site.

oam-config.xml was showing the correct value, but the ObAccessclient.xml file, which connects WebGate to the OAM server, was showing an incorrect value, so to correct that value we have provided the method in our blog.
