This post covers an important setting in an OAM 11g high availability environment. The Oracle doc for setting up OAM 11g in HA is here.
Section 8.8.3.11 explains changing the request cache type. Let us see why this flag matters and some other situations where it is essential.
When a user accesses an OAM 11g protected resource, the OAM server needs to remember the user's original request. How this data is kept is defined by a parameter in oam-config.xml, located at $DOMAIN_NAME/config/fmwconfig, as shown below.
<Setting Name="serverRequestCacheType" Type="xsd:string">COOKIE</Setting>
The permitted values are BASIC (set by default), COOKIE and FORM.
NOTE: FORM was introduced in OAM 11.1.1.5 and is not present in version 11.1.1.3.
BASIC: In this mode the OAM Server stores the information in memory. This mode cannot be used in an OAM Cluster High Availability environment, because during the authentication process the client might be redirected to different OAM Server instances, and the information about the original request is only available in the memory of one OAM Server instance. This mode requires the Login Page to return the “request_id” value.
COOKIE: In this mode the OAM Server creates an encrypted OAM_REQ cookie to store the information. This mode can be used in a High Availability environment. The Login Page only needs to return the username and password.
FORM: In this mode the OAM Server sends the information about the original request via a POST request using an encrypted OAM_REQ value. This mode can be used in a High Availability environment. The login page must return the OAM_REQ value.
So the OAM_REQ cookie is set by the OAM server in both the COOKIE and FORM cases, but the login page should return it to the OAM server only in the FORM scenario.
If you are using a custom login page in your environment, then you will need to return specific values to the OAM server from the login page according to the Request Cache Type setting.
How to change this parameter?
The wlst.sh tool can be used to change it to either BASIC or COOKIE, but it does not apply the change for FORM.
So as an alternative, make the change manually in oam-config.xml as follows:
Change the serverRequestCacheType value in the oam-config.xml located at $DOMAIN_HOME/config/fmwconfig.
Another scenario where this parameter is essential is when the requested resource URL is too large. Consider a user who has a valid OAM session and accesses another resource A, where the URL of resource A is too large.
Since the user already has a valid session, no OAM_REQ cookie is generated and the user is redirected to resource A successfully.
However, if the user does not have a valid session and accesses resource A directly, then the OAM server stores the original requested resource information in an encrypted cookie, OAM_REQ. Since the original resource URL is too large, the OAM_REQ cookie is also too large. The problem only occurs if the long URL access triggers a redirect to OAM for login.
In IE this may result in the error “Internet Explorer cannot display the webpage”. This is because of IE's maximum browser URL restriction (2083 characters).
Firefox has no URL restriction, but the problem occurs when cookies (OAM_REQ in this case) store large content, and it results in a Firefox crash.
So the best solution is to change the Request Cache Type setting to FORM value.
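The following is an added example, not code from the original post or from Oracle: a small check that reads serverRequestCacheType out of an oam-config.xml document, flags the two problem cases described above (BASIC in a cluster, COOKIE with long resource URLs) and reports what a custom login page has to return. The function names, the `clustered` and `long_urls` inputs and the sample XML wrapper are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Extra value a custom login page must post back for each mode (from the post).
EXTRA_LOGIN_FIELD = {"BASIC": "request_id", "COOKIE": None, "FORM": "OAM_REQ"}

def read_cache_types(xml_text):
    """Return every serverRequestCacheType value found, ignoring namespaces."""
    root = ET.fromstring(xml_text)
    values = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop "{namespace}" if present
        if local == "Setting" and el.get("Name") == "serverRequestCacheType":
            values.append((el.text or "").strip().upper())
    return values

def audit(xml_text, clustered, long_urls=False):
    """Return (effective_mode, findings) for one oam-config.xml document."""
    values = read_cache_types(xml_text)
    findings = []
    if not values:
        values = ["BASIC"]  # the post states BASIC is the default
        findings.append("setting absent: default BASIC applies")
    if len(set(values)) > 1:
        findings.append("conflicting values: " + ", ".join(sorted(set(values))))
    mode = values[0]
    if mode not in EXTRA_LOGIN_FIELD:
        findings.append("unsupported value: " + mode)
        return mode, findings
    if mode == "BASIC" and clustered:
        findings.append("BASIC keeps the request in one server's memory: unusable in a cluster")
    if mode == "COOKIE" and long_urls:
        findings.append("long resource URLs inflate the OAM_REQ cookie: use FORM")
    extra = EXTRA_LOGIN_FIELD[mode]
    findings.append("custom login page must return: username, password"
                    + (", " + extra if extra else ""))
    return mode, findings

# Constructed sample; only the inner Setting line is taken from the post.
SAMPLE = """<Configuration>
  <Setting Name="ExampleGroup" Type="map">
    <Setting Name="serverRequestCacheType" Type="xsd:string">COOKIE</Setting>
  </Setting>
</Configuration>"""

if __name__ == "__main__":
    mode, findings = audit(SAMPLE, clustered=True, long_urls=True)
    print(mode)
    for finding in findings:
        print(" -", finding)
```

Run it against a copy of the file from each managed server's domain directory; differing results between nodes mean the setting was not propagated consistently.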
Hope this helps.
References: metalink note 1348419.1
I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com