addPartnerForMultiDataCentre is not updating MDC partners in oam-config.xml in OAM 11g R2 PS2
In OAM 11g R2 PS2, I was working on Multi Data Center setup by following the documentation. I had to run the WLST command addPartnerForMultiDataCentre by giving partnerInfo.properties file as input.
What does this command do?
In MDC, when the failover happens from DC1 to DC2, all the webgate requests will be routed to DC2 to serve. The user session would have cookies/session pertaining to DC1. When the DC2 OAM servers serve the user request, then DC2 specific cookies/session has to be present. Before that, DC2 OAM servers will talk to DC1 OAM servers through back channel using Access Gate.
partnerInfo.properties contains the below details:
remoteDataCentreClusterId=DC2_CLUSTER
oamMdcAgentId=ACCESS_GATE_NAME
PrimaryHostPort=DC2_OAM_SERVER_NAME:port
SecondaryHostPort=
AccessClientPasswd=ACCESS_GATE_PASSWORD
oamMdcSecurityMode=open
agentVersion=11g
trustStorePath=
keyStorePath=
globalPassPhrase=
keystorePassword=
Let me explain every parameter:
remoteDataCentreClusterId: This is the secondary Data center Cluster Name.
oamMdcAgentId: Access Gate name which is making back channel call to DC1 for validating/requesting user session details. By default in OAM 11g R2 PS2, accessgate-oic is created. I have used this in my case. Also, ensure that Allow Management operations flag is enabled in this AG profile. For quick test, you can verify the regular webgate profiles and see that this flag is disabled by default.
PrimaryHostPort & SecondaryHostPort: Secondary DC OAM server host name and port eg., oam2.oracle.com:5575 and oam2.oracle.com:5576 respectively.
oamMdcSecurityMode: Mode in which AG is running.
agentVersion: AG version defined in profile.
trustStorePath, keyStorePath, globalPassPhrase, keystorePassword: If AG is set in simple/cert mode, provide the keystore and relevant details.
Steps to run the command:
- Run ./wlst.sh from $ORACLE_HOME/common/bin
- connect to weblogic admin server.
- Run WLST command addPartnerForMultiDataCentre(propfile=”/opt/oam/MDC/partnerInfo.properties”)
- You should see successful message as shown belowls:/oam_domain/serverConfig>addPartnerForMultiDataCentre(propfile=”/opt/oam/MDC/partnerInfo.properties”)
Partner added successfully.
success:
- I had executed this command in both data centers. After execution, we can verify this in oam-config.xml under the section MultiDataCenterPartners as shown below
<Setting Name=”MultiDataCenterPartners” Type=”htf:map”>
<Setting Name=”CLUSTER_NAME” Type=”htf:map”>
<Setting Name=”oamMdcSecurityMode” Type=”xsd:string”>open</Setting>
<Setting Name=”periodForWatcher” Type=”xsd:string”>2000</Setting>
<Setting Name=”maxConnPool” Type=”xsd:string”>10</Setting>
<Setting Name=”minConnPool” Type=”xsd:string”>1</Setting>
<Setting Name=”delayForWatcher” Type=”xsd:string”>1000</Setting>
<Setting Name=”oamMdcAgentId” Type=”xsd:string”>accessgate-oic</Setting>
<Setting Name=”accessClientPasswd” Type=”xsd:string”>qqwer3235123asdf</Setting>
<Setting Name=”PrimaryHostPort” Type=”xsd:string”>HOST:PORT</Setting>
<Setting Name=”agentVersion” Type=”xsd:string”>11g</Setting>
<Setting Name=”serverConnTimeout” Type=”xsd:string”>3600</Setting>
<Setting Name=”SecondaryHostPort” Type=”xsd:string”></Setting>
</Setting>
- It worked as expected in DC1. When I executed in DC2, it displayed successful message but it is not updated in oam-config.xml.
Fix:
DC2 MDC cluster is write protected. To verify, open the oam-config.xml and look for the element WriteEnabledFlag as shown below.
<Setting Name=”WriteEnabledFlag” Type=”xsd:boolean”>false</Setting>
Since it is set to false, any changes made through WLST will not take effect. So run below WLST command to fix this or you can manually edit the oam-config.xml carefully.
setMultiDataCenterWrite(WriteEnabledFlag = "true")
About the Author Mahendra
I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com