13 comments
Hi,
We recently ran across this problem, but from testing, when the OAM_REQ is too long (apparently > 4KB with Firefox), the symptom we were seeing was not that Firefox crashed.
Rather, instead of re-directing, etc., the browser would display a blue OAM error page.
The oam_server1.out log file shows an OAM-02703 and/or OAMSSA-14003 message.
From detailed analysis of Firefox Live HTTP headers, plus some testing with Firefox with responses with long Set-Cookie for setting OAM_REQ, it appears that at least Firefox fails silently, and doesn’t store the OAM_REQ that’s in the Set-Cookie response.
From what I’m seeing in the OAM server logs, it appears that what happens is that, because the browser fails to store the long OAM_REQ and thus subsequently sends no OAM_REQ to the OAM server, the OAM server fails when it tries to determine if the resource is protected, causing a runtime error.
Question: Our testing thus far was with FORM-based login to OAM. Does changing the cacheType from COOKIE to FORM affect the functionality of other authentication types, e.g., CERT/PKI?
The reason for the question is that when the cacheType is set to FORM, the login page that does the POST has to include the OAM_REQ in the POSTed data, but with PKI authentication there is no FORM to do a POST with the OAM_REQ, etc., so I’m wondering what the effect on PKI authentication is when cacheType is changed to FORM. It seems like changing cacheType to FORM would break (cause to fail) PKI ATN?
Jim
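The failure Jim describes (a Set-Cookie for OAM_REQ that the browser silently drops once it exceeds the size a user agent is required to store, 4096 bytes per cookie under RFC 6265 section 6.1) is easy to miss in Live HTTP Headers because the server side looks healthy. The following check, added here as an example and not code from the original post or from Oracle, parses the Set-Cookie headers out of a raw HTTP response and flags any cookie over that limit. The sample 302 response and its 5000-character OAM_REQ value are constructed for illustration; the cookie names other than OAM_REQ and the Location URL are assumed, not taken from the thread.

```python
"""Flag Set-Cookie headers a browser is likely to discard as too large.

RFC 6265 only guarantees that a user agent stores cookies of at least
4096 bytes; Firefox and most other browsers silently drop larger ones,
which is the silent failure described above for a long OAM_REQ cookie.
"""

# RFC 6265 section 6.1 minimum; browsers enforce roughly this value.
COOKIE_LIMIT = 4096


def set_cookie_headers(raw_response):
    """Return the value of every Set-Cookie header in a raw HTTP response."""
    # Only the header block matters; drop the body if one is present.
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_size(header_value):
    """Return (cookie name, byte length of the whole Set-Cookie value).

    The whole value (name, value and attributes) is measured because that
    is what the user agent has to store for the cookie.
    """
    name = header_value.split("=", 1)[0].strip()
    return name, len(header_value.encode("utf-8"))


def oversized_cookies(raw_response, limit=COOKIE_LIMIT):
    """Return [(name, size)] for each Set-Cookie whose size exceeds limit."""
    flagged = []
    for header_value in set_cookie_headers(raw_response):
        name, size = cookie_size(header_value)
        if size > limit:
            flagged.append((name, size))
    return flagged


# Constructed sample: an OAM-style redirect that sets a short session
# cookie and an OAM_REQ whose value is 5000 characters long.
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://oam.example.com/oam/server/obrareq.cgi\r\n"
    "Set-Cookie: OAMAuthnCookie=abc123; path=/; secure; HttpOnly\r\n"
    "Set-Cookie: OAM_REQ=" + "A" * 5000 + "; path=/; secure; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, size in oversized_cookies(SAMPLE_RESPONSE):
        print(f"{name}: {size} bytes exceeds {COOKIE_LIMIT}; "
              "the browser will most likely drop it")
```

Feed it the raw response captured from the WebGate redirect (for example the text saved from Live HTTP Headers); any cookie it flags is one the next request will arrive without, which matches the OAM-02703 / OAMSSA-14003 symptom above.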
Jim,
I’ve not tested this scenario with PKI/CERT atn. You can give it a try and let us know your observations. Perhaps it is also good to raise an SR request with Oracle Support.
-Mahendra.
I need some help from you to validate a scenario that I have tested. It is a production (HA) setup for OAM.
-> OAM is set up in HA mode and load balanced by a load balancer.
-> The application (deployed on WebLogic) is proxied by two Apache servers (on which WebGate is installed).
-> I installed the two WebGates with the same Webgate_ID (only one WebGate instance defined in oamconsole) on both Apache web servers, and in the host identifier I created, I put both WebGate machines’ host and port (also the load balancer URL and port for the WebGates), so that there is one host identifier for requests coming from both web servers.
-> Created policies etc.
For a single web server deployment in the dev environment, I had a custom form authentication scheme. The challenge URL is http://WEBSERVERHOST:PORT/XYZapp/login.jsp
For the HA environment, the challenge URL I put is the web server’s load balancer URL http://WebServerLoadBalancerUrl:PORT/XYZapp/login.jsp.
Everything is working as expected. I just need you to validate that the load balancer URL for the LOGIN PAGE in the custom authentication scheme is the correct approach.
Thanks a lot for your help.
Hi, currently we are using OAM 10g / IIS / WebGate with a custom Login Form (a.k.a. DCC, Detached Credential Collector). We are evaluating OAM 11gR2 for upgrade. As there is no supported 11g WebGate for IIS, we continue to use the 10g WebGate only. But it is not supporting DCC. It supports only ECC (Embedded Credential Collector); we tried this and it is working.
Changing the Login Form is not an easy option for us. Changing the web server from IIS to OHS is also not an option for us. Can you please suggest any other way to overcome the issue? Thanks
@Ramgopal,
I am afraid if it is not supported, then you don’t have an option. This may be weird, but can you try this: just have OHS in front of IIS and try redirecting the login page request to IIS and see if that works!
Thanks
mahendra.
HI,
We have RSA integration from OAM 11g as well.
The document http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/rsa.htm says serverRequestCacheType must be set to BASIC for it to work.
Then how do we get HA as well as RSA to work?
-Thanks.
Hi,
Just to answer the older question, we have changed the application side as needed and implemented ECC auth (the Embedded Credential Collector).
– Rgds.
Valuable info about OAM-HA integration with RSA (thanks to Oracle Support for clarifying):
> “serverRequestCacheType” set to “BASIC” is a must for RSA authentication. This limitation is not from OAM. It is imposed by the RSA Authentication APIs.
>
> In order to perform RSA authentication we need RSA Session.
> This session is not serialized. Thus, it needs to be cached locally during multiple authentication (i.e. 2 factor flows like next token flow) which is done when “serverRequestCacheType” is set to “BASIC”.
>
> When “serverRequestCacheType” is set to “COOKIE”, the session is not serialized, so when the server tries to prepare the request again the RSA Session is null and thus it fails.
>
> BASIC mode doesn’t support HA failover scenarios and stickiness is mandatory in HA scenarios using BASIC mode.
>
> Regards,
> Ajit Kumar
Hope this helps.
Regards
We just ran into an interesting situation at work, which caused us to create a sev-1 with Oracle.
Last Friday, we upgraded our 11gR2 with BP05 and had switched from COOKIE to FORM. When it was set to COOKIE, the URL was long and security did not like everything being displayed.
On Monday, we received calls from some of our customers, who were unable to access the website. We found out they were using IE6 and IE8. By changing the requestCacheType to FORM, all versions of IE earlier than 9 will not work.
Thorough testing on different browsers will be done today, and tonight we will switch back to COOKIE. We are also giving the customers a cutoff date to upgrade their browsers so we can switch back to FORM.
Dear manin21,
I need some information regarding the OAM-HA integration with RSA which you posted above.
We have single OAM set up now and is integrated with RSA AM and its working fine.
But, we have a plan to build the second instance of OAM.
What are all the important points we need to consider?
You have mentioned BASIC does not work in OAM-HA and stickiness is mandatory in the HA scenario while using BASIC.
How do we set the stickiness, and where do we need to set it? Any docs for this? Please share the links.
@Usman, which version of OAM do you have? Check this guide for HA in OAM: http://docs.oracle.com/cd/E40329_01/doc.1112/e28391/oamam.htm#ASHIA6595 We cover HA in detail in our OAM course at http://www.k21technologies.com/oracle-access-manager-training