“RequestCacheType” setting in OAM 11g

This post will talk about an important setting of OAM 11g high availability environment. The Oracle doc for setting up OAM 11g in HA is here.

The section 8.8.3.11 explains changing request cache type. Let us see the importance of this flag and certain other factors where this is essential.

When a user access a OAM 11g protected resource then the OAM server needs to remember about the user’s original request. This data is defined using a parameter in oam-config.xml located at $DOMAIN_NAME/config/fmwconfig as shown below.

<Setting Name="serverRequestCacheType" Type="xsd:string">COOKIE</Setting>

The permitted values are BASIC (set by default), COOKIE and FORM.

NOTE: FORM is introducted in OAM 11.1.1.5 and is not present in 11.1.1.3 version.

BASIC: In this mode the OAM Server stores the information in memory. This mode could not be used in an OAM Cluster High Availability environment because during the authentication process, the client might be redirected to different OAM Server instances and the information about the original request is only available in the memory of one OAM Server instance. This mode requires the Login Page to return the “request_id” value.

COOKIE: In this mode the OAM Server creates an encrypted OAM_REQ cookie to store the information. This mode could be used in a High Availability environment.  The Login Page only needs to return the username and password.

FORM:  In this mode the OAM Server sends the information about the original request via a POST request using an encrypted OAM_REQ value.  This mode could be used in a High Availability environment. The login page must return the OAM_REQ value.

So OAM_REQ cookie is set in both cases COOKIE and FORM by the OAM server but login page should return to OAM server only for FORM scenario.

If you are using custom Login page in your environment then you will need to return specific values to the OAM server from login page as per the Request Cache Type setting.

How to change this parameter?

wlst.st tool can be used to change it to either BASIC or COOKIE but it does not reflect the changes for FORM.

So as an alternative solution perform manual changes to oam-config.xml as follows:

  1. Stop all OAM servers (admin + managed servers)
  2. Change the serverRequestCacheType value in the oam-config.xml located at $DOMAIN_HOME/config/fmwconfig
  3. Start all OAM servers.

Another scenario where this parameter is essential is when the requested resource URL is too large. Consider the user is having a valid OAM session and access another resource A where resource A URL is too large.

Since the user is having a valid session already it does not generate OAM_REQ cookie anymore and user will be redirected to resource A succesfully.

However if the user does not a valid session and access resource A directly then OAM server stores the original requested resource information in an encrypted cookie OAM_REQ. Since the original resource URL is too large the OAM_REQ cookie is also too large. The problem only occurs if long URL access triggers redirect to OAM for login.

In case of IE it may result in error “Internet Explorer cannot display the webpage”. This is because of the IEs maximum browser URL restriction (2083 characters)

If the user is using Firefox where there is no URL restriction but the problem occurs when cookies (OAM_REQ in this case) are storing large content and it will result in firefox crash.

So the best solution is to change the Request Cache Type setting to FORM value.

Hope this helps.

References: metalink note 1348419.1

Share This Post with Your Friends over Social Media!

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

13 comments
Atul Kumar says August 28, 2012

Very good post .

Regards
Atul Kumar

Reply
ohaya says October 18, 2012

Hi,

We recently ran across this problem, but from testing, when the OAM_REQ is too long (apparently > 4KB with Firefox), the symptom we were seeing was not that Firefox crashed.

Rather, instead of re-directing, etc., the browser would display a blue OAM error page.

The oam_server1.out log file shows an OAM-02703 and/or OAMSSA-14003 message.

From detailed analysis of Firefox Live HTTP headers, plus some testing with Firefox with responses with long Set-Cookie for setting OAM_REQ, it appears that at least Firefox fails silently, and doesn’t store the OAM_REQ that’s in the Set-Cookie response.

From what I’m seeing in the OAM server logs, it appears that what happens is that, because the browser fails to store the long OAM_REQ, and thus sends no OAM_REQ to OAM server subsequently, OAM server fails when it tries to determine if the resource is protected, causing a runtime error.

Question: Our testing thus far was with FORM-based login to OAM. Does changing the cacheType from COOKIE to FORM affect the functionality of other authentication types, e.g., CERT/PKI?

The reason for the question is that when the cacheType is set to FORM, the login page that does the POST has to include the OAM_REQ in the POSTed data, but, with PKI authentication, there is no FORM to do a POST with the OAM_REQ, etc., so I’m wondering what is the effect on PKI authentication when cacheType is changed to FORM? It seems like changing cacheType to FORM would break (cause to fail) PKI ATN?

Jim

Reply
Mahendra says October 18, 2012

Jim,

I’ve not tested this scenario with PKI/CERT atn. You can give a try and let us know your observations. Perhaps it is also good to raise an SR request with Oracle Support.

-Mahendra.

Reply
SK says October 24, 2012

I need small help from you to validate the scenario that i have tested. It is a production (HA setup) for OAM.
-> OAM setup is done in HA mode and load balanced by load balancer.
-> The application (deployed on weblogic) is proxied by two apache server (on which webgate is installed).
-> I installed the two webgates with same Webgate_ID (only one webgate instance defined in oamconsole) on both apache webservers and in the host identifier created, i put both webgate machines host and port(also load balancer url and port for webgates), so that there is one host identifier for requests coming from both web servers.
-> created policies etc

For a single web server deployment in dev environment, i had a custom form authentication scheme. The challenge url in is http://WEBSERVERHOST:PORT/XYZapp/login.jsp

For HA environment, the challenge url i put is webserver’s load balancer url http://WebServerLoadBalancerUrl:PORT/XYZapp/login.jsp.
Everything is working as expected. I just need you to validate this that load balancer url for LOGIN PAGE in custom authentication scheme is correct approach.

Thanks a lot for your help.

Reply
Mahendra says October 25, 2012

This looks fine to me, SK.

Reply
ramgopalrg says April 3, 2013

Hi, Currently we are using OAM 10g / IIS / Webgate with a customer Login Form ( a.k.a DCC -Detached Credential Collector). We are evaluating OAM 11gR2 for upgrade. As there is no supported 11g webgate for IIS, we continue to use 10g webgate only. But it is not supporting DCC. It support only ECC – Embedded Credential Collector.( we tried this and is working)

Changing Login Form is not an easy option for us. Changing the webserver from IIS to OHS is also not an option for us. can you pls suggest any other way to overcome the issue ? – Thanks

Reply
Mahendra says April 3, 2013

@Ramgopal,

I am afraid if it is not supported, then you don’t have an option. This may be weird, but can you try this, just have OHS infront of IIS and try redirecting login page request to IIS and see if that works!!

Thanks
mahendra.

Reply
ramgopalrg says June 23, 2013

HI,

We have RSA integration from OAM 11g as well.

The document http://docs.oracle.com/cd/E27559_01/admin.1112/e27239/rsa.htm says serverRequestCacheType must be set to BASIC for it to work.

Then how to get HA as well as RSA to work ?

-Thanks.

Reply
ramgopalrg says June 23, 2013

Hi,

Just to answer to the older question, we have changed the application side as needed and implemented ECC auth. The Embedded Credential Collector…..

– Rgds..

Reply
manin21 says December 4, 2013

Valuable Info about OAM-HA integration with RSA (thanks to Oracle support for clarifying):

> “serverRequestCacheType” set to “BASIC” is must for RSA authentication. This limitations is not from OAM. It is imposed by RSA Authentication API’s.
>
> In order to perform RSA authentication we need RSA Session.
> This session is not serialized. Thus, it needs to be cached locally during multiple authentication (i.e. 2 factor flows like next token flow) which is done when “serverRequestCacheType” is set to “BASIC”.
>
> When “serverRequestCacheType” is set to “COOKIE”, as the session is not serialized. When server tries to prepare the request again, RSA Session is null” and thus it fails.
>
> BASIC mode doesn’t support HA failover scenarios and stickiness is mandatory in HA scenarios using BASIC mode.
>
> Regards,
> Ajit Kumar

Hope this helps.

Regards

Reply
Scott says August 13, 2015

We just ran into an interesting situation at work, which caused us to create an sev-1 with Oracle.

Last Friday, we upgraded our 11gr2 with BP05 and had switched from COOKIE to FORM. When it was set at COOKIE, the URL was long and security did not like everything being displayed.

On Monday, we received calls from some of our customers, who were unable to access the website. We found out, they were using IE6 and IE8. By changing the requestCacheType to FORM, all version of IE less than 9 will not work.

Through testing on different browsers will be done today and tonight we will switch back to COOKIE. We are also giving the customers a cutoff date to upgrade their browsers so we can switch back to FORM.

Reply
Usman Ali Shaik says November 5, 2015

Dear manin21,

Need some information Regarding the OAM-HA integration with RSA which you posted above.

We have single OAM set up now and is integrated with RSA AM and its working fine.

But, we have a plan to build the second instance of OAM.

What all the important points do we need to consider?

You have mentioend BASIC does not work in OAM-HA and stickiness is mandatory in HA scenario while using BASIC.

How to set the stickiness and where do we need to set this stickiness any docs for this ? please share the linls.

Reply
Add Your Reply