Last year we launched our consulting services where we design, implement and support Oracle products. This post is from issue we encountered during failover of Oracle Access Manager (OAM) from Primary site to Standby site for one of our client.
Setup at customer site: Oracle Access Manager (OAM) deployed with high availability in primary datacenter (assume DC1) and disaster recovery site in secondary datacenter (assume DC2). We used RAC database to synchronise data in database from primary site to standby site. File system on application tier (hosting OAM servers) was replicated from primary site to standby site using SAN replication (If you don’t have SAN then use O.S. utility like rsync) . There are few other steps for OAM DR setup that I am going to cover in another post.
Issue: After failover of OAM to disaster recovery site, while accessing the single sign on URL: https://sso.mycompany.com at DR Site it was showing an error
“Oracle Access Manager Operation Error
The webgate plug-in is unable to contact any access server”
Cause : Error is self explanatory that WebGate (Policy Enforcement Point) is unable to reach OAM Server (Policy Decision Point) on DR site. This error could be because of number of reasons.
Logs/Errors : To Find the root cause check OHS Error logs at $ORACLE_INSTANCE/diagnostics/logs/OHS/ohs1/ohs1.log , in my case it was showing the error as below:
“The Access Gate is unable to contact any Access Servers”
[2015-09-01T10:27:12.4327+00:00] [OHS] [ERROR:32] [OHS-9999] [core.c] [client_id: 127.0.0.1] [host_id: example.com] [host_addr: HOST_IP] [tid: 139963023050496] [user: demo] [ecid:00S7] [rid: 0] [Virtual Host: main] OBWebGate_AuthnAndAuthz: The AccessGate is unable to contact any Access servers
[2015-09-01T10:27:12.4351+00:00] [OHS] [ERROR:32] [OHS-9999] [core.c] [client_id: 127.0.0.1] [host_id: example.com] [host_addr: HOST_IP] [tid: 139963023050496] [user: demo] [ecid:00S7] [rid: 0] [Virtual Host: main] Request Failed For: /index.html, Resp code : 
2. check Oblix logs (oblog.log) at $ORACLE_INSTANCE/dignostics/logs/OHS/ohs1/oblog.log and it was showing the error as below:
“Exception thrown during WebGate Initialization”
2015/09/01813:56:36.38344 21825 21849 ACCESS_GATE contact INIT config.xml FATAL 0x0000182C any Access Servers. “ERROR 0x00CONFIG ERROR 0x00000505 raw codeS’ 0 21825 21852 ACCESS_GATE FATAL 0x00001520 “Exception thrown during WebGate initialization”
Checks : For this issue, we need to check if WebGate is able to contact the OAM server on Port mentioned in primary_server_list of WebGate configuration file.
Key File : OAM server details are stored in webgate configuration file (on OHS Server) at $ORACLE_INSTANCE/config/OHS/ohs1/webgate/config/ObAccessClient.xml
We discuss lot of other important key files for OAM server, WebLogic, OHS, WebGate in our Oracle Access Manager (OAM) Training
Webgate connect to the OAM Server via OAM Proxy Port and in our case we Provided the OAM Proxy port with a different value 7009 other than the default port 5575
Root Cause : In the file ObAccessClient.xml the Proxy port was changed to the default 5575 after migration to DR site because of which the WebGate was unable to contact the OAM server.
1. Login to OAM Console on DR site http://comp.example.com:7001/oamconsole
2. Navigate to the Configuration –> Server Instances
3. Click Search
4. Click WLS_OAM1
5. Change the Proxy Port to the old value that was 7009
6. Similarly, change the Proxy Port of WLS_OAM2 (If you have two OAM nodes in DR site)
7. Save the changes
8. Copy the updated ObAccessClient.xml located under OAM Domain ($DOMAIN_HOME/output/<WEB_AGENT>) to OHS Server ($ORACLE_INSTANCE/config/OHS/ohs1/webgate)
9. Bounce the services of OAM & OHS
Single sign URL: https://sso.mycompany.com should be accessible now
If you want to learn more issues like above or wish to discuss challenges you are hitting in Oracle Access Manager Implementation, register for our Oracle Access Manager Training.
We are so confident on quality and value of our trainings that We provide 100% Money back guarantee so in unlikely case of you being not happy after 2 sessions, just drop us a mail before third session and We’ll refund FULL money.
Did you subscribe to our YouTube Channel (293 already subscribed) ?