Oracle Access Manager AAA Server in High Availability configuration
We have deployed LTM (10.2.1) including APM in our environment. The intention was to use APM with Oracle Access Manager as an external authentication agent. This requires setting up an AAA server of the type Oracle Access Manager (OAM) in the APM module.
However, only one AAA server of the type Oracle Access Manager (OAM) is allowed by LTM.
In order to maintain the existing high availability of the backend Oracle OAM servers, we have configured a virtual server (called OAM_VS) which listens on a self-IP of the LTM (and an unused port) as our Oracle AAA server. This virtual server has a default pool which contains our two test_ OAM servers as resources.
So far so good; this approach appears to work till now. To the best of my knowledge, it works as follows: when a client tries to reach a backend service which is protected by Oracle Access Manager, it sends an HTTP request to a publicly available IP/port (which in our case is mapped to an APM-enabled virtual server called Public_VS). APM intercepts the traffic and connects to our virtual server (OAM_VS), i.e. the AAA server which verifies the credentials.
Now, the connection between APM and the AAA server appears not to be HTTP and may be encrypted (if configured). What we are trying to achieve is as follows:
- In addition to the existing test_ OAM server pool, configure another pool which contains our two production_ OAM servers as resources.
- Depending on the incoming URL to Public_VS, change the default pool of our OAM_VS such that:
  - for URLs belonging to test servers, APM will make the authentication request to the test_ OAM server pool;
  - for URLs belonging to production servers, APM will make the authentication request to the production_ OAM server pool.
- Ensure that the traffic related to a particular URL is persisted to the correct back-end pool of the AAA server (OAM_VS).
We cannot generate an iRule that works in APM to achieve the above, since the process paths on both virtual servers appear to be unrelated.
An approach which seems promising is to use the TCP function CLIENT_DATA and parse the first few lines to see if the request coming from APM to our OAM_VS contains a particular URL, and then change the pool using LB::reselect or a similar command to change the default pool on the fly.
However, until now I couldn't get this to work. I would greatly appreciate any help in this regard.
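The CLIENT_DATA approach sketched in the post, written out as an added example iRule for OAM_VS. This is not code from the original post, nor from F5 or Oracle. The pool names test_oam_pool and production_oam_pool and the host names test.example.com and prod.example.com are hypothetical placeholders. The example also assumes that the APM-to-OAM connection is in the clear and that the protected host or URL appears somewhere in the first bytes of each connection; the post itself says the channel may be encrypted, and if it is, TCP::payload is opaque and this technique cannot work. The example selects the pool with the pool command rather than LB::reselect, which is meant for re-selecting a member from LB_FAILED.

```tcl
# Added example iRule (not from the original post). Attach to OAM_VS.
# Hypothetical names: pools test_oam_pool / production_oam_pool,
# hosts test.example.com / prod.example.com.
# Assumes the APM->OAM request is cleartext; an encrypted OAM channel
# would make the payload opaque and this selection impossible.

when CLIENT_ACCEPTED {
    # Buffer client-side data instead of forwarding it, so CLIENT_DATA can
    # inspect it before the server-side connection (and pool) is chosen.
    TCP::collect
}

when CLIENT_DATA {
    set data [TCP::payload]
    set len  [string length $data]

    # The first segment may be tiny; give the client one more chance to send
    # before deciding, but never hold the connection indefinitely.
    if { $len < 64 && ![info exists waited_once] } {
        set waited_once 1
        TCP::collect
        return
    }

    # Match the raw bytes against the hypothetical host patterns.
    if { [string match -nocase "*prod.example.com*" $data] } {
        pool production_oam_pool
    } elseif { [string match -nocase "*test.example.com*" $data] } {
        pool test_oam_pool
    } else {
        # Nothing recognisable in the buffered bytes: fall through to the
        # virtual server's default pool and leave a trace for debugging.
        log local0. "OAM_VS: no host pattern in first $len bytes from [IP::client_addr], using default pool"
    }

    # Release the buffered bytes to the selected pool member and stop
    # inspecting this connection.
    TCP::release
}
```

Because the pool is chosen per TCP connection from that connection's own first bytes, every APM-to-OAM connection is steered by its content at setup time; no separate persistence profile is needed for the test/production split as long as the pattern is present in each connection. Before relying on this, confirm with a packet capture on the self-IP and port that OAM_VS listens on (for example tcpdump with -X on the BIG-IP) that the request from APM is actually readable and that the host or URL you want to match on is really there.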