Forum Discussion

dehinde_21599's avatar
Icon for Nimbostratus rankNimbostratus
Feb 07, 2011

Oracle Access Manager AAA Server in High Availability configuration

We have deployed LTM (10.2.1) including APM in our environment. The intention was to use APM with Oracle Access Manager as an External Authentication agent. This requires setting up an AAA server of the Type Oracle Access Manager (OAM) in the APM module.




However only one AAA server of the type Oracle Access Manager (OAM) is allowed by LTM. In order to maintain the existing High Availability of backend Oracle OAM servers, we have configured a Virtual Server (called OAM_VS) which listens on a self-IP of LTM (and an unused port) as our Oracle AAA server. This Virtual Server has a default pool which contains our two test_ OAM servers as resources.




So far so good, this approach appears to work till now. To the best of my knowledge, it works as follows: when a client tries to reach a backend service which is protected by Oracle Access Manager, It sends an HTTP request to a publicly available IP/Port (which in our case is mapped to to an APM-enabled Virtual Server called Public_VS), APM intercepts the traffic and connects to our Virtual Server (OAM_VS) i.e the AAA server which verifies the credentials.



Now, the connection between APM and the AAA server appears not to be HTTP and may be encrypted (if configured). What we are trying to achieve is as follows:


In addition to the existing test_ OAM server pool , to configure another pool which contains our two production_ OAM servers as resources.




Depending on the incoming URL to Public_VS , change the default pool of our OAM_VS such that:-


for urls belonging to test servers APM will make the Authentication request to the test_ OAM server pool


for urls belonging to production servers APM will make the Authentication request to the production_ OAM server pool


Ensure that the traffic related to a particular URL is persisted to the correct back-end pool of the AAA server (OAM_VS)


We cannot generate an I-rule that works in APM to achieve the above since the process paths on both Virtual servers appear to be unrelated.


An approach which seems promising is to use the TCP function CLIENT_DATA and parse the first few lines to see if the request coming from APM to our OAM_VS contains a particular url and change the pool using LB:: reselect or similar command to change the default pool on the fly.


However until now I couldn’t get this to work, I would greatly appreciate any help in this regard.



No RepliesBe the first to reply