
Oracle Access Manager 11g: Administration

Volume II • Student Guide

D63114GC10 Edition 1.0 December 2010 D71611

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice

If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS

The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Authors: Vishal Parashar, David Goldsmith

Technical Contributors and Reviewers: Amjad Afanah, Jeremy Banford, Abhijit Bhatode, Rama Bollu, Vikas Pooven Chathoth, Toby Close, Jui Deshpande, Steve Doinidis, Sunil Gupta, Beomsuk Kim, Ashish Kolli, Vadim Lander, Derick Leo, Mayank Maria, Madhu Martin, Vamsi Motukuru, Rey Ong, Vimal Patel, Peter Povinec, Deepak Ramakrishnan, Shankar Raman, Chitra Sabapathy, Narasimhaiah Sreehari, Ramya Subramanya, Ramana Turlapati, Venkat Venkatnarayan, Weifang Xie

Editors: Smita Kommini, Priti Goswami

Graphic Designer: Satish Bettegowda

Publishers: Sujatha Nagendra, Giri Venugopal

Contents

1 Course Overview
Course Objectives
Course Agenda: Day 1
Course Agenda: Day 2
Course Agenda: Day 3
Course Agenda: Day 4
Course Agenda: Day 5
Practice Environment: Overview

2 Introduction to Oracle Access Manager
Objectives
Oracle Identity Management: Oracle + Sun Combination
Oracle Access Management Suite Plus
Salient Features of OAM
OAM 11g Architecture
Enterprise Deployment Architecture
SSO Login Processing with OAM Agents
Installation and Configuration
Installation and Configuration Configuration Wizard Screenshot: Templates
OAM 11g R1 Run-Time Architecture
Management Interfaces
Backward Compatibility of Agents in a Heterogeneous Environment
Coexistence of OAM 10g and 11g Servers
Coexistence of OSSO 10g and OAM 11g Servers
Session Management
Oracle Coherence in Session Management
Usability and Life Cycle Management Enhancements
Usability and Life Cycle Management Enhancements: Operational Metrics
Windows Native Authentication
Upgrade for OracleAS Single Sign-On 10.1.4.3.0
Rich ADF-Based UI
Connection Simulator: Access Tester 11g
Access Tester 11g
Key Enhancements in OAM 11g
Oracle Access Manager 11g Policy Object Comparison
Product Component Mapping
Summary
Quiz
Practice 2 Overview: Viewing New Features Viewlet

3 Installation and Configuration
Objectives
Road Map
Domain: Overview
Domain Diagram
Domain Restrictions
Server
Administration Server
Managed Server
Interaction Between the Administration Server and Managed Servers
What Is a Machine?
Relationship of Machines to Other Components
Cluster
Cluster Guidelines
WebLogic Scripting Tool (WLST)
WLST Modes
WLST Example
Oracle WebLogic Server ILT Courses
Road Map
Oracle Fusion Middleware Home and Oracle WebLogic Server Home
Oracle Home
Installing and Configuring Oracle Identity Management: Sequence of Steps
Wizards: Installation Versus Configuration
System Requirements for Oracle Identity Management 11g R1 (11.1.1.3.0)
Road Map
Oracle WebLogic Server 11g R1 PS 2 (10.3.3) Installation
System Requirements for Oracle WebLogic Server
GUI Mode Installation
Choosing or Creating a Home Directory
Registering for Support
Choosing an Installation Type and Products
Choosing the JDK and Product Directory
Windows-Specific Screens
Installation and Summary
QuickStart
Console and Silent Mode Installations
Post-Installation: Middleware Home
Oracle WebLogic Server Directory Structure
Setting Environment Variables
Practice 3 Overview: Installing Oracle WebLogic Server 10.3.3
Road Map
Installing Oracle Database
Creating Schemas by Using RCU
Practice 3 Overview: Running the Repository Creation Utility
Road Map
Installing Oracle Identity Management: Welcome and Prerequisite Checks
Installing Oracle Identity Management: Install Location and Summary
Installing Oracle Identity Management: Progress Bar and Install Complete
Practice 3 Overview: Installing Oracle Identity Management 11g
Road Map
Configuration Wizard: Creating Domain and Domain Source
Configuration Wizard: Domain and Administrator Settings
Configuration Wizard: Server Start Mode, JDK, and Customization Options
Configuring JDBC Data Source: OAM with Database Policy Store
Configuration Wizard: Administration and Managed Servers
Configuration Wizard: Clusters and Machines
Configuration Wizard: Assigning Servers to Machines and Target Deployments
Configuration Wizard: Target Services and RDBMS Security Store
Configuration Wizard: Configuration Summary and Creating Domain
Configuring OHS For Oracle WebLogic Server
Practice 3 Overview: Creating a New Domain and Configuring OAM Server
Configuration Wizard: Extending Domain and Domain Source
Output of Configuration Wizard: Directory Structure
Road Map
Starting Oracle Access Manager
Practice 3 Overview: Starting Administration and Managed Server
Validating a Successful Installation and Configuration
Oracle WebLogic Server Administration Console
Oracle WebLogic Server Administration Console: Server Status
OAM_Server1: Applications Deployed
AdminServer: Applications Deployed
Oracle Access Manager Administration Console
Oracle Enterprise Manager Fusion Middleware Control
Relationship Between Farm and Domain
Practice 3 Overview: Sanity Checks and Walkthrough of Management Interfaces
Road Map
Uninstalling Oracle WebLogic Server
Uninstalling Oracle Identity Management Home
Uninstalling Oracle Common Home and Deleting Domain Home
Summary
Quiz

4 System Configuration: Servers, Data Sources, and Agents
Objectives
Practice 4 Overview: Installing and Configuring OHS 11g
Road Map
Servers
Creating and Deleting a New Managed Server
Managing Servers
Individual Server Properties
OAM Proxy
Managing Servers from WLS Admin Console and Command Line
Road Map
Agents
WebGate Provisioning and Installation
Installing and Configuring WebGate 11g
Practice 4 Overview: Installing, Creating, and Configuring an OAM 11g WebGate
Road Map
Registering Agents
Creating or Registering OAM Agents by Using OAM Admin Console
Viewing and Editing OAM Agent Registration by Using OAM Admin Console
Creating or Registering OSSO Agents by Using OAM Admin Console
Viewing and Editing OSSO Agent Registration by Using OAM Admin Console
Configuring OAM 10g WebGate in an Existing OAM 10g Deployment to Use OAM 11g Server
In-Band Versus Out-of-Band Registration of Agents
Registration Tool
Output Files
Registration Tool
Request File
Sample Request File: Short Version
Key Request Parameters
In-Band Registration Using oamreg Tool
Out-of-Band Registration Using oamreg Tool
Remote Registration: Common Issues
10g WebGate Installation: General Comments
Practice 4 Overview: Registering Agents: OAM Admin Console, In-Band, Out-Of-Band Modes
Road Map
WLS Agent (or OAM Agent) Topology
General Features of OAM Agent
WLS Agent Configuration
Resources Protected via WLS Agent
Road Map
Data Sources
Data Repositories
User Identity Store: WLS Embedded LDAP Server
User Identity Store: Managing LDAP Servers
Testing LDAP Connection
Practice 4 Overview: WLS Embedded LDAP, OID as LDAP Store, WLS Agent
Road Map
Keystore
Securing Communication Between WebGate and OAM Server
Generating Private Key, Certificate Request, and Downloading Certificates from CA
Configuring OAM Server to Use Certificates
Configuring WebGate to Use Certificates
Summary
Quiz
Practice 4 Overview: SSL Enabling WebGate and OAM 11g Server

5 Policy Configuration: Shared Components and Application Domains
Objectives
Road Map
Shared Components: Resource Types
Shared Components: Host Identifier
Road Map
Access Control
Authentication
Authorization
Road Map
Authentication Module
Step-Up Authentication Feature
Shared Components: Authentication Schemes
Multi-Level Authentication
Road Map
Policy Object Comparison: OSSO 10g
Policy Model: Key Differences Between OAM 11g and OSSO 10g
Policy Model: Key Differences Between OAM 11g and OAM 10g
Other Policy Features in OAM 11g
Road Map
Application Domain: AuthN Policies
Application Domain: AuthZ Policies
Resource
Key URL Patterns
Authentication Policies
Authorization Policies
What Are Responses?
Responses
How Are Responses Used?
Authentication and Authorization Responses
Response Expressions
Response Examples
Response Flows
Response Providers
Supported Variable Names Request information
Supported Variable Names Session information
Supported Variable Names User information
Authorization Constraints
Road Map
Application Domain
Conceptual Relationships for Policy Objects
Summary
Quiz
Practice 5 Overview: Protecting Resources by Using Application Domains

6 Single Sign-On and Session Management
Road Map
Objectives
Road Map
Oracle Access Manager Single Sign-On
Oracle Access Manager Single Sign-On Scenario
Oracle Access Manager Single Logout Scenario
Road Map
Session and Cookie Creation in Authentication
Session and Cookie Usage After Successful Authentication
The OAM Session and the OAM_ID Cookie
Agent Cookies
Single Sign-On Cookie Reference
Cookie and Communication Security
Session and Cookies in Single Logout
Quiz
Road Map
Session Life Cycle
Session Timeouts
Road Map
Session Caching and Persistence
Road Map
Configuring Single Sign-On: Overview
Road Map
Default Login Page
Options for Displaying the Single Sign-On Login Page by Using Form-Based Authentication
Configuring an Authentication Scheme for a Customized Login Page
Customizing Logout
Road Map
Configuring Session Management Options
Managing Sessions
Road Map
Windows Native Authentication
User Validation Replaces Credential Collection
Configuring an Oracle Access Manager Deployment for WNA
Quiz
Summary
Practice 6 Overview: Examining Single Sign-On and Managing Sessions

7 Using Oracle Access Manager With WebLogic Applications
Road Map
Objectives
Road Map
Java EE Authentication and Authorization
Using OAM for Perimeter Authentication and Authorization With a WebGate
Using OAM for Perimeter Authentication Without a WebGate
Identity Assertion Providers
Oracle Access Manager Identity Assertion Provider
OAM Identity Assertion Provider Event Sequence
Road Map
OAM Authenticator
Quiz
Summary
Practice 7 Overview: Using an Identity Assertion Provider

8 Auditing and Logging
Road Map
Objectives
Road Map
Auditing and Logging: Overview
Road Map
The Fusion Middleware Audit Framework
Road Map
Audit Output Options
Audit Architecture Using a Database as the Audit Store
Deploying Auditing by Using a Database as the Audit Store
Road Map
Audit Settings
Road Map
Examples of Audited Events
Examples of Data Recorded When an Audited Event Occurs
Quiz
Road Map
Oracle Business Intelligence Publisher
Deploying BI Publisher to Support FMW Audit Framework and Oracle Access Manager Reports
Generating Oracle BI Publisher Reports
Navigating to Common User Activities Reports
Navigating to Oracle Access Manager Reports
Oracle BI Publisher Reports for Oracle Access Manager
Road Map
Administrator Tasks: Logging
Logging Configuration Objects
Log Levels
Oracle Access Manager Loggers and Log Level Inheritance
Log Handler Settings
Viewing the Logging Configuration by Using FMW Control
Modifying Log Level by Using FMW Control
Creating or Configuring Log Handlers by Using FMW Control
Using the WLST Tool to Configure Logging
Road Map
Locating Log Files
Viewing and Downloading Log Files by Using FMW Control
Road Map
Log Files from Other Servers in an Oracle Access Manager Deployment
Quiz
Summary
Practice 7 Overview: Auditing and Logging

9 Upgrading Oracle Single Sign-On 10g to Oracle Access Manager 11g
Objectives
Overall Sequence
Retain Ports Versus Change Ports
Summary of Upgrade Process
Upgrade OSSO 10g Associated with Oracle Portal
Verifying a Successful Upgrade
Scenarios Not Supported for Upgrade to OAM 11g
Typical OSSO 10g to OAM 11g Upgrade Topology
Components Involved in an Upgrade
Upgrade Flow
Upgrade Assistant
Post-Upgrade Validation
Coexistence of OSSO 10g and OAM 11g
Key Functionality for Coexistence Model
Coexistence Scenario I: User Authenticated by OAM 11g
Coexistence Scenario II: User Authenticated by OSSO 10g
Typical OSSO Server Production Deployment Topology
Typical Production Deployment Topology
Rolling Upgrade: Hybrid Configuration
Upgrade Process
Interplay of SSO_ID and OAM_ID cookies
Summary
Quiz

10 Troubleshooting and Management
Objectives
Road Map
Access Tester
Use Cases: Access Tester
Access Tester Simulating Steps 1, 3, 5, 6 of Agent and OAM Server Interaction
Access Tester: Core Functionality
Access Tester Architecture
Output Files and Security Features
Starting Access Tester
System Properties
Access Tester Console
Test Cases and Test Scripts
Road Map
Using weblogic.Admin Utility to Check the State of Servers
Examining Admin Server and Managed Server Logs
WebLogic Admin Server and Managed Server Thread Dump
Agent and Server Monitoring
OAM Proxy Errors
Configuration Data
Road Map
Top Problem Areas
LDAP Server
OAM Runtime Servers
Agent Side Issues
Run-Time DB Issues
Admin Change Propagation and Activation
Policy Repository DB Issues
Road Map
WLST Architecture
Offline Mode And Online Mode
Executing WLST Commands
Example: Create Identity Store Embedding WLST Command in Python Script
WLST Commands for OAM 11g
Road Map
Oracle Enterprise Manager Fusion Middleware Control
FMW Control: Performance Overview
Topology
MBean Browser
Summary
Quiz
Practice 10 Overview: Working with Access Tester, WLST, and FMW Control

11 Horizontal Migration
Objectives
Use Cases: Horizontal Migration
Perform Horizontal Migration Using WLS Template Builder
Performing Horizontal Migration by Using WLS Template Builder
Source and Target Processing
Policy Migration
Partner Migration
Dependencies
Horizontal Migration Use Cases
Summary
Quiz
Practice 11 Overview: Performing Horizontal Migration

12 High Availability
Road Map
Objectives
Road Map
High Availability (HA) Goals
Road Map
Potential Points of Failure in an Oracle Access Manager Deployment
Load Balancing on the Web Tier
Clustering the Oracle Access Manager Server on the Application Tier
WebLogic Server Cluster
Configuring a WebLogic Cluster of Oracle Access Manager Servers on Multiple Hosts
Converting a Single OAM Server on a Single Host to a Clustered Configuration
Handling Administration Server Failure in a Cluster of Oracle Access Manager Servers
Data Tier
Other Issues to Be Aware of in HA Deployments
Road Map
Session Replication and Configuration Change Distribution
User Session Continuity in a Single Oracle Access Manager Server Environment
User Session Continuity in a Clustered Oracle Access Manager Server Environment
Road Map
Backing up an Oracle Fusion Middleware Deployment
Recovering Your Environment
HA Topology Review
Summary
Quiz
Practice 12 Overview: Configuring Oracle Access Manager for HA

A Introduction to Oracle Access Manager
Oracle Access Manager 11g Comparison with Oracle Access Manager 10g and OSSO 10g
Credential Collection
Kerberos Operation
Coexistence and Backward Compatibility
Request Flow: Authentication
Request Flow: Authorization

B Installation and Configuration
WebLogic JMX: Overview
Navigating JMX MBeans
Node Manager
Node Manager Architecture

C System Configuration: Servers, Data Sources, and Agents
Coherence Properties
Common Server Properties
Backward Compatibility
WLS Agent Without a WebGate

D Policy Configuration: Shared Components and Application Domains
Custom Resource Types
Custom Authenticator Use Case
Fusion Applications SSO Use Case
Creating Custom Resources
Authentication Parity with OAM 10g
OAM 10g Parity Items Features Not Implemented in 11g R1
Authentication: Troubleshooting Tips
Success and Failure URL
Validating Authentication and Authorization in an Application Domain
Authentication Module Features
Shared Components: Authentication Schemes

E Monitoring OAM 11g by Using Oracle Grid Control
Objectives
Enterprise Manager Architecture
Oracle Enterprise Manager Grid Control Identity Management Pack
Oracle Identity Management Pack Key Capabilities: Performance Monitoring and Diagnostics
Oracle Identity Management Pack Key Capabilities: Service Level Management
Features in the Upcoming Release of Grid Control Comprehensive Monitoring
Features in the Upcoming Release of Grid Control Integration with FMW Control and WLS Admin Console
Features in the Upcoming Release of Grid Control Improved Performance Monitoring and Diagnostics
Grid Control: Home Page
Identity and Access Targets
Identity and Access System
Generic Service
Discovering Oracle Access Manager
Create Identity and Access System
Create Service
Create a Service Dashboard Report
Adding or Removing Targets from the System Topology
Removing Servers or Components from an Existing Identity Management Topology
Updating Monitoring Configuration
Alerts Based on Performance and Usage Metrics
Metric Baselines
View All Metrics Collected for Oracle Identity Management Target
View All Metrics for Oracle Access Manager
Metric and Policy Settings
Availability
Service-Level Rules
Topology
Service Performance and System Component Status
Performance Summary for Oracle Access Manager
Managing Oracle Access Manager and Running Reports
Alerts and Alert History
Blackouts
User-Defined Metrics
Summary

F Introduction to Access SDK
Road Map
Objectives
Road Map
Custom Requirements for Authentication and Authorization Services
Road Map
Access SDK
Road Map
Oracle Access Manager Clients
AccessGate Variations
Road Map
Developing and Deploying AccessGates: Overview
Preparing Systems for AccessGate Development and Deployment
Installing Access SDK
Developing the AccessGate
Example of Access SDK API Usage in an AccessGate
Configuring Oracle Access Manager to Support AccessGates
Road Map
Access SDK Support in Oracle Access Manager 11g
Quiz
Summary

G Single Sign-On and Session Management
Intranet Single Sign-On: End-User Experience
Internet Single Sign-On: End-User Experience

Auditing and Logging

Road Map

• Objectives
• Auditing and logging
• Fusion Middleware Audit Framework
• Audit output options
• Configuring audit settings
• Audited events and recorded data
• Generating audit reports
• Configuring logging settings
• Locating and examining logging output
• Locating log files from other servers

Objectives

After completing this lesson, you should be able to:

• Differentiate between auditing and logging
• Describe the Fusion Middleware Audit Framework
• Describe audit output options
• Configure audit settings
• Describe audited events and data recorded when an audited event occurs
• Generate audit reports
• Configure logging settings
• Locate and examine logging output
• Locate log files from other servers in an Oracle Access Manager deployment


Auditing and Logging: Overview

This section describes the auditing and logging features of Oracle Access Manager server at a high level. Subsequent sections describe auditing and logging in greater detail.

Auditing

Compliance is a major requirement in the enterprise. With regulations such as Sarbanes-Oxley (financial) and Health Insurance Portability and Accountability Act (health care), many organizations must be able to audit identity information and user access of applications and devices. Events that require auditing might include the following:

• User authentication and access activities
• Administrative changes to systems

By reviewing recorded audit data, compliance officers can perform periodic reviews of compliance policies.

While auditing can be enabled or disabled, it is normally enabled in production environments. Auditing has a minimal performance impact, and the information captured by auditing is useful, sometimes mission-critical.

Auditing:

• Helps users attain compliance with regulatory requirements; for example, Sarbanes-Oxley and Health Insurance Portability and Accountability Act (HIPAA)
• Is normally enabled in production environments
• Records authentication, authorization, and administrative events
• Uses the Oracle Fusion Middleware Audit Framework:
  – Writes to a single, centralized Oracle Database instance or to flat files
  – Integrates with Oracle Business Intelligence Publisher, which provides a predefined set of compliance reports

Oracle Fusion Middleware Audit Framework

Oracle Fusion Middleware Audit Framework is a new service in Oracle Fusion Middleware 11g Release 1, designed to provide a centralized audit framework. The framework provides a common audit service for Oracle Access Manager and other Fusion Middleware component products.

With the Oracle Fusion Middleware Audit Framework, you can write all audit data to a single Oracle Database instance, or to flat files. The framework also integrates with Oracle Business Intelligence Publisher, which provides a predefined set of compliance reports.


Logging

Oracle Access Manager server logging records messages from various OAM components. You control the amount of logging output by specifying log levels for each OAM component for which a logger is defined.

Log messages are used for problem diagnosis, either by users or by Oracle Technical Support. Documentation for log messages is not available. In some cases, users might be able to diagnose problems on their own by reading log files. More typically, you enable logging to produce files that you send to Oracle Technical Support for problem diagnosis.

Note: Diagnosing problems by using the information in the log files is not an objective for users of this course. Configuring logging and locating log files are objectives for users of this course.

By default, the log level for all OAM server components is the notification level. Logging at the notification level generates log records for system errors and notifications only, therefore producing a relatively small amount of output. However, other log levels result in voluminous logging output; so much output that enabling some log levels can impact OAM server performance.

Therefore, in production environments, the log level is set to a level (for example, the notification or error level) that results in a relatively small volume of logging output. The OAM logging system writes output to flat files only. Logging to an Oracle Database instance is not supported.

Logging:

• Records OAM component messages that are useful when diagnosing problems.
• Normally configured to log only errors and system notifications in production environments.


The Fusion Middleware Audit Framework

Writing audit records to a database provides numerous advantages over writing to flat files, and is the preferred mode of operation for Oracle Access Manager server in production environments. Advantages include the following:

• Database logging implements a common auditing framework employed across a range of Oracle Fusion Middleware component products. Fusion Middleware products that leverage the common audit framework benefit from the commonality of auditing functionality at the platform level.

Other Oracle Fusion Middleware component products that leverage the Fusion Middleware Auditing Framework include (but are not limited to) Oracle Identity Manager, Oracle Web Services Manager, Oracle Internet Directory, Oracle Virtual Directory, and Oracle Directory Integration and Provisioning. Stand-alone applications can be integrated with the Oracle Fusion Middleware Audit Framework.

• Audit policies are declarations of the types of events to be captured by the audit framework for particular components. For Java components, audit policies are defined at the domain level. For system components, audit policies are managed at the component instance level. Pre-defined policy types include the following:
  – None
  – Low (audits fewer events)
  – Medium (audits many events)
  – Custom (implements filters to narrow the scope of audited events)

• The Fusion Middleware Audit Framework integrates with Oracle Enterprise Manager Fusion Middleware Control for UI-based configuration and management, thus leveraging the Oracle Fusion Middleware 11g infrastructure. It also supports the WLST tool for command-line configuration.

• Two output formats, flat files and database, are provided. Maintaining a common location for all audit records simplifies maintenance.

• When you use Oracle Database as the audit data store, you run the Repository Creation Utility (RCU) to initialize the predefined Oracle Fusion Middleware Audit Framework schema. Once configured, all the audit loaders are aware of the data store and upload data to it periodically. The audit data in the database is expected to be cumulative and grow over time. Ideally, this should not be an operational database used by any other applications; rather, it should be a stand-alone database used for audit purposes only.

• The data in the audit store is exposed through predefined reports in Oracle Business Intelligence Publisher (Oracle BI Publisher). By using Oracle BI Publisher reports, you can drill down through the audit data to perform analyses based on selected criteria. For example:
  – Username
  – Time range
  – Application type

The Fusion Middleware Audit Framework: a common audit framework across the Fusion Middleware product stack that includes the following features:

• Audit-aware component products
• Audit policies
• Configuration through Enterprise Manager and WLST commands
• Flat file and database audit data stores
• Audit database initialized by Repository Creation Utility
• Pre-defined reports in Oracle Business Intelligence Publisher


Audit Output Options

You can write audit records to a flat file or to an Oracle Database instance. Although the formats differ, the content in the flat file and the database is identical.

Writing Audit Records to a Flat File

The default configuration for audit output is to write audit records to a flat file.

Writing Audit Records to an Oracle Database

You can configure Oracle Access Manager to write audit records to an Oracle database. Subsequent slides describe the architecture for database logging, and the advantages of using a database for audit logging rather than a flat file. A section later in this module describes how you configure audit logging to a database.

[Figure: Audit Output Options. Labels: Flat File; Oracle DB; Default OAM Server Auditing Configuration; OAM Server Auditing to Oracle DB]

Audit Architecture Using a Database as the Audit Store

The following features comprise the architecture for auditing when using a database as the audit store:

• An Oracle Database instance is required. For the required version of Oracle Database software, refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

• Schema for the audit log tables is provided by the Repository Creation Utility. You must run this utility before you can log to a database.

• The Oracle Access Manager server writes its audit data to a flat file.

• An independent process, called the audit loader, reads the flat file and inserts records in the log table in the Oracle database.

• Pre-defined reports in Oracle Business Intelligence Publisher expose the data in the audit database.

[Figure: Audit Architecture Using a Database as the Audit Store. Components shown: Oracle Access Manager Server; Audit Loader; Repository Creation Utility; Oracle BI Publisher]

Deploying Auditing by Using a Database as the Audit Store

To deploy auditing when using a database as the audit store, perform the following tasks.

Creating the Audit Database

Before you can configure Oracle Access Manager to write audit records to a database, you must create the database.

Refer to the Oracle Access Manager Certification Matrix on Oracle Technology Network to obtain a list of supported Oracle Database versions for Oracle Access Manager 11g.

Running Repository Creation Utility

Next, run the Repository Creation Utility (RCU) to insert the auditing schema into the Oracle Database instance. Select the Audit Services check box when running RCU, as shown on the screen shot on the following page.

[Figure: Deploying Auditing by Using a Database as the Audit Store. Steps shown: 1. Create database; 2. Run Repository Creation Utility; 3. Configure a data source on the admin server and managed server instances; 4. Use FMW Control to enable auditing by using a database; 5. Restart WebLogic admin and managed server instances. Components shown: Audit Loader; Oracle BI Publisher; Repository Creation Utility]

Deploying Auditing by Using a Database as the Audit Store (continued)

Configuring a Data Source for the Audit Database

In this step, you define a JDBC data source for the audit database so that the WebLogic server can access the database. You must configure the data source on the administration server and on all WebLogic managed server instances running Oracle Access Manager server. Refer to the Oracle Fusion Middleware Security Guide 11g Release 1 for specific steps to follow to configure the data source.

Enabling Auditing by Using a Database in FMW Control

You must define the auditing type as database logging by using FMW Control.

To enable auditing in FMW Control, you select the WebLogic Domain > Security > Audit Store option and specify the JNDI name of the data source for the audit database.

Restarting WebLogic Server Instances

Finally, you must restart all the WebLogic Server instances—the admin server and all the managed server instances—in the domain. During the restart, the audit loader rereads the audit store configuration and starts using the database for auditing.


Audit Settings

The screen shot shows configurable options for Oracle Access Manager auditing. Options include the following:

Maximum Directory Size – The maximum size of the directory that contains audit output files. For example, assuming that the maximum file size is 10 MB, a value of 100 for this parameter implies that the directory allows a maximum of 10 files. Once the maximum directory size is reached, auditing stops.

The Maximum Directory Size setting applies to auditing by using flat files only.

Maximum File Size – The maximum size, in MB, of the audit file. Once the size of the audit file reaches the maximum size, a new audit file is created and the previous log file is renamed.

The Maximum Directory Size setting applies to auditing by using flat files only.
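Because auditing stops once the maximum directory size is reached, it helps to watch the flat-file audit directory against the configured limits. The following check is an added example, not part of the original course material or of Oracle's tooling; it assumes that MB means 2**20 bytes, and the file names it writes to a temporary directory are constructed.

```python
import os
import tempfile

MB = 1024 * 1024  # assumption: "MB" in the audit settings is 2**20 bytes


def audit_dir_status(audit_dir, max_dir_size_mb, max_file_size_mb,
                     warn_ratio=0.8):
    """Compare a flat-file audit directory with its configured limits.

    Returns the bytes in use, how many more full-size audit files still
    fit, and a state: "ok", "warn" (usage at or above warn_ratio of the
    limit) or "stopped" (limit reached, the point at which the page says
    auditing stops). warn_ratio is a hypothetical threshold for alerting.
    """
    if max_dir_size_mb <= 0 or max_file_size_mb <= 0:
        raise ValueError("size limits must be positive")
    used = 0
    for entry in os.scandir(audit_dir):
        # Count regular files only; never follow symlinks out of the directory.
        if entry.is_file(follow_symlinks=False):
            used += entry.stat(follow_symlinks=False).st_size
    limit = max_dir_size_mb * MB
    if used >= limit:
        state = "stopped"
    elif used >= warn_ratio * limit:
        state = "warn"
    else:
        state = "ok"
    return {
        "used_bytes": used,
        "limit_bytes": limit,
        # 100 MB directory / 10 MB files -> 10 files, as in the text above.
        "max_files": max_dir_size_mb // max_file_size_mb,
        "full_files_left": max(limit - used, 0) // (max_file_size_mb * MB),
        "state": state,
    }


def constructed_demo():
    """Fill a temporary directory step by step and return the states seen."""
    states = []
    with tempfile.TemporaryDirectory() as tmp:
        states.append(audit_dir_status(tmp, 2, 1)["state"])  # empty directory
        for index, size_kb in enumerate((900, 900, 300)):
            # Constructed filler standing in for rotated audit files.
            with open(os.path.join(tmp, "audit_%d.log" % index), "wb") as fh:
                fh.write(b"\0" * (size_kb * 1024))
            states.append(audit_dir_status(tmp, 2, 1)["state"])
    return states


if __name__ == "__main__":
    print(constructed_demo())
```

Run a check like this on a schedule and alert on the "warn" state, so that old audit files can be archived before the directory limit is reached.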

Note: The two users listed by default in the filter settings—the orcladmin and SSOAdmin users—are provided only as examples and can be removed if they are not required.


Audit Settings (continued)

• Filter options:

– Filter Enabled – Select this check box to enable event filtering.

– Filter Preset – Controls the amount of audit information recorded. Events for the preset levels are defined in the MIDDLEWARE_HOME/user_projects/domains/DOMAIN/config/fmwconfigcomponent_events.xml file. You cannot modify the content in this file.

When the filter preset is set to the level NONE, no auditing takes place.

– Audit Users – A list of users whose actions are audited irrespective of filter preset. This setting is effective if the filter preset is not set to the level NONE.


Examples of Audited Events

The slide shows several examples of audited events.

For a complete list of audited events, refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

Examples of Audited Events

Type of Audited Event | Event
Authentication | Credentials collected
Authentication | Authentication succeeded
Authentication | Authentication failed
Authorization | Authorization succeeded
Authorization | Authorization failed
Administrative | Authentication scheme created
Administrative | Administration console login failed
Administrative | Server configuration changed

Examples of Data Recorded When an Audited Event Occurs

The slide shows several examples of the different types of data that are recorded when an Oracle Access Manager event is audited.

For a complete list of the data collected during event auditing, refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

Examples of Data Recorded When an Audited Event Occurs

Audited Event | Data Collected
Authentication failed | IP address, username, user DN, resource ID, authentication scheme ID, failure error code, retry count, authentication policy ID, partner ID
Authorization succeeded | IP address, user DN, resource ID, authorization policy ID
Administration console login succeeded |

Quiz

To deploy auditing by using Oracle Database as the audit store, which two of the following actions must you take?

a. Create a separate WebLogic managed server instance that executes the auditing logic

b. Configure an identity data source in Oracle Access Manager

c. Enable auditing using a database by using FMW Control

Answer: c, d

Quiz

Which tool can you use to view predefined audit reports for Oracle Access Manager?

a. The WLST tool

b. grep

c. Oracle BI Publisher

Answer: c


Oracle Business Intelligence Publisher

Oracle Business Intelligence is a general-purpose reporting and analysis tool that you can use to answer a range of business questions. For example:

• How is my business performing?

• Which factors are influencing my business?

• Where is my business headed?

• Where should we focus our efforts?

The Fusion Middleware Audit Framework leverages Oracle BI Publisher to analyze audit data recorded to an audit database. A set of predefined Oracle BI Publisher report templates is provided with Oracle Access Manager. By using these report templates, you can run reports to analyze audit data. By using Oracle BI Publisher, you can take advantage of powerful reporting features such as flexible report display, filtering, scheduling, and custom reporting.

Oracle Business Intelligence Publisher

• Supports Fusion Middleware Audit Framework predefined reports

• Provides flexible report display:

– Output type

– Appearance

• Provides report filtering

• Provides report scheduling

Deploying BI Publisher to Support FMW Audit Framework and Oracle Access Manager Reports

To deploy Fusion Middleware Audit Framework reports and reports specific to Oracle Access Manager in Oracle BI Publisher, perform the following steps:

1. Install the Oracle BI Publisher Web application.

2. In the Web container in which you installed Oracle Business Intelligence Publisher, define a data source for the audit database if you have not already done so.

3. Copy the AuditReportTemplates.jar file from the Fusion Middleware software installation directory to the XMLP/Reports subdirectory of the Oracle BI Publisher top-level installation directory. Unjar the AuditReportTemplates.jar file.

4. Copy the oam_audit_reports_11_1_1_3_0.zip file from the middleware_home/idm_home/oam/server/reports directory to the XMLP/Reports subdirectory of the Oracle BI Publisher top-level installation directory. Unzip the oam_audit_reports_11_1_1_3_0.zip file.

[Figure: Deploying BI Publisher to Support FMW Audit Framework and Oracle Access Manager Reports. Steps shown: 1. Install Oracle BI Publisher; 2. Configure a data source in Oracle BI Publisher (if not already configured); 3. Copy and unjar the AuditReportTemplates.jar file; 4. Copy and unzip oam_audit_reports_. Destination shown: XMLP/Reports subdirectory of the BI Publisher installation directory]

Generating Oracle BI Publisher Reports

To generate Fusion Middleware Audit Framework reports in Oracle BI Publisher, perform the following steps:

1. Log in to Oracle BI Publisher. The default user ID is Administrator and the default password is Administrator.

2. Select the Reports tab.

3. Click More to expose the list of standard reports, including audit reports.

4. Click Oracle_Fusion_Middleware_Audit, then navigate to the report you want to run.

5. Use filter options in the top part of the report page to filter reported data in various ways. Report data appears on the bottom part of the report page.

[Figure: Generating Oracle BI Publisher Reports. Callouts: Report filtering and sorting options; OAM audit data]

Navigating to Common User Activities Reports

Perform the following steps to run the Fusion Middleware common user activities reports in Oracle BI Publisher:

1. Start the Oracle BI Publisher console. The console’s default URL is http://host:9704/xmlpserver.

2. Log in to Oracle BI Publisher. The default user ID is Administrator, and the default password is also Administrator.

3. Click More.

4. Click Oracle_Fusion_Middleware_Audit.

5. Click Common_Reports.

6. Select the report that you want to run.

[Figure: Navigating to Common User Activities Reports. Navigation path is Shared Folders / Oracle_Fusion_Middleware_Audit. Callout: User Activities Report]

Navigating to Oracle Access Manager Reports

Perform the following steps to run the Oracle Access Manager reports in Oracle BI Publisher:

1. Start the Oracle BI Publisher console. The console’s default URL is http://host:9704/xmlpserver.

2. Log in to Oracle BI Publisher. The default user ID is Administrator, and the default password is also Administrator.

3. Click More.

4. Click Oracle_Fusion_Middleware_Audit.

5. Click Component_Specific.

6. Click Oracle_Access_Manager.

7. Select the report that you want to run.

Note: The common user activities reports appear both in the Common_Reports folder and in the Oracle_Access_Manager folder. You can run the common user activities reports from either location in the Oracle BI Publisher console.

[Figure: Navigating to Oracle Access Manager Reports. Navigation path is Shared Folders / Oracle_Fusion_Middleware_Audit / Component_Specific / Oracle_Access_Manager]

Oracle BI Publisher Reports for Oracle Access Manager

The BI Publisher reports for Oracle Access Manager are divided into two categories:

• Reports that are not specific to Oracle Access Manager

• Reports that are specific to Oracle Access Manager

Fusion Middleware Common User Activity Reports

The Fusion Middleware Audit Framework includes a set of user activity reports that provide information about events that occurred in both Oracle Access Manager and other Fusion Middleware component products. For example, the Authentication History report includes authentications to Oracle Access Manager, but might include binds to Oracle Internet Directory as well.

Oracle Access Manager Specific Reports

In addition, reports that are specific to Oracle Access Manager are included in the predefined set of Fusion Middleware Audit Framework reports. These reports provide information solely about audit events recorded by Oracle Access Manager.

Oracle BI Publisher Reports for Oracle Access Manager

• Fusion Middleware Common User Activity Reports:

– Authentication History

– Multiple Logins from Same IP

– Authorization History

– Event Details

– Dashboard

• Oracle Access Manager reports:

– Authentication from IP by User

– Authentication per IP

– Authentication Statistics per Server

Oracle BI Publisher Reports for Oracle Access Manager (continued)

The following reports specific to Oracle Access Manager are available:

• Authentication From IP by User – For each IP address from which users have attempted to authenticate, this report shows the number of distinct users who have attempted to authenticate, the total authentication attempts, and the IDs of users who have attempted to authenticate.

• Authentication Per IP – The Authentication Per IP report is an abbreviated form of the Authentication From IP by User report. For each IP address from which users have attempted to authenticate, this report shows the number of distinct users who have attempted to authenticate and the total authentication attempts.

• Authentication Statistics Per Server – This report shows the authentication success and failure count for each Oracle Access Manager server instance.

• Authentication Statistics – This report provides a list of users who incurred the most successful and failed authentication attempts.
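To make the report definitions above concrete, the following added example computes the same aggregates from a handful of constructed authentication events. It is not Oracle's report logic and is not part of the original course material; the record layout, user names, server names, and the min_users review threshold are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real audit output). Each tuple is
# (ip_address, username, event, server); the layout is an assumption.
SAMPLE_EVENTS = [
    ("192.0.2.10", "alice", "Authentication succeeded", "oam_server1"),
    ("192.0.2.10", "alice", "Authentication succeeded", "oam_server2"),
    ("198.51.100.7", "alice", "Authentication failed", "oam_server1"),
    ("198.51.100.7", "bob", "Authentication failed", "oam_server1"),
    ("198.51.100.7", "carol", "Authentication failed", "oam_server2"),
    ("198.51.100.7", "carol", "Authentication succeeded", "oam_server2"),
    ("203.0.113.5", "dave", "Authorization succeeded", "oam_server1"),
]

AUTHN_EVENTS = {"Authentication succeeded", "Authentication failed"}


def authentication_from_ip_by_user(events):
    """Per IP: distinct users, total attempts, and the user IDs seen."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0})
    for ip, user, event, _server in events:
        if event not in AUTHN_EVENTS:
            continue  # authorization and administrative events are excluded
        per_ip[ip]["users"].add(user)
        per_ip[ip]["attempts"] += 1
    return {
        ip: {
            "distinct_users": len(data["users"]),
            "total_attempts": data["attempts"],
            "user_ids": sorted(data["users"]),
        }
        for ip, data in per_ip.items()
    }


def authentication_per_ip(events):
    """Abbreviated form: per IP, (distinct users, total attempts)."""
    full = authentication_from_ip_by_user(events)
    return {ip: (row["distinct_users"], row["total_attempts"])
            for ip, row in full.items()}


def authentication_statistics_per_server(events):
    """Success and failure counts for each server instance."""
    stats = defaultdict(lambda: {"succeeded": 0, "failed": 0})
    for _ip, _user, event, server in events:
        if event == "Authentication succeeded":
            stats[server]["succeeded"] += 1
        elif event == "Authentication failed":
            stats[server]["failed"] += 1
    return dict(stats)


def ips_with_many_users(report, min_users):
    """IPs worth a reviewer's attention: many distinct users from one address."""
    return sorted(ip for ip, row in report.items()
                  if row["distinct_users"] >= min_users)


if __name__ == "__main__":
    report = authentication_from_ip_by_user(SAMPLE_EVENTS)
    for ip in sorted(report):
        print(ip, report[ip])
    print(authentication_statistics_per_server(SAMPLE_EVENTS))
    print(ips_with_many_users(report, 3))
```

An address that shows many distinct users is not necessarily hostile (a proxy or NAT gateway produces the same pattern), so treat the last function as a prompt for review rather than a verdict.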


Administrator Tasks: Logging

Administrators and Oracle Support use Oracle Access Manager server logging to diagnose problems. When the Oracle Access Manager server does not operate as expected, a customer might call Oracle Support to determine the cause of the problem. If the cause of the problem is not easily diagnosed, Oracle Support might ask the customer to generate logs to help Oracle Support analyze the problem and make recommendations for correcting the problem.

Therefore, administrators need to know how to configure Oracle Access Manager server logging in order to produce diagnostic output for Oracle Support. They need to know how to locate output log files so that they can send them to Oracle Support upon request. They need to know how to reset the logging configuration back to default levels after requested logs have been produced, so that logging overhead does not adversely affect Oracle Access Manager server performance.

Administrators are not expected to interpret logging output. Oracle Access Manager documentation does not describe log file formats or content; nor does this course. While experienced administrators might learn to interpret logging output, being able to do so is not a learning objective of this course.

Administrator Tasks: Logging

• Configure logging as requested by Oracle Support

• Locate logging output in order to send to Oracle Support for problem diagnosis

• Reset logging to the default level after obtaining needed log output to minimize performance impact

Logging Configuration Objects

Like all Fusion Middleware 11g component products, Oracle Access Manager implements the Oracle Diagnostic Logging (ODL) framework, an architecture that complements and extends the Java EE logging framework encapsulated in the java.util.logging classes. Two components—loggers and log handlers—work together in this architecture.

Loggers

Oracle Access Manager calls component loggers when events require logging. The set of component loggers is predefined in the Oracle Access Manager configuration. Some examples of component loggers are the authentication engine logger, the SSO controller logger, and the credential collector logger.

Oracle Access Manager logger names begin with the string oracle.oam.

For a complete list of Oracle Access Manager loggers, refer to the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

[Figure: Logging Configuration Objects. Loggers write to log handler(s). Example shown: authentication engine, SSO controller, and credential collector logging at TRACE:32 level; all other OAM components logging at NOTIFICATION:1 level]

Logging Configuration Objects (continued)

Log Handlers

Log handlers typically receive messages from loggers and write the messages to files. By default, Oracle Access Manager loggers use the odl-handler log handler. This log handler writes to the DOMAIN_HOME/servers/OAM_SERVER/logs/OAM_SERVER-diagnostic.log file.

Log Levels

You can change the amount of logging output for loggers by modifying their log levels. The ODL log levels are listed on the slide. The INCIDENT_ERROR:1 level produces the least logging output. The TRACE:32 level produces the most output. The default log level for Oracle Access Manager server loggers is the NOTIFICATION:1 level.

While you can control the volume of output produced by logging, you cannot customize individual messages that loggers write when you set a given log level on a logger. The level associated with a log message is predefined in the Oracle Access Manager code.

ODL and Java EE Log Levels

Oracle Access Manager uses log levels defined in the ODL. The log levels are analogous to log levels defined in the java.util.logging.Level class in the Java EE logging architecture. The Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager provides a table that correlates ODL log levels to Java EE log levels.

Log Levels

• INCIDENT_ERROR:1

• ERROR:1

• WARNING:1

• NOTIFICATION:1 (default log level)

• NOTIFICATION:16

• TRACE:1

• TRACE:16

Oracle Access Manager Loggers and Log Level Inheritance

The ODL framework uses an inheritance model to determine loggers' log levels.

Logger names can consist of multiple strings delimited by periods. For example, the logger for Oracle Access Manager audit events is the oracle.oam.audit logger.

To determine a logger's log level, the logging system first looks to see if a log level is explicitly defined for the logger. In the example, no explicit log level is defined for the oracle.oam.audit logger.

If no explicit log level is found for the logger, the logging system strips the right-most string and period from the logger name to construct a new logger name. In the example, the new logger name is oracle.oam. The logging system then checks to see if a log level is explicitly set for this logger. If a log level has been explicitly defined, the original logger inherits this log level.

The logging system repeats this action until only the left-most string of the logger name, oracle, remains. The Oracle Access Manager logging configuration explicitly defines the NOTIFICATION:1 log level as the oracle logger's log level. Therefore, Oracle Access Manager loggers that do not have explicitly defined log levels default to the NOTIFICATION:1 log level.
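The inheritance lookup described above can be expressed in a few lines. This is an added example, not ODL's own code and not part of the original course material: it resolves a logger's effective level and lists the loggers that still log above the default, which is what an administrator checks before resetting logging after a support session. The demo_engine logger names are hypothetical.

```python
# ODL log levels in the order the page lists them, least to most output.
ODL_LEVELS = [
    "INCIDENT_ERROR:1", "ERROR:1", "WARNING:1", "NOTIFICATION:1",
    "NOTIFICATION:16", "TRACE:1", "TRACE:16", "TRACE:32",
]
DEFAULT_LEVEL = "NOTIFICATION:1"

# Constructed configuration. "oracle", "oracle.oam" and "oracle.oam.audit"
# come from the text; the demo_engine names are hypothetical.
EXPLICIT_LEVELS = {
    "oracle": "NOTIFICATION:1",
    "oracle.oam.demo_engine": "TRACE:32",
}
KNOWN_LOGGERS = [
    "oracle",
    "oracle.oam",
    "oracle.oam.audit",
    "oracle.oam.demo_engine",
    "oracle.oam.demo_engine.detail",
]


def verbosity(level):
    """Rank of a level in ODL_LEVELS; unknown level names are rejected."""
    if level not in ODL_LEVELS:
        raise ValueError("unknown ODL log level: %r" % level)
    return ODL_LEVELS.index(level)


def effective_level(logger_name, explicit_levels):
    """Return (level, logger_it_came_from) for logger_name.

    Starts with the full name and strips the right-most string and period
    until a logger with an explicitly defined level is found. Returns
    (None, None) when no name on the path has an explicit level.
    """
    name = logger_name
    while name:
        if name in explicit_levels:
            return explicit_levels[name], name
        name = name.rpartition(".")[0]  # a.b.c -> a.b ; "oracle" -> ""
    return None, None


def loggers_needing_reset(known_loggers, explicit_levels):
    """Loggers whose effective level produces more output than the default.

    Children that merely inherit a verbose level are included, because
    they log at that level too even though nothing was set on them.
    """
    threshold = verbosity(DEFAULT_LEVEL)
    flagged = {}
    for logger in sorted(known_loggers):
        level, source = effective_level(logger, explicit_levels)
        if level is not None and verbosity(level) > threshold:
            flagged[logger] = (level, source)
    return flagged


if __name__ == "__main__":
    for logger in KNOWN_LOGGERS:
        print(logger, effective_level(logger, EXPLICIT_LEVELS))
    print(loggers_needing_reset(KNOWN_LOGGERS, EXPLICIT_LEVELS))
```

In the constructed configuration, oracle.oam.demo_engine.detail is flagged even though no level was set on it, because it inherits TRACE:32 from its parent.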

[Figure: Oracle Access Manager Loggers and Log Level Inheritance. oracle logger: log level explicitly set to NOTIFICATION:1 level. oracle.oam logger: log level not explicitly set, inherits log level from oracle logger. oracle.oam.audit logger: log level not explicitly set, inherits log level from oracle.oam logger]

Log Handler Settings

Log handlers receive messages from one or more loggers and typically write the message to files.

You can configure a variety of log handler settings.

Log Handler Name

When you define a new log handler, you specify a unique log handler name.

Log Size

Two configuration settings determine the log size:

• The maximum size of any single log file. When this file size is exceeded, the logging system no longer writes to the current log file. Instead, it renames the log file and creates a new log file with the same name as the original log file.

• The maximum size of the log file and saved log files.

Log File Rotation Configuration

The logging system can rotate the log files based on a configurable start time, a rotation frequency, and a retention period.

Log Handler Settings

• Name

• Maximum log size

• Log file rotation configuration

• Log file path

• Log handler type

• Loggers that write to the log handler

Log Handler Settings (continued)

Log File Path

You can specify the path to which the log handler writes.

Log Handler Type

The Oracle Access Manager server loggers use the oracle.core.ojdl.logging.ODLHandlerFactory handler type.

Loggers

You can specify loggers that write to the given log handler, or remove loggers from the list of loggers that write to the log handler.

Log Level

You can specify a log level to be used by all loggers that write to the log handler. If desired, you can override this setting for individual loggers.


Logging Configuration Tools

You use the Oracle Enterprise Manager Fusion Middleware Control (FMW Control) and the WLST tool to configure Oracle Access Manager logging. The Oracle Access Manager console does not provide the ability to configure Oracle Access Manager logging.

Oracle FMW Control

Oracle Enterprise Manager Fusion Middleware Control is a Web-based management system for administering Oracle Fusion Middleware products. With Fusion Middleware Control, you can manage services in your enterprise, including hosts, databases, listeners, application servers, HTTP Servers, and Web applications as one cohesive unit.

You start the FMW Control by navigating to the following URL: http://host:port/em, where host and port are the host name and port number of the WebLogic admin server.

The WLST Tool

You can use the WLST tool to perform a variety of logging configuration tasks. Specific WLST commands that you use to configure logging are described later in this lesson.

Logging Configuration Tools

• The Oracle Enterprise Manager Fusion Middleware Control (FMW Control) Web-based management system

Viewing the Logging Configuration by Using FMW Control

View the logging configuration for the domain in which Oracle Access Manager is installed as follows:

1. Start Enterprise Manager Fusion Middleware Control by navigating to the following URL: http://host:port/em. In this example, host and port are the host name and port number of the WebLogic admin server.

2. In the navigator that appears in the left window pane, select Identity and Access > OAM > oam_server.

3. The Oracle Access Manager menu appears in the right window pane below the label, oam_server. Select Logs > Log Configuration from the pull-down menu.

4. The logger structure appears in the right window pane. The oracle logger appears in the list. Other Oracle Access Manager server loggers appear when you expand the list's nodes.

[Figure: Viewing the Logging Configuration by Using FMW Control. Callout: OAM loggers]

Modifying Log Level by Using FMW Control

FMW Control provides a user interface for modifying log levels.

To modify the log level by using FMW Control, perform the following steps:

1. Start FMW Control and view the logging configuration.

2. Select the Log Levels tab.

3. Locate the logger that you want to modify.

4. Select the new log level from the drop-down list to the right of the logger's name.

5. Click Apply.

[Figure: Modifying Log Level by Using FMW Control. Callouts: 1. Locate logger; 2. Select log level]

Creating or Configuring Log Handlers by Using FMW Control

You can use FMW Control to create new log handlers and change the configuration of existing log handlers.

To locate the functionality for creating and configuring log handlers, start FMW Control and view the logging configuration. Then select the Log Files tab.

Buttons for creating new log handlers and modifying the configuration of existing log handlers appear on the page.

[Figure: Creating or Configuring Log Handlers by Using FMW Control. Callouts: Select Log Files tab; Click Create, Create Like, or Edit Configuration; Provide log handler details]

Using the WLST Tool to Configure Logging

You can use the WLST tool to perform a variety of logging configuration tasks.

Two Versions of the WLST Tool

Every WebLogic Server installation provides the WLST tool. The WebLogic Server WLST tool is located in the WLS_HOME/common/bin directory.

When you install Oracle Access Manager or other Fusion Middleware identity management products, a second version of the WLST tool is installed. This version contains commands unique to Fusion Middleware software, including the commands that you can run to configure logging, if you want to configure logging by using the command line. This version of the WLST tool is located in the ORACLE_HOME/common/bin directory.

To verify that you are using the version of the WLST tool that provides the commands unique to Fusion Middleware software, you can run the WLST help("listLoggers") command. If help is available for the listLoggers command, then you are using the version of the WLST tool that you need for configuring Oracle Access Manager logging.

Using the WLST Tool to Configure Logging

Use the following commands to configure logging:

• The listLoggers command

• The setLogLevel command

• The configureLogHandler command

• The listLogHandlers command
