Monday, November 10, 2014

Monitoring OAM Environment


Security systems, including OAM, reside in a dynamic environment where the parameters that affect system performance are ever changing. On top of that, access management infrastructure like OAM serves as the front door or gate to every application and system in an organization. Continuous monitoring of such key components is therefore mandatory to ensure the continued success of not just your access and SSO solution but the applications behind it. Effective monitoring involves two types of controls: preventive monitoring and detective monitoring. Preventive monitoring makes sure failure does not take place; detective monitoring helps you detect a failure once it has occurred and take corrective measures. OAM has features to facilitate both types of monitoring. We will go over all the monitoring capabilities offered by the product.

1. HealthCheck URL

Starting with R2PS2, OAM provides a health check URL that a load balancer, infrastructure monitoring tool or any perimeter device can use to check whether an OAM server is healthy. This is preventive monitoring: it keeps user requests from being sent to an unhealthy server and so prevents failures. The HealthCheck URL is

http://$MANAGED_SERVER_HOST:$MANAGED_SERVER_PORT/oam/server/HeartBeat

Replace $MANAGED_SERVER_HOST with the OAM Managed Server host name and $MANAGED_SERVER_PORT with the OAM Managed Server port number (the default port number is 14100). When you hit the HeartBeat URL, Access Manager checks the following services:
  • User data store connectivity
  • Policy store connectivity
  • Validate credentials collector is reachable
  • NAP service connectivity (WebGates use NAP service to communicate with OAM server)
  • Validate coherence service
If all these tests are successful, then OAM server responds back with “HTTP 200” response with blank body. If any of the above mentioned tests is unsuccessful, OAM server responds back with “HTTP 404” response.

If I shut down the user data store, which is OVD in this environment, I get an HTTP 404 response back instead of HTTP 200.
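A monitoring probe built on the contract described above (HTTP 200 with a blank body means healthy, HTTP 404 means a dependency check failed) can be sketched as follows. This is an added example, not code from the original post or from Oracle; the function names and the `fall`/`rise` thresholds are assumptions, and the sample probe sequence is constructed.

```python
import urllib.error
import urllib.request

HEARTBEAT_PATH = "/oam/server/HeartBeat"  # path given in the post

def classify(status, body):
    """Map a HeartBeat response to a health state."""
    if status == 200 and not body.strip():
        return "healthy"
    if status == 404:
        return "unhealthy"   # one of the five service checks failed
    return "unexpected"      # e.g. a proxy error page or a 200 with a body

def probe(host, port=14100, timeout=5.0):
    """Probe one managed server; network failures count as 'unreachable'."""
    url = f"http://{host}:{port}{HEARTBEAT_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read(1024))
    except urllib.error.HTTPError as err:    # 4xx/5xx are raised by urllib
        return classify(err.code, b"")
    except (urllib.error.URLError, OSError): # refused, DNS failure, timeout
        return "unreachable"

def rotation_decisions(states, fall=3, rise=2):
    """Replay probe states; return in-rotation (True/False) after each probe.

    fall/rise are assumed thresholds: consecutive bad probes before the
    server is pulled, consecutive good probes before it is put back.
    """
    in_rotation, bad, good, out = True, 0, 0, []
    for state in states:
        if state == "healthy":
            good, bad = good + 1, 0
            if not in_rotation and good >= rise:
                in_rotation = True
        else:  # unhealthy, unexpected and unreachable all fail closed
            bad, good = bad + 1, 0
            if in_rotation and bad >= fall:
                in_rotation = False
        out.append(in_rotation)
    return out

if __name__ == "__main__":
    # Constructed sequence: the data store goes down for three probes.
    sample = ["healthy", "unhealthy", "unhealthy", "unhealthy",
              "healthy", "healthy"]
    print(rotation_decisions(sample))
```

Anything other than a clean 200 with an empty body is treated as a failed probe, so an intermediate device answering on the server's behalf does not keep a broken node in rotation.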

2. Monitor Performance Metrics

There are a couple of avenues for monitoring OAM performance. One is DMS (Dynamic Monitoring Service) and the second is EM (Enterprise Manager). However, both DMS and EM are applications separate from the OAM Admin console, running on the domain Admin Server. OAM R2PS2 introduced a new feature in the OAM Admin console itself to monitor the OAM system and its performance. Users with valid administrative privileges can check various metrics of OAM server instances and WebGates. Based on these metrics, the OAM Administrator can take preemptive measures to sustain growing load and take corrective measures if any service failure is detected. This is the detective form of monitoring, where the Administrator looks for failures or for performance impact due to growth and takes corrective measures. Here is how you can monitor an OAM server instance and an SSO agent instance.
  • OAM Server Instance Monitoring

  • SSO Agent Monitoring

  • OAM Server Instance or SSO Agent failure detection

3. DMS (Dynamic Monitoring Service) Monitoring

Oracle DMS (Dynamic Monitoring Service) is a key component of Oracle Fusion Middleware that captures data about a component's performance, state and ongoing behavior and provides an interface to access it. It can be used to monitor any Fusion Middleware product. Enterprise Manager also uses the DMS service to fetch and report system performance data. DMS is an application deployed on the OAM domain Admin Server, and the URL to browse it is

http://$ADMIN_SERVER_HOST:$ADMIN_SERVER_PORT/dms

Replace $ADMIN_SERVER_HOST with the hostname of the OAM Admin Server and $ADMIN_SERVER_PORT with the OAM Admin Server port number. There are a number of OAM metrics (as shown in the screen below with Red ink) that you can check.

More information about DMS monitoring and its effective usage can be found here.

4. Enterprise Manager Monitoring

There are two parts to Enterprise Manager. One is the Enterprise Manager application installed as part of the OAM domain, and the other is the Enterprise Manager 12c application. Most of the metrics that an Administrator can monitor from the DMS service can be monitored from the Enterprise Manager application as well. Enterprise Manager 12c, however, is a full-fledged monitoring product that monitors not only OAM product metrics but also system state (CPU usage, memory usage, free memory available on the server, the OAM process running on the server). Apart from that, it allows the Administrator to define thresholds on performance metrics or define SLAs; if performance drops below a threshold or an SLA is broken, it can alert the Administrator so that corrective measures can be taken. Enterprise Manager is a feature-rich product with many advanced monitoring features and alert mechanisms. More about those features is for the next blog post. Until then, Happy Reading!
