Copyright © 2010, Oracle and/or its affiliates. All rights reserved.
Troubleshooting and Management
After completing this lesson, you should be able to:
• Identify connectivity issues
– Between agents and servers (impact of load balancers and
firewalls)
• Work with Oracle Enterprise Manager Fusion Middleware
Control
Objectives
After completing this lesson, you should be able to:
• Describe the diagnostic capabilities within OAM 11g
– OAM Access Tester
– Server processes and charts
– Topology viewer
– Farm and domain
– OAM server management
– MBean browser
Road Map
• Working with Access Tester
• WLS troubleshooting tips and agent and
Access Tester
• Simulates interactions between registered OAM agents
and OAM 11g servers
– You can verify agent connection and test policy definitions.
– An administrator emulates the end user and the Access Tester emulates agents.
• Is a stand-alone Java application that ships with Oracle
Access Manager 11g
• Has both a GUI (manual testing) and command-line
interface (automated testing)
Use Cases: Access Tester
– Simulate interaction between OAM agents and the OAM
server
– Handle the response from the OAM server in the same
manner as a real agent
– Review the results of intended policy changes
– Troubleshoot issues with agent connections or access policy
definitions
– Track the latency of authentication and authorization
requests
– Stress-test the OAM server
– Establish performance metrics
Access Tester Simulating Steps 1, 3, 5, 6
of Agent and OAM Server Interaction
Diagram components: WebGate (agent), Oracle Access Manager Server, User Store, Policy Store
1. Agent connects to OAM server - Connect
2. User accesses application resource
3. Agent makes IsProtected (Validate) request
• OAM server returns Yes/No and type of credentials required
4. For protected resources, agent prompts user for credentials
• User or user agent submits credentials
5. Agent makes IsAuthenticated request
• OAM server validates user credentials and returns Y/N and additional responses
6. For authenticated users, agent makes IsAuthorized request
• OAM server evaluates policies and returns Y/N and additional responses
7. Agent grants or denies access to application
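The request sequence the Access Tester drives (Connect, IsProtected, IsAuthenticated, IsAuthorized) can be modelled as below. This is an added example, not Oracle code: MockOAMServer, run_test_case, the outcome strings and all sample data are hypothetical. It shows that each request is sent only if the previous one succeeded, so the trace identifies which step a failure belongs to and how long each request took.

```python
import hmac
import time

# Constructed sample data standing in for the policy store and user store.
POLICY_STORE = {"/app/private": {"scheme": "FORM", "allowed": {"alice"}}}
USER_STORE = {"alice": "alice-pw", "bob": "bob-pw"}
REGISTERED_AGENTS = {"webgate1"}


class MockOAMServer:
    """Hypothetical in-memory stand-in for the server side of the exchange."""

    def connect(self, agent_id):
        return agent_id in REGISTERED_AGENTS

    def is_protected(self, resource):
        policy = POLICY_STORE.get(resource)
        return policy is not None, (policy["scheme"] if policy else None)

    def is_authenticated(self, user, password):
        stored = USER_STORE.get(user, "")
        # Constant-time comparison; unknown users always fail.
        return user in USER_STORE and hmac.compare_digest(stored.encode(), password.encode())

    def is_authorized(self, user, resource):
        return user in POLICY_STORE[resource]["allowed"]


def run_test_case(server, agent_id, resource, user, password):
    """Drive steps 1, 3, 5 and 6; return (outcome, [(request, result, seconds)])."""
    trace = []

    def request(name, fn, *args):
        start = time.perf_counter()
        result = fn(*args)
        trace.append((name, result, time.perf_counter() - start))
        return result

    if not request("Connect", server.connect, agent_id):
        return "CONNECT_FAILED", trace
    protected, _scheme = request("IsProtected", server.is_protected, resource)
    if not protected:
        return "PUBLIC", trace
    if not request("IsAuthenticated", server.is_authenticated, user, password):
        return "AUTHN_DENIED", trace
    if not request("IsAuthorized", server.is_authorized, user, resource):
        return "AUTHZ_DENIED", trace
    return "ALLOWED", trace
```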
Access Tester: Core Functionality
Testing
• Connect to policy servers
• Validate resource protection
• Authenticate users
• Authorize users
Automation and Analysis
• Collect test cases
• Generate test scripts
• Run test scripts
• Evaluate results and analyze differences
Usability
• GUI (manual) and command-line (automated) testing modes
• Scalable testing framework via separation of test cases from physical servers
• Auto-import of resources to test
• XML persistence
Access Tester Architecture
Output Files and Security Features
• The following XML files are produced when you run the
Starting Access Tester
• Ensure that the computer from which the tester will be run
• Ensure that the nap-api.jar is present in the same
directory as oamtest.jar on any computer from which you want to run the Access Tester
– java -Dlog.traceconnfile="d:\conn.txt" -jar oamtest.jar
– java -Dscript.scriptfile="d:\tests\script.xml" -Dcontrol.ignorecontent="true" -jar oamtest.jar
control.ignorecontent Command Line
Access Tester Console
Test Cases and Test Scripts
Road Map
• WLS troubleshooting tips and agent and
Using weblogic.Admin Utility to Check the State
of Servers
• The weblogic.Admin utility is a command-line interface that
you can use to administer, configure, and monitor
WebLogic Server
– Run setWLSEnv.bat
– java weblogic.Admin -url t3://localhost:7001 -username weblogic -password <Password> GET -pretty -type ServerRuntime
– java weblogic.Admin -url t3://localhost:7001 -username weblogic -password <Password> GETSTATE
– java weblogic.Admin -url t3://localhost:7001 -username weblogic -password <Password> GETSTATE oam_server1
• Domain log resides in:
– DOMAIN_NAME\servers\ADMIN_SERVER_NAME\logs\DOMAIN_NAME.log
• HTTP subsystem keeps a log of all HTTP transactions in:
– DOMAIN_NAME\servers\SERVER_NAME\logs\SERVER_NAME.out
• Node manager writes its startup and status messages to:
– NM_HOME\nodemanager.log
• WebLogic auditing provider saves auditing information to:
– WL_HOME\DOMAIN_NAME\servers\SERVER_NAME\logs\DefaultAuditRecorder.log
WebLogic Admin Server and Managed Server
Thread Dump
• Thread dumps are JVM reports that can be used to
analyze admin and managed servers, as well as JVM hang situations, and determine the root cause of the issue
– Admin console > Server > <Server_Name> > Monitoring > Threads > Dump Thread Stack
– connect('weblogic','weblogic','t3://localhost:7001')
cd('Servers')
ls()
cd('AdminServer')
ls()
threadDump()
Agent and Server Monitoring
OAM Proxy Errors
• Uses Apache log4j for logging
• Writes logging information into a log file mentioned in
log4j.properties
oracle.oam.proxy.oam
Configuration Data
– <Default Domain Directory>/config/fmwconfig
for changes; do not edit this file manually
Road Map
• WLS troubleshooting tips and agent and
Top Problem Areas
• LDAP server and identity store
• Agent side configuration and load
• Run-time database issues (audit and session data)
• Admin change propagation and activation
• Policy repository database issues
LDAP Server
Operational slowness:
• Capacity problems due to gradual increase in peak load
– Poor user experience
– Agent timeouts leading to retries
LDAP server availability
• Outage of all LDAP servers
• Load balancer timing out old connections
– Total loss of service
– Poor user experience due to slow operations
– Agent timeouts and retry may result in extra load
Interference with other services on host
• File system full
– Same as above
Agent Side Issues
Difference in clock time between agent and server
• Agent thinks the token issued by the server is invalid
• Agent keeps going back to the server to re-issue the token
– High CPU usage at both agent and server
– User experiences a hang
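The clock-difference failure above, as an added example that is not Oracle code and does not use OAM's token format: a toy HMAC-signed token carries the server's issue and expiry times, and the agent checks them against its own clock. KEY, LIFETIME, the tolerance parameter and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed value, not an OAM key
LIFETIME = 3600                # assumed token lifetime in seconds


def issue_token(user, server_now):
    """Server side: sign user, issue time and expiry using the server clock."""
    body = f"{user}|{server_now}|{server_now + LIFETIME}"
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def validate(token, agent_now, tolerance=0):
    """Agent side: check the signature, then the time window on the agent clock."""
    body, _, mac = token.rpartition("|")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad-signature"
    _user, issued, expires = body.split("|")
    if agent_now + tolerance < int(issued):
        return "not-yet-valid"
    if agent_now - tolerance > int(expires):
        return "expired"
    return "ok"


def simulate(skew, tolerance=0, max_round_trips=5, server_t0=1_000_000):
    """Agent clock = server clock + skew. Returns (round trips, outcome)."""
    server_now = server_t0
    for round_trip in range(1, max_round_trips + 1):
        token = issue_token("alice", server_now)
        if validate(token, server_now + skew, tolerance) == "ok":
            return round_trip, "ok"
        server_now += 1  # the retry itself takes time; the skew stays
    return max_round_trips, "reissue-loop"
```

With the agent 120 seconds behind, every freshly issued token looks not yet valid and the agent keeps returning to the server; synchronizing the clocks removes the loop, while a tolerance only bounds how much drift is survivable.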
Run-Time DB Issues
Write versus Read tuning
• DB not tuned for write-intensive operations
Consequence:
• Audit operations and session operations are slow
• File system on server can get full with audit data yet to be
written out
• Loss of in-memory session data when one of the servers in
the cluster fails
Admin Change Propagation and Activation
servers due to:
– Servers being too busy handling run-time requests (CPU
contention)
– Coherence network slowness
– Changes to policy do not take immediate effect.
– Changes to system configuration do not take immediate effect.
Policy Repository DB Issues
DB unavailable due to maintenance:
• Consequence: No policy changes are allowed. No impact on run time.
Space issues in DB:
• Consequence: No policy changes are allowed. No impact on run time.
Road Map
• WLS troubleshooting tips and agent and
WLST Architecture
Shares the same foundation layer with the OAM admin console
Offline Mode And Online Mode
system configuration
– Connects to the MBean server running on the admin server
– The MBean server can be running remotely.
– Invokes OAM WLST MBean methods; the methods are
executed in the server
– OAM WLST MBeans return the result of the execution to the WLST commands.
– Method invocation happens locally in the WLST shell
– Requires OAM domain home as a mandatory input
Executing WLST Commands
1. Ensure that your OAM admin server is running
2. Set up the environment for WLST by running
DOMAIN_HOME\bin\setDomainEnv.sh
3. Go to <Oracle_IDM>\common\bin
4. Execute wlst.cmd to enter the WLST shell
5. Execute help('oam') to list the available OAM WLST
commands
6. Execute help('<command name>') to get help on a
specific WLST command
7. To run a command in offline mode, provide
'domainHome' as an input to the command
8. To execute online commands, connect to the MBean
server by using the command connect()
Example: Create Identity Store Embedding WLST
Command in Python Script
WLST Commands for OAM 11g
oamWlstCmd.py under <IDM_HOME>\common\wlst
createOAMAuthenticator (delete and update as well)
displayWebgate11gAgent (edit and delete as well)
displayOssoAgent (edit and delete as well)
Road Map
• Performance overview and drilldown
• Dynamic log level changes and log searches (will be
discussed later in the course)
FMW Control: Performance Overview
Topology
View a graphical representation of the topology
MBean Browser
View key MBeans
Invoke methods
How to Re-register an Agent from the OAM Admin
Console
1. Delete the agent
2. Application Domain > AuthN and AuthZ policies > Delete
the resources under the protected and public resource
policies and then delete the protected and public resource policies
3. Delete the resources under the application domain
4. Delete the application domain
5. Delete the host identifier
In this lesson, you should have learned how to:
• Identify connectivity issues
– Between agents and servers (impact of load balancers and
firewalls)
• Work with Oracle Enterprise Manager Fusion Middleware
Control
Summary
• Learn the diagnostic capabilities within OAM 11g
– OAM Access Tester
– Server processes and charts
– Topology viewer
– Farm and domain
– OAM server management
– MBean browser
Which of the following is true:
a. You must run Access Tester from the OAM server machine
b. You must run Access Tester from the agent machine
c. You can run Access Tester from any machine
d. You must run Access Tester from the WLS admin server machine
Quiz
EM FMW Control allows you to:
a. View performance overview and drilldown of the OAM
server environment
b. Configure dynamic log level changes and view log
searches
d. Interact with methods, attributes, and their operations by
using the MBean browser
e. All of the above
Practice 10 Overview: Working with Access
Tester, WLST, and FMW Control
This practice covers the following topics:
• Practice 10-1: Working with Access Tester
• Practice 10-3: Working with Oracle Enterprise Manager
Fusion Middleware Control