Hi folks,
Environment:
OAM 11g R2 + OHS 11g R2 Webgate
Symptoms:
This problem may occur due to a clock skew between the browser host and the system hosting the OAM 11g WebGate.
The reason this may cause a problem is that when the initial request is made, the OAM 11g WebGate will set an OAMRequestContext<hostname> cookie, eg, OAMRequestContext_myhost.oracle.com:7777_1234.
This is a persistent cookie, meaning it has a set time to expire, generally 5 minutes after creation. After the user authenticates with the OAM server and is redirected back to the WebGate, the WebGate expects to see this request context cookie.
If it is not present, the OAMAuthnCookie is not set, which establishes the user's identity to the webgate. The user is redirected to the original resource, but with no OAMAuthnCookie set the WebGate determines the user is not authenticated,
and redirects the user to the OAM server for authentication. The OAM_ID cookie was set during the login by the OAM managed server, so the OAM managed server realizes the user is authenticated, and redirects back to the WebGate, creating a loop.
Resolution:
Fixed in OAM 11g R2 BP 01
Thanks
Siva Pokuri.
Environment:
OAM 11g R2 + OHS 11g R2 Webgate
Symptoms:
When attempting to access a resource protected by an OAM 11g WebGate using Internet Explorer, the access hangs or page fails to load. Accessing the same page from Firefox is successful.
Cause:
The reason this may cause a problem is that when the initial request is made, the OAM 11g WebGate will set an OAMRequestContext<hostname> cookie, eg, OAMRequestContext_myhost.oracle.com:7777_1234.
This is a persistent cookie, meaning it has a set time to expire, generally 5 minutes after creation. After the user authenticates with the OAM server and is redirected back to the WebGate, the WebGate expects to see this request context cookie.
If it is not present, the OAMAuthnCookie is not set, which establishes the user's identity to the webgate. The user is redirected to the original resource, but with no OAMAuthnCookie set the WebGate determines the user is not authenticated,
and redirects the user to the OAM server for authentication. The OAM_ID cookie was set during the login by the OAM managed server, so the OAM managed server realizes the user is authenticated, and redirects back to the WebGate, creating a loop.
Resolution:
Fixed in OAM 11g R2 BP 01
Thanks
Siva Pokuri.
Hi Siva,
ReplyDeleteDoes it mean that OHS 11gR2 resources can't be protected using OAM 11gR2? Is that a known bug?
-M
Nope, Only if the time difference between Client machine(where resource being accessed) & OAM server(where OAM instance running)is more than 5-10 minutes you will see this behavior. That to this behavior only in Internet Explorer.
DeleteThanks
Siva Pokuri