Oracle Fusion Applications Login Problem

Fusion Applications environments use Oracle Access Manager to provide authentication and authorization services for all web applications.

OAM (along with OID, OVD, SOA, and OIM) is part of the Fusion Middleware side of the environment, and in most topologies the IDM machine is separate from the Applications server. In that setup you can sometimes find yourself trying to log in to a page and receiving the following message from your browser:

[screenshot: the browser reports a redirect loop and refuses to load the page]

This happens regardless of which user you try to log in as, or which computer you are connecting from.

Every application, managed server, and process in the environment appears to be working just fine, and you won't find many error messages in either the application logs or the OAM server log.

The most probable cause of this issue is something rather trivial: time synchronization between hosts.

The OAM server works in conjunction with a component on the application side called WebGate (a plug-in for the Oracle HTTP Server that fronts the applications). When you try to log in, WebGate redirects you to OAM, which receives your credentials, generates a token and redirects you back to WebGate, which then serves your subsequent requests based on the cookies OAM generated for you. The flow is described in the OAM administrator's guide:

http://docs.oracle.com/cd/E40329_01/admin.1112/e27239/sso.htm#AIAAG1807

[diagram: OAM / WebGate single sign-on flow, from the guide linked above]

When OAM generates this token, it embeds the time at which it was generated, so that nobody can replay an old token as a way to bypass authentication. Before answering any request, WebGate checks the validity of the token, and that check includes the creation time.

This is the reason all servers in a Fusion Apps installation should be time-synchronized to within a 60-second window. If the clocks disagree by more than that, WebGate rejects the cookie and redirects you to OAM to get a new token. The problem is that the new token OAM generates carries a timestamp from the same skewed clock, so it is just as "wrong" from WebGate's point of view: OAM redirects you to WebGate with the new token, WebGate again considers it invalid and redirects you to OAM, which issues another token, and so on. You get the idea.

This is a fairly well-known issue in the OAM community, as you can see from the references at the end of this article, but it can be hard to debug if you are not a Middleware administrator and are simply using OAM as installed by the Fusion Apps provisioning tool.

The solution is simple: synchronize the clocks on all servers involved in the FA environment. The obvious recommendation is to set up NTP on every host, but if for some reason that is not possible, you can at least set the time manually. As long as all servers are in sync within 60 seconds, you should be fine.
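Before touching OAM configuration it is worth confirming that clock skew is really the culprit. The script below is an added example, not part of the original post or of any Oracle tooling: it gathers `date +%s` from each host over SSH, compares every host against the first one, and flags any drift beyond the 60-second window discussed above. The hostnames are placeholders, key-based SSH access is assumed, and the sample timestamps at the bottom are constructed to show an IDM host running five minutes ahead of the Applications host.

```shell
#!/bin/sh
# Added example: detect clock skew between the hosts of a Fusion Apps environment.
# Assumptions: key-based SSH to each host, `date +%s` available remotely.
# Hostnames (idm, fa, db) are placeholders; the sample epochs are constructed.

TOLERANCE=60   # seconds; the window the OAM token check is expected to tolerate

# abs_diff A B : print |A - B|
abs_diff() {
  d=$(( $1 - $2 ))
  [ "$d" -lt 0 ] && d=$(( 0 - d ))
  echo "$d"
}

# check_skew host=epoch [host=epoch ...]
# Compares every host's clock against the first host given.
# Returns 0 if all hosts are within TOLERANCE, 1 if any host drifts beyond it.
check_skew() {
  ref=""
  refhost=""
  status=0
  for pair in "$@"; do
    host=${pair%%=*}
    ts=${pair#*=}
    if [ -z "$ref" ]; then
      ref=$ts
      refhost=$host
      continue
    fi
    drift=$(abs_diff "$ref" "$ts")
    if [ "$drift" -gt "$TOLERANCE" ]; then
      echo "DRIFT  $host is ${drift}s off from $refhost (limit ${TOLERANCE}s)"
      status=1
    else
      echo "ok     $host within ${drift}s of $refhost"
    fi
  done
  return $status
}

# collect_clocks host [host ...] : emit host=epoch pairs by asking each host for its time.
# BatchMode keeps ssh from hanging on a password prompt when run unattended.
collect_clocks() {
  for h in "$@"; do
    printf '%s=%s\n' "$h" "$(ssh -o BatchMode=yes "$h" date +%s)"
  done
}

# Live usage against real hosts (commented out because it needs SSH access):
# check_skew $(collect_clocks idm.example.com fa.example.com db.example.com)

# Constructed sample: the IDM host (first argument, where OAM runs) is 300s ahead
# of the FA host, which is enough to trigger the OAM/WebGate redirect loop.
check_skew "idm=1700000300" "fa=1700000000" "db=1700000290" \
  || echo "clock skew detected: fix NTP before digging into OAM logs"
```

The first host on the command line is treated as the reference, so put the IDM host (where OAM runs) first: that makes the report read as "how far is each WebGate host from the clock that stamps the tokens". A non-zero exit status makes the check easy to drop into a pre-flight or monitoring job.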


References:

support.oracle.com: OAM 11g : Redirect Loop Between OAM and WebGate Instance (Doc ID 1335301.1)

http://blog.warrenstrange.com/2013/05/oam-11g-webgate-redirect-loop.html

http://www.ateam-oracle.com/oam11g-the-redirect-infinite-loop/


Disclaimer - Views expressed in this blog are the author's own and do not necessarily represent the policies of aclnz.com
