
Oracle Access Manager 11g

Agenda:
Access Management introduction
Oracle Access Manager 11gR2 Overview
Q&A

Access Management Introduction

Identity Management Portfolio 11gR2
Modern, Innovative & Integrated

[Figure: portfolio diagram. Headings: Governance, Directory. Capabilities shown: Password Reset, Web Single Sign-on, LDAP Storage, Privileged Accounts, Federation, Virtual Directory, Access Request, Mobile, Social & Cloud, Meta Directory, Roles Based Provisioning, External Authorization, Role Mining, SOA Security, Attestation, Integrated ESSO, Separation of Duties, Token Services, Fraud Detection]

Taking a Platform Approach
Building on Components of Fusion Middleware

[Figure: Fusion Middleware components: WebCenter, ADF, Workflow, SOA, Coherence. Benefits shown: User Interface, Customization, Performance]

Oracle Access Management

Access Management
Authentication
Single Sign-On
Federation
Fraud Prevention
Authorization & Entitlements
Web Services Security
Secure Token Services

Comprehensive security for applications, data, and web services
End-to-end authentication, single sign-on, and fine grained application protection
Innovative anomaly detection, transaction security, and multi-factor authentication
Extensive 3rd party integrations

Oracle Access Management Suite Plus

Access Manager: Web Access Control, Single Sign-On
Adaptive Access Manager: Risk-based Authentication, Real-time Fraud Prevention
Entitlements Server: Entitlements Management, Fine Grained Authorization
Identity Federation: Partner SSO & Identity Federation, Fedlet SP integration
Secure Token Services: Security Token Management, Identity Propagation

Oracle Access Management


Blueprint Architecture

Oracle Access Manager 11gR2 Overview

Oracle Access Manager 11g


Objectives

Provide foundation for Access Management Suite


Converge OAM, OSSO, and OpenSSO
Provide new and advanced functionality to customers
Tighten integrations


Oracle Access Manager 11g


Key Features and Benefits

Modular Architecture: Separated admin and runtime server to enable independent operations
Secure Policy Model: Access is denied by default until policies are created to allow access
Simplified Install & Config: One package to install and one series of steps to configure a simple working environment
Session Management: Allows admin tracking and termination of user sessions
Diagnostics & Monitoring: Allows administrators to monitor key operational metrics in real-time
Central Agent Management: Administration console provides a holistic view of all agents and shows the server they are connected to
Backwards Compatibility: Compatible with 10g webgates and 10g mod_osso
Windows Native AuthN: Enables Windows desktop to web single sign-on
Improved Utilities: Remote registration utility, remote access tester, and WLST commands for policy operations


Oracle Access Manager 11g


Architecture Runtime Server

[Figure: OAM Server runtime architecture. Components shown: Protocol Compatibility Framework, Credential Collector, SSO Engine, Session Management, Identity Provider, AuthN Service, Token Processing, AuthZ Service, Partner & Trust, Policy Service, Configuration Service, Coherence Distributed Cache, Oracle Platform Security Services]


Oracle Access Manager 11g


Administration Console
Integrated Security Administration, Agent Administration


Access Manager 11gR2


Deployment Overview


Access Manager 11gR2


Installation and Configuration

Installation process
  OAM 11g installs using Oracle Universal Installer (OUI)
  The installation process copies all the software bits to the host machine
  OUI does not perform product configuration
Configuration process requires 2 steps
  Database schema configuration using Repository Creation Utility (RCU)
  Product configuration and deployment using WebLogic Configuration Wizard
Oracle Support Note 340.1 provides a good starting point


Access Manager 11gR2


Deployment Detail

[Figure: tiered deployment diagram, top to bottom:
Internet: External Client
Firewall (Web Tier), Protected: Load Balancer; two Web Hosts, each running OHS with WebGate
Firewall (App Tier): AppHosts (WLS, AccessGate); IAM Hosts (WLS_OAM running OAM, Admin Server, Admin Console); IDMHosts (Admin Server, Admin Console, WLS_ODSM running ODSM, EM)
Firewall (Data Tier): LDAP Hosts (OVD, OID); DB Hosts (RAC); Metadata DB (OAM, OID, Schema)]


Oracle Access Manager 11g


Windows Native Authentication

SPNEGO based credential validation for true Windows desktop to web single sign-on
Allows single sign-on for WebGate and Oracle SSO protected applications simultaneously
Does not need IIS based solution for WebGate
WebGates and Oracle SSO protected applications need not run on Windows platform
Can be enabled for a subset of protected applications
  Internal vs External websites


Oracle Access Manager 11g


Windows Native Authentication - Setup
Basic steps are as follows:
Edit /etc/krb5.conf file
Create Service Principal Name
Obtain Kerberos Ticket
Set-up OAM Kerberos AuthN Module
Configure Kerberos AuthN Scheme for WNA
Register AD as OAM User Store
Verify OAM configuration (oam-config.xml)
Enable Kerberos in Web Browser
Test
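
For the final Test step it helps to see what the browser actually sent in the Authorization header, since a Kerberos scheme cannot validate an NTLM fallback token. The following Python helper is an added example, not part of the original slides: it classifies a Negotiate header by walking the SPNEGO token. The function names are hypothetical and the sample tokens are constructed, not captured.

```python
import base64

SPNEGO = bytes.fromhex("2b0601050502")                 # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "kerberos",   # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "kerberos",   # 1.2.840.48018.1.2.2 (legacy MS)
    bytes.fromhex("2b06010401823702020a"): "ntlm",     # 1.3.6.1.4.1.311.2.2.10
}

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated element")
    return tag, buf[pos:pos + length], pos + length

def classify_negotiate(header):
    """Return 'kerberos', 'ntlm', 'unknown', 'malformed' or 'not-negotiate'."""
    scheme, _, b64 = header.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        tok = base64.b64decode(b64.strip(), validate=True)
        if tok.startswith(b"NTLMSSP\x00"):             # raw NTLM fallback
            return "ntlm"
        tag, body, _ = tlv(tok)                        # GSS-API wrapper
        if tag != 0x60:
            return "malformed"
        _, oid, pos = tlv(body)
        if oid != SPNEGO:                              # bare mechanism token
            return MECHS.get(oid, "unknown")
        value = body[pos:]
        for _ in range(5):   # [0] NegTokenInit > SEQ > [0] mechTypes > SEQ > first OID
            _, value, _ = tlv(value)
        return MECHS.get(value, "unknown")             # client's preferred mechanism
    except (ValueError, IndexError):
        return "malformed"

def der(tag, value):                                   # sample builder, short lengths only
    return bytes([tag, len(value)]) + value

def sample(mech_oid):                                  # constructed, not a captured token
    mechs = der(0xA0, der(0x30, der(0x06, mech_oid)))
    gss = der(0x60, der(0x06, SPNEGO) + der(0xA0, der(0x30, mechs)))
    return "Negotiate " + base64.b64encode(gss).decode()
```

A result of "ntlm" during testing points back to the earlier steps (Service Principal Name, krb5.conf, or the browser's Kerberos settings) rather than to the OAM authentication scheme itself.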


Q&A
