Oracle® Access Manager Introduction
Part Number B25342-01
This chapter lists the new features introduced with Oracle Access Manager 10g (10.1.4.0.1) and provides pointers to additional information in the suite of product manuals.
The following sections are included:
The original product name, Oblix NetPoint (also known as Oracle COREid), has changed to Oracle Access Manager. Many component names remain the same. However, there are several important changes that you should know about, as shown in the following table:
|Product Name||Oblix NetPoint||Oracle Access Manager|
|Product Name||Oblix SHAREid; NetPoint SAML Services||Oracle Identity Federation|
|Product Name||OctetString Virtual Directory Engine (VDE)||Oracle Virtual Directory|
|Product Release||Oracle COREid 7.0.4||Also available as part of Oracle Application Server 10g Release 2 (10.1.2).|
|Directory Name||COREid Data Anywhere||Data Anywhere|
|Component Name||COREid Server||Identity Server|
|Component Name||Access Manager||Policy Manager|
|Console Name||COREid System Console||Identity System Console|
|Identity System Transport Security Protocol||NetPoint Identity Protocol||Oracle Identity Protocol|
|Access System Transport Protocol||NetPoint Access Protocol||Oracle Access Protocol|
|Directory Tree||Oblix tree||Configuration tree|
|Data||Oblix data||Configuration data|
|Software Developer Kit||Access Server SDK||Access Manager SDK|
|API||Access Server API||Access Manager API|
|API||Access Management API; Access Manager API||Policy Manager API|
|Default Policy Domains||NetPoint Identity Domain; COREid Identity Domain|| |
|Default Policy Domains||NetPoint Access Manager; COREid Access Manager|| |
|Default Authentication Schemes||NetPoint None Authentication; COREid None Authentication|| |
|Default Authentication Schemes||NetPoint Basic Over LDAP; COREid Basic Over LDAP||Oracle Access and Identity Basic Over LDAP|
|Default Authentication Schemes||NetPoint Basic Over LDAP for AD Forest; COREid Basic Over LDAP for AD Forest||Oracle Access and Identity for AD Forest Basic Over LDAP|
|Access System Service||AM Service State||Policy Manager API Support Mode|
All legacy references in the product or documentation should be understood to connote the new names.
Identity System function names and user interface changes have been made to improve usability.
Access System function names and user interface changes have been made to improve usability.
See Also: This Oracle Access Manager Introduction provides an overview of 10g (10.1.4.0.1) and system behaviors.
Oracle Access Manager 10g (10.1.4.0.1) provides support for 29 languages through the use of Unicode and UTF-8 encoding.
See Also: This Oracle Access Manager Introduction provides an overview of globalization.
The Oracle National Language Support Library (NLSL) is installed automatically with each component. However, you may need to perform specific tasks before installation when you have a non-English (AMERICAN) Operating System. You can install language packs in concert with components, or independently after component installation.
See Also: Oracle Access Manager Installation Guide
Automated language processing occurs during an upgrade to Oracle Access Manager 10g (10.1.4.0.1). In addition, you may need to take specific actions before and after the upgrade to ensure that older plug-ins operate properly, incorporate workflows, ensure that auditing and access reporting work properly, and the like.
You must perform specific tasks to use multiple installed languages and display information in various supported languages.
As a result of globalization and translation of messages into 29 languages, some .lst files have been transformed into .xml files.
See Also: Specific file names in all manuals in this suite of books.
You must use form-based authentication for non-ASCII login credentials.
Multi-byte support impacts IdentityXML functions and parameters; compatibility with XML pages, SOAP/IdentityXML requests, and Identity Event Plug-in data sent to executables; and compatibility with the Access Manager SDK, Access Manager APIs, and custom AccessGates.
Oracle Access Manager uses a locale-based case insensitive sorting method when you click the column heading (Full Name, for example) in the search results table.
Multi-byte support and custom C programming language Authorization Plug-in Interfaces behavior in 10g (10.1.4.0.1) (and earlier releases) is discussed, as well as backward compatibility with custom authorization plug-ins.
Globalization and multi-byte support impacts stylesheets and customizations.
You can now audit to an Oracle Database as well as to Microsoft SQL Server. The Crystal Reports package is no longer provided with the Oracle Access Manager package. You must obtain this product from the vendor.
Disabling Authentication Schemes: It is no longer necessary to disable an authentication scheme before you modify it.
Persistent Cookies in Authentication Schemes: You can configure an authentication scheme that allows the user to log in for a period of time rather than a single session.
Overview: A brief overview of Oracle Access Manager 10g (10.1.4.0.1) product behaviors is outlined for quick reference.
See Also: This Oracle Access Manager Introduction
Summary of Earlier Behaviors and New Behaviors in Upgraded Environments: Numerous changes have been made to support globalization. In addition, a number of other changes have been made to improve usability and performance. A brief overview of Oracle Access Manager 10g (10.1.4.0.1) product behaviors is outlined for quick reference.
Information on configuring Oracle Access Manager for multiple directory searchbases, also called disjoint domains or realms, has been expanded.
You can dynamically assign a user to a target on a create user workflow. For example, you can define a create user workflow that enables user A to log in under ou=users, invoke the workflow, and create user B whose entry is automatically determined to be in the same ou as user A. This ability always existed in the Identity System, and is now explicitly documented in the chapter on workflows.
You can authorize users by querying external authentication systems.
When the Access System at a Service Provider site receives a request from a user in a federated environment, it may need to get additional information about the user from the user's Identity Provider. You can configure the Access System to query external Identity Providers for user authorization.
Oracle HTTP Server (OHS) support is provided with this release for WebPass, Access Manager, and WebGate components.
Oracle Internet Directory support is included in this release for general use.
Updates and additions to Apache v1 and v2 chapters.
A new chapter has been added that describes how to install the globalized product and how to prepare to install in a multi-language environment.
Following the acquisition of OctetString by Oracle, this chapter moved from the Oracle Access Manager Integration Guide and includes minor changes for clarification, product branding, and new information to describe graphics.
See Also: Oracle Access Manager Installation Guide.
All chapters in the Oracle Access Manager Integration Guide describe implementation details for a specific integration.
MIIS: The MIIS provisioning solution is deprecated in this release.
OracleAS Single Sign-On Server: You can configure single sign-on between the Access System and the . An older version of this chapter previously existed in the Oracle Access Manager Developer Guide. It provides updated information on configuring single sign-on between Oracle Access Manager and Oracle Application Server 10g (OracleAS 10g). When you configure single sign-on you also provide identity management functionality across the Web-based applications running on Oracle Application Servers, for example, Oracle eBusiness Suite, Oracle Forms, Portals, and other Access System-protected resources. Included in this new version is information about the OHS WebGate (Apache WebGate information has been removed).
SAP: The SAP Enterprise Portal 6.0 can now be protected by the Access System.
RSA SecurID: Minor clarifications have been made to this chapter based on input from the field.
Oracle Virtual Directory: Integration with Oracle Virtual Directory (formerly known as OctetString Virtual Directory Engine) has been updated and moved to the Oracle Access Manager Installation Guide from the Oracle Access Manager Integration Guide.
WebSphere: The integration with WebSphere Application Server (WAS) 4 is deprecated in this release. The information in this chapter has been updated for WAS 5 and 6.
Plumtree: The previous integration with Plumtree Corporate Portal is supported in this release. However, the most recent version of Plumtree Corporate Portal is now known as BEA AquaLogic Interaction.
Changes to logging parameters take effect within one minute, rather than requiring you to restart the server where the changes were made.
There have been several schema changes in this release to support password policy enhancements and lost password management.
The following oblixPersonPwdPolicy attributes have been added: obAnsweredChallenges, obYetToBeAnsweredChallenges, obLastSuccessfulLoginTime, obLastFailedLoginTime.
A new object class named oblixLPMPolicy has been added.
This object class stores information about new lost password management policies, including the challenges and responses that have been configured and how challenge phrases are presented to users.
The following attributes have been added to oblixDBInstance: obDatabaseName, obDSNName.
The following attributes have been added to oblixAAAEngineConfig: obSessionTokenCache, obMaxSessionTokenCacheElements
The definition of obCompoundData has been updated throughout the Oracle Access Manager Schema Description.
See Also: Oracle Access Manager Schema Description
If you use complex stylesheets, you may want to increase the value of the StringStack parameter in globalparams.xml.
See Also: Oracle Access Manager Customization Guide for stylesheet and parameter references.
You can configure the minimum and maximum number of characters users can specify in a password. For lost password management, you can set multiple challenge-response pairs, create multiple stylesheets, and configure other aspects of the user's lost password management experience. You can also redirect users back to the originally requested page after resetting a password.
Web Services code samples have been added to illustrate how to use Identity XML Web Services to make calls to a WebPass. Two samples have been added to show how to create a Web service call when a WebPass is protected by a WebGate and when a WebPass is not protected by a WebGate.
Additional IdentityXML samples have been added to the book.
Many samples are provided in the \unsupported directory.
See Also: Oracle Access Manager Developer Guide.
Typically, authentication actions are triggered after authentication has been processed and before the ObSSOCookie is set. However, in a complex environment, the ObSSOCookie may be set before a user is redirected to a page containing a resource. In this case, you can configure an authentication scheme to trigger these events.
To optimize performance, you should ensure that your directory performance is optimal.
There are best practices for optimizing workflow performance.
To minimize the impact that workflows have on server performance, you can tune various parameters in workflowdbparams.xml. You can also tune various workflow search parameters to enhance performance.
There are best practices for optimizing network and Oracle Access Manager performance.
You can get a quick look at the upgrade paths from various starting releases, as well as the upgrade process.
There has been a change in the release numbering, which you should be aware of.
Review the summary of 10g (10.1.4.0.1) behaviors as compared with behaviors in previous releases.
Find out what is preserved and what manual processes are needed after the upgrade.
WebGates have been updated to use the same code as the Access System, and WebGate configuration parameters that once existed in WebGateStatic.lst have been moved to the Access System Console. The WebGateStatic.lst file no longer exists.
After installing new WebGates or upgrading to 10g (10.1.4.0.1) WebGates, you can now configure such parameters as IPValidationExceptions from the Access System Console, Access System Configuration tab.
When you have older WebGates and new 10g (10.1.4.0.1) Access Servers, you must set the isBackwardCompatible flag to "true" in the new 10g (10.1.4.0.1) Access Server globalparams.xml file.
Check for new details about customizing to allow auto-login.
Look for new information about denying access to unprotected resources automatically.
A new lazyload method has been added to the ObUserSession constructor in the Access Manager API as a result of the WebGate rewrite.
New diagnostics have been added as a result of the WebGate rewrite.
New status codes have been added as a result of the WebGate rewrite.