|Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager
11g Release 1 (11.1.1)
Part Number E15478-02
This chapter provides a high-level overview of Oracle Access Manager 11g, administration tasks, and links to chapters in this book where you can find more information. This chapter contains the following sections:
This book provides information to help administrators manage OAM 11g components and policies within one or more WebLogic administration domains.
Each WebLogic Server domain is a logically related group of Oracle WebLogic Server resources. WebLogic administration domains include a special Oracle WebLogic Server instance called the Administration Server. Usually, the domain includes additional Oracle WebLogic Server instances called Managed Servers, where Web applications and Web Services are deployed.
Information in this book is grouped into the following main parts to help administrators quickly locate information:
Part I, Introduction and Getting Started
Part II, OAM 11g System Management
Part III, Single Sign-on, Policies, and Testing
Part IV, Session Management and Life Cycle Management
Part V, Logging and Auditing
Part VI, Monitoring OAM Performance
Part VIII, Appendixes
This section introduces the information in Part I of this guide and includes the following topics:
OAM administration tasks can be organized around daily and periodic system administration, policy creation and management, session management, diagnostics, and troubleshooting. Initially, the LDAP group used to define administrators is the same for OAM and WebLogic. Initially, the same credentials are used for log in to both the OAM Administration Console and the WebLogic Server Administration Console. The LDAP group for OAM administrators can be changed.
Oracle Access Manager and Oracle Identity Management are components of Oracle Fusion Middleware 11g. Oracle Fusion Middleware is a collection of standards-based software products that spans a range of tools and services from Java EE and developer tools, to integration services, business intelligence, and collaboration. Oracle Fusion Middleware offers complete support for development, deployment, and management.
For more information about Oracle Access Manager, see the following topics:
Single sign-on (SSO) enables users, and groups of users, to access multiple applications after authentication. SSO eliminates multiple sign-on requests. Oracle Access Manager 11g is the Oracle Fusion Middleware 11g single sign-on solution. Oracle Access Manager 11g operates independently as described in this book and also operates with the Authentication Provider as described in the Oracle Fusion Middleware Application Security Guide
Oracle Access Manager 11g is a Java Platform, Enterprise Edition (Java EE)-based enterprise-level security application that provides restricted access to confidential information and centralized authentication and authorization services. All existing access technologies in the Oracle Identity Management stack converge in Oracle Access Manager 11g.
A Web server, Application Server, or any third-party application must be protected by a WebGate or mod_osso instance that is registered with Oracle Access Manager as an agent. to enforce policies The agent acts as a filter for HTTP requests. Oracle Access Manager enables administrators to define authentication and authorization policies.
Note:WebGates are agents provided for various Web servers by Oracle as part of the product. AccessGates are custom access clients created using the Access Manager SDK for use with non-Web applications. Unless explicitly stated, information in this book applies equally to both.
Oracle Access Manager 11g provides single sign-on (SSO), authentication, authorization, and other services to registered agents (in any combination) protecting resources. Agents include:
OAM 11g WebGates
OAM 10g WebGates
IDM Domain Agent
OSSO Agents (10g mod_osso)
You can also integrate with OAM 11g, any Web applications currently using Oracle ADF Security and the OPSS SSO Framework, as described in Appendix C.
There are several important differences between Oracle Access Manager 11g and Oracle Access Manager 10g, as described in "Enhancements in Oracle Access Manager 11g".
Oracle Access Manager 11g includes several important enhancements that were not available with Oracle Access Manager 10g. These enhancements are listed in Table 1-1.
Table 1-1 Enhancements in Oracle Access Manager 11g
|New Functionality for Oracle Access Manager 11g|
Built-in support for OracleAS 10g SSO partner applications, and for single sign-on across OSSO 10g-protected applications and OAM 10g WebGate protected applications. See Part III.
Per-agent-based shared secret key increases security and performance by moving cookie encryption and decryption to the agent. See Chapter 5
Embedded LDAP for user and group information is described in Chapter 3.
Integration with Oracle Entitlement Server MicroSM to enable database storage of policies. See Chapter 3.
A new OAM 11g Access Tester replaces the OAM 10g Access Tester for on-the-fly evaluation of Oracle Access Manager policies. See Chapter 10
Session Management functions are provided, as described in Chapter 12:
Events can be audited using the underlying Oracle Fusion Middleware Common Audit Framework, as described in Chapter 14
Windows Native Authentication is supported with applications protected with either an OSSO Agent or OAM Agent. For more information, see Oracle Fusion Middleware Integration Guide for Oracle Access Manager.
Oracle Access Manager 10g provides several functions that are not included with Oracle Access Manager 11g. Table 1-2 provides an overview.
Table 1-2 Functionality Not Available with Oracle Access Manager 11g
|Unavailable or Unsupported Functions|
Extensibility framework required for building customizations
Application-domain-level delegated administration
Complex policy constructs (AND, OR semantics for multiple rules)
LDAP filter-based authorization and response calculations
Authorization for mod_osso-protected resources
Replaced by Oracle Fusion Middleware Identity Manager: Identity Server, WebPass, Identity System Console, User Manager, Group Manager, Organization Manager
The Oracle Fusion Middleware Supported System Configurations document provides certification information on supported installation types, platforms, operating systems, databases, JDKs, and third-party products related to Oracle Identity Management 11g. You can access the Oracle Fusion Middleware Supported System Configurations document by searching the Oracle Technology Network (OTN) Web site:
Following installation, you can configure Oracle Access Manager in a new WebLogic Server domain or in an existing WebLogic Server domain. Using the Oracle Fusion Middleware Configuration Wizard, the following components are deployed for a new domain:
WebLogic Administration Server
Oracle Access Manager Console deployed on the WebLogic Administration Server (sometimes referred to as the OAM Administration Server, or simply AdminServer)
A Managed Server for Oracle Access Manager
An application deployed on the Managed Server
OracleAS 10g SSO deployments can be upgraded to use Oracle Access Manager 11g SSO. After upgrading and provisioning OSSO Agents with OAM 11g, authentication is based on OAM 11g Authentication Policies. However, only OAM Agents (WebGates/AccessGates) use OAM 11g Authorization Policies. Over time, all mod_osso agents in the upgraded environment should be replaced with WebGates to enable use of OAM 11g Authorization policies.
For details about co-existence after the upgrade, see:
Oracle Fusion Middleware Upgrade Planning Guide
Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management (E10129-02)
Administrators use the:
OAM Administration Console to register and manage OAM system configurations and security elements and policies.
For a quick tour of OAM 11g Administration Console and the most common functions and tasks, see Chapter 2, "Getting Started with OAM Administration and Navigation".
Note:Custom Administrative command-line tools (WebLogic Scripting Tool, also known as WLST) provide an alternative to the OAM Administration Console for a specific set of functions, as noted when appropriate in this guide
WebLogic Server Administration Console to view the Summary of Server Configuration (Cluster, Machine, State, Health, and Listening Port) of deployed OAM Servers within the WebLogic Server domain, and also to Start, Resume, Suspend, Shutdown, or Restart SSL on these servers.
For details about the WebLogic Server Administration Console, see Oracle Fusion Middleware Administrator's Guide.
Custom OAM WebLogic Scripting Tool for command-line input
Remote registration tool for registering agents and applicatin domains
This section introduces the information in Part II of this guide and includes the following topics:
The term "data source" is a Java Database Connectivity (JDBC) term that is used within Oracle Access Manager to refer to a collection of user identity stores or a database for policies.
Oracle Access Manager 11g supports several types of data sources that are typically installed for the enterprise. Each data source is a storage container for various types of information.
Note:Oracle Access Manager configuration data is stored in an XML file: oam_config.xml. Oracle recommends that you use only the OAM Administration Console or WebLogic Scripting Tool (WLST) commands for changes; do not edit this file.
A data source must be registered with Oracle Access Manager 11g to enable authentication when a user attempts to access a protected resource (and during authorization, to ensure that only authorized users can access a resource).
The data source must be installed and registered for OAM 11g during the initial deployment process described in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
User Identity Store: Central LDAP storage in which an aggregation of user-oriented data is kept and maintained in an organized way.
Note:Oracle Access Manager 11g does not include identity services; there is no native user, group, or role store.
By default, OAM 11g uses the embedded LDAP in the WebLogic Server domain as the user identity store. However, a number of other external LDAP repositories can also be registered as user identity stores.
Database: A collection of information that is organized and stored so that its content can be easily accessed, managed, and updated.
Policy Store: OAM 11g policy data must be stored in a database that is extended with the OAM-specific schema and registered with Oracle Access Manager 11g.
Session Store: By default, OAM session data is stored within in-memory caches that is migrated to the policy store (database). You can also have an independent database for session data, as described in Chapter 3. For information about sessions, see Chapter 12.
Audit Store: Audit data can be stored either in a file or in a separate database (not the policy store database). For information on auditing, see Chapter 14.
A Java keystore is associated with OAM 11g and used to store security keys that are generated to encrypt agent traffic and session tokens. Every OAM and OSSO Agent has a secret key that other agents cannot read. There is also a key to encrypt Oracle Coherence-based session management traffic. However, the keystore is not visible and cannot be managed or modified.
Note:Passwords for keys are stored in a credential store.
Within Oracle Access Manager, User Identity Store details can be managed (registered, viewed, modified, or deleted) from the Oracle Access Manager Administration Console. For more information, see Chapter 3, "Managing Data Sources".
See Also:Appendix F, "Introduction to Custom WLST Commands for OAM Administrators" introduces custom WLST commands to create, edit, or display user identity store configuration.
OAM Servers were known as Access Servers in OAM release 10g. OAM Servers provide the Oracle Access Manager 11g runtime instance deployed on Oracle WebLogic Managed Servers. Registered agents communicate with the OAM Server.
Note:Administrators can extend the WebLogic Server domain and add more OAM Servers whenever needed, as described in theOracle Fusion Middleware Installation Guide for Oracle Identity Management.
The OAM Administration Console was known as Policy Manager in OAM release 10g. The OAM 11g Administration Console is a Java EE application that must be installed and run on the same computer as the WebLogic Administration Server. Other key applications that run on the WebLogic Administration Server include the WebLogic Server Administration Console and Enterprise Manager for Fusion Middleware Control.
Note:The OAM Administration Console might also be referred to as the OAM Administration Server. However, it is not a peer of the OAM Server deployed on a WebLogic Managed Server.
Several global settings are shared among all OAM Servers, which can be managed using the OAM Administration Console:
SSO Engine, as introduced in "Single Sign-On"
Session Management, as introduced in "Session Management"
Auditing, as introduced in "Component Event Message Logging"
Oracle Coherence settings shared by all OAM Servers, as described in
OAM Proxy details for Simple or Cert mode communication are described in "Managing Common OAM Proxy Simple and Cert Mode Security"
You can use the OAM Administration Console to manage server registrations, as described in Chapter 4, "Managing OAM Server Registration".
Note:You can add a new managed server instance with the OAM Server runtime using either:
The WebLogic Server Administration Console, which requires that you manually register the OAM Server instance as described in Chapter 4
The WebLogic Configuration Wizard
Customized Oracle WebLogic Scripting Tool (WLST) commands for OAM
The last two methods automatically register the OAM Server instance, which appears in the OAM Administration Console; no additional steps are required.
See Also:Appendix F, "Introduction to Custom WLST Commands for OAM Administrators" introduces custom WLST commands to manage server configuration.
Oracle Access Manager 11g Servers are compatible with various policy enforcement Agents. For more information, see "Policy Enforcement Agents".
A policy-enforcement agent is any front-ending entity that acts as an access client to enable single sign-on across enterprise applications.
To secure access to protected resources, a Web server, Application Server, or third-party application must be associated with a registered policy enforcement agent. The agent acts as a filter for HTTP requests, and must be installed on the computer hosting the Web server where the application resides.
Individual agents must be registered with Oracle Access Manager 11g to set up the required trust mechanism between the agent and OAM Server. Registered agents delegate authentication tasks to the OAM Server.
Oracle Access Manager 11g supports the following types of agents in any combination:
OAM Agents: A WebGate is one type of agent. It is a Web server plug-in that acts as an access client. WebGate intercepts HTTP requests for Web resources and forwards them to the OAM Server for authentication and authorization).
WebGate 11g: Must be installed independently. After registration with OAM 11g, WebGates directly communicates with Oracle Access Manager 11g services. No proxy is used.
WebGate 10g: Must be installed independently. After registration with Oracle Access Manager 11g, OAM 10g WebGates communicate with OAM 11g services through a Java EE-based OAM proxy that acts as a bridge.
IDM Domain Agent: This Java agent is installed and registered out of the box to provide SSO protection for resources in the Identity Management domain. The agent's oamsso_logout application is also configured and deployed in the WebLogic (and OAM) AdminServer and all managed servers. The IDMDomainAgent performs as an OAM 10g Agent to enforce OAM 11g policies.
AccessGate 10g: An AccessGate is a custom access client that was created using the Access Manager software developer kit (SDK). AccessGates can protect Web and non-web resources.
OSSO Agent (mod_osso 10g): After registration with Oracle Access Manager, OSSO 10g Agents communicate directly with Oracle Access Manager 11g services through an OSSO proxy.
The OSSO proxy supports existing OSSO agents when upgrading to OAM 11g. The OSSO proxy handles requests from OSSO Agents and translates the OSSO protocol into a protocol for Oracle Access Manager 11g authentication services.
You can use the following methods and tools to register agents with Oracle Access Manager 11g:
OAM Administration Console: Register and manage OAM and OSSO agent registration as described in Chapter 5
Remote Registration: Use the Oracle-provided command-line tool as described in Chapter 6.
From an existing 10g OAM or OSSO deployment you can:
Provision OAM 10g WebGates with OAM 11g, as described in Chapter 17.
Upgrade OracleAS 10g SSO (OSSO) as described in the Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management. Read about co-existence with OAM 11g Servers in Appendix B.
This section introduces the information in Part III of this guide and includes the following topics:
Oracle Access Manager 11g converges SSO architectures such as Identity Federation for Partner Networks, and Service Oriented Architecture (SOA), to name a few. Oracle Access Manager 11g provides single sign-on (SSO) through a common SSO Engine that provides consistent service across multiple protocols.
To delegate authentication tasks to Oracle Access Manager 11g, agents must reside with the relying parties and must be registered with Oracle Access Manager 11g. Registering an agent sets up the required trust mechanism between the agent and Oracle Access Manager 11g SSO.
Note:Single Sign-on for the Oracle Access Manager 11g Administration Console, and other Oracle Identity Management consoles deployed in a WebLogic container, is enabled using the pre-registered IDM Domain Agent and companion application domain. No further configuration is needed for the consoles.
Single sign-on can be implemented in a variety of ways:
Single Network Domain SSO: You can set up OAM 11g single sign-on for resources within a single network domain (mycompany.com, for example). This includes protecting resources belonging to multiple WebLogic administration domains within a single network domain.
Multiple Network Domain SSO: With OAM 11g, this is a standard feature. When 11g WebGates are used exclusively all cookies in the system are host-based. However, you must have control over all the domains. If some domains are controlled by external entities (not part of the OAM deployment), Oracle recommends that you use Oracle Identity Federation. For details, see Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
Multiple WebLogic Server Domain SSO: The basic administration unit for WebLogic Server instances is known as a domain. You can define multiple WebLogic administration domains based on different system administrators' responsibilities, application boundaries, or the geographical locations of WebLogic servers. However, all Managed Servers in a cluster must reside in the same WebLogic Server domain.
SSO with Mixed Release Agents: Oracle Access Manager 11g seamlessly supports registered OAM 11g and OAM 10g Agents, and OSSO Agents (mod_osso 10g), which can be used in any combination.
The Oracle Access Manager 11g policy model provides both authentication and authorization services within the context of an application domain.
Note:Oracle Access Manager 10g provides authentication and authorization services within the context of a policy domain. OracleAS SSO 10g provides only authentication.
In the Oracle Access Manager 11g policy model, the following components are shared and can be configured for use within any application domain:
Resource Types: Defines the type of resource to be protected and the associated operations. The default resource type is HTTP. However, administrators can define non-http resource types that can be applied to specific resources in an application domain. The Access Tester can be used to evaluate policy enforcement for HTTP resources only.
Host Identifiers: Simplifies the identification of a Web server host by enabling administrators to include all possible hostname variations within a named definition. When adding resources to an application domain, administrators can choose one of the named definitions and then specify the resource URL.
Virtual Web Hosting: Enables support of multiple domain names and IP addresses that each resolve to their unique subdirectories on a single server. The same host can have multiple sites being served either based on multiple NIC cards (IP based) or multiple names (for example, abc.com and def.com) resolving to same IP.
Authentication Schemes: Identifies the authentication level, challenge method and redirect URL, and the underlying authentication module to perform user authentication. When adding authentication policies to an application domain, administrators can choose one of the named authentication schemes to use with specified resources, as well as the success and failure URLs.
For more information about the policy model and shared components, see Chapter 8, "Managing Policy Components".
Application domains are the top-level constructs of the Oracle Access Manager 11g policy model. Each application domain provides a logical container for resources or sets of resources, and the associated policies that dictate who can access specific resources. Certain shared components are used within each application domain, as described in "OAM Policy Model and Shared Policy Components".
Note:To enhance security, OAM 11g default behavior is to deny access when a resource is not protected by a policy that explicitly allows access. In contrast, OAM 10g default behavior allowed access when a resource was not protected by a rule or policy that explicitly denied access.
OAM 10g provided authentication and authorization within the context of a policy domain. In contrast, OracleAS SSO 10g provides only authentication.
Each Oracle Access Manager 11g application domain includes the following elements:
Each resource definition in an application domain requires a Resource Type, Host Identifier (only for HTTP resources), and a URL to the specific resource. You can have as many resource definitions as you need in an application domain.
Authentication Policies and Responses for Specific Resources
Each authentication policy includes a unique name, one authentication scheme, success and failure URLs, one or more resources to which this policy applies, and administrator-defined responses to be applied after successful authentication.
Authorization Policies, Constraints, and Responses for Specific Resources
Each authorization policy includes a unique name, success and failure URLs, and one or more resources to which this policy applies. In addition, administrators can define specific constraints (conditions) that must be fulfilled for a successful authorization and define responses to be applied after successful authorization.
Note:OAM 10g enables authorization actions to be taken depending on the evaluation of the administrator-defined authorization expression contained one or more authorization rules.
For more information about the policy model and application domains, see Chapter 9, "Managing Policies to Protect Resources and Enable SSO".
Oracle Access Manager 11g provides single logout (also known as global log out) for user sessions. With OAM, single logout refers to the process of terminating an active user session.
For details, see Chapter 11, "Configuring Centralized Logout for OAM 11g".
Oracle provides a portable, stand-alone Java application that replaces the OAM 10g Access Tester function. The OAM 11g Access Tester simulates registered Agents connecting to OAM Servers. The scripted execution allows for command-line processing. You can record and playback scripts and capture output for different functions. Encrypted and multiple-server connections are supported.
You can use the Access Tester to troubleshoot agent to server connections in addition to on-the-fly testing of request and response semantics and access policy designs.
Part IV of this book describes session management.
With OAM 11g, session management refers to the process of managing user session information with support for user- or administrator-initiated events, and time-out based events.
Administrators can configure Oracle Access Manager 11g session lifecycle settings. The database for session storage is initially configured with Oracle Access Manager configuration.
In-memory Session Store: Uses embedded technology from Oracle Coherence to provide a distributed cache with low-data access latencies and to transparently move data between distributed caches (and the database policy store)
Database Session Store: Provides fault-tolerance and scaleability for very large deployments (hundreds of thousands of simultaneous logins). In this case, you must be using a database policy and session-data store that is extended with the OAM-specific schema.
For more information, see Chapter 12, "Managing Sessions".
This section introduces the information in Part V of this guide and includes the following topics:
Logging is the mechanism by which components write messages to a file to capture critical component events. Each Oracle Access Manager component instance writes process and state information to a log file.
You can configure logging to provide information at various levels of granularity. For instance, you can record errors, errors plus state information, or errors and states and other information to the level of a debug trace. You can also eliminate sensitive information from the logs. For more information, see Chapter 13, "Logging Component Event Messages".
You can also use a custom Oracle WebLogic Scripting Tool (WLST) command to change OAM logging levels.
See Also:Appendix F, "Introduction to Custom WLST Commands for OAM Administrators" introduces custom WLST commands to change OAM logging levels
With Oracle Access Manager 11g, auditing refers to the process of collecting for review specific information related to administrative, authentication, and run-time events. Auditing can help you evaluate adherance to polices, user access controls, and risk management procedures.
Note:Auditing is not available for every Oracle Access Manager 11g component. However, logging is available for every OAM component.
Events are audited using the underlying Oracle Fusion Middleware Common Audit Framework. This framework uses a database audit store to provide scalability and high-availability for the audit framework. The database must include the audit schema.
Note:The Oracle Fusion Middleware Common Audit Framework database audit store does not include OAM policy or session-data and is not configured through the OAM Administration Console.
Administrators can control and specify certain auditing parameters using the Oracle Access Manager Administration Console. Oracle Access Manager auditing configuration is recorded in the file
oam-config.xml. Event configuration (mapping events to levels) occurs in the
component_events.xml. An audit record contains a sequence of items that can be configured to meet particular requirements.
Note:Oracle recommends that you use only the OAM Administration Console or WebLogic Scripting Tool (WLST) commands for changes; do not edit oam_config.xml.
Out-of-the-box, there are several sample audit reports available with Oracle Access Manager and accesible with Oracle Business Intelligence Publisher. You can also use Oracle Business Intelligence Publisher to create your own custom audit reports.
For more information, see Chapter 14, "Auditing OAM Administrative and Run-time Events".
Part VI of this book describes:
Performance metrics can be collected in memory for components during the completion of particular events. You can monitor the time spent in a particular area or track particular occurrences or state changes.
OAM administrators monitor performance for Oracle Access Manager 11g using the Monitoring command in the OAM Administration Console.
For more information, see Chapter 15, "Monitoring OAM Metrics by Using Oracle Access Manager".
Live, dynamic OAM performance metrics can be viewed in Fusion Middleware Control.
For more information, see Chapter 16, "Monitoring OAM Performance by Using Fusion Middleware Control".
This section introduces the information in Part VII of this guide and includes the following topics:
Everything you need to know about installing and using OAM 10g WebGates with OAM 11g is provided in Chapter 17, "Managing OAM 10g WebGates with OAM 11g".
Details about installing and configuringApache v2-based Web Servers (OHS and IHS) for OAM 10g WebGates with OAM 11g is provided in Chapter 18, "Configuring Apache, OHS, IHS for 10g WebGates".
Details about installing and configuring IIS Web servers for OAM 10g WebGates with OAM 11g is provided in Chapter 19, "Configuring the IIS Web Server for 10g WebGates".
Everything you need to know about configuring the ISA Server for OAM 10g WebGates with OAM 11g is provided in Chapter 20, "Configuring the ISA Server for 10g WebGates".
Everything you need to know about installing and configuring Lotus Domino for use with OAM 10g WebGates and OAM 11g is provided in Chapter 21, "Configuring Lotus Domino Web Servers for 10g WebGates".
This section introduces the information in Part VIII of this guide and includes the following topics:
Table 1-3 outlines several ways to use OAM 11g when you have various starting points.
Table 1-3 OAM 11g Co-existence Summary
|If you have ...||To use OAM 11g SSO ...|
OAM 10g integrated with OSSO 10g
You can upgrade the OSSO deployment to OAM 11g as introduced in Appendix B.
Web Servers other than Oracle HTTP Server
See Chapter 17 for details on:
OracleAS 10g SSO (OSSO)
Use the Oracle-provided Upgrade Assistant, which scans the existing OracleAS 10g SSO server configuration, accepts as input the 10g OSSO policy properties file and schema information, and carries configured partner applications into the destination Oracle Access Manager 11g SSO.
After running the upgrade assistant and performing post-upgrade tasks, existing partner apps (including Portal, Forms, Reports, and Discoverer) would be using OAM instead of OSSO as their SSO provider.
Note: Existing mod_osso modules and OracleAS 10g SSO server partners can work seamlessly with OAM Servers and OAM 11g SSO. However, eventually all mod_osso modules should be replaced with OAM Agents to enable use of OAM 11g Authorization Policies.
See Appendix B for an introduction to post-upgrade co-existence between OAM 11g and OSSO 10g Servers.
OAM 11g streamlines the transfer of configuration data from one deployment to another. For instance, from a small test environment to a larger production deployment (and vice versa).
For more information, see Appendix A, "Transitioning OAM 11g from a Test to a Production Environment".
The Oracle Application Developer Framework (ADF) and applications that are coded to Oracle ADF standards interface with the OPSS SSO Framework. The Oracle Platform Security Services (OPSS) single sign-on framework provides a way to integrate applications in a domain with a single sign-on (SSO) solution.
You can integrate a Web application that uses Oracle ADF security and the OPSS SSO Framework with an Oracle Access Manager 11g SSO security provider for user authentication. For more information, see Appendix C, "Integrating Oracle ADF Applications with Oracle Access Manager 11g SSO".
Appendix D, "Internationalization and Multibyte Data Support for OAM 10g WebGates" provides information on internationalization and multibyte data support.
With Oracle Access Manager 11g, credential collection occurs using the HTTP(S) channel; authorization occurs over the NetPoint Access Protocol (NAP) channel (also referred to as the Oracle Access Manager Protocol channel).
HTTP(S) Channel: Oracle recommends enabling the secure sockets layer (SSL) for communication across the HTTP(S) channel to transport credentials and to exchange security tokens. Both functions require signing or encryption with certificates.
Oracle Access Manager 11g provides a central component to manage certificates used across all Oracle Access Manager components, including WebGates.
NAP Channel: Oracle recommends using either Simple (Oracle-signed certificates) or Cert mode (outside certificate authority) to secure communication between WebGates and OAM Servers during authorization. Oracle provides a certificate import utility that you can use when you have signed certificates. For information, see Appendix E, "Securing Communication with OAM 11g".
Note:Oracle Access Manager 11g does provide support for customers who use self-signed certificates.
OAM administrators can use custom WebLogic Scripting Tool (WLST) commands to perform certain configuration tasks.
For more information, see Appendix F, "Introduction to Custom WLST Commands for OAM Administrators".
Oracle Access Manager supports Internet Protocol Version 4 (IPv4). Oracle Fusion Middleware supports Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6). IPv6 is enabled with Oracle HTTP Server with the mod_wl_ohs plug-in.
For more information, see Appendix G, "Configuring OAM 11g for IPv6 Clients".
For tips and troubleshooting information, see Appendix H, "Troubleshooting".