Oracle® Access Manager Introduction
10g (

Part Number E12494-01

3 About the Access System

The Oracle Access Manager Access System is an optional companion to the Oracle Access Manager Identity System. The Access System provides centralized authentication, authorization, and auditing to enable single sign-on and secure access control across enterprise resources. Resources include Web content, applications, services, objects in applications on the Web, and similar types of data in non-Web (non-HTTP) resources.

This chapter provides a more in-depth look at:

3.1 Key Access System Features

Table 3–1 outlines key access-control features. Details follow the table.

Table 3-1 Access System Features

  • Authentication

  • Authorization

  • Auditing

  • Personalization

  • Single sign-on

  • Delegated access administration

Primary Access System features include authentication, authorization, and auditing (sometimes known as AAA). These features help enforce your company's access security policies for Web applications and content as described in more detail below:

The next discussion provides a sample Access System installation.

3.2 Access System Components and Functions

The Oracle Access Manager Access System enables you to centralize access policy creation while decentralizing policy management and enforcement. The following types of resources can be protected using the Access System:

Figure 3-1 shows the basic components of the Access System. The WebGate communicates with the Access Server; the Access Server communicates with the directory server; the Policy Manager communicates with the directory server through a WebPass.

Figure 3-1 Basic Access System Installation


The Oracle Access Protocol (formerly known as the NetPoint or COREid Access Protocol) enables communication between Access System components during user authentication and authorization. Transport security between Oracle Access Manager Web clients (Policy Manager and WebPass; Access Server and WebGate) can be Open, Simple (Oracle-provided), or Cert (third-party CA). In both Simple and Cert mode, Oracle Access Manager components use X.509 digital certificates only.

Transport security between Access Servers and the directory server (and Policy Managers and directory server) may be either open or SSL-enabled. The same mode must be used between all Policy Managers and the directory server.

During Policy Manager installation and setup, the LDAP directory server is updated to include policy data (access policy data). All access policy definitions defined in the Policy Manager are stored in the directory server.

Access System components and operations are discussed in greater detail in the discussions:

3.2.1 Policy Manager and Access System Console

This discussion introduces the Policy Manager, Access System Console, and functions available with each.

Policy Manager—Provides a Web-based interface where administrators can create and manage access policies. The Policy Manager also communicates with the directory server to write policy data, and communicates with the Access Server over the OAP to update the Access Server when certain policy modifications are made.

Master Access Administrators and Delegated Access Administrators use the Policy Manager to:

  • Create and manage policy domains that consist of:

    • Resource types to protect

    • Authentication, authorization, and audit rules

    • Policies (exceptions)

    • Administrative rights

  • Add resources to policy domains

  • Test access policy enforcement

The Policy Manager must be installed on a computer hosting a Web server instance with a WebPass (installed at the same directory level as the Policy Manager). Oracle recommends that you install multiple Policy Managers for fault tolerance. For details about installing and setting up the Policy Manager, see the Oracle Access Manager Installation Guide.

Access System Console—Included with the Policy Manager installation. The Web-based Access System Console provides a login interface to the tabs and functions that allow any Master Administrator, Master Access Administrator, and Delegated Access Administrator to perform specific operations, including:

  • System Configuration Tab—Enables a Master Administrator to assign one or more users to be a Master Access Administrator, and also add or remove Delegated Access Administrators and their rights. Responsibilities of a Master Access Administrator include defining resource types, policy domains, and authentication and authorization schemes.

    From the System Configuration tab, administrators can also view and change server settings. For example: specify email addresses for bug reports, user feedback, and the company Web master; change the default logout URL for single sign-on; configure directory server settings; view cache settings.

  • System Management Tab—Enables a Master Administrator to manage:

    • Diagnostics—Show Access Server details, including connection information.

    • Manage Reports—Create, view, or modify user access privilege reports.

    • Manage Sync Records—Archive or purge synchronization records generated by the Policy Manager before a given date. To help manage the space these records consume on the directory server, it is a good idea to periodically archive or purge all the records before a specified date.

  • Access System Configuration Tab—Enables a Master Access Administrator or Delegated Access Administrator to complete the following tasks:

    • View, add, modify, and delete AccessGates, Access Servers, Access Server clusters, Host Identifiers

    • View and modify authentication and authorization parameters; Web resource user rights; and common information

    • Configure common information, including:

      Shared Secret: Generate a cryptographic key that encrypts cookies to a browser.

      Master Audit Rule: Create the default Master Audit Rule for this installation.

      Resource Type Definitions: Define and manage resource types.

      Flush Password Policy Cache: Select a password policy and flush all associated caches or select a Lost Password Management policy and flush all associated caches.

      Duplicate Actions: Select a policy for handling Duplicate Action Headers.

Administrators access the Policy Manager and Access System Console by entering the following URL in a browser, where hostname refers to the computer that hosts the WebPass and Web server; port refers to the HTTP port number of the WebPass Web server instance; and /access/oblix connects to the targeted Access System.


3.2.2 The Access Server

The Oracle Access Manager Access Server plays a key role in authentication and authorization:

  • Authentication involves determining what authentication method is required for a resource and gathering credentials from the directory server, then returning an HTTP response based on the results of credential validation to the access client (WebGate or AccessGate).

  • Authorization involves gathering access information and granting access based on a policy domain stored in the directory and the identity established during authentication.

To perform these operations, you may have multiple standalone Access Server instances that communicate with both the directory server and WebGate. Before you can install an Access Server instance, you must define it in the Access System Console.


Oracle recommends that you install multiple Access Servers for failover and load balancing.

Process overview: The Access Server

  1. Receives requests from an Oracle Access Manager access client (WebGate or AccessGate)

  2. Queries authentication, authorization, and auditing rules in the directory server to determine whether:

    1. The resource is protected (and if so, how)

    2. The user is already authenticated (if the user is not yet authenticated, a challenge is provided)

    3. The user credentials are valid

    4. The user is authorized for the requested resource, and under what conditions

  3. Responds to the access client as follows:

    1. Sends the authentication scheme

    2. Validates credentials

    3. Authorizes the user

    4. Audits

  4. Manages the session, by:

    1. Helping the WebGate terminate user sessions

    2. Re-authenticating when there is a time out

    3. Tracking user activity during a session

    4. Setting session timeouts for users

3.2.3 WebGates and AccessGates

Throughout Oracle Access Manager manuals, the terms AccessGate and WebGate may be used interchangeably. However, there are differences worth noting:

  • A WebGate is a Web server plug-in access client that intercepts HTTP requests for Web resources and forwards them to the Access Server for authentication and authorization. A WebGate is shipped out-of-the-box with Oracle Access Manager.

  • An AccessGate is a custom access client that is specifically developed using the Software Developer Kit (SDK) and Oracle Access Manager APIs, either by you or by Oracle. An AccessGate is a form of access client that processes requests for Web and non-Web resources (non-HTTP) from users or applications. For more information, see "Custom Access Clients".

A WebGate intercepts requests for resources from users or applications and forwards requests to the Access Server for authentication and authorization. See "Access System Operation" for more information.

Before you can install a WebGate, you must define it in the Access System Console and associate it with an Access Server or cluster of Access Servers. For details, see Oracle Access Manager Installation Guide.

3.2.4 Access System Operation

Figure 3-2 illustrates how Access System components work in concert during authentication and authorization. A description follows the figure.

Figure 3-2 Basic Access System Operations


Process overview: When a user requests access

  1. The WebGate intercepts the request.

    Servers that can be protected include Web servers, application servers, and FTP servers (using the Oracle Access Manager SDK), among others.

  2. The WebGate forwards the request to the Access Server to determine whether the resource is protected, how, and if the user is authenticated (if not, there is a challenge).

  3. The Access Server checks the directory server for credentials such as a user ID and password, sends the information back to WebGate, and generates an encrypted cookie to authenticate the user.

    The Access Server authenticates the user with a customer-specified authentication method to determine the identity, leveraging information stored in the directory server. Oracle Access Manager authentication supports any third-party authentication method and also different authentication levels. Resources with varying degrees of sensitivity can be protected by requiring higher levels of authentication that correspond to more stringent authentication methods.

  4. Following authentication, the WebGate prompts the Access Server to look up the appropriate security policies, compare them to the user's identity, and determine the user's level of authorization.

    • If the access policy is valid, the user is allowed to access the desired content or applications.

    • If the policy is false, the user is denied access and redirected to another URL determined by the organization's administrator.

As mentioned earlier, the Policy Manager communicates with the directory server to write policy data, and communicates with the Access Server over the OAP to update the Access Server when you make certain policy modifications. The WebPass intercepts and forwards administrator requests for the Policy Manager.
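The decision sequence in the process overview above (protected? authenticated at a sufficient level? credentials valid? authorized?) can be modelled in a few lines. This is an added illustration, not Oracle Access Manager code or its API. The class, the policies, users and scheme-to-level mapping, the verdict strings, and the longest-prefix matching rule are all assumptions constructed for the example.

```python
import hmac
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    prefix: str               # URL prefix the policy protects
    auth_level: int           # minimum authentication level required
    allowed_groups: frozenset # groups authorized for the resource

# Constructed sample data standing in for what is read from the directory server.
POLICIES = [Policy("/hr", 1, frozenset({"hr", "payroll"})),
            Policy("/hr/payroll", 2, frozenset({"payroll"}))]
USERS = {"alice": {"password": "pw-a", "groups": {"payroll"}},   # toy plaintext;
         "bob": {"password": "pw-b", "groups": {"hr"}}}          # real stores hash
SCHEME_LEVEL = {"basic": 1, "cert": 2}  # hypothetical scheme-to-level mapping

@dataclass
class AccessServer:
    audit_log: list = field(default_factory=list)

    def find_policy(self, url):
        # Assumption: the most specific (longest) matching prefix applies.
        hits = [p for p in POLICIES
                if url == p.prefix or url.startswith(p.prefix + "/")]
        return max(hits, key=lambda p: len(p.prefix), default=None)

    def decide(self, url, session=None, creds=None):
        policy = self.find_policy(url)
        if policy is None:                      # resource is not protected
            return self._audit(None, url, "ALLOW_UNPROTECTED")
        # A session counts only if it was established at a sufficient level.
        if session is None or session["level"] < policy.auth_level:
            if creds is None:                   # challenge with required level
                return self._audit(None, url, f"CHALLENGE_LEVEL_{policy.auth_level}")
            user = USERS.get(creds["user"])
            level = SCHEME_LEVEL.get(creds["scheme"], 0)
            valid = user is not None and hmac.compare_digest(
                user["password"], creds["password"])
            if not valid or level < policy.auth_level:
                return self._audit(creds["user"], url, "AUTHN_FAILED")
            session = {"user": creds["user"], "level": level}
        groups = USERS[session["user"]]["groups"]
        verdict = "ALLOW" if groups & policy.allowed_groups else "DENY_REDIRECT"
        return self._audit(session["user"], url, verdict)

    def _audit(self, user, url, verdict):
        self.audit_log.append((user, url, verdict))  # every decision is recorded
        return verdict
```

In this model a session established at level 1 does not satisfy a level 2 resource, so the user is challenged again instead of being passed through to authorization.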

3.3 Access System Customization

Various components and methods are provided to help you customize the Oracle Access Manager Access System, including:

3.3.1 Custom Access Clients

AccessGates are custom-built Access Server clients (or agents) that process user requests for access to resources within the LDAP domain protected by Oracle Access Manager. The code for processing user requests can be embedded in a plug-in or written as a standalone application.

An AccessGate uses an Access Server to control attempts to access a Web site. AccessGates allow you to extend authorization and authentication rules to other resources in addition to URLs and to control user interaction with applications outside of Oracle Access Manager. This provides you with centralized policy information that applies to Web and non-Web resources.

For more information about AccessGates, see the Oracle Access Manager Developer Guide. See also "Access Manager API".

3.3.2 Custom Authentication and Authorization Plug-ins

You can either use the standard authentication and authorization plug-ins that are installed with the product, or create your own custom plug-ins using the Oracle Access Manager Authentication Plug-In API and Authorization Plug-In API. Each custom plug-in implements the appropriate interface (authentication or authorization). Depending on the plug-in, the interface is activated to pass relevant information between the Access Server and the plug-in. Methods within the interface parse the data.

Custom plug-ins can be developed using the C language and C# (.NET managed code) Authentication Plug-In API and Authorization Plug-In API.

3.3.3 Access Manager API

The Access Manager API is a subset of the Software Developer Kit. You can use the Access Manager API to write custom access client code in any of the four supported development languages to integrate with Java, C and C++, and C# (.NET) applications. The four implementations are functionally equivalent even though each takes advantage of platform-specific features to implement the API.

For more information, see "Custom Access Clients".

3.3.4 Policy Manager API

You can use the Policy Manager API (a subset of the Access Manager SDK) to create and manage policy domains and their contents and to allow custom applications to access the authentication, authorization, and auditing services of the Access Server. For example, you can write applications that use the programmatic interface instead of the GUI to create, modify, delete, and retrieve policy domains and their contents.

To better understand the functions provided by the Policy Manager (and Policy Manager API), explore the Policy Manager GUI and see information in the Oracle Access Manager Access Administration Guide.

The Policy Manager API provides Java, C, and managed code bindings for classes which you can use to instantiate specific objects. For more information, see Oracle Access Manager Developer Guide.

3.3.5 Software Developer Kit

The Oracle Access Manager Software Developer Kit is an optional component that must be installed independently. It provides libraries, build instructions, examples and resources for Access System APIs for each of the supported development platforms. Using the APIs, you can construct interfaces that can be built into commercially available application servers such as IBM WebSphere, Sun, or another application that can access the Access Server for authentication and authorization.

Individual Access System APIs are introduced in this chapter. For details about the Software Developer Kit and all APIs, see the Oracle Access Manager Developer Guide.

3.4 External Authentication

Oracle Access Manager external authentication enables you to integrate multiple security systems across corporate boundaries through trust and technology relationships.

After installation, Oracle Access Manager must be configured to trust an external SSO solution for authentication. During authentication run time, identity information provided by the third-party authentication mechanism is accepted and mapped to the appropriate user being authorized by Oracle Access Manager.

For details about external authentication mechanisms, see the Oracle Access Manager Access Administration Guide and the Oracle Access Manager Integration Guide.

3.5 Federated Authentication

The term federation is derived from the Latin word for trust. When used in the context of security management, federation essentially means integrating multiple security systems together through trust and technology relationships. Federated authentication enables you to integrate multiple security systems across corporate boundaries.

For details about external authentication mechanisms supported by Oracle Identity Federation, see the Oracle Identity Federation Administrator's Guide.

3.6 Looking Ahead

Other chapters in this guide provide a more in-depth look at concepts, behaviors, manuals, and terminology: