|Oracle® Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager
Release 11g (11.1.1)
Part Number E14568-06
This chapter introduces the new and changed administrative features of Oracle Adaptive Access Manager 11g Release 1 (11.1.1). It contains these topics:
Oracle Adaptive Access Manager 11g Release 1 (11.1.1) includes many important features and enhancements that were not available with Oracle Adaptive Access Manager 10g. The following is a list of the new features and enhancements:
|Areas||Features and Enhancements|
|Interface||The new rich Oracle Adaptive Access Manager user interface provides
|Security Policies||Newly updated security policies that incorporate:
|Policy Creation||New features in policy creation enables you to:
|Rule Creation||Rules are now much easier to create.
|OTP Anywhere||OTP Anywhere can create universal delivery options for auto-generated one-time-passwords used for secondary, risk-based user challenges to add sophisticated security to basic authentication flows.|
|Investigation||New investigation tools have been added to make investigations quicker and easier
|Encryption Keys||Encryption keys required by Oracle Adaptive Access Manager can be securely managed using Fusion Middleware Control without having to create Keystore files|
|Universal Risk Snapshot||Snapshots can be created allowing security administrators to simply and easily migrate security data across environments or restore security configuration to a known state|
|Multitenancy||Multitenant access controls for customer service representative interface to allow protection of multiple application tenants with a single instance of OAAM|
|OAAM Batch Risk Analysis||Oracle Adaptive Access Manager batch risk analysis tool to be used as:
|Audit||Most of the administrative operations are now audited using Oracle Audit Service. Audit events can be viewed using the standard audit reports.|
|Web Services||Oracle Adaptive Access Manager Web services are implemented using Oracle Web Services.|
|Application Logging||Oracle Adaptive Access Manager 11g uses Java logging instead of log4j. Logging can be configured using Fusion Middleware Control.|
|Integration with the Dynamic Monitoring System||Some performance metrics are now integrated with Dynamic Monitoring System. These metrics and related reports can be viewed using Fusion Middleware Control|
|Real-time and offline rules engine||X||X||X|
|Virtual authentication devices||X||X||X|
|Adaptive device identification*||X||X||X|
|Base security policies (ongoing updates)||X||X||X|
|Real-time dashboard (improved)||X||X||X|
|Customer service module||X||X||X|
|Real-time access to activity data||X||X||X|
|Actions, alerts, and risk scoring||X||X||X|
|Optimized log data management||X||X|
|Enhanced caching of rules data object||X||X|
|Expanded integration APIs||X||X|
|Investigation agent workflow||X|
|Rules authoring user interface||X||X|
|Transaction definition and mapping user interface||X||X|
|Data entity definition and mapping user interface||X||X|
|Behavior pattern configuration interface||X||X|
|Server-generated one-time password||X (Native only)||X (All deployment types)|
|Customizable reporting BI Publisher (bundled)||X||X|
|Tree-based navigation and policy browse||X|
|Tabular multitasking user interface||X|
|Customizable search screens||X|
|Common audit framework||X|
|Integrated Oracle Identity Manager password management flows||X|
|Oracle Installer and Repository Creation Utility||X|
|Oracle Adaptive Access Manager Offline User Interface||X||X||X|
|Oracle Access Manager integration||X||X||X|
|Oracle Identity Manager integration||X|
|Oracle Entitlements Server integration||X||X|
|Juniper SSL VPN integration||X|
Customers migrating from Oracle Adaptive Access Manager 10g to 11g will notice a few key conceptual and terminology changes. These changes are intended to align terminology used across the Identity Management suite products and simplify administration. Full definitions of these and many other terms can be found in the glossary.
|10g Term||11g Term|
A checkpoint is a specified point in a session when Adaptive Access Manager collects and evaluates security data using the rules engine.
Policies contain security rules and configurations used to evaluate the level of risk at each checkpoint.
|manual override||trigger combination
Trigger combinations are additional results and policy evaluation that are generated if a specific sequence of rules trigger.
|Application ID||Organization ID
From the administration perspective, each application/primary user group is translated into an "Organization ID." The term, "Application ID" has been renamed as "Organization ID," which represents the primary user group of a particular user.
For the OAAM Server side, the term "Application ID" remains the same as before. When communicating with proxies, OAAM Server passes the Applications ID, which uniquely identifies an application.
Concepts changes are listed in the following table.
|10g Concept||11gR1 Concept|
|OAAM Adaptive Risk Manager||The rules engine is now part of OAAM Server. The Administration Console is now a separate application named OAAM Admin.|
|OAAM Adaptive Strong Authenticator||The end-user flows including the virtual authentication devices, Knowledge-Based Authentication and One-Time Password authentication are now contained in OAAM Server.|
|rule template||The concept has been removed from product|
|policy type||The concept has been removed from the product|
Oracle Adaptive Access Manager's deployed applications in 11g are:
OAAM Server - Adaptive Risk Manager, Adaptive Strong Authenticator, Web services, LDAP integration and user Web application used in all deployment types except native integration
OAAM Admin - Administration Web application for all environment, Adaptive Strong Authenticator and Adaptive Risk Manager features
Architecture and deployment changes are listed as follows:
Administration User Interface is now a separate Web application called OAAM Admin.
Adaptive Strong Authenticator is now deployed as part of the OAAM Server Web application.
OAAM Web applications are now packaged as
.ear files. Exploding them is neither recommended nor supported.