|Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service
11g Release 1 (11.1.1)
Part Number E15478-06
This section describes new features of the Oracle Access Manager 11g Release 1 (11.1.1), Patch Set 1.
Patch set 1 provides new functions and enhancements, as introduced in the following topics:
The System Configuration tab has been divided into three new sections:
Access Manager Settings
Security Token Service Settings
Authentication is governed by specific authenticating schemes that rely on one or more plug-ins that test the credentials provided by a user when she tries to access a resource. The plug-ins can be taken from a standard set provided with OAM Server installation, or custom plug-ins created by your own Java developers.
The Policy Model supports Query String-based HTTP Resource Definitions within Access Policies.
Oracle Access Manager provides support to help you keep certain resources public (not protected by the OAM Agent).
User-session lifecycle settings are part of the Common Settings shared by all OAM Servers. These have moved to the Common Settings page
Authenticated clients can manage Session operations.
See Also:Table 7-1, "Common Session Settings" for details on the Allow Management Operations parameter.
Database Persistence for Active Sessions: You can persist active sessions to the configured database session store, in addition to the local and distributed caches. Sessions are retained even if all managed servers die off.
See Also:Table 7-1, "Common Session Settings" for details about the Database Persistence for Active Sessions parameter.
Oracle Access Manager provides enhanced Session Search controls that enable you to create a query based on filter conditions.
Multiple user identity stores are supported:
Only the User Identity Store designated as the System Store is used to authenticate Administrators signing in to use the Oracle Access Manager Console, remote registration, and custom administrative commands in WLST.
Users attempting to access an OAM-protected resource can be authenticated against any store, not necessarily the only one marked as Default User Identity Store.
Oracle Security Token Service uses only the Default User Identity Store. When adding User constraints to a Token Issuance Policy, for instance, the identity store from which the users are to be chosen must be Default User Identity Store.
See Also:"About User Identity Stores"
CERT mode connections are supported in this release which requires having stores with a client certificate and a root certificate. Both stores can be generated using the IMPORTCERT tool.The OAM Tester can also run concurrent tests in multi-threaded mode, which can be used to stress test the policy server. The tests are run in command-line mode only and the input configuration file specifies the number of threads and the number of iterations each thread should execute. Each thread then open a dedicated connection to the policy server and run the specified input script the specified number of iterations.
Oracle Security Token Service is deployed with Oracle Access Manager and can be activated as a service.
Oracle Security Token Service provides a foundation to the current security infrastructure to facilitate a consistent and streamlined model for token acquisition, renewal, and cancellation that is protocol and security infrastructure agnostic.
Oracle Security Token Service is a Web Service (WS) Trust-based token service that allows for policy-driven trust brokering and secure identity propagation and token exchange between Web Services. Oracle Security Token Service can be deployed as a Security and Identity Service needed to simplify the integration of distributed or federated Web services within an enterprise and its service providers.
The Oracle Access Manager 11g Access SDK is a platform independent package that Oracle has certified on a variety of enterprise platforms (using both 32-bit and 64-bit modes) and hardware combinations. It is provided on JDK versions that are supported across Oracle Fusion Middleware applications.
Oracle Access Manager 11g provides authentication plug-in interfaces and SDK tooling to build customized authentication modules (plug-ins) to bridge the out-of-the-box features with individual requirements.
When Oracle Security Token Service does not support the token that you want to validate or issue out-of-the-box, you can write your own validation and issuance module classes.
Remote registration tooling permits Administrators and application deployers to remotely register an application for protection by Oracle Access Manager. Enhancements to the remote registration tool, oamreg, have been made to mirror enhancements to Webgate registration. Certain changes have been made to the templates used to perform remote registration. New modes are available to manage Agents remotely. A new option is available to pipe in passwords.
Table 10-2, "Remote Registration Sample Commands" provide details of the -noprompt option
Table 10-6, "Elements Common to Full Remote Registration Requests" provides details about the
ipValidationExceptions parameter; and more.
Webgate caches resources from an exception list that should not be checked for authorization and should just be allowed to pass through.
You can implement certain user-defined parameters in the Webgate registration page.
See Also:"About User-Defined Webgate Parameters"
Only privileged agents can invoke session management operations. The Agent Privilege function enables the provisioning of session operations per agent.
You can configure single sign-on between Webgate and an access client that does not have the client IP address at authentication.
You can configure Webgate only settings to control the browser's cache.
See Also:"Expanded OAM 11g and 10g Webgate Elements and Defaults" for details about:
Cache Pragma Header
Cache Control Header
During Agent searches, if you do not know the exact name you can use a wild card (*) in the search string.
See Chapter 2, "Introduction to This Book" for a full introduction, and the following topic for product and component name changes.
The original product name, Oblix NetPoint, was changed to Oracle Access Manager and v7.x releases were available from Oracle as part of Oracle Application Server 10g Release 2 (10.1.2). Oracle Access Manager 10.1.4 provided some product and component name changes, with more in Oracle Access Manager 11g, as shown in the following table.
|OAM 10g||OAM 11g|
|Deployment||Stand alone server||Deployed in a container|
|Component Names||Access Server
OAM Administration Console
|Webgate (also OAM Agent)
Access Client (also OAM Agent)
|Console Names||Policy Manager
Identity System Console
Access System Console
|OAM Administration Console
|Directory Profiles||Directory Profiles||User-Identity Stores|
|Identity Administration||Identity Server||Identity agnostic (Oracle Identity Manager 11g is used by default)|
Master Identity Administrator
Master Access Administrator
|Agent and partner application registration||N/A||Oracle Access Manager Console
Remote registration tool provides automated Agent registration and application domain creation with default security policies
|Automated creation of OAM 10g form-based authentication scheme, policy domain, access policies, and Webgate profile for the Identity Asserter for single sign-on||OAMCfgTool
Platform-agnostic tool and scripts
Remote registration of OAM Agents (10g and 11g Webgates and Access Clients), application domain, default policies for SSO.
|Configuration Store||LDAP||XML file|
|Policy Store||LDAP||XML file or RDBMS|
|Policy Model||Open (default allow)||Closed (default deny)|
|Policy Domain||Policy Domain||Application Domain|
|Session management||Stateless, stored in a cookie||Stateful, stored on the server|
|Authentication to LDAP||LDAP defined system wide||LDAP defined in an authentication scheme|
|Resource Types||Resource Type||Resource Type|
|Host Identifiers||Host Identifiers||Host Identifiers|
|Software Developer Kit||Access Manager SDK||Access Manager SDK|
|Access Protocol||NetPoint Access Protocol (NAP)||Oracle Access Protocol (OAP)|
|Access Protocol port number||6021||5575 (assigned by the Internet Assigned Numbers Authority (IANA))|