Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service
11g Release 1 (11.1.1)

Part Number E15478-09

What's New

This section describes new features of the Oracle Access Manager 11g Release 1 (11.1.1), Patch Set 1.

New Features in 11.1.1.7

See Integrating a Supported LDAP Directory with Oracle Access Manager in Chapter 5.

New Features in Patch Set 1

Patch set 1 provides new functions and enhancements, as introduced in the following topics:

Administration Console Enhancements

The System Configuration tab has been divided into three new sections:


Authentication Plug-in Enhancements

Authentication is governed by specific authentication schemes that rely on one or more plug-ins to test the credentials a user provides when she tries to access a resource. The plug-ins can be taken from the standard set provided with the OAM Server installation, or they can be custom plug-ins created by your own Java developers.


Query String-based HTTP Resource Definitions

The Policy Model supports Query String-based HTTP Resource Definitions within Access Policies.


Excluded Resource List

Oracle Access Manager provides support to help you keep certain resources public (not protected by the OAM Agent).


Session Search and Session Management Enhancements

User-session lifecycle settings are part of the Common Settings shared by all OAM Servers. These settings have moved to the Common Settings page.

See Also:

"About Common Session Lifecycle Setting Page"

Authenticated clients can manage Session operations.

See Also:

Table 7-1, "Common Session Settings" for details on the Allow Management Operations parameter.

Database Persistence for Active Sessions: You can persist active sessions to the configured database session store, in addition to the local and distributed caches. Sessions are retained even if all managed servers die off.

See Also:

Table 7-1, "Common Session Settings" for details about the Database Persistence for Active Sessions parameter.

Oracle Access Manager provides enhanced Session Search controls that enable you to create a query based on filter conditions.

See Also:

Table 7-2, "Session Management Controls and the Results Table"

Multiple Identity Store Support

Multiple user identity stores are supported.

See Also:

"About User Identity Stores"

OAM Tester Enhancements

CERT mode connections are supported in this release; they require stores that hold a client certificate and a root certificate. Both stores can be generated using the IMPORTCERT tool. The OAM Tester can also run concurrent tests in multi-threaded mode, which can be used to stress test the policy server. These tests run in command-line mode only, and the input configuration file specifies the number of threads and the number of iterations each thread should execute. Each thread then opens a dedicated connection to the policy server and runs the specified input script for the specified number of iterations.

See Also:

"Validating Connectivity and Policies Using the Access Tester"

Oracle Security Token Service

Oracle Security Token Service is deployed with Oracle Access Manager and can be activated as a service.

Oracle Security Token Service builds on the existing security infrastructure to provide a consistent, streamlined model for token acquisition, renewal, and cancellation that is agnostic to both the protocol and the underlying security infrastructure.

Oracle Security Token Service is a WS-Trust-based token service that allows for policy-driven trust brokering, secure identity propagation, and token exchange between Web Services. It can be deployed as a Security and Identity Service to simplify the integration of distributed or federated Web services within an enterprise and with its service providers.


Oracle Access Manager SDK, Custom Authentication Plug-ins, Custom Tokens

The Oracle Access Manager 11g Access SDK is a platform independent package that Oracle has certified on a variety of enterprise platforms (using both 32-bit and 64-bit modes) and hardware combinations. It is provided on JDK versions that are supported across Oracle Fusion Middleware applications.

Oracle Access Manager 11g provides authentication plug-in interfaces and SDK tooling to build customized authentication modules (plug-ins) to bridge the out-of-the-box features with individual requirements.

When Oracle Security Token Service does not support the token that you want to validate or issue out-of-the-box, you can write your own validation and issuance module classes.


Remote Registration Enhancements

Remote registration tooling permits Administrators and application deployers to remotely register an application for protection by Oracle Access Manager. Enhancements to the remote registration tool, oamreg, have been made to mirror enhancements to Webgate registration. Certain changes have been made to the templates used to perform remote registration. New modes are available to manage Agents remotely. A new option is available to pipe in passwords.


Webgate Enhancements

Webgate caches resources from an exception list that should not be checked for authorization and should just be allowed to pass through.

See Also:

Table 9-5, "Expanded OAM 11g and 10g Webgate Elements and Defaults"

You can implement certain user-defined parameters in the Webgate registration page.

See Also:

"About User-Defined Webgate Parameters"

Only privileged agents can invoke session management operations. The Agent Privilege function enables the provisioning of session operations per agent.

See Also:

Table 9-5, "Expanded OAM 11g and 10g Webgate Elements and Defaults"

You can configure single sign-on between Webgate and an access client that does not have the client IP address at authentication.

See Also:

"About IP Address Validation for Webgates"

You can configure Webgate-only settings to control the browser's cache.

See Also:

"Expanded OAM 11g and 10g Webgate Elements and Defaults" for details.

During Agent searches, if you do not know the exact name, you can use a wildcard (*) in the search string.

See Also:

"Searching for an OAM Agent Registration"

11g Release 1 (11.1.1)

See Chapter 2, "Introduction to This Book" for a full introduction, and the following topic for product and component name changes.

Product and Component Name Changes

The original product name, Oblix NetPoint, was changed to Oracle Access Manager and v7.x releases were available from Oracle as part of Oracle Application Server 10g Release 2 (10.1.2). Oracle Access Manager 10.1.4 provided some product and component name changes, with more in Oracle Access Manager 11g, as shown in the following table.


Item | OAM 10g | OAM 11g
Deployment | Stand alone server | Deployed in a container
Component Names | Access Server | OAM Server
 | Policy Manager | OAM Administration Console
 | Webgate | Webgate
 | AccessGate | Access Client
 | Identity Server | N/A
 | WebPass | N/A
Agents | Webgate | Webgate (also OAM Agent)
 | AccessGate | Access Client (also OAM Agent)
Console Names | Policy Manager | OAM Administration Console
 | Identity System Console | N/A
 | Access System Console | N/A
Directory Profiles | Directory Profiles | User-Identity Stores
Identity Administration | Identity Server | Identity agnostic (Oracle Identity Manager 11g is used by default)
Administrators | Master Administrator | Administrator
 | Master Identity Administrator | N/A
 | Master Access Administrator | N/A
 | Delegated Administrators | N/A
Agent and partner application registration | N/A | Oracle Access Manager Console; remote registration tool provides automated Agent registration and application domain creation with default security policies
Automated creation of OAM 10g form-based authentication scheme, policy domain, access policies, and Webgate profile for the Identity Asserter for single sign-on | OAMCfgTool (platform-agnostic tool and scripts) | oamreg (remote registration of OAM Agents (10g and 11g Webgates and Access Clients), application domain, default policies for SSO)
Configuration Store | LDAP | XML file
Policy Store | LDAP | XML file or RDBMS
Policy Model | Open (default allow) | Closed (default deny)
Policy Domain | Policy Domain | Application Domain
Session management | Stateless, stored in a cookie | Stateful, stored on the server
Authentication to LDAP | LDAP defined system wide | LDAP defined in an authentication scheme
Resource Types | Resource Type | Resource Type
Resources | Resource | Resource
Host Identifiers | Host Identifiers | Host Identifiers
Authentication | Authentication | Authentication
 | Authentication Scheme | Authentication Scheme
 | Authentication Plug-ins | Authentication Modules
 | Authentication Rule | Authentication Policy
Authorization | Authorization | Authorization
 | Authorization Rule | Constraint
 | Authorization Expression | Authorization Policy
Actions | Actions | Responses
Software Developer Kit | Access Manager SDK | Access Manager SDK
Access Protocol | NetPoint Access Protocol (NAP) | Oracle Access Protocol (OAP)
Access Protocol port number | 6021 | 5575 (assigned by the Internet Assigned Numbers Authority (IANA))