Oracle® Adaptive Access Manager Installation and Configuration Guide Release 10g (10.1.4.5) Part Number E12050-03
This chapter provides an introduction to the architecture, installation and configuration of Oracle Adaptive Access Manager. Topics include
Oracle Adaptive Access Manager (OAAM) is Oracle Identity Management's solution for web access real-time fraud detection and multi-factor online authentication security for the enterprise. Oracle Adaptive Access Manager includes two core components.
Adaptive Risk Manager Web Application (ARM)
Adaptive Risk Manager is Oracle Adaptive Access Manager's back-end, proactive real-time fraud detection product.
Adaptive Risk Manager provides a comprehensive anti-fraud software solution which works behind the scenes to provide second and third factors of security by verifying a host of factors used to confirm identity, from the computer and mobile device used to log in to a user's location and online behavioral profiles. Based on these factors, Adaptive Risk Manager scores risk and alerts the organization of potential fraud in real time. Adaptive Risk Manager can also trigger numerous actions, such as challenging or blocking the user.
Adaptive Risk Manager comes with:
Rules Engine embedded
SOAP Server
Admin Console
Fraud Case Management tool
Fraud Investigation tool
Adaptive Strong Authenticator Web Application (ASA)
Adaptive Strong Authenticator is Oracle Adaptive Access Manager's user-facing "front-end" product, providing fraud protection against online identity theft.
Oracle Adaptive Access Manager is an authentication-agnostic security mechanism that incrementally protects sensitive credentials and data from phishing, pharming, trojans, and proxy-based fraud without the need for proprietary software downloads. It secures the data inputs at the point where they are first entered into an Internet browser; this ensures maximum protection because the raw information never resides on a user's computer or anywhere on the Internet where it could be vulnerable to theft.
Adaptive Strong Authenticator comes with:
Rules Engine embedded (optional)
Best practice security user flows
Out of the box models for managing registration flows
Support for upgrading security preferences
Common base for Universal Installation Option, Access Management, SAML integrations
All the integration options are listed below. This section contains the following topics:
The client portion of Oracle Adaptive Access Manager can be natively integrated. In the native integration, the client application invokes the Oracle Adaptive Access Manager APIs directly and manages the authentication and challenge flows. The Adaptive Strong Authenticator web application is not used in this integration.
SOAP/Web Services and Static Linked Integrations
The two flavors of native integration are:
SOAP/Web Services Integration
The web application communicates with Adaptive Risk Manager Online using the Adaptive Risk Manager Online Native Client API or via Web Services.
Static Linked (In Proc) Integration
This integration involves only local API calls and therefore makes no remote calls to a risk engine server. It embeds the Adaptive Risk Manager processing engine in the application and lets the application use the underlying database directly for processing.
Both flavors use the same APIs; the option used at runtime is selected by configuring the properties.
SOAP v/s Static (In Proc) Decision
The advantages of each option over the other are listed below.
SOAP
Network architecture: the web tier in the outer DMZ can be separated from the inner DMZ, where the database is accessed.
Scalability: a few high-end servers for rules processing, and more low-end servers for processing web requests.
Static
Rules Engine embedded in the application.
No SOAP/HTTP(S) calls, so better performance.
Oracle Adaptive Access Manager's Universal Installation Option (UIO) is a proxy-based deployment of Adaptive Risk Manager and Adaptive Strong Authenticator that requires little or no integration with enterprise applications.
A proxy intercepts site traffic and routes it through Adaptive Risk Manager Online for strong authentication and fraud detection and prevention.
In this option, Oracle Adaptive Access Manager is integrated with, or used alongside, an access management product. This option uses both the Adaptive Strong Authenticator and Adaptive Risk Manager web applications.
There are many flavors of Web Application deployment for Oracle Adaptive Access Manager. The deployment you choose is based on your needs. The chart below shows the combinations for each flavor of Web Application deployment.

| Integration Type | Adaptive Risk Manager Web Application | Adaptive Strong Authenticator Web Application | Native |
|---|---|---|---|
| Oracle Adaptive Access Manager – Universal Installation Option. See Section 1.2.2, "Universal Installation Option Integration" and "Oracle Adaptive Access Manager Proxy" in Oracle Adaptive Access Manager Developer's Guide. | X | X | |
| Oracle Adaptive Access Manager – Access Management (like Oracle Access Manager, etc.). Refer to Section 1.2.3, "Access Management Integration", and for an Oracle Access Manager integration, see "Integration with Oracle Access Manager" in Oracle Adaptive Access Manager Developer's Guide. | X | X | |
| Oracle Adaptive Access Manager – SAML (e.g. SSL VPN*). Refer to Section 1.2.4, "SAML Integration." | X | X | |
| Oracle Adaptive Access Manager – Application (Embedded)**. See Section 1.2.1, "Native Integration" and "API Integration" in Oracle Adaptive Access Manager Developer's Guide. | X | X | |
| Only Authenticators. See Section 1.2.1, "Native Integration" and "API Integration" in Oracle Adaptive Access Manager Developer's Guide. | X | | |
* Oracle Adaptive Access Manager is the authentication provider and uses LDAP for password authentication
** Supports with and without Authenticators
Oracle Adaptive Access Manager can be installed in an n-tier deployment to allow horizontal as well as vertical scalability.
The diagram below shows the relationship between the Internet, the Web/Application Server that hosts Adaptive Risk Manager and Adaptive Strong Authenticator, and the database that stores Oracle Adaptive Access Manager's data. The Web server accepts requests from the browser and forwards all site traffic to the Oracle Adaptive Access Manager engine for processing. To store and retrieve configuration data, the Oracle Adaptive Access Manager engine communicates with the database through the JDBC or JNDI driver. The Application Server must be able to access and store data in the database at all times.
The diagram below depicts an out-of-the-box deployment. In this simple (out-of-the-box) deployment, Adaptive Strong Authenticator and Adaptive Risk Manager are on the same server.
The diagram below depicts the recommended architectural scenario for deployment.
In this scenario, the Oracle Adaptive Access Manager components are separated onto different tiers for performance and scalability, and the Adaptive Risk Manager application and database are scaled horizontally.
Adaptive Risk Manager Offline has its own database. This additional database has an identical schema to that of the Adaptive Risk Manager Online version. Customer login and/or transaction data must be loaded into the Adaptive Risk Manager Offline database, and Adaptive Risk Manager Offline uses this database to perform risk analysis.
For the Adaptive Risk Manager Offline database, follow the instructions in Chapter 3, "Creating an Oracle Database Schema," or Chapter 4, "Creating a SQL Server Schema," for creating the database schema and populating it with the default values.
An installation checklist is provided below.

| Task | Adaptive Risk Manager | Adaptive Strong Authenticator SOAP | Adaptive Strong Authenticator Static | Native SOAP | Native Static |
|---|---|---|---|---|---|
| Create Oracle Adaptive Access Manager database schema. Refer to Chapter 3, "Creating an Oracle Database Schema" or Chapter 4, "Creating a SQL Server Schema." | [ ] | | | | |
| Create background images directory. | [ ] | [ ] | [ ] | [ ] | [ ] |
| Create log directories. Refer to Chapter 16, "Setting Up Logging." | [ ] | [ ] | [ ] | [ ] | [ ] |
| Install application server. | [ ] | [ ] | [ ] | | |
| Create user roles in application server. Refer to Chapter 6, "Installing Adaptive Risk Manager" and Appendix A, "Adaptive Risk Manager User Groups." | [ ] | | | | |
| Configure JNDI in application server. | [ ] | [ ] | [ ] | | |
| Unjar war file. | [ ] | [ ] | [ ] | [ ] | [ ] |
| Configure encryption. Refer to Chapter 10, "Setting Up Encryption." | [ ] | [ ] | [ ] | [ ] | [ ] |
| Configure SOAP/Web services access. Refer to Chapter 11, "Configuring SOAP/Web Services Access." | [ ] | [ ] | [ ] | | |
| Copy bharosa_server.properties.sample to bharosa_server.properties. | [ ] | [ ] | [ ] | | |
| Update bharosa_server.properties. | [ ] | [ ] | [ ] | | |
| Copy sample.sessions.xml or sample_jndi.sessions.xml to sessions.xml and update it accordingly. | [ ] | [ ] | [ ] | | |
| Copy sample.bharosa_client.properties to bharosa_client.properties. | [ ] | [ ] | | | |
| Update bharosa_client.properties for | [ ] | [ ] | | | |
| Update log4j.xml. Refer to Chapter 16, "Setting Up Logging." | [ ] | [ ] | [ ] | [ ] | [ ] |
| Rejar and deploy the war file. | [ ] | [ ] | [ ] | [ ] | [ ] |
| Take backup of all updated files. | [ ] | [ ] | [ ] | [ ] | [ ] |
If you are installing the Universal Installation Option, see "Oracle Adaptive Access Manager Proxy" in Oracle Adaptive Access Manager Developer's Guide.
If you are planning to install Adaptive Risk Manager Offline, refer to Chapter 8, "Installing and Configuring Adaptive Access Manager Offline."
If you are planning to load IP location data, see "IP Location Data Import" in Oracle Adaptive Access Manager Reference Guide.
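As an added example (not code from the guide or from Oracle), the following POSIX shell script carries out the copy, sessions-template, validation and backup steps of the installation checklist on an exploded WAR. It assumes the WAR has already been unpacked (for example with `jar xf`) into the directory passed as the first argument, and that the configuration files live under `WEB-INF/classes`; both the location and the `prepare/check/backup` function names are assumptions, while the file names come from the checklist.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: performs the copy/backup steps of the
# installation checklist on an exploded WAR and verifies the result before rejarring.
# Assumes the WAR is already unpacked (e.g. with `jar xf`) into the directory given
# as $1 and that the configuration files sit under WEB-INF/classes (assumed location).

# Copy a sample file to its live name, never overwriting an already edited live file
# (re-running the script after the "Update ..." steps must not discard those edits).
copy_sample() {
  [ -f "$1" ] || { echo "missing sample: $1" >&2; return 1; }
  if [ -f "$2" ]; then echo "keeping existing $2" >&2; else cp "$1" "$2"; fi
}

# $1 = exploded WAR dir, $2 = "jndi" when the data source is configured via JNDI in
# the application server (then sample_jndi.sessions.xml is the sessions template).
prepare_oaam_config() {
  cfg="$1/WEB-INF/classes"
  [ -d "$cfg" ] || { echo "no WEB-INF/classes under $1" >&2; return 1; }
  copy_sample "$cfg/bharosa_server.properties.sample" "$cfg/bharosa_server.properties" || return 1
  if [ "$2" = "jndi" ]; then sess=sample_jndi.sessions.xml; else sess=sample.sessions.xml; fi
  copy_sample "$cfg/$sess" "$cfg/sessions.xml" || return 1
  copy_sample "$cfg/sample.bharosa_client.properties" "$cfg/bharosa_client.properties" || return 1
}

# Checklist validation: every live file the later steps edit must exist; reports
# each missing one on stderr and returns 1 so the rejar step can be refused.
check_oaam_config() {
  cfg="$1/WEB-INF/classes"; rc=0
  for f in bharosa_server.properties sessions.xml bharosa_client.properties log4j.xml; do
    [ -f "$cfg/$f" ] || { echo "missing: $cfg/$f" >&2; rc=1; }
  done
  return $rc
}

# "Take backup of all updated files": copy the live configuration files to a
# timestamped directory beside the exploded WAR and print its path.
backup_oaam_config() {
  dest="$1.backup.$(date +%Y%m%d%H%M%S)"
  mkdir -p "$dest"
  for f in bharosa_server.properties sessions.xml bharosa_client.properties log4j.xml; do
    if [ -f "$1/WEB-INF/classes/$f" ]; then cp "$1/WEB-INF/classes/$f" "$dest/"; fi
  done
  echo "$dest"
}

# Usage: sh prepare_oaam.sh /path/to/exploded-war [jndi]
[ $# -eq 0 ] || { prepare_oaam_config "$1" "$2" && check_oaam_config "$1" && backup_oaam_config "$1"; }
```

Run it again after editing the live files and it leaves them untouched, so the checklist's "Update" steps are never silently undone.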
A validation checklist is provided below.

| Task | Adaptive Risk Manager | Adaptive Strong Authenticator SOAP | Adaptive Strong Authenticator Static | Native SOAP | Native Static |
|---|---|---|---|---|---|
| Start the Application Server. | [ ] | [ ] | [ ] | [ ] | [ ] |
| Log into Adaptive Risk Manager. | [ ] | | | | |
| Import Base Models. | [ ] | | | | |
| Import Rule Conditions. | [ ] | | | | |
| Import Base Questions. | [ ] | | | | |
| Go to Adaptive Strong Authenticator URL and try to log in. | [ ] | [ ] | | | |
| Enable phase 2 scenarios by adding the default user group to the Phase2 pre- and post-authentication business models. | [ ] | | | | |
| Check log file for errors. | [ ] | [ ] | [ ] | [ ] | [ ] |
The Adaptive Strong Authenticator models (oaam_sample_models_for_asa_integration.zip) and the SAMPLE models (oaam_sample_models_for_native_integration.zip) should not be imported into the same application. The models and rules are for different flows and need different sets of properties. The Adaptive Strong Authenticator models are used for all Universal Installation Option-based integrations and deployments; examples of Universal Installation Option deployments are integrations with Oracle Access Manager, Site Minder, SAML, and so on. The SAMPLE models are used for native integrations where the users want to use their own user flows.