Oracle® Access Manager Introduction 10g (10.1.4.2.0) Part Number B32410-01 |
This chapter provides an overview of Oracle Access Manager 10g (10.1.4.0.1) and includes the following topics:
Oracle Access Manager (formerly known as Oblix NetPoint and Oracle COREid) provides a full range of identity administration and security functions, including Web single sign-on; user self-service and self-registration; sophisticated workflow functionality; auditing and access reporting; policy management; dynamic group management; and delegated administration.
Oracle Access Manager offers a DMZ-type three-tier architecture to provide a highly secure deployment with maximum protection of data and applications that includes the following:
Identity System: The industry's first and most mature enterprise identity management system. The Identity System (formerly known as NetPoint COREid) provides user management and self service, dynamic group management and organization management, privacy enforcement, delegated administration, and powerful workflow to secure additions and changes to any of these. The Identity System is used to manage hundreds of thousands to millions of users in some of the world's largest extranets and portals.
Access System: The access-control system (formerly known as the NetPoint Access System). The Access System, Network Computing's 2003 Product of the Year, provides single sign-on across any Web application. It supports a variety of access policies, and is fully integrated with the Identity System so that changes in user profiles are instantly reflected in the Access System's policy enforcement.
Integration Services: Extends Oracle Access Manager capabilities to all your applications. By providing integration points with systems and applications from other vendors, Oracle Access Manager enables out-of-the box integrations with most leading application servers, Web servers, directories, portal servers, system management products, and packaged applications.
Deployment Lifecycle Services: Oracle Access Manager provides a new application that offers sophisticated features to ensure that configuration management of Oracle Access Manager metadata is handled according to change-control-management best practices.
Oracle Access Manager includes a Web-based interface that provides a single point of entry. The Web-based System Console enables administrators to assign and delegate administrative responsibilities and to manage the appearance and behavior of Access and Identity components and applications.
Oracle Access Manager 10g (10.1.4.0.1) enables you to present static data such as error messages and display names for tabs, panels, and attributes to users in their native language. Unicode UTF-8 encoding enables data transmission and storage in a universal format, as described in Chapter 4, "About Globalization and Multibyte Support". English is the default language and is always installed.
Oracle Access Manager Identity System—Provides delegated administration, user self-service, and real-time change management. For example, you can create, manage, and delete groups in the directory server. You can define a subscription policy for a group, including self-service with no approval needed, subscription with approvals, rule-based subscription, and no subscription allowed.
Administrators can build password management and other functions on top of the Oracle Access Manager identity management system. You can integrate other applications with the primary Identity System components using a single identity management system so that access cards, computer accounts, and payroll functions can all be modified from one identity change function when an employee leaves an organization. Customization and XML-based integration features are included.
End users can search for and view other users and groups, depending on the rights granted to them by an administrator; modify personal information such as phone numbers and passwords; and display organizational information such as floor plans and asset lists.
For details about Identity System components, applications, features, and functions, see Chapter 2, "About the Identity System".
Oracle Access Manager Access System—Stores information about configuration settings and security policies that control access to resources in a directory server that uses Oracle Access Manager-specific object classes. You can use the same directory to store the Access System configuration settings, access policy data, and user data, or you can store this data on separate directory servers.
Administrators can use the Access System to protect Web resources and enterprise resources such as J2EE applications, servlets, Enterprise Java Beans (EJBs), and legacy systems. The Access System also supports both Web (HTTP) and similar types of data in non-Web (non-HTTP) resources. Using the Access System for security administration enforces your company's access security policies for Web applications and content; provides common security measures across multiple Web servers and applications; combines centralized policy creation with decentralized management and enforcement; and enables granular control over security across heterogeneous applications and systems.
For more information about Access System components, features, and functions, see Chapter 3, "About the Access System".
Oracle Access Manager Integration Services—Oracle Access Manager integrations exist across multiple operating systems and third-party products to support the heterogeneous nature of most large-enterprise IT environments. The following is only a short list of the integration options Oracle offers:
Single sign-on integrations
Portal integrations
Application server integrations
Third-party authentication integrations
For more information, see the Oracle Access Manager Integration Guide.
In addition, you may also perform the following integrations:
Real-time integration of multiple directories and user repositories through a single LDAP service using Oracle Access Manager combined with Oracle Virtual Directory. For details, see the Oracle Access Manager Installation Guide.
Integration with an optional Simple Network Management Protocol (SNMP) Agent. This provides data that can be used by SNMP and a Network Management System (NMS) to monitor the status and activity of the Identity and Access Servers resident on the same server host where the agent was installed. To install SNMP, see the Oracle Access Manager Installation Guide. For monitoring details, see the Oracle Access Manager Identity and Common Administration Guide.
You can also use the Oracle Enterprise Manager 10g Identity Management pack to help improve performance and availability, and to reduce the cost and complexity of managing Oracle Access Manager. The Oracle Enterprise Manager 10g Identity Management pack provides out-of-box system modeling for Oracle Access Manager and other products in the Oracle Identity and Access Management Suite. Collection of key performance metrics helps accelerate diagnostics. You can monitor availability, performance, and overall deployment health. Service Level Management capabilities help you proactively monitor the performance and availability of Identity and Access services using pre-recorded transactions. You can ensure that services are meeting performance expectations and provide visibility to stakeholders on Service Level Performance. For more information, see the Oracle Enterprise Manager Concepts Guide and the Oracle Enterprise Manager Advanced Configuration Guide. Online help is available through Oracle Enterprise Manager.
Deployment Lifecycle Services—Oracle Access Manager Configuration Manager is a new application that automates the process of migrating (pushing a copy of) Oracle Access Manager configuration and access policy data from a designated source directory in one deployment to a designated target directory in a different deployment. This data is stored in the oblix tree of a Lightweight Directory Access Protocol (LDAP) directory within each Oracle Access Manager deployment.
The process of pushing selected data to another deployment is sometimes known as horizontal data migration, because you are copying configuration data changes for a specific release only. For example, after installing and configuring Oracle Access Manager 10g (10.1.4.0.1) for a small audience for testing, you will most likely need to migrate to a larger deployment that is available to a wider audience.
The Oracle Access Manager Configuration Manager Installation and Administration Guide provides considerations, prerequisites, and step-by-step instructions to help ensure your success.
Oracle Access Manager enables you to change from a perimeter defense model in which you unilaterally block outside access to your resources to a security model based on business rules. You can securely provide business systems and data to employees, customers, and suppliers.
Automated teller machines (ATMs) provide a useful analogy for the Oracle Access Manager solution. At one time, people had to conduct bank transactions in person. With the advent of ATM technology, banks could move to a self-service model for most transactions. Similarly, Oracle Access Manager enables you to move away from a centralized administration model to a distributed model where you provide data and applications securely over the Internet.
Oracle Access Manager helps your enterprise facilitate delivery of corporate functions to extended groups of employees, customers, partners, and suppliers; maintain a high level of security across applications; and enable users and business partners to access the information they need.
For example, suppose that your internal users, your suppliers, and your customers require access to unique data sets. In addition, suppose that you also have common data that everyone should see. Using Oracle Access Manager, your identity-based policies can provide the right levels of access to each group while ensuring that everyone can securely access only the data that they need and that they have the right to access.
Using Oracle Access Manager, it is possible to manage a corporate portal that is open to external business partners. For instance, for a portal that allows customers to order manufacturing materials and equipment, all applications exposed through the portal are protected with one platform (Oracle Access Manager) which grants access rights. Administration of the access policies protecting these resources can be delegated throughout the corporation so that business units, rather than the IT department, make decisions about the customers, suppliers, and partners who are to be given access rights. This is possible even for companies with billions of dollars of revenue and tens of thousands of employees.
Using Oracle Access Manager, it is also possible to grant different types of privileges to different classes of users. For instance, a health-care organization can manage its data so that different groups can view different kinds of data, as follows:
Health-care plan members can view their health-care information.
Companies providing health-care services to their employees can manage their health-care plans.
Doctors and hospitals can view patient information.
An organization can use Oracle Access Manager to aggregate application accounts. For example, financial institutions can configure self-service portals to allow their customers to access different accounts from a single login, including online banking, mortgage information, and insurance.
The Oracle Access Manager applications that access sensitive data reside within the firewall. The directory server is isolated so it is not exposed. The only server outside the firewall (or in the DMZ) is a Web server with a WebGate or WebPass installed.
The installation and setup sequence is outlined next and described in detail in the Oracle Access Manager Installation Guide.
Task overview: Installing Oracle Access Manager
Prepare the host computer
Install the Identity Server and update the schema with Oracle Access Manager configuration data
Install a WebPass
Set up the Identity System
Install the Policy Manager and policy data, then set up the Policy Manager
Install the Access Server
Install the WebGate
Non-Production/Test Environments—Oracle Access Manager components may be installed on a single computer. In this case, the computer must be hosting a Web server when you perform installation and setup tasks. Do not install the WebPass in the same directory as the Identity Server. Do install the Policy Manager at the same directory level as a WebPass.
Production Environments—In a production environment, Oracle Access Manager components are usually installed on different computers in your network. For example, a simple deployment may include:
The Identity Server and Access Server can be installed on separate computers, protected by the firewall. For better performance, the Identity and Access Servers should reside on different hosts.
The Web servers, WebPass, WebGate, and Policy Manager can reside in the DMZ.
See also the Oracle Access Manager Installation Guide and Oracle Access Manager Deployment Guide.
All Oracle Access Manager installations include a directory named \lang, which contains a named subdirectory for each installed language. For example, \lang\en-us contains English-language-specific subdirectories and files and is provided with each installation automatically. When you install a Language Pack (for French or Arabic, for instance), additional language-specific directories are included. For example:
IdentityServer_install_dir\identity\oblix\lang\en-us
IdentityServer_install_dir\identity\oblix\lang\fr-fr
IdentityServer_install_dir\identity\oblix\lang\ar-ar
Your installation will be English only unless one or more Oracle-provided Language Packs are installed. For more information about directories, see Chapter 4, "About Globalization and Multibyte Support".
Other chapters in this guide provide a more in-depth look at Oracle Access Manager components, applications, functions, features, manuals, and terminology:
Chapter 2, "About the Identity System", which includes the diagram of a simple installation
Chapter 3, "About the Access System", which includes the diagram of a simple installation