What's New in This Guide?

This section describes changes and updates to this book. See the following sections for details:

November 2012 Book Refresh

The following information has been added or updated:

August 2012 Book Refresh

This book has been updated to address reported issues. Global updates include cosmetic changes and updated screens.

See Also:

The following topics are new or updated in this release.

Product Enhancements in Oracle Access Management

Oracle Access Management provides new functions and enhancements outlined in following topics:

Access Management Services

Several previously separate access products of the Oracle Identity Management portfolio are combined into one product: Oracle Access Management.

Access Tester

The Access Tester can validate the connections in the pool and make cache flush (SYNC_INFO) requests to be sent over a connection that is already established; instead of using out-of-band connection for cache flush requests.

Attribute Type Authorization Condition

Authorization conditions enable you to implement dynamic security policies and resulted in changes to the Policy Configuration interface in the Oracle Access Management Console:


Standard Authentication Modules (LDAP, Kerberos, and X509) are targeted for deprecation in future releases. Oracle strongly recommends using native or custom Plug-ins rather than standard Authentication Modules.

Detached Credential Collection

Detached credential collection is an additional capability of the 11g Webgate (OAM Agent). This is required for secure dynamic multi-factor/multi-step authentication. You can easily enable the 11g Webgate to use as a DCC; or continue using the embedded credential collector (ECC) in the OAM Server.

Dynamic Multi-Factor/Multi-Step Authentication

Multi-factor authentication requires a custom authentication plug-in to transmit information to the back-end authentication scheme several times during the login process. All information collected by the plug-in and saved in the context will be available to the plug-in through the authentication process. Context data can also be used to set cookies or headers in the user's login page.

Identity Context

Identity Context leverages the context-aware policy management and authorization capabilities built into the Oracle Access Management platform. Identity Context secures access to resources using traditional security controls (roles and groups) as and dynamic data established during authentication and authorization (strength, risk levels, device trust, and so on).

Integration with Third Party Products

Details of integrating Access Manager with third-party products have moved from the earlier Oracle Fusion Middleware Integration Guide for Oracle Access Manager to this book. The following integrations are supported:

LDAP Search Filters in Identity Conditions

Access Manager authorization conditions accept a list of users, groups, and LDAP search filters as part of allowed or denied identities. LDAP search filters provide a simple way of specifying a target identity population without having to reorganize or create new groups in the identity store (directory server). This brings to Access Manager 11g, parity with Oracle Access Manager 10g.

Leverage SubjectAltName Extension Data/Integrate with Multiple OCSP Endpoints

Access Manager support for personal identity verification (PIV) cards (a United States Federal smart card), is to use FASC-N and EDIPI attributes from the SubjectaltName extension to map the user during X.509 authentication. While multiple OCSP providers are not supported, you can use an OCSP Gateway or write a custom authentication plug-in that uses the OSDT OCSP APIs to validate against multiple OCSP providers.

Mobile and Social

Mobile and Social serves as an intermediary between a user seeking to access protected resources, and the back-end Oracle Access Management and Oracle Identity Management services that protect those resources. Mobile and Social services' pluggable architecture enables Administrators to add, modify, and remove Identity and Access Management services without having to update user installed software.

Multiple Identity Store Support

Administrators can install multiple user identity stores for Access Manager. Each identity store can rely on a different LDAP provider. Each authentication module (or plug-in within an authentication step) can be configured to use a specific user identity store.

OpenSSO Support

Access Manager supports Web and Java Agents deployed on Web or J2EE containers. Each OpenSSO Agent is a filter that is plugged into the container (Oracle WebLogic Server, JBoss, Apache, and so on) that hosts applications.

Access Manager provides an OpenSSO Proxy to handle requests for resources protected by OpenSSO Agents. The Oracle-provided OpenSSO Proxy facilitates single sign-on to OpenSSO Agent-protected applications by enabling communication between the agent and the OAM Server.

Password Policy Management

Access Manager enables password policy management through the Oracle Access Management Console. The global password policy applies to Access Manager users when the Password Policy Validation Module is implemented. The password policy is stored within the policy store and applies to all resources protected by Access Manager.

Query String Name and Value Parameters in a Resource Definition Pattern

The Policy Model supports Query String Name and Value Parameters in a Resource Pattern Definition:

Resource Type TokenServiceRP for Non-Browser Client-enabled Webgate

A TokenServiceRP type resource represents resources for, and is based on, the Token Service Relying Party (required for non-browser clients such as Identity Connect).

RESTful Services

Oracle Access Management supports programmatic RESTful services.

Shared Secret Key: Access Client and Software Developer Kit Enhancement

Custom Access Clients developed using the Access Manager 11g Access Software Developer Kit support the 11g Shared Secret Key Per Agent (Webgate or Access Client) security feature. Each agent has its own secret key that is shared between the Access Client and the OAM Server to encrypt or decrypt the host-based Access-Client-specific OAMAuthnCookie. Even if one Access Client is compromised, the impact is limited to that particular Access Client; no other Access Clients are affected.


There is no impact to existing 10g ASDK users. Oblix class wrappers can be modified to create Access Client instances with 10g mode transparently. However, to operate in 11g compatible mode, Oracle java APIs should be used.

Access Manager 11g Pure Java ASDK provides both Oracle Java APIs (in oracle.security.am.asdk packages) and Oblix Java APIs (in com.oblix.access packages). Access Manager 11g Pure Java Access Clients:

  • Communicate with OAM Servers using Oracle Java APIs and either Oracle Access Protocol version 3 (or version 4 which supports Shared Secret Key Per Webgate security feature)

  • Communicate with 10g Servers using Oblix Java APIs and Oracle Access Protocol version 3 only (with no support for SSKPA)

Token Issuance Policy for Mobile and Social

A Token Issuance Policy is required for clients for Mobile and Social performing authentication and authorization.

See Also:

Part IX, "Managing Oracle Access Management Mobile and Social" for details about Mobile and Social Authentication Service

Tuning Performance

A survey of topics is provided to help tune a deployed Oracle Access Management environment to ensure optimal performance and stability.

User-Defined Parameters: 11g Webgate

11g Webgate works with browser clients. However, there are cases where a non-browser (Representational State Transfer (REST) client needs to access HTTP resources and perform authentication and authorization.

Product and Component Name Changes with 11.1.2

Oracle Access Management provided some product and component name changes, as shown in the following table.

Item In Oracle Access Management 11.1.2 In Oracle Access Management 11.1.1
Services Access Manager

Identity Federation

Security Token Service

Mobile and Social

Identity Context (always enabled)

Access Manager


Security Token Service


Agents Webgate (OAM Agent)

Access Client (OAM Agent)

OSSO Agent

OpenSSO Agent

Webgate (OAM Agent)

Access Client (OAM Agent)

OSSO Agent


Console Names Oracle Access Management Console Oracle Access Manager Console
Administrators Administrator or Oracle Access Management Administrator Oracle Access Manager Administrator
Agent and Application Domain Registration

Policy Creation

Oracle Access Management Console

Remote registration tool for automated Agent registration, Application Domain creation with default security policies.

Oracle Access Manager Console

Remote registration tool

Authorization Conditions and Rules Constraints