Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service 11g Release 1 (11.1.1) Part Number E15478-06
This section describes new features of the Oracle Access Manager 11g Release 1 (11.1.1), Patch Set 1.
Patch Set 1 provides new functions and enhancements, introduced in the following topics:
The System Configuration tab has been divided into three new sections:
Common Configuration
Access Manager Settings
Security Token Service Settings
Authentication is governed by authentication schemes that rely on one or more plug-ins to test the credentials a user presents when attempting to access a resource. Plug-ins can be taken from the standard set provided with the OAM Server installation, or can be custom plug-ins written by your own Java developers.
The Policy Model supports Query String-based HTTP Resource Definitions within Access Policies.
Oracle Access Manager provides support to help you keep certain resources public (not protected by the OAM Agent).
User-session lifecycle settings are part of the Common Settings shared by all OAM Servers. These have moved to the Common Settings page.
Authenticated clients can manage Session operations.
See Also:
Table 7-1, "Common Session Settings" for details on the Allow Management Operations parameter.
Database Persistence for Active Sessions: You can persist active sessions to the configured database session store, in addition to the local and distributed caches. Sessions are retained even if all managed servers go down.
See Also:
Table 7-1, "Common Session Settings" for details about the Database Persistence for Active Sessions parameter.
Oracle Access Manager provides enhanced Session Search controls that enable you to create a query based on filter conditions.
Multiple user identity stores are supported:
Only the User Identity Store designated as the System Store is used to authenticate Administrators signing in to use the Oracle Access Manager Console, remote registration, and custom administrative commands in WLST.
Users attempting to access an OAM-protected resource can be authenticated against any configured store, not only the one designated as the Default User Identity Store.
Oracle Security Token Service uses only the Default User Identity Store. When adding User constraints to a Token Issuance Policy, for instance, the identity store from which the users are to be chosen must be Default User Identity Store.
See Also:
"About User Identity Stores"
CERT mode connections are supported in this release. CERT mode requires two keystores: one holding the client certificate and one holding the root certificate. Both can be generated using the IMPORTCERT tool.
The OAM Tester can also run concurrent tests in multi-threaded mode, which can be used to stress test the policy server. These tests run in command-line mode only; the input configuration file specifies the number of threads and the number of iterations each thread executes. Each thread opens a dedicated connection to the policy server and runs the specified input script for the specified number of iterations.
Oracle Security Token Service is deployed with Oracle Access Manager and can be activated as a service.
Oracle Security Token Service provides a foundation for the existing security infrastructure, offering a consistent and streamlined model for token acquisition, renewal, and cancellation that is agnostic of protocol and security infrastructure.
Oracle Security Token Service is a WS-Trust-based token service that allows policy-driven trust brokering, secure identity propagation, and token exchange between Web services. It can be deployed as a security and identity service that simplifies the integration of distributed or federated Web services within an enterprise and its service providers.
See Also:
Chapter 16, "Oracle Security Token Service Implementation Scenarios"
Chapter 17, "Managing Oracle Security Token Service Settings and Set Up"
Chapter 18, "Managing Oracle Security Token Service Certificates and Keys"
Chapter 20, "Managing Token Service Partners and Partner Profiles"
Chapter 21, "Troubleshooting Oracle Security Token Services"
The Oracle Access Manager 11g Access SDK is a platform independent package that Oracle has certified on a variety of enterprise platforms (using both 32-bit and 64-bit modes) and hardware combinations. It is provided on JDK versions that are supported across Oracle Fusion Middleware applications.
Oracle Access Manager 11g provides authentication plug-in interfaces and SDK tooling to build customized authentication modules (plug-ins) to bridge the out-of-the-box features with individual requirements.
When Oracle Security Token Service does not support the token that you want to validate or issue out-of-the-box, you can write your own validation and issuance module classes.
Remote registration tooling permits Administrators and application deployers to remotely register an application for protection by Oracle Access Manager. Enhancements to the remote registration tool, oamreg, have been made to mirror enhancements to Webgate registration. Certain changes have been made to the templates used to perform remote registration. New modes are available to manage Agents remotely. A new option is available to pipe in passwords.
See Also:
Table 10-2, "Remote Registration Sample Commands" provides details of the -noprompt option.
Table 10-6, "Elements Common to Full Remote Registration Requests" provides details about the virtualhost and hostportVariations parameters; the excludedresourcesList parameter; the allowManagementOperations parameter; the cachePragmaHeader and cacheControlHeader parameters; the ipValidationExceptions parameter; and more.
"Creating or Updating an Application Domain Without an Agent"
Webgate caches an exception list of resources (excluded resources) that are not checked for authorization and are simply allowed to pass through.
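Added example, not Oracle's code and not a description of the actual Webgate or OAM Server matcher: a small Python model of two policy-model points on this page, query-string-based resource definitions (Policy Model section above) and an excluded-resource list that is consulted before any authentication check (this section). The pattern syntax, the rule that every query parameter named in a definition must appear exactly once with that value, and the sample patterns and policy are all assumptions of the example. What it shows is that the path must be percent-decoded and normalized before either list is consulted, and that the query string must be matched as parsed parameters rather than as a raw string.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample configuration (not from the page). Pattern syntax is a
# simplified glob chosen for this example: '*' matches within one path
# segment, '**' matches across segments.
EXCLUDED_PATTERNS = ["/public/**", "/static/*.css"]


def _glob_to_regex(pattern):
    """Translate the simplified glob into a regular expression."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile(out)


def normalize_path(raw_path):
    """Percent-decode and collapse '.', '..' and '//' before matching.

    Matching the raw path would let '/public/../admin/x' satisfy the public
    pattern '/public/**' even though the server actually serves /admin/x.
    """
    path = unquote(raw_path or "/")
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # normpath drops the trailing slash; keep it
    return norm


def path_matches(pattern, path):
    return _glob_to_regex(pattern).fullmatch(path) is not None


class Resource:
    """One resource definition: a path pattern, an optional query-string
    constraint, and whether matching requests are public or protected."""

    def __init__(self, path_pattern, protection, query=None):
        self.path_pattern = path_pattern
        self.protection = protection  # "public" or "protected"
        self.query = query or {}

    def matches(self, path, params):
        if not path_matches(self.path_pattern, path):
            return False
        # Assumed rule for this example: each parameter named in the
        # definition must appear exactly once with exactly that value, so
        # '?mode=view&mode=edit' does not satisfy a 'mode=view' definition.
        return all(params.get(k) == [v] for k, v in self.query.items())


# Constructed sample policy; order matters, the first match wins.
RESOURCES = [
    Resource("/app/report", "public", query={"mode": "view"}),
    Resource("/app/report", "protected"),
    Resource("/**", "protected"),
]


def classify(url, excluded=EXCLUDED_PATTERNS, resources=RESOURCES):
    """Return 'excluded', 'public', 'protected' or 'no-policy'.

    The excluded list is consulted first and only on the path, because an
    excluded request never reaches the server for an authentication or
    authorization decision. 'no-policy' should be treated as deny.
    """
    parts = urlsplit(url)
    path = normalize_path(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    if any(path_matches(p, path) for p in excluded):
        return "excluded"
    for res in resources:
        if res.matches(path, params):
            return res.protection
    return "no-policy"


if __name__ == "__main__":
    for u in ["/public/index.html", "/public/%2e%2e/admin/console",
              "/app/report?mode=view", "/app/report?mode=view&mode=edit"]:
        print(f"{u:40} -> {classify(u)}")
```

The traversal case is the one to keep in mind when populating an excluded-resource list: a pattern such as `/public/**` is only as safe as the canonicalization applied before it is matched, so the excluded list should be tested with encoded and dot-segment variants of the paths it is meant to cover.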
You can implement certain user-defined parameters in the Webgate registration page.
See Also:
"About User-Defined Webgate Parameters"
Only privileged agents can invoke session management operations. The Agent Privilege function enables the provisioning of session operations per agent.
You can configure single sign-on between a Webgate and an access client that does not have the client's IP address available at authentication.
You can configure Webgate-only settings to control the browser's cache.
See Also:
"Expanded OAM 11g and 10g Webgate Elements and Defaults" for details about:
Cache Pragma Header
Cache Control Header
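Added example, not Oracle's code: a Python check that responses for protected resources carry the headers the Cache Pragma Header and Cache Control Header settings exist to add, so that a protected page does not remain in a shared browser cache after logout. The three sample responses are constructed for the example. The check reads every Cache-Control value rather than only the first, since a proxy or the application may add its own, and treats a missing Pragma: no-cache as a finding because HTTP/1.0 caches do not understand Cache-Control.

```python
# Constructed sample responses; not captured from a real Webgate.
GOOD = ("HTTP/1.1 200 OK\r\n"
        "Cache-Control: no-cache\r\n"
        "Pragma: no-cache\r\n"
        "Content-Type: text/html\r\n"
        "\r\n<html>account balance</html>")

CACHEABLE = ("HTTP/1.1 200 OK\r\n"
             "Cache-Control: public, max-age=3600\r\n"
             "Content-Type: text/html\r\n"
             "\r\n<html>account balance</html>")

SPLIT = ("HTTP/1.1 200 OK\r\n"
         "cache-control: private\r\n"
         "Cache-Control: no-store\r\n"
         "Content-Type: text/html\r\n"
         "\r\n")


def parse_head(raw):
    """Return (status_line, headers); headers maps lower-cased names to the
    list of values seen, so a header sent twice is not silently collapsed."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def cache_directives(headers):
    """Directive names from every Cache-Control value, split on commas and
    stripped of any '=value' part, lower-cased."""
    names = set()
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            name = token.strip().split("=", 1)[0].lower()
            if name:
                names.add(name)
    return names


def audit_caching(raw):
    """Return a list of findings; an empty list means the response forbids
    caching for both HTTP/1.1 (Cache-Control) and HTTP/1.0 (Pragma) caches."""
    _, headers = parse_head(raw)
    directives = cache_directives(headers)
    pragmas = {v.lower() for v in headers.get("pragma", [])}
    findings = []
    if not directives & {"no-cache", "no-store"}:
        seen = ", ".join(sorted(directives)) or "absent"
        findings.append(f"Cache-Control does not forbid caching (seen: {seen})")
    if "no-cache" not in pragmas:
        findings.append("Pragma: no-cache missing; HTTP/1.0 caches may store the page")
    return findings


if __name__ == "__main__":
    for label, resp in [("good", GOOD), ("cacheable", CACHEABLE), ("split", SPLIT)]:
        print(label, audit_caching(resp) or "ok")
```

Run the audit against responses captured from a protected URL both before and after the Webgate settings are changed; a finding on the "after" capture usually means another layer (a proxy, the web server, or the application itself) is overriding the headers the Webgate sets.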
During Agent searches, if you do not know the exact name you can use a wild card (*) in the search string.
See Chapter 2, "Introduction to This Book" for a full introduction, and the following topic for product and component name changes.
The original product name, Oblix NetPoint, was changed to Oracle Access Manager and v7.x releases were available from Oracle as part of Oracle Application Server 10g Release 2 (10.1.2). Oracle Access Manager 10.1.4 provided some product and component name changes, with more in Oracle Access Manager 11g, as shown in the following table.