1 Introducing Oracle Access Management

This book provides information on Oracle Access Management, the enterprise-level security platform, and how to administer and configure it. Oracle Access Management includes Oracle Access Management Access Manager (Access Manager) and its incorporated services: Identity Federation, Mobile and Social, Security Token Service, Identity Context and Access Portal.

This chapter provides a high-level overview of the Oracle Access Management architecture and these services.

1.1 Understanding Oracle Access Management Services

Oracle Access Management is a Java, Enterprise Edition (Java EE)-based enterprise-level security application that provides a full range of Web-perimeter security functions and Web single sign-on services including identity context, authentication and authorization; policy administration; testing; logging; auditing; and more. It leverages shared platform services including session management, Identity Context, risk analytics, and auditing, and provides restricted access to confidential information. Many existing access technologies in the Oracle Identity Management stack converge in the Oracle Access Management stack as illustrated in Figure 1-1.

Figure 1-1 Oracle Access Management Overview

Description of Figure 1-1 follows
Description of "Figure 1-1 Oracle Access Management Overview"

Starting with release 11.1.2, Oracle Access Management includes these services.

OpenSSO 8.0 and Sun Access Manager 7.1 have also converged into Oracle Access Management 11.1.2. For more information, see:

With the release, Oracle Access Management has integrated Oracle Access Portal, a hosted single sign-on proxy service that enables Web applications with Oracle's form-fill single sign-on technology. For more information, see Part I, "Managing Oracle Access Management Oracle Access Portal."

1.2 Using Oracle Access Management Access Manager

Oracle Access Management Access Manager (Access Manager) is the former (standalone) product named Oracle Access Manager. Access Manager provides the Oracle Fusion Middleware 11g single sign-on (SSO) solution. It operates independently (as described in this book) but can also operate with the Access Manager Authentication Provider as described in the Oracle Fusion Middleware Application Security Guide.


For information on the differences between Access Manager 11g, 10g and other software, see:

Access Manager SSO allows users and groups to access multiple applications after authentication, eliminating the need for multiple sign-on requests. To enable SSO, a Web server, Application Server, or any third-party application must be protected by a WebGate (or mod_osso instance) that is registered as an agent with Access Manager. Administrators then define authentication and authorization policies to protect the resource. To enforce these authentication policies, the agent acts as a filter for HTTP requests.


WebGates are agents provided for various Web servers by Oracle as part of the product. Custom access clients, created using the Access Manager SDK, can be used with non-Web applications. Unless explicitly stated, information in this book applies equally to both.

You can also integrate any Web applications currently using Oracle ADF Security and the OPSS SSO Framework with Access Manager. (See Appendix A, "Integrating Oracle ADF Applications with Access Manager SSO.") The following sections contain more details on Access Manager.

1.2.1 Architecting Access Manager

Access Manager 11g sits on an instance of Oracle WebLogic Server and is part of the Oracle Fusion Middleware Access Management architecture. While providing backward compatibility and co-existence with existing solutions, Access Manager 11g replaces and converges the earlier technologies Access Manager 10g and Oracle Application Server SSO (OSSO) 10g. Figure 1-2 illustrates the primary Access Manager 11g components and services. The Protocol Compatibility Framework interfaces with OAM WebGates, mod_osso agents, and custom Access Clients created using the Access Manager Software Developer Kit (SDK).

Figure 1-2 Access Manager 11g Components and Services

Description of Figure 1-2 follows
Description of "Figure 1-2 Access Manager 11g Components and Services"

Figure 1-3 illustrates the distribution of Access Manager components.

Figure 1-3 Access Manager 11g Component Distribution

Description of Figure 1-3 follows
Description of "Figure 1-3 Access Manager 11g Component Distribution"

The Oracle Access Management Console resides on the Oracle WebLogic Administration Server (referred to as AdminServer). WebLogic Managed Servers hosting OAM runtime instances are known as OAM Servers. Information shared between the two includes:

  • Agent and server configuration data

  • Access Manager policies

  • Session data (shared among all OAM Servers)

1.2.2 Deploying Access Manager

Table 1-1 describes the types of deployments in which Access Manager might be installed by your enterprise.

Table 1-1 Access Manager Deployment Types

Deployment Type Description

Development Deployment

Ideally a sandbox-type setting where the dependency on the overall deployment is minimal

QA Deployment

Typically a smaller shared deployment used for testing

Pre-production Deployment

Typically a shared deployment used for testing with a wider audience

Production Deployment

Fully shared and available within the enterprise on a daily basis

During initial installation and configuration of Access Manager in your deployment, you create a new WebLogic Server domain (or extend an existing domain). Regardless of the deployment size or type, in a new WebLogic Server domain, the following components are installed using the Oracle Fusion Middleware Configuration Wizard.

  • WebLogic Administration Server


    In an existing WebLogic Server domain, the WebLogic Administration Server is already installed and operational.
  • Oracle Access Management Console deployed on the WebLogic Administration Server

  • A WebLogic Managed Server for Oracle Access Management services

  • Application deployed on the Managed Server

See Also:

"Understanding Oracle WebLogic Server Domains" in the Oracle Fusion Middleware Understanding Domain Configuration for Oracle WebLogic Server guide provides information about Oracle WebLogic Server administration domains.

Once the domain is configured, additional details are defined for OAM Servers, Database Schemas, (optional) WebLogic Managed Servers and clusters, and the following store types:

  • Policy Store: The default policy store is file-based for development and demonstration purposes, and is not supported in production environments. All policy operations and configurations are performed directly on the database configured as the policy store in production environments.

  • Identity Store: The default Embedded LDAP data store is set as the primary user identity store for Access Manager.

  • Keystore: A Java keystore is configured for certificates for Simple or Certificate-based communication between OAM Servers and WebGates during authorization. The keystore bootstrap also occurs on the initial AdminServer startup after running the Configuration Wizard.

1.3 Features of Access Manager 11.1.2

The following sections provide details on the features available (and not available) in Access Manager 11.1.2.

1.3.1 Features In Access Manager 11.1.2

Table 1-2 provides an overview of Access Manager 11.1.2. For a list of names that have changed with 11.1.2, see "Product and Component Name Changes with 11.1.2".

Table 1-2 Features in Access Manager 11.1.2

Access Manager 11g Description

Oracle Identity Management Infrastructure

Enables secure, central management of enterprise identities.

Policy Enforcement Agents

Resides with the relying parties and delegate authentication and authorization tasks to OAM Servers.


Nine Administrator languages are supported.

Unless explicitly stated, the term "Webgate" refers to both an out of the box Webgate or a custom Access Client.

See Chapter 15 for an introduction to agents.

Server-side components

  • OAM Server (installed on a WebLogic Managed Sever),


Oracle Access Management Console provides access to all services and configuration details.

See Chapter 2.

Protocols for information exchange on the Internet

Front channel protocols exchanged between Agent and Server: HTTP/HTTPS.

Back channel protocols: Authenticated clients can perform session operations using enhancements in the Oracle Access Protocol (OAP).


Provides support for legacy systems

See Also: About the Embedded Proxy Server and Backward Compatibility and the new Part I, "Managing Oracle Access Management Oracle Access Portal."

Cryptographic keys

Note: One key is generated and used per registered mod_osso or 11g Webgate. However, one single key is generated for all 10g Webgates.

  • During 11g agent registration, one per-agent secret key shared is generated for encrypting and decrypting SSO cookies between 11g Webgate and OAM Server. See Chapter 16.

  • During 10g agent registration, a global shared secret key is generated across all of Access Manager 11g (all Agents and OAM Servers). See Chapter 25.

  • During OSSO agent registration, One key per partner shared between mod_osso and OSSO server. See Chapter 24.

  • OpenSSO Agent Host- or Domain-based key stored locally in Agent bootstrap file on the Agent host. See Chapter 23.

  • During OAM Server registration, one server key is generated.

Keys storage

  • Agent side: A per-agent key is stored locally in the Oracle Secret Store in a wallet file

  • OAM Server side: Per- agent keys, and server keys, are stored in the credential store on the server side

Encryption / Decryption (The process of converting encrypted data back into its original form)

Introduces client-side cryptography and ensures that cryptography is performed at both the agent and server ends:

  1. Webgate encrypts obrareq.cgi using the agent key.

    Note: obrareq.cgi is the authentication request in the form of a query string redirected from Webgate to OAM Server.

  2. OAM Server decrypts the request, authenticates, creates the session, and sets the server cookie.

  3. OAM Server also generates the authentication token for the agent (encrypted using the agent key), packs it in obrar.cgi with a session token (if using cookie-based session management), authentication token and other parameters, then encrypts obrar.cgi using the agent key.

    Note: obrar.cgi is the authentication response string redirected from the OAM Server to Webgate.

  4. Webgate decrypts obrar.cgi, extracts the authentication token, and sets a host-based cookie.

Policy Store

Database in production environments; file-based in demonstration and development environments, as described in "Managing the Policy and Session Database".


An application that delegates authentication and authorization to Access Manager and accepts headers from a registered Agent.

Note: External applications do not delegate authentication. Instead, these display HTML login forms that ask for application user names and passwords. For example, Yahoo! Mail is an external application that uses HTML login forms.

SSO Engine

Manages the session lifecycle, facilitates global logout across all relying parties in the valid session, and provides consistent service across multiple protocols. Uses Agents registered with Access Manager 11g:

  • Authentication with the default embedded credential collector occurs across the HTTP (HTTPS) channel

  • Authentication with the optional detached credential collector occurs across the Oracle Access Protocol (OAP) channel

  • Authorization occurs across the Oracle Access Protocol (OAP) channel

See: Chapter 18

Session Management

  • Global session specifications are enabled for all Application Domains and resources. In addition, Application Domain-specific session overrides can be configured.

See Chapter 17.


Registered agents rely on Access Manager authentication, authorization, and token issuance policies to determine who gets access to protected applications (defined resources).

See: Chapter 20

Client IP

  • Maintains this client's age, and includes it in the host-based cookie: OAMAuthnCookie for 11g Webgate (or ObSSOCookie for 10g Webgate)

Response token replay prevention

  • Include RequestTime (the timestamp just before redirect) in obrareq.cgi and copy it to obrar.cgi (the authentication response string redirected from the OAM Server to Webgate) to prevent response token replay.

Multiple network domain support

Access Manager 11g supports cross-network-domain single sign-on out of the box.

Oracle recommends you use Oracle Federation for this situation.


Host-based authentication cookie:

  • 11g Webgate, One per agent: OAMAuthnCookie_host:port_random_number set by Webgate using the authentication token received from the OAM Server after successful authentication.

    Note: A valid OAMAuthnCookie is required for a session.

  • 11g Webgate, Transient: OAM_REQ is scoped to the OAM Server. OAM_REQ is set or cleared by the OAM Server if the Authentication request context cookie is enabled. Protected with keys known to the OAM Server only. This cookie is configured as a high availability option to store the state about the user's original request to a protected resource while his credentials are collected and authentication is performed.

  • 10g Webgate, One ObSSOCookie for all 10g Webgates.

  • One for the OAM Server: OAM_ID, which is scoped to the OAM Server. OAM_ID is generated by the OAM Server when the user is challenged for credentials and submitted to the server on every redirect to the server.

See Chapter 18.

Centralized log-out

  • The logOutUrls (10g Webgate configuration parameter) is preserved. 10g logout.html requires specific details for Access Manager 11g. See Chapter 25.

  • 11g Webgate parameters are new:

    Logout Redirect URL

    Logout Callback URL

    Logout Target URL

See Chapter 22.

1.3.2 Features Not In Access Manager 11.1.2

Table 1-3 lists several features provided in Access Manager 10g but not included in Access Manager 11.1.2.

Table 1-3 Features Not Available In Access Manager 11.1.2

Unavailable or Unsupported Feature

Extensibility framework required for building custom authorization plug-ins.

Authorization for mod_osso-protected resources

1.4 System Requirements and Certification

Refer to the system requirements and certification documentation on Oracle Technology Network (OTN) for information about hardware and software requirements, platforms, databases, and other information.

The system requirements document covers information such as hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches:


The certification document covers supported installation types, platforms, operating systems, databases, JDKs, and third-party products:


1.5 Installing Oracle Access Management

The following sections contain information and links regarding Access Manager installation and post-installation tasks.

1.5.1 About Oracle Access Management Installation

The Oracle Fusion Middleware Supported System Configurations document provides certification information on supported installation types, platforms, operating systems, databases, JDKs, and third-party products related to Oracle Identity Management 11g. You can access the Oracle Fusion Middleware Supported System Configurations document by searching the Oracle Technology Network (OTN) Web site:


Using the Oracle Fusion Middleware Configuration Wizard, the following components are deployed for a new domain:

  • WebLogic Administration Server

  • Oracle Access Management Console deployed on the WebLogic Administration Server (sometimes referred to as the OAM Administration Server, or simply AdminServer)

  • A Managed Server for Oracle Access Management

  • An application deployed on the Managed Server

OracleAS 10g SSO deployments can be upgraded to use Oracle Access Management 11g SSO. After upgrading and registering OSSO Agents, authentication is based on Access Manager 11g Authentication Policies. However, only OAM Agents (Webgates/Access Clients) use Access Manager 11g Authorization Policies. Over time, all mod_osso agents in the upgraded environment should be replaced with Webgates to enable use of 11g Authorization policies.

For details about co-existence after the upgrade, see Oracle Fusion Middleware Upgrade Guide for Oracle Identity and Access Management:

1.5.2 About Oracle Access Management Post-Installation Tasks

Each WebLogic Server domain is a logically related group of Oracle WebLogic Server resources. WebLogic administration domains include a special Oracle WebLogic Server instance called the Administration Server. Usually, the domain includes additional Oracle WebLogic Server instances called Managed Servers, where Web applications and Web Services are deployed.

During initial deployment, the WebLogic Administrator userID and password are set for use when signing in to both the Oracle Access Management and WebLogic Server Administration Console. A different Administrator can be assigned for Oracle Access Management, as described in "Specifying the Oracle Access Management Console Administrator". Administrators can log in and use the Oracle Access Management Console for the post-installation tasks documented in Table 1-4.

Table 1-4 Oracle Access Management Post-Installation Tasks

Service Requirements

Access Manager

Enable Access Manager Service.


  • Data Sources

  • OAM Server instances

  • Agents for Access Manager

  • Application domains and policies that protect resources


  • Common Settings, including Session-timing

  • Certificate Validation

  • Common Password Policy

Configure Access Manager Settings.

Identity Federation

Enable Identity Federation Service

Configure Federation Settings

Register Identity Provider and Service Provider partners

Security Token Service

Enable Security Token Service Service.

Configure Security Token Service Settings.

Register Endpoints

Create Token Issuance and Validation Templates

Register Partner Profiles and Partners

Mobile and Social

Enable Mobile and Social Service

Configure Mobile and Social