1 Introduction to Oracle Adaptive Access Manager

Oracle Adaptive Access Manager (OAAM) is a key component of Oracle Access Management Suite Plus, delivering risk-aware, context-driven access management across the industry's most complete set of access management services.

This guide provides information to help Administrators manage Oracle Adaptive Access Manager configurations and policies. This chapter provides a high-level overview of Oracle Adaptive Access Manager with links to more information.

1.1 Introduction to Oracle Adaptive Access Manager

Oracle Adaptive Access Manager is an innovative, comprehensive feature set to help organizations prevent fraud and misuse. Strengthening standard authentication mechanisms, innovative risk-based challenge methods, intuitive policy administration and integration across the Identity and Access Management Suite and with third party products make Oracle Adaptive Access Manager uniquely flexible and effective.

Oracle Adaptive Access Manager provides:

  • Real-time and batch risk analytics to combat fraud and misuse across multiple channels of access. Real-time evaluation of multiple data types helps stop fraud as it occurs. Oracle Adaptive Access Manager makes exposing sensitive data, transactions and business processes to consumers, remote employees or partners via your intranet and extranet safer.

  • An extensive set of capabilities including device fingerprinting, real-time behavioral profiling and risk analytics that can be harnessed across both Web and mobile channels.

  • Risk-based authentication methods including knowledge-based authentication (KBA) challenge infrastructure with Answer Logic and OTP Anywhere server-generated one-time passwords, delivered out of band via Short Message Service (SMS), e-mail or Instant Messaging (IM) delivery channels.

  • Standard integration with Oracle Identity Management, the industry leading identity management and Web Single Sign-On products, which are integrated with leading enterprise applications.

Table 1-1 summarizes OAAM risk analysis and end-user facing fraud prevention functionality.

Table 1-1 Oracle Adaptive Access Manager Functionality

Functionality Description

Real-time or offline risk analysis

Oracle Adaptive Access Manager provides functionality to calculate the risk of an access request, an event or a transaction, and determines proper outcomes to prevent fraud and misuse. A portion of the risk evaluation is devoted to verifying a user's identity and determining if the activity is suspicious.

The functionality that supports risk analysis includes:

  • Rules Engine

  • Entities

  • Transactions

  • Patterns

  • Alerts

  • Actions

  • Configurable actions

End-user facing functionality to prevent fraud

Oracle Adaptive Access Manager protects end users from phishing, pharming, and malware. The virtual authentication devices protect credential data at the point of entry; with KeyPad and PinPad, the actual credential is neither captured on the user's computer nor sent over the wire, which keeps it out of the reach of key-loggers and interception in transit. As well, Oracle Adaptive Access Manager provides interdiction methods including risk-based authentication, blocking, and configurable actions to interdict in other systems.

The functionality that supports end-user facing security includes:

  • Virtual authentication devices

  • Knowledge-based authentication (KBA)

  • OTP Anywhere

  • Security policies


With Oracle Adaptive Access Manager, corporations can protect themselves and their online users against potent fraud attacks such as phishing, malware, transaction fraud and insider fraud in a cost-effective manner. Table 1-2 summarizes fraud attack threats and the Oracle Adaptive Access Manager defense mechanisms against them.

Table 1-2 Oracle Adaptive Access Manager Defense Mechanisms

Threat / Oracle Adaptive Access Manager Defense

Phishing

Oracle Adaptive Access Manager defenses against phishing are:

  • A phishing site cannot easily replicate the user experience of the OAAM virtual devices (TextPad, QuestionPad, KeyPad, and PinPad). If users notice a difference in the user experience, they would most likely not enter their password or PIN code.

  • The personalized image and phrase a user registers and sees every time he logs in to a valid website serves as a shared secret between the user and server. If the shared secret is not presented or presented incorrectly, the user will know the website is suspect.

  • The "freshness" time-stamp displayed in the OAAM virtual devices shows an end user that the device was created for the current session. The time-stamp makes re-presenting old virtual devices on a phishing site suspect to an end user.

  • If a phishing attack succeeds in stealing a user's login credentials, real-time risk analytics, behavioral profiling and risk-based challenge make the stolen credentials difficult to use: the fraudster will almost certainly not match the valid user's behavior profile and is therefore challenged or blocked by Oracle Adaptive Access Manager.

Malware

Oracle Adaptive Access Manager defenses against malware are:

  • The virtual authentication devices combat key-loggers and many other forms of malware that attempt to steal a user's authentication credentials.

  • The KeyPad and PinPad send a random string over the wire that only Oracle Adaptive Access Manager can decode. The actual credential is never captured on the client or sent in the clear, so it is not easily harvested by automated means.

  • The same technology can be used to protect any sensitive data point. For example, a user's Social Security Number could be safely communicated to a server by entering it using the virtual devices.

Transaction fraud

Oracle Adaptive Access Manager defenses against transaction fraud are:

  • Oracle Adaptive Access Manager performs both real-time and batch-based risk analysis on session, transaction, event and contextual data.

  • Possible outcomes of these evaluations include alerts, blocking, risk-based challenge or custom integration actions to affect other systems.

  • Virtual devices can be implemented to prevent automated navigation of transaction interfaces and malware programmed to hijack user sessions post login. For example, if a PinPad is used to enter the destination account number of a transaction, malware cannot easily navigate this process and the random data entered and sent is not the actual account number so it cannot be altered for fraud.

Insider fraud

Oracle Adaptive Access Manager defenses against insider fraud are:

  • Oracle Adaptive Access Manager profiles user behavior and assesses the risk associated with an access request in real-time. If an employee/partner/contractor exhibits anomalous behavior, alerts can be generated for security and compliance analysts to review.

  • Risk-based KBA or OTP challenge can thwart fraudulent impersonation.


1.2 Oracle Adaptive Access Manager Features

Oracle Adaptive Access Manager provides high levels of security through context-sensitive online authentication and authorization: situations are evaluated and proactively acted upon based on various types of data.

This section outlines key components/features used for authentication and fraud monitoring and detection.

1.2.1 Autolearning

Oracle Adaptive Access Manager employs a unique mixture of real-time and predictive auto-learning technology to profile behavior and detect anomalies. Because of this, Oracle Adaptive Access Manager can recognize high risk activity and proactively take actions to prevent fraud and misuse. Also, as Oracle Adaptive Access Manager is evaluating and learning behaviors in real-time, it constantly learns what is typical for each individual user and for users as a whole. In addition to the autolearning, continuous feedback from experienced fraud and compliance investigators "teaches" the OAAM engine what constitutes fraud and misuse. In this way, Oracle Adaptive Access Manager fully harnesses both the human talent in your organization and multiple forms of machine learning to prevent fraud and misuse.

A simple example would be the behavioral profiling and evaluation of access times for a nurse. Nurses often work in a couple of hospitals; they may work different shifts on a rotating schedule, but they will most likely work one shift more than the others in any given month. In such a scenario, Oracle Adaptive Access Manager keeps track of when a nurse is at work accessing the medical records system. If during the same month a nurse has been working mostly night shifts to fill in, then an access request from her between 10:00 am and 12:00 pm would be an anomaly. This of course does not mean fraud or misuse is occurring, but the risk is elevated, so Oracle Adaptive Access Manager could challenge the nurse for additional identity verification. As the nurse accesses various applications and information during the day shift, Oracle Adaptive Access Manager learns in real-time that this is typical and therefore low risk.

One of the main goals of automated anti-fraud solutions is to eliminate unnecessary manual processes and remove much of the inconsistency and costs that can occur when humans are directly involved in access evaluations. Oracle Adaptive Access Manager automates not only risk evaluations but also keeps track of changing behaviors so humans do not have to. Based on this dynamic risk evaluation, proactive action can be taken to prevent fraud with various forms of interdiction including blocking and challenge mechanisms. In this way, Oracle Adaptive Access Manager prevents fraud with little or no need for human interaction. However, in instances when human investigators are needed to follow up directly with end users or make final decisions based on additional contextual information, Oracle Adaptive Access Manager seamlessly captures their insights to improve the accuracy of future risk evaluations.
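The following Python script is an added illustration of the profiling loop described above; it is not OAAM code, and OAAM's actual pattern and bucketing engine (Chapter 15) is not reproduced. It keeps a per-user histogram of access hours, treats an access in an hour that holds less than a configurable share of the user's recent history as elevated risk, and folds every access back into the profile so that a shift change gradually becomes the new normal. The class and function names, the thresholds, the decay factor and the sample login data are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime


class HourProfile:
    """Per-user histogram of access hours with exponential decay, so that a
    shift change gradually becomes the new normal instead of staying anomalous."""

    def __init__(self, min_observations=20, anomaly_share=0.05, decay=0.98):
        self.hours = Counter()              # hour of day -> decayed weight
        self.min_observations = min_observations
        self.anomaly_share = anomaly_share  # share below which an hour is "unusual" (assumed)
        self.decay = decay

    def total(self):
        return sum(self.hours.values())

    def share(self, hour):
        total = self.total()
        return self.hours[hour] / total if total else 0.0

    def evaluate(self, when):
        """Verdict for one access: (risk_elevated, share_of_history_in_that_hour).
        While the profile is still thin no verdict is given; the engine first
        has to learn what is typical."""
        if self.total() < self.min_observations:
            return False, self.share(when.hour)
        s = self.share(when.hour)
        return s < self.anomaly_share, s

    def learn(self, when):
        """Fold an access into the profile. Called for every access, anomalous or
        not, so the profile follows the user over time."""
        for hour in list(self.hours):
            self.hours[hour] *= self.decay
        self.hours[when.hour] += 1.0


def evaluate_then_learn(profile, when):
    """The real-time loop: score the access first, then learn from it."""
    verdict = profile.evaluate(when)
    profile.learn(when)
    return verdict


def access_at(day, hour):
    """Constructed timestamp helper (March 2013 is an arbitrary sample month)."""
    return datetime(2013, 3, day, hour, 15)


# Constructed sample history (not from the page): 28 nights on a night shift,
# one login per hour between 22:00 and 05:00.
NIGHT_SHIFT_LOGINS = [
    access_at(day, hour)
    for day in range(1, 29)
    for hour in (22, 23, 0, 1, 2, 3, 4, 5)
]


def nurse_example():
    """Build the profile from the night-shift history, then probe an access at
    23:00 (typical) followed by one at 11:00 (anomalous)."""
    profile = HourProfile()
    for login in NIGHT_SHIFT_LOGINS:
        profile.learn(login)
    typical = evaluate_then_learn(profile, access_at(29, 23))
    anomalous = evaluate_then_learn(profile, access_at(29, 11))
    return typical[0], anomalous[0]


if __name__ == "__main__":
    print(nurse_example())   # (False, True)
```

With the decay factor used here, roughly six consecutive day-shift logins are enough for the 11:00 bucket to climb back above the anomaly threshold, which is the "learns in real-time that this is typical" behaviour the nurse example describes; a production engine would tune both the threshold and the decay per pattern.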

For information on configuring patterns to profile users, devices, and location to evaluate the risk of the current behavior, see Chapter 15, "Managing Autolearning."

1.2.2 Configurable Risk Engine

The OAAM risk engine uses a flexible architecture based on highly configurable components. Oracle Adaptive Access Manager employs three methods of risk evaluation that work in harmony to evaluate risk in real-time. The combination of configurable rules, real-time behavioral profiling and predictive analysis makes Oracle Adaptive Access Manager unique in the industry. Administrators can easily create, edit and delete security policies and related objects directly in the business-user-friendly administration console. Business users can understand and administer OAAM policies and view dashboards and reports in the graphical user interface with little or no dependence on IT resources. Administrators create security rules by combining any number of configurable rule conditions. Both access and transaction based rules are created from the library of conditions available with Oracle Adaptive Access Manager.

Oracle Adaptive Access Manager also profiles behavior and evaluates risk using a fully transparent and auditable rules based process. This allows high performance, flexibility and complete visibility into how and why specific actions were or were not taken during a session. If Oracle Adaptive Access Manager blocks access for an end user there is a complete audit trail that shows exactly what data was evaluated and the specific evaluations that occurred.
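As an added example of the transparent, rule-based evaluation described above (not OAAM code; OAAM's policy schema, scoring options and condition library are documented in Chapters 10 and 11), the following Python script combines small condition predicates into scored rules, maps the resulting score to an allow, challenge or block action, and records every evaluation in an audit list so that the outcome can be explained afterwards. The policy, its conditions, the threshold values and the choice to aggregate scores by taking the maximum are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Facts about the access request. The shape is constructed for this example,
# not an OAAM type.
Context = Dict[str, object]


@dataclass
class Rule:
    name: str
    condition: Callable[[Context], bool]   # a condition combined into this rule
    score: int                              # score contributed when the rule fires
    alert: Optional[str] = None             # alert raised for investigators when it fires


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    challenge_at: int = 300   # score thresholds mapped to actions (assumed values)
    block_at: int = 700


@dataclass
class Outcome:
    action: str
    score: int
    alerts: List[str] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)   # what was evaluated and how


def evaluate(policy: Policy, ctx: Context) -> Outcome:
    """Run every rule, keep the highest score (one of several possible aggregation
    choices, assumed here), map the score to an action and record each
    evaluation so the decision can be reconstructed later."""
    out = Outcome(action="ALLOW", score=0)
    for rule in policy.rules:
        fired = bool(rule.condition(ctx))
        out.audit.append(f"{policy.name}/{rule.name}: {'fired' if fired else 'did not fire'}")
        if fired:
            out.score = max(out.score, rule.score)
            if rule.alert:
                out.alerts.append(rule.alert)
    if out.score >= policy.block_at:
        out.action = "BLOCK"
    elif out.score >= policy.challenge_at:
        out.action = "CHALLENGE"
    out.audit.append(f"{policy.name}: score {out.score} -> {out.action}")
    return out


# Constructed login policy: three conditions, each a small predicate over the context.
BLACKLISTED_IPS = {"203.0.113.7"}   # documentation address range, constructed

LOGIN_POLICY = Policy("login", [
    Rule("unregistered_device", lambda c: not c.get("device_registered", False), 400,
         alert="Login from an unregistered device"),
    Rule("country_mismatch", lambda c: c.get("country") != c.get("home_country"), 500,
         alert="Login country differs from the user's home country"),
    Rule("blacklisted_ip", lambda c: c.get("ip") in BLACKLISTED_IPS, 900,
         alert="Login from a blacklisted IP address"),
])


if __name__ == "__main__":
    ctx = {"device_registered": False, "country": "US", "home_country": "US", "ip": "198.51.100.4"}
    result = evaluate(LOGIN_POLICY, ctx)
    print(result.action, result.score)   # CHALLENGE 400
    print("\n".join(result.audit))
```

The audit list is the part that matters for the "complete audit trail" claim: it names every rule that was evaluated, whether it fired, and the score-to-action mapping that followed, which is what an investigator needs in order to see why a session was blocked.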

For information on configuring policies and rules used to evaluate the level of risk at decision and enforcement points, see Chapter 10, "OAAM Policy Concepts and Reference" and Chapter 11, "Managing Policies, Rules, and Conditions."

1.2.3 Virtual Authentication Devices

Oracle Adaptive Access Manager provides many rich features that strengthen existing Web application login flows. Regardless of the type of authentication in place, Oracle Adaptive Access Manager can improve the level of security. Insider fraud, session hijacking, stolen credentials, and other threats cannot be eliminated by strong, credential based authentication alone. Adding a risk-based challenge layer behind existing authentication can increase the level of security with minimal impact to the user experience.

Oracle Adaptive Access Manager's suite of virtual authentication devices combats phishing with personalized images and phrases known only to the server and the end user. Through the use of KeyPad and PinPad, security of the user credentials during entry can be assured by not capturing or transmitting the actual credential of the end user. This protects the credential from theft by malware and other similar threats. The virtual authentication devices are server driven; all features are provided without any client-side software or logic that can be compromised by key-loggers and other common malware. Additionally, Oracle Adaptive Access Manager performs device fingerprinting and behavioral profiling on every access to determine the likelihood that the authentication is being attempted by the valid user.

Descriptions of the virtual authentication devices in the suite follow.

TextPad

TextPad is a personalized device for entering a password or PIN using a regular keyboard. This method of data entry helps to defend primarily against phishing. TextPad is often deployed as the default for all users in a large deployment; each user can then individually upgrade to another device if desired. The personalized image and phrase a user registers and sees every time he logs in to the valid site serves as a shared secret between the user and server. If this shared secret is not presented, or is presented incorrectly, the user will notice.

As shown in Figure 1-1, the TextPad contains a field where the user enters a valid password, a personalized image and phrase, and a timestamp.

PinPad

PinPad is a lightweight authentication device for entering a numeric PIN. As shown in Figure 1-2, the PinPad contains keys to enter a valid PIN, a personalized image and phrase, and timestamp.

QuestionPad

QuestionPad is a personalized device for entering answers to challenge questions using a regular keyboard. The QuestionPad is capable of incorporating the challenge question into the Question image. Like other Adaptive Strong Authentication devices, QuestionPad also helps in solving the phishing problem.

As shown in Figure 1-3, the OAAM QuestionPad contains a challenge question, an Answer field where the user enters a valid answer, a personalized image and phrase, and a timestamp.

Figure 1-3 OAAM QuestionPad


KeyPad

KeyPad is a personalized graphical keyboard used to enter alphanumeric and special characters. KeyPad is ideal for entering passwords and other sensitive data; for example, the user can enter credit card numbers.

As shown in Figure 1-4, the KeyPad contains a keypad to enter alphanumeric and special characters, a personalized image and phrase, and a timestamp.

Figure 1-5 shows the Security Image and Phrase page with the option for the user to register the profile now or skip registration for a later date.

Figure 1-5 Access Security


1.2.4 Device Fingerprinting

Oracle Adaptive Access Manager provides both proprietary, clientless technologies and an extensible client integration framework for device fingerprinting. Device usage is tracked and profiled to detect elevated levels of risk. Devices are used to log in and conduct transactions; they include desktop computers, laptop computers, mobile devices and other web-enabled devices. OAAM customers can secure both standard browser-based access and mobile browser-based access without additional client software, or choose to integrate a custom developed client such as a Java applet. For securing access to mobile applications, customers and partners can integrate OAAM device fingerprinting capabilities via the Mobile and Social SDK and REST interface.

Oracle Adaptive Access Manager generates a unique single-use cookie value mapped to a unique device ID for each user session. The device cookie value is refreshed on each subsequent fingerprinting process with another unique value, so a cookie value captured in transit is only useful until the legitimate client fingerprints again. The fingerprinting process can be run multiple times during a user's session to detect mid-session changes that could indicate session hijacking. Oracle Adaptive Access Manager monitors a comprehensive list of device attributes. Because a cookie can be cleared and attributes can change, the fingerprint is treated as a risk signal that feeds the rules engine rather than as proof of identity on its own. The single-use cookie and the multiple attribute evaluations performed by server-side logic and client extensions make OAAM device fingerprinting flexible, easy to deploy and secure.
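The single-use device cookie and mid-session re-fingerprinting described above can be modelled as follows. This Python script is an added example, not OAAM code; the real attribute list, cookie format and matching rules are in Appendix E. Every fingerprinting issues a fresh random cookie, retires the previous one, and reports which attributes changed since the last fingerprint; a session check then flags a missing, unknown or replayed cookie and any change to attributes that should not change mid-session. The attribute names, the set of attributes treated as stable, the server key and the sample values are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class DeviceRecord:
    device_id: str
    attributes: Dict[str, str]
    cookie_hash: str   # HMAC of the currently valid single-use cookie; the cookie itself is not stored


class FingerprintRegistry:
    """Server-side device registry. Each fingerprinting issues a fresh random
    cookie and invalidates the previous one, so a captured cookie value stops
    working as soon as the legitimate client has fingerprinted again."""

    def __init__(self, server_key: bytes):
        self.key = server_key                           # assumed server-side HMAC key
        self.by_cookie: Dict[str, DeviceRecord] = {}    # cookie hash -> device
        self.devices: Dict[str, DeviceRecord] = {}      # device id -> device

    def _hash(self, cookie: str) -> str:
        return hmac.new(self.key, cookie.encode(), hashlib.sha256).hexdigest()

    def _rotate(self, rec: DeviceRecord) -> str:
        cookie = secrets.token_urlsafe(32)
        self.by_cookie.pop(rec.cookie_hash, None)       # retire the old value
        rec.cookie_hash = self._hash(cookie)
        self.by_cookie[rec.cookie_hash] = rec
        return cookie

    def fingerprint(self, presented: Optional[str],
                    attributes: Dict[str, str]) -> Tuple[str, str, Set[str]]:
        """Return (device_id, new_cookie, attributes_that_changed). An absent,
        unknown or already-used cookie yields a brand new device id."""
        rec = self.by_cookie.get(self._hash(presented)) if presented else None
        if rec is None:
            rec = DeviceRecord(secrets.token_hex(8), dict(attributes), cookie_hash="")
            self.devices[rec.device_id] = rec
            changed: Set[str] = set()
        else:
            changed = {k for k, v in attributes.items() if rec.attributes.get(k) != v}
            rec.attributes.update(attributes)
        return rec.device_id, self._rotate(rec), changed


# Attributes whose mid-session change is treated as a hijack indicator (assumed list).
STABLE_ATTRIBUTES = {"user_agent", "platform", "screen"}


def session_check(registry: FingerprintRegistry, session: dict, presented: Optional[str],
                  attributes: Dict[str, str]) -> Tuple[bool, str]:
    """Re-run fingerprinting during a session. Rotates the session's cookie and
    reports whether the device still looks like the one that logged in."""
    device_id, cookie, changed = registry.fingerprint(presented, attributes)
    session["cookie"] = cookie
    if device_id != session["device_id"]:
        return False, "device id changed (cookie missing, unknown or replayed)"
    suspicious = changed & STABLE_ATTRIBUTES
    if suspicious:
        return False, "stable attributes changed: " + ", ".join(sorted(suspicious))
    return True, "device consistent"


if __name__ == "__main__":
    registry = FingerprintRegistry(secrets.token_bytes(32))
    attrs = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "platform": "Linux",
             "screen": "1920x1080", "timezone": "-0500"}   # constructed sample attributes
    device_id, cookie, _ = registry.fingerprint(None, attrs)   # login-time fingerprint
    session = {"device_id": device_id, "cookie": cookie}
    print(session_check(registry, session, cookie, attrs))     # (True, 'device consistent')
    print(session_check(registry, session, cookie, attrs))     # replay of the used cookie: False
```

Note what this model does not do: a client that simply deletes its cookie is treated as a new device, so linking it back to a known device would need matching on the attributes themselves, which is the part OAAM's own fingerprinting covers and this example leaves out.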

For information on fingerprinting and identification concepts, technology, and use cases, see Appendix E, "Device Fingerprinting and Identification."

1.2.5 Knowledge-Based Authentication

Oracle Adaptive Access Manager provides, as standard, secondary authentication in the form of knowledge-based authentication (KBA) questions. The KBA infrastructure handles the registration of questions and answers and the challenge process. Since KBA is a secondary authentication method, it is presented after successful primary authentication.

KBA is used to authenticate an individual based on knowledge of personal information, substantiated by a real-time interactive question and answer process. Oracle Adaptive Access Manager's Rules Engine and organizational policies are responsible for determining if it is appropriate to use challenge questions to authenticate the customer.

Figure 1-6 shows an example of the Security Questions page where the user is presented with a Question Set. The Question Set is broken up into several menus that contain questions to select from. A QuestionPad is also provided for the user to enter answers.

Figure 1-6 OAAM Security Questions Page


For the concepts behind KBA and information about managing tasks that impact how KBA is handled, see Chapter 7, "Managing Knowledge-Based Authentication."

1.2.6 Answer Logic

Answer Logic increases the usability of knowledge-based authentication (KBA) questions by accepting answers that are fundamentally correct but contain a small typo, abbreviation or misspelling. For example, if abbreviation matching is enabled in Answer Logic and a user is challenged with the question "What street did you live on in high school?", they may answer "1st St.", which is fundamentally correct even though they entered "First Street" when they registered the answer six months ago. By allowing a configurable variation in the form of correct answers, Answer Logic greatly increases the usability of registered challenge questions and places the balance between security and usability in the control of the enterprise. Each tolerance that is enabled also widens the set of strings that will be accepted as a correct answer, so tolerances should be enabled deliberately rather than by default.
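An added Python example of Answer Logic style matching (not OAAM code; OAAM's own algorithms and their configuration are described in Chapter 7). Each keyword switch is one tolerance: abbreviation and ordinal expansion, dropping filler words, and a bounded edit distance for typos. The abbreviation tables, filler-word list and default tolerances are assumptions made for the example. It also makes explicit a design consequence that the text above leaves implicit: fuzzy matching requires the registered answer to be stored in a recoverable (encrypted) form rather than as a one-way hash, because a hash can only be compared for exact equality.

```python
import re
import unicodedata

# Constructed normalisation tables; OAAM ships and configures its own.
ABBREVIATIONS = {"st": "street", "rd": "road", "ave": "avenue", "dr": "drive",
                 "mt": "mount", "n": "north", "s": "south"}
ORDINALS = {"1st": "first", "2nd": "second", "3rd": "third", "4th": "fourth", "5th": "fifth"}
NOISE_WORDS = {"the", "a", "an", "of"}


def normalize(answer: str, abbreviations: bool = True, ignore_noise: bool = True) -> str:
    """Case, accents and punctuation never count against the user; the optional
    steps expand abbreviations/ordinals and drop filler words."""
    text = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode().lower()
    tokens = re.findall(r"[a-z0-9]+", text)
    if abbreviations:
        tokens = [ORDINALS.get(t, ABBREVIATIONS.get(t, t)) for t in tokens]
    if ignore_noise:
        tokens = [t for t in tokens if t not in NOISE_WORDS]
    return " ".join(tokens)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def answers_match(registered: str, given: str, *, abbreviations: bool = True,
                  ignore_noise: bool = True, typo_tolerance: int = 1) -> bool:
    """Each keyword switch is one Answer Logic style tolerance. The registered
    answer must be available in recoverable (encrypted) form for this to work;
    a one-way hash of it could only be compared for exact equality."""
    r = normalize(registered, abbreviations, ignore_noise)
    g = normalize(given, abbreviations, ignore_noise)
    if not r or not g:
        return False   # an empty answer never matches, whatever the tolerances
    return edit_distance(r, g) <= typo_tolerance


if __name__ == "__main__":
    print(answers_match("First Street", "1st St."))                       # True
    print(answers_match("First Street", "1st St.", abbreviations=False))  # False
    print(answers_match("Springfield", "Springfeld"))                     # True: one dropped letter
    print(answers_match("Springfield", "Shelbyville"))                    # False
```

Raising typo_tolerance from 1 to 2 is what it takes to accept the transposed "Springfeild"; it is also what lets a far larger number of wrong guesses through, which is the security side of the trade-off the text above refers to.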

For information on configuring Answer Logic, see Chapter 7, "Managing Knowledge-Based Authentication."

1.2.7 OTP Anywhere

OTP Anywhere is a risk-based challenge mechanism consisting of a server-generated, one-time-use password delivered to an end user via a configured out-of-band channel. Supported OTP delivery channels include short message service (SMS), e-mail, and IM (instant messaging). You can use OTP Anywhere to complement knowledge-based authentication (KBA) challenge or instead of KBA. Oracle Adaptive Access Manager provides a challenge processor framework that you can use to implement custom risk-based challenge solutions combining third party authentication products or services with OAAM real-time risk evaluations; both KBA and OTP Anywhere use this same challenge processor framework internally. Because OTP Anywhere via SMS uses a person's cell phone as a second factor, the identity assurance level is elevated without the need to provision hardware or software to end users.

For information on configuring OTP, see Chapter 8, "Setting Up OTP Anywhere."

1.2.8 Mobile Access Security

Oracle Adaptive Access Manager provides mobile security features both directly and via the Mobile and Social Access Services component of Oracle Access Management using the ASDK and RESTful web services. Users accessing OAAM protected web applications through a mobile browser will navigate the user interface and flows optimized for the mobile form factor without performing any development. Security policies available with Oracle Adaptive Access Manager can dynamically adjust when user access originates from a mobile device.

This improves the range of analysis and the accuracy of the risk evaluation, which reduces false positives. For example, IP geolocation velocity rules behave differently when the access request arrives over a cellular connection than they do over a Wi-Fi connection.

When customers use the Mobile and Social (MS) Access Services component of the Oracle Access Management Suite, Oracle Adaptive Access Manager provides enhanced device fingerprinting, device registration, mobile specific risk analysis, risk-based challenge mechanisms, and lost and stolen device management. Mobile Access Services allow enterprises to extend their existing access security solution to cover both the web and mobile access channels.

For information on Oracle Access Management Mobile and Social, see Administrator's Guide for Oracle Access Management.

1.2.9 Universal Risk Snapshot

Change control is important in an enterprise deployment, especially concerning mission critical security components. The Universal Risk Snapshot feature allows an administrator in a single operation to save a full copy of all OAAM policies, dependent components, and configurations for backup, disaster recovery and migration. Snapshots can be saved to the database for fast recovery or to a file for migration between environments and external backup. Restoring a snapshot is an automated process that includes visibility into exactly what the delta is and what actions will be taken to resolve conflicts.

For information on using the Universal Risk Snapshot, see Chapter 25, "Managing OAAM Snapshots."

1.2.10 Fraud Investigation Tools

Oracle Adaptive Access Manager provides a streamlined and powerful forensic interface for security analysts and compliance officers. Agents have a repository for findings and investigation workflow management. Users can easily evaluate alerts and identify related access requests and transactions to uncover fraud and misuse. Security analysts and compliance officers record notes and link suspect sessions to a case as they perform an investigation, so all findings are captured for use and to influence future real-time risk analysis.

Figure 1-7 shows an example of the Agent Case Details page. The Case Details page provides general details about the case, such as the Fraud Investigator working on the case, status, severity level, description, and the last actions performed and the time they were performed.

Agent Cases

Figure 1-7 shows an Agent Cases page which contains Summary, Linked Sessions, and Log tabs.

Figure 1-7 Agent Case Details Page


For information on using OAAM investigation tools, see Chapter 5, "Using Agent Cases for Fraud Investigation" and Chapter 6, "Viewing Additional Details for Investigation."

Search and Compare Transactions

Oracle Adaptive Access Manager provides an intuitive interface for security analysts and compliance officers to search and compare transactions that have been subjected to risk analysis. The full data and context of each transaction is available even for encrypted data fields. This allows security and compliance professionals deep visibility into user activity while still protecting the data from administrators or other types of enterprise users. The ability to compare multiple transactions side by side is extremely useful for expanding investigations from known high risk transactions to transactions that may not have initially appeared high risk on their own.

Figure 1-8 shows an example of the Compare Transactions interface where session and transaction details of four transactions are compared.

Figure 1-8 Compare Transactions Tab


Utility Panel

The investigation utility panel provides a persistent interface for common operations security analysts and compliance officers perform multiple times in the process of an investigation. Both quick search and case notes are always available regardless of what other functionality is being used. This ensures that findings from any process can be combined to search for suspect sessions and transactions. Also, the utility panel ensures that any thoughts or findings can be captured in case notes.

Figure 1-9 shows an example of the Utility Panel and individual data points to perform targeted searches.

Figure 1-9 Utility Panel and Data Points for Targeted Search


1.2.11 Policy Management

Policies and rules can be used by organizations to monitor and manage fraud or to evaluate business elements. The policy and rules are designed to handle patterns or practices, or specific activities that you may run across in the day-to-day operation of your business. Using Oracle Adaptive Access Manager, you can define when the collection of rules is to be executed, the criteria used to detect various scenarios, the group to evaluate, and the appropriate actions to take when the activity is detected.

For information on configuring policies and rules used to evaluate the level of risk at decision and enforcement points, see Chapter 10, "OAAM Policy Concepts and Reference" and Chapter 11, "Managing Policies, Rules, and Conditions."

1.2.12 Dashboard

The Oracle Adaptive Access Manager Dashboard is a unified display of integrated information from multiple components, organized and presented in a way that is easy to read. The dashboard presents monitored versions of key metrics, so administrators can see up-to-the-minute data on application activity from a security perspective. The reports that are presented help users visualize and track general trends.

For information on using the OAAM Dashboard, see Chapter 23, "Monitoring OAAM Administrative Functions and Performance."

1.2.13 Reports

Reporting is available through Oracle Adaptive Access Manager. A limited license of Oracle Business Intelligence Publisher is included for customizable reporting capabilities.

Oracle Identity Management BI Publisher Reports uses Oracle BI Publisher to query and report on information in Oracle Identity Management product databases. With minimal setup, Oracle Identity Management BI Publisher Reports provides a common method to create, manage, and deliver Oracle Identity Management reports.

The report templates included in Oracle Identity Management BI Publisher Reports are standard Oracle BI Publisher templates—though you can customize each template to change its look and feel. If schema definitions for an Oracle Identity Management product are available, you can use that information to modify and generate your own custom reports.

For information on configuring reports, see Chapter 24, "Reporting and Auditing."

1.3 Oracle Adaptive Access Manager Component Architecture

Oracle Adaptive Access Manager is built on a J2EE-based, multitier deployment architecture that separates the platform's presentation, business logic, and data tiers. Because of this separation of tiers, Oracle Adaptive Access Manager can rapidly scale with the performance needs of the customer. The architecture can leverage the most flexible and supported cross-platform J2EE services available: a combination of Java, XML and object technologies. This architecture makes Oracle Adaptive Access Manager a scalable, fault-tolerant solution.

The run-time components including the rules engine and end user interface flows are contained in one managed server while the administration console functionality is separated out into its own managed server. The administration console contains the customer service and security analyst case management functionality which must always be available to employees in potentially large call centers with high call volumes.

Depending on the deployment method used, the topology changes slightly. Native application integration deployments embed the run-time components, so the administration console is the only additional managed server added to the deployment. Oracle Adaptive Access Manager is also completely stateless and fully supports clustered deployments to meet high performance requirements. As well, all high availability features of the Oracle Database are supported for use with Oracle Adaptive Access Manager.

Oracle Adaptive Access Manager consists of the following two components:

  • OAAM_ADMIN: This component is used for administration and configuration of the OAAM_SERVER application. It is developed using the Oracle Java ADF Framework and the Identity Management shell, deployed as a Web application in a J2EE container, and packaged as an EAR file.

  • OAAM_SERVER: This component contains the OAAM Admin and OAAM Server sub-components within a single web application. The OAAM_SERVER component is packaged as an EAR file and is composed of servlets and JSPs in addition to Java classes. The subcomponents of OAAM_SERVER are described below by layer:

    • Presentation Layer: typically a Web application serving JSPs, servlets, and so on. The presentation layer provides the strong authenticator functionality; it uses the interfaces provided by the business layer (SOAP or Java native) to access its services.

    • Business Logic Layer: this layer contains the core application logic that implements the risk analyzing engine. This layer provides Java and SOAP interfaces for the presentation layer. When the Java interface is used, the business logic layer and presentation layer can be part of a single web application. With the SOAP interface, these layers are deployed as different applications.

    • Data Access Layer: contains data access components to connect to the supported relational databases. Oracle Adaptive Access Manager uses Oracle's TopLink, which provides a powerful and flexible framework for storing Java objects in a relational database.

1.4 OAAM Components

Oracle Adaptive Access Manager consists of the following two components:

  • OAAM Admin

  • OAAM Server

1.4.1 OAAM Admin

The OAAM Admin is the OAAM Administration Console used by Security Administrators (Rule Administrators), Investigators and Support Personnel, and System Administrators. Security Administrators import and export policies, create new policies, view sessions, and configure Oracle Adaptive Access Manager functionality such as KBA and OTP Anywhere. Investigators (Fraud Investigators and Fraud Investigation Managers) and support personnel (CSR and CSR Managers) use Oracle Adaptive Access Manager's case management tools to handle security and customer cases. System Administrators configure environment-level properties and transactions.

1.4.2 OAAM Server

OAAM Server contains the run-time components, including the rules engine, the Strong Authenticator (end user interface flows), Web services, and the user Web application used in all deployment types except native integration.

1.5 Deployment Options

Oracle Adaptive Access Manager supports many deployment options, as shown in Figure 1-10, to meet the specific needs of practically any deployment. The decision of which deployment type to employ is usually determined based on the use cases required and the applications being protected.

Figure 1-10 OAAM Deployment Options


Figure 1-10 shows the following scenarios:

  • The SOAP service wrapper API integration scenario in which the application communicates with Oracle Adaptive Access Manager using the OAAM Native Client API (SOAP service wrapper API).

  • The In-Proc integration scenario, which involves only local API calls and therefore no remote risk engine calls (SOAP calls) to the server.

  • The UIO Proxy scenario where a reverse proxy intercepts the HTTP traffic between the client (browser) and the server (Web application) and redirects the traffic to OAAM Server, and OAAM Server, in turn, communicates with OAAM Admin.

    Note:

    Although you can still use the UIO Proxy, it is deprecated starting with 11.1.2.2 and will be desupported and no longer shipped in 12.1.4 and future releases. The recommendation is to use the native integration or Advanced Oracle Access Management Access Manager and Oracle Adaptive Access Manager integration using Trusted Authentication Protocol (TAP) instead of UIO Proxy. For information about native integration, see Chapter 2, "Natively Integrating Oracle Adaptive Access Manager," Chapter 3, "Integrating Native .NET Applications," and Chapter 4, "Natively Integrating OAAM with Java Applications" in Developer's Guide for Oracle Adaptive Access Manager. For information about Access Manager and Oracle Adaptive Access Manager integration using TAP, see Integration Guide for Oracle Identity Management Suite.

  • The OAAM Administration Console, which contains administration, customer service, and fraud investigation case management functionality.

Table 1-3 describes the types of OAAM deployments.

Table 1-3 Oracle Adaptive Access Manager Deployment Options

Deployment Description

Single Sign-On Integration

Oracle Adaptive Access Manager has a standard integration with Oracle Access Management Access Manager to provide advanced login security, including the virtual authentication devices, device fingerprinting, real-time risk analysis, and risk-based challenge. New in 11g, there are two versions of the Oracle Adaptive Access Manager and Access Manager integration: basic and advanced. The "basic" integration embeds Oracle Adaptive Access Manager into the Access Manager run-time server. It includes many of the login security use cases available from Oracle Adaptive Access Manager and reduces the footprint. To gain advanced features and extensibility, customers can deploy using the "advanced" integration. Features such as OTP Anywhere, the challenge processor framework, the shared library framework, and secure self-service password management flows require the advanced integration option. Oracle Adaptive Access Manager can also be integrated with third-party single sign-on products via systems integrators if required.

Figure 1-10 does not show this option.

For information on integrating Access Manager and Oracle Adaptive Access Manager, see Integration Guide for Oracle Identity Management Suite.

Universal Installation Option Reverse Proxy

Oracle Adaptive Access Manager can be deployed using an Apache module to intercept login requests and provide advanced login security. The flows available are the same as for the advanced single sign-on integration option.

The main benefit of the Oracle Universal Installation Option (UIO) deployment is that it requires little or no integration with protected applications and Single Sign-On (SSO) is not required.

For information on the Universal Installation Option deployment option, see the Oracle Adaptive Access Manager Proxy chapter in Developer's Guide for Oracle Adaptive Access Manager.

Native Application Integration

Oracle Adaptive Access Manager can be natively integrated with an application to provide extremely high performance and highly customizable security. A native integration embeds OAAM in-process inside the protected application. The application invokes the Oracle Adaptive Access Manager APIs directly to access risk and challenge flows.

For information on native integration, see Developer's Guide for Oracle Adaptive Access Manager.

Web Services Application Integration

Customers who have advanced requirements similar to native integration, but who prefer to use SOAP web services instead of direct Java API integration, can choose this option.

For information on web services application integration, see Developer's Guide for Oracle Adaptive Access Manager.

Java Message Service Queue Integration

Customers with access monitoring requirements involving multiple applications and data sources now have the ability to take a proactive security and compliance posture. Using the provided Java Message Service Queue (JMSQ) customers can implement near real-time risk analysis to actively identify suspected fraud or misuse.

Figure 1-10 does not show this option.

For information on Java Message Service Queue integration, see Developer's Guide for Oracle Adaptive Access Manager.

1.6 Oracle Adaptive Access Manager 11g Release 2 (11.1.2) Features

Oracle Adaptive Access Management 11.1.2 provides new features and enhancements outlined in the following table.

Areas Features and Enhancements
Enhanced mobile security

Enhanced mobile security includes:
  • Better mobile browser UX

  • Mobile tuned security policies

  • REST services and SDK for mobile application developers

  • Hardened mobile device fingerprinting

  • Lost and stolen mobile device security

Transactional autolearning

New transactional autolearning includes:
  • Customizable patterning

  • Transaction rule conditions

Investigation tools

New investigation tools have been added to make investigations quicker and easier:
  • Improved case management

  • Utility panel quick search

  • Utility panel notes pane

  • Search transactions

  • Additional search filters for transaction and entity data, alert messages, geographic location, and IP addresses range

  • Transaction details

  • Compare transactions

  • Streamlined white/black listing

  • Multitenant access controls for customer service representative interface to allow protection of multiple application tenants with a single instance of OAAM

  • "Add to Group" feature in search sessions and details pages that enables entities to be added to groups easily

Entity enhancements

Enhanced entities include:
  • Linked entities

  • Entity CRUD operations

  • Targeted purging

Access monitoring toolkit

The Access monitoring toolkit includes:
  • JMSQ interface

  • Database view generation

1.7 Oracle Adaptive Access Manager Releases Features Comparison

Features | 10.1.4.5 | 11.1.1.3.0 | 11.1.2 | 11.1.2.2 | 11.1.2.3
---|---|---|---|---|---
Real-time and offline rules engine | X | X | X | X | X
Virtual authentication devices | X | X | X | X | X
Knowledge-based authentication | X | X | X | X | X
Adaptive device identification* | X | X | X | X | X
Base security policies (ongoing updates) | X | X | X | X | X
Real-time dashboard (improved) | X | X | X | X | X
Customer service module | X | X | X | X | X
Real-time access to activity data | X | X | X | X | X
Actions, alerts, and risk scoring | X | X | X | X | X
Rule conditions | X | X | X | X | X
Optimized log data management | X | X | X | X | X
Enhanced caching of rules data object | X | X | X | X | X
Expanded integration APIs | X | X | X | X | X
Rules authoring user interface | X | X | X | X | X
Transaction definition and mapping user interface | X | X | X | X | X
Data entity definition and mapping user interface | X | X | X | X | X
Behavior pattern configuration interface | X | X | X | X | X
Configurable actions | X | X | X | X | X
Server-generated one-time password (OTP) |  | X (All deployment types) | X (All deployment types) | X | X
Customizable reporting BI Publisher (bundled) | X | X | X | X | X
Tree-based navigation and policy browse |  | X | X | X | X
Tabular multitasking user interface |  | X | X | X | X
Customizable search screens |  | X | X | X | X
Common audit framework |  | X | X | X | X
Better mobile browser user experience |  |  | X | X | X
Mobile tuned security policies |  |  | X | X | X
REST services and SDK for mobile application developers |  |  | X | X | X
Mobile device fingerprinting |  |  | X | X | X
Lost and stolen mobile device security |  |  | X | X | X
Customizable patterning |  |  | X | X | X
Transaction rule conditions |  |  | X | X | X
Improved case management |  |  | X | X | X
Utility panel quick search |  |  | X | X | X
Utility panel notes pane |  |  | X | X | X
Search transactions |  |  | X | X | X
Transaction details |  |  | X | X | X
Compare transactions |  |  | X | X | X
Streamlined white/black listing |  |  | X | X | X
Linked entities |  |  | X | X | X
Entity CRUD operations |  |  | X | X | X
Targeted purging |  |  | X | X | X
JMSQ interface |  |  | X | X | X
Database view generation |  |  | X | X | X
Integrated Oracle Identity Manager password management flows |  | X | X | X | X
Oracle Installer and Repository Creation Utility |  | X | X | X | X
Oracle Patch |  | X | X | X | X
Oracle Adaptive Access Manager Offline User Interface | X | X | X | X | X
Document Models | X |  |  |  | 
Globalization | X | X | X | X | X
tracker.transaction.condition.computeDuration.useSystemTime property |  |  | X | X | X
Display of triggered and untriggered rules |  |  |  | X | X
Session Details page: paginated list of checkpoints and transactions within a session |  |  |  | X | X
Session Details page: Table query tool |  |  |  | X | X
Session Details page: Checkpoint panel displays actions, alerts, configurable actions, and policies in a table |  |  |  | X | X
Session Details page: addition of User, Devices, and Locations tabs |  |  |  | X | X
JavaScript fingerprinting |  |  |  | X | X
Search by user friendly name of a device |  |  |  | X | X
Changes to OAAM Post-Authentication Security Policy |  |  |  | X | X
New OAAM Mobile and Social Integration Post-Authentication Security policy |  |  |  | X | X
Rules context evaluation |  |  |  | X | X
Import and export of snapshot via CLI |  |  |  | X | X
Single Login Page configuration |  |  |  | X | X
Challenge choice: the end user can decide by what means to authenticate if the user is registered for OTP via SMS and also registered for OTP via Email |  |  |  |  | X
Changes to OAAM Challenge Policy |  |  |  |  | X
OTP multiple UMS support in OTP |  |  |  |  | X
New Challenge Choice Task Processor |  |  |  |  | X
Enhanced OAAM Library Interface on Oracle Technology Network (OTN) |  |  |  |  | X

1.8 Oracle Adaptive Access Manager Releases Integration Options Comparison

Integrations | 10.1.4.5 | 11.1.1.3.0 | 11.1.2 | 11.1.2.2 | 11.1.2.3
---|---|---|---|---|---
Oracle Access Management Access Manager integration | X | X | X | X | X
Oracle Identity Manager integration |  | X | X | X | X
Juniper SSL VPN integration |  |  | X | X | X
OAAM integration with Oracle Access Manager 10g and Access Manager 11g in coexistence |  |  |  |  | X
Access Manager and OAAM TAP integration with DCC WebGate using tunneling |  |  |  |  | X

1.9 System Requirements and Certification

Refer to the system requirements and certification documentation for information about hardware and software requirements, platforms, databases, and other information. Both of these documents are available on Oracle Technology Network (OTN).

You can access OTN at

http://www.oracle.com/technetwork

The system requirements document covers information such as hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches:

The certification document covers supported installation types, platforms, operating systems, databases, JDKs, directory servers, and third-party products: