This chapter describes new features, changes, and updates to this book. See the following sections for details:
Updates in July 2015 Documentation Refresh for 11g Release 2 (11.1.2.3)
Updates in June 2015 Documentation Refresh for 11g Release 2 (11.1.2.3)
Updates in February 2014 - January 2015 Documentation Refreshes for 11g Release 2 (11.1.2.2)
Significant Changes in this Document for 11g Release from 10g to 11g
Administering Oracle Adaptive Access Manager contains these updates in the documentation refresh:
Editorial corrections.
Fix for Bug 21308750 - procedure on how to disable KBA (Section 7.3.2.2, "Disabling KBA.")
Administering Oracle Adaptive Access Manager contains these updates in the documentation refresh:
Editorial corrections.
Note about restarting the managed servers when creating any new user-defined enum element or changing the enabled attribute of an enum element from false to true in Appendix C, "OAAM Properties."
Addition of Section 30.22, "OAAM Sessions are Not Recorded When IP Address from Header is an Invalid IP Address."
Administering Oracle Adaptive Access Manager contains these updates in the documentation refresh:
Editorial corrections
Removal of Index chapter
New features and enhancements include:
OAAM integration with Oracle Access Manager 10g and Access Manager 11g coexisting. For information, see the "Integrating OAM 10g, Access Manager 11g, and OAAM" chapter in Developer's Guide for Oracle Adaptive Access Manager.
Challenge choice - If the end user is registered for OTP via SMS and also registered for OTP via Email, he can choose the challenge type by which he wants to be challenged. For information, see Section 8.12.6, "Configuring Challenge Choice."
OAAM Server can be configured to connect to multiple UMS servers, individually or through load balancing, to send OTPs. For information, see Section 8.12.1, "Configuring OAAM Server to Connect to Multiple UMS Servers to Send OTP."
Changes to the Challenge Policy for challenge choice feature. For information, see Section 10.6.12, "OAAM Challenge."
Challenge Choice Task Processor. For information, see the "Integrating Task Processors" chapter in Developer's Guide for Oracle Adaptive Access Manager.
Access Manager and OAAM TAP integration with DCC WebGate using tunneling. For information, see the "Integrating Oracle Adaptive Access Manager with Access Manager" chapter in Integration Guide for Oracle Identity Management Suite.
Addition of Schema Reference for Oracle Adaptive Access Manager in Oracle Fusion Middleware 11g Release 2 (11.1.2) documentation set.
Enhanced OAAM library interface on Oracle Technology Network (OTN).
Bug fixes and editorial corrections.
Administering Oracle Adaptive Access Manager contains these updates in the documentation refreshes:
Bug fixes and editorial corrections
New chapter for rules context evaluation, Chapter 12, "Evaluating Rules Context"
New appendix for VCryptUser table, Appendix K, "VCryptUser Table"
Oracle Adaptive Access Manager 11g Release 2 (11.1.2.2) includes these new features and enhancements:
Search by user friendly name of a device
Search by the user friendly name of a device is available in the Device tab of the User Details page and the User tab of the Device Details page. User friendly names for devices are provided by the end-user during device registration and available to OAAM if integrated natively.
For information, see
Enhancements include:
Paginated list of checkpoints and transactions within a session if the session has multiple checkpoints and transactions
Table query tool to search checkpoint and transaction tables
Checkpoint panel displays actions, alerts, configurable actions, and policies in a table
Addition of User, Devices, and Locations tabs
For information, see Section 5.3.23, "Viewing Forensic Record and Details of a Session."
Changes to policies for Mobile and Social
Changes to the OAAM Post-Authentication Security Policy and a new OAAM Mobile and Social Integration Post-Authentication Security policy. For details, see
JavaScript fingerprinting
OAAM provides fingerprinting with JavaScript, which is enabled by default. JavaScript fingerprinting can be used as the primary digital fingerprint or co-exist with Flash fingerprinting. For details, see Appendix E, "Device Fingerprinting and Identification."
Display of triggered and untriggered rules and rules with no execution time in Session Details
The Session Details page can use database table and fingerprint rule logging information to display triggered and untriggered rules and rules with no execution time. For details, see Section J.8, "Viewing Rule Execution in Session Details."
Oracle Adaptive Access Manager 11g Release 2 (11.1.2) includes many important features and enhancements that were not available with Oracle Adaptive Access Manager 11g Release 1 (11.1.1). Oracle Adaptive Access Manager 11g Release 2 (11.1.2) includes these new features and enhancements:
Enhanced mobile security includes:
Better mobile browser user experience
Mobile tuned security policies
REST services and SDK for mobile application developers
Lost and stolen mobile device security
New transactional autolearning includes:
Customizable patterning
Transaction rule conditions
New investigation tools have been added to make investigations quicker and easier:
Improved case management
Utility panel quick search
Utility panel notes pane
Search transactions
Additional search filters for transaction and entity data, alert messages, geographic location, and IP addresses range
Transaction details
Compare transactions
Streamlined white/black listing
Multitenant access controls for customer service representative interface to allow protection of multiple application tenants with a single instance of OAAM
"Add to Group" feature in search sessions and details pages that enables entities to be added to groups easily
Enhanced entities include:
Linked entities
Entity CRUD operations
Targeted purging
The Access monitoring toolkit includes:
JMSQ interface
Database view generation
Administering Oracle Adaptive Access Manager contains these updates:
New section on virtual authentication devices
For information, see Section 1.2.3, "Virtual Authentication Devices."
New section on mobile access security
For information, see Section 1.2.8, "Mobile Access Security."
New section on fraud investigation tools
For information, see Section 1.2.10, "Fraud Investigation Tools."
Revised investigation chapter to include Search and Compare Transactions, Utility Panel features, and enhanced Session Details page
For information, see Chapter 5, "Using Agent Cases for Fraud Investigation."
New chapter on KBA and OTP challenges
For information, see Chapter 9, "KBA and OTP Challenge Scenarios."
New OAAM Policy Concepts and Reference chapter
For information, see Chapter 10, "OAAM Policy Concepts and Reference."
New section on transaction-based patterns
For information, see Chapter 15, "Using Transaction-Based Patterns."
New chapter on modeling transactions
For information, see Chapter 18, "Modeling Transactions in OAAM."
Updated entities chapter to include more screen examples
For information, see Chapter 19, "Managing Entity Definitions."
Updated transactions chapter
For information, see Chapter 20, "Managing Transaction Definitions."
New chapter on performance considerations and best practices
For information, see Chapter 29, "Performance Considerations and Best Practices."
New sections on troubleshooting and frequently asked questions
For information, see Chapter 30, "FAQ/Troubleshooting."
New appendix on using OAAM.
For information, see Appendix A, "Using OAAM."
New sections in conditions chapter
For information, see Appendix B, "Conditions Reference."
New appendix on OAAM properties
For information, see Appendix C, "OAAM Properties."
Oracle Adaptive Access Manager 11g Release 2 (11.1.1) includes many important features and enhancements that were not available with Oracle Adaptive Access Manager 10g. Oracle Adaptive Access Manager 11g Release 2 (11.1.1) includes these new features:
The new rich Oracle Adaptive Access Manager user interface provides:
Navigation and Policy trees, which allow quick and visible access to features
Tabs and accordion panels that reduce real estate usage for multitasking
Streamlined flows that capture use case flows of execution. For example, the flow for rules is search, create, edit, and copy rules
Improved search and filtering, where you can save searches and filter directly on columns
New and improved screens in Oracle Adaptive Access Manager. Oracle Adaptive Access Manager provides enhanced usability for fraud analysis and forensic operations
Advanced table display controls to add and remove columns, reposition and resize columns, and detach columns
Additional search filters for alert messages, geographic location, and IP range
Export feature that enables search results to be exported to an Excel file format
New "Add to Group" feature in search sessions and details pages that enables entities to be added to groups easily
Direct access to documentation from Oracle Adaptive Access Manager
Newly updated security policies that incorporate:
Patterns and other techniques to improve the accuracy and risk analysis
Oracle Data Miner along with new rule conditions and improved learning patterns to create a unique and optimized real-time risk analytics solution more capable of profiling behaviors than previous versions
New features in policy creation enable you to:
Copy policies to checkpoints
Policies can be copied to other checkpoints. When policies are copied, all the details are copied including the nested policies, trigger combinations, preconditions, group linking, and others
Configure trigger combinations more easily
The new design enables you to more easily define and manage trigger combinations and allows the appending or overriding of actions and alerts
Execute nested conditions
New conditions support the execution of nested policies
View indicators
Indicators are available to show the number of policies linked to a policy, rules, trigger combinations, group linking, conditions in policies, and so on
Rules are now much easier to create.
Rule creation has been simplified with the removal of rule templates from the product.
Rules can be copied to different policies under any checkpoint
OTP Anywhere can create universal delivery options for auto-generated one-time-passwords used for secondary, risk-based user challenges to add sophisticated security to basic authentication flows.
New investigation tools have been added to make investigations quicker and easier
Details screens that allow investigators, security administrators, and other power users to cross-reference data points to find related data quickly and easily
New agent cases that make forensic investigations quicker, easier, and more successful. You can configure events to create a case automatically. An investigator can quickly view the data involved in an incident and quickly locate related situations by easily harnessing the complex data relationships captured by OAAM
Encryption keys required by Oracle Adaptive Access Manager can be securely managed using Fusion Middleware Control without having to create Keystore files
Snapshots can be created allowing security administrators to simply and easily migrate security data across environments or restore security configuration to a known state
Multitenant access controls for customer service representative interface to allow protection of multiple application tenants with a single instance of OAAM
Oracle Adaptive Access Manager batch risk analysis tool to be used as:
A standalone security tool to analyze, detect, and alert on high-risk transactions
A research and development tool to create and verify new policies and rules using offline customer data without impacting customers in a real-time environment
A supplemental batch analysis tool for tuning rules and verifying rule behavior against real customer and transaction data without impacting customers in a real-time environment
Most of the administrative operations are now audited using Oracle Audit Service. Audit events can be viewed using the standard audit reports.
Oracle Adaptive Access Manager Web services are implemented using Oracle Web Services.
Oracle Adaptive Access Manager 11g uses Java logging instead of log4j. You can configure logging using Fusion Middleware Control.
Integration with the Dynamic Monitoring System
Some performance metrics are now integrated with Dynamic Monitoring System. These metrics and related reports can be viewed using Fusion Middleware Control
Customers migrating from Oracle Adaptive Access Manager 10g to 11g will notice key changes. These changes are intended to align terminology used across the Identity Management suite products and simplify administration.
Oracle Adaptive Access Manager 11g terminology changes are as follows:
runtime
The new term is checkpoint.
A checkpoint is a specified point in a session when Adaptive Access Manager collects and evaluates security data using the rules engine.
model
The new term is policy.
Policies contain security rules and configurations used to evaluate the level of risk at each checkpoint.
manual override
The new term is trigger combination.
Trigger combinations are additional results and policy evaluation that are generated if a specific sequence of rules triggers.
Application ID
The new term is Organization ID.
From the administration perspective, each application or primary user group is translated into an "Organization ID." The term, "Application ID" has been renamed as "Organization ID," which represents the primary user group of a particular user.
For the OAAM Server side, the term "Application ID" remains the same as before. When communicating with proxies, OAAM Server passes the Application ID, which uniquely identifies an application.
Oracle Adaptive Access Manager 11g conceptual changes are as follows:
Old 10g concept: OAAM Adaptive Risk Manager
New 11g concept: The rules engine is now part of OAAM Server. The Administration Console is now a separate application named OAAM Admin.
Old 10g concept: OAAM Adaptive Strong Authenticator
New 11g concept: The end-user flows including the virtual authentication devices, knowledge-based authentication (KBA) and One-Time Password authentication are now contained in OAAM Server.
Old 10g concept: rule template
The concept has been removed from the product
Old 10g concept: policy type
The concept has been removed from the product
For information on Oracle Adaptive Access Manager 11g concepts, see the following chapters:
Oracle Adaptive Access Manager application deployment changes in 11g are as follows:
OAAM Server: Runtime component that includes Adaptive Risk Manager (rules engine), Adaptive Strong Authenticator (end user interface flows), Web services, LDAP integration, and user Web application used in all deployment types except native integration
OAAM Admin: Administration Console for all environment, Adaptive Strong Authenticator, and Adaptive Risk Manager features. It contains customer service and fraud investigation case management functionality
For information on the Oracle Adaptive Access Manager 11g web applications, see Section 1.3, "Oracle Adaptive Access Manager Component Architecture."
Architecture and deployment changes in 11g are listed as follows:
Administration User Interface is a separate Web application called OAAM Admin.
Adaptive Strong Authenticator is now deployed as part of the OAAM Server Web application.
OAAM Web applications are now packaged as EAR files. Exploding them is neither recommended nor supported.
For information on the architecture and deployment of Oracle Adaptive Access Manager 11g, see Section 1.3, "Oracle Adaptive Access Manager Component Architecture."