14.2 Introduction to Agent Registration

You can use either the Oracle Access Management Console or the remote registration tool for Agent registration and updates. Unless explicitly stated, information in this section applies to agent registration using either of these tools.

This section provides the following details.

14.2.1 Keys and Policies Generated during Agent Registration

Administrators must register each Agent to operate with Access Manager. Only registered agents can communicate with an OAM Server, and process information for a user attempting to access a protected resource.

The agent is presumed to reside on the computer hosting the application to be protected. However, it can reside on a proxy Web server and the application on a different host.

An agent key and partner key are created during registration. You can also create policies to protect the application during agent registration. If you choose to automatically create policies during agent registration, a host identifier and Application Domain are created with basic policies and resource definitions. Later on, you can view and manage the Application Domain and policies.


You can register multiple WebGates or Access Clients under a single host identifier, with the same Application Domain and policies, as follows:

  1. When you register a WebGate, allow the process to create a host identifier (a name of your choice), and enable "Auto Create Policies".

  2. Register a second WebGate with the same host identifier as Step 1, and clear the "Auto Create Policies" box to eliminate policy creation.

Following a successful registration (using either the console or remote registration tool), the full agent registration appears in the Oracle Access Management Console and is propagated to all Managed Servers in the cluster. Table 14-4 identifies the keys and policies generated during agent registration.

Table 14-4 Keys and Policies Generated During Agent Registration

Keys and Policies Accessible to Accessible through

One key per 11g WebGate Agent

One key for all 10g Agents

One key per OpenSSO Agent stored in local Agent bootstrap file

One key per OSSO Agent

See Also: "Key Use, Generation, Provisioning, and Storage"

  • OAM Server

  • Client-side: Secure local storage on the client host (a local wallet file)

  • Server side: The Java Keystore

Partner key for the application

(None for OpenSSO Agents)

  • 11g WebGate


Application Domain and default Policies are generated during Agent registration on demand:

  • Named for the Agent

  • Populated with default authentication and authorization policies (but not Token Issuance Policies)

  • Identified by the same host identifier that was specified for the Agent during registration

  • Administrators can view, modify, or remove a registered agent using either the Oracle Access Management Console or custom WLST commands for Access Manager

  • All agent types at run time monitor attempts to access a Web site and use OAM Servers to provide authentication and authorization services before completing the request

  • Oracle Access Management Console
  • Policy Configuration
  • Application Domains
  • DomainName

14.2.2 File System Changes and Artifacts for Registered Agents

When you register an agent using the Oracle Access Management Console, a new file system directory is created for the Agent on the Oracle Access Management Console host (AdminServer).

This new directory includes generated files for the registered agent, as described in Table 14-5.

Table 14-5 Artifacts Associated with Agent Registration

Registration Artifact Generated for ...

All WebGates or Access Client


All WebGates/Access Clients on the console host (AdminServer).

During run time, periodic update checks are made. ObAccessClient is updated automatically when a change is discovered.

Note: The pre-registered 10g IAMSuiteAgent does not use ObAccessClient.xml for bootstrap or configuration.

See Also: Properties files generated on the client in this table.


11g WebGate only

11g WebGates, regardless of the transport security mode.

Certificate and password files for secure communication

All WebGates/Access Clients. For example:

  • password.xml (nominally encrypted file for Simple Mode Global passphrase)

  • aaa_cert.pem (reserved name for WebGate certificate file, which cannot be changed)

  • aaa_key.pem (reserved name for WebGate key file, which cannot be changed)

Cert Mode:

  • PEM keystore Alias

  • PEM keystore Alias Password

Note: When editing an 11g WebGate registration, password.xml is updated only when the mode is changed from Open to Cert or Simple to Cert. In Cert mode, once generated, password.xml cannot be updated. Editing the agent Key Password does not result in creation of a new password.xml.

See: Configuring Access Manager Settings for details about Simple and Cert mode transport security)

OpenSSO Properties files

See: Registering and Managing Legacy OpenSSO Agents

osso.conf file

See: Registering and Managing Legacy OSSO Agents

Generated or updated artifacts must be copied from the console host (AdminServer) into the agent's installation directory, as shown in Table 14-6.

Table 14-6 Copying Generated Artifacts

Agent Type & Artifacts Copy Generated Artifacts to Agent Installation Directory ...


(and 11g WebGate cwallet.sso)

11g WebGate or Access Client

Before agent startup, copy the ObAccessClient file (and cwallet.sso) from the generated location (AdminServer (Console) host) to the agent installation directory.

See: Registering and Managing OAM 11g Agents


10g WebGate or Access Client

Before agent startup, copy ObAccessClient.xml from the generated location to the agent installation directory. For example, from the AdminServer (Console) host:

Note: The pre-registered IAMSuiteAgent does not use ObAccessClient.xml and should not be modified.

See: Registering and Managing 10g WebGates with Access Manager 11g

OpenSSO Agent Properties Files

See: Registering and Managing Legacy OpenSSO Agents

10g OSSO Agent osso.conf

See: Registering and Managing Legacy OSSO Agents