30.2 Introduction to 10g OAM Agents for Access Manager 11g

The following topics provide an overview:

30.2.1 About IAMSuiteAgent: A Pre-Configured 10g WebGate Registered with Access Manager

IAMSuiteAgent is a Java agent filter that is pre-registered with Access Manager 11.1.2 out of the box. This agent and the companion Application Domain are installed pre-configured with Access Manager.

The IAMSuiteAgent is a domain-wide agent:

  • Once Access Manager is deployed, the IAMSuiteAgent is installed on every server in the domain.

  • Unless disabled, every request coming into the WebLogic Application Server is evaluated and processed by the IAMSuiteAgent.

  • Certain IAMSuiteAgent configuration elements are available in the WebLogic Administration Console (in the Security Provider section) and others in the Oracle Access Management Console.

IAMSuiteAgent and related policies provide SSO protection for the IDM Administration Console, Oracle Identity Console, Oracle Access Management Console, and specific resources in the Identity Management domain.

You can replace the IAMSuiteAgent with a 10g WebGate to protect Oracle Identity Management Consoles and resources in the Identity Management domain, if you choose.

See Configuring Centralized Logout for IAMSuiteAgent

See Replacing the IAMSuiteAgent with an 11g WebGate

See Bundled 10g IAMSuiteAgent Artifacts

30.2.2 About Legacy Oracle Access Manager 10g Deployments and WebGates

11g OAM Servers support 10g WebGates that are registered to operate with Access Manager 11.1.2.

Such WebGates may include:

  • Legacy 10g WebGates currently operating with Oracle Access Manager 10g.

  • Legacy 10g WebGates configured as the Identity Assertion Provider (IAP) for SSO (for applications using IAP WebLogic container-based security with Oracle Access Manager 10g, as described in the Securing Applications with Oracle Platform Security Services).

  • Legacy 10g WebGates currently operating with Web Applications coded for Oracle ADF Security and the OPSS SSO Framework

You can register these agents to use Access Manager SSO using either the Oracle Access Management Console or the remote registration tool. After registration, 10g WebGates directly communicate with Access Manager through a Java-based OAM Proxy that acts as a bridge.

See Table 1-2.

See Integrating Access Manager With Web Applications Using Oracle ADF Security and the OPSS SSO Framework.

The following topics outline the tasks that you must perform to set up an existing 10g WebGate to operate with Access Manager:

Task overview: Setting up a legacy 10g WebGate to operate with Access Manager:

  1. Registering a 10g WebGate with Access Manager 11g Remotely

  2. Configuring Centralized Logout for 10g WebGate with 11g OAM Servers

  3. Optional: Deploying Applications in a WebLogic Container

    See the Securing Applications with Oracle Platform Security Services.

30.2.3 About Installing Fresh 10g WebGates to Use With Access Manager 11.1.2

You can install fresh 10g WebGates for use with Access Manager 11g. 10g WebGates are available for a number of Web server platforms.

After installation and registration, 10g WebGates directly communicate with Access Manager through a Java-based OAM proxy that acts as a bridge.

Note:

When installing fresh 10g WebGates for Access Manager, Oracle recommends that you use the latest WebGates. Oracle also recommends that you install multiple WebGates for failover and load balancing.

There are several differences between installing a 10g WebGate to operate in an 11g Access Manager deployment versus installing the 10g WebGate in a 10g Oracle Access Manager deployment.

Table 30-1 outlines these differences.

Table 30-1 Installation Comparison with 10g WebGates

10g WebGates in 11g Deployments:

  1. Packages: 10g WebGate installation packages are found on media and virtual media that is separate from the core components.

  2. Provisioning: Before installation, provision WebGate with Access Manager 11g.

    See Registering a 10g WebGate with Access Manager 11g Remotely.

  3. Associating with OAM Server: Occurs during WebGate registration (task 2 of this sequence).

  4. Installing: Install the 10g WebGate in front of the application (or for Fusion Middleware, in front of the WebLogic Server).

  5. Language Packs: 10g WebGate Language Packs are supported with Access Manager.

  6. Web Server Configuration: Copy Access Manager generated files to the WebGate installation directory path to update the Web server configuration.

  7. Certificate Installation: Copy files to the WebGate installation directory path.

  8. Forms: 10g forms provided with 10g WebGates cannot be used with 11g OAM Servers.

    Using 10g WebGates with 11g OAM Servers is similar in operation and scope to a resource WebGate (one that redirects in contrast to the Authentication WebGate). With a 10g WebGate and 11g OAM Server, the 10g WebGate always redirects to the 11g credential collector which acts like the authenticating WebGate.

  9. Single Log Out: Configure using information.

    See Configuring Centralized Logout for Sessions Involving 11g WebGates.

  10. Multi-Domain Support: Does not apply with Access Manager 11g.

10g WebGates in 10g Deployments:

  1. Packages: 10g WebGate installation packages are found on media and virtual media that is separate from the core components.

  2. Provisioning: Before installation, you create a WebGate instance in the Access System Console.

  3. Associating with AAA: Before installation, you associated the WebGate with an Access Server in the Access System Console.

  4. Installing: Using 10g WebGate packages.

  5. Language Packs: 10g WebGate Language Packs could be installed during WebGate installation (or later).

  6. Web Server Configuration: Automatic during WebGate installation (or manually after WebGate installation).

  7. Certificate Installation: You copied files to the WebGate installation directory path.

  8. Forms: Were provided for use in 10g deployments.

  9. Centralized Log Out for Oracle Access Manager 10g.

  10. Multi-Domain Support: Could be configured for Oracle Access Manager 10g.

The following overview lists the topics that describe 10g WebGate installation and registration tasks for Access Manager 11g in detail.

30.2.3.1 Task Overview: Registering and installing a 10g WebGate for Access Manager 11g

You must complete all the following procedures for a successful operation with Access Manager 11g:

  1. Registering a 10g WebGate:

  2. See Locating and Downloading 10g WebGates for Use with Access Manager 11g

  3. See Configuring Centralized Logout for 10g WebGate with 11g OAM Servers

  4. Optional: Deploying Applications in a WebLogic Container.

    See Securing Applications with Oracle Platform Security Services.

30.2.4 About Centralized Logout with 10g OAM Agents and 11g OAM Servers

Logout is initiated when an application causes the invocation of the logout.html file configured for any registered 10g WebGate.

Generally speaking, during centralized logout with 10g WebGates the SSO Engine receives a user-session-exists request. The Session Management Engine looks up the session and responds that the session exists. The SSO Engine sends a Clear Session request. The Session Management Engine clears the token and session context. The SSO Engine sends a Session Cleared response.

Clearing the user token and the session context clears the server-side state, which includes clearing the OAM_ID cookie set on the server side. When the agent is notified, the agent clears the client-side state of the application. For more information, see Configuring Centralized Logout for 10g WebGate with 11g OAM Servers.
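A way to confirm from the client side that a centralized logout left no session cookie live, given the Set-Cookie headers captured from the logout exchange. This is an added example, not Oracle code; the cookie name ObSSOCookie, the "loggedout" marker value, and all function names are assumptions not taken from this page.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Assumptions: OAM_ID is named on this page; ObSSOCookie (the 10g WebGate
# session cookie) and the "loggedout" marker are not. Adjust to your site.
SESSION_COOKIES = ("OAM_ID", "ObSSOCookie")
CLEARED_VALUES = {"", "loggedout"}

# Constructed sample: Set-Cookie values captured from a logout exchange.
SAMPLE_LOGOUT = [
    "OAM_ID=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly",
    "ObSSOCookie=loggedout; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    pairs = (p.partition("=") for p in parts[1:])
    attrs = {k.strip().lower(): v.strip() for k, _, v in pairs}
    return name.strip(), value.strip().strip('"'), attrs


def is_cleared(value, attrs, now):
    """True if this Set-Cookie blanks or expires the cookie."""
    if value in CLEARED_VALUES:
        return True
    if "max-age" in attrs:  # Max-Age takes precedence over Expires
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):  # unparseable date: not cleared
            return False
    return False


def live_after_logout(seen_at_login, logout_set_cookies, now=None):
    """Return the session cookies the logout exchange failed to clear."""
    now = now or datetime.now(timezone.utc)
    state = {n: False for n in seen_at_login if n in SESSION_COOKIES}
    for header in logout_set_cookies:
        name, value, attrs = parse_set_cookie(header)
        if name in state:
            state[name] = is_cleared(value, attrs, now)  # last header wins
    return sorted(n for n, cleared in state.items() if not cleared)
```

A session cookie that was present at login but never appears in the logout responses is reported as still live, which is the case to look for when one agent's client-side state was not cleared.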