5.1 Data Sources for Oracle Access Management

Oracle Access Management supports several types of data sources that are typically installed for the enterprise.

Table 5-1 describes each data source; each is a storage container for one of the various data types.

Table 5-1 Data Sources for Oracle Access Management

Data Source Description

Database

A collection of information that is organized and stored so that its content can be easily accessed, managed, and updated.

  • Access Manager policy data, including password management data, must be stored in a database that is extended with the Access Manager-specific schema and registered with Access Manager.

    See Managing the Policy and Session Database.

  • Session Store: By default, Access Manager session data is stored in in-memory caches that are migrated to the policy store. In production environments, you can have an independent database for policy data and another for session data.

    For details about sessions and session data, see Maintaining Access Manager Sessions.

  • Audit Store: Audit data can be stored either in a file or in a separate database (not the policy store database).

    For information on auditing administrative and run time events, see Auditing Administrative and Run-time Events.

User Identity Store

Central LDAP storage in which an aggregation of user-oriented data is kept and maintained in an organized way. (Access Manager does not include identity services; there is no native user, group, or role store.) The identity store must be installed and registered with Access Manager to enable authentication when a user attempts to access a protected resource (and during authorization, to ensure that only authorized users can access a resource). During the initial deployment process, described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management, the embedded LDAP store is used as the User Identity Store.

Oracle recommends that you use only the Oracle Access Management Console or WebLogic Scripting Tool (WLST) commands for changes; do not edit oam-config.xml.

By default, Access Manager uses the Embedded LDAP in the WebLogic Server domain as the user identity store. However, a number of other external LDAP repositories can also be registered as user identity stores. In this case, one store must be designated as the System Store that contains Administrator roles and users.

Oracle Access Management configuration data file: oam-config.xml

During the initial deployment process, described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management, Oracle Access Management configuration data is stored in an XML file: oam-config.xml.

See "oam-config.xml Configuration Data File".

Keystores

Several keystores are associated with Oracle Access Management services as described in "Introduction to Oracle Access Management Keystores".

  • Embedded Java Keystore: Used for certificates for Simple or Certificate-based communication between OAM Servers and Webgates. The keystore bootstrap occurs upon initial AdminServer startup after running the Configuration Wizard.

    See: "Access Manager Security Keys and the Embedded Java Keystore"

  • Security Token Service Keystores: Access Manager and Security Token Service keystore should always be different. For more information, see "Access Manager Keystores".

  • Identity Federation Keystores: Keystore settings enable you to create aliases (a shorthand notation) for keys in the keystore.

    See: "Identity Federation Keystore"

Table 5-2 contains the Oracle Access Management services and links to information about the data sources used for each.

Table 5-2 Data Sources for Oracle Access Management Services

Service Description

Access Manager

Access Manager supports multiple Identity Stores and provides SSO authentication using data sources:

Identity Federation

Identity Federation supports multiple Identity Stores which can be assigned on a per Identity Partner basis. Each Identity Store must be registered with Access Manager. If no Identity Store is defined in the Identity Partner, the designated Default Store is used.

Security Token Service

Security Token Service uses only the designated Default Store for user identities.

Mobile and Social

Mobile and Social provides its own Identity Directory Service configuration that points to directory servers for user authentication and/or user profile services. There is no dependency on the global data sources upon which Access Manager and other Oracle Access Management services rely.

See Also:

The following sections contain additional details.

5.1.1 oam-config.xml Configuration Data File

Oracle Access Management provides an XML file (oam-config.xml) containing all Access Manager-related system configuration data. Any changes made to the Access Manager deployment configuration, including server and agent registration, are stored in oam-config.xml and are automatically propagated to each Access Manager server. Each Access Manager server has a local copy of the latest configuration XML file. Whether you have failover configured in a high-availability environment or not, all Access Manager servers always have the latest oam-config.xml file.

Oracle recommends not editing oam-config.xml directly. Manual changes to this file could result in lost data or overwriting of the file during data sync operations. However, if you must edit oam-config.xml, use the following guidelines:

  • Back up oam-config.xml (located in $DOMAIN_HOME/config/fmwconfig/) and store the copy in a different location in case it is needed.

  • Make your changes on the node running the AdminServer to minimize possible conflicts with changes that another AdminConsole user might make.

  • If Access Manager Servers are running, increment the configuration version number at the top of the file to associate your change and enable automatic propagation and dynamic activation across all OAM Servers. For example, see the next-to-last line of the following snippet (existing value + 1):

    <Setting xmlns="http://www.w3.org/2001/XMLSchema"
      Name="NGAMConfiguration" Type="htf:map">
      <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting>
      <!-- top-level configuration version: increment this value by 1 -->
      <Setting Name="Version" Type="xsd:integer">2</Setting>
    </Setting>

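The three guidelines above (back up the file, edit it, increment the top-level Version) can be carried out as one scripted step. The following is an added example, not Oracle's own tooling or anything shipped with Oracle Access Management: it copies an oam-config.xml-style file to a backup directory and then increments only the Version setting that is a direct child of the NGAMConfiguration map, leaving Version entries inside nested maps untouched. The file layout is assumed from the snippet in this section; the nested map name ExampleNestedMap, the sample content and the temporary paths are constructed for the demo.

```python
"""Added example (not Oracle's tooling): back up an oam-config.xml-style file and
increment its top-level Version setting, as the guidelines above require before
a manual edit.  Layout assumed from the snippet in this section; sample content
and paths are constructed."""
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed sample mirroring the top of oam-config.xml as shown in this section.
# The nested ExampleNestedMap (a made-up name) carries its own Version entry so the
# demo can show that only the top-level Version is bumped.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Setting xmlns="http://www.w3.org/2001/XMLSchema" Name="NGAMConfiguration" Type="htf:map">
  <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting>
  <Setting Name="Version" Type="xsd:integer">2</Setting>
  <Setting Name="ExampleNestedMap" Type="htf:map">
    <Setting Name="Version" Type="xsd:integer">7</Setting>
  </Setting>
</Setting>
"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}Setting' -> 'Setting'."""
    return tag.rsplit("}", 1)[-1]


def top_level_version(root):
    """Return the <Setting Name="Version"> that is a direct child of NGAMConfiguration.
    Nested maps carry their own Version entries; those are deliberately ignored."""
    if _local(root.tag) != "Setting" or root.get("Name") != "NGAMConfiguration":
        raise ValueError("root element is not the NGAMConfiguration map")
    for child in root:
        if (_local(child.tag) == "Setting" and child.get("Name") == "Version"
                and child.get("Type") == "xsd:integer"):
            return child
    raise ValueError("no top-level Version setting found")


def read_version(path):
    """Current top-level configuration version of the file at path."""
    return int(top_level_version(ET.parse(path).getroot()).text.strip())


def bump_config_version(config_path, backup_dir):
    """Copy config_path into backup_dir, then increment the top-level Version in place.
    Returns (old_version, new_version, backup_path)."""
    config_path = Path(config_path)
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup_path = backup_dir / (config_path.name + ".bak")
    shutil.copy2(config_path, backup_path)      # back up first, as the guidelines require

    ET.register_namespace("", XSD_NS)           # keep the default xmlns on output
    tree = ET.parse(config_path)
    version = top_level_version(tree.getroot())
    old = int(version.text.strip())
    version.text = str(old + 1)                 # existing value + 1
    tree.write(config_path, encoding="UTF-8", xml_declaration=True)
    return old, old + 1, backup_path


def demo():
    """Run the procedure on the constructed sample in a throwaway directory
    laid out like $DOMAIN_HOME/config/fmwconfig/."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "fmwconfig" / "oam-config.xml"
        cfg.parent.mkdir()
        cfg.write_text(SAMPLE_CONFIG, encoding="UTF-8")
        old, new, backup = bump_config_version(cfg, Path(tmp) / "backups")
        # every Version entry in document order: top-level first, then the nested one
        all_versions = [s.text for s in ET.parse(cfg).getroot().iter()
                        if s.get("Name") == "Version"]
        return {"old": old, "new": new,
                "backup_version": read_version(backup),
                "file_version": read_version(cfg),
                "all_versions": all_versions}


if __name__ == "__main__":
    print(demo())
```

Run it against a real deployment only on the AdminServer node and with the backup directory outside $DOMAIN_HOME, which is what the guidelines above ask for; the backup is taken before the file is rewritten, so a failed parse leaves the original untouched.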

5.1.2 About the Default LDAP Group

The default LDAP group, Administrators, is set during initial deployment using the Oracle Fusion Middleware Configuration Wizard.

For more information, see "About Oracle Access Management Administrators".