Oracle Access Management supports several types of data sources that are typically installed for the enterprise.
Table 5-1 describes each data source; a data source is a storage container for one of these types of data.
Table 5-1 Data Sources for Oracle Access Management

Data Source | Description
---|---
Database | A collection of information that is organized and stored so that its content can be easily accessed, managed, and updated.
User Identity Store | Central LDAP storage in which an aggregation of user-oriented data is kept and maintained in an organized way. (Access Manager does not include identity services; there is no native user, group, or role store.) The identity store must be installed and registered with Access Manager to enable authentication when a user attempts to access a protected resource (and during authorization, to ensure that only authorized users can access a resource). During the initial deployment process, described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management, the embedded LDAP store is used as the User Identity Store. Oracle recommends that you use only the Oracle Access Management Console or WebLogic Scripting Tool (WLST) commands for changes; do not edit oam-config.xml. By default, Access Manager uses the Embedded LDAP in the WebLogic Server domain as the user identity store. However, a number of other external LDAP repositories can also be registered as user identity stores. In this case, one store must be designated as the System Store that contains Administrator roles and users.
Oracle Access Management configuration data file: oam-config.xml | During the initial deployment process, described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management, Oracle Access Management configuration data is stored in an XML file: oam-config.xml.
Keystores | Several keystores are associated with Oracle Access Management services as described in "Introduction to Oracle Access Management Keystores".
Table 5-2 contains the Oracle Access Management services and links to information about the data sources used for each.
Table 5-2 Data Sources for Oracle Access Management Services

Service | Description
---|---
Access Manager | Access Manager supports multiple Identity Stores and provides SSO authentication using data sources:
Identity Federation | Identity Federation supports multiple Identity Stores, which can be assigned on a per Identity Partner basis. Each Identity Store must be registered with Access Manager. If no Identity Store is defined in the Identity Partner, the designated Default Store is used.
Security Token Service | Security Token Service uses only the designated Default Store for user identities.
Mobile and Social | Mobile and Social provides its own Identity Directory Service configuration that points to directory servers for user authentication and/or user profile services. There is no dependency on the global data sources upon which Access Manager and other Oracle Access Management services rely.
See Also:

- Maintaining Access Manager Sessions for details about sessions stored in-memory using Oracle Coherence and propagated to Oracle Database
- Auditing Administrative and Run-time Events for details about Audit data stored within audit files or a separate Oracle Database
The following sections contain additional details.
Oracle Access Management provides an XML file (oam-config.xml) containing all Access Manager-related system configuration data. Any changes made to the Access Manager deployment configuration, including server and agent registration, are stored in oam-config.xml and are automatically propagated to each Access Manager server. Each Access Manager server has a local copy of the latest configuration XML file. Whether or not you have failover configured in a high-availability environment, all Access Manager servers always have the latest oam-config.xml file.
Oracle recommends not editing oam-config.xml directly. Manual changes to this file could result in lost data or overwriting of the file during data sync operations. However, if you must edit oam-config.xml, use the following guidelines:
- Back up oam-config.xml in $DOMAIN_HOME/config/fmwconfig/ and store the copy in a different location for use if needed.
- Make your changes on the node running the AdminServer to minimize possible conflicts with changes that another AdminConsole user might make.
- If Access Manager Servers are running, increment the configuration version number at the top of the file to associate your change and enable automatic propagation and dynamic activation across all OAM Servers. For example, see the next to last line of this example (existing value + 1):
```xml
<Setting xmlns="http://www.w3.org/2001/XMLSchema"
         Name="NGAMConfiguration" Type="htf:map">
  <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting>
  <Setting Name="Version" Type="xsd:integer">2</Setting>
</Setting>
```
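As an added example (not code from Oracle's documentation or product), the following Python script carries out the guidelines above against a copy of oam-config.xml: it backs the file up first, rewrites only the top-level Version element to existing value + 1, then re-parses the file to confirm the change and restores the backup if the wrong element was touched. The SAMPLE content, the backup-file naming and the function names are my own assumptions; the element layout follows the excerpt above.

```python
import re, shutil, tempfile
import xml.etree.ElementTree as ET
from datetime import datetime
from pathlib import Path

NS = "http://www.w3.org/2001/XMLSchema"   # default namespace declared on the root Setting
SETTING = f"{{{NS}}}Setting"              # ElementTree's qualified tag for <Setting>

# Constructed sample mirroring the excerpt on this page; a real file is far larger.
SAMPLE = """<Setting xmlns="http://www.w3.org/2001/XMLSchema"
         Name="NGAMConfiguration" Type="htf:map">
  <Setting Name="ProductRelease" Type="xsd:string">11.1.1.3</Setting>
  <Setting Name="Version" Type="xsd:integer">2</Setting>
</Setting>
"""

def read_version(path: Path) -> int:
    """Return the integer Version held directly under the NGAMConfiguration root."""
    root = ET.parse(path).getroot()
    if root.tag != SETTING or root.get("Name") != "NGAMConfiguration":
        raise ValueError(f"{path}: root is not the NGAMConfiguration Setting")
    for child in root.findall(SETTING):   # direct children only, not nested maps
        if child.get("Name") == "Version" and child.get("Type") == "xsd:integer":
            return int(child.text.strip())
    raise ValueError(f"{path}: no top-level Version setting")

def bump_version(path: Path, backup_dir: Path) -> int:
    """Back the file up, write existing Version + 1, re-parse to confirm; return the new value."""
    old = read_version(path)
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup = backup_dir / f"oam-config.xml.{datetime.now():%Y%m%dT%H%M%S}.bak"
    shutil.copy2(path, backup)
    # Rewrite only the first matching Version element so the rest of the file stays untouched.
    pattern = re.compile(rf'(<Setting Name="Version" Type="xsd:integer">)\s*{old}\s*(</Setting>)')
    new_text, n = pattern.subn(rf"\g<1>{old + 1}\g<2>", path.read_text(encoding="utf-8"), count=1)
    if n != 1:
        raise ValueError(f"{path}: could not locate Version {old} to edit")
    path.write_text(new_text, encoding="utf-8")
    if read_version(path) != old + 1:   # wrong element hit: restore the backup and fail loudly
        shutil.copy2(backup, path)
        raise RuntimeError(f"{path}: verification failed, restored from {backup}")
    return old + 1

def demo() -> tuple:
    """Write the sample into a scratch directory and bump it once; return (before, after)."""
    workdir = Path(tempfile.mkdtemp())
    path = workdir / "oam-config.xml"
    path.write_text(SAMPLE, encoding="utf-8")
    return read_version(path), bump_version(path, workdir / "backup")
```

On a real deployment, point bump_version at $DOMAIN_HOME/config/fmwconfig/oam-config.xml on the AdminServer node and keep the backup directory outside the domain tree.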
The default LDAP group, Administrators, is set during initial deployment using the Oracle Fusion Middleware Configuration Wizard.
For more information, see "About Oracle Access Management Administrators".