1 Introducing Oracle Access Management

Oracle Access Management provides an enterprise-level security platform, which comprises Oracle Access Manager and many incorporated services including (but not limited to) Identity Federation and Identity Context

The following topics provide a high-level overview of the Oracle Access Management architecture and services:

1.1 Understanding Oracle Access Management Services

Oracle Access Management is a Java, Enterprise Edition (Java EE)-based enterprise-level security application that provides a full range of Web-perimeter security functions and Web single sign-on services including identity context, authentication and authorization; policy administration; testing; logging; auditing; and more.

It leverages shared platform services including session management, Identity Context, risk analytics, and auditing, and provides restricted access to confidential information. Many existing access technologies in the Oracle Identity Management stack converge in the Oracle Access Management stack as illustrated in Figure 1-1.

Figure 1-1 Oracle Access Management Overview

Description of Figure 1-1 follows
Description of "Figure 1-1 Oracle Access Management Overview"

Oracle Access Management includes these services.

1.2 Understanding Oracle Access Management Access Manager

Oracle Access Management Access Manager (Access Manager) is the former (standalone) product named Oracle Access Manager. Access Manager, it provides the Oracle Fusion Middleware single sign-on (SSO) solution. It operates independently or with the Access Manager Authentication Provider.

Access Manager SSO allows users and groups to access multiple applications after authentication, eliminating the need for multiple sign-on requests. To enable SSO, a Web server, Application Server, or any third-party application must be protected by a WebGate that is registered as an agent with Access Manager. Administrators then define authentication and authorization policies to protect the resource. To enforce these authentication policies, the agent acts as a filter for HTTP requests.


WebGates are agents provided for various Web servers by Oracle as part of the product. Custom access clients, created using the Access Manager SDK, can be used with non-Web applications. Unless explicitly stated, information in this book applies equally to both.

You can also integrate any Web applications currently using Oracle ADF Security and the OPSS SSO Framework with Access Manager. (See Integrating Oracle ADF Applications with Access Manager SSO.) The following sections contain more details on Access Manager.

See Also:

Authentication Basics in Securing Applications with Oracle Platform Security Services

1.2.1 About Components in Access Manager

Access Manager sits on an instance of Oracle WebLogic Server and is part of the Oracle Fusion Middleware Access Management architecture.

Figure 1-2 illustrates the primary Access Manager components and services. The Protocol Compatibility Framework interfaces with OAM WebGates, and custom Access Clients created using the Access Manager Software Developer Kit (SDK).


This section does not illustrate or discuss all Access Manager components.

Figure 1-2 Access Manager Components and Services

Description of Figure 1-2 follows
Description of "Figure 1-2 Access Manager Components and Services"

Figure 1-3 illustrates the distribution of Access Manager components.

Figure 1-3 Access Manager Component Distribution

Description of Figure 1-3 follows
Description of "Figure 1-3 Access Manager Component Distribution"

The Oracle Access Management Console resides on the Oracle WebLogic Administration Server (referred to as AdminServer). WebLogic Managed Servers hosting OAM runtime instances are known as OAM Servers. Information shared between the two includes:

  • Agent and server configuration data

  • Access Manager policies

  • Session data (shared among all OAM Servers)

Policy Manager Console can optionally be deployed on the WebLogic Managed Servers. See Oracle Access Management Console and the Policy Manager Console for details.

1.2.2 Understanding Access Manager Deployments

Your enterprise may have more than one Oracle Access Manager deployments. Irrespective of the deployment size, the configuration wizard installs various components in a newly created WebLogic Server domain.

Table 1-1 describes the types of deployments in which Access Manager might be installed by your enterprise.

Table 1-1 Access Manager Deployment Types

Deployment Type Description

Development Deployment

Ideally a sandbox-type setting where the dependency on the overall deployment is minimal

QA Deployment

Typically a smaller shared deployment used for testing

Pre-production Deployment

Typically a shared deployment used for testing with a wider audience

Production Deployment

Fully shared and available within the enterprise on a daily basis

During initial installation and configuration of Access Manager in your deployment, you create a new WebLogic Server domain (or extend an existing domain). Regardless of the deployment size or type, in a new WebLogic Server domain, the following components are installed using the Oracle Fusion Middleware Configuration Wizard.

  • WebLogic Administration Server


    In an existing WebLogic Server domain, the WebLogic Administration Server is already installed and operational.

  • Oracle Access Management Console deployed on the WebLogic Administration Server

  • A WebLogic Managed Server for Oracle Access Management services

  • Application deployed on the Managed Server

See Also:

Understanding Oracle WebLogic Server Domains in Understanding Domain Configuration for Oracle WebLogic Server

Once the domain is configured, additional details are defined for OAM Servers, Database Schemas, (optional) WebLogic Managed Servers and clusters, and the following store types:

  • Policy Store: The default policy store is file-based for development and demonstration purposes, and is not supported in production environments. All policy operations and configurations are performed directly on the database configured as the policy store in production environments.

  • Identity Store: The default Embedded LDAP data store is set as the primary user identity store for Access Manager.

  • Keystore: A Java keystore is configured for certificates for Simple or Certificate-based communication between OAM Servers and WebGates during authorization. The keystore bootstrap also occurs on the initial AdminServer startup after running the Configuration Wizard.

1.3 System Requirements and Certification

Ensure that your environment meets the system requirements such as hardware and software , minimum disk space, memory, required system libraries, packages, or patches before performing any installation.

Refer to the system requirements and certification documentation on Oracle Technology Network (OTN) for information about hardware and software requirements, platforms, databases, and other information.

The system requirements document covers information such as hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches:


The certification document covers supported installation types, platforms, operating systems, databases, JDKs, and third-party products:


1.4 Understanding Oracle Access Management Installation

Using the Oracle Fusion Middleware Configuration Wizard deploy components for a new domain and perform post-installation tasks.

The following sections contain information and links regarding Access Manager installation and post-installation tasks.

1.4.1 About Oracle Access Management Installation

The Oracle Fusion Middleware Supported System Configurations document provides certification information on supported installation types, platforms, operating systems, databases, JDKs, and third-party products related to Oracle Identity Management

You can access the Oracle Fusion Middleware Supported System Configurations document by searching the Oracle Technology Network (OTN) Web site using the document name, or click the link below.


Using the Oracle Fusion Middleware Configuration Wizard, the following components are deployed for a new domain:

  • WebLogic Administration Server

  • Oracle Access Management Console deployed on the WebLogic Administration Server (sometimes referred to as the OAM Administration Server, or simply AdminServer)

  • A Managed Server for Oracle Access Management

  • An application deployed on the Managed Server

See About the Oracle Identity and Access Management Installation in Installing and Configuring Oracle Identity and Access Managementfor details on installation.

1.4.2 About Oracle Access Management Post-Installation Tasks

Each WebLogic Server domain is a logically related group of Oracle WebLogic Server resources. WebLogic administration domains include a special Oracle WebLogic Server instance called the Administration Server. Usually, the domain includes additional Oracle WebLogic Server instances called Managed Servers, where Web applications and Web Services are deployed.

During initial deployment, the WebLogic Administrator userID and password are set for use when signing in to both the Oracle Access Management and WebLogic Server Administration Console. A different Administrator can be assigned for Oracle Access Management, as described in "About Oracle Access Management Administrators". Administrators can log in and use the Oracle Access Management Console for the post-installation tasks documented in Table 1-2.

Table 1-2 Oracle Access Management Post-Installation Tasks

Service Requirements

Access Manager

Enable Access Manager Service


  • Data sources

  • OAM server instances

  • Agents for Access Manager

  • Application domains and policies that protect resources


  • Common settings, including session-timing

  • Certificate validation

  • Common password policy

Configure Access Manager settings

Identity Federation

  • Enable Identity Federation Service

  • Configure federation settings

  • Register identity provider and service provider partners