This post covers overview of Policy Enforcement Points (known as Agents) in OAM 11g. For Step by Step installation of OAM 11g click here and to know about changes in Access Manager (OAM) 11g click here

Agent in OAM 11g : is Policy Enforcement Point (PEP) registered with  WebServer (Apache, OHS, IBM HTTP Server), Application Server (WebLogic…) or third party application to protect using Oracle Access Manager 11g.  Example of OAM 11g Agent (aka Policy Enforcement Agents) are WebGate, AccessGate, OSSO Agent and IDM Domain Agent

a) WebGate: WebGate is pre-packaged webserver plug-in to protect web-server via OAM11g. There are two versionof WebGate i.e. 10g WebGate and 11g WebGate . OAM 11g server supports both 10g WebGate and 11g WebGate

b) AccessGate : is custom access client developed using AccessSDK to protect non web-based applications protected by OAM 11g

c) mod_osso or OSSO agent: Agents introduced in OAM 11g for Oracle AS 10g SSO (Single Sign-On)

d) IDM Domain Agent :  IDM Domain agent provides SSO for OAM Console and other IDM consoles (OIM, OAAM..) deployed on WebLogic Domain in Identity Management 11g.



Key points for OAM 11g Agents
1. A Web server, Application Server, or any third-party application must be protected by a WebGate, mod_osso or AccessGate instance that is registered with Oracle Access Manager as an agent.

2. Agent (access gate/webgate/mod_osso) communicate with OAM Server (in OAM 10g this is Access Server) to check protected resource and configured access policies

3. Individual agents must be registered (from OAM console or Remote Registration Tool) with Oracle Access Manager 11g to set up the required trust mechanism between the agent and OAM Server.

4. Registering an Agent with OAM Server 11g is also known as “Registering a partner application” or “Regsitering a partner application with OAM

5. When you register an Agent, a key is created and stored at Agent side in local wallet file, and at OAM Server side in Java Key Store. There is one key-pair per Agent with exception to WebGate 10g (There is only one secret key for all 10g Webgates registered with OAM 11g)

6. On Agent registration, it create files on OAM’s WebLogic Admin Server under $DOMAIN_HOME/output/<agent_name>(ObAccessClient.xml, cwallet.sso, osso.conf, )


How various agents talk to OAM Server ?

a) WebGate 11g :After registration with OAM Server 11g, WebGate 11g directly communicates with OAM 11g server (No Proxy)

b) WebGate 10g: After registration with OAM Server 11g, WebGate 10g communicates with OAM 11g server through J2EE based OAM Proxy.

c) IDM Domain Agent: This agent is installed as part of Identity Management Domain (WebLogic Domain) and performs as an OAM 10g Agent.

d) OSSO Agent (mod_osso 10g) : After registration with OAM Server 11g, OSSO agents communicate with OAM server via OSSO Proxy (OSSO proxy converts OSSO protocol to OAM 11g authentication service protocol).



How to register Agent with OAM server ?

To register Agents you can use
a) OAM Administration Server Console: ( http://server:7001/oamconsole ) where 7001 is Admin server port for WebLogic server on which OAM server 11g is installed.

Administration Console -> System Configuration -> Agent Node

b) Command Line Tool (aka Remote Registration Tool) (Unix) or oamreg.bat (Windows) 
More on Remote Registration Tool for WebGate/Access Gate/mod_osso agent later

Related Posts for Access Manager

  1. Integration Steps – 10g AS with OAM (COREid)
  2. OAS – OAM (Access Manager / Oblix COREid) Integration Architecture
  3. Oblix COREid and Oracle Identity Management
  4. Installing Oracle Access Manager (Oblix COREid / Netpoint)
  5. Oracle Access Manager (Oblix COREid) Upgrade
  6. Access Manager: WebGate Request Flow
  7. Introduction to Oracle Access manager : Identity and Access System – WebPass , Webgate, Policy Manager
  8. Certified Directory Server (AD, OID, Tivoli, Novell, Sun or OVD) and their version with Oracle Access Manager
  9. Install Oracle Access Manager (OAM) Identity Server, WebPass, Policy Manager, Access Server, WebGate
  10. Multi-Language or multi-lingual Support/Documentation for Oracle Access Manager (OAM)
  11. OAM Policy Manager Setup Issue “Error in setting Policy Domain Root” : OAM with AD and Dynamic Auxiliary Class
  12. OAM Installation Part II – Indentity Server Installation
  13. OAMCFGTOOL : OAM Configuration Tool for Fusion Middleware 11g (SOA/WebCenter) Integration with OAM
  14. Oracle Access Manager Installation Part III : Install WebPass
  15. OAM : Access Server Service Missing when installing Access Manager with ADSI for AD on Windows
  16. OAM : Create User Identity – You do not have sufficient rights : Create User Workflow
  17. Password Policy in Oracle Access Manager #OAM
  18. Changes in Oracle Access Manager 11g R1 (
  19. Agents in OAM 11g (WebGate 10g/11g, OSSO/mod_osso, AccessGate IDM Domain agent) aka PEP (Policy Enforcement Points)
  20. How to install Patches in Oracle Access Manager 10g : Bundle Patch / BPXX
  21. Session Management in #OAM 11g : SME , Idle Timeout, Session Lifetime
  22. Part IX : Install OAM Agent – 11g WebGate with OAM 11g
  23. How to integrate OAM 11g with OID 11g for User/Identity Store
  24. How to install Bundle Patch (BP) on OAM – BP02 (10368022) OAM
  25. Error starting OAM on IBM AIX : AMInitServlet : failed to preload on startup oam java. lang. Exception InInitializer Error
  26. OAMCFG-60024 The LDAP operation failed. OAMCFG-60014 Oracle Access Manager is not configured with this directory
  27. How to Edit (create, delete, modify) Identity Store of OAM 11g from command line (WLST) – editUserIdentityStoreConfig
  28. OAM WebGate Registration RREG – Resource URL format is not valid
  29. Blank Screen on OAM 10g Identity Server Console : /identity/oblix
  30. Oracle 10g/11g webgate software download location
  31. How to find Webgate 10g/11g Version and Patches Applied
  32. OAM integration with OIF : Authentication Engine or Service Provider
  33. OAM 11g integration with Microsoft Windows Active Directory (WNA, IWA, Kerberos) for Zero Sign-On
  34. OAM 11g : How to change Security Mode (OPEN, SIMPLE, CERT) – WebGate to Access Server Communication
  35. Forgot Password link on OAM Login Page
  36. OIM-OAM-OAAM integration – Account Lockout in OAM obLoginTryCount , oblockouttime, MaxRetryLimit
  37. How to identify which LDAP (OID/AD/OVD) server OAM 11g connects to and as what user ?
  38. OAM 10g WebGate installation failed with Sorry Invalid User or Invalid Group
  39. Beware if you are running OAM in SIMPLE mode with 10g WebGate : Oracle AccessGate API is not initialized
  40. Troubleshooting : 11g WebGate with OHS 11g integrated with OAM 11g : OBWebGate_AuthnAndAuthz: Oracle AccessGate API is not initialized
  41. Deploying OAM in high availability across data centres in Active Active cluster : New Feature in OAM 11gR2 PS2
  42. New OAMConsole in OAM 11gR2 PS2 : Enabling Federation, STS, Mobile & Social in Oracle Access Management Suite
  43. OAM/WebGate troubleshooting : WebGate on Apache/OHS Unable to read the configuration file
  44. Is OAM alone enough or should I also learn OIM/SOA for Apps DBA ?