Oracle Adaptive Access Manager Questions & Answers

Oracle Adaptive Access Manager:

Q: What is auto-learning?
A: Auto-learning is a set of functions in OAAM that profiles behavior. The behavior of users, devices and locations themselves are recorded and used to evaluate current behavior. For example, OAAM can profile a user based on login time. If John logs in between 8am – 10am 87% of the time then the risk level is elevated if he is attempting to login at 2am. In other words he is outside of his normal login time profile.

Q: How can OAAM prevent phishing?
A: There are a number of anti-phishing features of OAAM. Phishing attacks are often aimed at credential theft. A Phishing site will usually send the users to the real site once they steal their credentials so the user does not suspect anything has gone wrong. When this happens OAAM can recognize that the user is coming from a referral URL not sanctioned by the bank. When OAAM sees this it can add the user to a “Blacklisted ” group. Users of this group will need to answer security questions while attempting transactions.

Q: What are different keystores used in OAAM?
A: There are 3 keystores, System, Database and SOAP/WebServices. Encryption of SOAP keystore is optional.

  1. System Keystore: Used for encrypting properties and other non-db related data
  2. Database: VCryptPassword and Transaction tables. Containing data such as password, PIN, Transaction data (like credit card #, etc)…
  3. SOAP/WebServices: On the client side to authenticate Web Services request

Q: Can OAM provide SSO access to the OAAM admin console application? 
A: Yes, OAAM Admin is a standard web application and uses container provided Authentication out of the box.

This is pretty much standard integration for OAM that we support for any custom application. This case is simply more special because the custom application turns out to be OAAM.

Share This Post with Your Friends over Social Media!

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog:

Leave a Comment:

Rajeev says October 20, 2010

Can OAAM provide all the functionality provided by OAM?I understand it provide some additional functionalities like Fraud management and Real time risk assessment.
The objective is-Can i replace OAM with OAAM?

Atul Kumar says October 20, 2010

@ Rajeev,
No OAAM can’t provide all functionality of OAM. These two provide different functionality however some of functions are common in two.

Mahendra says October 20, 2010


As Atul said, you cannot replace OAM with OAAM. This is because OAAM is used for fraud prevention and OAM is used for web access control mechanism. Both are two different leaves altogether.


» Oracle Adaptive Access Manager (OAAM) for beginners Online Apps DBA: One Stop Shop for Apps DBA’s says May 19, 2012

[…] OES, OIF, eSSO, OpenSSO Fedlet, OWSM, and STS ).  To know more about OAAM check Mahendra’s post and for OAAM version my previous post here. For list of all Oracle Identity and Access […]

Mick says May 21, 2012

Can the case management module in OAAM be made to integrate to OCH, so that customer details (name, address, etc) need not be copied to the OAAM database when a case is created, but instead only accessed via service calls from the case management screens? The customer details are not required for any of the detection rules.

carmel says February 27, 2014

Hello Mahendra,

I come along your good posts and I need to clarify for the exam preparation one question please:

1z0-459 exam question) To keep a OIM deployment secure you should have a user set for receiving questions and answers , however this behavior need to be changed when you are using OAAM settings. How can you change this behavior in OIM?

Looking forward to hear from you! thanks!

Mahendra says February 27, 2014


OIM by default provides challenge questions for secure login. You don’t need OAAM. If your OIM web application is accessed by your organization or external users to perform some job (like self service requests etc.,) and you wish to enforce runtime checks such as fingerpriting etc., then you can use OAAM.



carmel says February 27, 2014

Hi Mahendra,

we want to use OAAM to enforce security for an user , same way like the regular one that uses Q&A’s from OIM.

But how to enforce this security ?
what features/benefits brings OAAM for this enhancement?

Can you share with me also a link with documentation besides your comments ?

Thanks !

carmel says February 28, 2014

Hello Mahendra and Atul,

thank you for comments, really appreciate it since I will write the exam by next month:

I want to know more about integration OPAM with OIA (if I am correct here about OIA or OIM is the integration possible)

what set of tasks must be performed on OPAM when integrate OPAM with OIA?

Thanks and Regards!

    Atul Kumar says March 1, 2014

    You integrate OPAM with provisioning server like OIM or other business applications that uses superusers like EBS, AD etc

      Atul Kumar says March 1, 2014

      Just to add to previous comment, you can integrate OPAM with OIA to manage OIA system accounts but there are no step by step documented steps.

Add Your Reply