28 comments
[…] I am going to use this ADAM (Active Directory Application Mode) instance as directory store for Oracle Access Manager’s (OAM) Policy and Configuration […]
[…] discussed in my previous post “Introduction to Oracle Access Manager“, OAM consists of Identity System(Identity Server, WebPass) and Access System(Policy Manager, […]
We currently have the following setup:
Apache Server 2.0 (installed with webgate plugin) ---[mod_wl_20.so weblogic proxy plugin]---> Weblogic Cluster (9.2.1)
Here the apache web server and backend weblogic are being administered by us. The webgate plugin installed on our apache web server communicates with backend WebGate/Access servers which are managed by Identity/Management group.
Recently the Identity/Management group wanted us to eliminate our apache web server because they had their webgate running on their apache server which has mod_wl plugin installed and capable of redirecting to our weblogic cluster. This way they can centralize the webgate plugin and manage all the different applications.
However we do not want to relinquish our apache server and are looking at alternatives. We found a solution and asked the Identity/Management team to use ProxyPass / ProxyPassReverse apache directives to redirect the user requests to our apache server instead of the weblogic cluster. This way we still have our apache servers arbitrating requests to backend weblogic. In this scenario, the user requests traverse the following path:
user request ---> Webgate Reverse Proxy (managed by Identity/mgmt group) ---ProxyPass/ProxyPassReverse---> Apache web server (installed with mod_wl) ---> Weblogic Cluster.
However we are discovering some issues. For instance, we have some application scenario where the backend weblogic server works on a user’s request for nearly six minutes (360 seconds). In our Apache web server we have made changes to accommodate this scenario and prevent any timeout. However the predecessor webgate proxy server has apache which has a default ‘Timeout’ set to 300 (5 minutes). Because of this the connection is reset even though the backend weblogic is working on the request. This webgate reverse proxy server, managed by the other group, needs this Timeout to be increased. However if they did that it would affect the whole Apache container, and there is a whole set of other applications which would be affected.
So is there a way to overcome this?
I am curious if we can configure the webgate reverse proxy server to hand off the whole control to our apache web server once the login/policy information is retrieved and ObSSOCookie with the session token is set. Maybe use RedirectMatch or Rewrite instead of “ProxyPass/ProxyPassReverse” so that we do not have to go to the webgate reverse proxy server once the user is authenticated successfully.
Please let me know if you have any ideas.
P.S: we do not use Webgate for authorization. We have our own application which does that task.
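The timeout problem described in the comment above, as an added configuration example that is not part of the comment or of any Oracle documentation. It assumes the WebGate reverse proxy runs Apache httpd 2.2 or later (where `ProxyPass` accepts `timeout=`); the host name, the `/reports/` path and the value 420 are placeholders.

```apache
# Constructed example for the WebGate reverse proxy in the comment above.
# Assumptions (not from the comment): Apache httpd 2.2+ on the proxy,
# the slow application is served under /reports/, and
# app-apache.example.internal stands in for the downstream Apache
# server that carries mod_wl.

# Container-wide value stays untouched, so every other application
# behind this proxy keeps the 5-minute limit.
Timeout 300

# Before: the route inherits the 300-second wait (ProxyTimeout defaults
# to Timeout), so a 360-second backend request is reset.
# ProxyPass        /reports/ http://app-apache.example.internal/reports/
# ProxyPassReverse /reports/ http://app-apache.example.internal/reports/

# After: timeout= applies to this backend worker only. 420 seconds
# leaves headroom over the 360-second job.
ProxyPass        /reports/ http://app-apache.example.internal/reports/ timeout=420
ProxyPassReverse /reports/ http://app-apache.example.internal/reports/

# All other paths keep the default wait. The more specific ProxyPass
# must come first, because the first matching rule wins.
ProxyPass        / http://app-apache.example.internal/
ProxyPassReverse / http://app-apache.example.internal/
```

Scoping the longer wait to one path keeps the shorter limit on the rest of the container, which bounds how long slow or stalled connections can hold proxy workers.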
I would like to develop a Web application that calls Identity functions through Identity XML, but it seems that the folder Samples containing the sample code for invoking Web services using Java and .NET here:
WebPass_install_dir\oblix\WebServices\CompositeWebServices\
is missing. Does anyone know where I can find it?
Thanks
Atul,
This is a good article. By any chance do you know what is the latest OAM release and its corresponding components? Basically, what kind of http server is needed, what versions of components are needed, etc.? Looking for all the components needed to get OAM working.
Thanks in advance. Appreciate your help.
@ Paul,
Latest OAM version is 11.1.1.3 and there is no identity server or webpass. Check difference between OAM 10g & 11g at http://onlineappsdba.com/index.php/2010/09/01/changes-in-oracle-access-manager-11g-r1-11113/
Components of OAM 11g are :
1. Database (configuration is now stored in database)
2. WebLogic Server (application server on which oam server runs)
3. Identity and Access Software (this contains binaries/software for OAM)
4. RCU – Repository Creation Utility to create OAM schema (search this site to know more about RCU)
For step by step installation of OAM 11g check http://onlineappsdba.com/index.php/2010/08/05/oracleidm-11g-step-by-installation-of-oam-oim-oaam-oapm-oin-111130-part-i-load-schema/
(Ignore steps related to SOA and OIM, if you need just OAM)
Hi…
Atul
I want to upgrade my OAM 10.1.4.0.1 to OAM 10.1.4.0.4. In your previous comment you mentioned: why install 10.1.4.0.1 when you can directly install 10.1.4.0.3. But my task is to upgrade from OAM 10.1.4.0.1 to OAM 10.1.4.0.4, so can you please provide the necessary document, if present.
@ MohanKumar,
What is your O.S. ?
As far as I know there was BP 03 which you can apply on top of 10.1.4.0.1 to make it 10.1.4.0.4 but that is just for Solaris and available via patch 7135436
Check note number 736372.1 OAM Bundle Patch Release History for more information on patches and release of OAM
@Atul..
Thank you..
My O.S. is Solaris,
using Microsoft AD 2003,
and all the rest, i.e. identity server, webpass etc., are all 10.1.4.0.1 and need to be upgraded to 10.1.4.0.3.
Mohankumar said,
in May 20th, 2011 at 12:29 am
Hi…
Atul,
In my previous comment I mentioned that I need to upgrade from 10.1.4.0.1 to 10.1.4.0.4, but I am sorry, I need to upgrade from 10.1.4.0.1 to 10.1.4.0.3, and in the above comment I mentioned the details.
Hi…
Atul,..
Sorry for the wrong comments I have made. I will make sure that this time I won’t repeat it. Thank you for your valuable comments.
Hi..,
Atul Kumar..
I installed OAM identity server (10.1.4.0.1) with Microsoft AD 2003. Now I want to upgrade OAM identity server (10.1.4.0.1) to (10.1.4.0.3). Would I get any problem with my Active Directory? Can you please provide how to upgrade?
@ Manikanth,
Do you want to go to 10.1.4.0.3 or 10.1.4.3 (This is terminal release for 10g OAM)
For 10.1.4.0.3 upgrade patch check note Manikanth
Hi..,
Atul Kumar..
Hi, thanks for your reply, Atul. Sorry for my wrong post, I want to upgrade from OAM 10.1.4.0.1 to 10.1.4.3 only.
I have some information regarding that. Could you please tell me whether it is correct or not, and can you provide me any document, if there is one, and where I can download the patches?
step: 10.1.4.0.4 ---> remove bps ---> 10.1.4.2 ---> 10.1.4.3 ---> apply latest bp
@ Manikanth
Check this OAM 10g Upgrade Guide at http://download.oracle.com/docs/cd/E15217_01/doc.1014/e12495/scenario.htm#CEGJDFAG
@ dxodonn,
For detailed setup to protect site, you can look at Chapter 5, 6 & 7 of my book https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book
Hi Atul
Your updates are awesome, I was wondering if you could direct me to a more detailed setup for
For example, there are two types of users, internal users and external users; probably internal users are employees and external users are customers. I have two separate web applications, one for internal users and the other for external users, with two different schemas. Let's say the internal app contains a go page in which they will have all the links regarding the company, and there is also a support site which is an external users' app. So my question is: using OAM, can we provide sign on to..?
1. When the internal user logs in to the system using IWA and accesses the external app (support site), as the second app is protected it prompts for authentication, but as the internal user is already authenticated using IWA he should be directly redirected to the second app's home page.
2. Here in this situation the internal app login credentials are entirely different from the external app credentials, i.e. internal users log in using their employee credentials whereas the external users log in using a valid mail address.
3. As the entire schema values are different for the two apps, can we do this by installing two Oracle Access Managers, say OAM 1 for internal users and OAM 2 for external users? If this happens, while authenticating internal users oamserver1 generates the ObSSO cookie; when the same user tries to access the second app from the same browser (protected by oamserver2), will he be directly redirected to the second app's home page using the previous cookie, as this is done in the same browser?
Could you please help to solve this issue
[…] type of components Identity System and Access System. For OAM 10g architecture and components click here . In OAM 11g, there is NO identity system (Identity functions in OAM 11g are moved to another […]
Hi Atul,
Having a few questions on OAM 10g :
1) No Error in Access Server Log File, Webgate/Apache log file, but when the user is requesting a page, it is hanging. Restart of access Server Help? What may be the reason? Lots of stale connections, Load on Access Server. Access server is not accepting the connections.
2) With the Policy Definition, even to access a page the first time, does the access server come into the picture? Is it necessary that the web gate communicates with the Access Server?
I know for User Authentication and Authorization it comes into the picture.
Atul,
I see two products from Oracle for SSO, OAM and ESSO.
With further reading it suggests that OAM is for web based applications and ESSO is for web based and non-web based applications.
I am terribly confused between these two.
Can you suggest something between the two, like where OAM should be used and where ESSO should be used?
Thanks,
Mann
Atul,
We are at a stage to decide whether to use OAM 10g or 11g, but can you please help me with how that can be integrated with Websphere Application Server with portal 8.0 version.
In case you have any blog/link/documentation which explains how to set it up and also how it works, it will be of good help to me.
regards
Prashanth
Atul:
Good book on OAM. Question please; I want to pull Logon Failures on OAM from IAU_BASE, do you have a way and an example on how to write the SQL scripts to do this?
Thanks.
Randolph.
[…] Introduction to Oracle Access manager : Identity and … – Introduction to Oracle Access manager : Identity and Access System – WebPass , Webgate, Policy Manager […]
Can you provide video materials for Oracle Identity and Access Manager?
I want training, please send me your phone number vijayannangi1@gmail.com