Introduction to Oracle Access manager : Identity and Access System – WebPass , Webgate, Policy Manager

This post covers overview of Oracle Access Manager (Oracle’s main Single Sign-On solution for Oracle Fusion Middleware 11g ) which is one of main component from Oracle’s Identity Management stack 

.

1. Oracle Access Manager (OAM) mainly consists of two main systems

a) Identity System – to create/manage users & groups, self registration and password management. 
b) Access System – to configure single/multi domain SSO solution for Web and non-Web based applications, web pages and other resources. To configure access management (authentication and authorization) to various type of resources (applications – web or non-web based, web pages)

2. It is possible to implement only Identity System or only Access Systemor both components of Access Manager.

3. Using Access Manager’s Identity System you can –
i) Create, remove or manage identity information related to users or groups.
ii) provide delegated administration and self service on identity (users/groups/resources)
iii)use workflow engine to automate requests and approvals related to identity data
iv)Password Management – Define multiple password policy, change passwords, lost password management…
v) configure auditing and reporting on identity events

.

A. Oracle Access Manager – Identity System 

1. Oracle’s Access Manager Identity system mainly contains four applications to provide above functionality (mentioned in step 3 above)
i) User Manager – Application to add, remove or manage users.
ii) Group Manager – Application to add, delete, manage groups (static, dynamic, nested). use this application to Add/remove users from group or search members in group.
iii) Organization Manager– to manage system rules, access privileges and workflows for entire Organizations.
iv) Identity System Console – to create administrators and delegated administrator for identity system and setup identity system application including object classes and attributes.

.

oracle identity system
.

2. Oracle Access Manager’s Identity System has two sub components
i) Identity Server – stand-alone server process that communicates with Directory Server (AD, OID, Sun Directory server..)
ii) WebPass – is webserver plug-in that communicates between webserver (Apache, OHS, IIS..) and Identity Server.

Identity Server is to manage information about users, groups, and other objects stored in Directory Server.
There can be one or more identity server in Access Manager solution.
WebPass receives requests from users and forwards to identity server. After processing that request by identity server, WebPass receives reply from Identity Server and passes it to Webserver.
WebPass can connect to one to more Identity Server
Communication between WebPass and Identity Server is via Oracle’s proprietary protocol i.e. “Oracle Identity Protocol”
Communication between Identity Server and Directory server is using LDAP (Light weight Directory Access Protocol)

.

B. Oracle Access Manager – Access System

.
Oracle Access System
.

1. Consists of following four subcomponents

i) Access Server– provides dynamic policy evaluation service for web-based and non-Web resources and applications. Access server receives request from webgate or custom AccessGate, Access Server then queries LDAP server for authentication , authorization and auditing rules.

ii) WebGate – is a webserver plug-in that intercepts HTTP requests from users for web resource and forward them to access server for authentication and authorization.

iii) Policy Manager– Administrators use policy manager to define resources to be protected by Access System. Policy Manager is implemented on WebServer with WebPass and Communicates with directory server (OID, AD or iPlanet) to write policy data. Policy Manager Communicates with Access Server (using Oracle Access Protocol) to update access server for any policy modification.
– Policy Manager contains following modules
a) Authentication Module
b) Authorization Module
c) Auditing Module

d) Session Management Module

iv) Access System Console – is used to configure access server and has following tabs – System Configuration, System Management and Access System Configuration

i) System Configuration – To define
a) Master and Delegated Access Administrator
b) Resource type, Policy domain, authentication and authorization schemes

ii) System Management – to manage diagnostics, reports

iii) Access System Configuration
a) To view, add, modify or delete Access Server, Access Gate or Access Server cluster.
b) To view and modify authentication/authorization parameters ….

.

There can be one or more Access server in Access Manager solution.
– WebGate receives requests from users and forwards to Access server;After processing that request by Access Server, WebGate receives reply from Access Serverand passes it to Webserver.
– WebGate can connect to one or more Access Server
Communication between WebGate and Access Server is via Oracle’s proprietary protocol i.e. “Oracle Access Protocol”
Communication between Access Server and Directory Server is using LDAP (Light weight Directory Access Protocol)

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

follow me on:

Leave a Comment:

28 comments
» Install Active Directory Application Mode (ADAM) for Oracle Access Manager (OAM) LDAP store Online Apps DBA: One Stop Shop for Apps DBA’s says April 27, 2010

[…] I am going to use this ADAM (Active Directory Application Mode) instance as directory store for Oracle Access Manager’s  (OAM) Policy and Configuration […]

Reply
» Install Oracle Access Manager (OAM) 10.1.4.3 Identity Server, WebPass, Policy Manager, Access Server, WebGate Online Apps DBA: One Stop Shop for Apps DBA’s says May 3, 2010

[…] discussed in my previous post “Introduction to Oracle Access Manager“, OAM consists of Identity System(Identity Server, WebPass) and Access System(Policy Manager, […]

Reply
champrince says July 22, 2010

We currently have the following setup:

Apache Server 2.0 (installed with webgate plugin) ———-[mod_wl_20.so weblogic proxy plugin]———> Weblogic Cluster(9.2.1)

Here the apache web server and backend weblogic are being administered by us. The webgate plugin installed on our apache web server communicates with backend WebGate/Access servers which are managed by Identity/Management group.

Recently the Identity/Management group wanted us to eliminate our apache web server because they had their webgate running on their apache server which has mod_wl plugin installed and capable of redirecting to our weblogic cluster. This way they can centralize the webgate plugin and manage all the different applications.

However we do not want to relinquish our apache server and looking at alternatives. We found a solution and asked the identity/Management team to use ProxyPass / ProxyPassReverse apache directives to redirect the user requests to our apache server instead of weblogic cluster. This way we still have our apache servers arbitrating requests to backend weblogic. In this scenario, the user requests traverse the following path

user request —-> Webgate Reverse Proxy(managed by Identity/mgmt group) ——–ProxyPass/ProxyPassReverse——-> Apache web server(installed with mod_wl)———->Weblogic Cluster.

However we are discovering some issues. For instance, we have some application scenrio where the backend weblogic server works on a user’s request for nearly six minutes(360 seconds). In our Apache web server we have made changes to accommodate this scenario and preventing any timeout. However the predecessor webgate proxy server has apache which has a default ‘Timeout’ set to 300.(5 minutes). Because of this the connection is reset even though the backend weblogic is working on the request. This webgate reverse proxy server, managed by the other group needs this Timeout to be increased. However if they did that it would affect the whole Apache container and there are whole set of other applications which will be affected.

So is there a way to overcome this?
I am curious if we can configure the webgate reverse proxy server to handoff the whole control to our apache web server once the login/policy information is retrieved and ObSSOCookie with the session token is set. May be use RedirectMatch or Rewrite instead of “ProxyPass/ProxypassReverse” so that we do not have to go to the webgate reverse proxy server once the user is authenticated successfully.

Please let me know if you have any ideas.

P.S: we do not use Webgate for authorization. We have our won application which does that task.

Reply
cristiano says February 18, 2011

I would like to develop a WebApplication that call Identity Function Trough Identity XML, but it seems that the folder Samples containing the sample code for invoking Web services using Java and .NET here:

WebPass_install_dir\oblix\WebServices\CompositeWebServices\

Is missing Anyone know where i find it ?

Thanks

Reply
Paul says March 9, 2011

Atul,

This is a good article. By any chance do you know what is the latest OAM release and it’s corresponding components. Basically, what kind of http server needed, what versions of components needed, etc.? Looking for all the components needed to get the OAM working.

Thanks in advance. Appreciate your help.

Reply
Atul Kumar says March 9, 2011

@ Paul,
Latest OAM version is 11.1.1.3 and there is no identity server or webpass . Check difference between OAM 10g & 11g at http://onlineappsdba.com/index.php/2010/09/01/changes-in-oracle-access-manager-11g-r1-11113/

Components of OAM 11g are :

1. Database (configuration is now stored in database)
2. WebLogic Server (application server on which oam server runs)
3. Identity and Access Software (this contains binaries/software for OAM)
4. RCU – Repository Creation Utility to create OAM schema (search this site to know more about RCU)

For step by step installation of OAM 11g check http://onlineappsdba.com/index.php/2010/08/05/oracleidm-11g-step-by-installation-of-oam-oim-oaam-oapm-oin-111130-part-i-load-schema/

(Ignore steps related to SOA and OIM, if you need just OAM)

Reply
Mohankumar says May 20, 2011

Hi…
Atul

i Want to upgrade my OAM 10.1.4.0.1 to OAM 10.1.4.0.4..your previos comment you mentioned that why to install 10.1.4.0.1 directly you can install 10.1.4.0.3 but my task is to upgrade frm OAM 10.1.4.0.1 to OAM 10.1.4.0.4 so can u please provide the necessary doccument…if present

Reply
Atul Kumar says May 20, 2011

@ MohanKumar,
What is your O.S. ?

As far as I know there was BP 03 which you can apply on top of 10.1.4.0.1 to make it 10.1.4.0.4 but that is just for Solaris and available via patch 7135436

Check note number 736372.1 OAM Bundle Patch Release History for more information on patches and release of OAM

Reply
Mohankumar says May 25, 2011

@Athul..

Thank you..
my o.s is solaris..
using microsoft ad 2003
and remaining all i.e..,identity server,webpass and etc.. are all of 10.1.4.0.1 and need to upgrade to 10.1.4.0.3

Reply
Atul Kumar says May 25, 2011

@ Mohankumar,
Apply patch 7135436

Reply
Mohankumar says May 25, 2011

Mohankumar said,
in May 20th, 2011 at 12:29 am

Hi…
Atul,

As in my previous comment i mentioned that i need to upgrade from 10.1.4.0.1 to 10.1.4.0.4..but i am sorry i need to upgrade from 10.1.4.0.1 to 10.1.4.0.3..and in the above comment i mentioned the details..

Reply
Mohankumar says May 25, 2011

Hi…
Atul,..

Sorry for the wrong comments i have made..i will make sure and this time i won’t repeat back…thank u..for your valuable comments

Reply
Manikanth says May 25, 2011

Hi..,

Atul Kumar..

I installed OAM identity server (10.1.4.0.1) with microsoft ad 2003..now i want OAM identity server (10.1.4.0.1) upgrade to (10.1.4.0.3) would i get any problem with my active directory…can you please provide how to upgrade

Reply
Atul Kumar says May 25, 2011

@ Manikanth,
Do you want to go to 10.1.4.0.3 or 10.1.4.3 (This is terminal release for 10g OAM)

For 10.1.4.0.3 upgrade patch check note Manikanth

Reply
Manikanth says May 26, 2011

Hi..,

Atul Kumar..

Hi..thanx for your reply athul…sorry for my wrong post i want to upgrade from OAM 10.1.4.0.1 to 10.1.4.3….only

i have some information regarding that..could you please tell me is it correct or not and can you provide me any document if there and patches where can i download..

step: 10.1.4.0.4——> remove bps——->10.1.4.2——>10.1.4.3—–>apply latest bp

Reply
dxodonn says June 8, 2011

Hi Atul,

Your updates are awesome, I was wondering if you direct me to a more detail setup for using Policy Manager to protect sites.

Thank you,

Dan

Reply
Atul Kumar says June 8, 2011

@ dxodonn,

For detailed setup to protect site, you can look at Chapter 5, 6 & 7 of my book https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book

Reply
Mohankumar says June 15, 2011

Hi Atul

Your updates are awesome, I was wondering if you direct me to a more detail setup for

for example there are two type of users internal users and external users probably internel users are employes and external users are customers,and if iam having two seperate web applications one for internal users and other for exernal user with two different schemas…let say the internal apps is like—containing a go page in which they will have all the links regarding the company also having supportsite which is an external users app…so my question is that using oam can we provide sign on to..?
1.when the internal user login to the system using IWA and access the external app(support site) as the second app is protected it prompts for the authentication but as the internal user already authenticated using IWA he should directly redirected to that second app home page.
2.Here in this situation the internal app login crediantials are entirely differnt from external app crediantials i.e..,internal users login using their employee crediantials where as the external user login using a valid mail address..
3.As for the two apps entire schema values are different..can we do this by installing two oracle access manager say 1 oam for internal users ,2 oam for external users.if this happenes…? while authenticating internal users the oamserver1 generates obsso cookie..,when the same user try to access the second app from the same browser(protected by oamserver2) will he directly redirected to second app home page…using the previous cookie as this is done in the same browser….?

Could you please help to solve this issue

Reply
» Blank Screen on OAM 10g Identity Server Console : /identity/oblix Online Apps DBA: One Stop Shop for Apps DBA’s says August 15, 2011

[…] type of components Identity System and Access System. For OAM 10g architecture and components click here  . In OAM 11g, there is NO identity system (Identity functions in OAM 11g are moved to another […]

Reply
Sourabh Gupta says October 1, 2012

Hi Atul,

Having a few questions on OAM 10g :

1) No Error in Access Server Log File , Webgate/Apache log file , But when the user is requesting for a page , it hanging. Restart of access Server Help ? What may be reason ? Lots of stale connections , Load on Access Server. Access server is not accepting the connections.

2) With the Policy Definition , Even to access a page first Time , Does access server come into the picture. It is necessary that web gate communicate to Access Server ?

I Know for User Authentication and Authorization it comes into the picture.

Reply
Mukesh Negi says October 8, 2012

Great Article

Reply
Mann says July 18, 2013

Atul,
I see two products from Oracle for SSO, OAM and ESSO.
With further reading it suggest that OAM is for web based applications and ESSO is for web based and non-web based applications.

I am terrible confused between this two.
Can you suggest something between two like where OAM should be sued and where ESSO should be used?

Thanks,
Mann

Reply
Swamy says February 12, 2015

Atul,

We are in a stage to decide to use OAM 10g or 11g, but can you please help me how that can be integrated with Websphere Application Server with portal 8.0 version.

Incase if you have any blog/link/documentation which explains how to setup and also how it works, it will be of good help to me.

regards
Prashanth

Reply
randolph says May 15, 2015

Atul:
Good book on OAM. Question please; I want to pull Logon Failures on OAM from IAU_BASE, do you have a way and an example on how to write the SQL scripts to do this?
Thanks.
Randolph.

Reply
Identity And Access Management Oracle | Home says June 5, 2016

[…] Introduction to Oracle Access manager : Identity and … – Introduction to Oracle Access manager : Identity and Access System – WebPass , Webgate, Policy Manager […]

Reply
Dhrumil Shah says June 7, 2016

can you provide video materials for oracle identity and access manager ?

Reply
vijay says January 10, 2017

i want training please send me your phone number vijayannangi1@gmail.com

Reply
Add Your Reply

Not found