Oracle Access Manager 11g Overview


Transcript of Oracle Access Manager 11g Overview

Page 1: Oracle Access Manager 11g Overview


Oracle Access Manager 11g Overview

Dmitry Nefedkin

Oracle ISV Migration Center FMW Consultant

[email protected]

Page 2: Oracle Access Manager 11g Overview


ISV Migration Center Team

• Who we Are: ISV Migration Center Team is a team of senior technical consultants based in Eastern and Central Europe and represents Oracle's technical investment for partners.

• Mission Statement: Enable partners to rapidly and successfully adopt and implement Oracle latest technology

• What do we Offer: Whether you are selling Oracle technology, building business solutions, including hosted Internet solutions or providing system integration and implementation services for Oracle technology, IMC Team can help you succeed.

• How can we assist: We offer a wide range of free services for partners such as one2one assistance, webinars, seminars and hands-on workshops.

ISV Migration Center blog: http://blogs.oracle.com/imc

Contacts:

Ruxandra Radulescu, ISV Migration Center Manager, EE&CIS

[email protected]

Page 3: Oracle Access Manager 11g Overview


Agenda

• Oracle Identity Management - The Big Picture

• Oracle Access Manager 11g architecture

• OAM 11g Installation & Deployment

• Session Management

• Authentication Engine

• Managing Authorization Policies

• OAM 11g Patchset 1 new features overview

• Getting more information

Page 4: Oracle Access Manager 11g Overview

Oracle Identity Management Capabilities: Complete, Innovative and Integrated

Identity Administration

• Password Management

• Self-Service Request & Approval

• Roles based User Provisioning

• Analytics, Policy Monitoring

• Risk-based Access Certification

Access Management

• Single Sign-On & Federation

• Web Services Security

• Authentication & Fraud Prevention

• Authorization & Entitlements

• Access from Mobile Devices

Directory Services

• LDAP Storage

• Virtualized Identity Access

• LDAP Synchronization

• Next Generation (Java) Directory

Platform Security Services

• Identity Services for Developers

Page 5: Oracle Access Manager 11g Overview

Oracle Identity Management

Access Management: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server

Identity Administration: Identity Manager

Directory Services: Directory Server EE, Internet Directory, Virtual Directory, Universal Directory

Identity & Access Governance: Identity Analytics

Operational Manageability: Management Pack For Identity Management

Oracle Platform Security Services

Page 6: Oracle Access Manager 11g Overview


Page 7: Oracle Access Manager 11g Overview

Access Manager Suite 11g Architecture - The Big Picture

Oracle WebLogic Server

Authentication & SSO, Identity Federation, Security Token Service, Fraud Prevention, Authorization & Entitlements

Shared Services for Access (SSA) and Shared Services for Identity (SSI): Token Processing, Session Management, Trust Management, Password Policy, Password Reset, Delegated Admin

Oracle Platform Security Services: AuthN Services, Identity Services, AuthZ Services, Credential Store, Common Audit Framework, KeyStore Services, SSL Configuration

Domain Management, Deployment Management, Post Install Configuration

Page 8: Oracle Access Manager 11g Overview

OAM Architecture

OAM Server:

• Protocol Compatibility Framework

• Single Sign-On Engine

• Authentication Engine

• Authorization Service

• Token Processing

• Session Management

• Oracle Platform Security Services

Page 9: Oracle Access Manager 11g Overview

SSO log-in processing with OAM agents

Page 10: Oracle Access Manager 11g Overview

SSO log-in processing with OAM agents

Page 11: Oracle Access Manager 11g Overview

SSO log-in processing with OAM agents

Page 12: Oracle Access Manager 11g Overview

OAM 11g R1 Deployment Architecture

• Isolated runtime and admin server

• Configuration and policy propagation

• User sessions shared across all runtime servers

WebLogic Administration Server: WebLogic Admin Console, OAM 11g Admin Console, FMW Control

WebLogic Managed Server(s): OAM 11g Runtime Server

Shared Information:

1. Policies

2. Configuration

3. User Sessions

Page 13: Oracle Access Manager 11g Overview


Page 14: Oracle Access Manager 11g Overview

Installation & Configuration

• Installation process

– OAM 11g installs using Oracle Universal Installer (OUI)

– The installation process copies all the software bits to the host machine

– OUI does not perform product configuration

• Configuration process requires 2 steps

– Database schema configuration using Repository Creation Utility (RCU)

– Product configuration and deployment using WebLogic Configuration Wizard

Page 15: Oracle Access Manager 11g Overview

OAM 11g Installation & Configuration

• Database schema configuration:

– RCU allows customers to choose the product for which they want to create database schema and creates the schema after providing the database details.

• Product configuration and deployment:

– OAM 11g is a J2EE application that deploys into a container.

– The deployment and configuration is handled by the WebLogic Configuration Wizard.

– The Configuration Wizard uses configuration templates provided by each product to configure the product.

– It deploys the product into a new or existing WLS domain.

Page 16: Oracle Access Manager 11g Overview

Validating a Successful Installation and Configuration

• Oracle WebLogic Server administration console

– http://<host>:<AdminServer_Port>/console

– Go to Deployments and verify that the oam_admin and oam_server applications are in Active state

• Oracle Enterprise Manager Fusion Middleware Control

– http://<host>:<AdminServer_Port>/em

– Check to make sure the status of the OAM server is up

• Oracle Access Manager administration console

– http://<host>:<AdminServer_Port>/oamconsole

– Make sure you can view the System and Policy Configuration tabs

Page 17: Oracle Access Manager 11g Overview

Validating a Successful Installation and Configuration - Oracle WebLogic Server Administration Console

Page 18: Oracle Access Manager 11g Overview

Validating a Successful Installation and Configuration - Oracle Access Manager Administration Console

Page 19: Oracle Access Manager 11g Overview

Validating a Successful Installation and Configuration - Oracle Enterprise Manager Fusion Middleware Control

Page 20: Oracle Access Manager 11g Overview


Page 21: Oracle Access Manager 11g Overview

Session Management

• Session management:

– Manages the life cycle requirements of a user session and notification of session events to enable global logout

– Tracks active user sessions by using a high-performance distributed cache

– Can limit the number of concurrent sessions a user can have at one time

– Performs out-of-band session termination (prevents unauthorized access to systems when a user has been terminated)

Page 22: Oracle Access Manager 11g Overview

Session Management

Components: End User, WebGate, Application, Oracle Access Manager 11g (Policy Engine, Session Management) on Oracle Weblogic Server, Admin User

1. Authenticate (anonymous)

2. Create Session

3. Return Session ID

4. Authentication success with Session ID

5. Authenticated Access

6. Validate Session & Authorize

7. Application Access

Admin User: Terminate Session

Page 23: Oracle Access Manager 11g Overview

Oracle Coherence in Session Management

• Provides a distributed cache with low data-access latencies

• Transparently moves data between distributed caches (including the optional database store)

• Coherence traffic is encrypted

• Enables failover and reconciliation

Page 24: Oracle Access Manager 11g Overview

Manage Session

Common Session Settings

• Session Lifetime

• Idle Timeout

• Maximum Number of Sessions per User

Operations:

• Delete All User Sessions

• Delete Sessions based on Userid

Synchronizing OAM Server Clocks:

• Ensure all computer clocks are synchronized.

• Ensure Webgate clock is not ahead of the OAM Servers

Page 25: Oracle Access Manager 11g Overview


Page 26: Oracle Access Manager 11g Overview

Policy Model

The 11g policy model was designed to support some key product goals:

• Simplify everything. Make it easier for new customers to pick up and use the product

• Secure by default

• Smooth migration path for OSSO and OAM 10g

• Improved diagnostics when things go wrong, whether due to user error or a product issue

Page 27: Oracle Access Manager 11g Overview

Resource Definitions

• Resource definitions exist as a flat collection of objects

• Each resource is defined as a specific resource type

• The URL value of a resource must begin with / and must match a resource value for the chosen host identifier.

• The asterisk (*) matches zero or more characters.

• An ellipsis (…) represents a sequence of zero or more intermediate levels

• Examples

– /mydirectory/*

– /mydirectory/projects/myexe.exe

– /.../*.html

Page 28: Oracle Access Manager 11g Overview

Host Identifiers

• Identifies a computer host

• Administrators can apply security policies to resources based on host identifiers

• Host Identifiers are automatically created during registration (Console or RREG)

• Each resource and host identifier combination must be unique across all application domains

• Host identifier variations: site.com, site.com:80, www.site.com, 216.200.159.58:80, etc., or 3232236564 (decimal addressing)
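The pattern rules from the Resource Definitions slide and the host identifier rules above, as an added Python example that is not Oracle's code or OAM's real matcher: it resolves the Host header an agent saw to a host identifier and matches the request URL against registered resource patterns. It assumes that '*' may span '/' (the slide says only "zero or more characters"), that an unregistered host variation matches nothing, and that the host table and patterns are constructed from the slide's own examples.

```python
import re

# Constructed table: each OAM host identifier lists the host[:port] variations
# an agent may see for it (the variations named on this slide).
HOST_IDENTIFIERS = {
    "site": {"site.com", "site.com:80", "www.site.com", "216.200.159.58:80"},
}
RESOURCES = []  # constructed resource definitions: (host identifier, URL pattern)


def resolve_host_identifier(host_header):
    """Map the Host header an agent saw to its OAM host identifier, or None.
    An unregistered variation resolves to nothing, so no policy applies to it:
    every variation the agent can see has to be registered."""
    host = host_header.strip().lower()
    for ident, variations in HOST_IDENTIFIERS.items():
        if host in variations:
            return ident
    return None


def pattern_to_regex(pattern):
    """Compile an OAM 11g resource URL pattern into an anchored regex.
    '*' matches zero or more characters (assumed here to include '/').
    '/.../' matches zero or more intermediate directory levels, so
    '/.../x.html' matches '/x.html', '/a/x.html' and '/a/b/x.html'."""
    pattern = pattern.replace("\u2026", "...")  # accept the typographic ellipsis
    if not pattern.startswith("/"):
        raise ValueError("resource URL must begin with /")
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/.../", i):
            parts.append("/(?:[^/]+/)*")
            i += 5
        elif pattern[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def define_resource(host_id, pattern):
    """Register a resource; each host identifier + URL combination must be unique."""
    if host_id not in HOST_IDENTIFIERS:
        raise ValueError(f"unknown host identifier {host_id!r}")
    pattern_to_regex(pattern)  # rejects patterns that do not begin with '/'
    if (host_id, pattern) in RESOURCES:
        raise ValueError(f"duplicate resource {host_id}:{pattern}")
    RESOURCES.append((host_id, pattern))


def matching_resources(host_header, url):
    """Return the registered patterns covering this request, [] if none."""
    host_id = resolve_host_identifier(host_header)
    if host_id is None:
        return []
    return [p for h, p in RESOURCES if h == host_id and pattern_to_regex(p).match(url)]


for _p in ("/mydirectory/*", "/mydirectory/projects/myexe.exe", "/.../*.html"):
    define_resource("site", _p)  # the three example patterns from the slide
```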

Page 29: Oracle Access Manager 11g Overview

Authentication

• The authentication engine is driven by authentication schemes.

• Authentication policies determine the applicable authentication scheme.

• Each authentication scheme consists of CHALLENGE metadata and a reference to an instance of an authentication module.

• Centralized credential collector

• Supported authentication module types are LDAP, X.509 and Kerberos.

• Authentication or user mapping is performed against a primary identity provider.

Page 30: Oracle Access Manager 11g Overview

Authentication Module

• AuthN modules are plug-ins used in AuthN schemes.

• Three types of AuthN modules are supported:

– LDAP

– Kerberos

– X.509

• You can create several different AuthN modules based on one of the three AuthN module types to use in AuthN schemes.

Page 31: Oracle Access Manager 11g Overview

Authentication Modules

• LDAP Module

– Validates identity against Primary Id Store [LDAP]

– Credentials required - Username/Password

– Supports username-only verification (no password required) for Identity Assertion

– Performs backend operation for BASIC & FORM credential collection mechanism

• Kerberos Module

– Asserts identity using SPNEGO token & GSS APIs

– Credentials required - SPNEGO token

– Supported with Fallback mechanism (BASIC)

Page 32: Oracle Access Manager 11g Overview

Authentication Modules

• X509 Module

– Asserts identity using X.509 client certificates

– Credentials required - Client Certificate

– Verifies certificate using Java Security API

• Anonymous Module

– Creation of subject/session without user identity validation

– Credentials required - NONE

– Anonymous username is configurable

Page 33: Oracle Access Manager 11g Overview

Authentication Schemes

• Resources within an application domain are protected by authN policies

• Each authN policy is defined by one authentication scheme

• Authentication scheme defines:

– Challenge mechanism

• Challenge method: Form, Basic (LDAP), X.509, WNA, None

• Challenge Redirect URL

– Authentication level: 1, 2 etc.

– Authentication module: X.509, LDAP, Kerberos

• Authentication module is the smallest executable unit of an authentication scheme

• Exactly one authentication module is assigned to an authentication scheme

Page 34: Oracle Access Manager 11g Overview

Challenge Methods

Determining what credentials a user must supply when requesting access to a resource

• Form – Custom html login page – LDAP Module

• Basic – Default web server challenge using pop-up box for Username/Password fields – LDAP Module

• WNA – Uses Windows Native Authentication with AD – Kerberos Module

• X509 – Requesting X509 Certificate from client browser for two-way SSL – X509 Module

• None

Page 35: Oracle Access Manager 11g Overview

Multi-Level Authentication

• Different resources of the same application can be protected with different authentication levels.

• Registered agents detect the different levels:

– mod_osso detects the authentication level from dynamic directives.

– OAM agents receive an Insufficient Level error message from the OAM server (in case of step-up AuthN).

– Both agent types redirect the user to the OAM server to re-authenticate.

• All the resources protected by mod_osso on a host are protected at the same level.

• For mod_osso, multi-level authentication applies to resources across hosts.
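The Common Session Settings of the Manage Session slide (Session Lifetime, Idle Timeout, Maximum Number of Sessions per User, delete sessions by user ID) and the step-up check above, as one added Python example that is not Oracle's code: an in-memory session store whose validate() answers "insufficient_level" when the resource's authentication level exceeds the level the session was created at, which is the point where an OAM agent would redirect for re-authentication. Refusing a new login once the per-user maximum is reached is an assumption, as are the class and method names; the clock is injected as seconds so the behaviour is reproducible.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    session_id: str
    user: str
    auth_level: int   # level of the authentication scheme the user last satisfied
    created: int      # seconds; the caller injects the OAM server clock (testable)
    last_access: int


class SessionStore:
    """In-memory stand-in for the OAM session cache with this deck's Common Session
    Settings (Session Lifetime, Idle Timeout, Maximum Number of Sessions per User).
    All times come from the OAM server clock, never from the agent's clock."""

    def __init__(self, lifetime, idle_timeout, max_per_user):
        self.lifetime, self.idle_timeout = lifetime, idle_timeout
        self.max_per_user, self._sessions = max_per_user, {}

    def _alive(self, s, now):
        return now - s.created < self.lifetime and now - s.last_access < self.idle_timeout

    def create(self, user, auth_level, now):
        """Return a new session ID, or None when the user already holds the
        maximum number of live sessions (assumed: the new login is refused)."""
        live = [s for s in self._sessions.values() if s.user == user and self._alive(s, now)]
        if len(live) >= self.max_per_user:
            return None
        sid = secrets.token_urlsafe(32)  # unguessable; never derived from user data
        self._sessions[sid] = Session(sid, user, auth_level, now, now)
        return sid

    def validate(self, sid, now, required_level=1):
        """'ok', 'invalid' (unknown, expired or terminated) or 'insufficient_level',
        on which the agent sends the user to re-authenticate at the higher level."""
        s = self._sessions.get(sid)
        if s is None or not self._alive(s, now):
            self._sessions.pop(sid, None)  # purge expired entries on sight
            return "invalid"
        if s.auth_level < required_level:
            return "insufficient_level"
        s.last_access = now  # only a successful access resets the idle timer
        return "ok"

    def raise_level(self, sid, new_level, now):
        """After step-up re-authentication, record the higher level on the same session."""
        if self.validate(sid, now) != "ok":
            return False
        s = self._sessions[sid]
        s.auth_level = max(s.auth_level, new_level)
        return True

    def delete_user_sessions(self, user):
        """Out-of-band termination by user ID, e.g. when a user has been terminated."""
        doomed = [sid for sid, s in self._sessions.items() if s.user == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)
```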

Page 36: Oracle Access Manager 11g Overview

Multi-Level Authentication

Page 37: Oracle Access Manager 11g Overview


Page 38: Oracle Access Manager 11g Overview

Authorization

• Authorization performed through embedded OES engine with OAM extensions

– OAM custom resource matching

– OAM constraint evaluation (IP and Time)

• Policies are persisted to Database (Oracle DB)

• Support for user/group, ip address and time constraints

– ALLOW jdoe for RESOURCE(<hostid:uri>)

• IF ip=x.x.x.x & time=Sunday

• RESPOND WITH <header(name=val), cookie(name=val)>

– DENY jsmith for RESOURCE(<hostid:uri>)

• IF ip=x.x.x.x & time=Sunday

• RESPOND WITH <header(name=val), cookie(name=val)>
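The ALLOW/DENY rules above, as an added Python example (not the OES engine or Oracle's code): a rule evaluator with the user/group, IP and time constraints and the header/cookie responses the slide lists. Deny-overrides with default deny, CIDR notation for the ip= constraint, and the Rule/authorize/check names are assumptions of this example; the policy is constructed from the slide's jdoe and jsmith lines.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Rule:
    """One policy line in the slide's form: ALLOW/DENY <principals> for
    RESOURCE(<hostid:uri>) IF ip=... & time=<weekday> RESPOND WITH <...>."""
    effect: str                     # "ALLOW" or "DENY"
    principals: frozenset           # user IDs or group names
    resource: str                   # "<hostid:uri>", matched exactly in this example
    ip_networks: tuple = ()         # CIDR strings; a bare x.x.x.x is a /32 (assumption)
    days: frozenset = frozenset()   # weekday names; empty means any time
    responses: dict = field(default_factory=dict)  # {"header": {...}, "cookie": {...}}


def constraints_hold(rule, client_ip, when):
    """Evaluate the rule's IP and time constraints against the request."""
    if rule.ip_networks:
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in ipaddress.ip_network(n, strict=False) for n in rule.ip_networks):
            return False
    if rule.days and when.strftime("%A") not in rule.days:
        return False
    return True


def authorize(rules, user, groups, resource, client_ip, when):
    """Return (decision, responses). The combining rule is this example's
    assumption: any matching DENY wins, else any matching ALLOW, else DENY.
    Responses are merged only from the rules that produced the decision."""
    principals = {user} | set(groups)
    matched = [r for r in rules if r.resource == resource
               and principals & r.principals and constraints_hold(r, client_ip, when)]
    for effect in ("DENY", "ALLOW"):
        winners = [r for r in matched if r.effect == effect]
        if winners:
            responses = {}
            for r in winners:
                for kind, values in r.responses.items():
                    responses.setdefault(kind, {}).update(values)
            return effect, responses
    return "DENY", {}


# Constructed policy mirroring the slide: jdoe allowed and jsmith denied for the
# same resource, both only from the 10.0.0.0/8 network and only on Sundays.
RESOURCE = "site:/mydirectory/projects/myexe.exe"
POLICY = [
    Rule("ALLOW", frozenset({"jdoe"}), RESOURCE, ("10.0.0.0/8",), frozenset({"Sunday"}),
         {"header": {"X-Remote-User": "jdoe"}, "cookie": {"app_role": "viewer"}}),
    Rule("DENY", frozenset({"jsmith"}), RESOURCE, ("10.0.0.0/8",), frozenset({"Sunday"}),
         {"header": {"X-Denied-Reason": "policy"}}),
]


def check(user, client_ip, iso_date, groups=(), resource=RESOURCE):
    """Convenience wrapper: evaluate POLICY for a request on the given date."""
    return authorize(POLICY, user, groups, resource, client_ip, datetime.fromisoformat(iso_date))
```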

Page 39: Oracle Access Manager 11g Overview

Authorization Policies

• OAM 11g provides coarse-level authorization using AuthZ policies

• Each authorization policy is a combination of:

– One or more resources to which the authorization policy applies

– Success and Failure URLs to direct events following an authorization attempt

– Specific conditions or constraints whose outcome determines whether access to the requested resource should be granted

– One or more responses performed by the web agent after the authorization process

Page 40: Oracle Access Manager 11g Overview

Access Tester

• Customers need a tool to test access to resources.

• OAM 10g had a server-side Access Tester.

• OAM 11g provides a tool that can be run anywhere.

• The new Access Tester simulates an actual WebGate.

• It simulates resource requests to ensure that policy evaluates correctly.

• It also uncovers network issues that might impact WebGates or mod_osso agents because it can be run anywhere, including on the Web server host.

Page 41: Oracle Access Manager 11g Overview

Access Tester

• GUI Mode for manual testing

• Command line mode for automated testing

• Portable, standalone Java application

– java [-Dxxx="yyy"] -jar oamtest.jar

– 2 jars: oamtest.jar, nap-api.jar

• Ships with OAM

– Location: <Oracle Home>/oam/server/tester

Page 42: Oracle Access Manager 11g Overview


Page 43: Oracle Access Manager 11g Overview

OAM 11g PS1 features

• Extensibility Framework

– Allows for customized authentication modules to be plugged into the system

– Includes SDK tooling for users to create customized modules

– Allows for orchestration of authentication modules into a customized flow for an authentication scheme

• Exclusion List Support and Authorization Caching

– Provide policy elements to define resources to be excluded from policy evaluation altogether

– Increases runtime processing performance

Page 44: Oracle Access Manager 11g Overview

OAM 11g PS1 features

• Pure Java ASDK

– Addition to OAM 10g C/C++ based ASDK

– Includes authentication and authorization APIs

– One platform independent package

– API support for the extended protocol-level op codes

– Will support working against OAM 10g and OAM 11g

– Does not include policy administration APIs

– Java ASDK will include some session management calls

• Session Management Engine Enhancement

– Wildcard in username search

– Shows impersonation sessions

Page 45: Oracle Access Manager 11g Overview

OAM 11g PS1 features

• Multiple ID Store

– Allows customers to pick which LDAP to authenticate and authorize against

– Includes backend support for multiple ID Store connectivity

• Impersonation Support

– Allows for impersonation of users for help desk support

– Requires customers to set certain LDAP attributes to control impersonation behavior

– Requires customers to build front-end application to initiate and terminate impersonation sessions

Page 46: Oracle Access Manager 11g Overview

OAM 11g PS1 features

• Oracle STS Integration

– Identity propagation from the web tier to the application tier and also into web services tier

– Supports trust brokering between different identity domains using standard WS-Trust protocol

– Unified user interface with OSTS

– OOTB co-installation and deployment of OAM and OSTS

Page 47: Oracle Access Manager 11g Overview


Page 48: Oracle Access Manager 11g Overview

Getting more information

• Oracle Identity Management 11g documentation: http://download.oracle.com/docs/cd/E21764_01/im.htm

• Oracle Learning Library, IdM tutorials: http://apex.oracle.com/pls/apex/f?p=44785:2:5321303512854647::NO:RIR::

• Oracle Access Management blog: http://oracleaccessmanagement.blogspot.com

• OAM Academy from Fusion Middleware Security blog: http://fusionsecurity.blogspot.com/2011/03/oracle-access-manager-academy-from.html

• ISV Migration Center can deliver free workshop on Oracle Access Manager 11g. Please contact [email protected] if you want to participate

Page 49: Oracle Access Manager 11g Overview

Questions

©2011 Oracle Corporation

Dmitry Nefedkin

Oracle ISV Migration Center FMW Consultant

[email protected]

ISV Migration Center blog: http://blogs.oracle.com/imc