Oracle Access Manager 11g Overview

Oracle Access Manager 11g Overview:

Oracle Identity Management - The Big Picture
Oracle Access Manager 11g architecture
OAM 11g Installation & Deployment
Session Management
Authentication Engine
Managing Authorization Policies
OAM 11g Patchset 1 new features overview
Getting more information


Oracle Access Manager 11g Overview

  1. Oracle Access Manager 11g Overview
     Dmitry Nefedkin, Oracle ISV Migration Center FMW Consultant, Dmitry.Nefedkin@oracle.com
  2. ISV Migration Center Team
     • Who we are: the ISV Migration Center Team is a team of senior technical consultants based in Eastern and Central Europe and represents Oracle's technical investment for partners.
     • Mission statement: enable partners to rapidly and successfully adopt and implement Oracle's latest technology.
     • What we offer: whether you are selling Oracle technology, building business solutions (including hosted Internet solutions) or providing system integration and implementation services for Oracle technology, the IMC Team can help you succeed.
     • How we can assist: we offer a wide range of free services for partners, such as one-to-one assistance, webinars, seminars and hands-on workshops.
     ISV Migration Center blog: http://blogs.oracle.com/imc
     Contact: Ruxandra Radulescu, ISV Migration Center Manager, EE&CIS, ruxandra.radulescu@oracle.com
  3. Agenda
     • Oracle Identity Management - The Big Picture
     • Oracle Access Manager 11g architecture
     • OAM 11g Installation & Deployment
     • Session Management
     • Authentication Engine
     • Managing Authorization Policies
     • OAM 11g Patchset 1 new features overview
     • Getting more information
  4. Oracle Identity Management Capabilities: Complete, Innovative and Integrated
     Identity Administration:
     • Password Management
     • Self-Service Request & Approval
     • Roles based User Provisioning
     • Analytics, Policy Monitoring
     • Risk-based Access Certification
     Access Management:
     • Single Sign-On & Federation
     • Virtualized Identity Access
     • Web Services Security
     • Authentication & Fraud Prevention
     • Authorization & Entitlements
     • Access from Mobile Devices
     Directory Services:
     • LDAP Storage
     • LDAP Synchronization
     • Next Generation (Java) Directory
     Platform Security Services:
     • Identity Services for Developers
  5. Oracle Identity Management
     Identity Administration: Identity Manager
     Access Management: Access Manager, Adaptive Access Manager, Enterprise Single Sign-On, Identity Federation, Entitlements Server
     Directory Services: Directory Server EE, Internet Directory, Virtual Directory, Universal Directory
     Identity & Access Governance: Identity Analytics
     Oracle Platform Security Services
     Operational Manageability: Management Pack for Identity Management
  6. Agenda (repeat of slide 3)
  7. Access Manager Suite 11g Architecture - The Big Picture
     Access services: Authentication & Fraud Prevention, Authorization & Entitlements, Identity Federation, SSO Service, Security Token Service, Token Processing, Session Management, Trust Management, Password Policy, Password Reset, Delegated Admin
     Shared Services for Access (SSA) and Shared Services for Identity (SSI): Common Audit, AuthN Services, Identity Services, AuthZ Services, Credential Store, Key Store Services, SSL Configuration Framework
     Oracle Platform Security Services
     Deployment Management, Post Install Configuration, Domain Management
     Oracle WebLogic Server
  8. OAM Architecture
     Protocol Compatibility Framework
     OAM Server: Authentication Engine, Single Sign-On Engine, Session Management, Token Processing, Authorization Service
     Oracle Platform Security Services
  9.-11. SSO log-in processing with OAM agents (three diagram slides, no text)
  12. OAM 11g R1 Deployment Architecture
     • WebLogic Administration Server: WebLogic Admin Console, OAM 11g Admin Console, FMW Control
     • WebLogic Managed Server(s): OAM 11g Runtime Server
     • Shared information: 1. Policies, 2. Configuration, 3. User Sessions
     • Isolated runtime and admin server
     • Configuration and policy propagation
     • User sessions shared across all runtime servers
  13. Agenda (repeat of slide 3)
  14. Installation & Configuration
     • Installation process
       • OAM 11g installs using Oracle Universal Installer (OUI)
       • The installation process copies all the software bits to the host machine
       • OUI does not perform product configuration
     • Configuration process requires two steps
       • Database schema configuration using Repository Creation Utility (RCU)
       • Product configuration and deployment using the WebLogic Configuration Wizard
  15. OAM 11g Installation & Configuration
     • Database schema configuration
       • RCU lets customers choose the product for which they want to create a database schema and creates the schema once the database details are provided
     • Product configuration and deployment
       • OAM 11g is a J2EE application that deploys into a container
       • Deployment and configuration are handled by the WebLogic Configuration Wizard
       • The Configuration Wizard uses configuration templates provided by each product to configure the product
       • It deploys the product into a new or existing WLS domain
  16. Validating a Successful Installation and Configuration
     • Oracle WebLogic Server administration console
       • http://<host>:<AdminServer_Port>/console
       • Go to Deployments and verify that the oam_admin and oam_server applications are in Active state
     • Oracle Enterprise Manager Fusion Middleware Control
       • http://<host>:<AdminServer_Port>/em
       • Check that the status of the OAM server is up
     • Oracle Access Manager administration console
       • http://<host>:<AdminServer_Port>/oamconsole
       • Make sure you can view the System and Policy Configuration tabs
  17.-19. Validating a Successful Installation and Configuration (screenshots: Oracle WebLogic Server Administration Console, Oracle Access Manager Administration Console, Oracle Enterprise Manager Fusion Middleware Control)
  20. Agenda (repeat of slide 3)
  21. Session Management
     • Manages the life cycle requirements of a user session and notification of session events to enable global logout
     • Tracks active user sessions by using a high-performance distributed cache
     • Can limit the number of concurrent sessions a user can have at one time
     • Performs out-of-band session termination (prevents unauthorized access to systems when a user has been terminated)
  22. Session Management (flow diagram)
     Components: End User, WebGate, Application, Policy Engine, Session Management, Admin User; Oracle Access Manager 11g on Oracle WebLogic Server
     1. Authenticate (anonymous)
     2. Create Session
     3. Return Session ID
     4. Authentication success with Session ID
     5. Authenticated Access
     6. Validate Session & Authorize
     7. Application Access
     Admin User: Terminate Session (through Session Management)
  23. Oracle Coherence in Session Management
     • Provides a distributed cache with low data-access latencies
     • Transparently moves data between distributed caches (including an optional database store)
     • Coherence traffic is encrypted
     • Enables failover and reconciliation
  24. Manage Session
     Common Session Settings:
     • Session Lifetime
     • Idle Timeout
     • Maximum Number of Sessions per User
     Operations:
     • Delete All User Sessions
     • Delete Sessions based on Userid
     Synchronizing OAM Server Clocks:
     • Ensure all computer clocks are synchronized
     • Ensure the Webgate clock is not ahead of the OAM Servers
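As an added illustration of the session settings and operations on slides 21 and 24 (not Oracle's code; SessionStore, Session and the "refuse the new login at the limit" behaviour are my own assumptions), this in-memory store enforces Session Lifetime, Idle Timeout and Maximum Number of Sessions per User and implements out-of-band termination by user id. The caller passes the OAM server clock as `now`, which is also why the slide insists on synchronized clocks.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# In-memory model of the settings above (Session Lifetime, Idle Timeout, Maximum
# Number of Sessions per User) and of "Delete Sessions based on Userid". Added
# illustration; SessionStore/Session are my names, not OAM's session engine or API.
@dataclass
class Session:
    session_id: str
    user_id: str
    created: float      # OAM server clock, seconds
    last_access: float

class SessionStore:
    def __init__(self, lifetime_s: float, idle_timeout_s: float, max_per_user: int):
        self.lifetime_s, self.idle_timeout_s = lifetime_s, idle_timeout_s
        self.max_per_user = max_per_user
        self._sessions: Dict[str, Session] = {}

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.created >= self.lifetime_s
                or now - s.last_access >= self.idle_timeout_s)

    def _purge(self, now: float) -> None:
        for sid in [k for k, s in self._sessions.items() if self._expired(s, now)]:
            del self._sessions[sid]

    def create(self, user_id: str, now: float) -> Optional[str]:
        """Return a new session id, or None when the user is at the concurrent limit."""
        self._purge(now)   # expired sessions do not count against the limit
        if sum(s.user_id == user_id for s in self._sessions.values()) >= self.max_per_user:
            return None    # assumption: refuse the new login rather than evict an old session
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = Session(sid, user_id, now, now)
        return sid

    def validate(self, sid: str, now: float) -> Optional[str]:
        """Return the user id if the session is still valid (and touch it), else None."""
        s = self._sessions.get(sid)
        if s is None or self._expired(s, now):
            self._sessions.pop(sid, None)
            return None
        s.last_access = now
        return s.user_id

    def delete_user_sessions(self, user_id: str) -> int:
        """Out-of-band termination: drop every session of one user id."""
        doomed = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def active_count(self) -> int:
        return len(self._sessions)
```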
  25. Agenda (repeat of slide 3)
  26. Policy Model
     The 11g policy model was designed to support some key product goals:
     • Simplify everything: make it easier for new customers to pick up and use the product
     • Secure by default
     • Smooth migration path for OSSO and OAM 10g
     • Improved diagnostics when things go wrong, whether due to user error or a product issue
  27. Resource Definitions
     • Resource definitions exist as a flat collection of objects
     • Each resource is defined as a specific resource type
     • The URL value of a resource must begin with / and must match a resource value for the chosen host identifier
     • The asterisk (*) matches zero or more characters
     • An ellipsis (...) represents a sequence of zero or more intermediate levels
     • Examples:
       – /mydirectory/*
       – /mydirectory/projects/myexe.exe
       – /.../*.html
  28. Host Identifiers
     • Identifies a computer host
     • Administrators can apply security policies to resources based on host identifiers
     • Host identifiers are automatically created during registration (Console or RREG)
     • Each resource and host identifier combination must be unique across all application domains
     • Host identifier variations: site.com, site.com:80, www.site.com, 216.200.159.58:80 etc., or 3232236564 (decimal addressing)
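An added example (not Oracle's matching code) that puts slides 27 and 28 together: a host identifier that maps all the listed variations, including the decimal-addressed form, to one name, and a flat resource table that applies the `*` and `/.../` pattern rules and rejects a duplicate (host identifier, URL) pair. The class and function names are mine, and "first registered match wins" is an assumption rather than OAM's documented precedence.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Added illustration of the resource-pattern rules and host-identifier variations on
# the two slides above, not Oracle's matching code; the class and function names are
# mine, and "first registered match wins" is an assumption, not OAM's precedence rule.

def canonical_host(host: str) -> str:
    """Lower-case, drop the default port 80 and expand a decimal IP such as 3232236564."""
    name, _, port = host.strip().lower().partition(":")
    if name.isdigit():
        name = str(ipaddress.IPv4Address(int(name)))   # 3232236564 -> 192.168.4.20
    return name if port in ("", "80") else f"{name}:{port}"

class HostIdentifier:
    def __init__(self, name: str, variations: List[str]):
        self.name = name
        self.variations = {canonical_host(v) for v in variations}
    def matches(self, host: str) -> bool:
        return canonical_host(host) in self.variations

def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' matches zero or more characters; '/.../' zero or more intermediate levels."""
    if not pattern.startswith("/"):
        raise ValueError("resource URL must begin with /")
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/.../", i):
            out.append(r"/(?:[^/]+/)*"); i += 5
        elif pattern[i] == "*":
            out.append(r".*"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

class ResourceTable:
    def __init__(self) -> None:
        self._entries: List[Tuple[str, str, "re.Pattern[str]", str]] = []
    def add(self, host_id: str, pattern: str, policy: str) -> None:
        if any(h == host_id and p == pattern for h, p, _, _ in self._entries):
            raise ValueError(f"duplicate resource {host_id}:{pattern}")  # must be unique
        self._entries.append((host_id, pattern, pattern_to_regex(pattern), policy))
    def lookup(self, hosts: List[HostIdentifier], host: str, path: str) -> Optional[str]:
        names = {h.name for h in hosts if h.matches(host)}
        for host_id, _, rx, policy in self._entries:
            if host_id in names and rx.match(path):
                return policy
        return None

# Constructed sample: the variations listed on the slide plus two example patterns.
INTRANET = HostIdentifier("intranet", ["site.com", "site.com:80", "www.site.com",
                                       "216.200.159.58:80", "3232236564"])
TABLE = ResourceTable()
TABLE.add("intranet", "/mydirectory/*", "DirPolicy")
TABLE.add("intranet", "/.../*.html", "HtmlPolicy")
```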
  29. Authentication
     • The authentication engine is driven by authentication schemes
     • Authentication policies determine the applicable authentication scheme
     • Each authentication scheme consists of CHALLENGE metadata and a reference to an instance of an authentication module
     • Centralized credential collector
     • Supported authentication module types are LDAP, X.509 and Kerberos
     • Authentication or user mapping is performed against a primary identity provider
  30. Authentication Module
     • AuthN modules are plug-ins used in AuthN schemes
     • Three types of AuthN modules are supported: LDAP, Kerberos, X.509
     • You can create several different AuthN modules based on one of the three AuthN module types to use in AuthN schemes
  31. Authentication Modules
     • LDAP Module
       – Validates identity against the primary ID store (LDAP)
       – Credentials required: username/password
       – Supports username-only verification (no password required) for Identity Assertion
       – Performs the backend operation for the BASIC and FORM credential collection mechanisms
     • Kerberos Module
       – Asserts identity using a SPNEGO token and the GSS APIs
       – Credentials required: SPNEGO token
       – Supported with a fallback mechanism (BASIC)
  32. Authentication Modules
     • X509 Module
       – Asserts identity using X.509 client certificates
       – Credentials required: client certificate
       – Verifies the certificate using the Java Security API
     • Anonymous Module
       – Creates a subject/session without user identity validation
       – Credentials required: none
       – Anonymous username is configurable
  33. Authentication Schemes
     • Resources within an application domain are protected by authN policies
     • Each authN policy is defined by one authentication scheme
     • An authentication scheme defines:
       – Challenge mechanism
         • Challenge method: Form, Basic (LDAP), X.509, WNA, None
         • Challenge Redirect URL
       – Authentication level: 1, 2, etc.
       – Authentication module: X.509, LDAP, Kerberos
     • The authentication module is the smallest executable unit of an authentication scheme
     • Exactly one authentication module is assigned to an authentication scheme
  34. Challenge Methods
     Determining what credentials a user must supply when requesting access to a resource:
     • Form – custom HTML login page – LDAP Module
     • Basic – default web server challenge using a pop-up box for username/password fields – LDAP Module
     • WNA – uses Windows Native Authentication with AD – Kerberos Module
     • X509 – requests an X509 certificate from the client browser for two-way SSL – X509 Module
     • None
  35. Multi-Level Authentication
     • Different resources of the same application can be protected with different authentication levels
     • Registered agents detect the different levels:
       • mod_osso detects the authentication level from dynamic directives
       • OAM agents receive an Insufficient Level error message from the OAM server (in case of step-up AuthN)
       • Both agent types redirect the user to the OAM server to re-authenticate
     • All the resources protected by mod_osso on a host are protected at the same level
       • For mod_osso, multi-level authentication applies to resources across hosts
  36. Multi-Level Authentication (diagram)
  37. Agenda (repeat of slide 3)
  38. Authorization
     • Authorization is performed through the embedded OES engine with OAM extensions
       – OAM custom resource matching
       – OAM constraint evaluation (IP and time)
     • Policies are persisted to a database (Oracle DB)
     • Support for user/group, IP address and time constraints, for example:
       – ALLOW jdoe for RESOURCE(<hostid:uri>)
         • IF ip=x.x.x.x & time=Sunday
         • RESPOND WITH <header(name=val), cookie(name=val)>
       – DENY jsmith for RESOURCE(<hostid:uri>)
         • IF ip=x.x.x.x & time=Sunday
         • RESPOND WITH <header(name=val), cookie(name=val)>
  39. Authorization Policies
     • OAM 11g provides coarse-level authorization using AuthZ policies
     • Each authorization policy is a combination of:
       – One or more resources to which the authorization policy applies
       – Success and Failure URLs to direct events following an authorization attempt
       – Specific conditions or constraints whose outcome determines whether access to the requested resource should be granted
       – One or more responses performed by the web agent after the authorization process
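An added evaluator (not OAM's embedded OES engine) for the policy shape on slides 38 and 39: ALLOW/DENY rules for a user or group with IP and weekday constraints, header/cookie responses, and success/failure URLs. Rule, Policy and authorize are my names, and the ordering "a matching DENY overrides ALLOW, and no matching rule denies" is my assumption, chosen to stay secure by default.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Added illustration of the policy shape on the two slides above (ALLOW/DENY a subject
# for a resource IF ip=... & time=<weekday>, RESPOND WITH header/cookie, success and
# failure URLs). Not OAM's OES engine: Rule/Policy/authorize are my names, and
# "a matching DENY overrides ALLOW, no match denies" is my assumption.

@dataclass
class Rule:
    effect: str                                   # "ALLOW" or "DENY"
    subjects: List[str]                           # user ids or "group:<name>"
    ip_ranges: List[str] = field(default_factory=list)   # CIDR constraints, e.g. "10.1.0.0/16"
    weekdays: List[str] = field(default_factory=list)    # time constraints, e.g. "Sunday"
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)

    def applies(self, user: str, groups: List[str], ip: str, when: datetime) -> bool:
        subject_ok = user in self.subjects or any(f"group:{g}" in self.subjects for g in groups)
        ip_ok = not self.ip_ranges or any(ip_address(ip) in ip_network(r) for r in self.ip_ranges)
        day_ok = not self.weekdays or when.strftime("%A") in self.weekdays
        return subject_ok and ip_ok and day_ok

@dataclass
class Policy:
    success_url: str
    failure_url: str
    rules: List[Rule]

Decision = Tuple[bool, str, Dict[str, str], Dict[str, str]]   # granted, redirect, headers, cookies

def authorize(policy: Policy, user: str, groups: List[str], ip: str, when: datetime) -> Decision:
    """Evaluate the constraints; return the decision, the URL to redirect to and the responses."""
    matching = [r for r in policy.rules if r.applies(user, groups, ip, when)]
    denies = [r for r in matching if r.effect == "DENY"]
    allows = [r for r in matching if r.effect == "ALLOW"]
    chosen = denies[0] if denies else (allows[0] if allows else None)
    granted = chosen is not None and chosen.effect == "ALLOW"
    url = policy.success_url if granted else policy.failure_url
    headers = dict(chosen.headers) if chosen else {}
    cookies = dict(chosen.cookies) if chosen else {}
    return granted, url, headers, cookies

# Constructed sample mirroring the slide's jdoe/jsmith rules plus a group-based rule.
POLICY = Policy("/app/home", "/app/denied", [
    Rule("ALLOW", ["jdoe"], ["10.1.0.0/16"], ["Sunday"], {"X-User": "jdoe"}, {"audit": "on"}),
    Rule("DENY", ["jsmith"], ["10.1.0.0/16"], ["Sunday"], {"X-Denied": "policy"}),
    Rule("ALLOW", ["group:staff"], weekdays=["Sunday", "Monday"]),
])
```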
  40. Access Tester
     • Customers need a tool to test access to resources
       • OAM 10g had a server-side Access Tester
       • OAM 11g provides a tool that can be run anywhere
     • The new Access Tester simulates an actual WebGate
       • It simulates resource requests to ensure that policy evaluates correctly
       • It also uncovers network issues that might impact WebGates or mod_osso agents, because it can be run anywhere, including on the web server host
  41. Access Tester
     • GUI mode for manual testing
     • Command-line mode for automated testing
     • Portable, standalone Java application
       – java [-Dxxx="yyy"] -jar oamtest.jar
       – Two jars: oamtest.jar, nap-api.jar
     • Ships with OAM
       – Location: <Oracle Home>/oam/server/tester
  42. Agenda (repeat of slide 3)
  43. OAM 11g PS1 features
     • Extensibility Framework
       • Allows customized authentication modules to be plugged into the system
       • Includes SDK tooling for users to create customized modules
       • Allows orchestration of authentication modules into a customized flow for an authentication scheme
     • Exclusion List Support and Authorization Caching
       • Provide policy elements to define resources to be excluded from policy evaluation altogether
       • Increases runtime processing performance
  44. OAM 11g PS1 features
     • Pure Java ASDK
       • Addition to the OAM 10g C/C++ based ASDK
       • Includes authentication and authorization APIs
       • One platform-independent package
       • API support for the extended protocol-level op codes
       • Will support working against OAM 10g and OAM 11g
       • Does not include policy administration APIs
       • The Java ASDK will include some session management calls
     • Session Management Engine Enhancement
       • Wildcard in username search
       • Shows impersonation sessions
  45. OAM 11g PS1 features
     • Multiple ID Store
       • Allows customers to pick which LDAP to authenticate and authorize against
       • Includes backend support for multiple ID Store connectivity
     • Impersonation Support
       • Allows impersonation of users for help desk support
       • Requires customers to set certain LDAP attributes to control impersonation behavior
       • Requires customers to build a front-end application to initiate and terminate impersonation sessions
  46. OAM 11g PS1 features
     • Oracle STS Integration
       • Identity propagation from the web tier to the application tier and also into the web services tier
       • Supports trust brokering between different identity domains using the standard WS-Trust protocol
       • Unified user interface with OSTS
       • OOTB co-installation and deployment of OAM and OSTS
  47. Agenda (repeat of slide 3)
  48. Getting more information
     • Oracle Identity Management 11g documentation: http://download.oracle.com/docs/cd/E21764_01/im.htm
     • Oracle Learning Library, IdM tutorials: http://apex.oracle.com/pls/apex/f?p=44785:2:5321303512854647::NO:RIR::
     • Oracle Access Management blog: http://oracleaccessmanagement.blogspot.com
     • OAM Academy from the Fusion Middleware Security blog: http://fusionsecurity.blogspot.com/2011/03/oracle-access-manager-academy-from.html
     • The ISV Migration Center can deliver a free workshop on Oracle Access Manager 11g. Please contact ruxandra.radulescu@oracle.com if you want to participate.
  49. Questions
     Dmitry Nefedkin, Oracle ISV Migration Center FMW Consultant, Dmitry.Nefedkin@oracle.com
     ISV Migration Center blog: http://blogs.oracle.com/imc
     ©2011 Oracle Corporation
