Oracle Access Management 11gR2 (11.1.2.x) Frequently Asked Questions (FAQ)
Table of Contents

Overview (page 1)
Key Features (page 1)
Oracle Access Management (page 3)
  General Questions (page 3)
  License Questions (page 4)
  Certification Related Questions (page 5)
  Feature Related Questions (page 5)
  Integration Questions (page 7)
Oracle Access Management Access Manager (Access Manager) (page 8)
  General Questions (page 8)
  Certification Questions (page 9)
  Migrations Questions (page 9)
Oracle Access Management Mobile and Social (Mobile and Social) (page 12)
  General Questions (page 12)
Oracle Access Management Access Portal (Access Portal) (page 14)
  General Questions (page 14)
Oracle Adaptive Access Manager (page 15)
  General Questions (page 15)
Oracle Enterprise Single Sign-On Suite Plus (page 17)
  General Questions (page 17)
Oracle Access Management Identity Federation (Identity Federation) (page 20)
  General Questions (page 20)
Oracle Access Management Security Token Service (Security Token Service) (page 23)
  General Questions (page 23)
Oracle Web Services Manager (page 25)
  General Questions (page 25)
Oracle Entitlements Server (page 26)
  General Questions (page 26)
Oracle API Gateway (page 28)
  General Questions (page 28)
https://support.oracle.com/CSP/main/article?cmd=show&ty
pe=NOT&id=1290894.1
3. What license is required to use OAuth?
OAuth is part of Access Management Federation Services.
6. What if I have a question about Access Management If you have licenses that include Federation, such as Oracle
products or have encountered an issue? Identity Federation, Oracle Access Management Suite Plus,
Oracle Identity and Access Management Suite Plus, are you
Refer to the product documentation first: entitled to OAuth capabilities.
http://docs.oracle.com/cd/E37115_01/index.htm
Oracle Support offers a wide variety of useful knowledge 4. I do not see my question about licensing answered here,
articles related to common questions raised by customers. If what do I do?
the documentation does not address your question, raise a
Service Request (SR) with Oracle Support at Additional questions and answers about licensing are
http://support.oracle.com. addressed in the Identity and Access Management
Licensing Document at
http://docs.oracle.com/cd/E28280_01/doc.1111/e14860/im_
License Questions options.htm
1. Where do I find pricing and licensing information?
If you still not sure about your license options or have
The pricing and licensing information for all Oracle additional questions, please discuss these with your Oracle
products can be found at Sales Representative.
http://www.oracle.com/us/corporate/pricing/index.html
Certification Related Questions

1. Where can I find the latest information about supported configurations (including Operating Systems, Browsers and LDAP directories)?

For the latest supported 11g Access Management configurations, refer to the certification matrix available on Oracle Technology Network at:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

2. Where can I find the latest information about interoperability between Oracle Fusion Middleware 11g / 12c products and Oracle Access Management 11g products?

Refer to the Oracle Fusion Middleware 11g / 12c certification matrix for interoperability details / support with Oracle Access Management 11g products:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

Feature Related Questions

1. Oracle Access Manager, Oracle Identity Federation and other products used to be installed and managed as independent products. Has this changed in Oracle Access Management 11.1.2.x releases?

Access Manager, Identity Federation, Security Token Service, Mobile and Social, and Access Portal are installed as part of the same software bundle in 11.1.2.2.0. These services are configured via the OAM Administration Console. Note that activation of these services is allowed only if licensed.

2. Both Oracle Enterprise Single Sign-On and Oracle Access Manager provide single sign-on capabilities. What is the difference between these two products?

Access Manager is a solution that provides seamless and secure access to web applications. Oracle Enterprise Single Sign-On is a solution that provides seamless and secure access to desktop, Java and mainframe applications.

3. Both Oracle Access Manager and Oracle Entitlements Server have authorization capabilities, but one is coarse-grained and the other fine-grained. What is the difference between the two and where is the appropriate place to use them?

Oracle Access Manager provides (what is sometimes referred to as) coarse-grained authorization. This protects access to a given web application at the URL level. For example, can user A access application 1?

Oracle Entitlements Server (OES) provides fine-grained authorization by controlling what users can do with applications, portals, content management systems, web services and databases. For example, OES can control:

• UI widgets including menu items, tabs, portlets, fields, and buttons that can be enabled or rendered.
• Access to information, documents, and database records.
• Operations that can be performed on the accessible information.
• Access to API and Web services.
• The data that will be returned to the client by a REST service.

4. What are the key features of the latest release of Access Management 11gR2 Patch Set 2 (11.1.2.2.0)?

• A unified Administration Console for Access Manager, Identity Federation, Security Token Service, Mobile and Social, and Access Portal configurations.
• Automation tools for installation and patching
• The new Access Portal Service
• Identity Federation Identity Provider integrated into the Access Management Suite
• Access Manager
Integration Questions

1. Where do I find information regarding Identity and Access Management integration?

The Integration Overview for Identity and Access Management products is the best place to start. It can be found at
http://docs.oracle.com/cd/E37115_01/index_prod.htm

Oracle Access Management Access Manager (Access Manager)

This section contains frequently asked questions related to Access Manager.

General Questions

1. What is Oracle Access Manager?

Oracle Access Manager (Access Manager) is the foundation of the new Oracle Access Management platform; it provides the core functionality for Web Single Sign-on (SSO), authentication, authorization, centralized policy administration and agent management, real-time session management, and auditing. Built as a 100% Java solution, Access Manager is extremely scalable, allowing it to handle Internet-scale deployments. It also works with existing heterogeneous environments, with agents certified for hundreds of web servers and application servers. Access Manager provides rich functionality, scalability and high availability, thereby increasing security, improving user experience and productivity, and enhancing compliance while reducing total cost of ownership.

2. What are the key features of Access Manager 11gR2 Patch Set 2 (11.1.2.2)?

• Delegated Administration
• Granular Idle Timeout
• Dynamic Authentication / Advanced Rules
• Policy Re-ordering
• Enhanced 10g / 11g Co-existence approach
• Cookie Based Session Management
• Improved Multi-Data Center Deployment
• IPv6 Support

3. What are the key new features of Access Manager 11gR2 Patch Set 1 (11.1.2.1)?

• Heterogeneity
  - WebSphere Application Server 7.0 support
  - 11g WebGate for IBM HTTP Server
• Enhanced security and user experience, including post data preservation and language drop-down selection on the login page
• Improved OpenSSO/SAM migration tools
  - Excel based assessment report for OpenSSO 8.0 and SAM 7.1
  - Incremental mode migration
• Multi-data Center support enhancement – read-only Data Center enforcement

4. What are the key features of Access Manager 11gR2 (11.1.2.0)?

• LDAP Server Filters in Identity Conditions
• Attribute Class Authorization Conditions - Session, request or user attribute
• Complex Authorization Expressions
• Detached Credential Collection
• Dynamic Multi-Factor / Multi-Step Authentication
• RESTful Policy Administration Interfaces
• Password Management
• Server side co-existence with OAM 10g, OpenSSO 8 and SAM 7.1
• Support for Multi-Data Center Deployment
• Third party Integrations (including Microsoft SharePoint, RSA Authentication Manager 7.1, JBoss 5.0)

5. What is the Detached Credential Collector in Access Manager 11gR2?

The Detached Credential Collector (DCC) is essentially an 11g WebGate that has been extended to provide credential collection capability. The DCC can be used to replace the
6. What advantages does the DCC offer as compared to the ECC?

The DCC offers a number of benefits from a security and a flexibility point of view. Since the DCC is completely decoupled from the Access Manager server, it can be deployed anywhere in the DMZ. It also provides added security because all unauthenticated end user login requests get terminated at the DCC in the DMZ, so the server is isolated from unauthenticated network traffic.

7. We are considering a high-availability deployment of Access Manager 11gR2. What are our options?

Access Manager 11gR2 is built as a 100% Java solution and is designed for extreme scalability and high availability. Customers looking for a high-availability deployment should consider:

• Deployment in WebLogic clusters for scaling horizontally within a single data center.
• Multi-data Center deployments for scaling across data centers. They can be configured in Active – Active, Active – Passive or Active – Hot Standby modes.

8. Access Manager 11g WebGates are supported on Oracle HTTP Server 11g and IBM HTTP Server 7.0 but I use Apache Web Servers. What do I do if I want to use Access Manager 11g?

Access Manager 11g servers are capable of communicating with Oracle Access Manager 10g WebGates. Oracle Access Manager 10g WebGates have a broad set of certifications for web servers including various versions of Apache, Domino, Microsoft IIS, and many more. Refer to the certification matrix for a list of supported configurations:

9. Does Access Manager 11g support X.509 authentication?

Access Manager 11g supports X.509 authentication as long as the certificate is provided with the HTTP request.

Certification Questions

1. Is there a direct link to the certification matrix for 10g WebGates that are supported against Access Manager 11g Server?

The certification matrix for 10g WebGates can be found under the WebGates tab at
http://www.oracle.com/technetwork/middleware/downloads/oracle-accessmgr-10gr3-certmatrix-132000.xls

2. I don't see the WebGate configuration I want listed on the certification matrix. How do I request a new WebGate?

Log a Service Request with Oracle Support and indicate that it is a request for certification to support a new Access Manager WebGate.

Migrations Questions

1. I am currently running Oracle Access Manager 10gR3. How do I migrate to Access Manager 11gR2 (11.1.2.x)?

Access Manager 11gR2 provides assessment / migration tools, server side co-existence and agent backward compatibility to help customers with 10g migration projects. For details, refer to the Migration Best Practices for Oracle Access Manager 10gR3 Deployments Whitepaper available at
http://www.oracle.com/technetwork/middleware/id-mgmt/index-090417.html

Additionally, the Upgrade and Migration Guide for Oracle Identity and Access Management, published as part of the 11.1.2.x product documentation set, contains information.
2. I have a large Oracle Access Manager 10gR3 deployment with thousands of WebGates. Do I need to upgrade them all to migrate to the new Access Manager 11gR2 platform?

No. Access Manager 11gR2 provides agent backward compatibility that allows 10gR3 customers to continue using their existing 10gR3 (10.1.4.3) WebGates. A protocol compatibility framework allows the Access Manager server to communicate with 10gR3 WebGates the same way it can communicate with the new 11g WebGates. Therefore, Access Manager 10gR3 customers with large deployments can focus on upgrading their server infrastructure first and adopt a more phased approach for replacing their existing 10gR3 WebGates with new 11g WebGates over time.

3. I have a large Oracle Access Manager 10gR3 deployment with thousands of applications. Do I need to migrate them all to the new 11gR2 platform at once?

No. Access Manager 11gR2 provides server side co-existence where both the Oracle Access Manager 10gR3 and Access Manager 11gR2 servers can be live in production at the same time protecting different sets of applications. End users will continue having a seamless single sign-on experience as they navigate between applications protected by the two servers. This capability can be leveraged by customers with large deployments to perform the server migration in a phased manner over a period of time without impacting end users.

4. I am a Sun Access Manager 7.1 or OpenSSO 8.0 customer. How do I migrate to Access Manager 11gR2?

Access Manager 11gR2 provides assessment / migration tools, server side co-existence and agent backward compatibility to help customers with 10g migration projects.

For more details, please refer to the Migration Best Practices for OpenSSO 8 and Sun Access Manager 7.1 deployments Whitepaper available at
http://www.oracle.com/technetwork/middleware/id-mgmt/index-090417.html

Also see the Upgrade and Migration Guide for Oracle Identity and Access Management, published as part of the 11.1.2.x product documentation set.

5. I have a large Sun Access Manager 7.1 or OpenSSO 8.0 deployment with thousands of Policy Agents. Do I need to upgrade them all to migrate to the new Access Manager 11gR2 platform?

No. Access Manager 11gR2 provides agent backward compatibility that allows Sun Access Manager 7.1 or OpenSSO 8.0 customers to continue using their existing Policy Agents (versions 2.2 and 3.0). A protocol compatibility framework allows the Access Manager server to communicate with Policy Agents the same way it can communicate with the new 11g WebGates. Therefore, Sun Access Manager 7.1 and OpenSSO 8.0 customers with large deployments can focus on upgrading their server infrastructure first and adopt a more phased approach for replacing their existing Policy Agents with new 11g WebGates over time.

6. I have a large Sun Access Manager 7.1 or OpenSSO 8.0 deployment with thousands of applications. Do I need to migrate them all to the new Access Manager 11gR2 platform at once?

No. Access Manager 11gR2 provides server side co-existence where both the OpenSSO 8.0 (or Sun Access Manager 7.1) and Access Manager 11gR2 servers can be live in production at the same time protecting different sets of applications. End users will continue having a seamless single sign-on experience as they navigate between applications protected by the two servers. This capability can be leveraged by customers with large deployments to perform the server migration in a phased manner over a period of time without impacting end users.

7. I am an Oracle Single Sign-On customer. How do I migrate to Access Manager 11gR2?
Access Manager 11gR2 offers the upgrade path and server side co-existence. The process is described in the Upgrade Guide that can be found at
http://docs.oracle.com/cd/E27559_01/index.htm
Oracle Access Management Mobile and Social (Mobile and Social)

This section contains frequently asked questions related to Mobile and Social.

General Questions

1. What is Oracle Access Management Access Portal (Access Portal)?

The Access Portal service provides a cross-platform single sign-on service for web-based applications including SaaS applications, Oracle Access Management protected resources and business partner applications.

• Advanced device fingerprinting and historical tracking
• Advanced device registration
• Policy support to address lost and stolen devices
Oracle Adaptive Access Manager

This section contains frequently asked questions related to Oracle Adaptive Access Manager (OAAM).

General Questions

1. What is Oracle Adaptive Access Manager?

Oracle Adaptive Access Manager (OAAM) is utilized to prevent web application access fraud and misuse. OAAM provides multiple layers of security such as device fingerprinting, location intelligence, behavioral profiling, real-time risk analysis and risk-based identity verification, interdiction and alerting. The OAAM security layers combat modern online threats including compromised authentication credentials, session hijacking and insider fraud.

2. What are the new features of OAAM 11gR2 (11.1.2.x)?

OAAM 11gR2 provides improved mobile access security, enhanced multi-channel fraud detection capabilities, layered security for cloud service providers and new forensic tools to speed fraud investigations. Providing centralized, layered security and risk-based authentication capabilities for both standard web and mobile access is a new feature. The ability to evaluate access and transactional risk from non-web sources will help customers to more holistically secure their enterprise.

Security is still the main barrier to cloud service adoption in the enterprise space, so the ability for service providers to provide added layers of protection is key to business growth. When a human fraud investigator is required to evaluate an alert, OAAM helps them to determine what the situation is and locate the related fraud quickly and painlessly.

3. How can OAAM save my company money?

OAAM can help reduce negative impacts to a company's bottom line by preventing fraud and misuse of sensitive applications and the data they contain. Brand damage resulting from a publicized security breach can be very expensive in both the short and long term for an enterprise. Additionally, prevention of fraud can directly save large sums of money for an enterprise. By verifying user identities via multiple security layers and evaluating the risk of transactions in real-time, OAAM pays for itself in an average of one year. For more ROI details, read the IDC ROI study.

4. How can OAAM improve self-service password management flows?

Businesses primarily develop self-service flows to reduce costly help desk calls, so the flows must be highly secure and usable. One of the most critical flows is the "Forgot Password?" reset. If the flow is not completed in a secure manner, this can introduce a weak link in the perimeter security. As well, if the reset flow is not easy to follow, end users will call the help desk, defeating the whole purpose of a self-service flow. OAAM layered security secures flows with device fingerprinting, behavioral profiling, risk analysis and risk-based authentication. If challenge questions are utilized as the alternate authentication mechanism in the "Forgot Password?" flow, OAAM can increase user success by allowing variability in the answers submitted; OAAM can even negotiate typos, abbreviations and date format variances to increase usability. The unique combination of layered security and the OAAM Knowledge Based Authentication (KBA) Answer Logic can help your business ensure that both help desk calls and fraud will be reduced.

5. What impact does KBA have on user experience?

Large consumer-facing OAAM deployments with multiple millions of users have reported that their customer support call volumes increased by approximately 0.2% during roll out and decreased shortly thereafter. When all answer logic was enabled and set to "low", approximately 7% of KBA challenges resulted in a call to support for reset; with answer logic turned up to "high", this number reduces by roughly half. Large OAAM deployments actively using the CSR phone challenge feature have been very satisfied with the results
and have reported that valid users are consistently able to answer their questions over the phone 95% of the time.

translated to the STD_ADMIN scope of 9 languages. The up to date language scope can be found here.

Oracle Enterprise Single Sign-On Suite Plus

This section contains frequently asked questions related to Oracle Enterprise Single Sign-On Suite Plus.

General Questions

1. What is Oracle Enterprise Single Sign-On Suite Plus?

Oracle Enterprise Single Sign-On Suite Plus (eSSO) allows users to log in to enterprise applications using a single password for any password-protected application on the desktop, network or Internet. It offers a highly scalable enterprise single sign-on infrastructure, providing features such as single sign-on, client-side Windows password reset, centralized user provisioning, support for kiosk environments, strong authentication, and comprehensive auditing. With eSSO, users can truly authenticate once and have access to all the applications they access on a day-to-day basis.

2. What are the key features of Oracle Enterprise Single Sign-On Suite Plus 11gR2 (11.1.1.2.x)?

• User to User Account Delegation allows users to securely pass their credentials from one user to another.
• Seamless integration with Oracle Access Manager provides organizations the ability to implement a single SSO session no matter what type of application is being accessed.
• eSSO – UAM now supports Windows 7 for Smart Card, Proximity Card, Biometric and Knowledge Based Authentication.
• Re-engineered support for Firefox browsers to take advantage of Mozilla's rapid release schedule.

3. Is Oracle Enterprise Single Sign-On Suite Plus deployable using software distribution tools?

Yes, eSSO is deployable using any software distribution tool that can deploy a standard MSI file. The eSSO Administrative Console provides an easy way to customize the standard Oracle eSSO MSI and build a deployment package that is ready to be distributed with Microsoft's SMS or nearly any other distribution tool (including Novadigm, Tivoli, Marimba or even just a Web download).

4. Is Oracle Enterprise Single Sign-On Suite Plus available on other platforms such as iOS and Android?

Yes, eSSO customers can use the Access Portal service to provide cross-platform single sign-on for web-based applications. See the FAQ regarding Access Portal for details.

5. Can I centrally control Oracle Enterprise Single Sign-On Suite Plus administrative settings?

Yes. eSSO administrative settings are controlled using the Administrative Console's easy-to-use GUI. eSSO leverages your existing infrastructure as the central repository. eSSO supports various directories (including Oracle Unified Directory (OUD), Oracle Directory Server Enterprise Edition (ODSEE), Oracle Internet Directory (OID), Microsoft Active Directory & ADAM) or a database (Oracle, DB2, SQL) as a central repository for user and administrative settings. Simply store the application definitions, password policies and eSSO configuration settings in the eSSO configuration objects on the directory, and each Oracle eSSO client will pull down the newest configuration data each time it starts up.

6. Can the administrator control which applications are accessed via single sign-on and which are not?

Yes. This is configurable globally, by role/group, or by user. As such, we can support flat directories or detailed hierarchical directories.

7. Is it possible to deactivate a user account for some or all of the applications?

Yes. This can be done via the eSSO-Provisioning Gateway.

8. Can you limit (by user, group and/or application) the ability of the user to see (have revealed to them) their own passwords?
Oracle Access Management Identity Federation (Identity Federation)

This section contains frequently asked questions related to Identity Federation.

General Questions

1. What is Identity Federation?

Identity Federation is a complete, enterprise-level and carrier-grade solution for exchanging secure identity information between partners. It significantly reduces the need to create and manage unnecessary identities in an enterprise directory and lowers the ongoing costs of partner integrations through its support of industry federation standards. Identity Federation protects existing IT investments by integrating with a wide variety of data stores, user directories, authentication providers and applications. With Identity Federation, organizations can do more business online by allowing their business partners secure access to protected applications.

• Support for all OAM Authentication Schemes for IDP authentication
• Built-in support for risk and fraud awareness in a federated session
• Support for multiple identity stores for authentication and attribute exchange
• Identity Provider Discovery
• Identity Provider Proxy
• Support for industry standard attribute sharing profiles
• Support for attribute profiles for both IDP and SP
• Quick and easy federation partnership setup across all protocols
• Proven Internet Level Availability and Scalability
• Provisioning Plug-in Framework
• Unified administration, installation and deployment within Oracle Access Management

4. What protocols are supported by Oracle Access Management Identity Federation 11gR2 (11.1.1.2.x)?
OAuth 2.0 is a standards-compliant OAuth 2.0 authorization service implementation that supports both 3-legged and 2-legged OAuth flows and the following roles defined by OAuth:

• Resource Server: hosts the protected resources, capable of accepting and responding to resource requests using access tokens.
• Client: makes protected resource requests on behalf of the resource owner and with its authorization. The term client is not specific to a particular entity; for example, the client could be an application that executes on a server or on a mobile device.
• Authorization Server: issues access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

7. What is the benefit of using the OAuth 2.0 protocol for secure access?

In the traditional client-server authentication model, the client accesses a protected resource on the server by authenticating with the server using the resource owner's credentials. In order to provide third-party applications access to protected resources, the resource owner shares their credentials with the third party. This creates the following problems and limitations:

• Third-party applications are required to store the resource owner's credentials for future use - typically a password in clear text.
• Servers are required to support password authentication despite the security weaknesses created by passwords.
• Third-party applications gain overly broad access to the resource owner's protected resources, leaving them without the ability to restrict duration or access to a limited subset of resources.
• Resource owners cannot revoke access to an individual third party without revoking access to all third parties, and must do so by changing their password.

The OAuth 2.0 protocol addresses these issues by introducing an authorization layer and separating the role of the client from that of the resource owner. In OAuth 2.0, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner. Instead of using the resource owner's credentials to access protected resources, the client obtains an access token - a string denoting a specific scope, duration, and other access attributes. An authorization server, with the approval of the resource owner, issues access tokens to third-party clients. The client uses the access token to access the protected resources hosted by the resource server.

8. What is the benefit of using the Oracle Access Manager OAuth 2.0 Service?

The OAuth 2.0 Service provides a fully standards-compliant OAuth 2.0 authorization server with support for both 3-legged and 2-legged OAuth flows and enables the OAuth 2.0 Client and the OAuth 2.0 Resource Server roles. It uniquely provides several compelling differentiations and innovations for mobile OAuth 2.0 clients (such as native applications on mobile devices), specifically for extranet access in enterprise scenarios. These include built-in support for mobile application registration and device identification during the OAM OAuth 2.0 mobile flow, ensuring trusted access from mobile devices, and built-in server side single sign-on for mobile OAuth clients. It is ideally suited for enterprise scenarios that may require higher levels of security during an OAuth flow and would benefit from the built-in OAM integrations provided by the OAM OAuth 2.0 service.

9. What is the difference between OAM Classic OAuth and OAM Mobile OAuth?

OAM Classic OAuth provides 3-legged and 2-legged OAuth flows for non-mobile clients, while OAM Mobile OAuth enables those flows for mobile clients. Mobile clients are categorized as native applications on mobile devices.

10. What is the significance of securing enterprise mobile clients using OAuth?

Several OAuth clients are consumer applications that cannot keep the client secret confidential (application password or private key). These OAuth clients are called public clients or non-confidential clients. Mobile client applications (native applications on mobile devices) are also categorized as public clients because when a native application is first downloaded from an app store to a device it has the client credentials that uniquely identify the client application baked into the application. Since all users

• Common OAM configuration, deployment and infrastructure
• Multi-Tenancy support for Cloud deployments
that download the native application have access to the Extensions Support for OAuth Assertion
binary, a malicious user could easily decompile the client specifications for SAML bearer & JWT tokens
credentials out of the binary and insert their own
credentials. During an OAuth flow, a major vulnerability is 13. What are some key considerations for choosing between
apparent when the access code gets exchanged for the OAM OAuth and the OAuth service in Oracle Application
access token as there is no secure means of really Gateway?
identifying who is actually receiving and using the access
token. Hence, providing a mechanism to secure the mobile Both products support 3-legged and 2-legged OAuth flows
application on the device in order to ensure trusted access is but they are designed to support different use cases.
a key requirement specifically for enterprise mobile Customers that are looking for an access management
applications that routinely require access to sensitive data. platform or would like to leverage their existing investment
in Oracle Access Management but also require OAuth2.0
11. What are some key features provided by the OAM functionality are ideally suited to leverage the OAM OAuth
OAuth service to secure enterprise mobile access? 2.0 Service while those customers that are looking for an
API security solution which can coexist with Oracle or
The OAM OAuth 2.0 Service provides built-in support for a other Access Management platforms may leverage Oracle
mechanism that allows mobile applications to be first Application Gateway (OAG) OAuth. Use the OAM OAuth
registered with OAM to use OAuth Access Services. The 2.0 Service to leverage out of the box OAM integrations,
mobile application always submits this registration based provide secure mobile client access to APIs and provide
client token as an input parameter for accessing OAM higher levels of security that are required during enterprise
OAuth 2.0 Service end points. Furthermore, the OAM OAuth flows. Use the OAG OAuth 2.0 Service for
OAuth 2.0 service also allows built-in coupling of device enterprise access to cloud based APIs acting as a Cloud API
identification with mobile application registration where Gateway and to provide support for non confidential clients.
mobile devices and applications are checked against fraud
and security using a built-in integration with Oracle
Adaptive Access Manager (OAAM). In addition, the mobile
OAuth 2.0 flows in the OAM OAuth 2.0 provides the
following features for secure enterprise mobile access:
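As an added illustration of questions 7, 10 and 11 above (example code written for this FAQ, not OAM's implementation): a toy authorization server that issues scoped, expiring access tokens, revokes one client at a time without touching the owner's password, and binds the code exchange of a public mobile client to a per-instance registration token instead of a secret baked into the binary. The class and method names, the token format and the in-memory stores are assumptions, and OAM's mobile registration and device identification are only approximated by the registration token.

```python
import hmac
import secrets
import time

class AuthorizationServer:
    """Issues scoped, expiring access tokens; binds auth codes to app instances."""

    def __init__(self):
        self.instances = {}  # registration token -> client_id (one per install)
        self.codes = {}      # auth code -> (client_id, reg token, owner, scope)
        self.tokens = {}     # access token -> {client, owner, scope, expires}

    def register_instance(self, client_id):
        """Each installed copy of a public client registers and gets its own
        token; nothing secret is baked into the binary (assumed OAM-like flow)."""
        reg = secrets.token_urlsafe(16)
        self.instances[reg] = client_id
        return reg

    def authorize(self, client_id, reg, owner, scope):
        """Resource owner approves the request; the code remembers the instance."""
        if self.instances.get(reg) != client_id:
            raise PermissionError("unregistered app instance")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, reg, owner, frozenset(scope))
        return code

    def exchange(self, code, client_id, reg, ttl=300):
        """Swap a single-use code for a token. client_id is public in every copy
        of the app, so the instance token that obtained the code is required."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already used code")
        c_id, bound_reg, owner, scope = entry
        if c_id != client_id or not hmac.compare_digest(bound_reg, reg):
            raise PermissionError("code was issued to a different app instance")
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = {"client": c_id, "owner": owner, "scope": scope,
                            "expires": time.time() + ttl}
        return tok

    def revoke_client(self, owner, client_id):
        """Cut off one third party; the owner's password and other clients stay."""
        doomed = [t for t, v in self.tokens.items()
                  if v["owner"] == owner and v["client"] == client_id]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

class ResourceServer:
    """Accepts access tokens only; it never sees the resource owner's password."""

    def __init__(self, authz):
        self.authz = authz  # toy: validates by lookup in the AS token store

    def access(self, token, required_scope, now=None):
        info = self.authz.tokens.get(token)
        now = time.time() if now is None else now
        if info is None or info["expires"] <= now:
            return None  # unknown, revoked or expired token
        if required_scope not in info["scope"]:
            return None  # token is limited to a subset of resources
        return f"data for {info['owner']} via {info['client']}"
```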
Oracle Access Management Security Token Service (Security Token Service)

This section contains frequently asked questions related to the Security Token Service (STS).

  oracle/sts_trust_config_client_policy
  oracle/sts_trust_config_service_policy

2. Issue-Token Policies
  oracle/wss11_sts_issued_saml_hok_with_message_protection_client_policy
  oracle/wss11_sts_issued_saml_hok_with_message_protection_service_policy
  oracle/wss11_sts_issued_saml_with_message_protection_client_policy
  oracle/wss_sts_issued_saml_bearer_token_over_ssl_client_policy*
  oracle/wss_sts_issued_saml_bearer_token_over_ssl_service_policy*

- The message formats used to request and issue security tokens
- The mechanisms for key exchange

4. What features are supported by the WS-Trust provider in Oracle Web Services Manager?
Oracle Web Services Manager

This section contains frequently asked questions related to Oracle Web Services Manager (OWSM).

General Questions

1. What is Oracle Web Services Manager?

Oracle Web Services Manager (OWSM) provides last-mile SOA and REST API security. It is a standards-compliant solution delivered as part of Oracle SOA Suite and the Oracle Access Management Suite that allows you to:

- Centrally define and store declarative security policies for the APIs and web services making up an organization’s web services and SOA infrastructure
- Locally enforce security and management policies through embedded agents
- Monitor runtime security events such as failed authentication or authorization

OWSM provides business agility to respond to security threats and security breaches by allowing policy changes to be enforced in real time without the need to interrupt running business processes.

2. Is Oracle Web Services Manager replaced by the Oracle API Gateway (OAG)?

No. The two complement each other and together provide a layered end-to-end security solution.

OWSM provides last-mile / endpoint security for Oracle Fusion Middleware and Fusion Middleware-based applications such as Oracle Fusion Applications. OWSM is Oracle’s strategic solution for providing endpoint security for REST / SOAP based APIs and web services, and provides embedded agents that run in the same process as the application.

OAG is designed based on a gateway pattern, and is deployed in front of an organization’s web services and SOA infrastructure, most often in the DMZ.

3. How can I integrate the Oracle API Gateway and Oracle Web Services Manager?

Refer to the following OTN page for details on how to integrate OAG and OWSM:
http://www.oracle.com/technetwork/articles/soa/oeg-owsm-1562313.html

4. How is Oracle API Gateway different from the Oracle Web Services Manager 10g Gateway?

OWSM 10g Gateway and OAG are two separate products. OWSM 10g Gateway was discontinued with the release of Fusion Middleware 11gR1. OAG replaces the earlier OWSM 10g Gateway and is Oracle’s strategic API Security/Management and DMZ security solution. OAG also provides a large number of capabilities that were not available in the OWSM 10g Gateway. Refer to the OWSM 10g Gateway to OEG Migration Guide as a starting point for OWSM 10g Gateway to OEG migration.

5. Can I use Access Manager for protecting APIs and web services?

Access Manager is a web single sign-on solution and shouldn’t be used for protecting REST APIs or SOAP-based web services. OWSM and OAG are the API and web services security solutions; use one or the other depending on whether you’re securing APIs in the DMZ or within the green zone (corporate network). OAG and OWSM are integrated with Oracle Access Manager for authentication and validation of tokens.

6. How does identity propagation between web and web services work when using Access Manager and Oracle Web Services Manager?

Refer to the following blog entry for details on identity propagation:
https://blogs.oracle.com/owsm/entry/identity_propagation_across_web_and
Control (ABAC), NIST Role Based Access Control (RBAC), “Enterprise” RBAC, Java2 / JAAS Permissions, OpenAZ, and various models for enforcing data security. OES can also act as a Java2 Security Provider and plug directly into the JVM for controlling access to the file system, network and sensitive code.

7. How does Oracle Enterprise Server enable Risk and Context based Access Control?

OES and Oracle Access Management provide a unique end-to-end solution that enables context-aware computing. Identity Context is automatically made available for authorization decisions by OES, allowing organizations to control what users can do / what information they can access based on the user, device, and runtime context - this includes but is not limited to:

- Blocking or permitting incoming requests based on fine-grained authorization policies
- Performing deep packet inspection of SOAP or REST payloads and selectively permitting or denying access based on request content (authorizing business transactions)
- Selectively redacting or encrypting sensitive information in the API / web services response

This is often achieved without any changes to the backend web service or SOA application.

OES integrates with API Gateways (e.g. Oracle API Gateway and 3rd-party offerings) to secure web services and APIs in the DMZ, and with Oracle or 3rd-party ESBs, SOA infrastructure, and a variety of web services in the “Green Zone” (corporate network).
their REST APIs, but once authenticated the tokens can be converted to SAML, Kerberos, or any other types of tokens that are required by the backend systems.

OAG adds a large number of additional capabilities to an organization’s REST API infrastructure – API access, business transactions, and the data requested/returned can be monitored and audited. Requests from mobile clients (or business partners, cloud applications, etc.) can be validated to ensure they are properly formed and free from any malicious content and threats such as SQL injection attacks, denial-of-service attacks (even based on message payload content), viruses, and a large number of other XML, crypto, and other types of attacks.

Throttling policies can be defined to ensure that certain types of clients – perhaps based on their subscription (gold, silver, bronze) – can only perform a given number of transactions per day (or other time interval), to charge per usage, and to ensure that a rogue client doesn’t overload the system with a large number of requests.

Perhaps most importantly, the Oracle API Gateway is integrated with Oracle’s Access Management technologies – Oracle Access Manager and the Access Management Mobile & Social solution for authentication and validation of user tokens, fraud detection, and Identity Context propagation; Oracle Entitlements Server for authorization and audit of REST API access and selective data redaction of the response payload; Oracle STS for centralized security token management; and also our LDAP directories for user lookup and enrichment of the message payload (adding additional user information from LDAP to the payload).

3. What features does Oracle API Gateway provide as a mobile access gateway?

OAG as a Mobile Access Gateway (working with Oracle Access Management Mobile & Social and other components in Oracle Access Management) provides the following capabilities:

- Protect REST, SOAP and API access against denial-of-service, SQL injection and API attacks
- Access Control and Identity Integration
- API Key Management
- OAuth 2.0 Client & Server support
- Content and context based routing
- Mapping between data formats such as XML and JSON and bridging protocols (e.g. REST to SOAP)
- Pre-fetching content and caching of calls to back-end applications for scalability
- Brokering SSO and call-outs to external cloud services
- Recomposing and virtualizing APIs to specific mobile identities, applications and devices
- Mapping Web SSO and SAML to mobile-friendly OAuth, OpenID Connect and JSON web tokens
- SLA controls and response caching
- Fine-grained access control and data redaction

4. What are the different API Security and API Management related features provided by Oracle API Gateway?

Threat Protection
- Validate HTTP parameters, REST query/POST parameters, JSON data structures, XML schemas
- Protect against XSS, SQL injection, XML content/structural threats and viruses
- Create custom threat profiles to extend built-in filters for message structure and XML threats
- Track failed authentications and/or policy violations to identify patterns and potential threats

API Key Management
- Assign, suspend and revoke API keys

Throttling and Quality of Service
- Throttling/rate limiting and quota controls provide control over API traffic

Usage Reporting and Analytics
- Reports that track and meter API usage, successes versus errors
- Real-time monitoring dashboard

Access Control
- Support for HTTP basic, digest, SSL certificate based authentication, Microsoft SPNEGO
- Support for SAML, X.509 certificates, LDAP, OAuth
- Authentication against Oracle Access Management
- Fine-grained access control and data redaction (working with OES)

5. What is the relationship between the Oracle API Gateway and Oracle Entitlements Server?

OAG is natively integrated with Oracle Entitlements Server to meet the following use cases:

Selective Data Redaction

A large number of organizations across Financial Services, Healthcare, Public Sector / Government Agencies, Telecom, Insurance, and most other industries are looking to expose information and corporate systems to mobile devices, business partners, customers, and the cloud. Many organizations internally expose web services and/or have corporate systems for accessing information about customers, patients, citizens, documents, or other sensitive data. These web services and systems were likely built a long time ago, and often return any and all information about the customer or patient, including sensitive information such as social security numbers, credit card numbers, or medical and health records, to the requester. With the combination of OES and OAG, organizations can expose REST-based APIs (or other types of web services) to their clients and define XACML-based authorization policies that determine what information should actually be allowed to leave the network or needs to be redacted.

Organizations can control what information Bob (for example) can access regarding a given customer or patient from a given client device, location, or network; the automatically redacted information is based on Bob’s relationship with the customer/patient (account manager, doctor, something else, or none). In this example, we can determine that the current user should not be allowed to see the customer's or patient's social security number or date of birth, whereas, if Bob were to query a different customer/patient record, he would be able to see all the information.

Business Transactions

As in the data redaction example, organizations can also control what business transactions a given set of users are allowed to perform under various conditions. This covers not only whether the user is authorized to submit a specific type of business transaction, salary changes as an example, but also for what set of employees, the actual $$$ amount being changed, and under what conditions. Another example could be whether you are allowed to submit orders over a certain amount based on Identity and Device Context.

In both these examples, rules and authorization policies are defined to specify what data can be accessed and whether a given business transaction can be submitted - without any coding or changes required to the backend systems. OAG and OES sit in front of the organization's backend systems and can inspect and control what messages and message content are allowed to go in either direction (request or response).

Organizations gain insight through audit trails and real-time as well as offline monitoring of transactions and information flows, and can set up alerts and notifications if anomalies in access patterns and suspicious behavior are detected.

6. How are Oracle API Gateway and Oracle Web Services Manager different?

OAG and OWSM are key components of Oracle's overall layered API and web services security solution and provide complementary functionality to give organizations an end-to-end security solution for their deployments. In an enterprise, APIs and web services can be implemented using different approaches that need to be secured at the different stages of the request / response cycle between clients (relying parties such as users or applications) and service providers (organizations exposing web services); several security layers are defined between the two. The first security layer, in the corporate DMZ (“red zone”), is handled by OAG by providing "perimeter security" or the first line of defense. The second security layer (corporate "green zone") is located behind the inner firewall of the DMZ. In some cases, the green zone may include several security sub-layers designed to further filter access to web services. Finally, agents co-located with the web services or applications to be protected provide the last security layer, known as "last-mile security" and handled by OWSM.

7. What support is available in Oracle API Gateway for Microsoft .NET, ADFS and WCF?

OAG interoperates with Active Directory using LDAP, and in the case of ADFS 2.0 (Active Directory Federation Services) it acts as an STS client, consuming tokens from ADFS 2.0 using WS-Trust. This may be used for scenarios involving single sign-on with Microsoft SharePoint.

OAG interoperates with all versions of Microsoft .NET services. Interoperability is provided for the WCF (Windows Communication Foundation) policies used by .NET.

OAG is tightly integrated with Oracle Access Manager, Oracle Entitlements Server, Oracle Access Management Mobile & Social, Oracle Directory Services, Oracle Web Services Manager, Oracle Service Registry, Oracle Service Bus, Oracle Business Transaction Monitor, Oracle SOA Suite and Oracle Enterprise Manager Grid Control to provide transport- and application-level security across all layers involved in API and web services requests.
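To make the two OES use cases from question 5 (selective data redaction and business transaction authorization) concrete, the following added example, which is not Oracle code, expresses them as a small attribute-based policy decision point in plain Python: a stand-in for the XACML policies OES would evaluate and OAG would enforce. The attribute names (relationships, device, roles, team), the amount limits and the sample record are constructed assumptions.

```python
import copy

# Constructed sample response from a legacy backend that returns every field.
SAMPLE_RECORD = {"id": "C-1001", "name": "Jane Roe", "ssn": "000-00-0000",
                 "date_of_birth": "1970-01-01", "balance": 1200.50}
SENSITIVE = ("ssn", "date_of_birth")

def decide_fields(subject, record):
    """Selective Data Redaction policy: which fields the caller may see.
    As in the Bob example, a caller who is the account manager or doctor for
    this particular customer, calling from a managed device, sees everything;
    anyone else never sees the social security number or date of birth."""
    relationship = subject["relationships"].get(record["id"], "none")
    trusted_device = subject["device"] == "managed"
    if relationship in ("account_manager", "doctor") and trusted_device:
        return set(record)
    return set(record) - set(SENSITIVE)

def redact(subject, record):
    """Enforce the decision on the response payload; the backend is unchanged."""
    allowed = decide_fields(subject, record)
    out = copy.deepcopy(record)
    for key in record:
        if key not in allowed:
            out[key] = "[REDACTED]"
    return out

def authorize_transaction(subject, txn):
    """Business Transactions policy: a salary change needs an authorized role,
    an employee inside the caller's scope, and an amount under a limit that
    depends on device context; orders are limited by device context only."""
    if txn["type"] == "salary_change":
        if "hr_manager" not in subject["roles"]:
            return False, "role not permitted to submit salary changes"
        if txn["employee"] not in subject["team"]:
            return False, "employee outside caller's scope"
        limit = 10000 if subject["device"] == "managed" else 2000
    elif txn["type"] == "order":
        limit = 5000 if subject["device"] == "managed" else 500
    else:
        return False, "unknown transaction type"
    if txn["amount"] > limit:
        return False, f"amount exceeds limit {limit} for this device context"
    return True, "permitted"
```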