Oam Interview Questions
1. What is SSO
2. What is Authentication
3. What is Authorization
4. What is Authentication Policies in OAM
5. What is Authorization Policies in OAM
6. Authentication Module
7. Authorization Modules
8. What is Webgate
9. What is OHS
10. What is IIS
11. What is Access Gate
12. What is Identity Store
13. Different Types of Identity Store
14. What is Security Mode in OAM
15. Different Types of Security Mode present in OAM
16. What is Protected Resource Policy
17. What is Public Resource Policy
18. What is Webgate Agent
19. Describe the different types of process to register any webgate agent
20. What is Host Identifiers
21. Explain the Architecture of OAM in High Availability
22. Explain the process of protecting any Web Application using OAM for SSO
23. How can you enable SSO between OIM and OAM
24. Describe Reverse Proxy
25. What are Header Variables
26. What is the use of Header Variables
27. What is Obsso Cookie
1. What is SSO
Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password
in order to access multiple applications. The process authenticates the user for all the applications they have
been given rights to and eliminates further prompts when they switch applications during a particular session.
Overview
• Provides users with unified sign-on and authentication across all their enterprise resources, including
desktops, client-server, custom, and host-based mainframe applications
• Provides a centralized framework for security and compliance enforcement
• Eliminates the need for multiple usernames and passwords
• Helps enforce strong password and authentication policies
• Uses any LDAP directory, Active Directory, or any SQL database server as its user profile and credential
repository
Benefits
Reduces deployment risk and operational costs
Allows enterprises to provide fast, secure access to applications for employees and partners
Eliminates the overhead and limitations of traditional desktop client deployment
Seamlessly integrates with Oracle Identity Management for common security policy enforcement and
compliance reporting across applications
2. What is Authentication
The process of identifying an individual usually based on a username and password. In security systems,
authentication is distinct from authorization , which is the process of giving individuals access to system objects
based on their identity. Authentication ensures that the individual is who he or she claims to be, but says nothing
about the access rights of the individual.
3. What is Authorization
After authentication, the process of granting or denying access to a network resource is called authorization.
Most computer security systems are based on a two-step process. The first stage is authentication, which ensures
that a user is who he or she claims to be. The second stage is authorization, which allows the user access to
various resources based on the user's identity.
Authorization is the process of determining if a user has a right to access a requested resource.
Administrators can create one or more authorization policies to specify the conditions under which a subject or
identity has access to a resource. A user might want to see data or run an application program protected by a
policy. The requested resource must belong to an application domain and be covered within that domain by a
specific authorization policy.
5. Authentication Modules
An authentication module is the component in which user authentication actually takes place.
It is the smallest executable unit of an authentication scheme. Several pre-defined modules are provided, and each
module contains standard plug-ins. The authentication module determines the exact procedure to be followed and
the method for challenging the user for credentials.
6. Authentication Scheme
An authentication scheme defines which authentication module is used to authenticate the user.
Several default authentication schemes are provided with Oracle Access Manager 11g.
7. Authentication Policies
Authentication Policy defines the level of protection. Authentication policies specify the authentication
methodology to be used for authenticating the user for whom the access must be provided on a given resource.
Policies define the way in which the resource access is to be protected.
After a policy has been evaluated, two standard actions are performed:
8. Resource Types
Each resource is defined using a single resource type. However, you can define any number of resources using
that type.
Before you can add resources to an application domain for protection, *their* resource type must be defined.
Administrators typically use the default resource type, HTTP, but non-HTTP types can be defined.
When adding a resource to an application domain, administrators must choose from a list of defined Resource
Types, then enter a specific URL. For HTTP type resources, include a host identifier. For non-HTTP resource
types, use the type name.
The default resource type, HTTP, is used with HTTP and HTTPS protocols. Operations associated with the HTTP
resource type need not be defined by an administrator. Instead, policies developed and applied to the resource
apply to all operations.
When adding an HTTP type resource to an application domain, administrators must choose from a list of existing
host identifiers and add the resource URL.
Administrators can define a resource type for non-HTTP resources. Non-HTTP resource types have no associated
host identifier. When adding non-HTTP resources to an application domain, administrators must enter the type
name into the Resource URL field as a pointer. The name cannot match any host Identifier (and vice versa). This
is not a relative HTTP URL.
For instance, a non-HTTP resource type named wl_authen is available to use with resources deployed in a
WebLogic container. Resources of type wl_authen require a custom AccessGate. The protected resource is
accessed using its URL on the Oracle WebLogic Server.
An Oracle WebGate is a Web server plug-in that is shipped out-of-the-box with Oracle Access Manager.
The WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for
authentication and authorization.
Oracle HTTP Server is the Web server component for Oracle Fusion Middleware. It provides a listener for Oracle
WebLogic Server and the framework for hosting static pages, dynamic pages, and applications over the Web.
Oracle HTTP Server can also be a proxy server, both forward and reverse. A reverse proxy enables content
served by different servers to appear as if coming from one server.
Oracle HTTP Server 11g, Release 1 (11.1.1.4.0) is based on Apache HTTP Server 2.2.15 (with critical bug fixes
from higher versions) infrastructure, and includes modules developed specifically by Oracle. The features of
single sign-on, clustered deployment, and high availability enhance the operation of the Oracle HTTP Server.
Oracle HTTP Server has the following components to handle client requests:
• HTTP listener, to handle incoming requests and route them to the appropriate processing utility.
• Modules (mods), to implement and extend the basic functionality of Oracle HTTP Server. Many of the
standard Apache modules are included with Oracle HTTP Server. Oracle also includes several modules
that are specific to Oracle Fusion Middleware to support integration between Oracle HTTP Server and
other Oracle Fusion Middleware components.
• Perl interpreter, a persistent Perl runtime environment embedded in Oracle HTTP Server
through mod_perl.
Oracle HTTP Server enables developers to program their site in a variety of languages and technologies, such as
the following:
Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created
by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It
has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some
editions (e.g. Windows XP Home edition). IIS is not turned on by default when Windows is installed. The IIS
Manager is accessed through the Microsoft Management Console or Administrative Tools in the Control Panel.
An identity store is a store containing enterprise users and groups. WebLogic comes with an embedded LDAP
server, which Fusion Middleware components use as the identity store by default. External LDAP servers such
as OID or AD can be configured to be used as identity stores.
System Store: the identity store whose groups or users act as "Administrators" of OAM; only members of this
store's administrator group/user can perform admin functions via the OAM console.
Default Store: the identity store used at patching time for migration purposes, or by the Oracle Security
Token Service.
The security mode tells OAM which type of communication to use with the WebGate for SSO. Open mode is
the default mode in OAM.
OAM supports the notion of a host identifier, instead of having policy authors use full URLs, because a single
web resource may be accessible through any number of hostnames.
A reverse proxy provides architectural flexibility and can enable you to expose the same application on the
intranet and the extranet without requiring any changes to the application already deployed.
You can protect all Web content from a single logical component by directing all requests through the proxy.
This is true even for platforms that are not supported by Oracle Access Manager. If you have different types of
Web servers, for example, iPlanet, Apache, and so on, on different platforms, for example, MacOS, Solaris x86,
mainframe and so on, all content on these servers can be protected.
A reverse proxy can be a workaround for unsupported Web servers, eliminating the need to write custom
AccessGates for unsupported Web servers or for platforms where there is no AccessGate support.
You can install a WebGate on only the reverse proxy, rather than on every Web server.
This creates a single management point. You can manage the security of all of the Web servers through the
reverse proxy without establishing a footprint on the other Web servers.
Oracle Access Manager enables administrators to create a web of trust in which a user's credentials are verified
once and are provided to each application the user runs. Using these credentials, the application does not need to
re-authenticate the user with its own mechanism.
Application single sign-on allows users who have been authenticated by Oracle Access Manager to access
applications without being re-authenticated.
• Using Cookies: A specific value is set on the browser's cookie that the application must extract to identify
a user.
• Using Header Variables: An HTTP header set on the request by the agent and visible to the application.
Header response values are inserted into a request by an OAM Agent, and can only be applied on Web servers
that are protected by an agent registered with OAM 11g. If the policy includes a redirect URL that is hosted by a
Web server not protected by OAM, header responses are not applied.
The Access System implements single-domain and multi-domain single sign-on through an encrypted cookie
called the ObSSOCookie. The WebGate sends the ObSSOCookie to the user's browser upon successful
authentication. This cookie can then act as an authentication mechanism for other protected resources that require
the same or a lower level of authentication.
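The decision flow that the host identifier, resource policy, header variable and ObSSOCookie sections above describe, as one added example in Python that is not Oracle's code: a host identifier covering several hostname:port variations, public and protected resource policies with a required authentication level, the action an agent takes depending on whether the session cookie's level is high enough for the resource, and the header variables the agent sets on the forwarded request. The host identifier name, hostname variations, URL patterns, policy table, session records and header names (OAM_REMOTE_USER and OAM_AUTH_LEVEL) are constructed assumptions, and "most specific pattern wins" is approximated by the longest matching pattern.

```python
"""Toy model of OAM-style access decisions: host identifiers, resource
patterns, public vs protected resources, the authentication level carried by a
session cookie, and the header variables an agent forwards.

Added example, not Oracle Access Manager code. Host identifier, hostname
variations, URL patterns, policies, sessions and header names are constructed
for illustration; the matching rules are simplified.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# A host identifier groups every host:port variation under which the same web
# resource is reachable, so a policy is written once, not once per hostname.
HOST_IDENTIFIERS = {
    "IntranetApp": {"app.corp.example:80", "app.corp.example:443",
                    "app:80", "10.0.0.5:80"},
}

# Resource policies: (host identifier, URL pattern, kind, required auth level).
# Public resources need no authentication; protected ones need a session whose
# level is at least the required level.
POLICIES = [
    ("IntranetApp", "/public/*", "public", 0),
    ("IntranetApp", "/hr/*", "protected", 3),
    ("IntranetApp", "/*", "protected", 2),
]


def resolve_host_identifier(url):
    """Map the host:port of a request URL to a host identifier, or None."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    key = "%s:%d" % (parts.hostname, port)
    for name, variations in HOST_IDENTIFIERS.items():
        if key in variations:
            return name
    return None


def find_policy(url):
    """Return the most specific policy covering the URL, or None."""
    host_id = resolve_host_identifier(url)
    if host_id is None:
        return None
    path = urlsplit(url).path or "/"
    matches = [p for p in POLICIES
               if p[0] == host_id and fnmatchcase(path, p[1])]
    return max(matches, key=lambda p: len(p[1])) if matches else None


def evaluate(url, session):
    """Agent decision for a request.

    session is None when the browser presents no SSO cookie, otherwise a dict
    {"user": ..., "level": int} taken from an already-validated cookie.
    Returns "allow", "challenge", "step-up" or "deny".
    """
    policy = find_policy(url)
    if policy is None:
        return "deny"        # no host identifier or no policy: fail closed
    _, _, kind, level = policy
    if kind == "public":
        return "allow"
    if session is None:
        return "challenge"   # redirect to the authentication scheme
    if session["level"] < level:
        return "step-up"     # cookie level too low for this resource
    return "allow"           # resource needs the session's level or lower


def header_responses(session, request_headers):
    """Headers the agent forwards to the application for an allowed request.

    Any identity header the client supplied itself is dropped first, so the
    application only ever sees values the agent set from the session.
    """
    forwarded = {k: v for k, v in request_headers.items()
                 if not k.upper().startswith("OAM_")}
    if session is not None:
        forwarded["OAM_REMOTE_USER"] = session["user"]
        forwarded["OAM_AUTH_LEVEL"] = str(session["level"])
    return forwarded


if __name__ == "__main__":
    jdoe = {"user": "jdoe", "level": 2}
    for url, sess in [("http://app/public/logo.png", None),
                      ("https://app.corp.example/hr/payroll", None),
                      ("https://app.corp.example/hr/payroll", jdoe),
                      ("http://10.0.0.5/home", jdoe),
                      ("http://evil.example/home", jdoe)]:
        print(url, "->", evaluate(url, sess))
    print(header_responses(jdoe, {"OAM_REMOTE_USER": "admin", "Accept": "*/*"}))
```

Two points are worth noting in this model: a request for a host that maps to no host identifier is denied rather than passed through, and any OAM_-prefixed header the client sent itself is discarded before the agent sets its own, which is why header variables are only trustworthy on servers that sit behind a registered agent.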
It shows the number of servers on which Oracle Access Manager is installed. If OAM is installed in a cluster or
High Availability environment, two server instances are shown.
The WebGate agent contains the configuration details of the WebGate, which are used by the Access Manager server.
1. LDAP
LDAP (Lightweight Directory Access Protocol) is widely used for authentication and authorization purposes.
It is supported on almost every platform and can be adopted easily in any application because it is an open
protocol.
It plays an important role in developing intranet and Internet applications by allowing the sharing of
information about users, systems, networks, services, and applications throughout the network.
A common usage of LDAP is to provide "single sign-on", where one password for a user is shared
between many services.
2. Examples of LDAP
OID
AD
OUD
Open LDAP
Apache Directory Server
3. OID and AD sync
They can be synced using DIP (Directory Integration Platform)
4. Operations:
StartTLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
Bind — authenticate and specify LDAP protocol version
Search — search for and/or retrieve directory entries
Compare — test if a named entry contains a given attribute value
Add a new entry
Delete an entry
Modify an entry
Modify Distinguished Name (DN) — move or rename an entry
Abandon — abort a previous request
Extended Operation — generic operation used to define other operations
Unbind — close the connection (not the inverse of Bind)
5. Schema
Schema defines the rules for storing the user information in Attributes. It lays out the structure for the
attributes.
The schema defines the rules for which attributes may be used in an entry, the kinds of values that
those attributes may have, and how clients may interact with those values.
The contents of the entries in a subtree are governed by a directory schema, a set of definitions and
constraints concerning the structure of the directory information tree (DIT).
The schema of a Directory Server defines a set of rules that govern the kinds of information that the
server can hold. It has a number of elements, including:
6. Attributes
7. LDIF
LDIF (Lightweight Directory Interchange Format) is an ASCII file format used to exchange data and
enable the synchronization of that data between Lightweight Directory Access Protocol (LDAP) servers
called Directory System Agents (DSAs).
8. LDAP Attributes
Each node in the DIT can use different types of attributes for storing information.
The following are some of the frequently used attributes:
10. Object Class
An objectClass is a collection of attributes (or an attribute container) and has the following
characteristics:
of organizationalPerson, which is the child of person, which is the child of top (the
ABSTRACT objectClass which terminates every objectClass hierarchy).
An objectclass has a globally unique name or identifier.
An objectclass, as well as being an attribute container, is also an attribute and can
appear in a search operation.
An objectclass defines its member attributes and whether these MUST be present
(mandatory) or MAY be present (optional) in an entry.
An objectclass may form part of a hierarchy, in which case it inherits all the
properties of its parent.
One or more objectclass(es) must be present in an LDAP entry.
One and only one STRUCTURAL objectclass must be present in an LDAP entry.
Each objectclass supported by an LDAP server forms part of
a collection called objectclasses, which can be discovered via the subschema.
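Both the LDIF format described above and the objectClass rules in this section, as one added example in Python that is not from the page or any LDAP product: a small LDIF parser (folded lines, base64 values, comments, blank-line separators) and a validator that expands each entry's objectClass inheritance, enforces MUST/MAY attributes, and checks that the STRUCTURAL classes form exactly one chain. The LDIF text is constructed, and SCHEMA is a simplified subset of the standard classes with abbreviated attribute lists.

```python
"""Parse a small LDIF fragment and check each entry against a toy schema.
Added example, not from the page or any LDAP product: SAMPLE_LDIF is constructed
and SCHEMA is a simplified subset of the standard objectClasses."""
import base64

# Constructed sample: two entries, one base64 value ("::") and one folded line.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
sn: Doe
description:: aGVsbG8gd29ybGQ=
telephoneNumber: +1 555
 0100

# two unrelated STRUCTURAL classes, and the mandatory sn is missing
dn: cn=twochains,ou=people,dc=example,dc=com
objectClass: person
objectClass: organizationalUnit
cn: twochains
ou: people
"""

# name -> (kind, parent, MUST attributes, MAY attributes)
SCHEMA = {
    "top": ("ABSTRACT", None, {"objectclass"}, set()),
    "person": ("STRUCTURAL", "top", {"sn", "cn"}, {"userpassword", "telephonenumber", "description"}),
    "organizationalperson": ("STRUCTURAL", "person", set(), {"title", "ou"}),
    "inetorgperson": ("STRUCTURAL", "organizationalperson", set(), {"uid", "mail"}),
    "organizationalunit": ("STRUCTURAL", "top", {"ou"}, {"description"}),
}

def parse_ldif(text):
    """Return entries as {"<attr>": [values]} with lower-cased attribute names."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if current is None:
            current = {}
        current.setdefault(name.strip().lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries

def ancestors(oc):
    chain = []                                # oc, its parent, ... up to top
    while oc is not None:
        chain.append(oc)
        oc = SCHEMA[oc][1]
    return chain

def validate_entry(entry):
    """Return a list of schema violations; an empty list means the entry is valid."""
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if not classes or any(c not in SCHEMA for c in classes):
        return ["missing or unknown objectClass"]
    expanded = set()                          # each class inherits its parents
    for c in classes:
        expanded.update(ancestors(c))
    structural = [c for c in expanded if SCHEMA[c][0] == "STRUCTURAL"]
    # exactly one structural chain: only one structural class may lack a more-derived one
    leaves = [c for c in structural
              if not any(o != c and c in ancestors(o) for o in structural)]
    problems = []
    if len(leaves) != 1:
        problems.append("expected exactly one structural objectClass chain, found %d" % len(leaves))
    must, may = set(), set()
    for c in expanded:
        must |= SCHEMA[c][2]
        may |= SCHEMA[c][3]
    present = {k for k in entry if k != "dn"}
    problems += ["missing mandatory attribute: " + a for a in sorted(must - present)]
    problems += ["attribute not allowed: " + a for a in sorted(present - must - may)]
    return problems

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        print(e["dn"][0], "->", validate_entry(e) or "OK")
```

The second entry is rejected for two reasons: person and organizationalUnit are both STRUCTURAL but neither inherits from the other, and sn, which person marks MUST, is absent. The first entry lists person, organizationalPerson and inetOrgPerson, all STRUCTURAL, yet passes, because they form a single inheritance chain; that is what "one and only one STRUCTURAL objectclass" means in practice.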