OAM INTERVIEW QUESTIONS December 2, 2013

1. What is SSO
2. What is Authentication
3. What is Authorization
4. What are Authentication Policies in OAM
5. What are Authorization Policies in OAM
6. Authentication Module
7. Authorization Modules
8. What is Webgate
9. What is OHS
10. What is IIS
11. What is Access Gate
12. What is Identity Store
13. Different Types of Identity Store
14. What is Security Mode in OAM
15. Different Types of Security Mode present in OAM
16. What is Protected Resource Policy
17. What is Public Resource Policy
18. What is Webgate Agent
19. Describe the different types of process to register any webgate agent
20. What are Host Identifiers
21. Explain the Architecture of OAM in High Availability
22. Explain the process of protecting any Web Application using OAM for SSO
23. How can you enable SSO between OIM and OAM
24. Describe Reverse Proxy
25. What are Header Variables
26. What is the use of Header Variables
27. What is the ObSSOCookie

1. What is SSO

Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password
in order to access multiple applications. The process authenticates the user for all the applications they have
been given rights to and eliminates further prompts when they switch applications during a particular session.

Overview
• Provides users with unified sign-on and authentication across all their enterprise resources, including
desktops, client-server, custom, and host-based mainframe applications
• Provides a centralized framework for security and compliance enforcement
• Eliminates the need for multiple usernames and passwords
• Helps enforce strong password and authentication policies
• Uses any LDAP directory, Active Directory, or any SQL database server as its user profile and credential
repository

Benefits
• Reduces deployment risk and operational costs
• Allows enterprises to provide fast, secure access to applications for employees and partners
• Eliminates the overhead and limitations of traditional desktop client deployment
• Seamlessly integrates with Oracle Identity Management for common security policy enforcement and
compliance reporting across applications

2. What is Authentication

Created By: Ritesh Maddala Page 1


Authentication is the process of identifying an individual, usually based on a username and password. In security
systems, authentication is distinct from authorization, which is the process of giving individuals access to system
objects based on their identity. Authentication ensures that the individual is who he or she claims to be, but says
nothing about the access rights of the individual.

3. What is Authorization

After authentication, the process of granting or denying access to a network resource is called authorization.
Most computer security systems are based on a two-step process. The first stage is authentication, which ensures
that a user is who he or she claims to be. The second stage is authorization, which allows the user access to
various resources based on the user's identity.

4. What are Authorization Policies in OAM

Authorization is the process of determining if a user has a right to access a requested resource.

Administrators can create one or more authorization policies to specify the conditions under which a subject or
identity has access to a resource. A user might want to see data or run an application program protected by a
policy. The requested resource must belong to an application domain and be covered within that domain by a
specific authorization policy.

5. Authentication Modules

An authentication module can be thought of as the component in which user authentication actually takes
place.

It is the smallest executable unit of an authentication scheme. Several pre-defined modules are provided, and
each module contains standard plug-ins. The authentication module determines the exact procedure to be
followed and the method for challenging the user for credentials.

6. Authentication Scheme

An authentication scheme defines which type of authentication module will be used for authentication.

It is a named component that defines the challenge mechanism, level of trust, and the underlying
authentication module required to authenticate a user. It also contains some general information about itself.
Authentication schemes are defined globally, to ensure that a small number of Security Administrators define
them in a consistent, secure way. There are several default authentication schemes provided with Oracle Access
Manager 11g.

7. Authentication Policies

Authentication Policy defines the level of protection. Authentication policies specify the authentication
methodology to be used for authenticating the user for whom the access must be provided on a given resource.
Policies define the way in which the resource access is to be protected.

After a policy has been evaluated, two standard actions are performed:

• The result is returned
• The user is shown something based on that result: either the requested URL (on Success, allow) or the
URL of a generic error page (on Failure, deny)

Either or both results can be overridden on a policy-by-policy basis.

8. Resource Types

A resource type describes the kind of resource to be protected.

Each resource is defined using a single resource type. However, you can define any number of resources using
that type.

Before you can add resources to an application domain for protection, their resource type must be defined.
Administrators typically use the default resource type, HTTP, but non-HTTP types can be defined.

When adding a resource to an application domain, administrators must choose from a list of defined Resource
Types, then enter a specific URL. For HTTP type resources, include a host identifier. For non-HTTP resource
types, use the type name.

The default resource type, HTTP, is used with HTTP and HTTPS protocols. Operations associated with the HTTP
resource type need not be defined by an administrator. Instead, policies developed and applied to the resource
apply to all operations.

When adding an HTTP type resource to an application domain, administrators must choose from a list of existing
host identifiers and add the resource URL.

Administrators can define a resource type for non-HTTP resources. Non-HTTP resource types have no associated
host identifier. When adding non-HTTP resources to an application domain, administrators must enter the type
name into the Resource URL field as a pointer. The name cannot match any host Identifier (and vice versa). This
is not a relative HTTP URL.


For instance, a non-HTTP resource type named wl_authen is available to use with resources deployed in a
WebLogic container. Resources of type wl_authen require a custom AccessGate. The protected resource is
accessed using its URL on the Oracle WebLogic Server.

9. What is Oracle Webgate?

An Oracle WebGate is a Web server plug-in that is shipped out-of-the-box with Oracle Access Manager.
The WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for
authentication and authorization.

10. What is OHS

Oracle HTTP Server is the Web server component for Oracle Fusion Middleware. It provides a listener for Oracle
WebLogic Server and the framework for hosting static pages, dynamic pages, and applications over the Web.

Oracle HTTP Server can also be a proxy server, both forward and reverse. A reverse proxy enables content
served by different servers to appear as if coming from one server.

Oracle HTTP Server 11g, Release 1 (11.1.1.4.0) is based on Apache HTTP Server 2.2.15 (with critical bug fixes
from higher versions) infrastructure, and includes modules developed specifically by Oracle. The features of
single sign-on, clustered deployment, and high availability enhance the operation of the Oracle HTTP Server.
Oracle HTTP Server has the following components to handle client requests:

• HTTP listener, to handle incoming requests and route them to the appropriate processing utility.
• Modules (mods), to implement and extend the basic functionality of Oracle HTTP Server. Many of the
standard Apache modules are included with Oracle HTTP Server. Oracle also includes several modules
that are specific to Oracle Fusion Middleware to support integration between Oracle HTTP Server and
other Oracle Fusion Middleware components.
• Perl interpreter, a persistent Perl runtime environment embedded in Oracle HTTP Server
through mod_perl.

Oracle HTTP Server enables developers to program their site in a variety of languages and technologies, such as
the following:

• Perl (through mod_perl and CGI)
• C (through CGI and FastCGI)
• C++ (through FastCGI)
• PHP (through mod_php)
• Oracle PL/SQL

11. What is IIS

Internet Information Services (IIS, formerly Internet Information Server) is an extensible web server created
by Microsoft for use with the Windows NT family. IIS supports HTTP, HTTPS, FTP, FTPS, SMTP and NNTP. It
has been an integral part of the Windows NT family since Windows NT 4.0, though it may be absent from some
editions (e.g. Windows XP Home edition). IIS is not turned on by default when Windows is installed. The IIS
Manager is accessed through the Microsoft Management Console or Administrative Tools in the Control Panel.

12. What is Identity Store

An identity store is a store containing enterprise users and groups. WebLogic comes with an embedded LDAP
server, which Fusion Middleware components use as the identity store by default. You can configure external
LDAP servers, such as OID or AD, to be used as identity stores.


13. Different Types of Identity Store

• System Store: the identity store holding the groups or users that act as "Administrators" of OAM; only
members of this store's group/user can perform admin functions via the OAM console.
• Default Store: the identity store used at patching time for migration purposes, or by the Oracle Security
Token Service.

14. What is Security Mode in OAM

The security mode tells OAM which type of communication to use with the WebGate for SSO. Open mode is
the default mode in OAM.

15. Different Types of Security Mode present in OAM

There are three types of security mode available in OAM:

• OPEN: WebGate to OAM Access Server communication in clear text
• SIMPLE: secure communication between WebGate and OAM Access Server using self-signed certificates
provided by the OAM server
• CERT: secure communication between WebGate and OAM Access Server using certificates signed by a
Certificate Authority (CA)

16. What is Protected Resource Policy

17. What is Public Resource Policy

18. Describe the different types of process to register any webgate agent

19. What are Host Identifiers

Host Identifiers represent hostnames or groups of hostnames in OAM policies.

OAM supports the notion of a host identifier, rather than having policy authors use full URLs, because a single
web resource may be accessible through any number of hostnames.

20. Explain the Architecture of OAM in High Availability

21. Explain the process of protecting any Web Application using OAM for SSO

22. How can you enable SSO between OIM and OAM

23. Describe Reverse Proxy

A reverse proxy provides architectural flexibility and can enable you to expose the same application on the
intranet and the extranet without requiring any changes to the application already deployed.

You can protect all Web content from a single logical component by directing all requests through the proxy.

This is true even for platforms that are not supported by Oracle Access Manager. If you have different types of
Web servers, for example, iPlanet, Apache, and so on, on different platforms, for example, MacOS, Solaris x86,
mainframe and so on, all content on these servers can be protected.

A reverse proxy can be a workaround for unsupported Web servers, eliminating the need to write custom
AccessGates for unsupported Web servers or for platforms where there is no AccessGate support.



You can install a WebGate on only the reverse proxy, rather than on every Web server.

This creates a single management point. You can manage the security of all of the Web servers through the
reverse proxy without establishing a footprint on the other Web servers.

24. What are Header Variables

Header Variable carries

Oracle Access Manager enables administrators to create a web of trust in which a user's credentials are verified
once and are provided to each application the user runs. Using these credentials, the application does not need to
re-authenticate the user with its own mechanism.

Application single sign-on allows users who have been authenticated by Oracle Access Manager to access
applications without being re-authenticated.

There are two ways to send a user's credentials:

• Using Cookies: A specific value is set on the browser's cookie that the application must extract to identify
a user.
• Using Header Variables: An HTTP header set on the request by the agent and visible to the application.

[Figure: Authorization Policy Response in the Administration Console]

Header response values are inserted into a request by an OAM Agent, and can only be applied on Web servers
that are protected by an agent registered with OAM 11g. If the policy includes a redirect URL that is hosted by a
Web server not protected by OAM, header responses are not applied.

25. What is the ObSSOCookie

The Access System implements single-domain and multi-domain single sign-on through an encrypted cookie
called the ObSSOCookie. The WebGate sends the ObSSOCookie to the user's browser upon successful
authentication. This cookie can then act as an authentication mechanism for other protected resources that require
the same or a lower level of authentication.
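As an added illustration (not code from the document or from Oracle), the following Python model ties together sections 7, 8, 19 and 25: a request URL is mapped to a host identifier through its hostname variations, then to the most specific HTTP resource, and the session's existing authentication level is compared with the level the resource's scheme requires. The resource matching uses a simple path-prefix rule instead of OAM's URL patterns, and denying a request that matches no policy is an assumption of this toy, not documented OAM behaviour.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

ERROR_PAGE = "/oamerror.html"   # constructed placeholder for the generic error page

# Constructed sample host identifier: one name, many hostname/port variations.
HOST_IDENTIFIERS = {"AppHost": {"app.example.com", "app.example.com:80", "app:80"}}


@dataclass
class Resource:
    host_id: str        # host identifier name (HTTP resource type)
    url_prefix: str     # simplified: prefix match instead of OAM's URL patterns
    auth_level: int     # level of the authentication scheme protecting it; 0 = public


# Constructed sample resources (not real OAM configuration).
RESOURCES = [Resource("AppHost", "/public", 0),
             Resource("AppHost", "/", 1),
             Resource("AppHost", "/admin", 2)]


def canonical_host(netloc: str, scheme: str) -> str:
    """Normalise host[:port] so 'App.Example.COM', 'app.example.com:80' and
    'app.example.com' (over http) all compare equal."""
    netloc = netloc.strip().lower()
    if ":" in netloc:
        name, port = netloc.rsplit(":", 1)
    else:
        name, port = netloc, ("443" if scheme == "https" else "80")
    return f"{name}:{port}"


def host_identifier_for(url: str, host_ids=HOST_IDENTIFIERS):
    """Map the hostname the client used to the host identifier it is a variation of."""
    parts = urlsplit(url)
    wanted = canonical_host(parts.netloc, parts.scheme)
    for name, variations in host_ids.items():
        if wanted in {canonical_host(v, parts.scheme) for v in variations}:
            return name
    return None            # hostname is not a variation of any host identifier


def resource_for(url: str, resources=RESOURCES):
    """Most specific resource (longest matching prefix) under the matching host identifier."""
    hid = host_identifier_for(url)
    if hid is None:
        return None
    path = urlsplit(url).path
    hits = [r for r in resources if r.host_id == hid and path.startswith(r.url_prefix)]
    return max(hits, key=lambda r: len(r.url_prefix), default=None)


def evaluate(url: str, session_level: int) -> tuple:
    """The two standard actions: ('allow', requested URL) on success, ('deny', error page)
    on failure, or ('challenge', level) when the ObSSOCookie session's level is below
    the level required by the resource's scheme (step-up authentication)."""
    res = resource_for(url)
    if res is None:
        return ("deny", ERROR_PAGE)   # assumption in this toy: no matching policy -> deny
    if session_level >= res.auth_level:
        return ("allow", url)
    return ("challenge", res.auth_level)
```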

26. Server Instances

This shows the number of servers on which Oracle Access Manager is installed. If OAM is installed in a clustered
or High Availability environment, two server instances will be shown.


27. What is Webgate Agent

A WebGate agent holds the configuration details of a WebGate, which are used by the Access Manager server.

Some Information On LDAP:

1. LDAP

LDAP (Lightweight Directory Access Protocol) is widely used for authentication and authorization purposes,
is supported on almost every platform, and can be adopted easily in any application because it is an open
protocol.

It follows a hierarchical structure.

It plays an important role in developing intranet and Internet applications by allowing the sharing of
information about users, systems, networks, services, and applications throughout the network.

A common usage of LDAP is to provide "single sign on", where one password for a user is shared between
many services.


2. Examples of LDAP

• OID
• AD
• OUD
• OpenLDAP
• Apache Directory Server

3. OID and AD sync

They can be synced using DIP (Directory Integration Platform).

4. Operations:

• StartTLS — use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
• Bind — authenticate and specify LDAP protocol version
• Search — search for and/or retrieve directory entries
• Compare — test if a named entry contains a given attribute value
• Add a new entry
• Delete an entry
• Modify an entry
• Modify Distinguished Name (DN) — move or rename an entry
• Abandon — abort a previous request
• Extended Operation — generic operation used to define other operations
• Unbind — close the connection (not the inverse of Bind)

5. Schema

The schema defines the rules for storing user information in attributes; it lays out the structure of the
attributes.

The schema defines the rules for which attributes may be used in an entry, the kinds of values that
those attributes may have, and how clients may interact with those values.

The contents of the entries in a subtree are governed by a directory schema, a set of definitions and
constraints concerning the structure of the directory information tree (DIT).

The schema of a Directory Server defines a set of rules that govern the kinds of information that the
server can hold. It has a number of elements, including:

6. Attributes

Attributes are the elements responsible for storing information in a directory

7. LDIF

LDIF (LDAP Data Interchange Format) is an ASCII file format used to exchange data and enable the
synchronization of that data between Lightweight Directory Access Protocol (LDAP) servers, called Directory
System Agents (DSAs).
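As an added example (not from the document), a minimal Python parser for the LDIF format just described; the sample LDIF is constructed for the example. It handles the details a hand-rolled reader usually gets wrong: folded continuation lines, base64 values introduced by "::", and blank-line-separated entries.

```python
import base64

# Constructed sample LDIF (not from the document). Note the folded 'description'
# value: a continuation line starts with a space, and only that first space is removed,
# so the second space below survives as the word separator.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Doe
sn: Doe
uid: jdoe
description: a long value that has been folded
  across two lines
mail:: amRvZUBleGFtcGxlLmNvbQ==

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=jdoe,ou=People,dc=example,dc=com
"""


def unfold(text: str) -> list:
    """Join continuation lines: a line beginning with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Return the entries as a list of dicts mapping attribute name -> list of values."""
    entries, current = [], {}
    for line in unfold(text) + [""]:         # trailing "" flushes the last entry
        if not line.strip():                 # a blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):             # comment line
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # 'attr:: <base64>' carries a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip(), []).append(value)
    return entries
```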


8. LDAP Attributes

Each node in the DIT can use different types of attributes to store information. The following are some of the
frequently used attributes:

• dc: domain component
• o: organization
• ou: organizational unit
• cn: common name
• sn: surname
• uid: user id
• l: location
• st: status
• c: country
9. LDAP Acronyms

• DIT: Directory Information Tree - A DIT is a hierarchical tree structure which has Distinguished Names
(DNs) for directory service entries, i.e. users, resources, departments, etc.
• LDIF: LDAP Data Interchange Format - A simple data format that can be used for representing information
stored in the DIT. LDIF is commonly used for export and import operations on the DIT.
• DN: Distinguished Name - A unique identifier for each entry in the DIT. A DN is composed of a series of
RDNs found by walking up the directory tree.
• RDN: Relative Distinguished Name - A relative distinguished name (RDN) represents a single node of a
DN. Thus if you combine the RDNs walking up the DIT you can form the DN.
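An added Python example (not part of the document) of the DN/RDN relationship described above: a DN is split into its RDNs, the ancestor DNs are produced by walking up the tree, and a subtree check is derived from that. The sample DN is constructed and contains an escaped comma, which naive splitting on "," gets wrong.

```python
def split_rdns(dn: str) -> list:
    """Split a DN into its RDNs, leftmost (most specific) first.
    A comma escaped as backslash-comma inside a value is part of the value, not a separator."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends the current RDN
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def parent_dns(dn: str) -> list:
    """Walk up the DIT: each ancestor DN is formed by dropping the leftmost RDN."""
    rdns = split_rdns(dn)
    return [",".join(rdns[i:]) for i in range(1, len(rdns))]


def rdn_parts(rdn: str) -> tuple:
    """Split an RDN such as 'OU=Sales' into its attribute type (lower-cased) and value."""
    name, _, value = rdn.partition("=")
    return name.strip().lower(), value.strip()


def is_under(dn: str, base: str) -> bool:
    """True if 'dn' is 'base' itself or lies beneath it in the tree.
    Attribute types compare case-insensitively; values are compared as written."""
    d = [rdn_parts(r) for r in split_rdns(dn)]
    b = [rdn_parts(r) for r in split_rdns(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```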

10. Object Class

An objectClass is a collection of attributes (or an attribute container) and has the following
characteristics:

• An objectclass is defined within a schema.
• An objectclass may be a part of an objectclass hierarchy, in which case it inherits all the properties of its
parents. For example, inetOrgPerson is the child of organizationalPerson, which is the child of person, which
is the child of top (the ABSTRACT objectClass which terminates every objectClass hierarchy).
• An objectclass has a globally unique name or identifier.
• An objectclass, as well as being an attribute container, is also an attribute and can appear in a search
operation.
• An objectclass defines its member attributes and whether these MUST be present (mandatory) or MAY be
present (optional) in an entry.
• An objectclass may form part of a hierarchy, in which case it inherits all the properties of its parent.
• One or more objectclass(es) must be present in an LDAP entry.
• One and only one STRUCTURAL objectclass must be present in an LDAP entry.
• Each objectclass supported by an LDAP server forms part of a collection called objectclasses which can be
discovered via the subschema.
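An added Python example (not from the document) that applies the objectClass rules above to an entry: MUST and MAY attributes are inherited up the chain to top, exactly one structural class (one inheritance chain) must be present, and mandatory attributes must be filled in. The schema fragment is a constructed, simplified subset of the standard person classes, not a complete schema.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                  # "ABSTRACT", "STRUCTURAL" or "AUXILIARY"
    superior: Optional[str]    # parent class; None only for 'top'
    must: frozenset            # mandatory attributes (lower-cased)
    may: frozenset             # optional attributes (lower-cased)


# Constructed, simplified schema fragment (attribute lists are not complete).
SCHEMA = {oc.name.lower(): oc for oc in [
    ObjectClass("top", "ABSTRACT", None, frozenset({"objectclass"}), frozenset()),
    ObjectClass("person", "STRUCTURAL", "top", frozenset({"sn", "cn"}),
                frozenset({"userpassword", "telephonenumber"})),
    ObjectClass("organizationalPerson", "STRUCTURAL", "person", frozenset(),
                frozenset({"title", "ou", "l"})),
    ObjectClass("inetOrgPerson", "STRUCTURAL", "organizationalPerson", frozenset(),
                frozenset({"uid", "mail"})),
    ObjectClass("organizationalUnit", "STRUCTURAL", "top", frozenset({"ou"}),
                frozenset({"l", "description"})),
    ObjectClass("posixAccount", "AUXILIARY", "top",
                frozenset({"uid", "uidnumber", "gidnumber", "homedirectory"}),
                frozenset({"loginshell"})),
]}


def chain(name: str) -> list:
    """The class and every ancestor up to top, e.g. inetOrgPerson -> ... -> top."""
    out = []
    while name is not None:
        oc = SCHEMA[name.lower()]
        out.append(oc)
        name = oc.superior
    return out


def validate(entry: dict) -> list:
    """Return the schema problems of an entry ({attr: [values]}); an empty list means valid."""
    entry = {k.lower(): v for k, v in entry.items()}
    attrs = {k for k, v in entry.items() if v}
    problems, classes = [], []
    for name in entry.get("objectclass", []):
        if name.lower() in SCHEMA:
            classes.append(SCHEMA[name.lower()])
        else:
            problems.append(f"unknown objectClass {name}")
    structural = [oc for oc in classes if oc.kind == "STRUCTURAL"]
    # Listed structural classes must form one inheritance chain: exactly one of them
    # is not an ancestor of another listed one, and that one is the entry's structural class.
    leaves = [oc for oc in structural if not any(oc in chain(o.name)[1:] for o in structural)]
    if len(leaves) != 1:
        problems.append(f"expected one structural objectClass, found {[o.name for o in leaves]}")
    inherited = {oc.name: oc for c in classes for oc in chain(c.name)}   # with ancestors
    must = {a for oc in inherited.values() for a in oc.must}
    may = {a for oc in inherited.values() for a in oc.may}
    problems += [f"missing mandatory attribute {a}" for a in sorted(must - attrs)]
    problems += [f"attribute {a} not allowed by any objectClass" for a in sorted(attrs - must - may)]
    return problems
```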
