• Find us:
    +1-669-900-5138   |   +44-203-372-5553
  • Free Newsletter

    Get Latest Updates

  • Make Training Enquiry


  • Categories

  • Archive

  • Oracle Access Manager Questions & Answers

    Posted by "" in "idm, InterviewQs, oam, security, Session, sso" on 2010-02-25

    Share on FacebookTweet about this on TwitterShare on Google+Share on LinkedInPin on PinterestEmail this to someone

    Hi all,

    Here I am going to post OAM questions and answers.

    Oracle Access Manager is a state-of-the-art solution for both centralized identity management and access control, providing an integrated standards-based solution that delivers authentication, web single sign-on, access policy creation and enforcement, user self-registration and self-service, delegated administration, reporting, and auditing.    

    Q: What is Single Sign On?
    A: Single Sign-On allows users to sign on once to a protected application and gain access to the other protected resources within the same domain defined with same authentication level.

    Q: What is multi domain Single Sign-On?
    A:  Multi Domain SSO gives users the ability to access more than one protected resource (URL and Applications), which are scattered across multiple domains with one time authentication.

    Q: What is the authentication mechanism used by Oracle Access Manager?
    A: ObSSOCookie and it is stateless.

    Q: Explain various security modes present in Oracle Access Manager?
    Open: Allows unencrypted communication. In Open mode, there is no authentication or encryption between the AccessGate and Access Server. The AccessGate does not ask for proof of the Access Server’s identity and the Access Server accepts connections from all AccessGates. Similarly, Identity Server does not require proof of identity from WebPass.
    Simple: Supports encryption by Oracle. In Simple mode communications between Web clients (WebPass and Identity Server, Policy Manager and WebPass, and Access Server and WebGate are encrypted using TLS v1. In both Simple and Cert mode, Oracle Access Manager components use X.509 digital certificates only. This includes Cert Authentication between WebGates and the Access Server where the standard cert-decode plug-in  decodes the certificate and passes certificate information to the standard credential_mapping authentication plug-in. For each public key there exists a corresponding private key that Oracle Access Manager stores in the aaa_key.pem file for the Access Server (or ois_key.pem for Identity Server).
    Cert: Requires a third-party certificate. Use Cert (SSL) mode if you have an internal Certificate Authority (CA) for processing server certificates. In Cert mode, communication between WebGate and Access Server, and Identity Server and WebPass are encrypted using Transport Layer Security, RFC 2246 (TLS v1).

    Q: Explain the architecture of Oracle Access Manager?
    A: Oracle Access Manager architecture mainly consists for components such as Identity Server, WebPass, Policy Manager, Access Server and a WebGate. Identity Server is a standalone C++ server which communicates directly with LDAP.
    It also receives requests and sends response to Webpass. WebPass is a web server plugin that passes info between identity server and webserver. It redirects HTTP requests from browser to Access Server, and sends Identity XML SOAP requests to Identity Server.
    Policy Manager (PMP or PAP) is a web server plugin that communicates directly with user, configuration and policy repositories. Access Server is a stand alone C++ server and is also called PDP. It receives requests from & sends responses to WebGates/AccessGates.
    It also communicates with LDAP. It answers Access Server SDK requests. WebGate (PEP) is a web server plugin that passes info between webserver and access server. It passes user authentication data to access server for processing.

    Q: What are the ObSSOCookie Contents?
    A: Cookie contains encrypted session token and non-encrypted data.
    This Encrypted Session Token consists of : DN of the authenticated user, level of auth scheme, ip address of client to which cookie was issued, time the cookie is issued, time the cookie was last updated. If the user is not idle, then cookie will get automatically updated at a fixed interval to prevent session timeout. The updated interval is the 1/4 th of idle session timeout of accessgate.
    The Unencrypted ObSSOCookie data contains cookie expiry time, domain in which cookie is valid, additional flag that determines if cookie can only be sent using SSL.

    Q: What is the key used for encrypting the ObSSOCookie?
    A: Shared Secret key. It is configured in the Identity Admin console and can be generated by the OAM administrator.

    Q: What happens if the ObSSOCookie is tampered?
    A:  When access system generates ObSSOCookie, MD-5 hash is taken from session token. So when the user is authenticated again using the cookie, the MD5 hash is compared with original cookie contents. MD-5 hash is a one-way hash, hence it cant be unencrypted. Access server compares the cookie contents with hash. If both are not same, then cookie is tampered in the interim. This cookie does not contain username and password.

    Q: What is the difference between WebGate and AccessGate?
    A: WebGate is an out-of-the-box plug-in that intercepts Web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization. An AccessGate is a custom webgate that can intercept requests of HTTP and non-HTTP resources.
    Q: What are the major parameters defined in an authentication scheme?
    A: The authentication scheme level which defines the level of the security defined for an application.

    Q: Explain the flow when a user requests for an application protected by Oracle Access Manager?
    A: The following steps describes the flow when a user makes a request to access a resource protected by the Oracle Access Manager.

    • User requests for a resource through a web browser.
    • The Webgate intercepts the requests and checks with the Access Server whether the resource is protected or not.
    • If the resource is not protected, then the user will be shown the requested resource.
    • If the resource is protected, then Access Server will check with policy manager the authentication scheme configured for that resource.
    • User will be prompted to enter their credentials as per the auth scheme defined for the resource.
    • Webgate will send the credentials to the Access Server to check it against the backend (LDAP server).
    • Upon successful authentication, Access server checks whether the user is authorized to access the resource or not.
    • If the user is authorized, then the Access Server will create the session id and passes it to the webgate. An ObSSOCookie is created and will be sent to the user browser and the user will be shown the requested resource.
    • If the user is not authorized, then an error page (if its defined in policy domain) will be shown to the user.

    Q: Explain the flow of a Multi domain Single Sign-On?
    A: Multi Domain SSO gives users the ability to access more than one protected resource (URL and Applications), which are scattered across multiple domains with one time authentication.

    • For multi domain SSO to work, Access Servers in all domains must use same policy directory.
    • Multi domain works only with web gates, not Access Gates.
    • Within each individual domain, each web gate must have same “primary HTTP cookie domain”.

    In Multi Domain SSO environment, we should designate one web server (where web gate is installed) as “Primary Authentication Server”. Primary Authentication Server acts as a central server for all authentications in multi domain environment. In general the webgate installed in the domain where Access server resides will be designated as the primary authentication server.

    Lets assume that OAM components are installed in host1.domain1.com and we will designate host1.domain1.com as the primary authentication server.
    * Host2.domain2.com with web gate (ex: webgate2) installed.
    * A resource, abc.html, is protected with Form base authentication on host1.mydomain1.com
    * A resource, xyz.html, is protected with Basic over LDAP authentication on host2.mydomain2.com.

    Following are the steps that explain how multi domain SSO works
    1. User initiates a request for a Web page from a browser.
    For instance, the request could be for host2.mydomain2/xyz.html.
    2. Webgate2 (on host2.domain2.com) sends the authentication request back through the user’s browser in  search of primary authentication server.  In this example you have designated host1.domain1.com to be the primary authentication server.
    3. The request for authentication is sent from the user’s browser to the primary authentication server, host1.domain1.com.
    This request flows to the Access Server. The user logs in with the corresponding authentication scheme and the obSSO cookie is set for host1.domain1.com. The Access Server also generates a session token with a URL that contains the obSSO Cookie.
    4. The session token and obSSOCookie are returned to the user’s browser.
    5. The session token and obSSOCookie are sent to host2.domain2.com
    6. The Web gate (webgate2) on host2.domain2.com sets the obSSOCookie for its own domain (.domain2.com) and satisfies the user’s original request for the resource host2.domain2.com/xyz.html. User gets the resource.
    7. On the same browser if user accesses the host1.domain1.com page then resource will be presented without asking credentials as obSSOCookie is already available with .domain1.com (see step 3).

    Q: What is an Access Server SDK?
    A: The Access Manager Software Developer’s Kit (SDK) enables you to enhance the access management capabilities of the Access System. This SDK enables you to create a specialized AccessGate. The Access Manager SDK creates an environment for you to build a dynamic link library or a shared object to perform as an AccessGate. You also need the configureAccessGate.exe tool to verify that your client works correctly.

    Q: What is an Identity XML?
    A: IdentityXML provides a programmatic interface for carrying out the actions that a user can perform when accessing a COREid application from a browser. For instance, a program can send an IdentityXML request to find members of a group defined in the Group Manager application, or to add a user to the User Manager.

    IdentityXML enables you to process simple actions and multi-step workflows to change user, group, and organization object profiles.
    After creating the IdentityXML request, you construct a SOAP wrapper to send the IdentityXML request to WebPass using HTTP. The IdentityXML API uses XML over SOAP. We pass IdentityXML parameters to the COREid Server using an HTTP request.This HTTP request contains a SOAP envelope.When WebPass receives the HTTP request, the SOAP envelope indicates that it is an IdentityXML request rather than the usual browser request.
    The request is forwarded to the COREid Server, where the request is carried out and a response is returned. Alternatively, you can use WSDL to construct the SOAP request. The SOAP content looks like this, SOAP envelope (with oblix namespace defined), SOAP body (with authentication details), actual request (with application name and params). The application name can be userservcenter, groupservcenter or objservcenter (for organizations).

    Q: What is an SSPI connector and its role in Oracle Access Manager integrations?
    A:  The Security Provider for WebLogic SSPI (Security Provider) ensures that only appropriate users and groups can access Oracle Access Manager-protected WebLogic resources to perform specific operations. The Security Provider also enables you to configure single sign-on between Oracle Access Manager and WebLogic resources.
    The WebLogic security framework provides Security Service Provider Interfaces (SSPIs) to protect J2EE applications. The Security Provider takes advantage of these SSPIs, enabling you to use Oracle Access Manager to protect WebLogic resources via:

    • User authentication
    • User authorization
    • Role mapping

    The Security Provider consists of several individual providers, each of which enables a specific Oracle Access Manager function for WebLogic users:
    Authenticator: This security provider uses Oracle Access Manager authentication services to authenticate users who access WebLogic applications. Users are authenticated based on their credentials, such as user name and password.
    The security provider also offers user and group management functions. It enables the creation and deletion of users and groups from the BEA WebLogic Server. It also provides single sign-on between WebGates and portals.
    Identity Asserter: Like the Authenticator, this security provider uses Oracle Access Manager authentication services to validate already-authenticated Oracle Access Manager users using the ObSSOCookie and to create a WebLogic-authenticated session.
    Authorizer: This security provider uses Oracle Access Manager authorization services to authorize users who are accessing a protected resource. The authorization is based on Oracle Access Manager policies.
    Role Mapper: This security provider returns security roles for a user. These roles are defined in Oracle Access Manager, and they are provided by Oracle Access Manager using return actions on a special authentication policy. This authentication policy contains a resource with a URL prefix of /Authen/Roles. Role Mapper maps these roles to predefined security roles in WebLogic.

    Q: Explain the integration and architecture of OAM-OAAM integration?
    A: Using these products in combination will allow you fine control over the authentication process and full capabilities of pre-/post- authentication checking against Adaptive Risk Manager models.
    The OAAM’s ASA-OAM integration involves two Oracle Access Manager AccessGates: one for fronting the Web server (a traditional WebGate) to Adaptive Strong Authenticator and one for the embedded AccessGate. The access server SDK to be installed and configureAccessGate tool to be run. The ASA bharosa files to updated with ASDK location. An application to be protected using ASA authentication scheme and to be tested for ASA landing page for login.

    Here is how the flow goes:
    1. User requests for a resource.
    2. Webgate acting in the front end for ASA application will intercept the request and will redirect to the ASA application.
    3. The user enter credentials and the Access SDK setup in the ASA application will contact the Access gate which inturn contacts the access server for validating the credentials.
    4. Upon successful authentication, access server will generate obSSOCookie and will forwards it to the browser.
    5. Then the user will be shown the requested resource.

    Q: Explain IWA mechanism in Oracle Access manager?
    A: The OAM has a feature which enables Microsoft Internet Explorer users to automatically authenticate to their Web applications using their desktop credentials. This is known as Windows Native Authentication.

    1. user logs in to the desktop machine, and local authentication is completed using the Windows Domain Administrator authentication scheme.
    2. The user opens an Internet Explorer (IE) browser and requests an Access System-protected Web resource.
    3. The browser notes the local authentication and sends a token to the IIS Web server.
    4. The IIS Web server uses the token to authenticate the user and set up the REMOTE_USER HTTP header variable that specifies the user name supplied by the client and authenticated by the server.
    5. The WebGate installed on the IIS Web server uses the hidden feature of external authentication to get the REMOTE_USER header variable value and map it to a DN for the ObSSOCookie generation and authorization.
    6. The WebGate creates an ObSSOCookie and sends it back to the browser.
    7. The Access System authorization and other processes proceed as usual.
      The maximum session timeout period configured for the WebGate is applicable to the generated ObSSOCookie.

    Q: Explain various major params defined in webgate instance profile?

    • Hostname: name of the machine hosting the access gate.
    • Maximum User Session Time: Maximum amount of time in seconds that a user’s authentication session is valid, regardless of their activity. At the expiration of this session time, the user is re-challenged for authentication. This is a forced logout. Default = 3600. A value of 0 disables this timeout setting.
    • Idle Session Time (seconds): Amount of time in seconds that a user’s authentication session remains valid without accessing any AccessGate protected resources.
    • Maximum Connections: Maximum number of connections this AccessGate can establish. This parameter is based on how many Access Server connections are defined to each individual Access Server. This number may be greater than the number allocated at any given time.
    • IPValidationException: IPValidationException is specific to WebGates. This is a list of IP addresses that are excluded from IP address validation. It is often used for excluding IP addresses that are set by proxies.
    • Maximum Client Session Time  :Connection maintained to the Access Server by the AccessGate. If you are deploying a firewall (or another device) between the AccessGate and the Access Server, this value should be smaller than the timeout setting for the firewall.
    • Failover Threshold: Number representing the point when this AccessGate opens connections to Secondary Access Servers. If you type 30 in this field, and the number of connections to primary Access Servers falls to 29, this AccessGate opens connections to secondary Access Servers.
    •  Preferred HTTP Host : Defines how the host name appears in all HTTP requests as they attempt to access the protected Web server. The host name in the HTTP request is translated into the value entered into this field regardless of the way it was defined in a user’s HTTP request.
    • Primary HTTP Cookie Domain: This parameter describes the Web server domain on which the AccessGate is deployed, for instance, .mycompany.com.
    • IPValidation: IP address validation is specific to WebGates and is used to determine whether a client’s IP address is the same as the IP address stored in the ObSSOCookie generated for single sign-on.

    Q: What is Policy Manager API?
    A:  The Policy Manager API provides an interface which enables custom applications to access the authentication, authorization, and auditing services of the Access Server to create and modify Access System policy domains and their contents.

    Q: When do you need an access gate?
    A: An access gate is required instead of a standard webgate when you need to control access to a resource where OAM doesnot provide OOTB solution. These might include:

    1. protection for non-http resources (EJB, JNDI etc.,)
    2. Implementation of SSO to protect a combination of http and non-http resources.

    A file called obAccessClient.xml is stored in the server where access gate is installed. this file contains config params entered through the configureAccessGate tool.

    Q: Explain the flow when a user makes a request protected by an access gate (not webgate)?
    A: The flow is shown below.

    • The application or servlet containing the access gate code receives resource request from the user.
    • The access gate code constructs ObResourceRequest structure and access gate contacts Access server to find whether resource is protected or not.
    • The access server responds.
    • If the resource is not protected, access gate allows user to access the resource. Otherwise..,
    • Access Gate constructs ObAuthenticationScheme structure to ask Access Server what credentials the user needs to supply.
    • The access server responds.
    • The application uses a form or some other means to fetch the credentials.
    • The AccessGate constructs ObUserSession structure which presents user details to Acc Server.
    • If credentials are proven valid, access gate creates a session token for the user and then sends an authorization request to the access server.
    • Access server validates if the user is authz to access that resource.
    • Access gate allows user to access the requested resource.

    Q: Explain how Form login works if the form login page is present in different domain from OAM?
    A: The mechanism here is same as how the multi domain SSO works. Importantly, all of the activities for form authentication are carried out between the browser and one web server.
    Now, suppose you want to access a resource http://www.B.com/pageB.html but still be authenticated by the login form on www.A.com.

    • The authentication scheme required by pageB needs to have a redirect URL set to http://www.A.com.
    • The WebGate at www.B.com redirects you to the NetPoint URL obrareq.cgi on www.A.com, with a query string that contains the original request (wu and wh).
    • The WebGate on www.A.com will determine that you need to do a form login for that resource, so it will set the ObFormLoginCookie with the wu and wh values from the query string, but will set the ru field to /obrareq.cgi. WebGate on A then redirects your browser to the login form on A.
    • When you post your credentials back to A, the ObFormLoginCookie is set back. WebGate on A authenticates your userid and password, sets the ObSSOCookie for the .A.com domain and redirects you back to the ru value from the ObFormLoginCookie, which is /obrareq.cgi.
    • This time when your browser requests http://www.A.com/obrareq.cgi, it will pass the ObSSOCookie.
    • WebGate will then redirect your browser back to the B webserver, http://www.B.com/obrar.cgi, with the cookie value and the original URL in the query string.
    • The WebGate on www.B.com will extract the cookie value and set the ObSSOCookie for domain .B.com, and finally redirect you to http://www.B.com/pageB.html that you originally requested.

    90 Responses to “Oracle Access Manager Questions & Answers”

    1. Viren says:

      Can you please let me know how would i configure SSO/OID using FMW 11G for 11i or 12i

    2. Atul Kumar says:

      @ Viren,
      Please note that 11g OID is not yet supported with 11i / R12 (however it is possible to use 11g OID with 11i/R12).

      With FMW 11g there is no OracleAS SSO so you will have to use 10.1.4.X SSO with 11g OID and rest all steps will remain same as you do with OID/SSO integration with R12/11i

      more info on 11i/r12 integration with sso/oid http://onlineappsdba.com/index.php/2007/09/13/25-things-apps-dba-should-know-for-apps-11ir12-integration-with-oidsso/

    3. Atul Kumar says:

      Mahendra ,
      Very good post on Oracle Access Manager .

    4. vipinsavai says:

      Very nice simplified and detailed explanation.

    5. Ovidiu says:

      Very nice! Thank you!

    6. Gopal says:


      Application that i work on, needs username and pwd to login into the system. User details are maintained in LDAP. Now, the new requirement is to implement SSO using OAM. Now my application has to read the authenticated token obssocookie to identify the user. Is it possible? If so, how to do that?

    7. Mahendra says:


      What is the application built with, using Java or any other technology?
      If you are using web application, then you can create policy domains in OAM and protect your resources of application. If you are using stand alone java application, then you can use Access Server SDK to communicate the Access Server.


    8. tanushree says:

      Hi Mahendra,

      Is Single Sign On for Webservices using Oracle Access manager or OWSM possible?

    9. Mahendra says:

      Hi Tanushree,

      I think it is not possible with OWSM. Also, there is no direct way to achieve SSO for web services using OAM.


    10. tanushree says:

      Hi Mahendra,

      Is it possible to develop custom access gates to protect webservices in OAM?


    11. Mahendra says:

      Hi Tanushree,

      Yes, I have tried this once. Infact I would say with basic usecase such as authentication and authorization.

      In brief, user access a web service. The custom access gate protecting it will intercept that request and will check with access server whether its protected or not. If its protected, then it will throw the login form (per say) and you will collect it and passthrough to a different page to verify with the Access Server using SDK API.

      Similarly, user checks for authorization.

      I am not sure how far this mechanism is correct, but this is what I have right now.

      Any more questions, please shoot.

      Hope this helps.

    12. mike says:

      great post, very help. I was wondering if you could add another entry clarifying the difference between WebPass and WebGate. Seems like both forward a request to the Access Server for authentication/authorization. Would I ever need to use a webgate, if I already had WebPass on a given server?

    13. Mahendra says:

      Hi Mike,

      There is no real need to mention the difference between Webpass and WebGate as they are two different components altogether. WebPass forwards the request to Identity Server (not Access Server) for identity xml calls, presentation xml calls etc., and Webgate forwards to access Server for atn and atz purposes. Suppose, if you host webpass on OHS server and you can deploy a web application on same OHS and install a webgate on this. This is perfectly OK.
      Hope this answers your qn.

    14. deepak says:

      Does OAM has its on LDAP store or for authentication it always send request to OID server/any other thrid party LDAP server?


    15. Atul Kumar says:

      @ Deepak,
      No OAM (10g) as such doesn’t come with its own integrated LDAP. You configure OAM with 1 or more LDAP servers during install time or later.

      Depending on authentication scheme (configured in Access Server) it connects to one of configured external ldap server (OID, AD, Sun Directory server) for username/password verification.

      Things may have changed in 11g OAM so stay tuned (subscribe to this blog) for changes in OAM 11g .

    16. Rajeev Sinha says:

      Thanks for posting on Oracle Access Manager. It’s good for fresher.

    17. tanushree says:

      HI Atul,

      I have a doubt regarding URL pattern in OAM.

      I need to protect urls of form, test/test1//xyz & test/test1///xyz

      i protected test/test1 and want to create a URL pattern which satisfies both the URLs. Can you please help me out in this.


    18. Joek says:

      Hi Mahendra,

      First I would like to thank you for your excellent post.
      We are currently deploying am OAM solution and we are facing some problems with the IP validation as the webgate is sitting behind a Load Balancer that is performing source natting due to Network constrains. Is there any way around this? And if not, will disabling the IP validation introduce any security risks? Our clients are coming from the Intranet and Internet.
      In case the IP validation is disabled can a rogue user copy the cookie and use it from another browser? If not what is the benefit of having the IP validation?

      Many thanks,

    19. mahendra says:

      Hi Joek,

      Oracle recommends enabling the IP Validation in webgate. However if you know some IPs where the request might come from, you can add those in the IP Validation exception list and disable the the IP Validation for all IPs. Since your case seems to have website accessed by internet and intranet users, I would suggest to turn on IP Validation. You may try to add the Load balancer IP in the exception list. It is vulnerable if you disable because most of threat comes from inside the organization.

      Hope this helps.


    20. Atul Kumar says:

      @ Joek,

      Q: In case the IP validation is disabled can a rogue user copy the cookie and use it from another browser?

      A: Yes.

      Look into configuring SSL and secure cookie (if you are concerned)

    21. Joek says:

      Hi Mahendra,

      Thanks for your quick answer. Unfortunately, all traffic from inside and from Internet is going via different Load Balancer. Therefore the only IP that the web gate sees is the physical address of the Load Balancer. If I add the IP of the load balancer to the exception list, this would be exactly like disabling IP validation. All traffic is coming from that IP.

      If the browser is behind a proxy, which IP does the PEP use to put in the cookie when creating the cookie? The IP of the browser or the IP of the proxy?

      Thanks again.

    22. Joek says:

      @ Atul,

      Thank you for your valuable feedback. So if I’m forced to disable IP validation due to the Load Balancer, is SSL and secure cookies enough to prevent someone from connecting to my critical applications? That will secure the cookie during transport, but will not prevent the cookie from being copied to another browser no?

      Thank you for your precious help.


    23. hbangwal says:


      Would you please let me know how can we pass the query string from the requested url?
      Right now we have mechanism where we are intersecting the request, OAM login page asks credentials and redirect to certain landing page. The redirection do not contains the information of query strings of original requests. How can we achieve this?


    24. mahendra says:

      Hi Hbangwal,

      I am not clear of your requirement. Anyhow, to what I understand, you want to retrieve the URL that user is requested ? If it is so, and if you are using Form Authentication, then the ObFormLogin cookie will have the URL that user is requesting.

      In your custom Landing page after OAM authentication, you can retrieve the content from ObFormLoginCookie and do the processing further.

      Hope this helps.


    25. hbangwal says:

      Hi Mahendra,
      Thanks for reply. But unfortunately after authentication the destination web application is only getting ObSSOCookie, is there any setting which will enable creation of ObFormLoginCookie?


    26. hbangwal says:

      Hi Mahendra,
      I searched and get to know that I have to set passthrough:yes and set action to an aspx page which will get the ObFormLoginCookie, but still I didn’t get the cookie, I think because both my login pages and aspx page is in different domain. Please do let me know any solution for this situation.


    27. Dev says:

      Hi Mahendra and Atul,

      Customer has a custom built J2EE Web Applications and wants to have single sign on using Oracle Access Manager version 10.1.4

      Currently customer is logging in and setting a cookie which is persistent in the user browser until the user clicks on the logout button. Until that, whenever the user clicks on the application again and again it doesnot ask for any login details.

      Now customer is asking if there is any change that needs to be done on their application side as a part of Access Manager SSO Set up or all the changes are to be done only on the Access Manager Side.
      I need to place my requirements to them so that we can go for a POC SSO Set up.
      Can you give me some pointers as in what to ask and what all requirements needs to be gathered in order to have a proper SSO Setup with the Java Based Web application

      It would be very beneficial if i could get any documentation on how to integrate Access Manager with such kind of Custom Built Java Web Application


    28. Pal says:

      Very good post Mahendra.
      I have question on in-memory cache:
      What happens if the distributed in-memory cache runs out of allocated memory space?
      Can it drop the user sessions? Can you increase this cache?
      Appreciate your help.

    29. Pal says:

      Hi Mahendra,
      What are the ideal webgate parameter values for the following other than just using defaults:
      max session time, max connections, total validity periods, cache timeout, max cache elements, failover threshold, AAA Timeout threshold

      Certainly it depends on the environmnet, but I am looking for approx. reasonable values.
      Appreciate your help.

    30. Mahendra says:

      Hi Pal,

      As said, it depends on environment. Max Session Timeout depends on business requirement. If the users should get timeout even after active after sometime, then you need to set that time for this parameter. For max connections, yet again a big thing to explain. Depending up on no. of webgates in your environment, no. of concurrent requests. Same thing holds true for failover threshold. It depends on how many access servers are present and how many are primary/secondary and are you using any AAA Cluster? Definitely, there is no approx values. However, in our environment, we have 3 AAA servers, 2 primary and 1 secondary. So Max Connections are Failover Threshold are 8 and 4 respectively. Cache Elements has to be calculated based on requirements, there is a formula in OAM guide.

      Hope this helps.


    31. AVJ Kumar says:

      Hi Mahendra,
      We are facing authentication issue with two domains. We have two domains new.a.com and old.a.com. Appache 2.2.8 and Webgate 10g client are installed separately in each domain. Both webgate client are connecting to same OAM server running in a different server.
      In OAM we created NewWebgate for new.a.com domain and HeritageWebgate for old.b.com domain. Custom login page is configured in NewWebgateLDAP Scheme. Both NewWebgate and HeritageWebgate is configured with NewWebgateLDAP Scheme. When we access the protected resource in new.a.com, after authentication it is showing the protected page. But we have an issue when we try to access protected page in old.b.com domain. Upon request it shows the custom login page which is hosted in new.a.com, but authentication fails. Can you please help on this issue?

    32. eescoto says:

      Maximum Connections of OAM agent suggested

    33. eescoto says:

      hi, which is Maximum Connections of OAM agent suggested?

    34. Mahendra says:

      Max Connections are specified in WebGate profile itself.

    35. Dev says:

      Hi Mahendra,
      When you are passing a HTTP Header Variable as a Authorisation success or Authentication Success Return Action , how does the user id stored in the HTTP Header gets passed through. Does it pass as a clear text or does it pass as an encrypted text. Can anyone tamper that HTTP HEader variable and login to any of my protected application.


    36. Mahendra says:


      HTTP Headers will be passed in Plain Text. You are right that it is not secured. Thus you can envision SSL or server side mechanism to accept incoming request only from specific set of server IPs or so.


    37. vinaya says:

      Hi ,

      For multi domian SSO, do we need two different access servers (i.e. OAM for that respective webgates)? (Can we do it using one OAM?)
      We need to make one access server as “primary Authentication Server” — how this is done exactly?

    38. Atul Kumar says:

      @ vinaya,
      This is for sure possible with single OAM (Access Server) in 10g. I need to check if OAM 11g supports multi domain or not.

      If muti domain is supported in OAM 11g, still you wouldn’t need 2 Access Servers only 1 is enough.

    39. Jim says:

      Hi Mahendra,

      Thanks for this post.

      I ran across it as I’m trying to understand something that I’m seeing in a simple certificate (X509) test configuration, where I’m trying to proxy the OAM credential collector using an Apache+OAM webgate (i.e., Apache+webgate+WebLogic Plugin for Apache ==> OAM credential collector (port 14101)). The reason for this is for a number of reasons, e.g., we don’t want to have any users connect directly to the OAM credential collector.

      Anyway, I have this configuration working, but we are noticing that in the step where the browser is re-directed to (apache1.whatever.com is the Apache proxy):


      we then get a 302/re-direct to:


      and, that 302 includes a Set-cookie where it sets “OAM_REQ=invalid; path=/; HttpOnly”.

      As I said, visibly, everything works correctly, but we are trying to determine what is causing that “OAM_REQ=invalid”, and whether or not it is a problem.

      Have you ever seen the above, and, if so, do you know why the credential collector is setting OAM_REQ to “invalid”?

      Thanks again,

    40. Atul Kumar says:

      @ Jim,
      Based on my experience OAM_REQ=invalid means (User has not authenticated yet and value of this cookie is invalid) . You should see a valid cookie value after successful authentication.

    41. Odesa says:

      Hello Mahendra,
      How to get policies and roles for a specific user from Access Server SDK for C#, C++ or Java?

    42. Mahendra says:

      Hi Odesa,

      You will find java code samples in ASDK folder for retrieving policy domains & its policies. You would have to write code to retrieve it for a specific user.

    43. Odesa says:

      Thanks you, Mahendra

    44. ankita says:

      Can you please tell what are the steps to achieve SSO between Oracle and facebook?

    45. gkout says:

      Hi Atul,

      Is it possible to protect the OAM access/identity console web pages with a policy?
      How could this be implemented on OAM 10g?

      How is access to the console safeguarded in case of a missconfigured policy?

    46. Mahendra says:

      Yes – It is possible. When you configure policy manager, two policy domains will be created protecting both identity and access consoles. All you would need is to go and enable the policy domains based on needs. You can also change the auth schemes etc.,

    47. gkout says:

      Thank you Mahendra. Before I proceed and break things I had a look at the policy and the headervar looks like:

      Authentication Success

      Type Name Return Attribute headervar HTTP_OBLIX_UID samaccountname

      Due to security reasons we have changed the samaccountname to a random string value. Now, if I change the header to point to “uid” which is set to the normal username will this work?

      Thanks once more.

    48. Mahendra says:

      as long as both samaccountname and uid has has same value it will work

    49. gkout says:

      Hi again Mahreda,

      Currently the SAMAccountname value is set to something like: “$12adf46adsf” while the uid=oam-admin

      WAM is checking the Samaccountname value by default when authentication so if I want to login I need to use this $12adf46adsf” as username, while what I need is to be able to login with “oam-admin”


    50. gkout says:

      Regarding a two step authentication.

      The user needs to use a form to authenticate to WAM and then he will be redirect to the target URL login page where he will have to authenticate against the application. In our case the application is HP OVO.

      The problem: Once the user logs in to the application the obssocookie value changes to ObSSOCookie=loggedout;.
      From that point if he tries another application link he gets prompted to authenticate against WAM again.

      I tried using OTA authentication as well, but nothing changed.

      Thanks once more and apologies for the long post.

    51. Mahendra says:


      I did not completely understand your question on samaccountname and uid. To my knowledge, if you have to authenticate against 1 attribute in OAM 10g say samaccountname, set the attribute in credential_mapping plugin. To show the value of uid in the logged in page, then pass uid as header variable in authorization actions.



    52. Mahendra says:


      I did not understand the query on step up authentication. Please elaborate.


    53. gkout says:

      We have implemented a form based authentication policy for a URL.
      The URL this policy protects is the login form of application “A”. Essentially once the user has passed the OAM authentication they end up to application “A” login form.
      Once they authenticate there as well and are in the application “A” home page, whatever link they click within the applicaton protected URL they are requested to re-authenticate against OAM. NTP has been checked and works fine.

    54. Mahendra says:


      If my understanding is correct, Application A is protected using form based authentication and login works fine. When any link is clicked in Application Am it is showing login page again? Is that correct?

    55. gkout says:

      Application A has its own login page. For additional security an OAM policy with form based authentication has been implemented so that the user has to authenticate twice. First against OAM (1st step) and secondly against the application login form (2nd step).

      Once the user has passed both authentication steps even if he tries to refresh the page or click on a link, he get an “ObSSOCookie=loggedout” pop-up and is redirect back to OAM for re-authentication.

      • Atul Kumar says:

        This means OAM is not authenticating or not configured properly or you are using different webgate.

        Do you see ObSSOCookie after first OAM authentication in User HTTP Header ?
        What version of webgate and OAM server you are using ?

    56. gkout says:

      Hi Atul and thank you for your answer.

      OAM version is:
      Release: BP10

      We have noticed that the rest of the protected URLs, which are also using their own login form to re-authenticate the user on step2, are working fine. The problem is specific to OVO HP Operations Manager for Unix Administration UI 9.1.0.

      The ObSSOcookie is created fine.
      During the http header debuging we noticed the following:
      https://hostname/some_path/skin/images/header/logout.24.gif [HTTP/1.1 200 OK 734ms]

      According to documentation doesn’t OAM WebGate log a user out when it receives a URL containing “logout.”?

      • Atul Kumar says:

        @ gkout,
        Yes you are correct. In OAM as soon as URL includes logout, OAM server will initiate logout process but as far as I know this does not include images like gif/jpeg/png (*logout*.png or jpeg or gif).

        Raise an SR with Oracle support and chekc with them

    57. gkout says:

      Correct but the name of the image is “logout.24.gif”. I am not sure if the parsing code is logout*.gif/jpg or logout.gif/jpg. If the documentation (see below) is accurate then the gif should be causing the problem.

      What I can not verify is if this rule is hardcoded in OAM or is it configurable. Is it hardcoded to automatically logout when a URL containing “logout.” is reached or the logout action depends on the below setting?

      Under Server settings:
      “Configure SSO Logout URL
      URL /access/oblix/lang/%lang%/logout.html”

      And that html file contains the function to expire the cookie.

      According to documentation:

      Logout From a Single Domain Single Sign-On Session By default, the WebGate logs a user out when it receives a URL containing “logout.”
      (including the “.”), with the exceptions of logout.gif and logout.jpg. For example, logout.html or logout.pl. When the WebGate receives a URL with this string, the value
      of the ObSSOCookie is set to “logout”.

    58. srshukla3 says:

      Hi All,

      I have OAM10. installed on solaris10 box, while configuring for SSL after installation, some thing goes wrong and Access server stopped working, even after running the reconfig, it does not work.
      Later i decided to uninstall OAM components and install it again, i removed the schema from OID by running ldif file as mentioned in document, when i try to run uninstaller.bin for any component, it gives following error –

      – ./uninstaller.bin
      Abort (core dumped)

      Is there way to uninstall it completely and re-install it or can i install another instance of OAM of same box ?

      Any help..

    59. Bikram Bhusan Sinha says:

      Hi Atul/Mahendra,

      Thanks for posting all the valuable details on OAM. I have a query on the OAM. We have a requirement that user can login from different locations (countries, zones etc). After the user is being validated through OAM, it should set some flag in the HTTP Header or session so that the flag will be accessible from the portal application after the successful login. How can I achieve this through OAM ?

      BTW – Atul, I am reading your book on OAM Administration. You have done a great job. Keep it up.
      Also can we create dynamic policies in OAM based on some conditions ? For ex. if the user belongs to group A then apply the policies which are different if the user belongs to group B ?

    60. Rich says:


      I am trying to integrate existing ASP.NET applications with OAM. When a user attempts to access one of the ASP.NET applications, OAM redirects them to an ASP.NET login page. The ASP.NET login page then sends an HTTP POST to the OAM server to authenticate the user based on the credentials entered on the login page.

      The problem is that I need to execute some custom .NET code after OAM authentication success, instead of redirecting to the intially requested page. How can I accomplish this without losing the OBSSO cookie that OAM generates after the login POST to OAM?

    61. Mahendra says:


      Ensure that no OAM services are running in the machine and do a soft delete the OAM installation folder as root user.


    62. Mahendra says:

      @Bikram Bhusan Sinha,

      You can always set a flag to retrieve from header variables after succesful login. But it depends on what kind of flag? Is it static or dynamic such as ldap attribute.

      LDAP attributes can always be returned through header variables after atz.

      2nd question on dynamic policies: You can protect multiple URLs authorizing specific LDAP groups. To do this, you would need create seperate atn and atz policies.



    63. Mahendra says:

      @Rich ,

      In OAM 10g, there was a parameter in auth scheme passthrough which will let you redirect to a custom page after authentication. This was possible OOTB. But this is not possible OOTB in OAM 11g.

      You might have to write custom plugins.


    64. Bikram Bhusan Sinha says:

      Hi Mahendra,

      Thanks for the reply. The flags are not for LDAP. My requirement is as mentioned below.

      We need to find the client browser location and based on that we need to set some parameter in HTTP Header through OAM. Then the parameter will be retrieved in portal application (portlets, adf pages) and then take some action based on that.

      I am thinking of a solution where we will read the Client browser IP address in OHS level and then pass that value to OAM before setting that to HTTP header there.

      It looks like WebCache has some directive named UseWebCacheIp which can be used but it is not again supported in OHS version. We are using OHS

      Can you give me your comments on how to achieve this requirement ?

    65. Mahendra says:

      These are my thoughts. You can use a custom authentication plugin to read the client’s browser location and set some value to a custom ldap attribute. This ldap attribute can be returned in headers from OAM.

      Don’t think OAM will give you comfortability in reading the client’s browser location.

    66. Bikram Bhusan Sinha says:

      Hi Mahendra,

      Thanks for the reply. The OAM will have the request coming from OHS and OHS will be facing towards intercepting the web requests from the client. So, when you are saying about using a custom authentication plugin, where do I use that ? Something should be there on the OHS layer to read the ip address and then pass to the OAM. Is that what you are mentioning ? It will be good if you can give some more details.

    67. Mahendra says:

      Hi Bikram,

      You might be knowing the authentication plug-ins available in OAM 11g. First, the user Identification plug-in and next the User Authentication plug-in.

      So you can write a custom plugin that will execute after User Authentication plug-in. Plug-ins can be written in java in OAM 11g. So you can very well, pick up the client browser location in plugin code and can set an ldap attribute as per your requirement.

    68. Bikram Bhusan Sinha says:

      Hi Mahendra,

      Since I am totally new in OAM, I have some limited knowledge on the details now. Regarding creating custom authentication plug-in, I want to know how to get the client browser ip there ? The user requests will come through the OHS port and then it will hit the WebGate to OAM. So, the ip which will be available to OAM comes from OHS only not from the actual client browser. So, in that case how can I extract the client browser address in the custom plug-in code ? Do you have some sample code which is available online ?

    69. Mahendra says:


      I have not worked on custom plug-in yet. In OAM 11g, plug-ins can be developed using java. http://docs.oracle.com/cd/E21764_01/doc.1111/e12491/authnapi.htm

    70. nagesh says:

      Hi Atul/Mahendra,

      My requirement is to redirect the logout from the main applications (EBS, OBIEE, Hyperion, and ECM) to be redirected to an intranet site. These applications are integrated with OAM11g and webgate used version is 11g. How this can be done in version.


    71. Mahendra says:

      Hi Nagesh,

      When you say you want to redirect the logout from EBS/OBIEE to intranet site, can you elaborate the requirement?

      In general these main applications OBIEE/EBS may be accesible to both internet and intranet users with different access constraints (may be role /user based).

    72. nagesh says:

      Hi Mahendra,

      Thanks for replying.

      Actually we integrated all these application with oam 11g now client requirement is when we logout (ie from sso login) it should redirect to the intranet site, I wanted to know how this requirement be achieved. I tried updating the end_url parameter but not working.


    73. nagesh says:

      Hi Atul,

      Thanks for the update.

      Actually i updated the Logout Target URL via oamconsole, Which will redirect when we logout from application to this value. please correct me if am doing wrong if so how we can configure the same.


    74. jenny says:


      I have a problem where obformlogincookie is not being set properly. The resource url contains a space. When the ObFormLoginCookie is created, it is good but at the time of set-Cookie obFormLogincookie the resource url is truncated after space.

      Please help.

    75. SK says:


      I have a question regarding Custom error page implementation in OAM
      I have setup custom error page which works fine for expected errors such as invalid credentials, locked user account, etc (OAM error code OAM-1,OAM-2 … OAM-5).
      How to handle unexpected error which displays OAM error page with message “System error. Please re-try your action. If you continue to get this error, please contact the Administrator”.

      Appreciate the response.

    76. Viraj says:

      Hi Mahendra,

      I’m facing a problem with url: http://:7777. which error out saying “Request-URI Too Large

      The request could not be processed by the server. The request URI is longer than the permissible limit”

      It was working fine before. But now it is not working. Not sure when this got changed.


    77. Mahendra says:


      What is the length of the URL? I presume you’re using IE.. Also how was it working before ? Was the URL length small earlier?


    78. sb says:

      Hi Mahendra

      I have a wired problem with OAM config ,when I used loadbalancer URL for webgate ,redirection fails with http 414 error .
      Redirect URI too long .
      I i use individual OAM server login page displayed .
      Any clue on this

    79. Arindam says:

      Hi Atul,

      I am new to OAM. I read various blogs and have a simple question to you. Please let me know what does the authentication policy store? What is the difference between authentication and authorization policies? How both helps the OAM to validate an user?

      • Atul Kumar says:

        @ Arindam,
        Authentication means if you can prove who you say you are : usually username/password to authenticate . (There are other ways to authenticate as well like certifiates or tokens etc but username/password is most common)

        Authorization means if you can access a particular resource (URI) or not. OAM only supports perimter authorization which means a URL, it can’t allow/deny content within a URL (it will be either evrything or nothing).

        Authentication Policy dictates how user will be challeneged (or not challenegd) for authentication and authorization policy dictates how user will be allowed/denied for a URL (based on user’s group or attrribute etc)

        Store (usually database) is location where these rules/policies are stored .

    80. Narendra says:

      In our environment for OAM default user store is OVD and searchAttribute in OVD data store is uid but the actual requirement for our app after protecting it with OAM is user can enter his employeeID and windows password to login how can we achieve this ? how credential mapping will be done in OAM11gr2 ? and now I am able to login using uid and windows password
      lets say the resource is https://sso.dev.com:8080/test/ovd.html is protected while accessing this url we will get OAM SSO form
      as it is configured to be form based authentication here if I give uid/windows password i am able to login.

      but my requirement is I have to give employeeId/password to access/login the resource. how ?

      pls let me know the procedure ?

      Thanks in Advance.

    81. Narendra says:

      Sorry forgot to mention the version it is OAM11gR2.

    82. Devendra says:

      Very good info.

    83. Anan says:

      Hi Mahendra,

      Its nice to see your post.Gathered lots of info.

      I have a requirement like provide SSO using OAM for oracle communication stack apps.
      All applications using their local database.
      How can I get users authenticated against OAM.
      Local database are not ldap based databases.
      What i can do to get users data into Active Directory to get them authenticated.

    Leave a Reply

  • K21 Technologies is among the most experienced Oracle Gold Partner for Identity Access Management service providers. We work with application development companies and in-house technology division to help achieve significant returns on their IT security investment. Our clientele includes some of the globally renowned corporate, which speaks of our expertise in our field.

    We have the most talented and experienced team that can swiftly deploy security solutions even in complex IT ecosystem. Our clients highly appreciate our timely implementation, interactive training, on-demand support and community resources.

    K21 Technologies
    8 Magnolia Place, Harrow,
    London, HA2 6DS

    UK: +44(0)7476444481
    USA: +1-888-414-1821

  • 2014, K21 Technologies. All rights reserved DMCA.com
  • TOP