• Find us:
    +1-669-900-5138   |   +44-203-372-5553
  • Free Newsletter

    Get Latest Updates

  • Make Training Enquiry


  • Categories

  • Archive

  • Agents in OAM 11g (WebGate 10g/11g, OSSO/mod_osso, AccessGate IDM Domain agent) aka PEP (Policy Enforcement Points)

    Posted by "" in "oam" on 2010-09-09

    Share on FacebookTweet about this on TwitterShare on Google+Share on LinkedInEmail this to someone

    This post covers overview of Policy Enforcement Points (known as Agents) in OAM 11g. For Step by Step installation of OAM 11g click here and to know about changes in Access Manager (OAM) 11g click here

    Agent in OAM 11g : is Policy Enforcement Point (PEP) registered with  WebServer (Apache, OHS, IBM HTTP Server), Application Server (WebLogic…) or third party application to protect using Oracle Access Manager 11g.  Example of OAM 11g Agent (aka Policy Enforcement Agents) are WebGate, AccessGate, OSSO Agent and IDM Domain Agent

    a) WebGate: WebGate is pre-packaged webserver plug-in to protect web-server via OAM11g. There are two versionof WebGate i.e. 10g WebGate and 11g WebGate . OAM 11g server supports both 10g WebGate and 11g WebGate

    b) AccessGate : is custom access client developed using AccessSDK to protect non web-based applications protected by OAM 11g

    c) mod_osso or OSSO agent: Agents introduced in OAM 11g for Oracle AS 10g SSO (Single Sign-On)

    d) IDM Domain Agent :  IDM Domain agent provides SSO for OAM Console and other IDM consoles (OIM, OAAM..) deployed on WebLogic Domain in Identity Management 11g.



    Key points for OAM 11g Agents
    1. A Web server, Application Server, or any third-party application must be protected by a WebGate, mod_osso or AccessGate instance that is registered with Oracle Access Manager as an agent.

    2. Agent (access gate/webgate/mod_osso) communicate with OAM Server (in OAM 10g this is Access Server) to check protected resource and configured access policies

    3. Individual agents must be registered (from OAM console or Remote Registration Tool) with Oracle Access Manager 11g to set up the required trust mechanism between the agent and OAM Server.

    4. Registering an Agent with OAM Server 11g is also known as “Registering a partner application” or “Regsitering a partner application with OAM

    5. When you register an Agent, a key is created and stored at Agent side in local wallet file, and at OAM Server side in Java Key Store. There is one key-pair per Agent with exception to WebGate 10g (There is only one secret key for all 10g Webgates registered with OAM 11g)

    6. On Agent registration, it create files on OAM’s WebLogic Admin Server under $DOMAIN_HOME/output/<agent_name>(ObAccessClient.xml, cwallet.sso, osso.conf, )


    How various agents talk to OAM Server ?

    a) WebGate 11g :After registration with OAM Server 11g, WebGate 11g directly communicates with OAM 11g server (No Proxy)

    b) WebGate 10g: After registration with OAM Server 11g, WebGate 10g communicates with OAM 11g server through J2EE based OAM Proxy.

    c) IDM Domain Agent: This agent is installed as part of Identity Management Domain (WebLogic Domain) and performs as an OAM 10g Agent.

    d) OSSO Agent (mod_osso 10g) : After registration with OAM Server 11g, OSSO agents communicate with OAM server via OSSO Proxy (OSSO proxy converts OSSO protocol to OAM 11g authentication service protocol).



    How to register Agent with OAM server ?

    To register Agents you can use
    a) OAM Administration Server Console: ( http://server:7001/oamconsole ) where 7001 is Admin server port for WebLogic server on which OAM server 11g is installed.

    Administration Console -> System Configuration -> Agent Node

    b) Command Line Tool (aka Remote Registration Tool)oamreg.sh (Unix) or oamreg.bat (Windows) 
    More on Remote Registration Tool for WebGate/Access Gate/mod_osso agent later

    Related Posts for Access Manager

    1. Integration Steps – 10g AS with OAM (COREid)
    2. OAS – OAM (Access Manager / Oblix COREid) Integration Architecture
    3. Oblix COREid and Oracle Identity Management
    4. Installing Oracle Access Manager (Oblix COREid / Netpoint)
    5. Oracle Access Manager (Oblix COREid) Upgrade
    6. Access Manager: WebGate Request Flow
    7. Introduction to Oracle Access manager : Identity and Access System – WebPass , Webgate, Policy Manager
    8. Certified Directory Server (AD, OID, Tivoli, Novell, Sun or OVD) and their version with Oracle Access Manager
    9. Install Oracle Access Manager (OAM) Identity Server, WebPass, Policy Manager, Access Server, WebGate
    10. Multi-Language or multi-lingual Support/Documentation for Oracle Access Manager (OAM)
    11. OAM Policy Manager Setup Issue “Error in setting Policy Domain Root” : OAM with AD and Dynamic Auxiliary Class
    12. OAM Installation Part II – Indentity Server Installation
    13. OAMCFGTOOL : OAM Configuration Tool for Fusion Middleware 11g (SOA/WebCenter) Integration with OAM
    14. Oracle Access Manager Installation Part III : Install WebPass
    15. OAM : Access Server Service Missing when installing Access Manager with ADSI for AD on Windows
    16. OAM : Create User Identity – You do not have sufficient rights : Create User Workflow
    17. Password Policy in Oracle Access Manager #OAM
    18. Changes in Oracle Access Manager 11g R1 (
    19. Agents in OAM 11g (WebGate 10g/11g, OSSO/mod_osso, AccessGate IDM Domain agent) aka PEP (Policy Enforcement Points)
    20. How to install Patches in Oracle Access Manager 10g : Bundle Patch / BPXX
    21. Session Management in #OAM 11g : SME , Idle Timeout, Session Lifetime
    22. Part IX : Install OAM Agent – 11g WebGate with OAM 11g
    23. How to integrate OAM 11g with OID 11g for User/Identity Store
    24. How to install Bundle Patch (BP) on OAM – BP02 (10368022) OAM
    25. Error starting OAM on IBM AIX : AMInitServlet : failed to preload on startup oam java. lang. Exception InInitializer Error
    26. OAMCFG-60024 The LDAP operation failed. OAMCFG-60014 Oracle Access Manager is not configured with this directory
    27. How to Edit (create, delete, modify) Identity Store of OAM 11g from command line (WLST) – editUserIdentityStoreConfig
    28. OAM WebGate Registration RREG – Resource URL format is not valid
    29. Blank Screen on OAM 10g Identity Server Console : /identity/oblix
    30. Oracle 10g/11g webgate software download location
    31. How to find Webgate 10g/11g Version and Patches Applied
    32. OAM integration with OIF : Authentication Engine or Service Provider
    33. OAM 11g integration with Microsoft Windows Active Directory (WNA, IWA, Kerberos) for Zero Sign-On
    34. OAM 11g : How to change Security Mode (OPEN, SIMPLE, CERT) – WebGate to Access Server Communication
    35. Forgot Password link on OAM Login Page
    36. OIM-OAM-OAAM integration – Account Lockout in OAM obLoginTryCount , oblockouttime, MaxRetryLimit
    37. How to identify which LDAP (OID/AD/OVD) server OAM 11g connects to and as what user ?
    38. OAM 10g WebGate installation failed with Sorry Invalid User or Invalid Group
    39. Beware if you are running OAM in SIMPLE mode with 10g WebGate : Oracle AccessGate API is not initialized
    40. Troubleshooting : 11g WebGate with OHS 11g integrated with OAM 11g : OBWebGate_AuthnAndAuthz: Oracle AccessGate API is not initialized
    41. Deploying OAM in high availability across data centres in Active Active cluster : New Feature in OAM 11gR2 PS2
    42. New OAMConsole in OAM 11gR2 PS2 : Enabling Federation, STS, Mobile & Social in Oracle Access Management Suite

    23 Responses to “Agents in OAM 11g (WebGate 10g/11g, OSSO/mod_osso, AccessGate IDM Domain agent) aka PEP (Policy Enforcement Points)”

    1. Andre Eveleens says:


      We have a problem with our installation and like to drop a request at you.
      We are installing OAM with OID
      We are sofar that we are installing the AccessGate.
      When we are adding a New Access Gate, we receive the following error:
      Preferred HTTP Host must specify an existing host identifier variation, SERVER_NAME, or HOST_HTTP_HEADER

      Have you seen this before?

    2. Atul Kumar says:

      @ Andre,
      Yes this is requirement . Define host name identifier before defining webgate

      1.Launch the Access System Console and click the Access System Configuration tab.
      2. In left navigation pane, click Host Identifiers.
      3. Click Add to add a new host identifier.




    3. Dan says:

      Hi Atul,

      What is the secret symmetric key generated during the agent registration used for? Is this used for encrypting the obSSOcookie. I would think the obSSOcookie would be encrypted using a session key rather than the symmetric key.


    4. Atul Kumar says:

      @ Dan,
      Secret Symmetric key is used to validate identity of regsitered webgate (agent). This is just an extra security added in OAM 11g.

    5. […] OAM WebGate :  also known as AccessGate (in 10g) or OAM Agent (in 11g) is a Web Server Plugin installed with WebServer (OHS, IIS, Apache, IBM WebServer) and communicates with Oracle Access Manager Server (Access Server in OAM10g). When user access a resource protected by Oracle Access Manager (OAM) then WebGate communicate with OAM to find how resource is protected and ask user to provide credential based on Authentication Policy set for resource.  For Request flow for WebGate check my earlier post here . For overview of Agents in OAM 11g (OAM Agents & OSSO Agent) click here […]

    6. berniej says:

      Hi Atul,
      Have just bought your book which I know is going to be a great help over the next few months! However I wonder if you caould advise on the following please?

      I have an OHS 11g webgate working with OAM However, I have found that after a while, when I apply auth or authz policy changes they are not picked up by the webgate. Restarting OHS doesn’t help nor does restarting the oam_server instance. It seems that only rebooting the OAM/OID host machine fixes this problem which doesnt’ seem right! What do I need to do to propagate policy changes please?



    7. Atul Kumar says:

      @ berniej,
      Policy is stored in database via oamconsole (running on admin server of weblogic)

      Ideally on updating policy, it should invalidate cache from webgate. Try following after updating policy (authentication/authorization…)

      1. Logout of oamconsole and login again and see if changes are visible in oamconsole

      2. If not then bounce admin server and see if changes are visible in oamconsole

      3. If not then raise an Service Request.

      Which Operating System you are using ?

    8. berniej says:

      Thanks Atul,

      Policy changes are visible in oamconsole after logout/login so I’m pretty sure they’ve been applied to the DB. Strange thing is that after a reboot any subsquent policy changes are detected immediately by the webgate for a while but then seem to stop for some reason. I’ve also noticed that there are a lot of TCP connections to port 5575 in a TIME_WAIT state which is making me wonder if there are problems occurring with the client (webgate) connection to the oam server that build up over time resulting in a loss of connectivity and thus the webgate is unable to receive policy updates…?

      OS is W2K3



    9. Atul Kumar says:

      @ berniej,
      You are going to right direction. Monitor network traffic betwen webgate and OAM server.

      Do you see anything unusual in OAM managed server log file ?

      Check chapter 13 (logging) of my book https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book for steps on how to enable logging in OAM components.

    10. berniej says:

      Further update….
      I think the problem is that the access server is not reading back the updated policy data from the db – this is why….

      I had a response var set as $user.user_id (which is incorrect should be $user.userid). This shows as an error in the oam_server logs and causes an exception.

      After correcting this and bouncing oam_server in em the error still shows on next login. How to force oam_server to re-read policy data I wonder?



      BTW Atul, eBus12/OAM intgn book is going to be really useful :-)

    11. luke says:


      I have a configuration where there are 7 Apache servers, and 2 Access Servers.
      Now how what would be the configuration of the Webgates.
      Would I require to have 7 webgates installed, one for each Apache server ?

      I am also in the process of configuring the WebGate, OAM Servers in the OAM Identity Asserter on the Weblogic Domain.u
      What Would be the webgate name that would go into the configuration on the asserter.


    12. Atul Kumar says:

      @ Luke,

      Are these 7 Apaches serving same content ?
      Are these all 7 apaches installed on 7 different machines ?

      Here is my answer based on assumption that Access Server is 11g and all 7 apache are serving same content and installed on 7 different machines.

      1. Create 1 webgate instance in oam server
      2. Install 7 webgates 1 with each Apache

      Q: What Would be the webgate name that would go into the configuration on the asserter ?
      A: There is no need to give webgate name in asserter configuration. Which documentation link you refering for Identity asserter configuration ?

    13. jj says:

      Hi Atul,
      My understanding is : A Web server, Application Server must be protected by a WebGate, mod_osso RESPECTIVELY that is registered with Oracle Access Manager as an agent.

      For OHS(for example) we configure Webgate11g and register it in OAM.This protects the resources in OHS via Webgate.

      Query : In case of mos_osso,why do we not configure the Oracle Application server BUT we configure OHS again?


    14. Atul Kumar says:

      @ JJ,
      mod_osso is OHS module and must be configured with OHS only .

    15. […] a Policy Enforcement Point (PEP) that is installed with Web Server. More on Agents (PEPs) in OAM here . WebGates are of version 10g (10.1.4.*), 11gR1 (11.1.1.*), or 11gR2 (11.1.2.*), to find patches […]

    16. Lalith says:

      Hi Atul,

      If an organization have an external authentication system like CAS (Central Authentication System),

      How can they hook into the 11g OAM

      Any Ideas,


    17. Gupta Katakam says:

      Hi Atul,

      I need to protect a web application using OAM 11g, in which we have only 2 jsp’s deployed on tomcat server. One is login.jsp and the remaining is dashboard.jsp. I am validating the user against OracleDB using User table, in which we have 3 columns username,password and role.

      Can you please elaborate the procedure to protect this custom java based web app with OAM 11g.

      Thanks & Regards,
      Gupta Katakam

    18. […] Oracle Access Manager (OAM) is recommended Single Sign-On (SSO) solution from Oracle, WebGate is a Agent that acts as Policy Enforcement Point (PEP) and installed with WebServer (OHS, IHS, IIS etc). To […]

    19. Viruls says:

      Hi Atul,

      Env :
      OAM 11gR2
      OAM 10g webgate installed over apache2 webserver.

      I am working on protecting a proxied url of java application deployed over JBOSS
      I am using external custom authentication page in my authentication schema.
      In My authentication policy I specified the successURL and Failure URL , I am able to redirect to success URL after successful authentication where as if I enter invalid credentials it was remains on the login page upto 4 invalid attempts and the 5th invalid attempt redirecting to the failure url, In the logs I found that for the first 4 invalid times I am getting Invalid credentials error and on the 5th invalid attempt it is showing invalid credentials and user locked.

      Did I miss anything ?

      Please advise.


      • Atul Kumar says:

        Virtul, this is expected behaviour. In OAM 11g, user gets locked in LDAP server (obAccuntLock or somethign like this) after 5 failed attempts. This setting is defined in oam-config.xml

    20. Viruls says:


      My Problem is whenever user tried with invalid credentials he should redirects to failure URL mentioned in authentication policy but in my case it is not happenning, it is only after 5 invalid attempts in a row on the same browser.

      Please advise.


    21. sjsaleem says:

      Can i configure IBM Datapower as an agent in OAM?

    Leave a Reply

  • K21 Technologies is among the most experienced Oracle Gold Partner for Identity Access Management service providers. We work with application development companies and in-house technology division to help achieve significant returns on their IT security investment. Our clientele includes some of the globally renowned corporate, which speaks of our expertise in our field.

    We have the most talented and experienced team that can swiftly deploy security solutions even in complex IT ecosystem. Our clients highly appreciate our timely implementation, interactive training, on-demand support and community resources.

    K21 Technologies
    8 Magnolia Place, Harrow,
    London, HA2 6DS

    UK: +44(0)7476444481
    USA: +1-888-414-1821

  • 2014, K21 Technologies. All rights reserved DMCA.com
  • TOP