Friday, June 17, 2011

OAM 11g is certified with EBS 12

Oracle Access Manager 11gR1 (11.1.1.3) is now certified for use with E-Business Suite Releases 12.0.6 and 12.1.1 and above.
Here are the details: Integration Certification Details.

Impersonation feature is not available in OAM 11g WebGates

If you need OAM 10g to protect .NET-based applications, you can do so with IIS WebGates without custom coding or filters, using the Impersonation feature in OAM 10g WebGates. However, if you are using an OAM 11g WebGate, the impersonation feature is not available or supported.
In this case, the best approach is to use a 10g WebGate with OAM 11g. I have read a beautiful post here on the same.

Thursday, June 16, 2011

Attended a session on Oracle Entitlement Server 11g

Further to previous posts on OES 11g, I attended a session today given by an Oracle Product Manager. Some of the key points that I would like to outline are:
  1. OES 11g can be integrated with OAM 11g out of the box and is certified, which is very good news. In previous versions of OAM and OES, we used a custom approach, using specific authentication schemes in applications protected by OES, etc. It was not very straightforward.
  2. OES 11g provides very good authorization security for Oracle Database. In the future, we can expect the Database to come with OES by default.
  3. OES 11g can be implemented in Cloud Security, which is a hot requirement for most customers now.
  4. OES 11g is certified with OID 11g.
  5. There is no direct integration of OES 11g with either OAAM 11g or OIF 11g. However, it can be implemented using customization.
  6. Auditing and Reporting have been enhanced.
  7. OES 11g Admin consoles are Web UI consoles.
  8. OES 11g can be used for multi-tenancy. Future releases will directly support multi-tenancy.
  9. In future releases of OES 11g (probably by the end of 2011), we may expect this product to integrate with SOA and Fusion Middleware products out of the box.
This is it for today!!

Wednesday, June 15, 2011

Oracle Identity Manager Performance tips

I have read a post on Oracle Identity Manager performance tips here. This post talks about various factors where tuning has to be applied with respect to OIM. In addition, it is always good to tune the application server where OIM is deployed as a web application.

OAM 11g integration with OBIEE 10g for Single Sign-On

I have already done a detailed write up on Oracle Access Manager 10g integration with OBIEE 10g for Single Sign-On here.
I have read another post here that has a detailed description of Oracle Access Manager 11g integration with OBIEE 10g. That was pretty good!!

In fact, I could not notice much difference between the integration steps for OAM 10g and OAM 11g.

OES 11g is launched

The much-awaited product Oracle Entitlement Server 11g has been launched by Oracle. I am going to attend a web session on OES 11g. I will keep you updated with the findings soon.

OES 11g installs and documentation links are provided in this post.

Keep watching this space.

Tuesday, June 14, 2011

Oracle Portal 11g is not certified with OAM 10g

Please be aware that Oracle Portal 11g is not certified with Oracle Access Manager 10g; please read the OAM 10g FAQ here. The certified version is OAM 11.1.1.4 and Oracle Portal 11.1.1.4.0. For more information, please read the detailed post here written by me.

How to setup Oracle Access Manager in disaster recovery mode?

In every real-time environment, you would use two production sites, i.e., Active and Stand-by. Only one site will be up and running at a time. This means all the transactional data with respect to Oracle Access Manager will be present in LDAP (user data, configuration data, policy store). However, I am going to talk about providing a disaster recovery setup for the LDAP used by OAM. I would like to stress the key points involved in setting up OAM 10g for disaster recovery with little or no manual intervention.
I have explained this in much detail here.

How clustering works with Access Server and WebGates

This post talks about a WebGate communicating with multiple Access Servers which are deployed in a Primary/Secondary scenario. I have explained this in detail here.
Please feel free to reach me if you have any queries.

Global Logout in Oracle Access Manager 10g

This post covers the Global Logout operation in Oracle Access Manager 10g. If you look at the OAM 10g documentation for Global Logout, it just talks about having the logout keyword in the logout URL (except logout images, etc.).
In reality, achieving logout is not an easy job with Oracle Access Manager. If there are multiple products integrated with OAM 10g, killing the ObSSOCookie alone will not suffice. The cookies or sessions of the applications that are integrated with OAM 10g need to be implicitly killed, and this is all customization. This is explained in detail in the post.

The most challenging part of this Global Logout is this: the user logs into Portal 11g and accesses multiple applications (custom and legacy) within the same session, so different cookies/sessions get created for the respective applications. The logout link is enabled only in Portal 11g, not in any of the other downstream applications. The concept is simple: a single logout at a single place. When the logout is performed in Portal 11g, the Portal and OSSO related cookies/sessions get cleared. However, cookies/sessions pertaining to the other apps are not deleted, and hence logging in as a different user within the same browser session retains the old user's session. An easy way to overcome this is to close all the IE browsers. An exception to this is to use < IE6, as there is a browser session sharing feature implemented in IE7 and above.

Now let us talk about the actual scenario.

To talk about our environment, there are almost 8 applications, a mix of custom applications and legacy applications such as PEOPLESOFT, SIEBEL, ORACLE PORTAL 11g. Since Oracle Portal 11g integrates with OSSO - OAM 10g directly, there is a Logout page in OSSO (of Portal) which has the functionality to delete OSSO related sessions for Portal. Since we used a logout URL which calls logout.jsp, OAM treats it as a logout call by default and sets the ObSSOCookie to loggedoutcontinue.

The custom applications have Apache-based servers at the front end and Tomcat/WebLogic at the back end, where the target applications are deployed. Each custom application has its own logout functionality implemented. The same is the case with the legacy applications, which have their own logout pages with specific logout functionality.

How is logout implemented then? The primary source for all applications is Oracle Portal, for which performing logout is an easy job and clears all Portal related cookies. So from the Portal logout.jsp, a call is made to another application, say PEOPLESOFT, to clear the PeopleSoft related sessions. The chain goes on like this until all cookies/sessions pertaining to all applications are cleared.
The negative side of this approach is the latency, because calls are made to all the applications in the architecture. You can take this for granted for a single reason: Logout is performed as heavily as Login or other transactions.
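
The stale-session problem and the logout chain described above can be modelled as a browser cookie jar, as in this added example (not code from the original post or from Oracle). The application keys and every cookie name other than ObSSOCookie are constructed placeholders; the returned hop count stands in for the latency cost of calling every application.

```python
# Added illustration of the logout chain; not code from the original post.
LOGGED_OUT = "loggedoutcontinue"  # value the post says OAM writes to ObSSOCookie

# Each application owns some session cookies and names the next logout hop.
# Cookie names here are constructed placeholders, not real product cookies.
APPS = {
    "portal": {"cookies": ["PORTAL_SESSION"], "next": "peoplesoft"},
    "peoplesoft": {"cookies": ["PSFT_SESSION"], "next": "siebel"},
    "siebel": {"cookies": ["SIEBEL_SESSION"], "next": "custom-app"},
    "custom-app": {"cookies": ["CUSTOM_SESSION"], "next": None},
}


def login_all(user):
    """Browser cookie jar after the user has visited every application."""
    jar = {"ObSSOCookie": f"sso-token-{user}"}
    for app in APPS.values():
        for cookie in app["cookies"]:
            jar[cookie] = f"{user}-session"
    return jar


def logout(jar, start="portal", follow_chain=True):
    """Run the logout; return the number of application calls (latency cost)."""
    jar["ObSSOCookie"] = LOGGED_OUT
    hops, name, seen = 0, start, set()
    while name is not None and name not in seen:  # 'seen' stops redirect loops
        seen.add(name)
        for cookie in APPS[name]["cookies"]:
            jar.pop(cookie, None)  # the application clears its own session
        hops += 1
        name = APPS[name]["next"] if follow_chain else None
    return hops


def stale_sessions(jar):
    """Cookies that still carry the previous user's session after logout."""
    return sorted(c for c, v in jar.items() if v != LOGGED_OUT)


if __name__ == "__main__":
    jar = login_all("alice")
    print(logout(jar, follow_chain=False), stale_sessions(jar))  # Portal only
    jar = login_all("alice")
    print(logout(jar), stale_sessions(jar))  # full chain
```

Running `stale_sessions` against a real browser session after logout is the same check: any application cookie that survives is a session the next user of that browser would inherit.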