Access Policy Manager can provide the same functionality as an Oracle 10g WebGate. Access Policy Manager native OAM integration is built on top of Oracle 10g's latest Access Manager SDK. When you deploy Access Policy Manager with an OAM 10g or 11g server and OAM 10g WebGates, you no longer need to deploy a WebGate proxy or WebGate agent for each OAM-protected web application.
Although the Oracle 11g server is backward compatible with Oracle 10g WebGates, with Oracle 11g, Access Policy Manager acts in place of OAM 10g resource WebGates but does not act as an authentication WebGate (AWG). This is because OAM 11g introduced a new architecture in which the OAM 11g server becomes the central management point for everything, including authentication, that is, the role of the AWG. Refer to Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager 11g for a comparison of OAM 10g and 11g architectures.
Because the Oracle 11g server handles all user authentication requests, you should take steps to prevent and mitigate Layer 7 Denial of Service (DoS) and brute-force attacks by installing a Web Application Firewall in front of the Oracle 11g server. BIG-IP Application Security Manager can provide you with intelligent Layer 7 protection in this case. For more information, refer to Configuration Guide for BIG-IP Application Security Manager.
You can achieve SSO functionality with OAM for HTTP/HTTPS requests passing through a virtual server to the web application. With OAM support enabled on a Local Traffic Manager (LTM) virtual server, Access Policy Manager will be the OAM policy enforcement point (PEP) on the BIG-IP system, while the OAM server is still the policy decision point (PDP) in the overall system architecture. When a user requests access to a protected web resource, Access Policy Manager communicates with the OAM server to determine whether the user can be authenticated/authorized for the request, and enforces the policy evaluation decision (made by OAM server) on the BIG-IP device.
The figures that follow show a typical configuration before and after OAM native integration is enabled.
In this figure, individual WebGates, installed on each webserver, interact with the OAM Access Server.
In this figure, WebGates are no longer required on the webservers, and, even if they are installed, they are not used. Access Policy Manager acts in place of the WebGates, contacting the OAM Access Server for policy information, and enforcing the policies.