Manual Chapter: Access Policy Manager Integration with OAM Overview

Integration with supported Oracle Access Manager versions

Access Policy Manager can provide the same functionality as an Oracle 10g WebGate. Access Policy Manager native OAM integration is built on top of Oracle 10g's latest Access Manager SDK. When you deploy Access Policy Manager with an OAM 10g or 11g server and OAM 10g WebGates, you no longer need to deploy a WebGate proxy or WebGate agent for each OAM-protected web application.

Access Policy Manager supports multiple WebGates and can function as an Authentication WebGate (when deployed with Oracle 10g server) as well as a Resource WebGate (when deployed with either Oracle 10g or 11g server).
Authentication WebGate (AWG)
The front-end agent of the OAM server that provides the interface of authentication and authorization for the user's access request to specific web resources.
Resource WebGate (RWG)
The front-end agent of protected web servers; the RWG validates the OAM session cookie (ObSSOCookie) to determine whether the user has been authenticated and can be authorized to access the requested web resources.

Although the Oracle 11g server is backward compatible with Oracle 10g WebGates, when deployed with Oracle 11g, Access Policy Manager acts in place of OAM 10g Resource WebGates but does not act as an Authentication WebGate. This is because OAM 11g introduced a new architecture in which the OAM 11g server becomes the central management point for everything, including authentication; that is, the OAM 11g server takes on the role of the AWG. Refer to Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager 11g for a comparison of OAM 10g and 11g architectures.

Because the Oracle 11g server handles all user authentication requests, you should take steps to prevent and mitigate Layer 7 Denial of Service (DoS) and brute force attacks by installing a Web Application Firewall in front of the Oracle 11g server. BIG-IP Application Security Manager can provide you with intelligent Layer 7 protection in this case. For more information, refer to Configuration Guide for BIG-IP Application Security Manager.

How does native integration with OAM work?

You can achieve SSO functionality with OAM for HTTP/HTTPS requests passing through a virtual server to the web application. With OAM support enabled on a Local Traffic Manager (LTM) virtual server, Access Policy Manager will be the OAM policy enforcement point (PEP) on the BIG-IP system, while the OAM server is still the policy decision point (PDP) in the overall system architecture. When a user requests access to a protected web resource, Access Policy Manager communicates with the OAM server to determine whether the user can be authenticated/authorized for the request, and enforces the policy evaluation decision (made by OAM server) on the BIG-IP device.

The figures that follow show a typical configuration before and after OAM native integration is enabled.

Figure: Typical configuration before OAM native integration is enabled on the BIG-IP system

In this figure, individual WebGates, installed on each web server, interact with the OAM Access Server.

Figure: Typical configuration after OAM native integration is enabled on the BIG-IP system

In this figure, WebGates are no longer required on the web servers, and, even if they are installed, they are not used. Access Policy Manager acts in place of the WebGates, contacting the OAM Access Server for policy information, and enforcing the policies.
