OAM and ADAM

There is a requirement to have ADAM host the user and policy store for OAM, with a user base to the tune of 3.5 million. Is this going to pose a problem with ADAM as the repository?

You should not have any issue with ADAM, as it is the same Active Directory with the network-related stuff removed. The code base is pretty much the same (Microsoft claims :)).
A couple of options for you to plan:
You can create two or three ADAM instances and split the users across them, and you can have OAM talk to multiple repositories directly or through OVD.
Make sure the attributes that will be used in search are indexed, and structure the OUs appropriately.
Whether or not you use OVD, you may want to split the policy store to another ADAM instance so that when you have to back up the entire ADAM DIT, you only do a small value, and it will also help during migration.
Thanks
Ram
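
The indexing advice in the reply above can be checked offline before a large user load. The following is an added example, not part of the original thread: it compares the attributes named in LDAP search filters against an LDIF export of `attributeSchema` entries, using the Active Directory/ADAM convention that bit 0 of `searchFlags` marks an attribute as indexed. The schema export, the filters and names such as `exampleTenant` and `exampleBadge` are constructed for illustration.

```python
import re

INDEX_BIT = 0x1  # searchFlags bit 0: the directory maintains an index for the attribute

# Constructed schema export; flag values are illustrative, not real schema defaults.
SAMPLE_SCHEMA_LDIF = """\
# constructed sample
dn: CN=Object-Class,CN=Schema,CN=Configuration,
 CN={CONSTRUCTED-INSTANCE-GUID}
objectClass: attributeSchema
lDAPDisplayName: objectClass
searchFlags: 1

dn: CN=uid,CN=Schema,CN=Configuration,CN={CONSTRUCTED-INSTANCE-GUID}
lDAPDisplayName: uid
searchFlags: 1

dn: CN=E-mail-Addresses,CN=Schema,CN=Configuration,CN={CONSTRUCTED-INSTANCE-GUID}
lDAPDisplayName: mail
searchFlags: 0

dn: CN=Employee-ID,CN=Schema,CN=Configuration,CN={CONSTRUCTED-INSTANCE-GUID}
lDAPDisplayName: employeeID

dn: CN=Example-Tenant,CN=Schema,CN=Configuration,CN={CONSTRUCTED-INSTANCE-GUID}
lDAPDisplayName: exampleTenant
searchFlags: 4
"""

# Constructed filters of the kind an access manager issues at login or policy evaluation.
SAMPLE_FILTERS = [
    "(&(objectClass=user)(uid=jdoe))",
    "(|(mail=jdoe@example.com)(employeeID=100234))",
    "(exampleTenant:caseExactMatch:=acme)",
    "(&(objectClass=user)(exampleBadge=77))",
]

# Attribute description at the start of a filter item: name, optional ;options or
# :matchingRule:, then one of the operators =, >=, <=, ~=.
FILTER_ITEM = re.compile(r"\(\s*([A-Za-z][A-Za-z0-9-]*)(?:[;:][^=()<>~]*)?\s*[<>~]?=")


def parse_schema(ldif_text):
    """Return {lowercased lDAPDisplayName: searchFlags} from an LDIF schema export."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # LDIF folds long lines with a leading space
    flags = {}
    for record in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        attrs = {}
        for line in record.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), value.strip())
        name = attrs.get("ldapdisplayname")
        if name:
            # An entry without searchFlags is treated as not indexed.
            flags[name.lower()] = int(attrs.get("searchflags", "0"))
    return flags


def filter_attributes(ldap_filter):
    """Return the set of attribute names (lowercased) referenced by one filter."""
    return {m.group(1).lower() for m in FILTER_ITEM.finditer(ldap_filter)}


def audit(ldif_text, filters):
    """Map each searched attribute that lacks an index to the reason it was flagged."""
    flags = parse_schema(ldif_text)
    findings = {}
    for ldap_filter in filters:
        for attr in filter_attributes(ldap_filter):
            if attr not in flags:
                findings[attr] = "not in schema export"
            elif not flags[attr] & INDEX_BIT:
                findings[attr] = "searchFlags=%d, index bit clear" % flags[attr]
    return dict(sorted(findings.items()))


if __name__ == "__main__":
    for attr, reason in audit(SAMPLE_SCHEMA_LDIF, SAMPLE_FILTERS).items():
        print(f"{attr}: {reason}")
```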

Similar Messages

  • OAM with ADAM / AD userproxy bind

    Hi All,
    I have set up OAM with ADAM as the user store, extended the schema, etc., but now I need to use AD bind rather than ADAM bind.
    Has anyone integrated ADAM / AD bind with OAM? It would be great if you could provide me the pros and cons of using it and how to do it.
    Thanks,
    Tom

    Hi Tom,
    I am also planning to install OAM with ADAM as my user and configuration store with SSL. I am taking the OAM product documentation as a reference. But if you have any screenshots or some kind of document you made while installing OAM with ADAM, can you share that with me?
    Thanks

  • Can anyone explain what "multi-tenant" means with respect to OAM and OIF?

    Hi,
    I noticed that OAM 11gR2 has several additional authentication modules and schemes out-of-the-box for "MT" or multi-tenant. I've actually tried them, but am not clear exactly what their purpose is?
    As a test, I configured the FederationMT module and FederationMTScheme to protect a test resource in OAM, and then when I access the resource, I first get a page with one field for username and a "Sign In" button. After I enter a user name, it goes to a form login page and I can log into the OIF IdP, and that's about it. I guess that I don't see what this accomplishes?
    If anyone is familiar with this, please advise.
    Thanks,
    Jim

    Hi,
    Thanks for the Metalink article. I've read that, and I can understand what the article is describing, but I'm not 100% clear how that relates to the configuration parameters in the FederationMTPlugin. The article talks about a mapping file, but I don't see something like that for configuring the TenantDisambiguationPlugin?
    The first step in FederationMTScheme plugin is a TenantDisambiguationPlugin, which takes two parameters:
    KEY_IDENTITY_STORE_REF
    KEY_FEDERATED_TENANTS (a comma-separated list of "some things")
    The steps/orchestration for the FederationMTPlugin has:
    Initial Step: FedUserAuthenticationPlugin
    TenantDisambiguationPlugin OnSuccess: FedAuthenticationPlugin OnFailure: UserIdentificationPlugin
    UserIdentificationPlugin OnSuccess: UserAuthenticationPlugin OnFailure: failure
    UserAuthenticationPlugin OnSuccess: success OnFailure: failure
    FedAuthnRequestPlugin OnSuccess: success OnFailure: FedUserAuthentication
    FedUserAuthenticationPlugin OnSuccess: success OnFailure: TenantAmbiguationPlugin
    [The OnError results for all steps are failure, so I haven't shown them.]
    So, the first step is the FedUserAuthenticationPlugin (AssertionProcessing), and if that fails, the next step is the TenantDisambiguationPlugin.
    I guess all of my questions are around what that TenantAmbiguationPlugin does, and how it works?
    I'm guessing that what you enter on the 1st webpage, which asks for a Tenant, is matched against the comma-separated list that is in the plugin's "KEY_FEDERATED_TENANTS" parameter.
    Is that correct?
    But:
    a) What happens if there is a match of what you entered vs. what's in the "KEY_FEDERATED_TENANTS" list?
    b) What happens if there is NOT a match of what you entered vs. what's in the "KEY_FEDERATED_TENANTS" list?
    That article you mentioned calls for a mapping file, that maps what is entered (the tenant) to a user identity store, but where is that in the TenantDisambiguationPlugin's parameters? The only other parameter for that plugin is the "KEY_IDENTITY_STORE_REF" parameter.
    Having said that, I described the steps and step orchestration in the FederationMTPlugin above. If the TenantDisambiguationPlugin is supposed to somehow map what's entered to a user identity store name, then, with respect to the FederationMTPlugin, is that mapped user identity store used for the UI and UA steps (i.e., as the "KEY_IDENTITY_STORE_REF" for the UI and UA steps)?
    Thanks for your help with this. Oracle's documentation certainly merits some improvement :(...
    Jim

  • Base IDM product should consist of  OIM, OID, OVD, OAM and OIF ?

    Hi Experts,
    I want to understand what the very base IDM 11g product set should be to satisfy the majority of client requirements. What is the best-practice product combination one should have?
    1) OIM, OID, OVD, OAM and OIF 11g
    2) OIM, OID, OVD, OAM 11g
    3) OIM, OID, OVD and OIA 11g
    Considering 11g and best practices.
    I would like to understand which pack is a must for what kind of requirement?
    There are so many product combinations, so I am confused about what the best base security product combination can be.
    Help Appreciated.
    Thanks In Advance.
    Edited by: 937775 on 31/05/2012 06:01

    Thanks Gyanprakash for valuable Suggestion.
    I have one more question,
    Now to do the OIM, OID, OVD, OAM security stack installation,
    can I use two VMs: 1) all security products (OIM, OID, OVD, OAM) 2) DB VM (I heard we do have a database VM)?
    Would you mind sharing info: 1) what number of VMs do I use for the security product installation 2) can I use a DB VM, or should the database be installed physically, not on a VM?
    Thoughts ?

  • OAM and OIM 11g Consoles

    Hello Everyone,
    Can anyone please tell me what would be the login credentials and the links for OAM and OIM 11g console?
    I am trying, for:
    OIM --> http://hostname:14000/admin
    OAM --> http://hostname:14100/oamconsole
    Please suggest.
    Thanks,
    PS

    Got It.
    OIM --> http://hostname:14000/oim
    username: xelsysadm
    password: weblogicpassword
    OAM --> http://hostname:14100/oamconsole
    username: weblogic
    password: weblogicpassword
    thanks,
    PS
    Edited by: 849754 on Apr 28, 2011 5:24 PM

  • OAM and OIM 11g study Material

    Hi All,
    Please can anybody provide me the study material for the OAM and OIM 11g.
    Regards,
    Anil

    For OIM 11g see OBE link
    http://apex.oracle.com/pls/apex/f?p=44785:2:0:::2:P2_GROUP_ID:1001

  • Dan Bracuk, Ian Skinner, BKBK, and Adam Cameron

    Is it possible to have Dan Bracuk, Ian Skinner, BKBK, and Adam Cameron email me?
    wkolcz (at) mynextpet (dot) org
    I have a question to ask 'off the record'.
    Wally Kolcz
    MyNextPet.org
    Founder / Developer
    586.871.4126

    If you just hover over my name next to the postings: that's a real email address ([email protected]).
    Interestingly, I only ever use that one on public-facing forums, forms, etc, to try to protect my "main" email address from too much spam. However I get very little spam to my junk a/c (10 a day?), compared to my real one (about 100 a day).
    But anyway, I do monitor that address.
    Adam

  • Diff betw OAM and OAAM.

    Hi All,
    I am new to Oracle Identity Management. Could anyone please help us understand the difference between OAM (Oracle Access Manager) and OAAM (Oracle Adaptive Access Manager)?
    Also, we have Oracle Application Server 10g and APEX installed on our server and we are using SSO authentication. The SSO server is maintained by another team and they are using Oracle Access Manager. Now we are planning to configure Oracle Adaptive Access Manager.
    My question here is where we need to install and configure the Oracle Adaptive Access Manager software. In our server or else in SSO server.
    Many Thanks

    Difference b/w OAM and OAAM:
    =====================
    OAM is for protecting applications from unauthorized access and to implement SSO across OAM protected applications.
    OAAM provides advanced secured login features and risk management capabilities.
    Examples of advanced login features: keypad, text pad, virtual keypad, slider. (If you visit either HDFC or Bank of America online banking, you can see how they are using advanced login mechanisms.)
    Example for risk management: Let's say you want to deny the access to your applications from a specific IP address. You can do that with OAAM.
    OAM and OAAM need not be on the same machine. They can be either on the same machine or on different machines.
    Thanks
    GK

  • Diff between OAM and OIM

    Hi Friends,
    I am a little bit confused about where we have to use Oracle Access Manager (OAM) and Oracle Identity Manager (OIM) specifically, what the relation between them is, and how they work together.
    Thanks in advance...
    Best Regards
    Som

    OAM controls the access to various target systems.
    OIM manages identities and can be used to provision and manage an account within OAM.
    There are many more differences, but I would suggest reading the overviews on Oracle's pages of the two different products.
    -Kevin

  • Share OID for OAM and for Siteminder

    Hello,
    Has anyone deployed or know if the same OID deployment can be used for OIM-OAM and for policy store of Siteminder? OIM-OAM will have its own user and policies stored in OID, while Siteminder would have its own policy store in the same OID deployment.
    If possible, what are the challenges/disadvantages you see/have faced?
    Thanks.

    Ninad,
    It appears you answered your own question. If product A is certified for a certain version of OID and product B is not yet certified, then you would have to wait to upgrade until both are certified if you want to stay within the support policies for both product A and B. That's the major constraint.
    As Sagar noted, the policy stores for both OAM (10g) and SiteMinder can be separated into their own directory instances, so they can be tuned separately. OAM 11g no longer stores policy data in the directory, so it's a non-issue for that product, anyway. However, you will have to apply each product's user schemas to all your users so they can work with either product. Here are the possible issues:
    - Your directory server will have to index both OAM and SiteMinder attributes, so it has to index a lot of stuff, which is potentially a lot of overhead for the directory to maintain.
    - Each product maintains separate attributes for password policies, so if you enforce password policies using both products, you could run into problems and confusion for your end users.
    I'm just wondering why you aren't using one Access Mgmt product for everything? Are you trying to transition from SiteMinder to OAM or something?

  • OAM and Oracle Apps R12.1.1. Integration : Login page re-direction issue

    I am facing a redirection issue when I try accessing the URL http://hostname:port/context/OAMLogin.jsp: it goes to the page http://hostname:port/access/oblix/apps/webgate/bin/webgate.so but it's not logging into the application.
    Please help me in this issue.
    Thanks,
    Rajendra.

    Overlooked that you have already mentioned the version.
    Then your issue is the same as pretty much everyone is facing.
    When Accessgate is deployed with the script, SSO_SERVER_RELEASE gets set to 10 in Plan.xml.
    And as per the design, if SSO_SERVER_RELEASE is 10, then SSO_SERVER_URL will be hardcoded as /access/oblix/apps/webgate/bin/webgate.cgi.
    If SSO_SERVER_RELEASE is 11, then SSO_SERVER_URL should be of the format http://myoamserver.example.com:14100/oam/server/auth_cred_submit
    So technically with v11 in our cases, it should not even go to webgate.so.
    So the only option left is to deploy Accessgate manually.
    Let me know if you need more information on this.
    IK

  • OAM and Windows SharePoint Services 3.0

    Hi,
    I have a client that uses OAM/WSSO and wants to use it with Windows SharePoint Services 3.0. The OAM integration guide has info on integrating with SharePoint Server 2007, but does not address integration with Windows SharePoint Services alone. Is this a supported integration path?
    Thanks,
    Erik

    Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
    It is unclear to me what you are referring to. Are you talking about the old CM07 Dashboard product or creating a custom dashboard yourself?
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • OAM and MS Active Directory Integration on Non-Windows Server environment

    I will start by saying that I am dealing with a heterogeneous environment here where multiple systems are run by different levels of management. Our Oracle systems chose to go all *nix (Oracle Solaris and Red Hat Linux) and hence we do not have a single Windows Server in our Oracle services area and would really like to keep it that way as we prefer to keep a uniform platform across our Oracle servers.  However, the desktop side of our department has chosen to use Microsoft Active Directory and now we wish to integrate and perform authentication against it for our OAM protected sites.  We are in the initial setup phase but we have no desire to implement a critical server such as OAM on the Windows platform and would rather tie OAM running on a Red Hat Linux server to Active Directory.  We will also be using OID as we run Portal but do not want to use it as our authentication authority for Oracle Products (local policy is that Active Directory is the only valid credential authority on site as we are moving to true Single Sign On across our desktops and web applications).  I have a few questions.
    1. Can it be done natively or would we have to run the Windows version of OAM?
    2. If you must run OAM on Windows to use AD for authentication, Is there some way to setup the Windows version of OAM as sort of an interface for our main OAM server running on Red Hat Linux to do the AD Auth?
    3. Can it be done using some sort of an interface such as Oracle Virtual Directory to interface with the LDAP interface to MS Active Directory?

    Hi David,
    Answers in-line
    1. Can it be done natively or would we have to run the Windows version of OAM?
    You can run all of the OAM Servers on *nix, and simply point to AD as an OAM data source on the machine:port that AD is running on. There is no need for the OAM components to be on Windows.
    2. If you must run OAM on Windows to use AD for authentication, Is there some way to setup the Windows version of OAM as sort of an interface for our main OAM server running on Red Hat Linux to do the AD Auth
    As above, this is not necessary.
    3. Can it be done using some sort of an interface such as Oracle Virtual Directory to interface with the LDAP interface to MS Active Directory?
    Yes, this is entirely possible. Even though it is not necessary in your situation, it often provides more flexibility to front-end the user store with OVD, for example when adding/renaming Windows domains, or specifying specific branches for users and so on.
    Regards,
    Colin

  • OAM and RESTful services

    All,
    I'm looking for some advice regarding the consumption of REST services (from the users browser) in an environment that utilizes OAM security and the Oracle Service Bus. Let me set the stage.
    We've configured an instance of OAM with OHS acting as a proxy to our applications. One of our apps wants to pull some data (using an AJAX call) from a service directly to the browser. The service is currently protected using HTTP Basic authentication. This works fine for Java apps that want to make those service calls directly, but not so well when it is the browser that wants to make the call.
    My assumption (up to this point) had been that I would be able to utilize the OAM Identity Asserter on the service bus in much the same way that we have been using it to propagate identity to our application servers. After speaking with some of the service developers (guys more intimately familiar with the OSB than I am) we haven't tried to do this before and are unsure of the proper implementation to achieve our goal.
    So, with all of that being said, am I barking up the wrong tree? Would it be incorrect to have a REST service written that is serviced by two different OSB proxies? One that enforces HTTP Basic, and one that (somehow) uses the OAM_REMOTE_USER and an appropriate identity asserter to pass identity in such a manner that the OSB would be able to enforce security in that manner?
    Is there a better way to secure REST services being made from the browser?
    Thank you for any help/direction you can provide.
    --james

    There is, but it's not great. Publish your Siena app, then turn it into a Visual Studio project per the links at the top of the forum. On the project's Debugger page, ensure "Allow Local Network Loopback" is set. When you run the app with F5, your app can then hit a server on the same machine via localhost.
    This is a Windows restriction for published store apps (eg Siena). By turning your app into a local-deployed app, and enabling the loopback option, you can avoid this policy. See
    http://msdn.microsoft.com/en-us/library/windows/apps/Hh780593.aspx

  • Integration problem of OAM and OSSO/Portal

    I have completed the OBE integration after having the issue resolved as reported in the thread:
    troubleshoot WebPass installation
    Here is the url for OBE
    http://www.oracle.com/technology/obe/fusion_middleware/im1014/oam-osso-portal/oam-osso-portal.htm
    In the end, when testing the portal login, the test accounts which the OBE provided are failing with
    +401 Unauthorized+
    Your account has been disabled. Please contact the system administrator.
    The accounts portal and orcladmin cannot access the portal after the integration. This may be understandable since portal and orcladmin are not under the search base as the integration configured.
    The test accounts cannot access the portal. It may be due to a missing step in the OBE, such as the group for portal access not being granted to the accounts.
    Has anyone successfully completed this OBE? Did you add the step for the privilege granting?
    Now it seems no accounts can access the portal.
    Since I cannot log in to the portal via portal or orcladmin, I am not sure how to grant the privs to the accounts. But I can access OID via ODM. Can that be done in ODM?

    Yes, one OID for the both.
    I got the messages in the log
    Wed Apr 07 15:14:10 EDT 2010 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Authorization failed for user:
    Wed Apr 07 15:15:02 EDT 2010 [ERROR] AJPRequestHandler-ApplicationServerThread-5 No site2pstoretoken from SSO partner
    Wed Apr 07 15:15:02 EDT 2010 [ERROR] AJPRequestHandler-ApplicationServerThread-5 Unexpected Exception received
    java.lang.NullPointerException
         at oracle.security.sso.server.policy.FilePolicyManager.getAuthLevel(FilePolicyManager.java:396)
         at oracle.security.sso.server.auth.AuthDirector.getAuthLevel(AuthDirector.java:234)
         at oracle.security.sso.server.ui.SSOLoginServlet.doPost(SSOLoginServlet.java:480)
         at oracle.security.sso.server.ui.SSOLoginServlet.doGet(SSOLoginServlet.java:333)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
         at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:826)
         at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:332)
         at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:830)
         at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:224)
         at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:133)
         at com.evermind.util.ReleasableResourcePooledExecutor$MyWorker.run(ReleasableResourcePooledExecutor.java:192)
         at java.lang.Thread.run(Thread.java:534)
