Oracle Access Manager 11g
by Deborah Volk on October 21st, 2009

More coverage of Oracle IAM 11g suite based on OpenWorld sessions. If Oracle Identity Manager 11g is an evolutionary step and Oracle Identity Analytics 11g is fresh air then OAM 11g is a shot heard round the world. Changes, they're a comin'.

The current release of Oracle Access Manager is based on the 2005 acquisition of Oblix. The Oblix product is written in C++ and is comprised of a number of independent components that all function, well, independently! In the late 90s-early 00s world of enterprise applications where CORBA was still considered a viable deployment option, J2EE was learning how to walk and .NET was yearning for acceptance, apps that could run on a particular platform without a container were still popular. Today, container-less apps are certainly still around but they're not a frequent occurrence in the enterprise landscape. Recognizing that the internal architecture of OAM was getting long in the tooth and chanting its Weblogic uber alles mantra, Oracle transmogrified Oracle Access Manager into a J2EE app.
I didn't ask whether 11g was a rewrite from scratch or a port of C++ codebase to Java; if I had to guess, I'd say the latter. Regardless of how the guts were engineered, the access management UI in 11g reflects the same asset taxonomy as the current 10g release. There are webgates, resources, resource types, host identifiers, policy domains (renamed to application domains), authentication and authorization schemes, and so on. Conceptually, the OAM policy universe and (broadly speaking) its access management pieces are still in place. The identity side of OAM is no longer there, it's been subsumed by OIM. No more Identity Server, funky workflow applets, IdentityXML interface and other identity-related stuff in OAM. Poof! (There are backward compatibility options available, see the end of this blog). Now OIM and OAM are clearly and cleanly separated, there's no longer any sizeable overlap between two products. Identity Administration is in the top drawer (OIM), Access Management is in the bottom drawer (OAM). (Why does OIM get the top drawer? This must be my subconscious speaking).

Being a J2EE app gives OAM a number of immediate advantages, the first and foremost being the ability to reuse a large swath of Oracle J2EE tech. The distributed cache housing stateful sessions is courtesy Coherence (ex-Tangosol), the UI is based on Oracle's Application Development Framework (ADF), the app server is obviously Weblogic with rock-solid J2EE app hosting/management features. When you align your products with your platform strategy, not only technology can be reused at a product level but a lot of development effort can be cross-sourced and shared. This goes for both internal Oracle development effort as well as effort expended by customers when customizing Oracle products. The knowledge gained when learning how to customize UI via ADF in OIM should carry over to OAM and to other Oracle products. Same goes for Weblogic and other pieces. Wunderbar!
Aside from JEEification of OAM, there have been a number of other significant changes and enhancements in 11g:
LDAP scoped to authN scheme is a nice enhancement, it allows for authentication against different directories, e.g. internal users against Active Directory and external users against, say, Oracle Internet Directory (OID). It's worth noting that segmenting user population and authenticating these segments against different directories is possible in OAM 10g with Oracle Virtual Directory (OVD). In general, we recommend that OVD is deployed alongside OAM. OVD is an elegant solution for a number of issues having to do with heterogeneous identity stores (directories, databases, Toys R Us) and by using OVD you automatically become part of the COOL crowd.
Agents are an interesting story. As y'all know, today Oracle ships two identity management stacks - a legacy stack based on Oracle App Server and the "current" stack with OIM, OAM et al. In the legacy stack, web SSO is engineered in a manner somewhat similar to OAM in that there's a front-end component that plugs into the web server and intercepts requests. In the legacy stack the web server is Oracle HTTP Server (OHS) that is based on Apache. Apache plugins are called modules and prefixed with mod, thus mod_osso. Despite being a few generations behind the curve, the legacy stack features prominently in one area: as an SSO solution for Oracle's e-Business Suite (aka Oracle ERP). Even though one can deploy OAM together with legacy SSO (OSSO) and hide OSSO behind OAM, you still need OSSO underneath the hood. Oracle ERP isn't the only product where OSSO is deployed, there are others but ERP deployments with OSSO is where the impact will be the greatest.

In 11g, Oracle wants to (finally!) kill the legacy identity management solution. If this was done as a straightforward hatchet job (no more mod_osso, migrate or die), Oracle ERP customers with OSSO would have screamed so there is a soft landing. OAM 11g will support three types of agents that intercept requests and forward them onto OAM for access decisions: "traditional" access gates (a webgate is a pre-fabricated access gate) from OAM 10g, same from 11g and mod_osso.

Sessions are now stateful. This is a huge change which has tremendous performance repercussions. When OAM starts an SSO session on the user's behalf, it will keep track of the conversational state between OAM and the user, i.e. there will be a concrete chunk of memory on the server that knows about you. Stateful sessions are highly problematic when it comes to scaling an application to higher transaction volumes. Oracle's solution to scaling with stateful sessions is embedding Coherence into OAM, an industrial strength distributed cache acquired from Tangosol. One of Identigral's partners spent part of his misbegotten youth working with various caches and he says Coherence as a session cache can certainly handle just about any kind of load but tuning the distributed cache is akin to black magic. (I must mention that Identigral has certified black magic experts. We know voodoo!) .

One benefit of stateful sessions is that use cases such as "login is allowed only from a single location" (think Yahoo Messenger) or "maximum number of concurrent sessions" can be implemented out of the box. The long-term vision for stateful sessions is to allow the session to be exposed to other Oracle IAM products, notably Oracle Identity Federation (OIF) that could populate the session with their own attributes. If so, OAM could then use these "foreign" attributes to make authorization decisions. This is a lightweight example of data virtualization at the session level (front-end) versus data virtualization at the directory level via Oracle Virtual Directory (back-end).

The policy model change from a default of "allow all" to "deny all" is to be applauded. If you have OAM and your default is allow all, I highly recommend changing it to a deny.

One of the more welcome changes dragged in by the new UI is the introduction of a built-in mechanism for promoting assets across environments, e.g. from Test to Production, a niche previously (and temporarily) occupied by OAM Configuration Manager (OAMCM). Oracle also promised an ability to templatize environments so that topology "definitions" can be reused in different promotion contexts. Along with that a mention was made of incremental promotion of policy changes. Anything that helps with a promotion of assets in a controllable fashion is good in my book.

If you squint at the architecture diagram, you'll notice a Token Processing component. I interpret this as a Security Token Service (STS), a future capability. No mention of that was made during OpenWorld session but I wouldn't be surprised if the STS that ships with Sun's OpenSSO served as the inspiration or basis for Oracle's implementation. The beauty (and weakness) of Open Source... Squinting at the OAM portion of product strategy diagram in the OIM 11g blog entry, I also noticed that OAM box contains services that are now represented by separate products. I take this as an indication that all of these currently separate products - OIF (federation), OAAM (adaptive access / strong authentication), OES (fine-grained authorization) will become services/modules that are part of a single OAM product. Smells like OpenSSO to me! In my Suncle access management blog entry, I said that I don't see this convergence happening at Oracle but I may have been wrong. (My time machine ran out of gas...). There are pros and cons to both approaches; sooner or later we shall see what OAM will have become. As for the rest of OpenSSO vs OAM debate, I stand by my initial assessment.

During the Q&A portion of the session, a number of questions were asked about "..but what about X" where X was custom plugins, IdentityXML, identity workflows and more. Front-end agents aside, I did not fully understand how backward compatibility with OAM 10g is supposed to work but something to the effect of "OAM 10g and 11g can coexist and run side-by-side" was discussed. The coexistence strategy was represented by the following diagram:
The OAM release plan is spread across multiple 11g waves (my term). OAM 11gR1 will target feature parity with legacy Oracle SSO stack and supporting mod_osso agents. If you want to rip out legacy stuff, 11gR1 is your ticket. 11gR2 is supposed to provide for feature parity with OAM 10g agents and deal with coexistence of 10g/11g services. 11gR3 will be convergence of R1 and R2 into a nice and shiny product. As is true for other 11g products, the only release date made available was "somewhere in calendar year 2010".

Posted in Access Management, Oracle Access Manager, Sun OpenSSO, (Legacy) Oracle Identity Management, Identity Management, Oracle Identity Management, Oracle Virtual Directory, Oracle Identity Federation    Tagged with 11g, oow09


Ramnath Krishnamurthi - October 24th, 2009 at 8:02 AM
Thanks for the good article on OAM 11g and I attended that particular session and all those questions about "but what happens to X", were asked by me :-). We have heavy integration of idxml and plugins and i could not believe that it is going away. I know one of the customers have heavy customizations done on the identity portion of OAM and now they are just scratching their head for a migration/soltuin. In any case, OAM 11g is not a good news for the current OAM 10g users/customers unless Oracle comes with a proper migration strategy.
Joseph Solinsky - January 9th, 2010 at 8:49 AM
Oracle is not going to leave the IDXML gurus in the lurch. I'm responsible for a lot of its adoption by Oracle partners and customers, and there will be an answer. You have the opportunity to contribute to that answer. Deborah, please write me your thoughts on the subject. I will make sure it gets the appropriate attention.
Leave a Comment

2012 (1)
2011 (2)
2010 (2)
2009 (64)
March (11)
April (18)
May (18)
June (4)
July (1)
August (1)
September (5)
October (5)
December (1)