More Oracle Access Manager

Back almost a year ago I wrote this post where I confidently asserted my readiness to learn Oracle Access Manager. Well, time has passed as has our original OAM 10g and 11g testing. Now the fire drill is about to begin and we really, really have to learn it.

First off, after comparing the 10g (pre-Oracle) and 11g (post-Oracle) versions of the product I think it’s safe to say that the later iteration is, well, our only choice. I won’t waste time writing about the relative merits of the two. 10g is dead, it’s gone, and there’s nothing I can do about it.

11g has some hefty infrastructure requirements out of the gate: a Weblogic server and an Oracle database. The Weblogic server runs the (heaven help us!) J2EE components that replaced the former (pretty much rock-solid) C++ executables. The database is used to store audit logs and policy configuration data.

First the Oracle product stuff:

Data Sheet: Introduction to Oracle Access Manager

The omnibus documentation is here:

Oracle Identity and Access Management 11.1.1.5 Documentation

The installation guide for Access Manager is here:

Installation

This guide “encourages” installation of OIM (Oracle Identity Manager) and other components it depends on, like SOA (Service Oriented Architecture), that aren’t needed by OAM alone. If read carefully you can trace a path to an OAM-only installation that “only” requires a Weblogic server and an Oracle database. Looks like I may have to write my own comprehensive doc for that to ensure that subsequent installs get done in a uniform way.

Enterprise Deployment Guide for Oracle Identity Management

Follow this if you need “enterprise stuff”. You know, like anything to do with making the environment highly available.

Some Oracle blogs:

Oracle Access Management (why is this blog hosted on blogspot?)

Bird’s eye view of OAM 11g Install process

Upgrade 10g Osso to 11g OAM, Part 1

Upgrade 10g Osso to 11g OAM, Part 2

A series on the new policy model for OAM 11g (yes, 10g was completely different):

Oracle Access Manager 11g Academy: The Policy Model (Part 1)

This is the stuff that a lot of people, including architects and managers, just don’t get. Policy design is the heart of any authentication system. In OAM, as in other URL-centric content protection systems (remember .htaccess?), policies specify who exactly gets to see precisely what. One thing that got my attention in my quick review of the “11g Differences” listed in the Oracle product doc was this disturbing statement:

no support for LDAP filters (for retrieving matches based on an attribute of a certain display type, for example)

Translated that means, to quote the opposing column listing 10g’s features that didn’t make it over, 11g does not support:

Users can be specified using LDAP filters

That’s an improvement? My existing system makes extensive use of LDAP filters to separate “the sheep from the goats” in determining who gets access to particular resources. Losing the ability to use them is a significant downgrade as far as I’m concerned.
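To make concrete what an access policy loses without LDAP filters, here is a small RFC 4515-style filter evaluator run over an in-memory directory. This is an added example, not code from the original post and not anything shipped with OAM or DSEE; the directory entries and attribute names (department, employeeType, title) are constructed sample data. The point it illustrates is that a filter expresses “who gets in” as a predicate on user attributes, so access follows the directory data rather than hand-maintained group lists.

```python
"""RFC 4515-style LDAP filter evaluator over in-memory directory entries.

Added example (not from the original post, not Oracle code).  It supports the
filter constructs most access policies use: AND (&), OR (|), NOT (!), equality,
presence (attr=*) and substring (attr=ab*cd).  Escapes and extensible matching
are deliberately out of scope.  DIRECTORY below is constructed sample data.
"""
import re

# Constructed sample directory: DN -> attributes (keys lower-cased, multi-valued).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "department": ["Finance"],
        "employeetype": ["staff"], "title": ["Controller"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "department": ["Finance"],
        "employeetype": ["contractor"]},
    "uid=carol,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "department": ["Engineering"],
        "employeetype": ["staff"], "title": ["Engineer"]},
}


def parse_filter(text):
    """Parse a filter string into a nested tuple AST.

    Malformed input raises ValueError rather than degrading into a rule that
    silently matches everyone or no one.
    """
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|!":
        op = s[i]
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated '%s' at offset %d" % (op, i))
        if not children:
            raise ValueError("empty operand set for '%s'" % op)
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), i + 1
    end = s.find(")", i)
    if end == -1:
        raise ValueError("unterminated item at offset %d" % i)
    item = s[i:end]
    if "=" not in item:
        raise ValueError("item without '=': %r" % item)
    attr, value = item.split("=", 1)
    if not attr:
        raise ValueError("empty attribute name")
    attr = attr.lower()
    if value == "*":
        return ("present", attr), end + 1
    if "*" in value:
        return ("substr", attr, value), end + 1
    return ("eq", attr, value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry's attribute dict."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if kind == "present":
        return bool(values)
    if kind == "eq":
        # String attributes are compared case-insensitively, as caseIgnoreMatch would.
        return any(v.lower() == node[2].lower() for v in values)
    if kind == "substr":
        # Turn the LDAP wildcard pattern into an anchored, escaped regex.
        pattern = "^" + ".*".join(re.escape(p) for p in node[2].split("*")) + "$"
        return any(re.match(pattern, v, re.IGNORECASE) for v in values)
    raise ValueError("unknown node type %r" % (kind,))


def authorized_users(filter_text, directory=DIRECTORY):
    """Return the sorted DNs that a policy rule written as this filter admits."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(node, entry))


if __name__ == "__main__":
    # Finance staff only: contractors in Finance are excluded without touching any group.
    print(authorized_users("(&(department=Finance)(employeeType=staff))"))
    print(authorized_users("(|(department=Finance)(title=Eng*))"))
```

Changing an attribute on the entry (say, bob's employeeType) changes the outcome on the next evaluation; with static groups, the same change would require a separate group-maintenance step, which is exactly the gap the post is worried about.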

On a happier note, there’s now a book on the subject from Packt Publishing by Atul Kumar (the OnlineAppsDBA), entitled Oracle Identity and Access Manager 11g for Administrators (link is to the publisher’s site). I’ve been scanning through the ebook version tonight cram-style. While I think a competent editor could have helped especially in the organization of the presentation, Atul’s experience with these products shines through and saves the day.

Much of the material in the book related to installation can also be found in a series of articles on Atul’s site beginning here.

Both the book and the web series assume a monster install that includes every Oracle Identity suite 11g component on the same server — something no one in their right mind would do in production. In my case all I’m really interested in is getting a “minimal” OAM 11g instance up and running that I can then plug into my existing identity infrastructure built around Sun’s, sorry… Oracle’s Directory Server Enterprise Edition (DSEE). At least that’s my yet-to-be-approved plan.