Oracle Identity and Access Manager 11g for Administrators

4.8 (4 reviews total)
By Atul Kumar
    Advance your knowledge in tech with a Packt subscription

  • Instant online access to over 7,500+ books and videos
  • Constantly updated with 100+ new titles each month
  • Breadth and depth in over 1,000+ technologies
  1. Oracle Identity Management: Overview and Architecture

About this book

Oracle Identity Management is intended to help organizations quickly and reliably manage information about users on multiple systems and applications. Regulatory Compliance and the desire to expose business applications over the Internet have made Identity and Access management skills particularly desirable in recent times. Oracle Access Manager is a recommended Single Sign-On solution for Fusion Middleware including WebCenter, SOA Suite, Portal, and E-Business Suite; more and more companies are implementing Oracle Access Manager. This book will guide you through the important administrative aspects of Identity Mangement.

Oracle Identity and Access Manager 11g for Administrators covers the complete day-to-day task of installing, configuring, and managing Oracle Access Manager and Oracle Identity Manager. This book covers everything an administrator needs during and after an Oracle Identity and Access Management implementation.

This book covers all aspects of the Oracle Identity and Access Management life cycle from administrator's point of view.

This book starts with an introduction into Oracle’s Identity and Access Management products touching all the products which are part of the Oracle Identity Management Suite. It then covers installation and the configuration of multiple OAM/OIM servers in clusters for resilience and high availability deployment for production deployments, creating Identity and Access Management Schemas, and configuring Identity Manager and Access Manager in detail. The book then dives into the important topic that is Oracle Identity Manager navigation, and covers integrating Oracle Identity Manager with Oracle Internet Directory and Microsoft Active Directory using OIM Connectors. Finally the book covers the important key topic for monitoring that is Logging and Auditing in OIM/OAM and configuring a dedicated database for Auditing.

Publication date:
September 2011


Chapter 1. Oracle Identity Management: Overview and Architecture

Oracle Identity Management products can be categorized in following components, providing services of Identity/Access management, governance, and directory services:

  • Identity Administration: Oracle Identity Manager (OIM)

  • Access Management: Oracle Access Manager (OAM), Oracle Identity Federation (OIF), Oracle Enterprise Single Sign-On (eSSO), Oracle Adaptive Access Manager (OAAM), Oracle Entitlement Server (OES), Oracle OpenSSO Fedlet, and Oracle OpenSSO Security Token Service

  • Identity & Access Governance: Oracle Identity Analytics (OIA)

  • Directory Services: Oracle Internet Directory (OID), Oracle Directory Server Enterprise Edition (ODSEE), and Oracle Virtual Directory (OVD)

  • Platform Security Services: Oracle Platform Security Services (OPSS), Oracle Authorization Policy Model (OAPM), and Oracle Web Services Manager (OWSM)

  • Operations Management: Oracle Identity Navigator (OIN) and Oracle Enterprise Manager Management pack for Identity management

This chapter provides an overview of Oracle Identity Management products, including:

  • WebLogic server

  • Identity Manager and Access Manager components

  • Architecture of Oracle Access Manager and Oracle Identity Manager


Oracle Identity Management overview

In this section I'll briefly cover the following identity and access manager products:

  • Oracle Identity Manager (OIM): It is an identity lifecycle management software that includes provisioning, reconciliation and administration tools. Oracle Identity Manager comes as part of Identity Management and Access Management Software.

  • Oracle Access Manager (OAM): It is an access management software and recommended single sign-on solution. Oracle Access Manager comes as part of Identity Management and Access Management Software.


    Currently there are two single sign-on solutions from Oracle – 10g Oracle Application Server Single Sign-On (OSSO) and Oracle Access Manager (OAM) Single Sign-On.

  • Oracle Identity Federation (OIF): It is a multi-protocol federation software, used to share identities across enterprises, partners, and vendors. Oracle Identity Federation simplifies the process of enabling a federated single sign-on.

  • Oracle Enterprise Single Sign-On (eSSO): It is an access management software which provides authentication and single sign-on across all enterprise resources, including desktops, client-server, and host-based mainframe applications:

  • Oracle Adaptive Access Manager (OAAM): It is a strong and proactive authentication and, real-time fraud prevention software. Oracle Adaptive Access Manager comes as part of Identity Management and Access Management software.

  • Oracle Entitlement Server (OES): It is a fine-grained entitlements management solution that provides authorization services for enterprise applications:

  • Oracle Identity Analytics (OIA): It provides identity analytics, dashboards, and compliance features that monitor, analyze, and govern user access.

  • Oracle Internet Directory (OID): It is a LDAP v3 compliant directory with meta-directory capabilities.

  • Oracle Directory Server Enterprise Edition (ODSEE): Formerly called the Sun Directory Server, this is a directory server ideally suited for heterogeneous environments.

  • Oracle Virtual Directory (OVD): It virtually aggregates identity information from multiple identity sources (directory server or databases) and presents a real-time unified view, thus eliminating the need to synchronize or move identity data across multiple sources.

  • Oracle Platform Security Services (OPSS): It is a portable, integrated, enterprise-grade platform for Java applications. Java EE and Java SE applications can use OPSS. OPSS is installed/configured by default with Fusion Middleware components including OIM and OAM.

  • Oracle Authorization Policy Model (OAPM): It is a J2EE application to manage authorization policy for applications that use Oracle Platform Security Services.

  • Oracle Web Services Manager (OWSM): It is a J2EE application designed to define and implement web services security in heterogeneous environments. OWSM is available both as a standalone product and as part of the SOA suite.

  • Oracle Identity Navigator (OIN): It is an administrative portal which acts as a launch pad for Oracle Identity Management components. It allows access to all identity management consoles from a single page.

  • OEM Grid Control Management pack for Identity Management: Proactively manages performance, availability, and service levels for identity and access management services.


There are two parts to 11g Identity Management Suite – Identity Management 11g which includes OID, OVD, OIF, and OHS; and Identity and Access Management 11g which includes OAM, OIM, OAAM, OAPM, and OIN.


WebLogic Server overview

WebLogic Server is a J2EE application server on which both Oracle Identity Manager (OIM) and Oracle Access Manager (OAM) are deployed. The following diagram and sections cover the WebLogic domain and the key WebLogic components respectively:

  • WebLogic Server Domain

  • WebLogic Admin Server

  • WebLogic Managed Server

  • WebLogic Cluster

  • Weblogic JDBC Datasource

  • Node Manager

  • WebLogic Server Domain: WebLogic server domain is logical grouping of resources and services. It contains Admin Server, Managed server, JDBC data Sources, Java Messaging Server, and coherence.

  • WebLogic Administration (Admin) Server: Administration server is a WebLogic server that maintains configuration data for a domain. There is always one and only one administration server in a Weblogic domain.

  • WebLogic Managed Server: Any WebLogic server other than the Admin server is called a Managed server. When you configure both OAM and OIM in same domain, domain creation creates three Managed servers one for OAM (oam_server1); the second for OIM (oim_server1); and the third for SOA (soa_server1).


    These are default names used by the domain configuration utility and can be changed to something else.

  • WebLogic Cluster: WebLogic cluster is a group of WebLogic Servers (Admin or Managed) that work together to provide high availability and scalability for applications. WebLogic Servers within a cluster can run on the same machine or on different machines. WebLogic Cluster comprised of just Managed Server is also known as Managed Server Cluster.

    The previous screenshot shows a WebLogic domain consisting of one Admin server, five Managed servers, and two clusters. Managed servers oim_server1 and oim_server2 are deployed in a cluster named oim_cluster while Managed servers oam_server1 and oam_server2 are deployed in second cluster, named oam_cluster. Finally, the domain also contains a fifth managed server (soa_server1) that is not in a cluster.


    WebLogic domain files are stored under $DOMAIN_HOME which by default is the directory user_projects/domain/base_domain/

  • WebLogic JDBC Datasource: WebLogic uses JDBC data sources to connect to databases. JDBC resources are deployed to servers or clusters within a domain. Application deployed on servers (Admin/Managed server) can then use the deployed JDBC data source to a connect to database. The following screenshot represents default JDBC data sources created after creating a domain with OIM (including SOA) and OAM.

  • Nod e Manager: Node manager is a Java utility that runs as a separate process from WebLogic server and allows common operational tasks for a Managed server. Node Manager can also be configured to automatically restart the Admin or Managed servers in case of unplanned outage, and is used to start/stop Managed servers from the WebLogic console. Use of Node Manager in OIM/OAM deployment is optional.


Oracle Access Manager overview & architecture

Oracle Access Manager (OAM) provides centralized, policy-driven services for authentication, single sign-on (SSO), and identity assertion. The following diagram shows the Oracle Access Manager Component Architecture:

  • User Agents: These include Web servers, Java applications, and Web service applications with OAM agents (10g/11g WebGates, OSSO, AccessGate). Client accesses the OAM Administration Console server (a.k.a OAM Console) via HTTPs.

  • Protocol Compatibility Framework: It interfaces with agents a.k.a. Policy Enforcement Points (PEP) such as 10g/11g WebGate, mod_osso agents, and custom Access Gates.

  • OAM Server: It provides shared service for access and includes Authentication Engine, Single Sign-On Engine, Session Management, Authorization Service, and Token Processing.

  • Oracle Platform Security Service (OPSS): Oracle Access Manager including WebLogic server relies on OPSS for authentication, authorization, credential store, Audit Framework, and identity service.

  • Protected Resources: These include the application or webpage which you wish to protect by OAM agents (10g/11g WebGates, OSSO, AccessGate). OAM agents act as plug-ins between user agents and the OAM server (a.k.a Access Server). OAM 10g/11g WebGate and AccessGate communicate with the OAM server (Access server) with the help of a proprietary protocol – Oracle Access Protocol (OAP). Oracle as Single Sign-On (OSSO) 10g Agent communicates with OAM server on HTTPs.

  • OAM Administration Console: OAM administration console is a Web application deployed on WebLogic's Administration server that is used to manage and configure OAM server, authentication/authorization policies, and OAM Agents. Some configuration can also be achieved via WebLogic Scripting Tool (WLST) commands.


    OAM Console 11g replaces OAM Policy domain component in OAM 10g.

  • Coherence Distributed Object Cache: It is used to propagate configuration changes and session information between OAM servers in high-availability deployments. Coherence is installed as part of WebLogic installation as shown in the following screenshot:

  • FMW Grid Control: It is a Java application (/em) deployed on a WebLogic Admin server and used to manage logging in Oracle Access Manager. It is also used for monitoring status, performance management, and to enable/disable logging or diagnostics.

  • WebLogic Scripting Tool (WLST): It is a command-line tool used to configure and manage Oracle Access Manager from the command line.

    WLST commands for OAM are limited and do not support all configuration/management features of OAM.

  • Data Store (File, LDAP and RDBMS): OAM requires data stores for:

    1. User/Identity Store

    2. OAM policy and session data

    3. OAM configuration data

    By default in OAM 11g:

    • User Identity Store is WebLogic's embedded LDAP server.


      It is recommended that you change OAM's primary identity store from WebLogic's embedded LDAP server to an enterprise LDAP server.

    • OAM policy data is stored in the database under OAM schema configured during Repository Creation Utility (RCU). In previous versions, the OAM policy store could be an LDAP. In 11g it must be an RDBMS.

    • OAM configuration data is stored in a file-based repository, specifically an XML file (oam-config.xml) containing all OAM-related system configuration data.

Oracle Access Manager server-side components

There are two main runtime components to OAM, the Administration Console, and the Server. Here’s what they do:

  • Oracle Access Manager Administration Console (a.k.a Oracle Access Manager Admin server or in short OAM Console) runs on WebLogic Admin server and is used to manage OAM server properties, create policies, define agents, and manage user sessions. You can access OAM Administration Console using the URI /oamconsole on the Admin server.

  • Oracle Access Manager Server is a runtime engine used to provide shared services for access such as Authentication/Authorization service, session management, token processing, and single sign-on. OAM Server runs on one of WebLogic's Managed servers, such as oam_server1.


Oracle Identity Manager overview & architecture

Oracle Identity Manager 11g is a Java application deployed on Oracle WebLogic server for identity and user provisioning. Oracle Identity Manager (OIM) 11g provides user administration, password management, workflow and policy, audit and compliance management, user provisioning and organization, and role management functionalities.

Oracle Identity Manager architecture

Oracle Identity Manager is a three tier J2EE application that consists of—presentation tier, business services tier, and data tier.

Presentation tier

OIM Presentation tier consists of two type of clients, Oracle Identity Manager Administrative & User Console, and Oracle Identity Manager Design Console.

  • Oracle Identity Manager Administrative and User Console: It is a thin client that is accessible via a web browser. The console provides self-service and delegated administration features.

  • Oracle Identity Manager Design Console: It is a thick (Java) client which is installed on a client machine. The console provides system configuration and development capabilities, and connects directly to Business Service Tier.

Business Services tier

OIM Business tier is implemented as an Enterprise Java Beans (EJB) application, and includes the following services:

  • Core Services: User management, provisioning and reconciliation.

  • API Services: SPML and EJB APIs. It allows custom clients to integrate with OIM using API.

  • Integration Services: Adapter factory, connector framework, generic technology connector, and remote manager.

  • Plat form Services: Request management, authorization service, entity manager, and scheduler service.

Data tier

OIM Data tier consists of a repository or database, which manages and stores OIM data and metadata. Data stored in OIM database consists mainly of:

  • Entity Data: Users, roles, organizations, role membership, and resources

  • Transactional Data: Requests, approval and provisioning workflow instances, and human tasks

  • Audi t Data: Request history, user profile history

Oracle Identity Manager components

Oracle Identity Manager consists of the following components:

  • OIM Server: It is a Java EE application that is stored on a WebLogic Managed server and uses a database to store runtime and configuration data. OIM server includes a Quartz-based scheduler (for job scheduling), Oracle Entitlement Server (OES) microkernel for authorization checks, Message Driven Beans (MDB), and a message producer.

  • Design Console: It is a thick client (Java Application) that runs on the client machine and connects to the OIM business tier directly. The console provides system configuration and development capabilities.

  • External Interfaces: OIM Server is exposed to external users/systems via following services:

    • SOA: OIM server connects to SOA Managed server over RMI (using SOA RmiURL) to invoke SOA EJBs. OIM connects to SOA web services using SOAP (using SOA SoapURL). SOA Managed server connects to OIM using the SOA Callback web service (using OimFrontendURL).

    • SPML Client: SPML client connect to OIM using the SPML web service (via OimFrontEndURL), whereas OIM server connect to SPML client using the SPML callback web service (via PolicyConfigURL).

    • Browser : End users access OIM servers via web browser using the OIM User Interface (UI) component (via OimFrontEndURL).

    • BI Publisher: OIM connects to BI publisher for all reporting features (via BIPublisher URL).

    • OVD Server : When LDAPSych is enabled, OIM connects to LDAP server via OVD (Oracle Virtual Directory).

    • OAM Server: OIM integrates with OAM for single sign-on configuration.

  • Remote Manager: It is a component that runs on a target system and provides the network and security layers required to integrate OIM with applications that do not have network-aware APIs.

  • Database: OIM uses a database to store runtime, user, and configuration data. Configuration information is stored in MDS schema, whereas runtime and user information is stored in OIM schema.



In this chapter, we discussed an overview of Oracle Identity Management 11g. We also briefly covered the various Identity Management components, WebLogic server and the architecture of Oracle Access Manager and Oracle Identity Manager 11g in detail.

In the next chapter, we are going to install Oracle WebLogic and Oracle Identity Management 11g. We will also cover Identity and Access Management High Availability deployment (Active-Active Cluster) for resilience and performance.

About the Author

  • Atul Kumar

    Atul Kumar is Oracle Identity Management consultant working on Oracle Technologies including Fusion Middleware, Databases and Oracle E-Business Suite. Atul Kumar became Oracle ACE in 2006 for his technical skills and commitment to Oracle Technology diffusion. He also maintains popular blog at for Application Administrators with 1,50,000+ views per month.

    Browse publications by this author

Latest Reviews

(4 reviews total)
Danke. Bitte weiter so. Auch wenn noch zwei Zeichen fehlen. ;-)
Muito bom. Muito bom. Muito bom.
I have worked with 11g off and on over time and needed a quick refresher. This was perfect.
Oracle Identity and Access Manager 11g for Administrators
Unlock this book and the full library for $5 a month*
Start now