Sunday, 28 November 2021

Top 20 Oracle Access Manager Interview Questions and Answers

  

Oracle Access Manager (Access Manager) is the key capability for Web Single Sign-on (SSO), authentication, authorisation, centralised policy administration and agent management, real-time session management, and auditing in the new Oracle Access Management platform. Access Manager is a 100% Java solution that is incredibly scalable, allowing it to manage Internet-scale installations. It also works with heterogeneous environments that already exist, with agents certified for hundreds of web and application servers. Access Manager increases security, improves user experience and productivity, and improves compliance while lowering total cost of ownership by providing broad capabilities, scalability, and high availability.


Ques: 1). What are the different security modes available in Oracle Access Manager?

Answer: 

Open: Allows communication without encryption. There is no authentication or encryption between the AccessGate and the Access Server in Open mode. The AccessGate does not need the Access Server to provide proof of identification, and the Access Server accepts connections from all AccessGates. Similarly, Identity Server does not require WebPass to provide confirmation of identity.

Simple: Oracle encryption is supported. TLS v1 is used to secure communications between Web clients in Simple mode (WebPass and Identity Server, Policy Manager and WebPass, and Access Server and WebGate). Oracle Access Manager components only use X.509 digital certificates in both Simple and Cert modes. In Cert Authentication between WebGates and the Access Server, the standard cert_decode plug-in decodes the certificate and passes the certificate information to the standard credential_mapping authentication plug-in. For each public key, Oracle Access Manager stores the associated private key in the aaa_key.pem file for the Access Server (or ois_key.pem for the Identity Server).

Cert: A third-party certificate is required. If you have an internal Certificate Authority (CA) for processing server certificates, use Cert (SSL) mode. In Cert mode, communication between WebGate and Access Server, as well as between Identity Server and WebPass, is encrypted using Transport Layer Security (TLS v1, RFC 2246).


Ques: 2). What Is Oracle Access Manager's Architecture?

Answer: 

Identity Server, WebPass, Policy Manager, Access Server, and a WebGate are the primary components of the Oracle Access Manager architecture. Identity Server is a stand-alone C++ server that connects to LDAP directly.

It also receives requests from WebPass and responds to them. WebPass is a web server plugin that passes information between the Identity Server and the web server. It sends IdentityXML SOAP requests to Identity Server and redirects HTTP requests from the browser to Access Server.

A web server plugin called Policy Manager (PMP or PAP) interfaces directly with user, configuration, and policy repositories. Access Server, commonly known as PDP, is a stand-alone C++ server. It receives requests from WebGates/AccessGates and responds to them.

It also uses LDAP for communication. It responds to queries from the Access Server SDK. WebGate (PEP) is a web server plugin that communicates with the Access Server. It passes user authentication data to the Access Server for processing.

 

Ques: 3). In Oracle Access Manager, what is the IWA mechanism?

Answer: 

OAM offers a feature that allows Microsoft Internet Explorer users to authenticate automatically to their Web applications using their desktop credentials. This is known as Windows Native Authentication. The user logs in to the computer, and local authentication is completed using the Windows Domain Administrator authentication mechanism.

The user launches an Internet Explorer (IE) browser and requests a Web resource from the Access System.

The browser notifies the IIS Web server about the local authentication and sends a token.

The IIS Web server uses the token to authenticate the user and to set the REMOTE_USER HTTP header variable, which indicates the user name supplied by the client and authenticated by the server.

The WebGate creates an ObSSOCookie and sends it back to the browser.

The Access System authorization and other processes proceed as usual.

The maximum session timeout length configured for the WebGate is applicable to the generated ObSSOCookie.

 

Ques: 4). What Is an Access Server SDK?

Answer :

The Access Manager Software Developer's Kit (SDK) allows you to extend the Access System's access management features. You can use this SDK to construct a customised AccessGate. The Access Manager SDK provides an environment in which you can establish an AccessGate by creating a dynamic link library or a shared object. You'll also need configureAccessGate.exe to make sure your client is working properly.

 

Ques: 5). What Is the Policy Manager API?

Answer :

The Policy Manager API provides an interface that allows custom applications to establish and edit Access System policy domains and their contents using the Access Server's authentication, authorization, and auditing capabilities.

 

Ques: 6). Name some new features of OAM11gR2?

Answer: 

Dynamic Authentication -- Dynamic authentication is the ability to define which authentication scheme should be presented to a user based on some condition.

Persistent Login (Remember Me) -- Persistent Login is the ability to let users log in without credentials after the first-time login.

Policy Evaluation Ordering -- The out-of-the-box algorithm for evaluating policies is based on the "best match" algorithm.

Delegated Administration -- The ability to select users who can administer their own application domains.

Unified Administration Console -- The console screen has a new look; a new single 'Launch Pad' screen with services that are enabled based on user roles.

Session Management -- The ability to set idle session timeouts at the application domain level.

 

Ques: 7). What is IIS?

Answer: 

Internet Information Services (IIS, formerly Internet Information Server) is a Microsoft extensible web server designed for use with the Windows NT family of operating systems. IIS supports HTTP, HTTPS, FTP, FTPS, SMTP, and NNTP. It has been a fundamental element of the Windows NT family since Windows NT 4.0, although it may be missing from some editions (e.g. Windows XP Home edition). When Windows is installed, IIS is not enabled by default. The IIS Manager can be accessed through the Control Panel's Microsoft Management Console or Administrative Tools.

  

Ques: 8). What is the meaning of an Oracle Access Manager Basic License?

Answer: 

The Oracle Access Manager (OAM) Basic licence was intended to support Oracle AS Single Sign-On (OSSO) customers who purchased the Oracle iAS Suite or other Oracle E-Business Suite products. Customers who have valid Oracle Single Sign-On (OSSO) licences can swap them for an equivalent number of Access Manager licences under the OAM Basic licence, with some restrictions. Access Manager must employ Oracle infrastructure components due to the constraints; this was also a requirement for OSSO. The LDAP directory, for example, must be Oracle Internet Directory or Oracle Virtual Directory, and only Oracle application resources can be protected. Customers who want to remove the restrictions must acquire the complete Access Manager licence.

 

Ques: 9). What is Oracle Webgate, and how does it work?

Answer: 

Oracle WebGate is a Web server plug-in that comes with Oracle Access Manager out of the box. The WebGate intercepts users' HTTP requests for Web resources and forwards them to the Access Server for authentication and authorization.

 

Ques: 10). Access Manager 11g WebGates support Oracle HTTP Server 11g and IBM HTTP Server 7.0, but I prefer Apache Web Servers. If I want to use Access Manager 11g, what should I do?

Answer: 

Oracle Access Manager 10g WebGates can communicate with Access Manager 11g servers. Oracle Access Manager 10g WebGates have a wide range of web server certifications, including Apache, Domino, Microsoft IIS, and many others.

A related question is whether a massive Oracle Access Manager 10gR3 implementation, with thousands of applications, has to be transferred all at once to the new 11gR2 platform. No. Thanks to server-side coexistence in Access Manager 11gR2, both Oracle Access Manager 10gR3 and Oracle Access Manager 11gR2 servers can be live in production at the same time, protecting distinct sets of applications. End users continue to have a seamless single sign-on experience as they navigate between applications protected by the two servers. Customers with large deployments can use this capability to perform the server migration in phases over a period of time without impacting end users.

 

Ques: 11). With thousands of applications, I have a massive OpenSSO 8.0 or Sun Access Manager 7.1 deployment. Is it necessary to migrate all of them to the new Access Manager 11gR2 platform at the same time?

Answer: 

No. With Access Manager 11gR2, both the OpenSSO 8.0 (or Sun Access Manager 7.1) and Access Manager 11gR2 servers can be live in production at the same time, safeguarding distinct sets of apps. End users will continue to have a seamless single sign-on experience as they move between the two servers' protected apps. Customers with big deployments can use this capability to migrate servers in stages over time without affecting end users.

 

Ques: 12). What Is IdentityXML?

Answer: 

IdentityXML provides a programmatic interface for performing the actions that a user can perform while using a browser to access a COREid application. An application can, for example, submit an IdentityXML request to find members of a group defined in the Group Manager application or to add a user to the User Manager. Simple actions and multi-step procedures can be applied to change user, group, and organization object profiles using IdentityXML.

After you've finished constructing the IdentityXML request, you need to build a SOAP wrapper to send the IdentityXML request to WebPass over HTTP. The IdentityXML API uses XML over SOAP. IdentityXML parameters are sent to the COREid Server in an HTTP request that contains a SOAP envelope. When WebPass receives the HTTP request, the SOAP envelope identifies it as an IdentityXML request rather than a standard browser request. The request is passed to the COREid Server, which executes the request and returns a response. You can also use WSDL to put together the SOAP request.

The SOAP content is structured as follows: a SOAP envelope (with the oblix namespace defined), a SOAP body (with authentication information), and the actual request (with the application name and parameters). Examples of application names are userservcenter, groupservcenter, and objservcenter (for organizations).

 

Ques: 13). What are Header Variables and How Do I Use Them?

Answer: 

Oracle Access Manager allows administrators to build a web of trust in which a user's credentials are confirmed once and then delivered to each application that the user uses. The application does not need to re-authenticate the user with its own mechanism when it receives these credentials. Users who have been authenticated by Oracle Access Manager are able to access applications without having to re-authenticate. A user's credentials can be sent in one of two ways:

• Using Cookies: A specific value is set on the browser's cookie that the application must extract to identify a user.

• Using Header Variables: An HTTP header set on the request by the agent and visible to the application. Header values are configured as an Authorization Policy Response in the Administration Console. Header response values are inserted into a request by an OAM Agent, and can only be applied on Web servers that are protected by an agent registered with OAM 11g. If the policy includes a redirect URL that is hosted by a Web server not protected by OAM, header responses are not applied.
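
Because the application trusts a header variable set by the agent, it should accept that header only on requests that arrived through an agent-protected Web server. The following is an added example, not code from Oracle or from the original post; the header name OAM_REMOTE_USER, the 10.0.5.0/28 agent network and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: the identity header name is whatever the authorization policy
# response is configured to set; OAM_REMOTE_USER is used here for illustration.
IDENTITY_HEADER = "OAM_REMOTE_USER"
# Assumption: addresses of the agent-protected web servers in front of the app.
TRUSTED_AGENT_NETS = [ipaddress.ip_network("10.0.5.0/28")]


def _norm(name):
    # Treat '-' and '_' alike and ignore case, as CGI-style header mapping does.
    return name.strip().lower().replace("-", "_")


def strip_client_identity(headers):
    """Web-server side: drop any client-supplied copy of the identity header
    before the agent sets its own value."""
    return [(k, v) for k, v in headers if _norm(k) != _norm(IDENTITY_HEADER)]


def authenticated_user(headers, peer_ip):
    """Application side: return the asserted user name, or None (fail closed)."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    if not any(peer in net for net in TRUSTED_AGENT_NETS):
        return None  # request did not come through an agent-protected server
    values = [v.strip() for k, v in headers if _norm(k) == _norm(IDENTITY_HEADER)]
    if len(values) != 1 or not values[0]:
        return None  # missing, empty or duplicated header is ambiguous
    return values[0]


# Constructed sample requests: (description, peer address, headers).
SAMPLES = [
    ("via protected web server", "10.0.5.3", [("Host", "app"), ("OAM_REMOTE_USER", "jdoe")]),
    ("direct to application", "203.0.113.9", [("Host", "app"), ("OAM_REMOTE_USER", "jdoe")]),
    ("duplicate header", "10.0.5.3", [("OAM_REMOTE_USER", "jdoe"), ("oam-remote-user", "admin")]),
    ("no header", "10.0.5.3", [("Host", "app")]),
]

if __name__ == "__main__":
    for label, peer, hdrs in SAMPLES:
        print(f"{label:26} -> {authenticated_user(hdrs, peer)!r}")
```

Only the first sample yields a user name; the other three return None, so the application falls back to denying access or redirecting to login.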

 

Ques: 14). Explain the OAM-OAAM Integration Architecture and Integration.

Answer: 

Using these products together gives you complete control over the authentication process and comprehensive pre-/post-authentication checking capabilities against Adaptive Risk Manager models.

The OAAM's ASA-OAM integration uses two Oracle Access Manager AccessGates: one for fronting the Web server (a traditional WebGate) to Adaptive Strong Authenticator and one for the embedded AccessGate. The Access Server SDK must be installed and configured before the AccessGate can be used, and the ASDK location must be updated in the ASA bharosa files. An application is then protected with the ASA authentication mechanism and tested for the ASA login landing page.

 

Ques: 15). What Happens When a User Submits a Request That Is Protected by an AccessGate (Not a WebGate)?

Answer: 

The following is an example of the flow:

The user sends a resource request to the application or servlet that contains the AccessGate code.

The AccessGate code creates an ObResourceRequest structure and calls the Access Server to determine whether or not the resource is protected.

The Access Server responds to the request. If the resource isn't protected, the AccessGate allows the user to access the resource. Otherwise, the AccessGate creates an ObAuthenticationScheme structure to ask the Access Server which credentials the user needs to supply. The Access Server responds. The application uses a form or one of several other methods to obtain the credentials. The AccessGate creates the ObUserSession structure, which provides the Access Server with the user information. If the credentials are verified as valid, the AccessGate creates a session token for the user and then sends an authorization request to the Access Server. The Access Server validates whether the user is authorized to access that resource. The AccessGate permits the user to access the requested resource.

 

Ques: 16). What exactly is SSO?

Answer: 

SSO (single sign-on) is a session/user authentication method that allows a user to access different apps with just one username and password. The procedure authenticates the user for all of the applications to which they have been granted access and removes the need for further prompts when they switch applications during a session.

Overview:

  • Provides users with unified sign-on and authentication across all their enterprise resources, including desktops, client-server, custom, and host-based mainframe applications
  • Provides a centralized framework for security and compliance enforcement
  • Eliminates the need for multiple usernames and passwords
  • Helps enforce strong password and authentication policies.
  • Uses any LDAP directory, Active Directory, or any SQL database server as its user profile and credential repository

Benefits

  • Reduces deployment risk and operational costs.
  • Allows enterprises to provide fast, secure access to applications for employees and partners.
  • Eliminates the overhead and limitations of traditional desktop client deployments.
  • Seamlessly integrates with Oracle Identity Management for common security policy enforcement and compliance reporting across applications

  

Ques: 17). What is Reverse Proxy?

Answer: 

A reverse proxy gives you architectural flexibility by allowing you to expose the same application on both the intranet and the extranet without having to make any changes to the existing application. By sending all requests through the proxy, you may safeguard all Web content from a single logical component.

This is true even for platforms that Oracle Access Manager does not support. All content on these servers can be safeguarded if you have multiple types of Web servers, such as iPlanet, Apache, and others, running on different platforms, such as MacOS, Solaris x86, mainframe, and so on. A reverse proxy can be used as a workaround for unsupported Web servers, removing the requirement to develop custom AccessGates for unsupported Web servers or systems that do not support AccessGates. This creates a single management point. You can manage the security of all of the Web servers through the reverse proxy without establishing a footprint on the other Web servers.

 

Ques: 18). What is Identity Store and how does it work? Describe the many types of identity stores.

Answer: 

The term "identity store" refers to a database that contains business users and groups. WebLogic includes an embedded LDAP that Fusion Middleware components use as the identity store by default. External LDAP servers, such as OID, AD, and others, can be configured to serve as identity stores.

System Store - Represents the identity store that holds the groups or users who act as "Administrators" of OAM; that is, only members of this identity store group/user can perform admin functions via the OAM console.

Default Store - The identity store that is used at patching time for migration purposes, or by Oracle Security Token Service.

 

Ques: 19). In OAM, what are Authorization Policies?

Answer: 

Authorization is the process of assessing whether a user has permission to access a requested resource. Administrators can define the conditions under which a subject or identity has access to a resource by creating one or more authorization policies. A user may seek to view data or run an application that is protected by a policy. The requested resource must be part of an application domain and be covered by a specific authorization policy within that domain.

 

Ques: 20). In comparison to the ECC, what are the benefits of the DCC?

Answer: 

From a security and flexibility standpoint, the DCC has several advantages. The DCC can be placed anywhere in the DMZ because it is totally detached from the Access Manager server. It also adds security by terminating all unauthenticated end user login requests at the DCC in the DMZ, isolating the server from unauthenticated network traffic.


