OAM-OIM Interview Questions And Answers
OAM-OIM Interview Questions And Answers are as follows –
Question 1. What Is Single Sign On?
Answer:
Single Sign-On allows users to sign on once to a protected application and then gain access to the other protected resources within the same domain that are defined with the same authentication level.
Question 2. What Is Multi Domain Single Sign-on?
Answer:
Multi Domain SSO gives users the ability to access more than one protected resource (URLs and applications) scattered across multiple domains with a single authentication.
Question 3. What Is The Authentication Mechanism Used By Oracle Access Manager?
Answer:
The ObSSOCookie, which is stateless.
Question 4. Explain Various Security Modes Present In Oracle Access Manager?
Answer:
o Open: Allows unencrypted communication. In Open mode there is no authentication or encryption between the AccessGate and the Access Server: the AccessGate does not ask for proof of the Access Server’s identity, and the Access Server accepts connections from all AccessGates. Similarly, the Identity Server does not require proof of identity from WebPass.
o Simple: Supports encryption using certificates provided by Oracle. In Simple mode, communications between Web clients (WebPass and Identity Server, Policy Manager and WebPass, and Access Server and WebGate) are encrypted using TLS v1. In both Simple and Cert mode, Oracle Access Manager components use X.509 digital certificates only. This includes Cert Authentication between WebGates and the Access Server, where the standard cert-decode plug-in decodes the certificate and passes the certificate information to the standard credential_mapping authentication plug-in. For each public key there is a corresponding private key, which Oracle Access Manager stores in the aaa_key.pem file for the Access Server (or ois_key.pem for the Identity Server).
o Cert: Requires a third-party certificate. Use Cert (SSL) mode if you have an internal Certificate Authority (CA) for processing server certificates. In Cert mode, communication between WebGate and Access Server, and between Identity Server and WebPass, is encrypted using Transport Layer Security, RFC 2246 (TLS v1).
Question 5. Explain The Architecture Of Oracle Access Manager?
Answer:
o The Oracle Access Manager architecture mainly consists of the Identity Server, WebPass, Policy Manager, Access Server and WebGate components. The Identity Server is a standalone C++ server that communicates directly with LDAP.
o It also receives requests from and sends responses to WebPass. WebPass is a web server plug-in that passes information between the Identity Server and the web server. It redirects HTTP requests from the browser to the Access Server, and sends IdentityXML SOAP requests to the Identity Server.
o Policy Manager (PMP or PAP) is a web server plug-in that communicates directly with the user, configuration and policy repositories. The Access Server is a standalone C++ server, also called the PDP (policy decision point). It receives requests from, and sends responses to, WebGates/AccessGates.
o It also communicates with LDAP and answers Access Server SDK requests. WebGate (PEP, policy enforcement point) is a web server plug-in that passes information between the web server and the Access Server. It passes user authentication data to the Access Server for processing.
Question 6. What Are The Obssocookie Contents?
Answer:
The cookie contains an encrypted session token and unencrypted data.
The encrypted session token consists of: the DN of the authenticated user, the level of the authentication scheme, the IP address of the client to which the cookie was issued, the time the cookie was issued, and the time the cookie was last updated. If the user is not idle, the cookie is automatically updated at a fixed interval to prevent session timeout. The update interval is one quarter of the AccessGate’s idle session timeout.
The unencrypted ObSSOCookie data contains the cookie expiry time, the domain in which the cookie is valid, and an additional flag that determines whether the cookie can only be sent over SSL.
Question 7. What Is The Key Used For Encrypting The Obssocookie?
Answer:
Shared Secret key. It is configured in the Identity Admin console and can be generated by the OAM administrator.
Question 8. What Happens If The Obssocookie Is Tampered?
Answer:
When the Access System generates the ObSSOCookie, an MD5 hash is computed over the session token. When the user is authenticated again using the cookie, the Access Server recomputes the hash over the cookie contents and compares it with the stored hash. MD5 is a one-way hash, so it cannot be reversed. If the two values are not the same, the cookie was tampered with in the interim. The cookie does not contain the username or password.
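As an added illustration of Questions 6 to 8 (example code written for this page, not OAM’s cookie format or Oracle’s code), the following Python models a cookie made of an integrity-tagged session token plus unencrypted metadata, and shows the tamper check and the quarter-of-idle-timeout refresh. The field names, the `|`-separated layout, the shared secret and the 1800-second idle timeout are assumptions. The page describes an MD5 hash over the token; this example substitutes an HMAC-SHA256 keyed with the shared secret as the keyed form of the same integrity check, and it hex-encodes the token instead of encrypting it, since only the integrity check is being demonstrated.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Shared secret from Question 7: generated here for the demo (OAM configures it
# in the admin console).
SHARED_SECRET = secrets.token_bytes(32)

# AccessGate idle session timeout in seconds; an assumed value for the demo.
IDLE_TIMEOUT = 1800

# Unencrypted cookie attributes from Question 6; assumed demo values.
COOKIE_DOMAIN = ".example.com"
SECURE_ONLY = True


def integrity_tag(token_bytes: bytes, key: bytes) -> str:
    """Keyed hash over the serialized session token. The page describes an MD5
    hash; HMAC-SHA256 keyed with the shared secret is substituted here as the
    keyed form of the same integrity check."""
    return hmac.new(key, token_bytes, hashlib.sha256).hexdigest()


def encode_cookie(token: dict, key: bytes) -> str:
    """Cookie = hex(token) | tag | unencrypted metadata. The token is hex-encoded
    rather than encrypted because only the integrity check is demonstrated here."""
    token_bytes = json.dumps(token, sort_keys=True).encode()
    meta = {"expires": token["updated"] + IDLE_TIMEOUT,
            "domain": COOKIE_DOMAIN, "secure": SECURE_ONLY}
    return "|".join([token_bytes.hex(), integrity_tag(token_bytes, key),
                     json.dumps(meta, sort_keys=True)])


def issue_cookie(dn: str, auth_level: int, client_ip: str, now: float,
                 key: bytes = SHARED_SECRET) -> str:
    """Build the session-token fields listed in Question 6 (no username/password)."""
    token = {"dn": dn, "level": auth_level, "ip": client_ip,
             "issued": now, "updated": now}
    return encode_cookie(token, key)


def verify_cookie(cookie: str, key: bytes = SHARED_SECRET) -> Optional[dict]:
    """Recompute the tag and compare it in constant time (Question 8).
    Returns the session token, or None if the cookie was tampered with."""
    try:
        token_hex, tag, _meta = cookie.split("|", 2)
        token_bytes = bytes.fromhex(token_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, integrity_tag(token_bytes, key)):
        return None
    return json.loads(token_bytes)


def refresh_interval(idle_timeout: int) -> int:
    """An active user's cookie is re-issued every quarter of the idle timeout."""
    return idle_timeout // 4


def touch_cookie(cookie: str, now: float, key: bytes = SHARED_SECRET) -> str:
    """Refresh 'updated' once the interval has elapsed; refuse tampered cookies."""
    token = verify_cookie(cookie, key)
    if token is None:
        raise ValueError("cookie integrity check failed")
    if now - token["updated"] < refresh_interval(IDLE_TIMEOUT):
        return cookie
    token["updated"] = now
    return encode_cookie(token, key)


def simulate_tampering(cookie: str, new_level: int) -> str:
    """Test vector: edit the auth level in the token without re-tagging, which is
    all a client that does not hold the shared secret can do."""
    token_hex, tag, meta = cookie.split("|", 2)
    token = json.loads(bytes.fromhex(token_hex))
    token["level"] = new_level
    return "|".join([json.dumps(token, sort_keys=True).encode().hex(), tag, meta])


if __name__ == "__main__":
    c = issue_cookie("cn=alice,ou=people,dc=example,dc=com", 1, "10.0.0.5", 1000.0)
    print("genuine cookie accepted:", verify_cookie(c) is not None)
    print("tampered cookie accepted:", verify_cookie(simulate_tampering(c, 5)) is not None)
    print("refresh interval (s):", refresh_interval(IDLE_TIMEOUT))
```

The point to take from `verify_cookie` is that the server never trusts the decoded fields until the tag has been recomputed and compared in constant time; `touch_cookie` shows why the refresh must run the same check first, so a tampered cookie is rejected rather than re-signed.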
Question 9. What Is The Difference Between Webgate And Accessgate?
Answer:
WebGate is an out-of-the-box plug-in that intercepts Web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization. An AccessGate is a custom-built gate (created with the Access Server SDK) that can intercept requests for both HTTP and non-HTTP resources.
Question 10. What Are The Major Parameters Defined In An Authentication Scheme?
Answer:
The authentication scheme level, which defines the level of security configured for the application.
Question 11. Explain The Flow When A User Requests For An Application Protected By Oracle Access Manager?
Answer:
The following steps describe the flow when a user requests a resource protected by Oracle Access Manager:
o The user requests a resource through a web browser.
o The WebGate intercepts the request and checks with the Access Server whether the resource is protected.
o If the resource is not protected, the user is shown the requested resource.
o If the resource is protected, the Access Server checks with the Policy Manager which authentication scheme is configured for that resource.
o The user is prompted to enter credentials as required by the authentication scheme defined for the resource.
o The WebGate sends the credentials to the Access Server, which checks them against the backend (LDAP server).
o Upon successful authentication, the Access Server checks whether the user is authorized to access the resource.
o If the user is authorized, the Access Server creates the session ID and passes it to the WebGate. An ObSSOCookie is created and sent to the user’s browser, and the user is shown the requested resource.
o If the user is not authorized, an error page (if one is defined in the policy domain) is shown to the user.
Question 12. Explain The Flow Of A Multi Domain Single Sign-on?
Answer:
Multi Domain SSO gives users the ability to access more than one protected resource (URLs and applications) scattered across multiple domains with a single authentication.
o For multi-domain SSO to work, the Access Servers in all domains must use the same policy directory.
o Multi-domain SSO works only with WebGates, not AccessGates.
o Within each individual domain, each WebGate must have the same “primary HTTP cookie domain”.
In a multi-domain SSO environment, one web server (where a WebGate is installed) is designated as the “Primary Authentication Server”. The Primary Authentication Server acts as the central server for all authentications in the multi-domain environment. In general, the WebGate installed in the domain where the Access Server resides is designated as the primary authentication server.
Let’s assume that the OAM components are installed on host1.domain1.com and that we designate host1.domain1.com as the primary authentication server.
o host2.domain2.com has a WebGate (for example, webgate2) installed.
o A resource, abc.html, is protected by form-based authentication on host1.domain1.com.
o A resource, xyz.html, is protected by Basic over LDAP authentication on host2.domain2.com.
The following steps explain how multi-domain SSO works:
o The user initiates a request for a Web page from a browser; for instance, the request could be for host2.domain2.com/xyz.html.
o webgate2 (on host2.domain2.com) sends the authentication request back through the user’s browser to the primary authentication server, which in this example is host1.domain1.com.
o The request for authentication is sent from the user’s browser to the primary authentication server, host1.domain1.com.
o This request flows to the Access Server. The user logs in with the corresponding authentication scheme and the ObSSOCookie is set for host1.domain1.com. The Access Server also generates a session token with a URL that contains the ObSSOCookie.
o The session token and ObSSOCookie are returned to the user’s browser.
o The session token and ObSSOCookie are sent to host2.domain2.com.
o The WebGate (webgate2) on host2.domain2.com sets the ObSSOCookie for its own domain (.domain2.com) and satisfies the user’s original request for the resource host2.domain2.com/xyz.html. The user gets the resource.
o If the user then accesses a host1.domain1.com page in the same browser, the resource is presented without asking for credentials, because the ObSSOCookie is already available for .domain1.com (it was set when the user logged in at host1.domain1.com above).
Question 13. What Is An Access Server Sdk?
Answer:
The Access Manager Software Developer’s Kit (SDK) enables you to enhance the access management capabilities of the Access System. This SDK enables you to create a specialized AccessGate. The Access Manager SDK creates an environment for you to build a dynamic link library or a shared object to perform as an AccessGate. You also need the configureAccessGate.exe tool to verify that your client works correctly.
Question 14. What Is An Identity Xml?
Answer:
IdentityXML provides a programmatic interface for carrying out the actions that a user can perform when accessing a COREid application from a browser. For instance, a program can send an IdentityXML request to find members of a group defined in the Group Manager application, or to add a user to the User Manager.
IdentityXML enables you to process simple actions and multi-step workflows to change user, group, and organization object profiles.
After creating the IdentityXML request, you construct a SOAP wrapper to send the IdentityXML request to WebPass over HTTP. The IdentityXML API uses XML over SOAP: IdentityXML parameters are passed to the COREid Server in an HTTP request that contains a SOAP envelope. When WebPass receives the HTTP request, the SOAP envelope indicates that it is an IdentityXML request rather than a usual browser request.
The request is forwarded to the COREid Server, where it is carried out and a response is returned. Alternatively, you can use WSDL to construct the SOAP request. The SOAP content consists of a SOAP envelope (with the oblix namespace defined), a SOAP body (with authentication details), and the actual request (with the application name and parameters). The application name can be userservcenter, groupservcenter or objservcenter (for organizations).
Question 15. What Is An Sspi Connector And Its Role In Oracle Access Manager Integrations?
Answer:
The Security Provider for WebLogic SSPI (Security Provider) ensures that only appropriate users and groups can access Oracle Access Manager-protected WebLogic resources to perform specific operations. The Security Provider also enables you to configure single sign-on between Oracle Access Manager and WebLogic resources.
The WebLogic security framework provides Security Service Provider Interfaces (SSPIs) to protect J2EE applications. The Security Provider takes advantage of these SSPIs, enabling you to use Oracle Access Manager to protect WebLogic resources via:
o User authentication
o User authorization
o Role mapping
The Security Provider consists of several individual providers, each of which enables a specific Oracle Access Manager function for WebLogic users:
Authenticator: This security provider uses Oracle Access Manager authentication services to authenticate users who access WebLogic applications. Users are authenticated based on their credentials, such as user name and password.
The security provider also offers user and group management functions. It enables the creation and deletion of users and groups from the BEA WebLogic Server. It also provides single sign-on between WebGates and portals.
Identity Asserter: Like the Authenticator, this security provider uses Oracle Access Manager authentication services to validate already-authenticated Oracle Access Manager users using the ObSSOCookie and to create a WebLogic-authenticated session.
Authorizer: This security provider uses Oracle Access Manager authorization services to authorize users who are accessing a protected resource. The authorization is based on Oracle Access Manager policies.
Role Mapper: This security provider returns security roles for a user. These roles are defined in Oracle Access Manager, and they are provided by Oracle Access Manager using return actions on a special authentication policy. This authentication policy contains a resource with a URL prefix of /Authen/Roles. Role Mapper maps these roles to predefined security roles in WebLogic.
Question 16. Explain The Integration And Architecture Of Oam-oaam Integration?
Answer:
Using these products in combination gives you fine-grained control over the authentication process and the full capabilities of pre- and post-authentication checking against Adaptive Risk Manager models.
The ASA-OAM integration involves two Oracle Access Manager AccessGates: a traditional WebGate fronting the Web server that hosts Adaptive Strong Authenticator (ASA), and an embedded AccessGate within ASA. To set it up, install the Access Server SDK and run the configureAccessGate tool, update the ASA bharosa files with the ASDK location, protect an application with the ASA authentication scheme, and test that login lands on the ASA login page.
Here is how the flow goes:
o The user requests a resource.
o The WebGate fronting the ASA application intercepts the request and redirects it to the ASA application.
o The user enters credentials; the Access SDK set up in the ASA application contacts the AccessGate, which in turn contacts the Access Server to validate the credentials.
o Upon successful authentication, the Access Server generates an ObSSOCookie and forwards it to the browser.
o The user is then shown the requested resource.
Question 17. Explain Iwa Mechanism In Oracle Access Manager?
Answer:
OAM has a feature that enables Microsoft Internet Explorer users to authenticate automatically to their Web applications using their desktop credentials. This is known as Windows Native Authentication.
o The user logs in to the desktop machine, and local authentication is completed using the Windows Domain Administrator authentication scheme.
o The user opens an Internet Explorer (IE) browser and requests an Access System-protected Web resource.
o The browser notes the local authentication and sends a token to the IIS Web server.
o The IIS Web server uses the token to authenticate the user and set up the REMOTE_USER HTTP header variable that specifies the user name supplied by the client and authenticated by the server.
o The WebGate installed on the IIS Web server uses the hidden feature of external authentication to get the REMOTE_USER header variable value and map it to a DN for the ObSSOCookie generation and authorization.
o The WebGate creates an ObSSOCookie and sends it back to the browser.
o The Access System authorization and other processes proceed as usual.
o The maximum session timeout period configured for the WebGate is applicable to the generated ObSSOCookie.
Question 18. Explain Various Major Params Defined In Webgate Instance Profile?
Answer:
Hostname: Name of the machine hosting the AccessGate.
Maximum User Session Time (seconds): Maximum amount of time in seconds that a user’s authentication session is valid, regardless of their activity. When this time expires the user is re-challenged for authentication; this is a forced logout. Default = 3600. A value of 0 disables this timeout.
Idle Session Time (seconds): Amount of time in seconds that a user’s authentication session remains valid without accessing any AccessGate-protected resources.
Maximum Connections: Maximum number of connections this AccessGate can establish. This parameter is based on how many connections are defined to each individual Access Server, and may be greater than the number allocated at any given time.
IPValidationException: Specific to WebGates. A list of IP addresses that are excluded from IP address validation; often used to exclude addresses set by proxies.
Maximum Client Session Time: How long a connection from the AccessGate to the Access Server is maintained. If you deploy a firewall (or another device) between the AccessGate and the Access Server, this value should be smaller than the firewall’s timeout setting.
Failover Threshold: The point at which this AccessGate opens connections to secondary Access Servers. If you enter 30 in this field and the number of connections to primary Access Servers falls to 29, this AccessGate opens connections to secondary Access Servers.
Preferred HTTP Host: Defines how the host name appears in all HTTP requests as they attempt to access the protected Web server. The host name in the HTTP request is translated into the value entered in this field, regardless of how it was written in the user’s request.
Primary HTTP Cookie Domain: The Web server domain on which the AccessGate is deployed, for instance .mycompany.com.
IPValidation: Specific to WebGates. Determines whether a client’s IP address must be the same as the IP address stored in the ObSSOCookie generated for single sign-on.
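To show how the session-related parameters above combine when a WebGate evaluates an incoming request, here is an added Python example (not Oracle’s code) that applies Maximum User Session Time, Idle Session Time, IPValidation, IPValidationException and Failover Threshold to a constructed session token. The profile values and the token layout are assumptions; as a small extension beyond the page, exception-list entries may be CIDR ranges as well as single addresses.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class WebGateProfile:
    """Subset of the WebGate instance profile (Question 18); values are assumed defaults."""
    max_user_session_time: int = 3600      # seconds; 0 disables the forced logout
    idle_session_time: int = 1800          # seconds without a protected-resource access
    ip_validation: bool = True             # compare client IP with the IP in the cookie
    ip_validation_exception: List[str] = field(default_factory=list)  # e.g. proxy addresses
    failover_threshold: int = 30           # open secondary Access Server connections below this


@dataclass
class SessionToken:
    """The cookie fields the checks below need (Question 6); constructed for the demo."""
    dn: str
    client_ip: str      # IP the cookie was issued to
    issued: float       # seconds since epoch
    updated: float      # last refresh


def ip_excepted(profile: WebGateProfile, client_ip: str) -> bool:
    """True if the client IP is on the IPValidationException list. Entries may be
    single addresses or, as an extension to the page, CIDR ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in profile.ip_validation_exception)


def check_session(profile: WebGateProfile, token: SessionToken,
                  client_ip: str, now: float) -> Tuple[bool, str]:
    """Apply the session-related profile parameters to one request; the reason
    string is what a WebGate log line would carry."""
    if profile.max_user_session_time and now - token.issued >= profile.max_user_session_time:
        return False, "maximum user session time exceeded: forced logout, re-challenge"
    if now - token.updated >= profile.idle_session_time:
        return False, "idle session timeout"
    if profile.ip_validation and client_ip != token.client_ip and not ip_excepted(profile, client_ip):
        return False, "client IP does not match IP in ObSSOCookie"
    return True, "ok"


def should_open_secondary(profile: WebGateProfile, primary_connections: int) -> bool:
    """Failover Threshold: with threshold 30, 29 primary connections opens secondaries."""
    return primary_connections < profile.failover_threshold


if __name__ == "__main__":
    profile = WebGateProfile(ip_validation_exception=["192.0.2.0/24"])  # constructed proxy range
    token = SessionToken("cn=alice", "10.0.0.5", issued=1000.0, updated=1000.0)
    for ip, now in [("10.0.0.5", 1100.0), ("10.0.0.6", 1100.0), ("192.0.2.7", 1100.0),
                    ("10.0.0.5", 2900.0), ("10.0.0.5", 4700.0)]:
        print(ip, now, check_session(profile, token, ip, now))
    print("open secondaries at 29 primary connections:", should_open_secondary(profile, 29))
```

The order of the checks matters for the log reason a practitioner sees: the forced-logout limit is absolute and is tested before the idle limit, and the IP comparison is only consulted for a session that is still within both time limits.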
Question 19. What Is Policy Manager Api?
Answer:
The Policy Manager API provides an interface which enables custom applications to access the authentication, authorization, and auditing services of the Access Server to create and modify Access System policy domains and their contents.
Question 20. When Do You Need An Access Gate?
Answer:
An AccessGate is required instead of a standard WebGate when you need to control access to a resource for which OAM does not provide an out-of-the-box (OOTB) solution.
These might include:
o Protection of non-HTTP resources (EJB, JNDI, etc.).
o Implementation of SSO to protect a combination of HTTP and non-HTTP resources.
A file called obAccessClient.xml is stored on the server where the AccessGate is installed. This file contains the configuration parameters entered through the configureAccessGate tool.
Question 21. Explain The Flow When A User Makes A Request Protected By An Access Gate (not Webgate)?
Answer:
The flow is as follows:
o The application or servlet containing the AccessGate code receives a resource request from the user.
o The AccessGate code constructs an ObResourceRequest structure and contacts the Access Server to find out whether the resource is protected.
o The Access Server responds.
o If the resource is not protected, the AccessGate allows the user to access the resource. Otherwise:
o The AccessGate constructs an ObAuthenticationScheme structure to ask the Access Server what credentials the user needs to supply.
o The Access Server responds.
o The application uses a form or some other means to collect the credentials.
o The AccessGate constructs an ObUserSession structure, which presents the user’s details to the Access Server.
o If the credentials prove valid, the AccessGate creates a session token for the user and then sends an authorization request to the Access Server.
o The Access Server validates whether the user is authorized to access that resource.
o The AccessGate allows the user to access the requested resource.
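The exchange in Questions 11 and 21, as an added Python simulation written for this page (it is not the Access SDK, whose real classes are Java/C++): `ResourceRequest`, `AuthenticationScheme` and `UserSession` model the ObResourceRequest, ObAuthenticationScheme and ObUserSession structures named above, both sides’ messages are recorded in a transcript, and the policy repository and directory are constructed inline.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy repository: resource name -> None (unprotected) or its policy.
POLICY = {
    "//app.example.com/public/index.html": None,
    "//app.example.com/secure/report.html": {
        "scheme": "Basic over LDAP", "level": 1, "allowed": {"cn=alice"}},
}
# Constructed stand-in for the LDAP backend: userid -> (password, DN).
# Demo data only; a real directory never stores plaintext passwords.
DIRECTORY = {"alice": ("alice-pw", "cn=alice"), "bob": ("bob-pw", "cn=bob")}


@dataclass
class ResourceRequest:       # models the ObResourceRequest structure
    res_type: str
    res_name: str
    operation: str


@dataclass
class AuthenticationScheme:  # models ObAuthenticationScheme
    name: str
    level: int


@dataclass
class UserSession:           # models ObUserSession / the session token
    dn: str
    level: int
    token: str


class AccessServer:
    """The server side of the exchange: policy lookup, authentication, authorization."""

    def __init__(self, policy: Dict, directory: Dict):
        self.policy, self.directory, self.sessions = policy, directory, {}

    def is_protected(self, req: ResourceRequest) -> bool:
        return self.policy.get(req.res_name) is not None

    def scheme_for(self, req: ResourceRequest) -> AuthenticationScheme:
        p = self.policy[req.res_name]
        return AuthenticationScheme(p["scheme"], p["level"])

    def authenticate(self, req: ResourceRequest, creds: Dict[str, str]) -> Optional[UserSession]:
        entry = self.directory.get(creds.get("userid", ""))
        if entry is None or not secrets.compare_digest(entry[0], creds.get("password", "")):
            return None
        session = UserSession(entry[1], self.scheme_for(req).level, secrets.token_hex(16))
        self.sessions[session.token] = session
        return session

    def is_authorized(self, session: UserSession, req: ResourceRequest) -> bool:
        return session.dn in self.policy[req.res_name]["allowed"]


class AccessGate:
    """The client side (the application's AccessGate code) running the Question 21 steps."""

    def __init__(self, server: AccessServer):
        self.server = server

    def handle(self, req: ResourceRequest,
               get_credentials: Callable[[AuthenticationScheme], Dict[str, str]]) -> Tuple[str, List[str]]:
        """Returns a decision ('allow', 'deny-authn', 'deny-authz') and the exchange transcript."""
        log = [f"gate -> server: is {req.res_name} protected?"]
        if not self.server.is_protected(req):
            log.append("server -> gate: not protected")
            return "allow", log
        scheme = self.server.scheme_for(req)
        log.append(f"server -> gate: protected by '{scheme.name}' (level {scheme.level})")
        creds = get_credentials(scheme)          # the app collects them via a form or otherwise
        log.append(f"gate -> server: credentials for userid '{creds.get('userid', '')}'")
        session = self.server.authenticate(req, creds)
        if session is None:
            log.append("server -> gate: authentication failed")
            return "deny-authn", log
        log.append(f"server -> gate: session for {session.dn}; gate -> server: authorize?")
        if not self.server.is_authorized(session, req):
            log.append("server -> gate: not authorized")
            return "deny-authz", log
        log.append("server -> gate: authorized")
        return "allow", log


if __name__ == "__main__":
    gate = AccessGate(AccessServer(POLICY, DIRECTORY))
    req = ResourceRequest("http", "//app.example.com/secure/report.html", "GET")
    decision, transcript = gate.handle(req, lambda scheme: {"userid": "alice", "password": "alice-pw"})
    print(decision)
    print("\n".join(transcript))
```

Note that authentication and authorization are two separate round trips with two separate outcomes (`deny-authn` versus `deny-authz`); a valid login for a user who is not in the policy’s allowed set still ends in a denial, which is the distinction Question 42 draws between the two.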
Question 22. Explain How Form Login Works If The Form Login Page Is Present In Different Domain From Oam?
Answer:
The mechanism is the same as for multi-domain SSO. Importantly, all of the activities for form authentication are carried out between the browser and one web server.
Now suppose you want to access a resource http://www.B.com/pageB.html but still be authenticated by the login form on www.A.com.
o The authentication scheme required by pageB needs to have a redirect URL set to http://www.A.com.
o The WebGate at www.B.com redirects you to the NetPoint URL obrareq.cgi on www.A.com, with a query string that contains the original request (wu and wh).
o The WebGate on www.A.com determines that you need to do a form login for that resource, so it sets the ObFormLoginCookie with the wu and wh values from the query string, but sets the ru field to /obrareq.cgi. The WebGate on A then redirects your browser to the login form on A.
o When you post your credentials back to A, the ObFormLoginCookie is sent back. The WebGate on A authenticates your user ID and password, sets the ObSSOCookie for the .A.com domain and redirects you to the ru value from the ObFormLoginCookie, which is /obrareq.cgi.
o This time, when your browser requests http://www.A.com/obrareq.cgi, it passes the ObSSOCookie.
o The WebGate then redirects your browser back to the B web server, http://www.B.com/obrar.cgi, with the cookie value and the original URL in the query string.
o The WebGate on www.B.com extracts the cookie value, sets the ObSSOCookie for the domain .B.com, and finally redirects you to http://www.B.com/pageB.html, which you originally requested.
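The redirect chain of Question 12 and Question 22 (the page notes they use the same mechanism), as an added Python simulation that is not OAM’s code: one Access Server shared by all domains, a WebGate per host with its own primary HTTP cookie domain, and a browser with a per-domain cookie jar. The host names follow the Question 12 example and the obrareq.cgi/obrar.cgi paths and wu/wh parameters are those named in Question 22; the session-token format, the `cookie` query parameter name, and the credential handling are assumptions. Because the session token reaches the second domain in a query string, the WebGate at obrar.cgi validates it with the Access Server before setting its own cookie, which is the check a defender wants at that step.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


class AccessServer:
    """Stands in for the Access Server (one policy directory shared by all domains)."""

    def __init__(self, directory):
        self.directory = directory      # constructed userid -> password store (demo only)
        self.sessions = set()           # issued session tokens
        self.logins = 0                 # how many times credentials were actually checked

    def authenticate(self, creds):
        pw = self.directory.get(creds.get("userid", ""))
        if pw is None or not secrets.compare_digest(pw, creds.get("password", "")):
            return None
        self.logins += 1
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def is_valid(self, token):
        return token in self.sessions


class WebGate:
    """One WebGate per host; primary_host names the primary authentication server."""

    def __init__(self, host, cookie_domain, server, primary_host):
        self.host, self.cookie_domain = host, cookie_domain
        self.server, self.primary_host = server, primary_host

    def handle(self, path, query, cookies, creds):
        """Return (kind, target, set_cookies); kind is 'redirect', 'ok' or 'deny'."""
        token = cookies.get("ObSSOCookie")
        have_session = token is not None and self.server.is_valid(token)
        if path == "/obrareq.cgi":                     # served by the primary only
            if not have_session:
                token = self.server.authenticate(creds)    # the form / Basic login step
                if token is None:
                    return "deny", "login failed", []
                # set ObSSOCookie for the primary's domain, then come back through obrareq.cgi
                return ("redirect", f"http://{self.host}/obrareq.cgi?{urlencode(query)}",
                        [(self.cookie_domain, "ObSSOCookie", token)])
            back = urlencode({"cookie": token, "wu": query["wu"]})
            return "redirect", f"{query['wh']}/obrar.cgi?{back}", []
        if path == "/obrar.cgi":                       # token handed over via the query string
            if not self.server.is_valid(query.get("cookie", "")):
                return "deny", "invalid session token in obrar.cgi request", []
            return ("redirect", f"http://{self.host}{query['wu']}",
                    [(self.cookie_domain, "ObSSOCookie", query["cookie"])])
        if have_session:                               # protected resource, valid cookie
            return "ok", f"{self.host}{path}", []
        to_primary = urlencode({"wu": path, "wh": f"http://{self.host}"})
        return "redirect", f"http://{self.primary_host}/obrareq.cgi?{to_primary}", []


class Browser:
    def __init__(self, gates, creds):
        self.gates, self.creds, self.jar = gates, creds, {}   # jar: (domain, name) -> value

    def cookies_for(self, host):
        return {n: v for (d, n), v in self.jar.items() if host.endswith(d)}

    def get(self, url, max_hops=10):
        for _ in range(max_hops):
            u = urlparse(url)
            query = {k: v[0] for k, v in parse_qs(u.query).items()}
            kind, target, set_cookies = self.gates[u.hostname].handle(
                u.path, query, self.cookies_for(u.hostname), self.creds)
            for domain, name, value in set_cookies:
                self.jar[(domain, name)] = value
            if kind != "redirect":
                return kind, target
            url = target
        return "deny", "too many redirects"


def build_environment(directory):
    """Wire the page's topology: host1.domain1.com is the primary authentication server."""
    server = AccessServer(directory)
    gates = {h: WebGate(h, d, server, "host1.domain1.com")
             for h, d in [("host1.domain1.com", ".domain1.com"),
                          ("host2.domain2.com", ".domain2.com")]}
    return server, gates


if __name__ == "__main__":
    server, gates = build_environment({"alice": "alice-pw"})   # constructed credentials
    b = Browser(gates, {"userid": "alice", "password": "alice-pw"})
    print(b.get("http://host2.domain2.com/xyz.html"), sorted(b.jar))
    print(b.get("http://host1.domain1.com/abc.html"), "logins:", server.logins)
```

Running it shows the whole chain: the first request to host2.domain2.com bounces to the primary, logs in once, comes back through obrar.cgi, and ends with an ObSSOCookie for both .domain1.com and .domain2.com; the later request to host1.domain1.com is served with no second login.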
Question 23. What is an Identity?
Answer: An identity is the virtual representation of an enterprise resource user, including employees, customers, partners and vendors. Identity Management shows the rights and relationships the user has when interacting with a company’s network.
Question 24. What is Oracle Identity Manager?
Answer: In computing, Oracle Identity Manager (OIM) enables enterprises to manage the entire user life-cycle across all enterprise resources both within and beyond a firewall. Within Oracle Identity Management it provides a mechanism for implementing the user-management aspects of a corporate policy.
Question 25. What is Oracle identity and access management?
Answer: Oracle Identity Management, a software suite marketed by Oracle Corporation, provides identity and access management (IAM) technologies. The name of the software suite closely resembles the name of one of its components, Oracle Identity Manager.
Question 26. What is an IAM tool?
Answer: Identity and access management (IAM) is a framework for business processes that facilitates the management of electronic or digital identities. The framework includes the organizational policies for managing digital identity as well as the technologies needed to support identity management.
Question 27. What are the types of Reconciliation in OIM?
Answer:
- Target Resource Reconciliation
- Provisioning
- Trusted Source Reconciliation
Question 28. List the components of OIM?
Answer:
- Reconciliation APIs
- Reconciliation Engine
- Reconciliation Manager
- Remote Manager
Question 29. Different Types of Event Handlers
Answer: Event Handlers are among the most common customizations in OIM 11g implementations. They have been available in OIM for a long time, but with 11g and its new frameworks they are becoming even more popular.
The main types of Event Handlers are:
- Pre-Process: triggered BEFORE the actual transaction is executed
- Post-Process: triggered AFTER the actual transaction is executed, but within the transaction
- Validation: triggered BEFORE the actual transaction starts and can prevent the transaction from happening if the validation fails
Question 30. What is the purpose of rule designer?
Answer: Use this form to create rules that can be applied to password policy selection, automatic group membership, provisioning process selection, task assignment, and pre-populating adapters.
Question 31. What is purpose of Reconciliation Manager?
Answer: Use it to inspect reconciliation event data once reconciliation is complete, and to determine whether an event was received and linked or not.
Question 32. Mention the Connector components in OIM?
Answer: The following components are created when you deploy a connector:
- Reconciliation Field Definitions
- Reconciliation Field Mappings
- Reconciliation Rules
- Reconciliation Action Rules
- Reconciliation Provisioning Tasks
- IT Resource
- IT Resource Type
- Lookup Definitions
- Scheduled Tasks
- Resource Object
- Process Form
- Provisioning Process, Process Tasks, and Adapters
Question 33. Difference between OIM 10g and OIM 11g
Answer:
- 10g Request Management has been replaced by a SOA composite with a customized schema accommodating BPEL and Human Task.
- The reconciliation engine has been rewritten in 11g to improve performance by introducing a cache mechanism.
- OES libraries are used as the authorization engine, whereas 10g had its own object- and view-based authorization.
- A plug-in services platform is introduced in 11g for easier customization; it can be roughly mapped to the entity adapter functionality in 10g.
- Groups in 10g are now called Roles in 11g, with some modifications that make them more like LDAP roles.
| OIM 10g | OIM 11g |
|---|---|
| Reconciliation Manager in Design Console | Event Management in Admin Console |
| Object Form | Request Dataset |
| Creation of new IT Resource from Design/Admin Console | Creation of new IT Resource from Admin Console |
| Struts-based UI | ADF-based UI |
| Approval workflow creation from Design/Admin Console | Approval workflow creation from IDE using SOA plug-in |
| Custom workflow engine | BPEL as workflow engine |
| No Notification Tasks | Notification tasks, separate from Scheduled Task jobs |
| No Approval Policies | Approval Policies |
| No need for BI Publisher | BI Publisher needed for OOTB reporting |
| No need for RCU (Repository Creation Utility) | RCU (Repository Creation Utility) needed |
| Groups | Roles |
| No concept of Request Template | Request Template for controlling the attributes of the request |
| Entity Adapters on User Form | Event Handlers on User Form |
| Supports only old APIs | Supports old and new APIs |
Question 34. What are the benefits of Identity Management?
Answer:
- Centralized auditing and reporting – know who did what and report on system usage.
- Reduced IT operating costs – an immediate return on investment is realized by eliminating paper forms, phone calls and wait time for new account generation, and by enabling user self-service and password management.
- Minimized security risk – control access to the network and instantaneously update accounts in a complex enterprise environment, including layoffs, acquisitions, partner changes, and temporary and contract workers.
- Improved quality of IT services.
- Legal compliance – many government mandates require secure control of access.
Question 35. Explain the Architecture of Oracle identity Manager?
Answer: The Oracle Identity Manager architecture consists of three tiers:
Tier 1: Client: The Oracle Identity Manager application GUI components reside in this tier. Users log in by using the Oracle Identity Manager client. The client interacts with the Oracle Identity Manager server, providing it with the user’s login credentials.
Tier 2: Application Server: The second tier implements the business logic, which resides in the Java Data Objects managed by the supported J2EE application server (JBoss Application Server, BEA WebLogic, or IBM WebSphere). The Java Data Objects implement the business logic of the Oracle Identity Manager application, but their methods are not exposed to the outside world. Therefore, to access the business functionality of Oracle Identity Manager, you use the API layer within the J2EE infrastructure, which provides the lookup and communication mechanism.
Tier 3: Database: The third tier consists of the database. This layer is responsible for managing the storage of data within Oracle Identity Manager.
Question 35. What is an Adapter? What Adapters are available in OIM?
Answer: An adapter is a Java class that helps automate processes within OIM; it is created by an Oracle Identity Manager user through the Adapter Factory.
- Process Task adapters – automate completion of a process task and are attached to a Process Definition Form (AD user, OID user, etc.).
- Entity Adapter – automatically populates a field on the OIM User form or a custom User Form on pre-update, pre-delete, pre-insert, post-insert, post-update, or post-delete.
- Pre-Populate Adapter – a specific type of rule generator attached to a user-created form field that can automatically generate data for the form; it does not save that data to the OIM database, but does send the information to the appropriate directory user object. The data can come from manual entry on a form or from automated entry from the OIM-defined forms.
- Rule Generator – can populate fields automatically on an OIM form or a user-created form and save them to the OIM database based on business rules.
- Task Assignment Adapter – automates the assignment of a process task to a user or group.
Question 36. What is Form Version Control Utility (FVC) and why it is used?
Answer: Process forms and child forms are used to hold account data of OIM users. You can upgrade a form by adding, modifying, or removing fields on the form. For example, as part of an upgrade operation, you might add the Hire Date field and remove the Country of Origin field from a form. In addition, fields might be moved from the parent form to the child form. The Oracle Identity Manager Form Version Control (FVC) Utility facilitates the management of form data changes after a form upgrade operation.
The FVC Utility is a command-line utility that works directly on the Oracle Identity Manager database. When you install the Oracle Identity Manager Design Console, the utility is present in the OIM_DC_HOME directory. You use a properties file to specify the form data updates that the utility must perform. The utility supports field mapping and data updates on a provisioning process form and its associated child forms.
Question 37. What is Oracle Identity Manager Roles?
Answer:
An Oracle Identity Manager role is used to define the access rights that an entity may have. Roles use unique role names to differentiate them within the Oracle Identity Manager environment. A role may be associated with one or more access rights to Oracle Identity Manager functions. For example, a single role can enable a user to create other Oracle Identity Manager user accounts and manage a specific organization. Roles determine the links and menus that are available to users when they log in to the console.
Roles assigned to organizations determine the access rights that members of that organization inherit. Users may also be assigned a role directly instead of inheriting it through the organizational structure. As with organizations, roles can be organized into a hierarchical structure.
This hierarchical structure enables roles to inherit access rights from other roles, creating parent and child roles.
Roles are closely tied to the access rights users have to use resources.
Question 38. Explain Role Category?
Answer:
Roles can be grouped into a category, organizing the roles for the purpose of navigation and authorization. Two categories exist by default in an out-of-the-box installation of Oracle Identity Manager:
- OIM Roles: The OIM Roles category contains the list of predefined roles that exist in Oracle Identity Manager by default. These roles are primarily used for managing permissions and access rights to menu items, links, and buttons within the Oracle Identity Manager environment.
- Default: Any roles created within Oracle Identity Manager that are not assigned to a category at the time of creation are assigned to the Default category by default. Create role categories to organize the custom roles to be created for managing organizations.
Question 39: Describe the Architecture of OAM 11g?
Answer: Oracle Access Manager resides on the Oracle WebLogic Administration Server (known as AdminServer). WebLogic Managed Servers hosting OAM runtime instances are known as OAM Servers. OAM 11g is a J2EE application.
The following components are involved in OAM:
- Webgate
- OAM Server
- OAM Console
Oracle Access Manager (OAM) provides centralized, policy-driven services for authentication, single sign-on (SSO), and identity assertion
Question 40: What is WebGate Agent?
Answer: An OAM agent, also known as a WebGate, is a pre-packaged web-server plug-in that communicates with the OAM server. There are two versions of OAM agents, namely 11g WebGates and 10g WebGates.
Question 41: What is SSO?
Answer: SSO (Single Sign On), provides the ability to login to one application once, and login to same/other applications linked to same OAM without prompting for password.
Question 42: What is the difference between authentication and authorization in OAM?
Answer: Authentication verifies a user's identity by obtaining credentials, and it is always followed by the authorization process. Authorization allows or denies an authenticated user access to the applications or pages they are entitled to.
Question 43: What is authorization module in OAM?
Answer: An authorization policy/module is to specify the conditions under which a subject or identity has access to a particular resource.
Question 44: How many types of resources are available in OAM and what is the use of Resources?
Answer:
- Protected Resource — URLs protected by OAM
- Public Resource — URLs not protected by OAM (public)
Question 45: What is the use of anonymous scheme in OAM?
Answer: Unprotected resources must be included in an authentication policy that uses an authentication scheme with a protection level of 0. Most often this will be the anonymous authentication scheme.
Question 46: What is the major difference between OAM 10g and OAM 11g?
Answer:
- Architecture Components
11g: Agents (WebGate, Access Client, mod_osso, and IAMSuiteAgent), OAM Server, and the Oracle Access Manager Console (installed on the WebLogic Administration Server)
10g: Resource WebGate (RWG), Authentication WebGate (AWG), AccessGate, Access Server, and Policy Manager
- OAM 11g uses a host-based authentication cookie, whereas 10g uses a domain-based cookie.
- Cryptographic keys: one per agent in OAM 11g; one global shared secret key for all WebGates in OAM 10g.
Question 46: What is the use of Host Identifier?
Answer: Policies protect resources on computer hosts. Within Oracle Access Manager, the computer host is specified independently using a host identifier.
Question 47: What is persistent session management in OAM?
Answer: The session is created in the distributed in-memory cache. A copy is available in the local in-memory cache on the computer hosting the resource. If session persistence to database is enabled, the session is also written to the database.
Question 48: Explain the process of protecting web application using OAM and SSO login flow?
Answer:
- Register the WebGate agent
- Copy the generated files and artifacts to the WebGate instance location
Question 49: What are Header Variables and how are they useful?
Answer: Depending on the actions (responses in Access Manager) specified for authentication success and authentication failure, the user may be redirected to a specific URL, or user information might be passed on to other applications through a header variable or a cookie value.
Question 50: What is the difference between Access Gate and Web Gate?
Answer:
- A WebGate is a web-server plug-in for Oracle Access Manager (OAM) that intercepts HTTP requests and forwards them to the Access Server for authentication and authorization.
- An AccessGate is a custom access client developed using the Access SDK to protect non-web-based applications with OAM 11g.
Question 51: What is authentication Policy in OAM?
Answer: Authentication policies are used to protect specific resources. The authentication policy provides the sole authentication method for resources governed by the policy. Each authentication policy defines the type of verification that must be performed to provide a sufficient level of trust for Access Manager to grant access to the user making the request.
Question 52: Explain the high level steps for Integrating E-Biz R12.2 with OAM 11gR2?
Answer:
- Install the database for OAM/OID
- Run RCU
- Install WebLogic, IDAM, OID and OHS
- Create the domain for OAM and OID
- Upgrade OPSS
- Create DIP to integrate AD with OID
- Apply EBS 12.2 patches for OAM
- Install and configure AccessGate on 12.2
- Integrate EBS with OID
Question 53: What is the difference between SSO and ESSO?
Answer: SSO enables Single Sign-On for Oracle products, whereas ESSO enables Single Sign-On for both Oracle and non-Oracle products, including the desktop, Windows password reset, etc.
Question 54: What are different types of Identity Store?
Answer:
- System Identity Store — used to authenticate system users such as weblogic
- Default Identity Store — used as the default authentication store for other users/applications
Question 55: What is the use of Reverse Proxy?
Answer: A proxy server is a go-between or intermediary server that forwards requests for content from multiple clients to different servers across the Internet. Typically a reverse proxy is used to hide application server from end-users and/or for URL masking.
Question 56: Name some new features of OAM11gR2?
Answer:
- Dynamic Authentication — the ability to define which authentication scheme should be presented to a user based on some condition.
- Persistent Login (Remember Me) — the ability to let users log in without credentials after the first-time login.
- Policy Evaluation Ordering — the out-of-the-box algorithm is based on the "best match" algorithm for evaluating policies.
- Delegated Administration — the ability to select users who can administer their own application domains.
- Unified Administration Console — the console screen has a new look; a new single 'Launch Pad' screen with services that are enabled based on user roles.
- Session Management — the ability to set idle session timeouts at the application domain level.
Question 57. What are Authorization Policies in OAM?
Answer: Authorization is the process of determining if a user has a right to access a requested resource. Administrators can create one or more authorization policies to specify the conditions under which a subject or identity has access to a resource. A user might want to see data or run an application program protected by a policy. The requested resource must belong to an application domain and be covered within that domain by a specific authorization policy.
Question 58. Explain Authentication Modules.
Answer: An authentication module can be thought of as the component in which user authentication actually takes place.
The smallest executable unit of an authentication scheme. Several pre-defined modules are provided. Each module contains standard plug-ins. The authentication module determines the exact procedure to be followed and the method for challenging the user for credentials.
Question 59. Explain Authentication Scheme.
Answer: Authentication Scheme defines which type of Authentication Module we are going to use for Authentication.
A named component that defines the challenge mechanism, level of trust, and the underlying authentication module required to authenticate a user. It also contains some general information about itself. Authentication schemes are defined globally, to ensure that a small number of Security Administrators define them in a consistent, secure way. There are several default authentication schemes provided with Oracle Access Manager 11g.
Question 60. Explain Authentication Policies.
Answer: Authentication Policy defines the level of protection. Authentication policies specify the authentication methodology to be used for authenticating the user for whom the access must be provided on a given resource. Policies define the way in which the resource access is to be protected.
After a policy has been evaluated, two standard actions are performed:
- The result is returned.
- The user is shown something based on that result: either the requested URL (on Success, allow) or the URL of a generic error page (on Failure, deny). Either or both results can be overridden on a policy-by-policy basis.
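As an added illustration (not Oracle's code), the following Python model ties together the ideas from Questions 44, 45, 49, 57 and 60: a public resource under an anonymous scheme at protection level 0, a protected resource whose authentication policy carries a higher level, authorization conditions, and the two standard outcomes (the requested URL on success, a generic error page on failure) plus a header variable response. Assumptions: "best match" is modelled as longest URL-prefix match, and all paths, scheme names, group names and the header name are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AuthnScheme:
    name: str
    level: int                      # protection level; 0 = anonymous scheme


@dataclass
class Policy:
    url_prefix: str                 # resource pattern inside the application domain
    scheme: AuthnScheme             # authentication policy: which scheme protects it
    conditions: list = field(default_factory=list)       # authorization conditions
    success_headers: dict = field(default_factory=dict)  # header variables on allow


@dataclass
class Session:
    user: Optional[str] = None      # None = not yet authenticated
    authn_level: int = 0            # level already satisfied by the SSO session
    groups: frozenset = frozenset()


ERROR_PAGE = "/oam/generic-error"   # constructed path for the generic failure page


def best_match(policies, url):
    """'Best match' is assumed here to mean the longest matching URL prefix."""
    matches = [p for p in policies if url.startswith(p.url_prefix)]
    return max(matches, key=lambda p: len(p.url_prefix)) if matches else None


def evaluate(policies, url, session):
    """Return (decision, next_url, headers) for one request."""
    policy = best_match(policies, url)
    if policy is None:                          # resource outside every policy
        return "deny", ERROR_PAGE, {}
    if session.authn_level < policy.scheme.level:
        # Protection level not yet met: challenge the user with the policy's scheme.
        return "authenticate", f"/oam/login?scheme={policy.scheme.name}", {}
    if any(not cond(session) for cond in policy.conditions):
        return "deny", ERROR_PAGE, {}           # authorization failure
    headers = {k: v.format(user=session.user or "anonymous")
               for k, v in policy.success_headers.items()}
    return "allow", url, headers                # user is shown the requested URL


# Constructed sample application domain: a public area and a protected area.
ANONYMOUS = AuthnScheme("AnonymousScheme", level=0)
LDAP = AuthnScheme("LDAPScheme", level=2)
POLICIES = [
    Policy("/portal/public/", ANONYMOUS),
    Policy("/portal/", LDAP,
           conditions=[lambda s: "employees" in s.groups],
           success_headers={"OAM_REMOTE_USER": "{user}"}),
]
```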
Question 61. Explain Resource Types.
Answer: A resource type describes the kind of resource to be protected.
Each resource is defined using a single resource type. However, you can define any number of resources using that type.
Before you can add resources to an application domain for protection, their resource type must be defined. Administrators typically use the default resource type, HTTP, but non-HTTP types can be defined. When adding a resource to an application domain, administrators must choose from a list of defined resource types, then enter a specific URL. For HTTP-type resources, include a host identifier. For non-HTTP resource types, use the type name.
The default resource type, HTTP, is used with HTTP and HTTPS protocols. Operations associated with the HTTP resource type need not be defined by an administrator. Instead, policies developed and applied to the resource apply to all operations. When adding an HTTP type resource to an application domain, administrators must choose from a list of existing host identifiers and add the resource URL.
Administrators can define a resource type for non-HTTP resources. Non-HTTP resource types have no associated host identifier. When adding non-HTTP resources to an application domain, administrators must enter the type name into the Resource URL field as a pointer. The name cannot match any host Identifier (and vice versa). This is not a relative HTTP URL.
For instance, a non-HTTP resource type named wl_authen is available to use with resources deployed in a WebLogic container. Resources of type wl_authen require a custom AccessGate. The protected resource is accessed using its URL on the Oracle WebLogic Server.
Question 62. What is an Identity Store?
Answer: An identity store is a store containing enterprise users and groups. WebLogic comes with an embedded LDAP which is used as the identity store by Fusion Middleware components by default. You can configure external LDAP servers such as OID or AD to be used as identity stores.
Question 63. What are the different types of Identity Store?
Answer:
System Store – represents the identity store holding the groups or users that act as "Administrators" of OAM; only members of this identity store's group/user can perform admin functions via the OAM console.
Default Store – the identity store that is used at the time of patching for migration purposes, or by the Oracle Security Token Service.
What is Security Mode in OAM?
Answer: Security Mode tells OAM what type of communication to use with the WebGate for SSO. Open Mode is the default mode in OAM.
Question 64. Different Types of Security Mode present in OAM
Answer: There are three types of security mode available in OAM:
- OPEN: WebGate to OAM Access Server communication in clear text
- SIMPLE: secure communication between WebGate and OAM Access Server using self-signed certificates provided by the OAM Server
- CERT: secure communication between WebGate and OAM Access Server using certificates signed by a Certificate Authority (CA)
Question 65. What are the types of Reconciliation in OIM?
Answer:
- Target Resource Reconciliation
- Provisioning
- Trusted Source Reconciliation
Question 66. List the components of OIM?
Answer:
- Reconciliation APIs
- Reconciliation Engine
- Reconciliation Manager
- Remote Manager
Question 67. Different Types of Event Handlers
Answer: Event Handlers are among the most common customization in OIM 11g implementations. They have been available in OIM for a long time, but with 11g and its new frameworks, they certainly are becoming even more popular.
The main types of Event Handlers are:
Pre-Process: triggered BEFORE the actual transaction is executed
Post-Process: triggered AFTER the actual transaction is executed, but within the transaction
Validation: triggered BEFORE the actual transaction starts and can prevent the transaction from happening if the validation fails
Question 68. What is the purpose of rule designer?
Answer: Use this form to create rules that can be applied to password policy selection, automatic group membership, provisioning process selection, task assignment, and pre-populating adapters.
Question 69. What is the purpose of Reconciliation Manager?
Answer: You can look here for reconciliation data once reconciliation is complete, and determine whether an event was received and linked or not.
Question 70. Mention the Connector components in OIM?
Answer: The following components are created when you deploy a connector:
- Reconciliation Field Definitions
- Reconciliation Field Mappings
- Reconciliation Rules
- Reconciliation Action Rules
- Reconciliation Provisioning Tasks
- IT Resource
- IT Resource Type
- Lookup Definitions
- Scheduled Tasks
- Resource Object
- Process Form
- Provisioning Process, Process Tasks, and Adapters
Question 72. What Is Oracle Identity Federation?
Answer: Oracle Identity Federation is a complete, enterprise-level and carrier-grade solution for secure identity information exchange between partners. With OIF organizations can do more business online by allowing their business partners secure access to protected applications. OIF significantly reduces the need to create and manage unnecessary identities in an enterprise directory and lowers the ongoing costs of partner integrations through support of industry federation standards. Oracle Identity Federation protects existing IT investments by integrating with a wide variety of data stores, user directories, authentication providers and applications.
Question 73. What Are The Key New Features of OIF (Oracle Identity Federation)?
Answer:
- Multiple federation protocols in a unified, extensible and customizable architecture delivered via the Oracle Universal Federation Framework (OUFF).
- Oracle OpenSSO Fedlet – a simple, lightweight SAML 2.0 component for Service Providers.
- OpenID 2.0 support.
- OOTB integration modules for multiple authentication providers (including Infocard, OAM, OSSO, etc.).
- Advanced support for authentication mechanisms.
- Support for Oracle WebLogic Server.
- Single systems management and administration UI.
- Enterprise-ready operational management and monitoring delivered via integration with Enterprise Manager Fusion Middleware Control.
- Centralized Fusion Middleware logging, auditing, and reporting.
- Unified Identity Management installer.
Question 73. What Is Oracle Virtual Directory?
Answer: Oracle Virtual Directory provides a unified identity service to applications by aggregating identity data without consolidating it. This allows applications to be deployed more quickly by enabling customers to re-use existing identity stores, and by re-using existing identity stores customers see a greater ROI on them as well as reduced compliance costs.
Question 74. What Are The Key New Features Of Ovd?
Answer:
- Unified directory services administration via Oracle Directory Services Manager (ODSM).
- Deployment accelerators.
- Centralized Fusion Middleware logging and auditing.
- Unified Identity Management installer.
- Automated synchronization of OVD cluster configurations.