Top 100+ Oracle Access Manager Interview Questions And Answers
Question 1. What Is Single Sign On?
Answer :
Single Sign-On lets in users to sign up once to a covered software and advantage access to the other blanketed resources inside the same area defined with same authentication degree.
Question 2. What Is Multi Domain Single Sign-on?
Answer :
Multi Domain SSO offers users the potential to get admission to a couple of blanketed resource (URL and Applications), which can be scattered across more than one domains with one time authentication.
Oracle 10g Interview Questions
Question 3. What Is The Authentication Mechanism Used By Oracle Access Manager?
Answer :
ObSSOCookie and it's far stateless.
Question four. Explain Various Security Modes Present In Oracle Access Manager?
Answer :
Open: Allows unencrypted communique. In Open mode, there is no authentication or encryption between the AccessGate and Access Server. The AccessGate does now not ask for proof of the Access Server’s identity and the Access Server accepts connections from all AccessGates. Similarly, Identity Server does no longer require evidence of identity from WebPass.
Simple: Supports encryption by Oracle. In Simple mode communications among Web clients (WebPass and Identity Server, Policy Manager and WebPass, and Access Server and WebGate are encrypted the usage of TLS v1. In each Simple and Cert mode, Oracle Access Manager additives use X.509 digital certificate handiest. This consists of Cert Authentication among WebGates and the Access Server where the usual cert-decode plug-in decodes the certificate and passes certificate information to the usual credential_mapping authentication plug-in. For each public key there exists a corresponding private key that Oracle Access Manager stores in the aaa_key.Pem record for the Access Server (or ois_key.Pem for Identity Server).
Cert: Requires a 3rd-celebration certificate. Use Cert (SSL) mode if you have an internal Certificate Authority (CA) for processing server certificates. In Cert mode, conversation among WebGate and Access Server, and Identity Server and WebPass are encrypted the use of Transport Layer Security, RFC 2246 (TLS v1).
Oracle 10g Tutorial
Question 5. Explain The Architecture Of Oracle Access Manager?
Answer :
Oracle Access Manager architecture specially consists for components consisting of Identity Server, WebPass, Policy Manager, Access Server and a WebGate. Identity Server is a standalone C++ server which communicates at once with LDAP.
It also gets requests and sends response to Webpass. WebPass is a web server plugin that passes data among identification server and webserver. It redirects HTTP requests from browser to Access Server, and sends Identity XML SOAP requests to Identity Server.
Policy Manager (PMP or PAP) is an internet server plugin that communicates without delay with user, configuration and policy repositories. Access Server is a stand on my own C++ server and is likewise known as PDP. It gets requests from & sends responses to WebGates/AccessGates.
It also communicates with LDAP. It solutions Access Server SDK requests. WebGate (PEP) is a web server plugin that passes info among webserver and access server. It passes consumer authentication information to get entry to server for processing.
Oracle 9i Interview Questions
Question 6. What Are The Obssocookie Contents?
Answer :
Cookie consists of encrypted consultation token and non-encrypted statistics.
This Encrypted Session Token consists of : DN of the authenticated user, stage of auth scheme, ip address of purchaser to which cookie was issued, time the cookie is issued, time the cookie was ultimate up to date. If the consumer is not idle, then cookie gets automatically updated at a fixed c language to prevent session timeout. The updated c language is the 1/four th of idle consultation timeout of accessgate.
The Unencrypted ObSSOCookie data includes cookie expiry time, area wherein cookie is legitimate, extra flag that determines if cookie can handiest be sent the use of SSL.
Question 7. What Is The Key Used For Encrypting The Obssocookie?
Answer :
Shared Secret key. It is configured within the Identity Admin console and may be generated by way of the OAM administrator.
Oracle 9i Tutorial Oracle 8i Interview Questions
Question eight. What Happens If The Obssocookie Is Tampered?
Answer :
When get entry to gadget generates ObSSOCookie, MD-5 hash is taken from session token. So while the consumer is authenticated once more using the cookie, the MD5 hash is compared with unique cookie contents. MD-5 hash is a one-manner hash, consequently it cant be unencrypted. Access server compares the cookie contents with hash. If both aren't same, then cookie is tampered in the period in-between. This cookie does no longer comprise username and password.
Question nine. What Is The Difference Between Webgate And Accessgate?
Answer :
WebGate is an out-of-the-box plug-in that intercepts Web aid (HTTP) requests and forwards them to the Access Server for authentication and authorization. An AccessGate is a custom webgate that could intercept requests of HTTP and non-HTTP resources.
Informatica Interview Questions
Question 10. What Are The Major Parameters Defined In An Authentication Scheme?
Answer :
The authentication scheme degree which defines the level of the security defined for an utility.
Oracle 8i Tutorial
Question eleven. Explain The Flow When A User Requests For An Application Protected By Oracle Access Manager?
Answer :
The following steps describes the drift while a consumer makes a request to get right of entry to a aid covered by the Oracle Access Manager:
User requests for a useful resource thru a web browser.
The Webgate intercepts the requests and checks with the Access Server whether or not the aid is included or now not.
If the resource isn't always protected, then the consumer may be shown the asked useful resource.
If the resource is included, then Access Server will take a look at with policy supervisor the authentication scheme configured for that useful resource.
User could be brought on to enter their credentials as consistent with the auth scheme defined for the resource.
Webgate will send the credentials to the Access Server to test it against the backend (LDAP server).
Upon a hit authentication, Access server assessments whether the consumer is authorized to get admission to the aid or no longer.
If the consumer is authorized, then the Access Server will create the consultation identification and passes it to the webgate. An ObSSOCookie is created and might be sent to the user browser and the user can be shown the requested useful resource.
If the consumer isn't legal, then an error page (if its defined in coverage area) can be proven to the consumer.
PL/SQL Interview Questions
Question 12. Explain The Flow Of A Multi Domain Single Sign-on?
Answer :
Multi Domain SSO gives users the capacity to access multiple blanketed resource (URL and Applications), that are scattered throughout a couple of domains with one time authentication.
For multi area SSO to paintings, Access Servers in all domains should use identical coverage directory.
Multi domain works best with net gates, now not Access Gates.
Within each individual domain, each internet gate ought to have same “primary HTTP cookie domain”.
In Multi Domain SSO environment, we need to designate one web server (where net gate is established) as “Primary Authentication Server”. Primary Authentication Server acts as a central server for all authentications in multi domain surroundings. In widespread the webgate installed inside the domain wherein Access server is living will be detailed as the primary authentication server.
Lets expect that OAM additives are established in host1.Domain1.Com and we are able to designate host1.Domain1.Com because the number one authentication server.
Host2.Domain2.Com with net gate (ex: webgate2) established.
A useful resource, abc.Html, is covered with Form base authentication on host1.Mydomain1.Com
A resource, xyz.Html, is blanketed with Basic over LDAP authentication on host2.Mydomain2.Com.
Following are the steps that specify how multi area SSO works:
User initiates a request for a Web page from a browser.
For example, the request will be for host2.Mydomain2/xyz.Html.
Webgate2 (on host2.Domain2.Com) sends the authentication request lower back via the person’s browser in seek of number one authentication server. In this example you've got detailed host1.Domain1.Com to be the primary authentication server.
The request for authentication is despatched from the person’s browser to the primary authentication server, host1.Domain1.Com.
This request flows to the Access Server. The user logs in with the corresponding authentication scheme and the obSSO cookie is about for host1.Domain1.Com. The Access Server additionally generates a session token with a URL that carries the obSSO Cookie.
The consultation token and obSSOCookie are returned to the user’s browser.
The session token and obSSOCookie are sent to host2.Domain2.Com
The Web gate (webgate2) on host2.Domain2.Com sets the obSSOCookie for its personal domain (.Domain2.Com) and satisfies the user’s unique request for the aid host2.Domain2.Com/xyz.Html. User gets the useful resource.
On the equal browser if person accesses the host1.Domain1.Com page then useful resource can be provided with out asking credentials as obSSOCookie is already available with .Domain1.Com (see step three).
Oracle 10g Interview Questions
Question thirteen. What Is An Access Server Sdk?
Answer :
The Access Manager Software Developer’s Kit (SDK) permits you to enhance the get admission to control capabilities of the Access System. This SDK allows you to create a specialised AccessGate. The Access Manager SDK creates an environment if you want to build a dynamic hyperlink library or a shared item to perform as an AccessGate. You additionally need the configureAccessGate.Exe tool to confirm that your purchaser works efficaciously.
Informatica Tutorial
Question 14. What Is An Identity Xml?
Answer :
IdentityXML gives a programmatic interface for carrying out the movements that a user can carry out while having access to a COREid application from a browser. For example, a software can send an IdentityXML request to locate participants of a group defined inside the Group Manager software, or to add a person to the User Manager.
IdentityXML permits you to manner simple moves and multi-step workflows to trade person, institution, and corporation object profiles.
After developing the IdentityXML request, you assemble a SOAP wrapper to ship the IdentityXML request to WebPass the use of HTTP. The IdentityXML API makes use of XML over SOAP. We pass IdentityXML parameters to the COREid Server the use of an HTTP request.This HTTP request contains a SOAP envelope.When WebPass gets the HTTP request, the SOAP envelope indicates that it's miles an IdentityXML request rather than the usual browser request.
The request is forwarded to the COREid Server, where the request is performed and a response is lower back. Alternatively, you could use WSDL to assemble the SOAP request. The SOAP content material seems like this, SOAP envelope (with oblix namespace described), SOAP body (with authentication information), real request (with software name and params). The application name can be userservcenter, groupservcenter or objservcenter (for companies).
Question 15. What Is An Sspi Connector And Its Role In Oracle Access Manager Integrations?
Answer :
The Security Provider for WebLogic SSPI (Security Provider) ensures that most effective suitable customers and organizations can get entry to Oracle Access Manager-blanketed WebLogic resources to carry out precise operations. The Security Provider also permits you to configure unmarried signal-on among Oracle Access Manager and WebLogic resources.
The WebLogic protection framework affords Security Service Provider Interfaces (SSPIs) to defend J2EE packages. The Security Provider takes gain of these SSPIs, enabling you to use Oracle Access Manager to shield WebLogic assets via:
User authentication
User authorization
Role mapping
The Security Provider consists of several character providers, each of which permits a selected Oracle Access Manager feature for WebLogic users:
Authenticator: This protection company uses Oracle Access Manager authentication offerings to authenticate users who get entry to WebLogic packages. Users are authenticated based on their credentials, which include user call and password.
The security company also gives consumer and organization management features. It allows the advent and deletion of users and companies from the BEA WebLogic Server. It additionally gives single signal-on between WebGates and portals.
Identity Asserter: Like the Authenticator, this security issuer makes use of Oracle Access Manager authentication offerings to validate already-authenticated Oracle Access Manager customers the use of the ObSSOCookie and to create a WebLogic-authenticated consultation.
Authorizer: This security company uses Oracle Access Manager authorization offerings to authorize customers who're having access to a covered aid. The authorization is primarily based on Oracle Access Manager regulations.
Role Mapper: This security provider returns protection roles for a user. These roles are defined in Oracle Access Manager, and they are furnished by means of Oracle Access Manager the use of return moves on a unique authentication coverage. This authentication policy consists of a resource with a URL prefix of /Authen/Roles. Role Mapper maps those roles to predefined safety roles in WebLogic.
Oracle 11g Interview Questions
Question 16. Explain The Integration And Architecture Of Oam-oaam Integration?
Answer :
Using those merchandise in aggregate will allow you first-class control over the authentication process and full abilties of pre-/publish- authentication checking in opposition to Adaptive Risk Manager models.
The OAAM’s ASA-OAM integration entails two Oracle Access Manager AccessGates: one for fronting the Web server (a conventional WebGate) to Adaptive Strong Authenticator and one for the embedded AccessGate. The access server SDK to be set up and configureAccessGate device to be run. The ASA bharosa documents to updated with ASDK location. An application to be included using ASA authentication scheme and to be tested for ASA touchdown page for login.
Here is how the flow is going:
User requests for a resource.
Webgate acting within the the front quit for ASA software will intercept the request and will redirect to the ASA application.
The consumer input credentials and the Access SDK setup inside the ASA utility will contact the Access gate which inturn contacts the get admission to server for validating the credentials.
Upon a hit authentication, get entry to server will generate obSSOCookie and will forwards it to the browser.
Then the consumer might be proven the asked aid.
Oracle 11g Tutorial
Question 17. Explain Iwa Mechanism In Oracle Access Manager?
Answer :
The OAM has a function which enables Microsoft Internet Explorer users to routinely authenticate to their Web packages the use of their computing device credentials. This is called Windows Native Authentication.
Person logs in to the computing device machine, and neighborhood authentication is finished the usage of the Windows Domain Administrator authentication scheme.
The person opens an Internet Explorer (IE) browser and requests an Access System-included Web aid.
The browser notes the neighborhood authentication and sends a token to the IIS Web server.
The IIS Web server uses the token to authenticate the person and installation the REMOTE_USER HTTP header variable that specifies the consumer name provided with the aid of the customer and authenticated through the server.
The WebGate installed on the IIS Web server uses the hidden feature of outside authentication to get the REMOTE_USER header variable value and map it to a DN for the ObSSOCookie era and authorization.
The WebGate creates an ObSSOCookie and sends it lower back to the browser.
The Access System authorization and different techniques proceed as usual.
The maximum session timeout length configured for the WebGate is applicable to the generated ObSSOCookie.
SQL Interview Questions
Question 18. Explain Various Major Params Defined In Webgate Instance Profile?
Answer :
Hostname: name of the gadget web hosting the get admission to gate.
Maximum User Session Time: Maximum quantity of time in seconds that a consumer’s authentication consultation is valid, irrespective of their hobby. At the expiration of this session time, the person is re-challenged for authentication. This is a pressured logout. Default = 3600. A value of zero disables this timeout placing.
Idle Session Time (seconds): Amount of time in seconds that a user’s authentication session remains valid without having access to any AccessGate blanketed resources.
Maximum Connections: Maximum number of connections this AccessGate can establish. This parameter is based totally on what number of Access Server connections are defined to each individual Access Server. This variety can be greater than the wide variety allocated at any given time.
IPValidationException: IPValidationException is precise to WebGates. This is a list of IP addresses which might be excluded from IP address validation. It is regularly used for except for IP addresses which might be set by way of proxies.
Maximum Client Session Time :Connection maintained to the Access Server through the AccessGate. If you're deploying a firewall (or any other device) among the AccessGate and the Access Server, this cost have to be smaller than the timeout putting for the firewall.
Failover Threshold: Number representing the factor while this AccessGate opens connections to Secondary Access Servers. If you type 30 on this discipline, and the quantity of connections to number one Access Servers falls to 29, this AccessGate opens connections to secondary Access Servers.
Preferred HTTP Host : Defines how the host name seems in all HTTP requests as they try and get entry to the included Web server. The host call inside the HTTP request is translated into the cost entered into this area irrespective of the manner it changed into described in a user’s HTTP request.
Primary HTTP Cookie Domain: This parameter describes the Web server domain on which the AccessGate is deployed, as an instance, .Mycompany.Com.
IPValidation: IP cope with validation is precise to WebGates and is used to determine whether a customer’s IP cope with is the same as the IP deal with saved inside the ObSSOCookie generated for single sign-on.
Oracle 9i Interview Questions
Question 19. What Is Policy Manager Api?
Answer :
The Policy Manager API presents an interface which permits custom applications to get entry to the authentication, authorization, and auditing services of the Access Server to create and alter Access System coverage domains and their contents.
Question 20. When Do You Need An Access Gate?
Answer :
An get admission to gate is needed rather than a fashionable webgate whilst you need to manipulate get admission to to a aid wherein OAM doesnot offer OOTB answer.
These might consist of:
protection for non-http sources (EJB, JNDI and so forth.,)
Implementation of SSO to protect a aggregate of http and non-http sources.
A document known as obAccessClient.Xml is stored in the server where get entry to gate is set up. This report carries config params entered via the configureAccessGate device.
Oracle apps Interview Questions
Question 21. Explain The Flow When A User Makes A Request Protected By An Access Gate (no longer Webgate)?
Answer :
The flow is proven beneath:
The application or servlet containing the access gate code receives resource request from the consumer.
The get entry to gate code constructs ObResourceRequest shape and get admission to gate contacts Access server to find whether resource is protected or now not.
The get entry to server responds.
If the aid isn't protected, get entry to gate lets in person to get entry to the resource. Otherwise..,
Access Gate constructs ObAuthenticationScheme shape to ask Access Server what credentials the user desires to deliver.
The get admission to server responds.
The application uses a form or a few other method to fetch the credentials.
The AccessGate constructs ObUserSession structure which affords user details to Acc Server.
If credentials are verified valid, get admission to gate creates a session token for the person after which sends an authorization request to the get admission to server.
Access server validates if the user is authz to get right of entry to that useful resource.
Access gate permits user to get entry to the asked resource.
Question 22. Explain How Form Login Works If The Form Login Page Is Present In Different Domain From Oam?
Answer :
The mechanism right here is equal as how the multi domain SSO works. Importantly, all of the sports for shape authentication are finished between the browser and one web server.
Now, think you want to access a resource http://www.B.Com/pageB.Html but nevertheless be authenticated via the login form on www.A.Com.
The authentication scheme required by means of pageB wishes to have a redirect URL set to http://www.A.Com.
The WebGate at www.B.Com redirects you to the NetPoint URL obrareq.Cgi on www.A.Com, with a question string that consists of the original request (wu and wh).
The WebGate on www.A.Com will decide that you want to do a shape login for that useful resource, so it's going to set the ObFormLoginCookie with the wu and wh values from the query string, but will set the ru discipline to /obrareq.Cgi. WebGate on A then redirects your browser to the login shape on A.
When you publish your credentials lower back to A, the ObFormLoginCookie is ready back. WebGate on A authenticates your userid and password, units the ObSSOCookie for the .A.Com area and redirects you back to the ru fee from the ObFormLoginCookie, that's /obrareq.Cgi.
This time while your browser requests http://www.A.Com/obrareq.Cgi, it will bypass the ObSSOCookie.
WebGate will then redirect your browser again to the B webserver, http://www.B.Com/obrar.Cgi, with the cookie cost and the unique URL within the query string.
The WebGate on www.B.Com will extract the cookie value and set the ObSSOCookie for domain .B.Com, and ultimately redirect you to http://www.B.Com/pageB.Html that you at the start requested.
