Interview Questions.

Q1. What Is The Difference Between Webgate And Accessgate?
WebGate is an out-of-the-box plug-in that intercepts Web resource (HTTP) requests and forwards them to the Access Server for authentication and authorization. An AccessGate is a custom webgate that can intercept requests of HTTP and non-HTTP resources.

Q2. Explain The Architecture Of Oracle Access Manager?
Oracle Access Manager architecture mainly consists for components such as Identity Server, WebPass, Policy Manager, Access Server and a WebGate. Identity Server is a standalone C++ server which communicates directly with LDAP.
It also receives requests and sends response to Webpass. WebPass is a web server plugin that passes info between identity server and webserver. It redirects HTTP requests from browser to Access Server, and sends Identity XML SOAP requests to Identity Server.
Policy Manager (PMP or PAP) is a web server plugin that communicates directly with user, configuration and policy repositories. Access Server is a stand alone C++ server and is also called PDP. It receives requests from & sends responses to WebGates/AccessGates.
It also communicates with LDAP. It wers Access Server SDK requests. WebGate (PEP) is a web server plugin that passes info between webserver and access server. It passes user authentication data to access server for processing.
Q3. What Is The Authentication Mechanism Used By Oracle Access Manager?
ObSSOCookie and it is stateless.

Q4. Explain Iwa Mechanism In Oracle Access Manager?
The OAM has a feature which enables Microsoft Internet Explorer users to automatically authenticate to their Web applications using their desktop credentials. This is known as Windows Native Authentication.

user logs in to the desktop machine, and local authentication is completed using the Windows Domain Administrator authentication scheme.
The user opens an Internet Explorer (IE) browser and requests an Access System-protected Web resource.
The browser notes the local authentication and sends a token to the IIS Web server.
The IIS Web server uses the token to authenticate the user and set up the REMOTE_USER HTTP header variable that specifies the user name supplied by the client and authenticated by the server.
The WebGate installed on the IIS Web server uses the hidden feature of external authentication to get the REMOTE_USER header variable value and map it to a DN for the ObSSOCookie generation and authorization.
The WebGate creates an ObSSOCookie and sends it back to the browser.
The Access System authorization and other processes proceed as usual.
The maximum session timeout period configured for the WebGate is applicable to the generated ObSSOCookie.
Q5. Explain The Flow When A User Requests For An Application Protected By Oracle Access Manager?
The following steps describes the flow when a user makes a request to access a resource protected by the Oracle Access Manager:

User requests for a resource through a web browser.
The Webgate intercepts the requests and checks with the Access Server whether the resource is protected or not.
If the resource is not protected, then the user will be shown the requested resource.
If the resource is protected, then Access Server will check with policy manager the authentication scheme configured for that resource.
User will be prompted to enter their credentials as per the auth scheme defined for the resource.
Webgate will send the credentials to the Access Server to check it against the backend (LDAP server).
Upon successful authentication, Access server checks whether the user is authorized to access the resource or not.
If the user is authorized, then the Access Server will create the session id and passes it to the webgate. An ObSSOCookie is created and will be sent to the user browser and the user will be shown the requested resource.
If the user is not authorized, then an error page (if its defined in policy domain) will be shown to the user.
Q6. What Is Policy Manager Api?
The Policy Manager API provides an interface which enables custom applications to access the authentication, authorization, and auditing services of the Access Server to create and modify Access System policy domains and their contents.

Q7. What Is The Key Used For Encrypting The Obssocookie?
Shared Secret key. It is configured in the Identity Admin console and can be generated by the OAM administrator.

Q8. Explain How Form Login Works If The Form Login Page Is Present In Different Domain From Oam?
The mechanism here is same as how the multi domain SSO works. Importantly, all of the activities for form authentication are carried out between the browser and one web server.

Now, suppose you want to access a resource http://www.B.com/pageB.html but still be authenticated by the login form on www.A.com.

The authentication scheme required by pageB needs to have a redirect URL set to http://www.A.com.
The WebGate at www.B.com redirects you to the NetPoint URL obrareq.cgi on www.A.com, with a query string that contains the original request (wu and wh).
The WebGate on www.A.com will determine that you need to do a form login for that resource, so it will set the ObFormLoginCookie with the wu and wh values from the query string, but will set the ru field to /obrareq.cgi. WebGate on A then redirects your browser to the login form on A.
When you post your credentials back to A, the ObFormLoginCookie is set back. WebGate on A authenticates your userid and password, sets the ObSSOCookie for the .A.com domain and redirects you back to the ru value from the ObFormLoginCookie, which is /obrareq.cgi.
This time when your browser requests http://www.A.com/obrareq.cgi, it will pass the ObSSOCookie.
WebGate will then redirect your browser back to the B webserver, http://www.B.com/obrar.cgi, with the cookie value and the original URL in the query string.
The WebGate on www.B.com will extract the cookie value and set the ObSSOCookie for domain .B.com, and finally redirect you to http://www.B.com/pageB.html that you originally requested.
Q9. Explain The Flow Of A Multi Domain Single Sign-on?
Multi Domain SSO gives users the ability to access more than one protected resource (URL and Applications), which are scattered across multiple domains with one time authentication.

For multi domain SSO to work, Access Servers in all domains must use same policy directory.
Multi domain works only with web gates, not Access Gates.
Within each individual domain, each web gate must have same “primary HTTP cookie domain”.
In Multi Domain SSO environment, we should designate one web server (where web gate is installed) as “Primary Authentication Server”. Primary Authentication Server acts as a central server for all authentications in multi domain environment. In general the webgate installed in the domain where Access server resides will be designated as the primary authentication server.

Lets assume that OAM components are installed in host1.domain1.com and we will designate host1.domain1.com as the primary authentication server.

Host2.domain2.com with web gate (ex: webgate2) installed.
A resource, abc.html, is protected with Form base authentication on host1.mydomain1.com
A resource, xyz.html, is protected with Basic over LDAP authentication on host2.mydomain2.com.
Following are the steps that explain how multi domain SSO works:

User initiates a request for a Web page from a browser.
For instance, the request could be for host2.mydomain2/xyz.html.
Webgate2 (on host2.domain2.com) sends the authentication request back through the user’s browser in  search of primary authentication server.  In this example you have designated host1.domain1.com to be the primary authentication server.
The request for authentication is sent from the user’s browser to the primary authentication server, host1.domain1.com.
This request flows to the Access Server. The user logs in with the corresponding authentication scheme and the obSSO cookie is set for host1.domain1.com. The Access Server also generates a session token with a URL that contains the obSSO Cookie.
The session token and obSSOCookie are returned to the user’s browser.
The session token and obSSOCookie are sent to host2.domain2.com
The Web gate (webgate2) on host2.domain2.com sets the obSSOCookie for its own domain (.domain2.com) and satisfies the user’s original request for the resource host2.domain2.com/xyz.html. User gets the resource.
On the same browser if user accesses the host1.domain1.com page then resource will be presented without asking credentials as obSSOCookie is already available with .domain1.com (see step 3).
Q10. Explain The Integration And Architecture Of Oam-oaam Integration?
Using these products in combination will allow you fine control over the authentication process and full capabilities of pre-/post- authentication checking against Adaptive Risk Manager models.

The OAAM’s ASA-OAM integration involves two Oracle Access Manager AccessGates: one for fronting the Web server (a traditional WebGate) to Adaptive Strong Authenticator and one for the embedded AccessGate. The access server SDK to be installed and configureAccessGate tool to be run. The ASA bharosa files to updated with ASDK location. An application to be protected using ASA authentication scheme and to be tested for ASA landing page for login.

Here is how the flow goes:

User requests for a resource.
Webgate acting in the front end for ASA application will intercept the request and will redirect to the ASA application.
The user enter credentials and the Access SDK setup in the ASA application will contact the Access gate which inturn contacts the access server for validating the credentials.
Upon successful authentication, access server will generate obSSOCookie and will forwards it to the browser.
Then the user will be shown the requested resource.