|Which statement is true about a single sign-on operation initiated from a Service Provider using SMAL 2.0
In Oracle Identity Federation (OIF)? Oracle Access Manager is required as a Service Provider integration module. An Oracle Access Manager WebGate is needed to protect the target web resource and redirect requests to OIF. HTTP post binding is only supported. Any HTTP request hitting the target resource is redirected to the Service Provider’s OIF instance.
What would you need to configure to use Oracle Adaptive Access Manager (OAAM) along with Mobile Single Sign-On, by using Oracle Access Management Mobile services? An appropriate security handler plug-in name needs to be configured for the Mobile Service domain to use OAAM. An authentication scheme needs to be configured for the Mobile Service domain to reflect OAAM use. A separate application profile needs to be created for OAAM. The Mobile Service domain needs to specify a configuration for OAAM.
You have configured a new pattern in Oracle Adaptive Access Manager (OAAM) to capture login times of devices. Your customer wants to ensure that devices that are used outside their normal times are blocked. After creating your pattern, which two additional steps must you perform to configure OAAM to meet this requirement? Create a transaction definition for the pattern. Create a new rule in an existing policy that contains an appropriate condition to evaluate your new pattern. Linkyour chosen policy to the appropriate user groups. Configure a block action for your new rule. Restart the OAAM Managed Server for the pattern to take effect.
Identify two Oracle products that have a certified out-of-the-box integration with Oracle Entitlemets Server 11g. Oracle API Gateway Oracle Virtual Private Database Oracle Service Bus Oracle Service Registry Oracle NoSQL Database.
How would you configure an authentication policy for federation in Oracle Access Management 11gR2? There are no authentication policies for federation. Authentication policies are defined in the Oracle Identity Federation (OIF) console. Authentication policies are defined in the Oracle Access Management console for each domain. Authentication policies are provided in assertions.
What performance data can you see from the Oracle Adaptive Access Manager (OAAM) 11g admin dashboard? Average processing times Number of threads running CPU utilization Memory utilization.
Which statement is true about Oracle Access Manager 11g session management? Oracle Access Manager 11g uses Coherence to reliabley cache millions of users sessions. Oracle Access Manager 11g uses encrypted cookies that track the login time, authentication level, and the idle and maximum session times. Oracle Access Manager 11g session information is stored in lightweight directory access protocol
(LDAP) directory. Oracle Access Manager 11g requires an Oracle database to reliably store session information.
What value will you define in the Oracle Access Manager resource URL field to allow access to an application under the context root /procurement? /procurement /procurement/* /procuremen t/ … /procurement/…/*.
OAM-OAAM basic integration, which is a native integration, requires the OAM server and OAAM admin server in the same access management domain.
Which two statements are true in the case of OAM-OAAM basic integration?
This is unique case in which OAAM data in stored in the OAM schema. The OAAM Managed Server needs to be configured in a separate domain. The OAAM extension libraries are bundled with the OAM server. The knowledge-Based Authentication (KBA) challenge mechanism is available in this integration. Supported agents for this deployment are WebGate 10gand 11g.
Which two cookies are created when you log in to Oracle Access Manager 11g with WebGates? ObSSOCooKie OAM_ID OAM_AuthnCookie OAM_AuthzCookie _WI_AUTHCOOKIE_JSESSIONID.
Which three types of attributes does Oracle Entitlements Server support? Resource attributes Dynamic attributes Context attributes Information attributes Request attributes.
When managing Token Issuance conditions and rules in Security Token Service, who is granted access to a requested resource through the Allow type rule? Only partners are granted access; everyone else is denied access to the resource. Only the partners and users listed in a condition are granted access; everyone else is denied access to the resource. Users listed in a condition are granted access; everyone else is denied access to the resource. Only Relying Party Partners are granted access; everyone else is denied access to the resource.
Which component acts as the certified WS-Trust client that can be used to communicate with Security Token Service? Token Consumer Token Administrator OWSM Agent OPSS Security Keystore User Name Token (UTN) WS Policy.
At what checkpoint would you create a challenge policy for Knowledge-Based Authentication for online user authentication? Pre- authentication AuthentiPad Post - Authentication Device Identification.
What are the three main roles that can be adopted by Oracle Access Management and Oracle Fusion Middleware components when using the Identity Context? Publisher Consumer Propagator Generator Evaluator Authorizer.
Identify three uses of the Knowledge-Based Authentication functionality provided by Oracle Adaptive Access Manager. First authentication for forgot password Second factor authentication for change password Offline SMS PIN-based authentication High risk user authentication User authorization.
Which statement is true about Service Providers and Service Profiles in Oracle Access Management Mobile and Social? A Service Provider instance may or may not have a corresponding Service Profile instance. A Service Profile instance may or may not have a corresponding Service Provider instance. Each Service Provider instance requires at least one corresponding Service Profile instance. One Service Profile cannot be assigned to multiple Service Domains.
When defining an attributed on the Relaying Party Partner Profile in Security Token Service, which three types of attribute source are supported? User Store (LDAP) CSV File Incoming Token Data XML File Static Value User Store (Oracle Identity Analytics – Identity Warehouse).
Identify two functions of the heartbeat check performed by Oracle Access Manager Access Servers. It Checks if an LDAP store can be accessed. It Checks if a WebGate can be accessed. It Checks if a session cache store can be accessed. It Checks if a policy store can be accessed. It Checks if a database can be accessed.
What would you need to configure to migrate all agents (WebGates) with different transport security Modes from Oracle Access Manger 10g to Oracle Access Manager 11g in the same transport security mode. Set the migration_mode property in the eam_migration.properties file to COMPLETE. Set the agent_mode_to_override property in the oam_migration.properties file to the new security mode. Set the agent_mode_to_override property in the oam_migration.properties file to RETAIN_EXISTING. No configuration is required because this is done by default.
Which three statements are true about OAM-OAAM advanced integration? Advanced integration using Trusted Authentication Protocol (TAP) is a vailable for OAAM 220.127.116.11.0 and later only. Advanced integration without using TAP does not require the OAAM Managed Server, whereas advanced integration using TAP requires the OAAM Managed Server. Advanced integration with TAP works with both WebGate 10g and 11g, whereas advanced integration without TAP works with WebGate 10g only. Advanced integration with TAP works with WebGate 10g only, whereas advanced integration without TAP works with both WebGate 10g and 11g. In case of advanced integration using TAP, OAM acts as an asserter and not an authenticator.
Identify three attributes that are a part of mobile device fingerprinting by default when Oracle Adaptive Access Manager is used. Operating System Type Hardware IMEI Number Hardware MAC Address Hardware Make and Model Hardware IP Address.
Identify two ways in which you can specify trusted Identity Provider (IdP) partners while configuring Service Providers (SP) in Oracle Access Management Identity Federation. Manually create a new IdP configuration and fill the form with all attributes. Import the metadata file generated from an IdP deployment to create a new Identity Provider configuration. Automatic discovery of an IdP populates the configuration data. A request can be broadcast to all IdPs and the one that matches returns its configuration data is populated. A sample XML configuration file is provided, which needs to be modified, and the server needs to be
Which service does the Session Management Engine (SME) use internally to provide a high performance, distributed caching system, and to enable the monitoring and management of user sessions in real time? Oracle ADF Oracle Coherence WebGates Oracle Adaptive Access Manager.
Identify two services offered by the Oracle Access Management Suite Plus 11g. Web-perimeter security functions Identity Context Identity Provisioning Privileged Accounts Management Entitilement Certification.
Identify three required steps for configuration OAM-OAAM basic integration. Set the OAAMEnabled property to true in oam-config.xml. Target the OAAM JDBC data source to the OAM Managed Server. Protect a resource in an authentication policy using the OAAMBasic authentication scheme. Install SOA Suite and configure the Unified Messaging Service (UMS) delivery channel for One Time Pin (OTP). Install and configure Oracle Entitlements Server (OES).
How are Mobile and Social services enabled in Oracle Access Management Suite 11gR2? by always installing them separately from Access Manager in order to be enabled by clicking the appropriate button in the System Configuration section of Available Services by clicking the appropriate button in the System Configuration section of Common Settings by clicking the appropriate button in the System Configuration section of Plugins.
Identify two settings in the Authentication Scheme definition of Oracle Access Manager 11g. Authentication Password Challenge Method Authentication Level Error Message Authentication Id.
You are configuring Oracle Entitlements Server (OES) and have a requirement to make a connection to an external Policy Information Point (PIP) in order to retrieve an attribute for use in a condition. You need to modify the security module configuration to configure the PIP. Which two options do you have for making this modification? Configure the PIP settings in your OES policy and distribute it to each security module as part of the policy distribution.
Manually edit the jps-config.xml file on each security module. Use the OES admin console to define the PIP settings and write them to a database for each security module to retrieve during bootstrap. Use the SMConfig UI to configure the settings.
Which statement is true about moving Oracle Access Management Mobile and Social from a test Environment to a production environment? A new application profile needs to be created always for Internet Identity Services. The Challenge Redirect URL in authentication schemes need to be updated. The cwallet.sso file needs to be edited for the production host. The merge-creds.xml file needs to be created on the production host.
Which two statements are true about Oracle Access Manger 11g data sources? A System Store is optional. A system Store is optional. Embedded LDAP is configured as the default User identity Store for Oracle Access Management. Only one User Identity Store can and must be designated as te4h System Store. You can define as many User identity Stores as the System Store. A System Store contains policy data, including password management data.
From Oracle Access Manager 11g R1-PS1(and R2) onward, resource definitions in the policy model have a field protection level that can be protected, unprotected, or excluded. What the correct behavior for a request that has excluded protection level? Authentication is always performed but session validation is not performed. Authentication is not performed but session validation is always performed. The WebGate/agent lets the request through without authentication and no validationis performed. The OAM_REMOTE\_USER header is added to the request.
Identify two settings that are available from the common settings for a session in Oracle Access Manager system configuration. Session Lifetime Minimum Number of Sessions per User Maximum Number of Sessions per User Session Cache Memory size Session Security Protocol.
Which statement is true about the interaction between a UMS component in the SOA Suite and OAAM? OAAM generates and sends the One Time Pin (OTP) directly to a user. OAAM generates and sends the OTP o UMS, which submits to a customer. OAAM communicates with the UMS, which generates and submits the OTP to a customer. OAAM sends the OTP to a customer directly and UMS validates the OTP to a customer. UMS generates and sends the OTP directly to a user.
Which statement is true about scaling out an Oracle Access Management server in high availability topology? Scale out is used when a new Access Manager Managed Server instance is added to a node that is already running one or more server instances. Scale out is used when a new Access Manager Managed Server instance to a new node.
Scale out is used toadd a new Access Manager Managed Server instance to a new node. Scale out is used when a new WebGate to talk to an existing Access Manager instance. Scale out is used when a new Identity Store to Access Manager Instance.
Your customer has deployed an employee portal that you have protected with Oracle Access Manager (OAM). The customer now wants a new portlet added to the home page to display the employee’s salary details. The portlet will obtain the information through a call to an internally exposed web service. Your customer has defined the following security requirements for the new portlet:
1. Employee must be authenticated through risk-based authentication before they can access the portal.
2. The web service must be secured form unauthenticated calls.
3. All security logic for the web service must be external to the web service.
4. The web service should return salary details only if the user’s authentication risk source is below 500.
Which four steps must you perform to meet the requirements for the new portlet? Deploy Oracle Adaptive Access Manager (OAAM) and integrate with OAM, setting OAAM as the authentication scheme. Configure Oracle Web Services Manager (OWSM) on the portal container to generate a security token. Configure a cookie response in OAM to set the risk score into a cookie called HTTP_RISK_SCORE. Enable Identity Assertion propagation in the OAM policy. Configure OWSM to call OAAM to obtain the risk score. Configure an OWSM policy to protect the web service, consume the security token, and evaluate the
Which two features of Oracle Access Management Mobile and Social are supported only when it is integrated with Oracle Adaptive Access Management? Multi-step authentication (knowledge-based authentication and one-time password support) JWT token support for authentication and authorization Ability to uniquely identify connecting mobile devices (device fingerprinting) Relaying party support for Internet-based Identity providers (Facebook, Google, Twitter, Linkedin, and Yahoo) Basic (limited) device security checks during device registration and access requests.
What extra configuration must be performed only when a Detached Credentials Collector is separated from a Resource WebGate and not when they are combined? The Allow Credential Collector Operations check box must be selected. The Resource WebGate should set the Logout Redirect URL to the Detached Credentials Collector’s logout.1. The Allow Token Scope Operations check box must be selected. The IP Validation check box must be selected.
In a high availability deployment for Oracle Access Manager, which configuration will make sure that the Request to Login page goes to the load balancer ? Changing Server Host, Port, and Protocol from the WebLogic administration console Changing Server Host, Port, and Protocol in a WebGate or an agent configuraion Changing Server Host, Port, and Protocol in a Credentials Collector configuration Changing Server Host, Port, and Protocol in Access Manager settings under System Configuration from the Oracle Access Management console.
Identify three functions that Oracle Adaptive Access Manager provides. Risk-based access control
Secure credential collection Offline and online risk analytics Username and password validation Single sign-on User provisioning.
Identify the preconfigured authentication scheme that is used in the Oracle Access Management 11gR2 federation service. OIFScheme OIFLDAPPlugin OIFMTLDAPPlugin FederationScheme.
Identify two authentication engines that are available in Oracle Identity Federation (OIF) 11g. LDAP Flat File MongoDB JAAS Excel File.
Which additional cookie needs to be cleared out on performing centralized logot when a Detached Credentials Collector is used in Oracle Access Manager with 11g WebGates? obssocookie DCCCttxCookie _WL_AUHCOKIE_JSESSIONID iplanetDirectoryPro.
Which are the four valid token types that Oracle Mobile and Social can return to a mobile client on authentication? SMAL Token User Token SecurID Token Access Token Client Registration Handle Client Token LTPA Token.
Which two services can be enabled from the Oracle Access Management 11gR2 console? Identity Federation Oracle Adaptive Access Manger Mobile and Social Oracle Entitlements Server Oracle API Gateway.
Identify two ways in which you can diagnose an issue when the Remote Registration Tool in Oracle
Access Manger fails. Ensure that an agent name is already registered Ensure that the agent name is unique. Ensure that AdminServer is running. Ensure that AdminServer is not running Ensure that the agent name and application domain are different.
Your customer requires Oracle Adaptive Access Manager (OAAM) to perform risk analysis of the money transfer transactions in their eBanking application. They have already deployed OAAM and OAM using the out-of-the-box Advanced integration.
What must they do to capture and process their application transactions in OAAM? Configure the OAAM Server application with the definition of the new transaction data to be captured. Deploy the UIO proxy and configure it to capture the money transfer transaction data and submit it to OAAM. Change their eBanking application to use OAAM native integration. Deploy the OAAM sample application and configure it to collect the money transfer transactions.
Which Oracle Access Management Suite Plus 11g service provides Access Management components the ability to share information during a user’s session that enables security decisions? Security Token Service Oracle WSM Agent Policy Context Identity Context.
Which three statements are true about Oracle Entitlements Server? It enables you to externalize fine-grained authorization from applications. It uses a centralized Policy Decision Point (PDP) that all Policy Enforcement Points (PEPs) Communicate with. It can use either a centralized PDP or a localized PDP. It has an out-of -the –box integration with Oracle Adaptive Access manager. Auditing is not enabled by default within the security modules.
Which two mechanisms does Oracle Access Manger provide for credential collection during authentication? Embedded Credential Collector (ECC) Security Store Collector (SSC) Detached Credential Collector (DCC) Security Toke Services (STS) Credential Security Framework (CSF).
Which statement is true about the Detached Credentials Collector (DCC) used in Oracle Access Manager? It is the default credentials collector for Oracle Access Manager 11gR1. It is the default credentials collector for Oracle Access Manager 11gR2. It is supported only by Oracle Access Manager 11gR1. It is supported only by Oracle Access Manager 11gR2.
What is the purpose of the extract Move Plane script when moving an Oracle Access Management environment from test to production? It extracts configuration information from the archive created on the source environment into XML files, which can be edited for the destination environment. It extracts the binary file from the archive created on the source environment into the destination environment. It extracts the configuration files from the archive created on the source environment into the destination environment. It extracts the distribution at a mount point.
In a Security Token Service deployment for Identity Propagation with the Access Manager token, which component must be registered with Oracle Access Manager 11g to create a communication channel? WS-Trust Validation Template WebGate Oracle Adaptive Access Manager Oracle Identity Federation Request Security Token (RST).
Identify four data stores or repositories used by Oracle Identity Federation (OIF) 11g. Federation data store User data store Audit data store Session and Message data store Reports data store Configuration data store Role data store.
Which authentication scheme is the preferred option for integration OAM with OAAM in 11gR2? OAAMBasic authentication scheme TAPScheme authentication scheme OAAMAdvanced authentication scheme LDAPScheme authentication scheme.
Which protocol does WebGate use to communication with the Access Manager server? TCP HTTP SSL Oracle Access Protocol OAP Policy Administration Protocol (PAP).
In Security Token Service, what is a prerequisite when managing a Token Issuance Template? Confirm whether the desire LDAP Identity Store is registered with and configured as the Default Store. A WebGate must be registered with Oracle Identity Federation. The WSS Validation Template must be configured to accept only X.509 certificates. SAML tokens must be present in the SOAP header.
In an enterprise deployment, where are the binary and library files that are required for Oracle Access Management located?
IDM_ORACLE_HOME IAM_ORACLE_HOME ORACLE_COMMON_HOME IAM_MW_HOME.
How would you add support for additional Internet Identity Providers for Oracle Access Management Mobile and Social, other than the preconfigured ones such as Facebook and LinkedIn? You do this by implementing the oracle.security.idaas.rp.spi.ServiceProvider Java Interface. Support for Internet Identity Providers is limited to the ones that are available out of the box from Oracle Access Management (ICF). Support for Internet Identity Providers is enabled through the connectors built on the Identity Connector Framework (ICF). You do this by implementing the oracle.security.idaas.rp.spi.IdentityProvider Java Interface.
Identify two protocols that the Oracle Access Management Social module supports for Authentication and Authorization using Internet Identity services. OpenID WebID BrowserID Windows Live ID OAuth.
Which two earlier technologies des Oracle Access Manger 11g replace and provider a converged platform for? Oracle Access Manager 10g Oracle Identity Access 10g Oracle Application Server SSO (OSSO) 10g Oracle Enterprise Single Sign-On.
Your customer wants to use the information available in the Identity Context in their application to determine a user’s Journey through various screens and functions. One of the attributes they want to use is the Oracle Adaptive Access Manager (OAAM) risk score. They have deployed OAAM and think they have integrated it correctly into the Oracle Access Management
Platform. However, when their application interrogates Identity Context, none of the OAAM attributes Are present.
Which three configuration settings should you check as part of troubleshooting the problem? The OAAM property oracle.oaam.idcontext.enabled has been set to true. Oracle Access Manager is using the “OAAM Advanced” authentication scheme. The TAP token version is set to 2.1 in OAAM properties. The application has been given proper source code grants to access the Identity Context runtime. A configurable action has been defined in OAAM to generate the Identity Context attributes. Oracle Security Token Service has been configured to generate the Identity Context attributes.
Identify the mandatory attribute that is used when creating an application profile for a mobile application in Single Sign-On with Oracle Access Management Mobile and Social services. userId4BasicAuth Mobile.clientRegHandle.baseSecret sharedSecret.4BasicAuth baseSecret4BasicAuth.
You have created a set of hierarchical resources in Oracle Entitlements Server and an associated set of
authorization policies as shown in the Exhibits. You execute a newQueryPepRequest in order to evaluate exactly which resources the weblogic user has access to.
Which three hierarchical resources can user access? (Choose three.) /Hier1 /Hier1/a /Hier1/b /Hier1/a/i /Hier1/b/i.
By default, which four Oracle Access Management platform components write attributes into the Identity Context? Oracle Entitlements Server Oracle Access Manager Oracle Security Token Service Oracle Enterprise Single Sign-On Oracle Access Management Mobile and Social Oracle Adaptive Access Manager.
What is the role of a user data store in Oracle Identity Federation (OIF) 11G When it is configured as an Identity Provider (IdP)? Oracle Identity Federation uses the repository to map the information in received assertions to user identities at the destination. When creating a new federation, Oracle Identity Federation uses the repository to identify a user and link the new federation to that user’s account. Oracle Identity Federation uses the repository to authorize users for access to protected. Oracle Identity Federation uses the repository to verify user Identities and to build protocol assertions.
You have defined and application and its associated policies in Oracle Entitilements Server (OES) to protect you customer’s banking application. This application is written in Java and deployed on WebLogic,using the WebLogic security module for integration. Using the Policy simulator, your policy However, while testing, it appears that your authorization policies are not being applied and all authorization decisions are being returned as false from the security module.
Which two configuration settings in your OES admin console may be the cause of this problem? The security module is configured to pull policies instead of having policies of this problem? The application has not been associated with the security module in the OES admin console. The security module was not registered correctly when config.sh was run. You have not distributed the policies in the OES admin console. The security module has not been started.
Identify two artifactsthat are present in an application domain of Oracle Access Manager 11g. Resources Authentication Scheme Authentication Policies Authentication Modules Data Sources.
Identify two registration artifacts that are created when an 11g WebGate is registered using the Oracle Access Management console. oss.conf oaam_cli_properties OAMRequest_short.xml obAccessClient.xml cwallet.sso.
Your portfolio trading customer is using Oracle Entitlements Server (OES) to externalize authorization decisions from their share dealing application. The trading customer has stipulated the following policy need to be implemented: Customers can purchase shares only if their credit limit is 20% higher than the value of the shares in their basket at checkout. The value of a basket and a customer’s credit limit are both available in the application, and can be passed to OES as part of an authorization request if required. You are looking to implement the most efficient policy within OES. Which three steps would you
implement? Configure a Policy Information Point (PIP) to retrieve the basket value and credit limit from an internal system. Configure an authorization policy to include a condition that executes a custom function. Configure the application to include the basket value and credit limit in the authorization request. Create a custom function to calculate the difference between the basket value and the credit. Use a PIP to call a web service that returns the calculated difference between the basket valu e and the
credit limit. Return an obligation that contains the difference value so that the application can decide whether to
allow the transaction or not.