OAM 10.1.4 Architecture Changes

If you haven’t already heard, Oracle has rearchitected the web agents (known as webgates) of Oracle Access Manager (as it is now called) for the first full version to come out since Oracle acquired Oblix.

This is critical information for anyone who is currently running version 6 or version 7 of the Oblix codebase, or who is considering a version 6 to version 7 upgrade. I believe that most clients have been notified of this change, but just in case it hasn’t filtered down to the people actually running the systems, I thought I’d highlight the importance of the changes.

One of the toughest challenges of an Access Management system is certifying the many permutations of web server platforms that must be protected. The matrix defining which web server software is supported on which operating system platform for which version of COREid has in the past been made easier by the fact that webgates are forwards and backwards compatible between versions. This means that if a web server and platform combination is certified for any version of COREid, you can use it in your single sign-on environment, regardless of which version of the Access System you are on. The result of this policy is a huge number of supported web server versions and platforms, giving clients a lot of freedom to implement their environments as they see fit.

This policy has changed for the newest version, Oracle Access Manager 10.1.4. Version 10.1.4 webgates will NOT work on a version 6 or version 7 Access System. Note that version 6 and 7 webgates will work on a 10.1.4 Access System, just not the other way around.

If you are on version 10.1.4 or are going to version 10.1.4, life really won’t change much, other than the fact that during the migration, you lose the freedom to upgrade your webgates at any time before or after the Access Server is migrated — you will have no choice but to upgrade your webgates afterwards.

If you are on version 6, you may be anxious because of the ‘End-Of-Life’ for that version. I’ve just learned that Oracle has extended their support for version 6 until December of 2007. I suggest using this time to modify your migration plans so that you skip version 7 and go straight to OAM 10.1.4 – for reasons I will describe below.

If you are on version 7, you are not where you want to be. Although version 7 is a supported version, future web server and OS platform certifications will happen for version 10.1.4, which means the newly certified webgates can’t connect to your Access System. Backporting webgates for version 7 is an expensive and time-consuming process, and it isn’t going to happen unless there is a proven critical demand. As a result, the chances are slim that the exact web server you want to use will be waiting for you in the supported platforms matrix whenever you decide to look for it. For example, there is a 10.1.4 webgate for web servers on Red Hat 4, but only certifications for Red Hat 3 on 7.0.4. If you want to run your web servers on RH4, and you have a version 7.0.4 Access System, there is nothing that you can do except upgrade the Access System or downgrade the web server OS. If you have a critical need to support a future web platform on version 7, you had better be negotiating with your Oracle Account Manager far, far in advance of the point in time when you need to start using it.

The moral of this story is: Even though the version numbers look minor (10.1.2 to 10.1.4), the changes made by Oracle since acquiring Oblix are worthy of a MAJOR version number change. OAM 10.1.4 is the first step in Oracle’s post-Oblix strategic vision for access management, and it will be in every client’s best interests to align with that vision as soon as possible. Support is one thing, but progress is something very different. Trust me, if you can, you want to go for progress :)