Oracle Access Manager Deployments: Use Embedded Credential Collector Over the Detached Credential Collector
(Doc ID 2634863.1)
Last updated on JANUARY 20, 2021
Applies to: Oracle Access Manager - Version 126.96.36.199.0 and later
Information in this document applies to any platform.
Oracle Access Manager (OAM) supports two mechanisms of credential collection -- the embedded credential collector (ECC) and the detached credential collector (DCC). Both credential collectors are suitable for use with OAM. However, Oracle recommends use of ECC over DCC for the following reasons:
- Both ECC and DCC allow for a secure deployment in which a defense-in-depth approach requires that threats such as DDoS be handled, and controls such as throttling and application firewalling be applied, in the upstream application delivery tier. In any typical deployment, robust upstream capabilities already exist, so any potential benefit of terminating unauthenticated connections on the web tier is very minimal.
- DCC requires the use of tunneling, which adds overhead and complexity to a deployment. In addition, customers now make all network hops over TLS transport to better secure the internal infrastructure, which moves the secure connection perimeter to the application tier, whereas in the past it sat at the web tier. As a result, the benefit of terminating unauthenticated connections upstream using DCC is no longer relevant.
- DCC is complete when you consider only the OAM login, but for the overall enterprise to be secure it would require terminating all unauthenticated connections on the web tier (for example OIM Self Service and Lost Password, which are public pages). This is impractical and therefore results in an inconsistent security threat and risk posture. Using ECC enables consistent use of the sophisticated security capabilities of upstream components such as load balancers, application firewalls and IDS/IPS, as well as upcoming security services such as OCI's Web Application Firewall and User & Entity Behavior Analysis risk analytics.
- DCC authentication is not supported for OAuth/OIDC in 12c, as Oracle recommends that customers use ECC.
A concern that has been raised about using the ECC is that unauthenticated endpoints accessed via a reverse proxy are vulnerable. This is not true, since the security assurance process that ECC undergoes during the software development lifecycle (SDLC) is the same as for DCC. In fact, Oracle has had a smaller number of security issues reported against ECC than against DCC over the years.