
Monday, October 6, 2014

OAM 11gR2 : Single-Sign-On to an internal Portal, logging in from an external facing public Portal

A common requirement for many Portal clients -
Allow single sign-on access to an internal Portal, with the user logging in from an external portal using a custom login form (typically one at the top right corner of the screen).
Why is this not straightforward?
Well, you might ask what the big deal is with this. Isn't this just a standard custom login page being implemented? Nope: a standard OAM custom login page posts to the /oam/server/auth_cred_submit URL endpoint along with request_id as a parameter, which contains the details of the protected resource to which it should navigate on successful authentication. In short, the protected page was solicited by the user, and after a series of redirects it lands at the custom login page. Once the user authenticates successfully, the resource is picked up from the request_id parameter and navigated to.
In the above scenario, the user needs to navigate to a resource which was not solicited, e.g. the user requested www.oracle.com and after logging in needs to navigate to oracle.com/EmployeePortal.
This introduces the concept of Unsolicited Login -
Unsolicited Login is used when we want to authenticate a user without any request_id or resource. The page which is navigated to upon successful authentication is not the one which was initially solicited, hence the name Unsolicited Login.
This feature was introduced by Oracle in 11gR2 (11.1.2.x series). Prior to 11gR2, this feature would need to be custom built.

Following are the steps needed to enable this feature in OAM :
1. Enable Direct Authentication for OAM.
Navigate to OAM Domain for your installation, under config/fmwconfig/oam-config.xml, ensure that ServiceStatus under DirectAuthenticationServiceDescriptor is set to true. (DirectAuthenticationServiceDescriptor is under OAMServicesDescriptor).

It is highly recommended that you first stop the Admin Server and the OAM Cluster before you make any changes to oam-config.xml. Further, it is sufficient to make the above change in the oam-config.xml under AdminServer/config/fmwconfig, incrementing the Version field by 1. Once you have restarted the AdminServer and the OAM Cluster, the oam-config.xml for the OAM Cluster will get updated automatically.
2. Submit the following information to the endpoint via Custom Login Form (External Public facing Portal Page) https://oam_host:oam_port/oam/server/authentication:
a.      username
b.      password
c.       successurl, for example, http://machinename.mycompany.com:7778/sample-web/headers.jsp.
Code Example
<form id="loginForm" name="loginForm" action="http://OAMHost:Port/oam/server/authentication" method="post" hidden="true">
    <input id="username" type="text" name="username" />
    <input id="password" type="password" name="password" />
    <input id="successurl" type="text" name="successurl" value="http://chinni-pc:7777/" />
    <input type="submit" value="submit" />
</form>
You can use the above code in a JSP and package it within the same Custom Login Page application archive used for the Internal Portal. This will need to be re-deployed to the WebLogic Server for the functionality to work.
In case you would like to use it in an external Portal page which is plain HTML or the like, you can embed the above JSP in an iframe.
Once the credentials are validated, OAM Server redirects to the success URL after setting OAM_ID cookie as part of HTTP redirect (HTTP response code 302).
Note – Internal Portal Login page or code does not need to be changed.
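The exchange described in step 2, as an added worked example (not code from this post or from Oracle): the first function builds the POST to /oam/server/authentication with the three form fields named above, and the second checks that the reply is the 302 to the success URL carrying an OAM_ID cookie. The OAM base URL, the sample response headers and the allow-list of success-URL hosts are assumptions constructed for the example; the allow-list is there because successurl is a client-supplied form field, so the page that builds the form should pin it to the internal portal rather than forward arbitrary values.

```python
"""OAM 11gR2 direct authentication (unsolicited login): build the POST and
verify the 302 that comes back.

Added example, not Oracle code. Endpoint path, form field names
(username, password, successurl) and the OAM_ID cookie on the redirect are
from the post above; the OAM base URL, the allow-listed portal host and the
sample response are constructed for this example.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlencode, urlparse

# Assumption: only the internal portal's own host is an acceptable landing
# page. successurl is a client-supplied form field, so the page that builds
# the form pins it instead of accepting arbitrary values.
ALLOWED_SUCCESS_HOSTS = {"portal.internal.example.com"}


def build_direct_auth_request(oam_base, username, password, successurl):
    """Return (url, urlencoded_body) for the POST to /oam/server/authentication.

    Raises ValueError if successurl is not an http(s) URL on an allow-listed host.
    """
    target = urlparse(successurl)
    if target.scheme not in ("http", "https") or target.hostname not in ALLOWED_SUCCESS_HOSTS:
        raise ValueError(f"successurl not allowed: {successurl}")
    body = urlencode({"username": username, "password": password, "successurl": successurl})
    return f"{oam_base.rstrip('/')}/oam/server/authentication", body


def check_direct_auth_response(status, headers, expected_successurl):
    """Check the response against what the post describes: HTTP 302 to the
    submitted successurl, carrying an OAM_ID Set-Cookie. Returns (ok, reason).

    headers is a list of (name, value) pairs, as http.client returns them.
    """
    if status != 302:
        return False, f"expected 302 redirect, got {status}"
    location = None
    cookies = SimpleCookie()
    for name, value in headers:
        if name.lower() == "location":
            location = value
        elif name.lower() == "set-cookie":
            cookies.load(value)
    if location != expected_successurl:
        return False, f"redirected to {location!r} instead of the submitted successurl"
    if "OAM_ID" not in cookies:
        return False, "redirect carries no OAM_ID cookie, so no SSO session was created"
    return True, "302 to successurl with OAM_ID cookie: SSO session established"


# Constructed sample of a successful exchange (not captured from a real server).
SAMPLE_SUCCESSURL = "https://portal.internal.example.com/EmployeePortal"
SAMPLE_OK_HEADERS = [
    ("Location", SAMPLE_SUCCESSURL),
    ("Set-Cookie", "OAM_ID=constructed-session-token; Path=/; HttpOnly; Secure"),
]

if __name__ == "__main__":
    url, body = build_direct_auth_request(
        "https://oam.example.com:14101", "jdoe", "secret", SAMPLE_SUCCESSURL)
    print("POST", url)
    print(check_direct_auth_response(302, SAMPLE_OK_HEADERS, SAMPLE_SUCCESSURL))
```

Against a live server the same check is run on the response of an http.client request with redirects disabled; following the redirect would hide the status code and the Set-Cookie header that the check relies on.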
3. To allow direct authentication only for POST (or vice versa):
i)        Login to the Oracle Access Management administration console and navigate to Policy Configuration, then Application Domains.
ii)      Select and edit the default application domain IAMSuite. Navigate to Resources, then search for and edit the resource /oamDirectAuthentication.
iii)    Under Operations, de-select all operations that are not to be supported (for example GET and DELETE), leaving only POST.
iv)    Make sure that the AuthenticationPolicy for /oamDirectAuthentication points to the same AuthenticationScheme as the Internal Portal.
If the above is not present in your OAM environment, please create it similar to the screenshots below.

Once user logs in, user will be redirected to successurl.

4. The URL pattern of the external Public facing Portal needs to be marked as ‘Unprotected’ with a ‘PublicAuthenticationPolicy’ which uses an ‘Anonymous Scheme’.
The internal Portal would continue to be as-it-is marked ‘Protected’ with a ‘PrivateAuthenticationPolicy’ pointing to the relevant ‘LDAPScheme’.

The above would need to be done within the appropriate ‘Application Domain’ which is used for the Portal.

In screenshot below, /ssologin/.../* represents the URL pattern for an External public facing Portal.

Oracle Documentation References
Screenshots from a POC on this
Below are the screenshots and summary from a POC done on OAM 11.1.2.2 with WebCenter Portal/Spaces 11.1.1.8.3 as the Success URL.

The below screenshot represents a public site with a login form. This page is not protected and is meant to represent an external portal.
Once the user enters the required credentials and clicks submit, they will be redirected to a protected resource. The protected resource shown below (WebCenter) is to reflect a protected internal portal.
Shown above, the user has successfully authenticated and has established an SSO session with Oracle Access Manager.
If the protected resource is accessed directly, a separate authentication method/form will be used to challenge the user. 

Friday, September 26, 2014

Oracle Fusion Middleware : 11.1.1.x / 11gR1 Support

Your 11gR1(11.1.1.x) customer does not wish to upgrade to 11gR2 (11.1.2.x) or to 12c (12.1.x) as he probably is not too keen on the new features or is not excited about the cloud yet.

Well, what about support on 11gR1? This can be a major factor for upgrading, apart from new features!

11.1.1.x Premier support ends June 2015
As per http://www.oracle.com/us/support/library/lifetime-support-middleware-069163.pdf page 36

Note there are three kinds of support under Oracle Lifetime Support - Premier Support, Extended Support and Sustaining Support.
Extended support may not cover integrations with new third-party vendors, and sustaining support does not include new fixes!

Typically premier support is for 5 years since the launch of the product, extended support for 2 more years and sustaining support thereafter.

Monday, September 22, 2014

Oracle Security : Getting Started

Oracle Identity Management (IDM) is a vast collection of products with confusing terminology, and it can be difficult to understand where to start. Hopefully the links below help.

Concepts
Oracle IDM Basics - (Keep clicking to navigate through entire topics)
A few simple Tutorials from Oracle to get started
Oracle IDM Home Page (Source to Datasheets, Whitepapers, Customer Use Cases and various Data)

Installs

Issues/Continuous learning of tricky use cases & finer concepts
Oracle IDM A-Team Blogs (Learn tricks of the trade)

Mapping of use cases with products

Collated IDM 11gR2 Blog Dashboard

Monday, September 1, 2014

UCM / Webcenter Content : Configuring an Admin User for UCM which resides in OID

UseCase :
  • The default install of Webcenter Content/UCM results in weblogic as the Default Content Admin which resides in the embedded LDAP.
  • In our Webcenter implementations we end up using a variety of LDAPs.
  • This post details how to change the Admin user for UCM to a user residing in OID which is easier to manage and the recommended approach instead of using weblogic.


Advantages : 
  • This can also be extended to use any LDAP like AD, OUD, ODSEE etc.
  • Another reason why this needs to be configured is so that the UCM Console can be logged into using an OHS URL or Virtual IP which has an LDAP configured as its IdentityStore, instead of having to log in via the managed server port.

Configuration Steps :

1. Create a new user called ucmadmin in OID with object classes similar to those present for orcladmin.

2.Create a new group called ucmadmingroup in OID with object classes top and groupOfUniqueNames.

3.Assign ucmadmin as a member of the ucmadmingroup.

4. Make sure the users and groups mentioned here reside in the DN hierarchy defined in the OID Authenticator (e.g. cn=Users,dc=oracle,dc=com).

5. You also need to create the Credential Map to grant ucmadmingroup administrator rights in UCM. In UCM, we map the OID group ucmadmingroup to the UCM internal roles and to the all-accounts privilege. All users who belong to ucmadmingroup are then automatically granted the UCM admin roles.
- Login to Content Server as weblogic and configure the credential map (http://<host>:16200/cs)
  Administration -> Credential Maps, create a new map (e.g. called "MyOIDMap")
- Add the following mappings
ucmadmingroup, admin
ucmadmingroup, guest
ucmadmingroup, sysmanager
ucmadmingroup, refineryadmin
ucmadmingroup, rmaadmin
ucmadmingroup, pcmadmin
ucmadmingroup, ermadmin
ucmadmingroup, @#all

6. Edit provider.hda and add the credential map "MyOIDMap"; the file is located at -
 <UCM-Domain>/ucm/cs/data/providers/jpsuserprovider/provider.hda
  Here is an example:
<?hda version="11gR1-11.1.1.6.0-idcprod1-111219T111403" jcharset="UTF8" encoding="utf-8"?>
Properties LocalData
DefaultNetworkAccounts=#none
DefaultNetworkRoles=guest
PasswordScope=jpsuserprovider
ProviderClass=idc.provider.jps.JpsUserProvider
ProviderDescription=csJpsUserProviderDescription
ProviderName=JpsUserProvider
ProviderType=jpsuser
SourcePath=jpsuser
ProviderCredentialsMap=MyOIDMap
blDateFormat=M/d{/yy}{ h:mm[:ss]{ a}}!mAM,PM!tAmerica/Los_Angeles
pDescription=csJpsUserProviderDescription
end
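Steps 5 and 6 leave two artifacts that are easy to get subtly wrong: the credential map lines and the ProviderCredentialsMap key in provider.hda. The following added example (not Oracle code, and not part of this post) parses both formats as shown above and reports what is missing, including the @#all mapping whose absence produces the "does not have sufficient privileges to access the content account" error mentioned in step 9. The REQUIRED_ROLES set and the sample texts are constructed for the example.

```python
"""Check a UCM provider.hda and credential map for the OID admin wiring
described in steps 5 and 6 above.

Added example, not Oracle code. The HDA layout, the ProviderCredentialsMap
key, the group ucmadmingroup and the role names are taken from the post;
REQUIRED_ROLES and the sample texts are constructed for this example.
"""


def parse_hda_localdata(text):
    """Return the key=value pairs between 'Properties LocalData' and 'end'.
    A leading UTF-8 BOM and the <?hda ...?> header line are skipped."""
    props = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if line == "Properties LocalData":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_credential_map(text):
    """Parse 'group , role' lines into {group: set(roles)}; blank and # lines are ignored."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        group, sep, role = line.partition(",")
        if sep:
            mapping.setdefault(group.strip(), set()).add(role.strip())
    return mapping


# Assumption: the minimum an admin group needs from the list in the post.
REQUIRED_ROLES = {"admin", "sysmanager"}
ALL_ACCOUNTS = "@#all"


def check_admin_wiring(hda_text, credmap_text, group, map_name):
    """Return a list of problems; an empty list means the group is wired in."""
    problems = []
    actual_map = parse_hda_localdata(hda_text).get("ProviderCredentialsMap")
    if actual_map != map_name:
        problems.append(
            f"provider.hda ProviderCredentialsMap is {actual_map!r}, expected {map_name!r}")
    roles = parse_credential_map(credmap_text).get(group, set())
    missing = REQUIRED_ROLES - roles
    if missing:
        problems.append(f"{group} lacks roles: {sorted(missing)}")
    if ALL_ACCOUNTS not in roles:
        problems.append(
            f"{group} is not mapped to {ALL_ACCOUNTS}; content-account access will be refused")
    return problems


# Constructed samples mirroring the post's provider.hda and credential map.
SAMPLE_HDA = """\ufeff<?hda version="11gR1-11.1.1.6.0-idcprod1-111219T111403" jcharset="UTF8" encoding="utf-8"?>
Properties LocalData
DefaultNetworkAccounts=#none
DefaultNetworkRoles=guest
ProviderClass=idc.provider.jps.JpsUserProvider
ProviderName=JpsUserProvider
ProviderCredentialsMap=MyOIDMap
end
"""
SAMPLE_CREDMAP = """\
ucmadmingroup , admin
ucmadmingroup , guest
ucmadmingroup , sysmanager
ucmadmingroup , refineryadmin
ucmadmingroup , @#all
"""

if __name__ == "__main__":
    print(check_admin_wiring(SAMPLE_HDA, SAMPLE_CREDMAP, "ucmadmingroup", "MyOIDMap") or "OK")
```

Run it against the real files after step 6 and before restarting the managed server in step 7; the BOM handling matters because provider.hda as written by UCM starts with one, which is what the stray <feff> in the listing above was.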

7.Restart the UCM Managed Server.
 

8. Repeat the steps on the other machine if it's a clustered environment.

9. After that, if you login to Content Server as ucmadmin, in the ucmadmin profile you should see something similar to the following:
 
 In the ucmadmin profile, you should see "#all" in the Accounts field. Otherwise, when users access documents in Spaces, it will fail with the following error:
  User 'ucmadmin' does not have sufficient privileges to access the content account.

Monday, August 25, 2014

OID 11.1.1.7 - Unlocking superuser orcladmin account

We weren't able to login to WebCenter Portal which uses OID as the Authentication store today.
On investigation we found out that the superuser orcladmin account was itself locked.

Note -
1. There are 2 orcladmin accounts: the superuser account, cn=orcladmin, and the REALM administrator cn=orcladmin, for example: cn=orcladmin,cn=users,dc=oracle,dc=com.

2. The superuser account is hard coded and is not seen in the Oracle Directory Manager (ODM), nor the Oracle Directory Services Manager (ODSM) in 11g.


The following commands* executed from a command line tool helped to fix this issue -


export ORACLE_HOME=/u01/app/oracle/middleware/Oracle_IDM1/
export ORACLE_INSTANCE=/u01/app/oracle/admin/OID_Domain/oid_inst_2/
cd $ORACLE_HOME/ldap/bin
# find the connect string in /u01/app/oracle/admin/OID_Domain/oid_inst1/config/tnsnames.ora
./oidpasswd connect=OIDDB unlock_su_acct=true
OID DB user password:<ODS Schema pwd>

*This is just a representation of what I had to do in my environment to fix this.

After this, you would need to login to ODSM, go to the Data Browser tab and change the password for cn=orcladmin,cn=Users,dc=<companyName>,dc=com, which in all probability might have expired as well.



Atul Kumar's post here also helps with similar issues.

To change password policies have a look at this Oracle Doc

Saturday, August 23, 2014

OAM 11gR2/Weblogic : The importance of parameters in mod_wl_ohs.conf (Web Server plugins)

The configuration of various parameters in the web server plugins plays a major part in ensuring that Single-Sign-On works fine using OAM.

Oracle Documentation -
http://docs.oracle.com/cd/E23943_01/web.1111/e14395/plugin_params.htm

This post is intended to share my experiences with certain parameters and the repercussions if you don't include them :)

WLProxyPassThrough
WLProxySSL works great if the web server is doing the SSL work. But if SSL is being terminated by a load balancer, then mod_wl will remove any incoming WL-Proxy-SSL header and the request will reach OHS over HTTP; this means that the WebLogic server won't ever get that header and so request.isSecure() will always return false. If you add the WLProxyPassThrough directive and set it to ON, the WebLogic plug-in will not remove any incoming WL-Proxy-SSL header. This lets WebLogic Server know that the original request was initiated over SSL. The WL-Proxy-SSL header should not be sent if the inbound traffic to the load balancer was not SSL (HTTPS).

Error Scenario

Once I added this parameter under the <if weblogic_module> tag and set it to true, this issue no longer recurred.




WLCookieName
If you change the name of the WebLogic Server session cookie in the WebLogic Server Web application, you need to change the WLCookieName parameter in the plug-in to the same value. The name of the WebLogic session cookie is set in the WebLogic-specific deployment descriptor, in the <session-descriptor> element.

Error Scenario :
The Webcenter Portal application I was implementing SSO using OAM for had changed the weblogic session cookie name to a non-JSESSIONID value for some reason.
This was not giving me any issues until I was configuring the "Weblogic Cluster" value (instead of "Weblogic Host") in the OHS layer pointing to the Webcenter managed servers. Once I did so, the Webcenter Portal page would not load and instead would give me a flickering page with constantly changing values of adf_ctrl.state.
This issue was resolved once I added WLCookieName <cookieName> under the context root tag for the Webcenter Portal app in mod_wl_ohs.conf.

This post is also relevant in this regard.

Oracle IDM 11gR2 : Integrating with MS Active Directory 2003

The latest versions of OIM and OAM 11gR2 (11.1.2.x) do not support LDAP Sync or OIM-OAM Integration using Active Directory (AD) 2003, as per the 11gR2 certification matrix.
We had a use case to support federation using OAM 11gR2 somehow with AD 2003 as the Identity Store.

Option 1 : Using OVD
We noticed that the latest version of OVD was 11.1.1.7, which happens to support AD 2003 as per the 11gR1 FMW certification matrix. So potentially we could hook OAM up with OVD as the Identity Store and still connect to Active Directory 2003, which is not directly supported!
Extending this theory, we could provision to OVD from OIM, which finally would create the relevant user accounts in Active Directory 2003!!
Oracle confirmed this in SR # 3-9503114871(you may not be able to view it directly but can refer to this in another SR if need be).

Option 2 : Using OID and DIP
Standup OID(11.1.1.7 is the latest as of today) and sync existing users from AD 2003 using a DIP process.

Option 3 : Use IDM 11gR1
Least preferred, since it's never a good idea to go back to an older release when the newer release has so much to offer and IDM 12c is in the pipeline. If none of the above can be made to work for whatever reason, AD 2003 is definitely supported with both OIM and OAM 11gR1 (11.1.1.x).

Monday, August 11, 2014

OAM 11gR2 : 500 Internal Server Error after registering new 11g Webgate

I got the error as in the subject after I had registered a new webgate, done the other necessary configurations and tried to access a WebCenter Portal page which I was trying to protect.

The error in the oblog.log said - 


Request Failed for : /index.html, Resp Code : [500]
OBWebGate_AuthnAndAuthz: Cannot get message for ObAccessException_NO_AGENT_KEY


Oracle Support had a similar issue for Fusion Apps which did not really help -
https://support.oracle.com/epmos/faces/DocumentDisplay?id=1534423.1

Finally, after using the OAM Tester, a colleague suggested to edit and re-copy the Webgate related files from the Output Directory of the OAM_Domain pertaining to the webgate to <OHS_Instance>/config/OHS/ohs1/webgate/config.

Hope this helps someone facing a similar issue.

Debugging SSO issues using OAM Tester

The OAM Tester is a great desktop-based tool for testing issues while accessing resources protected using OAM. It gives you basic logs and categorizes what exactly fails (authentication, authorization etc.).

This is a quick way to ensure that everything works fine at the OAM layer without having to look at the logs and/or tools like Firebug or HTTPAnalyzer/Fiddler.

The port for the server connection would be 5575, which is the port for Access Manager. All the rest should be self-explanatory.

Copy the following files from <ORACLE_IAM_HOME>/oam/server/tester & launch oamtest to get to this dialog.
Links from Oracle documentation -

Thanks to my colleague Shivram Sundaram for helping find this, thus quickly resolving multiple issues.

Note - I was on the 11gR2 version of OAM.

Tuesday, July 15, 2014

ADF / Webcenter : POJO Data Control caches values even when container taskflow is refreshed [UI Aware Data Model - I]


Oracle says ADF BC , EJBs , Webservices , POJOs etc. are supported as Business Services layer in ADF.

The Data control layer which happens to be the Model layer can be generated from each of the above ( gets generated automatically from ADF BC).






Use Case -
I had a taskflow which contained a jsff as the default view activity. The view in turn pulled data from a Webservice proxy (a POJO for all practical purposes) via a POJO DataControl. We had a requirement to refresh the taskflow when the value of a selectOneChoice outside the region changed.

Issue -
Though the taskflow refreshed, the page showed the same data within the ADF Table (based on the POJO Data control), which was surprising!

Concern
Since as per the documentation -
http://docs.oracle.com/cd/E21764_01/web.1111/b31974/taskflows_regions.htm#CHDEIFBB
Example 17-8 says :
You do not need to refresh an ADF region to refresh the data controls inside the ADF region. During the ADF lifecycle, the refresh events telling the iterators to update will be propagated to the binding container of the current page of the ADF region.


Solution -
We had to re-execute the iterator's Query to get this to work either as a method call before your view is loaded or by overriding the refreshRegion() method of the Region Controller class.

Explanation - 
The actual reason why this is expected is the way ADF works with ADF BC as the business services layer, and the UI-aware data model aspect from the Oracle documentation. Other, non-ADF BC business service implementations do not support this pattern, and we would need to refresh iterators programmatically, clear caches etc. to reflect the most recent data when using POJO/WS Data Controls etc.

"When you use ADF Business Components in combination with the ADF Model layer and ADF Faces UI components, the data model is "UI aware" because your UI components will automatically update to reflect any changes to the row sets of these business objects
Thus, the UI-aware data model represents a solution that works across application technology layers to ensure that the UI and data model remain synchronized."

Here is the forum thread for reference.

Conclusion
Though many people who have worked on open source platforms and are used to having a handle on the code aren't fans of ADF BC, ADF BC simplifies development by providing really cool features like the UI Aware Data Model. I will try to outline more on this in another post.


Saturday, July 12, 2014

ADF/Webcenter : High Availability/Failover Configuration

We need to add the following parameters to our config files to enable High Availability in ADF /Webcenter applications.


Specifically ensure the weblogic-application.xml file has the following:
<session-descriptor>
    <cookie-path>/appname</cookie-path>
    <persistent-store-type>REPLICATED_IF_CLUSTERED</persistent-store-type>
</session-descriptor>

And the adf-config.xml file has the following:
<adf-controller-config xmlns="http://xmlns.oracle.com/adf/controller/config">
    <adf-scope-ha-support>true</adf-scope-ha-support>
</adf-controller-config>
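Both settings are easy to lose in a merge or to place under the wrong element, and the adf-config one lives in its own namespace, so a plain element search misses it. The following added example (not Oracle code, and not part of this post) parses both files and reports which of the two settings above is missing or wrong; the two sample fragments are constructed for the example, with the namespaces the real descriptors declare.

```python
"""Verify the two HA settings from the post are present in
weblogic-application.xml and adf-config.xml.

Added example, not Oracle code. Element names and expected values come from
the post; the sample fragments are constructed for this example.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip an XML namespace prefix: '{uri}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _find_text(root, *path):
    """Descend by local element names, ignoring namespaces: a deployed
    weblogic-application.xml may or may not declare one, and the
    adf-controller-config element always does."""
    node = root
    for name in path:
        node = next((c for c in node.iter() if _local(c.tag) == name), None)
        if node is None:
            return None
    return (node.text or "").strip()


def check_ha_config(weblogic_app_xml, adf_config_xml):
    """Return a list of problems; an empty list means both settings are in place."""
    problems = []
    wl = ET.fromstring(weblogic_app_xml)
    store = _find_text(wl, "session-descriptor", "persistent-store-type")
    if store != "REPLICATED_IF_CLUSTERED":
        problems.append(
            f"weblogic-application.xml persistent-store-type is {store!r}, "
            "expected REPLICATED_IF_CLUSTERED")
    if not _find_text(wl, "session-descriptor", "cookie-path"):
        problems.append("weblogic-application.xml session-descriptor has no cookie-path")
    adf = ET.fromstring(adf_config_xml)
    ha = _find_text(adf, "adf-controller-config", "adf-scope-ha-support")
    if ha != "true":
        problems.append(f"adf-config.xml adf-scope-ha-support is {ha!r}, expected 'true'")
    return problems


# Constructed sample descriptors (not taken from a real deployment).
SAMPLE_WEBLOGIC_APP = """<weblogic-application xmlns="http://xmlns.oracle.com/weblogic/weblogic-application">
  <session-descriptor>
    <cookie-path>/appname</cookie-path>
    <persistent-store-type>REPLICATED_IF_CLUSTERED</persistent-store-type>
  </session-descriptor>
</weblogic-application>"""

SAMPLE_ADF_CONFIG = """<adf-config xmlns="http://xmlns.oracle.com/adf/config">
  <adf-controller-config xmlns="http://xmlns.oracle.com/adf/controller/config">
    <adf-scope-ha-support>true</adf-scope-ha-support>
  </adf-controller-config>
</adf-config>"""

if __name__ == "__main__":
    print(check_ha_config(SAMPLE_WEBLOGIC_APP, SAMPLE_ADF_CONFIG) or "HA settings present")
```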



Some other factors you should consider at a code level.

ADF : Refactoring/Modularizing your AMImpl code

Many of our ADF applications use a single Application Module (AM henceforth) to house most of the business logic. This results in a huge AMImpl.java which keeps growing and eventually becomes difficult to maintain with multiple developers working on it.

With this file being the heart and soul of the application, it would not hurt to refactor the business logic within it into separate standalone Java classes, split along some functional/logical separation.

This can be easily achieved by calling these standalone Java classes from the AMImpl.java and passing the AM instance to them, so that the required operation can be carried out independently and in context. The AMImpl.java then just houses the skeleton methods which call the standalone Java class methods.

Example
Code in <yourAMName>Impl.java (OrgAMImpl in this example)

    // This could be called from the UI via a method call activity in a Taskflow
    public void scheduleJobViaAM() {
        Scheduler scheduler = new Scheduler(); // can be made a static helper as well, based on need
        scheduler.scheduleJobsViaQuartz(this);
    }

Code in the standalone Java class

    import oracle.jbo.server.ApplicationModuleImpl;

    public class Scheduler {
        // Accepts an instance of the superclass of our AMImpl.java
        public void scheduleJobsViaQuartz(ApplicationModuleImpl am) {
            // Typecast the AM to its Impl class to get access to its methods and VO instances
            OrgAMImpl orgAM = (OrgAMImpl) am;
            // Call the AM method to do the processing with its VO instances; alternatively
            // that code could be written here too, since we have a handle to the AM instance
            orgAM.commitSalaryForEmployee(100);
        }
    }

Finally we have more readable , manageable code which goes a huge way in having a timely delivered project with minimum issues  !

ADF/WebCenter : Things to keep in mind while integrating Google Analytics

Download this article here to configure Google Analytics with ADF (pretty much similar to the integration of GA with JSP). This will help you see page views by location, browser etc.

Few Issues I faced & might help you -


2)Enabling IP Address on IWLS -

3)Use Universal Analytics or Basic Classic Analytics (without additional settings) as clearly mentioned here -

Friday, July 11, 2014

ADF : Lifecycle of a POJO Data Control

Though ADF BC is the Oracle-recommended Business Services layer, for many use cases we end up using POJOs and exposing them in the UI via POJO Data Controls,
e.g. consuming web services as a WS Proxy, or calling 3rd-party or IDM APIs.

I would like to point out that it's highly recommended that you generate data controls out of the POJO and consume them in the UI, rather than get a handle to the POJO directly in the UI, bypassing the binding layer altogether. That way we can leverage cool features like sorting, filtering etc. OOTB, and the results are not cached when the table is bound to a pageFlowScope bean.
I have seen even ignorant so-called 'Sr Solution Architects' use the wrong approach, face weird issues & blame it on ADF !!

This post is intended to share the insights I received from Oracle PMs and others on the popular ADF Enterprise Methodology Group (EMG) on the below use case.


A POJO  in the model layer with its constructor and a few public methods which return a list or the like which is finally exposed as a Datacontrol to a ADF UI.
When will the POJO Datacontrol and the POJO be initialized and in what memory scope would it be kept in case it needs to be accessed in various places on the same page or in different pages in same/different TFs ?

See   the ADF EMG post & Frank's reply on the forum post for more details  and precise answers on the above.

Tuesday, July 8, 2014

Oracle Access Manager(OAM) & Oracle Internet Directory(OID)'s restricted use license with WebCenter Portal

A restricted use of Oracle Access Manager(OAM) & Oracle Internet Directory(OID) is allowed with WebCenter Suite Plus licensing which is one of the most common licenses available to Customers implementing a WebCenter Portal.
Thus OAM & OID can be used to provide Single Sign On (SSO) between WebCenter , UCM/Content & IPM without the client having to buy any additional licenses albeit with a few technical limitations.
In addition out of the box features like Impersonation can be leveraged easily.
On a whole this should help customers easily leverage Single-Sign-On using OAM & use Oracle's LDAP - OID when implementing a WebCenter Portal.

Source :
"Oracle Access Manager(OAM) for enabling Single-Sign On (SSO) between WebCenter Portal components. Use of Oracle Access Manager to a) enable SSO for any custom services or functions or third party applications;
b) Direct Oracle Access Manager SDK calls; or c) Third party directory integration, is not allowed.
Oracle Internet Directory(OID) - The use of OID is restricted to storing credentials and policies specific to WebCenter Portal and its delivered components."

Limitations :
1) OAM & OID along with the WebTier would need to be installed in the same VMs as Webcenter Portal when leveraged as a part of this licensing.
This makes it slightly different from Oracle's recommended deployment Architecture for OAM.

Monday, July 7, 2014

What is Oracle Mobile Application Framework (MAF) ?

Oracle Mobile Application Framework (MAF) was launched on June 30, 2014.

It is Oracle's latest mobile platform to develop hybrid mobile applications (which run on the device and are built using web technologies like Java/ADF) and can be deployed to iOS & Android platforms.

It is basically an extension of ADF Mobile with a few additional features -

  • Ability to develop using multiple IDE tools like Eclipse (OEPE*) besides JDeveloper.
  • Additional AMX* components (80 in total now) to develop mobile applications & provide a rich look & feel.
  • Newly supported ADF DVT* components like Sunburst & Timeline. [Demos]
  • Support for Apache Cordova plugins.
  • Support for OAuth & web SSO for security.
  • Complete integration with Oracle Mobile Security Suite (OMSS), which is a part of Oracle IDM.
  • Available from JDeveloper 12.1.3 onwards.
  • Migration of existing ADF Mobile applications is easy: just open the application in the new JDeveloper!
  • Licensing for Oracle MAF is now separate (per user per app, or unlimited users per app).
  • Higher reusability using Feature Archives (FARs) & custom components.
  • Support for HTML5 and JavaScript development.

Architecture ( Source : Oracle )



Resources

Glossary
*  DVT - Data Visualization Components (Graphs/Charts etc)
*  OEPE - Oracle Enterprise Pack for Eclipse
*  AMX - ADF Mobile XML