Oracle® Access Manager Access Administration Guide
10g (10.1.4.3)

Part Number E12488-01

1 Overview of Access System Configuration and Administration

This chapter provides an overview for people who are new to Access System setup and administration.

This chapter discusses the following topics:

Note:

This chapter assumes that you have at least a little familiarity with the purpose of Oracle Access Manager and the Identity System. For references to these topics, see the "Preface".

1.1 About the Access System

The Access System provides centralized authentication, authorization, and auditing to enable single sign-on and secure access control across enterprise resources. You use the Access System to set up security policies that control access to resources. Resources include Web content, applications, services, and objects in applications, and similar types of data in non-Web (non-HTTP) resources.

The Access System stores information about configuration settings and access policies in a directory server that uses Oracle Access Manager-specific object classes. You can use the same directory to store the Access System configuration settings, access policy data, and the Identity System user data, or this data can be stored on separate directory servers.

1.2 Access System Components

The Access System consists of the following components:

Policy Manager

The Policy Manager is installed on a Web server in the same directory as the Identity System component WebPass. See the Oracle Access Manager Introduction manual for an illustration that shows the location of WebPass. The Policy Manager provides a login interface to the Access System. Master Access Administrators and Delegated Access Administrators use the Policy Manager to define resources to be protected, and to group resources into policy domains. A policy domain consists of resource types to protect, rules for protection, policies for protection, and administrative rights.

The Policy Manager includes a component called the Access System Console, which permits administrators to add, change, and remove Access Clients and Access Servers, configure authentication and authorization schemes, configure master audit settings, and configure host identifiers.

You do not need to configure the Policy Manager application user interface the way you do the Identity System applications.

Access Server

The Access Server is a standalone server that provides authentication, authorization, and auditing services. You can have multiple instances installed. The Access Server validates credentials, authorizes users, and manages user sessions. The Access Server receives requests from an Access Client and queries authentication, authorization, and auditing rules in the directory server as follows:

WebGate

The WebGate is an out-of-the-box Access Client for HTTP-based resources. WebGate is a plug-in that intercepts HTTP requests for Web resources and forwards them to the Access Server.

The Access System supports single sign-on, enabling you to establish login policies that allow users to access multiple applications with a single login.

1.3 Review of Access System Installation and Setup

During Access System installation and setup, you complete the following tasks as described in the Oracle Access Manager Installation Guide:

Table 1-1 summarizes Access System installation and setup, which is described in detail in the Oracle Access Manager Installation Guide.

Table 1-1 Overview of Access System Installation and Setup

To perform this task: Install the Policy Manager
Read: Oracle Access Manager Installation Guide, chapter on installing the Policy Manager

To perform this task: Set up the Policy Manager
Read: Oracle Access Manager Installation Guide, section on setting up the Policy Manager

To perform this task: Install the Access Server
Read: Oracle Access Manager Installation Guide, chapter on installing the Access Server

To perform this task: Install a WebGate
Read: Oracle Access Manager Installation Guide, chapter on installing the WebGate


1.4 About Configuring Resources and Rules for Who Can Access Them

The Access System enables you to control who is allowed to access data. You can create access policies that extend beyond the Identity System applications. For example, if you have an online benefits system, you can configure access policies that only permit employees to view portions of the benefits Web site that are relevant to them. Or you can configure access policies so that external customers are allowed to see your inventory Web pages but not other corporate information.

Table 1-2 provides an overview of configuring the Access System.

Table 1-2 Overview of Access System Policy-Related Configuration

Perform this task: Enter host IDs
Description: Map host name variations to a single Web server instance. This ensures that the Access System can process the variations in URLs that it receives when users request resources.
Read: "Configuring Host Identifiers"

Perform this task: Create a policy domain and define resources to protect
Description: A resource is something you want to protect, such as a Web page, plus the actions applied to that item, for instance, an update. A policy domain defines a set of resources to protect. You identify the resources in the domain using fully qualified path names or URLs, plus rules for protection, policies for protection, and administrative rights.
Read: "Protecting Resources with Policy Domains"

Perform this task: Create policies for URL patterns
Description: Default rules apply to all URLs in a policy domain. You can also specify individual policies with their own authorization, authentication, and auditing rules for URL patterns and operations, for example, HTTP GET, PUT, and so on.
Read: "About Policy Domains and Their Policies"

Perform this task: Create an authentication scheme
Description: Validate the identities of people who want to access your resources. Define the method of authentication (for instance, X.509 certificates), the plug-in that maps the supplied credentials to a user's identity in the directory, and the mapping to the user's DN in the directory.
Read: "Configuring User Authentication"

Perform this task: Create an authorization scheme
Description: Determine whether people with valid credentials are permitted (authorized) to access particular resources and to perform actions on those resources, based on the authorization rules.
Read: "Configuring User Authorization"

Perform this task: Create a master audit rule
Description: The Access System must have a Master Audit Rule before it begins adding data to the audit log file. The audit log file records administrative events such as clearing data from caches.
Read: "About the Master Audit Rule"

Perform this task: Configure single sign-on
Description: Single sign-on allows users to authenticate to multiple applications with one login.
Read: "Configuring Single Sign-On"

Perform this task: Create a shared secret
Description: The shared secret is used to generate the key that encrypts cookies sent between the WebGate and the user's browser.
Read: "Creating a Shared Secret Key"
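The following is an added, simplified model of how the pieces in Table 1-2 and the WebGate-to-Access Server check from Section 1.2 fit together. It is illustration code written for this page, not Oracle Access Manager code and not its actual matching algorithm: host identifiers normalize the host part of a request URL, a policy domain identifies the resources it protects by URL prefix and carries a default rule, policies for specific URL patterns and HTTP operations override that default, and each decision checks the authentication scheme first, then the authorization rule, and writes an audit record. The matching choices (longest prefix wins, unmapped hosts fail closed) and all host names, paths, scheme names and roles are constructed assumptions.

```python
"""Added illustration of Access System policy evaluation (not Oracle code).

Simplified model of Table 1-2: host identifiers, policy domains, URL-pattern
policies, authentication and authorization rules, and audit records.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Host identifiers: every variation a browser might send for one Web server
# instance maps to a single canonical ID (constructed sample values).
HOST_IDENTIFIERS = {
    "benefits": {"benefits.example.com", "benefits.example.com:80",
                 "benefits", "10.0.0.5"},
}

ALL_OPERATIONS = frozenset({"GET", "POST", "PUT", "DELETE"})


def resolve_host_id(netloc):
    """Map the host[:port] part of a request URL to its host identifier."""
    netloc = netloc.lower()
    for host_id, variations in HOST_IDENTIFIERS.items():
        if netloc in variations:
            return host_id
    return None


@dataclass
class Rule:
    auth_scheme: str          # scheme the user's credential must come from
    allowed_roles: frozenset  # authorization: any one of these roles suffices
    operations: frozenset = ALL_OPERATIONS  # HTTP operations this rule covers


@dataclass
class PolicyDomain:
    host_id: str
    url_prefix: str           # resources in the domain, identified by URL prefix
    default_rule: Rule        # applies to every URL in the domain unless overridden
    policies: dict = field(default_factory=dict)  # URL pattern -> Rule

    def rule_for(self, path, operation):
        """Most specific policy whose pattern and operation match, else default."""
        best = None
        for pattern, rule in self.policies.items():
            if path.startswith(pattern) and operation in rule.operations:
                if best is None or len(pattern) > len(best[0]):
                    best = (pattern, rule)
        return best[1] if best else self.default_rule


AUDIT_LOG = []  # stands in for the audit log file


def decide(domains, operation, url, credentials):
    """Return 'allow', 'deny' or 'unprotected' for one request.

    credentials is None for an anonymous request, otherwise a dict with the
    'scheme' that authenticated the user and the user's 'roles'.
    """
    parts = urlsplit(url)
    host_id = resolve_host_id(parts.netloc)
    if host_id is None:
        # A host nobody mapped is treated as protected and denied (fail closed).
        AUDIT_LOG.append(("unknown-host", parts.netloc, operation, parts.path))
        return "deny"
    candidates = [d for d in domains
                  if d.host_id == host_id and parts.path.startswith(d.url_prefix)]
    if not candidates:
        return "unprotected"
    domain = max(candidates, key=lambda d: len(d.url_prefix))
    rule = domain.rule_for(parts.path, operation)
    if credentials is None or credentials.get("scheme") != rule.auth_scheme:
        AUDIT_LOG.append(("authn-failed", host_id, operation, parts.path))
        return "deny"
    if not rule.allowed_roles & frozenset(credentials.get("roles", ())):
        AUDIT_LOG.append(("authz-denied", host_id, operation, parts.path))
        return "deny"
    AUDIT_LOG.append(("allowed", host_id, operation, parts.path))
    return "allow"


# Constructed sample domain: the online benefits site from Section 1.4.
BENEFITS = PolicyDomain(
    host_id="benefits",
    url_prefix="/benefits",
    default_rule=Rule("form", frozenset({"employee", "hr"})),
    policies={
        # Admin pages require certificate authentication and the hr role.
        "/benefits/admin": Rule("x509", frozenset({"hr"})),
        # Changing enrolments (POST/PUT) is hr-only; reading them uses the default.
        "/benefits/enroll": Rule("form", frozenset({"hr"}),
                                 frozenset({"POST", "PUT"})),
    },
)
DOMAINS = [BENEFITS]

if __name__ == "__main__":
    employee = {"scheme": "form", "roles": ["employee"]}
    for op, url in [("GET", "http://BENEFITS.example.com:80/benefits/summary"),
                    ("GET", "http://benefits.example.com/benefits/admin/users"),
                    ("POST", "http://10.0.0.5/benefits/enroll")]:
        print(op, url, "->", decide(DOMAINS, op, url, employee))
```

Two points the table only implies are visible here: a request for `BENEFITS.example.com:80` and one for `10.0.0.5` land on the same policy domain only because both are mapped to the host identifier, and a GET to `/benefits/enroll` falls back to the domain's default rule because the enrolment policy covers only POST and PUT.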


Note:

Before you define policy domains and policies, you may want to define a few Access Administrators and configure at least one Access Server and WebGate, as mentioned in Table 1-3.

1.5 About Configuring and Managing the Access System Components

You configure the Access System by defining administrators, adding components such as Access Servers and AccessGates, and setting basic system parameters.

You also manage the Access System by adding more servers, by defining caching parameters, and by extending your access policies using custom plug-ins. Table 1-3 provides an overview of managing the Access System.

Table 1-3 Overview of Managing the Access System

To perform this task: Configure Access Administrators
Read: "Configuring Access Administrators and Server Settings"

To perform this task: Configure server settings
Read: "Configuring Access Administrators and Server Settings"

To perform this task: Configure WebGates, AccessGates, and Access Servers
Read: "Configuring WebGates and Access Servers"

To perform this task: Add Access Servers
Read: The Oracle Access Manager Installation Guide. You can add components interactively, or by using silent installation or cloning.

To perform this task: Configure directory instances
Read: The Oracle Access Manager Identity and Common Administration Guide

To perform this task: Configure logging, monitoring, and auditing
Read: The Oracle Access Manager Identity and Common Administration Guide

To perform this task: Install the Access Manager SDK
Read: The Oracle Access Manager Developer Guide

To perform this task: Configure non-HTTP access clients
Read: The Oracle Access Manager Developer Guide

To perform this task: Manage caching
Read: The Oracle Access Manager Deployment Guide

To perform this task: Configure failover
Read: The Oracle Access Manager Deployment Guide

To perform this task: Tune performance
Read: The Oracle Access Manager Deployment Guide