|Oracle® Access Manager Installation Guide
Part Number E12493-01
After you install the Identity System, you can begin to install the Access System, which includes three components: the Policy Manager, the Access Server, and the WebGate. The Policy Manager is the first component that must be installed, as topics in this chapter describe:
See Also:"Confirming Certification Requirements"
The Policy Manager provides the login interface for the Access System, communicates with the directory server to write policy data, and communicates with the Access Server over the Oracle Access Protocol to update the Access Server when you make certain policy modifications. Master Access Administrators and Delegated Access Administrators use the Policy Manager to define resources to be protected and to group resources into policy domains. An overview is provided in the Oracle Access Manager Introduction.
The Policy Manager installation includes the Access System Console. Installing the Policy Manager combines elements of both Identity Server and WebPass installation. For instance, when installing the Policy Manager you must identify where to store Oracle Access Manager policy data. A default Policy Manager directory profile is created and becomes available after setup. You also need to update your Web server configuration for the Policy Manager, as you did for the WebPass. Rather than starting and stopping an Policy Manager service, you will start and stop the Policy Manager Web server.
Oracle recommends that you protect all WebPass and Policy Manager instances with WebGate. WebPass and Policy Manager use in-built simple authentication for protecting specific applications (User Manager, Group Manager, Policy Manager). However, this does not protect all possible WebPass and Policy Manager URLs from direct access.
Note:You can install Policy Manager (and WebGate) against the same Web server instance as WebPass. You can accept creating default policy domains during Policy Manager setup. This enables you to have WebGate protect all Identity and Policy Manager URLs from un-authenticated access. For more information see "Configuring Authentication Schemes and Default Policy Domains".
Again, separate Web server-specific installation packages are provided for the Policy Manager in platform-specific directories. The installation process is similar regardless of the installation method you choose and your operating system. Information is saved at certain points during installation. If you cancel the installation after being informed that the Policy Manager is being installed, you must uninstall the component, as described in "Upgrading an Earlier Release".
After installation, you must complete the Policy Manager setup process before installing other Access System components. As with Identity System set up, your information is saved as you progress from one page to the next during setup. You may return to previous pages at any time and you may leave the setup process and restart it at any time. If you restart the setup process, you will continue with the question that follows your last saved entry.
For installation considerations, see "Policy Manager Guidelines".
Oracle recommends you install multiple Policy Managers for fault tolerance. To install multiple Policy Managers, you simply perform the installation and setup described in this chapter for each new Policy Manager instance.
A Policy Manager installed with an IIS Web server depends on the Registry to obtain the \PolicyManager_install_dir. To avoid a conflict in the Registry when you install two Policy Managers on a single computer, one with an IIS Web server and the other with a Sun Web server, you must install the Policy Managers as outlined in the following procedure.
Install the Policy Manager with the Sun Web server first.
Install the Policy Manager with the IIS Web server second.
Before you begin installing the Policy Manager, confirm that you have completed the tasks in Table 7-1. Failure to complete all prerequisites may adversely affect your Oracle Access Manager installation.
Table 7-1 Policy Manager Prerequisites Checklist
|Checklist||Policy Manager Prerequisites|
Review and complete all prerequisites and requirements that apply to your environment, as described in Part I, "Installation Planning and Prerequisites"
Complete all activities in Part II, "Identity System Installation and Setup"
Install a WebPass for this Policy Manager, as described in Chapter 5, "Installing WebPass" and:
Review Web server specific details in:
You must install your Policy Manager in the same directory as your WebPass. If you specify a directory that does not include a WebPass, you will be asked if you want to install a WebPass or specify a different directory. If you choose to install a WebPass, this may launch automatically.
Refer to your completed installation preparation worksheets as you install the Policy Manager. The installation task has been divided into the following procedures:
Choose your installation method and start the process as described in "Starting the Installation".
Identity the directory server and data location as explained in "Defining a Directory Server Type and Policy Data Location".
Identity the transport security mode as described in "Specifying a Transport Security Mode".
Update the Web server configuration as explained in "Updating Your Policy Manager Web Server Configuration".
Complete installation as discussed in "Finishing the Policy Manager Installation".
Be sure to choose the appropriate installation package for your Web server and review Web server-specific details as described in Table 7-1.
Log in as a user with administrator privileges.
Locate the Policy Manager installer (including any Access System Language Packs you want to install) in the temporary directory you created.
Launch the Policy Manager installer for your preferred platform, installation method, and Web server.
The Welcome screen appears.
Dismiss the Welcome screen by clicking Next.
Respond to the question about administrator rights based upon your platform. For example:
You are asked to specify the installation directory for the Policy Manager.
Choose the installation destination, then click Next.
Language Pack: Choose a Default Locale and any other Locales to install, if this screen appears, then click Next.
A summary identifies the installation directory and required disk space and asks you to make a note of this information for future reference.
Write the installation directory name, if needed, then click Next.
You are notified that the Policy Manager is being installed, which may take several seconds. On Windows systems, you are informed that the Microsoft Managed Interfaces are being configured. Information is saved and you cannot return to previous screens to restate information.
The installation process is not complete. You are asked about the location for Oracle Access Manager policy data.
Oracle Access Manager policy data includes the rules that govern access to resources. You are asked to specify where policy data will be stored and if you want to add the Oracle Access Manager schema now or later. If your policy data is stored on the:
Same Directory Server: Respond with No. When Oracle Access Manager policy data will be stored in the same directory server as configuration data or user data, an update is not needed because the schema was added during the Identity Server installation.
Separate Directory Server: When Oracle Access Manager policy data will be stored in a separate directory server than either the configuration data or user data, the Oracle Access Manager schema must be added. You can direct this addition to occur either:
Automatically: Respond with Yes to automatically update the schema now.
Manually: Respond with No to update the schema manually later. For additional information, see "Updating the Schema and Attributes Automatically Versus Manually".
Select your directory server type, then click Next
Respond to the question about where policy data will be stored:
No: Answer No if policy data will be stored with user and configuration data or if you want to manually update the schema later.
Yes: Answer Yes when policy data will be stored separately and you want to automatically update the schema now.
This information will be saved and you will not be allowed to return restate it.
Click Next and skip to the appropriate procedure for your environment:
During installation on a Solaris system, when policy data is stored with other Oracle Access Manager data you will be asked about the communication method for the existing directory server.
To specify directory server communication details
Respond to the question about securing directory server communication with SSL, then click Next.
Note:SSL-enabled communication is supported for Policy Managers installed on Solaris with Sun Web servers.
SSL: Specify the path to the certificate, then click Next.
Continue with "Specifying a Transport Security Mode".
During installation on a Windows system, when policy data is stored with other Oracle Access Manager data you will be asked about communication with the directory server.
Note:When this sequence concludes, you will be asked for transport security details. When this occurs, skip to "Specifying a Transport Security Mode".
Click Yes if you are using Active Directory with ADSI (or No if you are not), then click Next. For example:
Next you are asked about the communication between the directory server and the Policy Manager for each of the three types of data: user, configuration, and policy data.
Check the box beside each type of data for which SSL communication with the directory server is needed, then click Next. For example:
Directory Server ... user data is in SSL
Directory Server ... configuration data is in SSL
Directory Server ... Policy data is in SSL
SSL: Specify the path to each certificate, then click Next.
Continue with "Specifying a Transport Security Mode"
When your policy data is stored separately you need to identify the type of directory server and other relevant details. For additional information, see "Data Storage Requirements".
Specify your directory server type for policy data stored separately, then click Next. For example:
Specify the following directory server configuration information, then click Next. For example:
Host name: The DNS host name of the policy data directory server computer
Port number: The port on which the policy data directory server listens (for SSL connections, provide the encrypted port)
Bind DN: The DN for the policy data directory server
Note:The distinguished name you enter as the bind DN must have full permissions for the policy data branch of the directory information tree (DIT). Oracle Access Manager will access the directory server as this account. Examples are provided in Table 7-2 Your configuration may be different.
Table 7-2 Sample Bind DNs for Supported Directory Servers
|Directory Server||Bind DN|
Sun Directory Server 5.x
Note: Oracle recommends that you do not use cn=Directory Manager. For details, see "Meeting Directory Server Requirements".
Password: The password for the user data directory server bind DN
Update through SSL connection? (Yes or No): If you are installing on Solaris with a Sun Web server, SSL is not supported and communication must be Open.
You complete step 3 when you indicated SSL.
SSL only: Enter the certificate path, then click Next.
If there is an error in the information you provide, the schema cannot be updated. You can either restate the configuration information during installation or manually update the schema later using the file: \PolicyManager_install_dir\access\oblix\tools\ldap_tools\ds_conf_update. See also, "Updating the Schema and Attributes Automatically Versus Manually".
Next, you are asked about transport security.
You must specify a transport security mode for the Policy Manager and its WebPass. Transport security between all Access System components (Policy Managers, Access Servers, and associated WebGates) must match: either all open, all Simple mode, or all Cert.
Specify the transport security mode this Policy Manager will use to communicate with the rest of the Access System.
Click Next and perform the following operations according to the transport security mode you chose. For example:
Open: Skip to "Updating Your Policy Manager Web Server Configuration".
Simple: Specify and confirm the Access System Pass Phrase, click Next, then continue with "Updating Your Policy Manager Web Server Configuration".
Certificate: Specify and confirm the certificate password (PEM phrase), click Next, and continue with step 3.
Certificate: Indicate if you are requesting or installing a certificate, complete the sequence, then continue with "Updating Your Policy Manager Web Server Configuration".
Note:You cannot setup the Policy Manager until the certificates are copied to the \PolicyManager_install_dir\access\oblix\config directory, and the Policy Manager Web server is restarted. See the Oracle Access Manager Access Administration Guide for more information.
You are ready to update the Policy Manager Web server configuration.
Your Web server must be configured to work with the Policy Manager. You can direct this Web server configuration update to occur either automatically or manually.
Note:Oracle recommends automatically updating your Web server configuration. However, instructions for manual configuration are also provided.
Click Yes to automatically update your Web server, then click Next.
Most Web Servers: Specify the absolute path of the directory containing the Web server configuration file, then click Next.
IIS Web Servers: The process begins immediately and may take more than a minute. For more information, see Chapter 19, "Installing Web Components for the IIS Web Server".
A screen announces that the Web server configuration has been updated.
Sun Web Servers: Apply the changes in the Web server Administration console before you continue.
Stop the Policy Manager Web server instance, stop and restart the Identity Server service, then start the Policy Manager Web server instance.
Note:With an IIS Web server, using
net stop iisadminand
net start w3svcare good ways to stop and start the Web server, especially after installing the Policy Manager. The net commands help to ensure that the Metabase does not become corrupted following an installation. For more information, see Chapter 19, "Installing Web Components for the IIS Web Server".
Click Next to dismiss the announcement and continue with "Finishing the Policy Manager Installation"
ReadMe information appears.
Click No when asked if you want to proceed with the automatic update, then click Next.
A new window opens to assist you in manually setting up your Web server for Oracle Access Manager.
Return to the Policy Manager installation and click Next.
Refer to "Manually Configuring Your Web Server" after you finish the installation and before you setup the Policy Manager.
The ReadMe information provides details about documentation and contacting Oracle.
Review the ReadMe information, then click Next.
You are informed that the Policy Manager has been successfully installed.
Click Finish to close the wizard.
Continue with the following procedures, as needed:
See Also:"SELinux Issues".
Native POSIX Thread Library: When installing Oracle Access Manager Web components for use with NPTL, there is no need to set the environment variable LD_ASSUME_KERNEL to 2.4.19.
Manually Configuring Your Web Server if you did not do this automatically during installation
During Policy Manager installation you are asked if you want to automatically update your Web server installation. If you selected No, you must do this manually before you set up the Policy Manager.
Note:If the manual configuration process was launched during Policy Manager installation, you can skip step 1.
Launch your Web browser, and open the following file, if needed:
where \PolicyManager_install_dir is the directory where you installed the Policy Manager; and langTag refers to a language specific directory (en-us, for example).
Select the appropriate supported Web server interface configuration protocol from the table on the screen.
Follow all instructions that appear, which are specific to each type of Web server, and note the following:
Make a back up copy of any file that you are required to modify during Web server set up, so it is available if you need to start over.
Some setups launch a new browser window or require you to launch a Command window to input information, so ensure that you return to and complete all original setup instructions to enable your Web server to recognize the appropriate Oracle Access Manager files.
Note:If you accidentally closed the window, return to step1 and click the appropriate link again.
Continue with the following procedures:
Security-Enhanced Linux: After installing an Oracle Access Manager Web component, errors might be reported in WebServer logs/console when starting a Web server on Linux distributions that have stricter SELinux policies in place. You can avoid these errors by running appropriate
chcon commands for the installed Web component before restarting the Webserver.
See Also:"SELinux Issues"
The Policy Manager must communicate with your directory server to write the new policies you create. The following procedures guide you as you make the connections that are necessary for this communication.
During setup, specifications are saved whenever you click the Next button. If you leave setup and restart it later, you are returned to the same place.
Start the process, as described in "Starting the Setup Process".
Define directory details, as described in "Specifying Directory Server Details and Data Locations".
Set up authentication schemes, as described in "Configuring Authentication Schemes and Default Policy Domains".
Finish the setup process, as described in "Completing Policy Manager Setup".
Policy Manager setup cannot be completed if the directory server used to store policy information is not loaded with the Oracle Access Manager schema.
You must manually update the policy data directory server schema before you begin the setup process, when the following conditions are both true:
You plan to store policy data in a separate directory server
You did not update this directory server schema during Identity System setup
If you need to do this, use the instructions in the following file:
where directory_server in the path name refers to your specific directory server type and \langTag refers to the language you are using, for example \en-us.
Make sure your Web server is running.
Navigate to the Access System Console from your browser by specifying the URL of the WebPass instance that connects to the Policy Manager. For example:
where hostname refers to computer that hosts the Web server; port refers to the HTTP port number of the WebPass Web server instance;
/access/oblix connects to the Access System Console.
You will see the main Access System page.
Click the Access System Console link.
You are informed that the application is not yet set up.
Click the Setup button.
The next page asks about the directory server type.
Continue with "Specifying Directory Server Details and Data Locations" and see Chapter 21, "Important Notes" for additional details:
You need to specify details about the directory servers where user data, configuration data, and policy data are stored. You will be asked to provide information about the directory server for each type of data:
Your directory server type affects the scope of activities. With Sun directory servers, you may store policy data on a different directory server than configuration or user data. All policy data must be stored together on the same directory server.
With Active Directory, a pure ADSI configuration is created and communication to the directory servers will be configured over ADSI when you select the ADSI option. If you want to enable Dynamic Auxiliary Object Classes (Windows 2003 only), see "About Dynamically-Linked Auxiliary Classes".
The information you see during setup will depend on your environment. In this example, user data, configuration data, and policy data are stored together on the same directory server. Your environment may be different.
Select your user data directory server type, then click Next. For example:
Now you specify details for the user data directory server to help the Policy Manager locate your directory server and copy information into it.
Specify the user data directory server details based on your installation, then click Next. For example:
Computer: The user data directory server DNS hostname
Port Number: The user data directory server port number
Root DN: The user data directory server bind DN
Root Password: The password for the bind DN
Note:For Active Directory, a Domain Name field is included to fill in. With ADSI, a User-Principle-Name field is included where you enter the UserPrincipleName of the Root DN, such as :firstname.lastname@example.org.
You are asked about where the user data and configuration data are stored.
Select your configuration data directory server type, then click Next. For example:
Next you are informed that you can store your user data and configuration data either in the same directory or in separate directories and asked to choose a configuration for your deployment.
Choose the item that describes where you user data and configuration data are stored (together or separately), then click Next.
If the data is stored together, you are asked where policy data should be stored. In this case, continue with step 5.
If the data is stored separately, you are asked to specify details for the configuration data directory server before you continue.
Choose the item that describes where your policy data and configuration data are stored (together or separately), then click Next.
If the data is stored together, continue with step 6.
If the data is stored separately, you are asked to specify details for the policy data directory server before you continue.
The Setup Help button appears on the next page, which you can select to obtain additional information during the setup process. You are now asked to specify the location of the configuration DN, searchbase, and policy base.
Note:The configuration DN, searchbase, and policy base may be at the same level or at different levels of the directory tree. However, when the searchbase and the policy base are in separate directories, they must have unique DNs. That is, the searchbase cannot be o=oblix,<Policy Base> or ou=oblix,<Policy Base> if they are in separate directories. Similarly, the policy base and the configuration DN cannot be same if they are in separate directories.
Specify the appropriate information for your installation, then click Next. For example:
This must be the same searchbase you specified during Identity System configuration.
This must be the same configuration DN you specified during Identity System configuration.
This node resides within the policy directory server. If this node does not already exist, create it manually.
You are now asked to specify the Person object class, which must match the one you specified during Identity System setup. For more information, see your preparation worksheets and "To specify Person and Group object class details".
Enter the Person object class name, then click Next.
Person Object Class:
At this point, you are prompted to restart your Web server.
Note:If you are using IIS, be sure to follow additional on-screen instructions. Consider using
net stop iisadminand
net start w3svcto stop and start IIS. The net commands help to ensure that the Metabase does not become corrupted.
Stop and restart your WebPass/Policy Manager Web server instance and the related Identity Server instance, as usual, then click Next to continue.
Now you are asked to specify the root directory for Oracle Access Manager policy domains.
Oracle recommends that you accept the default value "/" unless you want to restrict the Master Administrator's ability to define and protect policy domains. For more information, see the Oracle Access Manager Access Administration Guide
Accept the default root directory for policy domains (or specify a new root directory), then click Next. For example:
Policy Domain Root
The next page asks about configuring authentication schemes.
This topic describes the authentication schemes and default policy domains that can be created during Policy Manager set up.
During Policy Manager setup, the following two authentication schemes are configured automatically:
The Anonymous authentication method is especially useful because it provides for anonymous users. Users are allowed access to Oracle Access Manager-specific URLs you do not want protected with the Access System, such as Self Registration and Lost Password Management.
In addition, you can automatically configure a Basic and a Client Certificate authentication scheme based on the configuration information from your user directory:
Basic Over LDAP: This built-in Web server challenge mechanism requires the user to enter their login ID and password. The credentials supplied are then compared to the users profile in the LDAP directory server.
The fields on the setup page for each scheme must be completed with information that is consistent with the Oracle Access Manager environment you are setting up. In most cases, appropriate defaults will appear on the setup page. You can modify these parameters later using the Access System Console.
You are also asked if you want to set up default policy domains. These will protect Access and Identity URLs. If you accept this option, the following two policy domains are created automatically:
Note:Oracle recommends that you accept creation of the Access domain and Identity domains to protect Identity and Policy URLs. Otherwise, you must manually create these policies later. For more information, see Oracle Access Manager Access Administration Guide.
Of course, you can decline automatic configuration. In this case, you need to set up Basic over LDAP and Client Certificate authentication schemes in the Access System Console later. Also, you must manually set up and enable the policy domains to protect Identity and Policy URLs. For more information about authentication schemes and policy domains, see the Oracle Access Manager Access Administration Guide.
Select Yes to initiate the automatic configuration sequence, or No to set up all authentication schemes yourself, then click Next.
If you selected Yes, continue with step 2.
Otherwise, skip to step 5.
Choose the authentication scheme or schemes you want to configure automatically, then click Next.
Review and change Basic Over LDAP parameters, as needed, then click Next.
Review and change Client Certificate parameters, as needed, then click Next.
Next you are asked if you want to configure policies to protect Oracle Access Manager-related (URLs). The default is No.
Select Yes to configure the policies (or No), then click Next. For example: Yes.
Note:You must associate and install Access Servers and WebGates before you can use the policy domains. Additionally, you must enable policy domains to make them operational. For more information about policy domains, see the Oracle Access Manager Access Administration Guide.
The next page provides instructions to complete the Policy Manager setup.
The Securing Data Directories page lists the Oracle Access Manager directories that you must protect to maintain the security of the Identity System.
You must restrict access both from browsers and from network users who access the directory through the file system. See the documentation for your Web server and operating system if you need instructions on how to protect directories.
You can also protect the Access System within a policy domain.
The second half of the page on-screen provides additional information about configuring Oracle Access Manager policy domains.
Read all information on the page before you continue.
Note:If you are using Active Directory, see "Installing and Setting Up the Access System" for additional information before you continue.
Restart the Web server and Identity Server service in the following order:
Stop the WebPass Web server instance, which is the same as the Policy Manager.
Stop, then restart the Identity Server service for the WebPass.
Restart the WebPass/Policy Manager Web server instance.
After the Web server restarts, click Done.
The Policy Manager home page appears.
Review the following information; you may perform any of the following procedures:
An easy way to confirm your Policy Manager setup is to log in and review the authentication schemes automatically configured during the setup process. You may also begin to use the Access System Console to setup the Access Server instance and define other administrators, as described in the Oracle Access Manager Access Administration Guide.
Note:If the Policy Manager home page is on your screen, you may skip step 2
Navigate to the Access System Console from your browser. For example:
where hostname refers to computer that hosts the Web server; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix connects to the Access System Console.
Select the Access System Console link.
Log in as a user with Master Administrator privileges.
The Access System Console appears.
You can click a tab in the top navigation bar to display a list of options, which will appear along the left side of the on-screen page. For example, complete step 4 to display a list of currently configured authentication schemes.
Select the Access System Configuration tab, then click Authentication Management when it appears in the left column.
A list of currently configured authentication schemes appears in the main body of the new page. If you did not choose to automatically configure schemes, none will be listed.
At this point, you can:
Display configuration details for an authentication scheme by clicking the link that corresponds to the scheme.
Add an Access Server instance by selecting Access Server Configuration in the side navigation bar (this is a prerequisite to installing an Access Server). For more information, see "Installing the Access Server".
Continue to explore the Access System Console and Policy Manager.
For example, you can define or modify policy domains as described in the Oracle Access Manager Access Administration Guide. The fact that Access Server or WebGate has not yet been installed has no impact on your ability to define them. Once these components are installed, the policy domains will be in affect.
Log out by selecting Logout in the side navigation bar.
For more information, see the Oracle Access Manager Access Administration Guide
Install the Access Server. For details, see Chapter 8, "Installing the Access Server".