Before adding policies to OpenSSO Enterprise using ssoadm ensure that:
The relevant realms exist (for example, the target realms of any sub realm or peer realm referrals you are creating).
Any authentication modules or services that the policy conditions refer to are registered with the appropriate realm.
The corresponding LDAP objects (groups, roles and users) exist.
Any OpenSSO Enterprise roles referenced by IdentityServerRoles subjects exist.
Create an XML file with policy definitions.
To add multiple policies simultaneously, place all policy definitions in one XML file rather than one policy per XML file; loading them in a single ssoadm run avoids problems with the policy index. The following XML file defines one policy, bigpolicy, whose rule, subjects, conditions and response provider exercise each of the available element types.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Policies PUBLIC "-//Sun Java System Access Manager 7.1 2006Q3 Admin CLI DTD//EN"
  "jar://com/sun/identity/policy/policyAdmin.dtd">
<Policies>
  <Policy name="bigpolicy" referralPolicy="false" active="true">
    <Rule name="rule1">
      <ServiceName name="iPlanetAMWebAgentService" />
      <ResourceName name="http://thehost.thedomain.com:80/*.html" />
      <AttributeValuePair>
        <Attribute name="POST" />
        <Value>allow</Value>
      </AttributeValuePair>
      <AttributeValuePair>
        <Attribute name="GET" />
        <Value>allow</Value>
      </AttributeValuePair>
    </Rule>
    <Subjects name="subjects" description="description">
      <Subject name="webservicesclient" type="WebServicesClients" includeType="inclusive">
        <AttributeValuePair>
          <Attribute name="Values"/>
          <Value>CN=sun-unix, OU=SUN OpenSSO Enterprise, O=Sun, C=US</Value>
        </AttributeValuePair>
      </Subject>
      <Subject name="au" type="AuthenticatedUsers" includeType="inclusive">
      </Subject>
      <Subject name="ldaporganization" type="Organization" includeType="inclusive">
        <AttributeValuePair>
          <Attribute name="Values"/>
          <Value>dc=red,dc=iplanet,dc=com</Value>
        </AttributeValuePair>
      </Subject>
      <Subject name="ldapuser" type="LDAPUsers" includeType="inclusive">
        <AttributeValuePair>
          <Attribute name="Values"/>
          <Value>uid=amAdmin,ou=People,dc=red,dc=iplanet,dc=com</Value>
        </AttributeValuePair>
      </Subject>
      <Subject name="ldaprole" type="LDAPRoles" includeType="inclusive">
        <AttributeValuePair>
          <Attribute name="Values"/>
          <Value>cn=Organization Admin Role,o=realm1,dc=red,dc=iplanet,dc=com</Value>
        </AttributeValuePair>
      </Subject>
      <Subject name="ldapgroup" type="LDAPGroups" includeType="inclusive">
        <AttributeValuePair>
          <Attribute name="Values"/>
          <Value>cn=g1,ou=Groups,dc=red,dc=iplanet,dc=com</Value>
        </AttributeValuePair>
      </Subject>
      <Subject name="amidentitysubject" type="AMIdentitySubject" includeType="inclusive">
        <AttributeValuePair>
          <Attribute name="Values"/>
          <Value>id=amAdmin,ou=user,dc=red,dc=iplanet,dc=com</Value>
        </AttributeValuePair>
      </Subject>
    </Subjects>
    <Conditions name="conditions" description="description">
      <Condition name="ldapfilter" type="LDAPFilterCondition">
        <AttributeValuePair>
          <Attribute name="ldapFilter"/>
          <Value>dept=finance</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="authlevelge-nonrealmqualified" type="AuthLevelCondition">
        <AttributeValuePair>
          <Attribute name="AuthLevel"/>
          <Value>1</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="authlevelle-realmqualified" type="LEAuthLevelCondition">
        <AttributeValuePair>
          <Attribute name="AuthLevel"/>
          <Value>/:2</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="sessionproperties" type="SessionPropertyCondition">
        <AttributeValuePair>
          <Attribute name="valueCaseInsensitive"/>
          <Value>true</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="a"/>
          <Value>10</Value>
          <Value>20</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="b"/>
          <Value>15</Value>
          <Value>25</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="activesessiontime" type="SessionCondition">
        <AttributeValuePair>
          <Attribute name="TerminateSession"/>
          <Value>session_condition_false_value</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="MaxSessionTime"/>
          <Value>30</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="authlevelle-nonrealmqualified" type="LEAuthLevelCondition">
        <AttributeValuePair>
          <Attribute name="AuthLevel"/>
          <Value>2</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="ipcondition" type="IPCondition">
        <AttributeValuePair>
          <Attribute name="DnsName"/>
          <Value>*.iplanet.com</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="EndIp"/>
          <Value>145.15.15.15</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="StartIp"/>
          <Value>120.10.10.10</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="authchain-realmqualified" type="AuthenticateToServiceCondition">
        <AttributeValuePair>
          <Attribute name="AuthenticateToService"/>
          <Value>/:ldapService</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="auth to realm" type="AuthenticateToRealmCondition">
        <AttributeValuePair>
          <Attribute name="AuthenticateToRealm"/>
          <Value>/</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="authlevelge-realmqualified" type="AuthLevelCondition">
        <AttributeValuePair>
          <Attribute name="AuthLevel"/>
          <Value>/:2</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="authchain-nonrealmqualified" type="AuthenticateToServiceCondition">
        <AttributeValuePair>
          <Attribute name="AuthenticateToService"/>
          <Value>ldapService</Value>
        </AttributeValuePair>
      </Condition>
      <Condition name="timecondition" type="SimpleTimeCondition">
        <AttributeValuePair>
          <Attribute name="EndTime"/>
          <Value>17:00</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="StartTime"/>
          <Value>08:00</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="EndDate"/>
          <Value>2006:07:28</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="EnforcementTimeZone"/>
          <Value>America/Los_Angeles</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="StartDay"/>
          <Value>mon</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="StartDate"/>
          <Value>2006:01:02</Value>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="EndDay"/>
          <Value>fri</Value>
        </AttributeValuePair>
      </Condition>
    </Conditions>
    <ResponseProviders name="responseproviders" description="description">
      <ResponseProvider name="idresponseprovider" type="IDRepoResponseProvider">
        <AttributeValuePair>
          <Attribute name="DynamicAttribute"/>
        </AttributeValuePair>
        <AttributeValuePair>
          <Attribute name="StaticAttribute"/>
          <Value>m=10</Value>
          <Value>n=30</Value>
        </AttributeValuePair>
      </ResponseProvider>
    </ResponseProviders>
  </Policy>
</Policies>
For subjects of the following types, the Value element takes the full DN of the referenced realm, role, group or user (a bare uid or cn is not accepted):
SubrealmReferral
PeerRealmReferral
Realm
IdentityServerRoles
LDAPGroups
LDAPRoles
LDAPUsers
Add the defined policies to OpenSSO Enterprise using ssoadm with the XML file as input.
ssoadm create-policies --realm realm-name --xmlfile policy-xml-filename --adminid administrator-id --password-file password-filename
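A pre-flight check is worth running before the ssoadm step, because create-policies loads the whole file and a single malformed subject fails late and obscurely. The script below is an added example, not code from the OpenSSO documentation or product: it parses the policy XML, enforces the constraints stated above (one file holding all policies, each Rule carrying a ServiceName and ResourceName, and a full DN in the Value of every subject of the DN-based types), checks that the password file handed to --password-file is not group- or world-readable, and then assembles the create-policies argument vector. The DN test is a syntactic heuristic, not an RFC 4514 parser. The sample XML, the realm "/", the admin id "amadmin" and the path /var/opt/ssoadm.pw are constructed for the demonstration.

```python
# Added example (not OpenSSO code): lint a policy XML file against the
# constraints the guide states, then build the ssoadm command line.
import os
import re
import shlex
import tempfile
import xml.etree.ElementTree as ET

# Subject types whose Value element must carry a full DN (per the guide).
DN_SUBJECT_TYPES = {"SubrealmReferral", "PeerRealmReferral", "Realm",
                    "IdentityServerRoles", "LDAPGroups", "LDAPRoles", "LDAPUsers"}

# Heuristic DN shape (attr=value RDNs joined by commas); not a full RFC 4514 parser.
_RDN = r"[A-Za-z][A-Za-z0-9.-]*=[^,]+"
_DN_RE = re.compile(rf"^\s*{_RDN}(\s*,\s*{_RDN})*\s*$")


def is_dn(value):
    return bool(_DN_RE.match(value or ""))


def lint_policy_xml(xml_text):
    """Return a list of problems; an empty list means the file passed."""
    try:
        root = ET.fromstring(xml_text)  # expat does not fetch the jar:// DTD
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "Policies":
        return [f"root element is <{root.tag}>, expected <Policies>"]
    problems, seen = [], set()
    policies = root.findall("Policy")
    if not policies:
        problems.append("no <Policy> elements")
    for policy in policies:
        name = policy.get("name") or "<unnamed>"
        if name in seen:
            problems.append(f"duplicate policy name {name!r}")
        seen.add(name)
        rules = policy.findall("Rule")
        if not rules:
            problems.append(f"policy {name!r}: no <Rule>")
        for rule in rules:
            if rule.find("ServiceName") is None or rule.find("ResourceName") is None:
                problems.append(f"policy {name!r}: rule {rule.get('name')!r} "
                                "needs ServiceName and ResourceName")
        for subj in policy.iter("Subject"):
            if subj.get("type") not in DN_SUBJECT_TYPES:
                continue
            values = [v.text or "" for v in subj.findall("AttributeValuePair/Value")]
            if not values:
                problems.append(f"policy {name!r}: subject {subj.get('name')!r} has no Value")
            for value in values:
                if not is_dn(value):
                    problems.append(f"policy {name!r}: {subj.get('type')} subject "
                                    f"{subj.get('name')!r} value {value!r} is not a full DN")
    return problems


def password_file_is_private(path):
    """The --password-file holds the admin password: refuse one readable by group/other."""
    return (os.stat(path).st_mode & 0o077) == 0


def ssoadm_argv(realm, xml_file, admin_id, password_file, ssoadm="ssoadm"):
    """Argument vector for the create-policies subcommand shown above."""
    return [ssoadm, "create-policies", "--realm", realm, "--xmlfile", xml_file,
            "--adminid", admin_id, "--password-file", password_file]


# Constructed sample: one valid policy and one whose LDAPUsers subject is not a DN.
SAMPLE_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE Policies PUBLIC "-//Sun Java System Access Manager 7.1 2006Q3 Admin CLI DTD//EN"
 "jar://com/sun/identity/policy/policyAdmin.dtd">
<Policies>
 <Policy name="allow-html" referralPolicy="false" active="true">
  <Rule name="rule1">
   <ServiceName name="iPlanetAMWebAgentService"/>
   <ResourceName name="http://thehost.thedomain.com:80/*.html"/>
   <AttributeValuePair><Attribute name="GET"/><Value>allow</Value></AttributeValuePair>
  </Rule>
  <Subjects name="subjects" description="finance group">
   <Subject name="finance" type="LDAPGroups" includeType="inclusive">
    <AttributeValuePair><Attribute name="Values"/>
     <Value>cn=finance,ou=Groups,dc=example,dc=com</Value></AttributeValuePair>
   </Subject>
  </Subjects>
 </Policy>
 <Policy name="broken" referralPolicy="false" active="true">
  <Rule name="rule1">
   <ServiceName name="iPlanetAMWebAgentService"/>
   <ResourceName name="http://thehost.thedomain.com:80/admin/*"/>
   <AttributeValuePair><Attribute name="GET"/><Value>allow</Value></AttributeValuePair>
  </Rule>
  <Subjects name="subjects" description="bare uid instead of DN">
   <Subject name="alice" type="LDAPUsers" includeType="inclusive">
    <AttributeValuePair><Attribute name="Values"/><Value>alice</Value></AttributeValuePair>
   </Subject>
  </Subjects>
 </Policy>
</Policies>
"""

if __name__ == "__main__":
    for problem in lint_policy_xml(SAMPLE_XML):
        print("problem:", problem)
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as fh:
        fh.write(SAMPLE_XML)
    # Realm, admin id and password-file path are assumptions for the demo.
    print(shlex.join(ssoadm_argv("/", fh.name, "amadmin", "/var/opt/ssoadm.pw")))
```

Run it against your own file instead of SAMPLE_XML and only invoke ssoadm when lint_policy_xml returns an empty list and password_file_is_private is true for the password file; on the sample it reports exactly one problem, the bare uid in the broken policy, which is the error the DN rule above is meant to catch before the server sees it.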
For more information, see Chapter 1, ssoadm Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference.