Sun OpenSSO Enterprise 8.0 Administration Guide

Creating Policies and Referrals

Policies are generally configured by creating an XML file and importing the data into OpenSSO Enterprise using the ssoadm command line utility, but they can also be created using the OpenSSO Enterprise console. (You can also create, modify and delete policies using the Policy API. See the Sun OpenSSO Enterprise 8.0 Developer’s Guide for more information.) The following sections contain procedures for creating policies or referrals using the ssoadm command line utility and the OpenSSO Enterprise console. In general, policy is created at the realm (or sub realm) level for use throughout that realm’s tree.


Tip –

Wildcards are supported in policy definitions. For information see Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents.


Procedure: To Add Multiple Policies Using the ssoadm Command Line Utility

Before You Begin

Before adding policies to OpenSSO Enterprise using ssoadm ensure that:

  1. Create an XML file with policy definitions.

    To add multiple policies simultaneously, place all policy definitions in one XML file rather than one policy per XML file; this helps avoid issues with the policy index. The following is an example of an XML file with policy definitions.

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <!DOCTYPE Policies
    PUBLIC "-//Sun Java System Access Manager 7.1 2006Q3 Admin CLI DTD//EN"
    "jar://com/sun/identity/policy/policyAdmin.dtd">

    <Policies>
      <Policy name="bigpolicy" referralPolicy="false" active="true">
        <Rule name="rule1">
          <ServiceName name="iPlanetAMWebAgentService" />
          <ResourceName name="http://thehost.thedomain.com:80/*.html" />
          <AttributeValuePair>
            <Attribute name="POST" />
            <Value>allow</Value>
          </AttributeValuePair>
          <AttributeValuePair>
            <Attribute name="GET" />
            <Value>allow</Value>
          </AttributeValuePair>
        </Rule>
        <Subjects name="subjects" description="description">
          <Subject name="webservicesclient" type="WebServicesClients" includeType="inclusive">
            <AttributeValuePair>
              <Attribute name="Values"/>
              <Value>CN=sun-unix, OU=SUN OpenSSO Enterprise, O=Sun, C=US</Value>
            </AttributeValuePair>
          </Subject>
          <Subject name="au" type="AuthenticatedUsers" includeType="inclusive" />
          <Subject name="ldaporganization" type="Organization" includeType="inclusive">
            <AttributeValuePair>
              <Attribute name="Values"/>
              <Value>dc=red,dc=iplanet,dc=com</Value>
            </AttributeValuePair>
          </Subject>
          <Subject name="ldapuser" type="LDAPUsers" includeType="inclusive">
            <AttributeValuePair>
              <Attribute name="Values"/>
              <Value>uid=amAdmin,ou=People,dc=red,dc=iplanet,dc=com</Value>
            </AttributeValuePair>
          </Subject>
          <Subject name="ldaprole" type="LDAPRoles" includeType="inclusive">
            <AttributeValuePair>
              <Attribute name="Values"/>
              <Value>cn=Organization Admin Role,o=realm1,dc=red,dc=iplanet,dc=com</Value>
            </AttributeValuePair>
          </Subject>
          <Subject name="ldapgroup" type="LDAPGroups" includeType="inclusive">
            <AttributeValuePair>
              <Attribute name="Values"/>
              <Value>cn=g1,ou=Groups,dc=red,dc=iplanet,dc=com</Value>
            </AttributeValuePair>
          </Subject>
          <Subject name="amidentitysubject" type="AMIdentitySubject" includeType="inclusive">
            <AttributeValuePair>
              <Attribute name="Values"/>
              <Value>id=amAdmin,ou=user,dc=red,dc=iplanet,dc=com</Value>
            </AttributeValuePair>
          </Subject>
        </Subjects>
        <Conditions name="conditions" description="description">
          <Condition name="ldapfilter" type="LDAPFilterCondition">
            <AttributeValuePair>
              <Attribute name="ldapFilter"/>
              <Value>dept=finance</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="authlevelge-nonrealmqualified" type="AuthLevelCondition">
            <AttributeValuePair>
              <Attribute name="AuthLevel"/>
              <Value>1</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="authlevelle-realmqualified" type="LEAuthLevelCondition">
            <AttributeValuePair>
              <Attribute name="AuthLevel"/>
              <Value>/:2</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="sessionproperties" type="SessionPropertyCondition">
            <AttributeValuePair>
              <Attribute name="valueCaseInsensitive"/>
              <Value>true</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="a"/>
              <Value>10</Value>
              <Value>20</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="b"/>
              <Value>15</Value>
              <Value>25</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="activesessiontime" type="SessionCondition">
            <AttributeValuePair>
              <Attribute name="TerminateSession"/>
              <Value>session_condition_false_value</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="MaxSessionTime"/>
              <Value>30</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="authlevelle-nonrealmqualified" type="LEAuthLevelCondition">
            <AttributeValuePair>
              <Attribute name="AuthLevel"/>
              <Value>2</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="ipcondition" type="IPCondition">
            <AttributeValuePair>
              <Attribute name="DnsName"/>
              <Value>*.iplanet.com</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="EndIp"/>
              <Value>145.15.15.15</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="StartIp"/>
              <Value>120.10.10.10</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="authchain-realmqualified" type="AuthenticateToServiceCondition">
            <AttributeValuePair>
              <Attribute name="AuthenticateToService"/>
              <Value>/:ldapService</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="auth to realm" type="AuthenticateToRealmCondition">
            <AttributeValuePair>
              <Attribute name="AuthenticateToRealm"/>
              <Value>/</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="authlevelge-realmqualified" type="AuthLevelCondition">
            <AttributeValuePair>
              <Attribute name="AuthLevel"/>
              <Value>/:2</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="authchain-nonrealmqualified" type="AuthenticateToServiceCondition">
            <AttributeValuePair>
              <Attribute name="AuthenticateToService"/>
              <Value>ldapService</Value>
            </AttributeValuePair>
          </Condition>
          <Condition name="timecondition" type="SimpleTimeCondition">
            <AttributeValuePair>
              <Attribute name="EndTime"/>
              <Value>17:00</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="StartTime"/>
              <Value>08:00</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="EndDate"/>
              <Value>2006:07:28</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="EnforcementTimeZone"/>
              <Value>America/Los_Angeles</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="StartDay"/>
              <Value>mon</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="StartDate"/>
              <Value>2006:01:02</Value>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="EndDay"/>
              <Value>fri</Value>
            </AttributeValuePair>
          </Condition>
        </Conditions>
        <ResponseProviders name="responseproviders" description="description">
          <ResponseProvider name="idresponseprovider" type="IDRepoResponseProvider">
            <AttributeValuePair>
              <Attribute name="DynamicAttribute"/>
            </AttributeValuePair>
            <AttributeValuePair>
              <Attribute name="StaticAttribute"/>
              <Value>m=10</Value>
              <Value>n=30</Value>
            </AttributeValuePair>
          </ResponseProvider>
        </ResponseProviders>
      </Policy>
    </Policies>

    Note –

    The Value element of the following subject attributes takes the full DN:

    • SubrealmReferral

    • PeerRealmReferral

    • Realm

    • IdentityServerRoles

    • LDAPGroups

    • LDAPRoles

    • LDAPUsers


  2. Add the defined policies to OpenSSO Enterprise using ssoadm with the XML file as input. Keep the password file readable only by the account that runs ssoadm.


    ssoadm create-policies --realm realm-name --xmlfile policy-xml-filename \
        --adminid administrator-id --password-file password-filename
    
    

    For more information, see Chapter 1, ssoadm Command Line Interface Reference, in Sun OpenSSO Enterprise 8.0 Administration Reference.
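The sample above puts every policy into one XML file for a single ssoadm create-policies run. The following Python script is an added example, not code from this guide or from OpenSSO: it builds such a multi-policy file from a compact description and parses it back before import. The element and attribute names follow the policyAdmin.dtd structure of the sample; the policy names, resources, group DN and function names are made up for illustration, and the action check is limited to the GET/POST allow/deny values the web agent service uses on this page.

```python
"""Build one ssoadm policy XML file that carries several policies.

Added example, not OpenSSO code. Element and attribute names follow the
policyAdmin.dtd structure used by the page's sample (Policies/Policy/Rule/
Subjects/Conditions, AttributeValuePair with Attribute and Value); the policy
names, resources, group DN and helper names below are made up for illustration.
"""
import xml.etree.ElementTree as ET

# ElementTree does not write a DOCTYPE, so the prolog is prepended as text.
PROLOG = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    '<!DOCTYPE Policies\n'
    'PUBLIC "-//Sun Java System Access Manager 7.1 2006Q3 Admin CLI DTD//EN"\n'
    '"jar://com/sun/identity/policy/policyAdmin.dtd">\n'
)
WEB_AGENT_SERVICE = "iPlanetAMWebAgentService"
ACTIONS = ("GET", "POST")          # web agent service actions used on the page
ACTION_VALUES = ("allow", "deny")


def invalid_actions(actions):
    """Names of actions whose name or value is not one the web agent service accepts."""
    return [a for a, v in actions.items() if a not in ACTIONS or v not in ACTION_VALUES]


def _avp(parent, attr, *values):
    """Append <AttributeValuePair><Attribute name=attr/><Value>...</Value>*</AttributeValuePair>."""
    avp = ET.SubElement(parent, "AttributeValuePair")
    ET.SubElement(avp, "Attribute", name=attr)
    for v in values:
        ET.SubElement(avp, "Value").text = v
    return avp


def add_policy(policies, name, resource, actions, subjects, conditions=(), active=True):
    """Append a normal (non-referral) policy with one rule.

    subjects:   iterable of (name, type, values) tuples, e.g.
                ("finance", "LDAPGroups", ["cn=finance,ou=Groups,dc=example,dc=com"]);
                for the subject types listed in the note above, values are full DNs.
    conditions: iterable of (name, type, {attribute: [values]}) tuples.
    """
    bad = invalid_actions(actions)
    if bad:
        raise ValueError(f"policy {name}: unsupported action(s) {bad}")
    pol = ET.SubElement(policies, "Policy", name=name, referralPolicy="false",
                        active="true" if active else "false")
    rule = ET.SubElement(pol, "Rule", name="rule1")
    ET.SubElement(rule, "ServiceName", name=WEB_AGENT_SERVICE)
    ET.SubElement(rule, "ResourceName", name=resource)
    for action, value in actions.items():
        _avp(rule, action, value)
    subj = ET.SubElement(pol, "Subjects", name="subjects", description="")
    for sname, stype, values in subjects:
        s = ET.SubElement(subj, "Subject", name=sname, type=stype, includeType="inclusive")
        if values:
            _avp(s, "Values", *values)
    if conditions:
        conds = ET.SubElement(pol, "Conditions", name="conditions", description="")
        for cname, ctype, attrs in conditions:
            c = ET.SubElement(conds, "Condition", name=cname, type=ctype)
            for attr, values in attrs.items():
                _avp(c, attr, *values)
    return pol


def build_policies(specs):
    """Return the text of one Policies document holding every spec (one file, as the page advises)."""
    root = ET.Element("Policies")
    for spec in specs:
        add_policy(root, **spec)
    if hasattr(ET, "indent"):          # Python 3.9+; purely cosmetic
        ET.indent(root)
    return PROLOG + ET.tostring(root, encoding="unicode") + "\n"


def policy_names(xml_text):
    """Parse a generated document back and list its policy names (sanity check before import)."""
    root = ET.fromstring(xml_text.encode("iso-8859-1"))
    return [p.get("name") for p in root.findall("Policy")]


# Constructed sample: two policies that will be imported together.
SAMPLE_SPECS = [
    dict(name="public-html", resource="http://www.example.com/*.html",
         actions={"GET": "allow", "POST": "deny"},
         subjects=[("anyone", "AuthenticatedUsers", [])]),
    dict(name="finance-app", resource="http://www.example.com/finance/*",
         actions={"GET": "allow", "POST": "allow"},
         subjects=[("finance", "LDAPGroups", ["cn=finance,ou=Groups,dc=example,dc=com"])],
         conditions=[("strong-auth", "AuthLevelCondition", {"AuthLevel": ["2"]}),
                     ("office-hours", "SimpleTimeCondition",
                      {"StartTime": ["08:00"], "EndTime": ["17:00"],
                       "EnforcementTimeZone": ["America/Los_Angeles"]})]),
]

if __name__ == "__main__":
    print(build_policies(SAMPLE_SPECS), end="")
```

Redirect the script's output to a file and import it with ssoadm create-policies --realm / --xmlfile policies.xml --adminid amAdmin --password-file pwfile, with the password file readable only by the account running ssoadm. Rejecting unknown action names or values before import keeps a typo such as "alow" from silently producing a rule that grants nothing.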

Procedure: To Create a Policy Using the OpenSSO Enterprise Console

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator.

  1. Under the Access Control tab, click the name of the realm for which you are creating policy.

  2. Click the Policies tab.

  3. Click New Policy.

  4. Enter a name for the policy.

  5. (Optional) Enter a description of the policy.

  6. (Optional) Select Yes to activate the policy.

    It is not necessary to define all of the policy's fields at this time. You may choose to add Rules, Subjects, Conditions, and Response Providers later. See Modifying Policies and Referrals for information on these components' attributes.

  7. Click OK.

Procedure: To Create a Referral Using the OpenSSO Enterprise Console

Before you can create policies in a peer realm or sub realm, you must first create a referral in the parent (or peer) realm that points to that realm. The Rule definition in the referral must name the resource(s) whose policy management is being delegated. Once the referral is created, policies can be created in the referred-to peer or sub realm.

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator.

  1. Under the Access Control tab, click the name of the realm in which you are creating the referral.

    This might be the / Top Level Realm or a sub realm.

  2. Click the Policies tab.

  3. Click New Referral.

  4. Enter a name for the referral.

  5. (Optional) Enter a description of the referral.

  6. (Optional) Select Yes to activate the referral.

  7. Click New under Rules.

  8. Select the appropriate Service Type and click Next.

    This value cannot be changed once the Rule has been created. The options are:

    • Discovery Service (with resource name) defines the authorization actions for Discovery Service query and modify protocol invocations by web services clients.

    • Liberty Personal Profile Service (with resource name) defines the authorization actions for Liberty Personal Profile Service query and modify protocol invocations by web services clients.

    • URL Policy Agent (with resource name) defines authorization actions for the URL Policy Agent service. This is used to define policies that protect HTTP and HTTPS URLs. This is the most common use case.

    You may see a larger list if more services are enabled for the policy. (See Enabling Policy in a Service.) For more information, see Rules.

  9. Add a Name for the Rule.

  10. Add a URL as the value for Resource Name and click Finish.

    In this procedure, o=example.com is the sub realm that manages access to http://www.example.com and its sub-resources.

  11. Click New under Referral.

  12. (Optional) Select the Referral Type and click Next.

    The choices are Peer Realm or Sub Realm. This page is displayed only when the realm in which you are creating the referral has both peer and sub realms. It is not displayed, for example, when creating a referral in the / Top Level Realm, because every other realm is a sub realm of the / Top Level Realm.

  13. Enter a name for the referral.

  14. Select the realm to which you are referring policy management from the drop down list and click Finish.

  15. Click Save to update.

  16. Navigate to the sub realm to create policy.

    Now that policy management for the resource is referred to the peer or sub realm, policies can be created to control access for http://www.example.com or any resource starting with http://www.example.com. See To Add Multiple Policies Using the ssoadm Command Line Utility or To Create a Policy Using the OpenSSO Enterprise Console.
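A policy created in the sub realm only takes effect for resources that a referral from the parent realm actually covers, so it is worth checking exports of both realms before importing. The Python below is an added example, not OpenSSO code. It re-implements a simplified form of OpenSSO's resource comparison (the EXACT_MATCH, WILDCARD_MATCH, SUB_RESOURCE_MATCH, SUPER_RESOURCE_MATCH and NO_MATCH outcomes of com.sun.identity.policy.ResourceMatch) for URL resources; the matching rules it applies are an assumption to verify against your deployment, and the two XML documents it reads are constructed samples in which the parent realm refers http://www.example.com/* to the sub realm but not the intranet host.

```python
"""Check that a sub realm's policies only protect resources the parent realm
has referred to it.

Added example, not OpenSSO code. The comparison below is a simplified
re-implementation (an assumption) of OpenSSO's ResourceMatch outcomes for URL
resources: '*' matches any run of characters including '/', scheme and host
compare case-insensitively, and a trailing '/' is ignored.
"""
import re
import xml.etree.ElementTree as ET

EXACT_MATCH, WILDCARD_MATCH = "EXACT_MATCH", "WILDCARD_MATCH"
SUB_RESOURCE_MATCH, SUPER_RESOURCE_MATCH = "SUB_RESOURCE_MATCH", "SUPER_RESOURCE_MATCH"
NO_MATCH = "NO_MATCH"
# A sub realm may manage a resource only when the parent's referral relates to it this way.
COVERING = {EXACT_MATCH, WILDCARD_MATCH, SUB_RESOURCE_MATCH}


def _normalize(url):
    """Lower-case scheme://host[:port], keep the path's case, drop a trailing slash."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*://[^/]*)(.*)$", url)
    if not m:
        return url.rstrip("/")
    return m.group(1).lower() + m.group(2).rstrip("/")


def compare(referred, requested):
    """Classify how a referral's resource relates to a resource a sub-realm policy names."""
    r, q = _normalize(referred), _normalize(requested)
    if r == q:
        return EXACT_MATCH
    if "*" in r:
        pattern = "^" + ".*".join(re.escape(part) for part in r.split("*")) + "$"
        if re.match(pattern, q):
            return WILDCARD_MATCH
    if q.startswith(r + "/"):
        return SUB_RESOURCE_MATCH
    if r.startswith(q + "/"):
        return SUPER_RESOURCE_MATCH
    return NO_MATCH


def referred_resources(parent_xml):
    """Resource names of active referral policies (referralPolicy="true") in the parent realm."""
    out = []
    for pol in ET.fromstring(parent_xml).findall("Policy"):
        if pol.get("referralPolicy") == "true" and pol.get("active", "true") == "true":
            out.extend(rn.get("name") for rn in pol.findall("./Rule/ResourceName"))
    return out


def uncovered(parent_xml, subrealm_xml):
    """(policy name, resource) pairs in the sub realm that no parent referral covers."""
    referred = referred_resources(parent_xml)
    missing = []
    for pol in ET.fromstring(subrealm_xml).findall("Policy"):
        for rn in pol.findall("./Rule/ResourceName"):
            if not any(compare(ref, rn.get("name")) in COVERING for ref in referred):
                missing.append((pol.get("name"), rn.get("name")))
    return missing


# Constructed parent-realm export: one referral to the sub realm and one ordinary
# policy, which the check ignores. The Referrals element is omitted; only the Rule matters here.
PARENT_XML = """<Policies>
<Policy name="refer-www-to-example" referralPolicy="true" active="true">
<Rule name="rule1">
<ServiceName name="iPlanetAMWebAgentService"/>
<ResourceName name="http://www.example.com/*"/>
</Rule>
</Policy>
<Policy name="parent-only" referralPolicy="false" active="true">
<Rule name="rule1">
<ServiceName name="iPlanetAMWebAgentService"/>
<ResourceName name="http://intranet.example.com/*"/>
</Rule>
</Policy>
</Policies>"""

# Constructed sub-realm (o=example.com) policies: the second one lies outside the referral.
SUBREALM_XML = """<Policies>
<Policy name="html-pages" referralPolicy="false" active="true">
<Rule name="rule1">
<ServiceName name="iPlanetAMWebAgentService"/>
<ResourceName name="http://www.example.com/*.html"/>
<AttributeValuePair><Attribute name="GET"/><Value>allow</Value></AttributeValuePair>
</Rule>
</Policy>
<Policy name="intranet" referralPolicy="false" active="true">
<Rule name="rule1">
<ServiceName name="iPlanetAMWebAgentService"/>
<ResourceName name="http://intranet.example.com/docs/*"/>
</Rule>
</Policy>
</Policies>"""

if __name__ == "__main__":
    for policy, resource in uncovered(PARENT_XML, SUBREALM_XML):
        print(f"policy {policy}: {resource} is not covered by a referral from the parent realm")
```

Run against real exports, the check reports sub-realm policies whose resources fall outside every active referral, which is the usual reason a policy created in the sub realm appears to have no effect. Note that a referral resource written without a wildcard covers its sub-resources (SUB_RESOURCE_MATCH) but a wildcard referral such as http://www.example.com/* does not cover the bare http://www.example.com (SUPER_RESOURCE_MATCH), so the root URL needs its own referral rule if it must be managed by the sub realm.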