To view all the existing Users, click the
UserStore item in the tree view on the left-hand
side of the Policy Studio. The users are listed in a table in the main
panel of the Policy Studio.
Users can be created and imported into the Enterprise Gateway keystore using the
Users interface on the Policy Studio. Privileges can then
be assigned to users using this interface. Click the
Add button on the Users page to view
the Add User dialog.
There are two tabs on this dialog:
User Details
To add a new User, complete the following fields:
-
Name
Enter a name for the new user.
-
User's Password
Enter a password for the new user.
-
Confirm User's Password
Re-enter the user's password to confirm it.
-
X.509 Cert
Click the X.509 Cert button to load the user's
certificate from the Certificate Store.
It is now possible to assign privileges to this new user. The following
privileges can be assigned:
-
Remote Logging
A remote Monitoring Console can be installed with the Enterprise Gateway, which
enables server activity to be monitored from a remote machine.
Users must have the Remote Logging privilege
assigned to them to run the Monitoring Console remotely.
-
View Reports
The Enterprise Gateway includes a browser-based reporting module that can be
used to generate reports on server transactions. Users can only run
reports if they have been granted the View Reports
privilege. This is the only privilege that does not require the
presence of the user's private key in the Enterprise Gateway keystore. This
is because users can also use local keys, which are stored in the
browser's keystore.
-
Sign XML Messages
The Enterprise Gateway can sign outbound XML messages using the signing key of
a User. This user must have been granted the
Sign XML Messages privilege.
-
Sign Log Events
The Enterprise Gateway maintains detailed logging information about all server
security events. It is possible to sign these logs, thus providing
a signed audit trail for all processed messages. Only users with
the Sign Log Events privilege can sign these logs.
-
Sign OCSP or XKMS Requests
Online Certificate Status Protocol (OCSP) and XML Key Management
Specification (XKMS) are both methods of certificate validation.
A client queries an OCSP or XKMS responder about a certificate to
determine whether it is still valid (for example, whether it has been
revoked). Such requests can be signed, and many responders require
this. The Enterprise Gateway only allows users who have been assigned
the Sign OCSP or XKMS Requests privilege to sign these requests.
-
Use for Client Authentication
Whenever the Enterprise Gateway needs to authenticate to another service (for
example, over two-way SSL to an LDAP directory), it must present a
client certificate. The user whose certificate is to be used must
be assigned the Use for Client Authentication privilege.
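The privilege model described above can be summarised as a small authorization check: each operation maps to one privilege, and every privilege except View Reports additionally requires the user's certificate and private key to be present in the Enterprise Gateway keystore. The following is an added illustration, not Enterprise Gateway or Policy Studio code; the operation names, the User class and the keystore flags are assumptions made for the example.

```python
# Added example (not Enterprise Gateway code): a model of the privilege
# checks described in this section. Operation names, the User class and
# the keystore representation are assumptions made for illustration.
from dataclasses import dataclass, field

# Which privilege each operation requires, as described on the page.
# Operation names are hypothetical; the privilege labels are the page's.
REQUIRED_PRIVILEGE = {
    "remote_monitoring": "Remote Logging",
    "run_report": "View Reports",
    "sign_xml": "Sign XML Messages",
    "sign_log_event": "Sign Log Events",
    "sign_ocsp_request": "Sign OCSP or XKMS Requests",
    "sign_xkms_request": "Sign OCSP or XKMS Requests",
    "client_ssl_auth": "Use for Client Authentication",
}

# The one privilege that works without the user's private key in the
# gateway keystore: reports can be signed with a key held in the browser.
NO_GATEWAY_KEY_NEEDED = {"View Reports"}


@dataclass
class User:
    name: str
    privileges: set = field(default_factory=set)
    cert_loaded: bool = False              # X.509 Cert loaded from the Certificate Store
    private_key_in_keystore: bool = False  # matching private key in the gateway keystore


def authorize(user: User, operation: str) -> tuple:
    """Return (allowed, reason) for `operation` performed as `user`.

    Order of checks: the operation must be known, the user must hold the
    required privilege, and unless the privilege is View Reports the
    user's certificate and private key must be in the gateway keystore.
    """
    privilege = REQUIRED_PRIVILEGE.get(operation)
    if privilege is None:
        return False, f"unknown operation {operation!r}"
    if privilege not in user.privileges:
        return False, f"{user.name} lacks the {privilege!r} privilege"
    if privilege in NO_GATEWAY_KEY_NEEDED:
        return True, "allowed (signing key may be local to the browser)"
    if not user.cert_loaded:
        return False, f"{user.name} has no X.509 certificate loaded"
    if not user.private_key_in_keystore:
        return False, f"private key for {user.name} is not in the gateway keystore"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample user: has two privileges but no private key yet.
    alice = User("alice", {"View Reports", "Sign XML Messages"}, cert_loaded=True)
    for op in ("run_report", "sign_xml", "sign_log_event"):
        print(op, authorize(alice, op))
```

The check makes the asymmetry explicit: granting Sign XML Messages or Sign Log Events to a user whose private key was never imported produces a clear refusal rather than a silent failure at signing time, while View Reports is usable as soon as the privilege is granted.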
User Attributes
This section enables you to configure user attributes as simple name-value
pairs. The following are examples of user attributes:
- role=admin
- email=niall@oracle.com
- dept=eng
- company=oracle
You can add user attributes by clicking the Add button.
Enter the name of the attribute in the Name field.
Enter the value of the attribute in the
Value field.