|Oracle® Fusion Middleware Administrator's Guide for Oracle Entitlements Server
11g Release 1 (11.1.1)
Part Number E14096-05
This chapter describes how to get started using Oracle Entitlements Server, including information about how to use and navigate the graphical interface. It contains the following sections.
Before getting started using Oracle Entitlements Server, the following tasks must be done. They include installing the product and its components (for example, remote Security Modules), and configuring features like high availability and Secure Sockets Layer (SSL), if applicable. After finishing with these tasks, you can begin with Section 3.2, "Understanding The Graphical Interface."
Install and configure Oracle Entitlements Server according to the instructions in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
For this release, the policy store managed by Oracle Entitlements Server can be a relational database (preferred) or an LDAP-based directory.
The identity store associated with Oracle Entitlements Server must be an LDAP-based directory.
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a supported LDAP directory must be used in production. The following procedure reconfigures the default identity store settings. More specific information on configuring LDAP authentication providers can be found in the Oracle Fusion Middleware Securing Oracle WebLogic Server.
Launch the WebLogic Server console.
Click Security Realms.
Click the settings for myrealm.
Click the Provider tab.
Click the Authentication tab as displayed in Figure 3-1.
Figure 3-1 The Authentication Provider Tab
Click the New button to create a new provider.
Enter a name and select the type of LDAP-based directory.
For example, OracleInternetDirectoryAuthenticator.
Configure the provider-specific attributes of the LDAP-based directory.
This might include the host name and port, credentials, group search base, user search base and the like.
Save the provider information.
Change the order of the providers so that the LDAP-based directory is first.
DefaultAuthenticator and DefaultIdentityAsserter will follow.
Click the new provider name to configure it.
Click the Configuration tab.
Click the Common tab.
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 3-2.
Figure 3-2 SUFFICIENT Control Flag
Click the Provider Specific tab.
Enter the LDAP configuration information for your identity store and click Save.
Return to the Providers tab.
Click DefaultAuthenticator to change its configuration.
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 3-3.
Figure 3-3 DefaultAuthentciator Tab in WebLogic Server Console
Restart WebLogic Server.
For information about configuring high availability for Oracle Entitlements Server, see Oracle Fusion Middleware High Availability Guide
For information regarding the authentication of users, see Oracle Fusion Middleware Securing Oracle WebLogic Server.
Oracle Entitlements Server is not involved in the authentication of users. This is normally done as part of the WebLogic Server security realm configuration.
For information about configuring one-way SSL for connections that Oracle Entitlements Server establishes with the policy store, the identity store, and the database, see Oracle Fusion Middleware Securing Oracle WebLogic Server. Access to Oracle Entitlements Server using a browser can also be secured through one-way SSL. These settings are similar to those of any other application running in the Oracle WebLogic Server.
Refer to the system requirements and certification documentation for information about hardware and software requirements, platforms, databases, and other information.
The system requirements document covers information such as hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches:
The certification document covers supported installation types, platforms, operating systems, databases, JDKs, and third-party products:
These documents are available on Oracle Technology Network (OTN).
Oracle Authorization Policy Manager is a sub-component of Oracle Entitlements Server that is the graphical console for administrators. It is a browser-based, graphical interface for managing policies and related policy objects. The following sections contain information to help understand the Authorization Policy Manager Administration Console.
Only users with sufficient privileges can log in to the Oracle Entitlements Server Administration Console or use administrative command-line tools such as the WebLogic Scripting Tool (WLST). An Oracle Entitlements Server system-level Administrator Role named
SystemAdmin is created during installation and is mapped to the WebLogic Server administrator user (
weblogic). The password is set during installation. SystemAdmin has extensive privileges that includes the rights to create additional Administrative Roles and delegating administrative rights to others.
At first log in to the Oracle Entitlements Server Administration Console, SystemAdmin must use the credentials set during installation. The identifier and password can be changed by using your identity store's management tool.
You can create separate administrative users with different access rights for administering Oracle Entitlements Server and your environment. For more information, see Section 9.6, "Managing System Administrators Using Administrator Roles.".
Oracle Entitlements Server administrator and user identities are stored in an identity store, typically an LDAP directory server. Users and external roles defined in the identity store are read-only during authorization policy definition. Oracle Entitlements Server reads and displays the data; it does not perform any management operations. Management of the identity data is accomplished using the identity store's tools or an identity management product such as Oracle Identity Manager.
For this release, Oracle Entitlements Server the policy store used to maintain policy objects and defined policies can be a relational database (preferred) or an LDAP-based directory. (Oracle Internet Directory can be used as the policy store but has limited capabilities.) For links regarding hardware requirements, see Section 3.1, "Before You Begin." Instructions for creating and initializing the policy store can be found in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
The following sections contain information on how to access the Authorization Policy Manager graphical interface (also referred to as the Administration Console).
Follow this procedure to sign in to the Authorization Policy Manager Administration Console.
Enter the Authorization Policy Manager Administration Console URL in the address bar of your browser. For example:
HTTPS represents the Hypertext Transfer Protocol (HTTP) with the Secure Socket Layer (SSL) enabled to encrypt and decrypt user page requests and the pages returned by the Web server.
hostname refers to the fully qualified domain name of the computer hosting the Oracle Authorization Policy Manager Administration Console.
port refers to the designated bind port for the Authorization Policy Manager Administration Console. (This is the same as the bind port for the WebLogic Server Administration Console.)
/apm/ refers to the Authorization Policy Manager Log In page
Enter the System Administrator credentials.
The default system administrator identifier is
weblogic. The password is the same one supplied during installation. Figure 3-4 is a screenshot of the Sign In page.
Figure 3-4 Administration Console Sign In Page
Click Sign In.
Follow this procedure to sign out of the Authorization Policy Manager Administration Console.
Click the Sign Out link located in the upper right corner of the Administration Console.
Figure 3-5 is a screenshot of the Sign Out link.
Figure 3-5 Administration Console Sign Out Link
Close the browser window.
After a successful log in, the Authorization Policy Manager Administration Console is displayed with the Authorization Management Tab active. The Navigation Panel is on the left side and the Home area on the right side. Objects selected in the Navigation Panel are opened in tabs and displayed in the Home area. Figure 3-6 is a screenshot of the Administration Console after an administrative user has successfully signed in.
Figure 3-6 Oracle Entitlements Server Administration Console
The following list contains descriptions of the top-level items displayed in Figure 3-6. See the appropriate links for more information.
See the following sections for information on the organizational tabs used in the Administration Console. Each tab is comprised of a Navigation Panel and Home area.
The Authorization Management tab is used to search and manage policy objects. This tab is active upon successful log in to the Administration Console. Figure 3-7 is a screenshot of the Authorization Management tab.
Figure 3-7 Authorization Management Tab
Under Authorization Management, the left side is the Navigation Panel and the right side is Home. The Home display changes based on what is selected from the Navigation Panel. For more information, see Section 3.4.2, "Using The Navigation Panel" and Section 3.4.3, "The Home Area."
The System Configuration tab is used to manage administrative and system type objects for the Oracle Entitlements Server deployment. Figure 3-8 is a screenshot of an active System Configuration tab. The object selected in the Navigation Panel is displayed using tabs in the Home area.
Figure 3-8 System Configuration Tab
The following tasks are performed under System Configuration:
Creating Security Modules
Binding Security Modules to applications
Managing system administrators (for example, creating additional system administrator roles, assigning users to system administrator roles, and assigning rights to system administrator roles)
For more information, see Chapter 8, "Managing System Configurations".
The Navigation Panel is used to find security objects by browsing the Global or Applications information trees, or by conducting a simple search. It lists all Global and Application policy objects in a navigatable tree. You can browse the tree or display objects as Search Results based on defined search criteria. Figure 3-6 is a screenshot that displays the Navigation Panel with its nodes collapsed. Figure 3-9 displays the Navigation Panel with its nodes expanded and many policy objects in view.
Figure 3-9 Navigation Panel Browse Tab with Nodes Expanded
The Navigation Panel contains, from top to bottom, the following elements:
A pull-down list to select the policy object for a simple search. For more information, see Section 5.2, "Finding Objects with a Simple Search."
A pull-down list to select the scope of a simple search. For more information, see Section 5.2, "Finding Objects with a Simple Search."
A text box to enter the simple search string. The string is compared against both the Name and Display Name of policy objects; those that match are displayed in the Search Results tab.
The Browse tab displays the following expandable and collapsible nodes:
The Global node collects global objects such as external roles.
The Applications node contains one or more Applications being managed by the administrator that is logged in. (Only Applications which the logged in user is authorized to access are displayed.) From any of those displayed, the administrator can access application-specific policy objects such as resource types, entitlements, resources, policies, and roles. For more information, see Chapter 8, "Managing System Configurations".
The Search Results tab displays the results of the last simple search as seen in Figure 3-10.
Action and View drop downs to select operations on the chosen policy object.
Figure 3-10 Navigation Panel Search Tab
From the Navigation Panel, there are two methods for displaying the New and Open options comprised in the Actions drop-down list.
Locate the desired application, expand the node, and select the desired object. Click the Actions drop-down and select New.
Locate the desired application, expand the node, and select the desired object. Right-click the object from the application node.
Select New to create a new object of the same type and select Open to display a search tab in the Home area. Double-clicking an object from the node also opens a Search tab in the Home area.
The Home area displays on the right side of the Navigation Panel and contains quick access links to New and Search screens for the most commonly used policy objects. As displayed in Figure 3-11, the Home area of the Administration Console is divided into the following sections.
The Application area is the upper region of the Home area. The Application Name pane displays all applications available to the logged in user. To the right of this pane are links to screens for performing common operations such as creating new policy objects (entitlements, resources, resource types, application roles, and authorization policies) or searching defined policy objects.
The Global section is the lower right region of the Home area. This section is for objects shared across all applications and includes external role search.
The Entitlements Resource Center section is the lower left region of the Home area. It contains links to information regarding the most commonly used procedures.
Figure 3-11 The Home Area
To get more information while using the Administration Console, click the Help link located in the upper right corner (as seen in Figure 3-5). A separate window opens. From this window you can access both the online help and an embedded version of this book in HTML. After the window displays, select either Oracle Entitlements Server Administration Console Online Help or Administrator's Guide for Oracle Entitlements Server from the drop-down Book list. The help topics link to the corresponding section of the embedded book as do the links in the book's Table of Contents.