Skip Headers
Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management
11g Release 2 (11.1.2)

Part Number E27301-04
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

8 Installing and Configuring Oracle Entitlements Server

This chapter describes how to install and configure Oracle Entitlements Server 11g Release 2 (11.1.2).

It discusses the following topics:

8.1 Important Note Before You Begin

Before you start installing and configuring Oracle Identity and Access Management products in any of the scenarios discussed in this guide, note that IAM_Home is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. You can specify any name for this Oracle Home directory.

8.2 Overview of Oracle Entitlements Server 11g Installation

Oracle Entitlements Server, formerly AquaLogic Enterprise Security, is a fine-grained authorization and entitlement management solution that can be used to precisely control the protection of application resources. It simplifies and centralizes security for enterprise applications and SOA by providing comprehensive, reusable, and fully auditable authorization policies and a simple, easy-to-use administration model. For more information, see "Introducing Oracle Entitlements Server" in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

Oracle Entitlements Server 11g includes two distinct components:

Oracle Entitlements Server Administration Server

This component is included in the Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) installation and requires Oracle WebLogic Server that creates the Middleware Home directory.

Oracle Entitlements Server Client (Security Module)

This component has its own installer and it is not included in the Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) installation. The Oracle Entitlements Server Client does not require Oracle WebLogic Server.

8.3 Installation and Configuration Roadmap for Oracle Entitlements Server

Table 8-1 lists the tasks for installing and configuring Oracle Entitlements Server.

Table 8-1 Installation and Configuration Flow for Oracle Entitlements Server

No. Task Description

1

Review installation concepts in the Installation Planning Guide.

Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment.

2

Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing.

For more information, see Section 2.1, "Reviewing System Requirements and Certification".

3

Obtain the Oracle Fusion Middleware Software.

For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software"

4

Install one of the following database for the Oracle Entitlements Server policy store:

  • Oracle Database

  • Apache Derby 10.5.3.0, an evaluation database included in your Oracle WebLogic Server installation

Oracle recommends to install Oracle Database. If you are installing Oracle Database, see Section 3.2.2, "Database Requirements".

5

Create and load the appropriate schemas for Oracle Entitlements Server.

Depending on the policy store you choose for Oracle Entitlements Server, complete one of the following:

6

Review WebLogic Server and Middleware Home requirements.

For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements".

7

Start the Oracle Identity and Access Management Installer.

For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer".

8

Install the Oracle Identity and Access Management 11g software.

Oracle Entitlements Server is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install Oracle Identity and Access Management Suite.

For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management (11.1.2)".

9

Run the Oracle Fusion Middleware Configuration Wizard to configure Oracle Entitlements Server Administration Server.

For more information, see Section 8.5, "Configuring Oracle Entitlements Server Administration Server".

10

Install the Oracle Entitlements Server Client software.

For more information, see Section 8.6, "Installing Oracle Entitlements Server Client".

11

Configure Oracle Entitlements Server Client.

For more information, see Section 8.7, "Configuring Oracle Entitlements Server Client".

12

Get started with Oracle Entitlements Server.

For more information, see Section 8.8, "Getting Started with Oracle Entitlements Server After Installation".


8.4 Creating Oracle Entitlement Server Schemas (For Apache Derby Only)

If you are using Apache Derby for Oracle Entitlements Server policy store, then you must complete the following:

  1. Open setNetworkServerCP (located in wlserver_10.3/common/derby/bin on UNIX) or setNetworkServerCP.bat (located in wlserver_10.3\common\derby\bin on Windows) in a text editor and specify the DERBY_HOME as shown in the following example:

    DERBY_HOME="Oracle/Middleware/wlserver_10.3/common/derby"
    
  2. Start the Apache Derby database by running the following commands:

    • setNetworkServerCP (UNIX) or setNetworkServerCP.bat (Windows).

    • startNetworkServer (located in wlserver_10.3/common/derby/bin on UNIX) or startNetworkServer.bat (located in wlserver_10.3\common\derby\bin on Windows).

    You can also run startDerby.sh (located in wlserver_10.3/common/bin) or startDerby.cmd (located in wlserver_10.3\common\bin) to start the Apache Derby database. The Apache Derby database also starts automatically when you start Oracle WebLogic Server.

  3. Test the network server connection, by running ij(located in wlserver_10.3/common/derby/bin on UNIX) or ij.bat (located in wlserver_10.3\common\derby\bin on Windows) as follows:

    bin/ij
    
  4. Connect to the Apache Derby Server, as shown in the following example:

    ij> connect 'jdbc:derby://127.0.0.1:1527/data/oesdb;create=true';
    

    oesdb is the name of database and data is the relative path (based on the directory where you start the server. In this example, it is Oracle/Middleware/wlserver_10.3/common/derby/bin where the database files will be saved.

  5. Open opss_user.sql (located in RCU_HOME/rcu/integration/apm/sql/derby) in a text editor and replace &&1 with the schema user name.

    Repeat the above steps for the following SQL files (located in RCU_HOME/rcu/integration/apm/sql/derby):

    • opss_tables.sql

    • opss_version.sql

    • opss_gencatalog.sql

    Note:

    This is the schema name you will specify when you configure the Oracle Entitlements Server described in Configuring Oracle Entitlements Server Administration Server.

  6. Run the following SQL files (located in RCU_HOME/rcu/integration/apm/sql/derby) in the ij console:

    • run'opss_user.sql';

    • run'opss_tables.sql';

    • run'opss_version.sql';

    • run'opss_gencatalog.sql';

    Note:

    Ensure that you run the SQL files in the same order listed above and make a note of the schema owner and password that you have created.

8.5 Configuring Oracle Entitlements Server Administration Server

This topic describes how to configure Oracle Entitlements Server in a new WebLogic domain. It includes the following sections:

8.5.1 Components Deployed

Performing the configuration in this section deploys the following:

  • WebLogic Administration Server

  • Oracle Entitlements Server application on the Administration Server

8.5.2 Prerequisites

The following are the prerequisites for configuring Oracle Entitlements Server 11g Release 2 (11.1.2):

8.5.2.1 Installing Oracle Entitlements Server

You must install Oracle Entitlements Server Administration Server as described in Section 8.3, "Installation and Configuration Roadmap for Oracle Entitlements Server".

8.5.2.2 Extracting Apache Derby Template (Optional)

If you are using Apache Derby, then you must extract the oracle.apm_11.1.1.3.0_template_derby.zip file (located in IAM_HOME/common/templates/applications) and save oracle.apm_11.1.1.3.0_template_derby.jar file to the following location:

IAM_HOME\common\templates\applications

8.5.3 Configuring Oracle Entitlements Server in a New WebLogic Domain

Perform the following steps to configure Oracle Entitlements Server in a new WebLogic domain:

Note:

You must have a dedicated Oracle WebLogic Server domain for Oracle Entitlements Server. Do not configure any other Oracle Identity and Access Management components in this domain.

  1. Run the IAM_HOME/common/bin/config.sh script (on UNIX), or IAM_HOME\common\bin\config.cmd (on Windows).

    The Fusion Middleware Configuration Wizard appears.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

    The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_Home] option, and click Next.

    Notes:

    • When you select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_Home] option, the following options are also selected, by default:

      • Oracle Platform Security Service 11.1.1.0 [IAM_Home]

      • Oracle JRF 11.1.1.0 [oracle_common]

    • If you using Apache Derby, then select the Oracle Entitlements Server Derby template.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    Note:

    Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

    The Configure JDBC Component Schema screen is displayed.

  7. On the Configure JDBC Component Schema screen, select the OPSS Schema and specify the Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next.

    Note:

    You get the Schema information from the steps you completed in Section 8.4, "Creating Oracle Entitlement Server Schemas (For Apache Derby Only)".

    The Test JDBC Component Schema screen appears.

  8. Select the component schema you want to test, and click Test Connections. After the test succeeds, click Next.

    The Select Optional Configuration screen appears.

  9. On the Select Optional Configuration screen, you can configure the Administration Server, Managed Servers, Clusters, Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes, and click Next.

    Note:

    This step is optional.

  10. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

A new WebLogic domain to support Oracle Entitlements Server is created in the <MW_HOME>\user_projects\domains directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains directory.

8.5.4 Configuring Security Store for Oracle Entitlements Server Administration Server

You must run the configureSecurityStore.py script to configure the security store for Oracle Entitlements Server Administration Server.

The configureSecurityStore.py script is located in the <IAM_HOME>\common\tools directory. You can use the -h option for help information about using the script.

For example:

<MW_HOME>\oracle_common\common\bin\wlst.sh <IAM_HOME>\common\tools\configureSecurityStore.py -h

Configure the security store for Oracle Entitlements Server Administration Server as follows:

On Windows:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -s <datasource> -f <farmname> -t <servertype> -j <jpsroot> -m <mode> -p <password>

For example:

<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain -t DB_ORACLE -j cn=jpsroot -m create -p welcome1

On UNIX:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -s <datasource> -f <farmname> -t <servertype> -j <jpsroot> -m <mode> -p <password>

For example:

<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain -t DB_ORACLE -j cn=jpsroot -m create -p welcome1

Table 8-2 describes the parameters that you may specify on the command line.

Table 8-2 OES Administration Server Security Store Configuration Parameters

Parameter Description

-d domaindir

Location of the Oracle Entitlements Server Administration Server Domain.

-s datasource

The data source of security store configured in domain.

It is optional, default value is opss-DBDS.

-f farmname

The security store farm name.

It is optional, default value is the domain name.

-t servertype

The policy store type. For example: DB_ORACLE , DB_DERBY, or OID.

It is optional, default value is DB_ORACLE.

-j jpsroot

The distinguished name of jpsroot.

It is optional, default value is cn=jpsroot.

-m mode

create- Use create if you want to create a new database security store.

join- Use join if you want to use an existing database security store for the domain.

validate- Use validate to verify whether the Security Store has been configured correctly. This command validates diagnostics data created during initial creation of the Security Store.

validatefix- Use validatefix to fix diagnostics data present in the Security Store.

fixjse- Use fixjse to update the domain's Database Security Store credentials used for access by JSE tools.

-c config

The configuration mode of the domain. For example: IAM.

It is optional, default value is None.

Note: If -c <config> option is specified, OES Admin Server will be configured in mixed mode, then it can only distribute policies to Security Modules in non-controlled mode and controlled pull mode.

For example: If the OES Administration Server is deployed in the domain where other Oracle Identity and Access Management components (OIM, OAM, OAAM, OPAM, or OIN) are deployed, then the domain is configured in mixed mode. In this case, the OES Administration Server is used for managing the Oracle Identity and Access Management policies only. It should not be used to manage the policies for any other applications protected by OES Security Modules.

If -c <config> option is not specified, OES Admin Server will be configured in non-controlled mode, it can distribute policies to Security Modules in controlled push mode.

For example: If you want to use OES Administration Server to manage custom applications which are protected by OES Security Modules, then the OES Administration Server must be deployed in a domain with non-controlled distribution mode.

-p password

The OPSS schema password.

-k keyfilepath

The directory containing the encryption key file ewallet.p12. If -m join is specified, this option is mandatory.

-w keyfilepassword

The password used when the domain's key file was generated. If -m join is specified, this option is mandatory.

-u username

The user name of the OPSS schema. If -m fixjse is specified, this option is mandatory.


8.5.5 Starting the Administration Server

You must start the Administration Server by running the following command on the command line:

Windows:

MW_HOME\user_projects\domains\domain_name\bin\startWebLogic.cmd

UNIX:

MW_HOME/user_projects/domains/domain_name/bin/startWebLogic.sh

8.5.6 Verifying Oracle Entitlements Server Administration Server Configuration

To verify that your Oracle Entitlements Server Administration Server configuration was successful, use the following URL to log in to the Oracle Entitlements Server Administration Console:

http://hostname:port/apm/

Where hostname is the DNS name or IP address of the Administration Server and port is the address of the port on which the Administration Server listens for requests.

For more information, see the section "Logging In to and Signing Out of the User Interface" in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

8.6 Installing Oracle Entitlements Server Client

This section contains the following topic:

8.6.1 Prerequisites

You must install and configure Oracle Entitlements Server Administration Server, as described in Section 8.3, "Installation and Configuration Roadmap for Oracle Entitlements Server".

8.6.2 Obtaining Oracle Entitlements Server Client Software

For more information on obtaining Oracle Entitlements Server Client 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.

8.6.3 Installing Oracle Entitlements Server Client

To install Oracle Entitlements Server Client 11g Release 2 (11.1.2.0.0), extract the contents of oesclient.zip to your local directory and then run setup.exe (on Windows) or./runInstaller (on UNIX) from the Disk1 directory.

Note:

The installer prompts you to enter the absolute path of the JDK that is installed on your system. When you install Oracle WebLogic Server, the jdk160_29 directory is created under your Middleware Home. You must enter the absolute path of the JRE folder located in this JDK when launching the installer. For example, on Windows, if the JRE is located in C:\oracle\Middleware\jdk160_29, then launch the installer from the command prompt as follows:

C:\setup.exe -jreLoc C:\oracle\Middleware\jdk160_29\jre

You must specify the -jreLoc option on the command line when using the JDK to avoid installation issues.

Follow the instructions in Table 8-3 to install Oracle Entitlements Server Client.

If you need additional help with any of the installation screens, click Help to access the online help.

Table 8-3 Installation Flow for the Oracle Entitlements Server Client

No. Screen Description and Action Required

1

Welcome

Click Next to continue.

2

Prerequisite Checks

If all prerequisite checks pass inspection, then click Next to continue.

3

Specify Installation Location

In the Oracle Home Directory field, enter the directory where you want to install the Oracle Entitlements Server client. This directory is also referred to as OES_Client_Home in this book.

Note: If the Security Module you want to configure requires creation of a WebLogic domain, then you must install the Oracle Entitlements Server client in the Middleware Home that was created during WebLogic Server installation.

Oracle recommends that you install the Oracle Entitlements Server client in a separate directory in the same Middleware Home where the Oracle Entitlements Server Administration server is installed. For example, MW_HOME/Oracle_Client_Home.

Click Next to continue.

4

Installation Summary

The Installation Summary Page screen displays a summary of the choices that you made. Review this summary and decide whether to start the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing OES Client Management, click Install.

5

Installation Progress

If you are installing on a UNIX system, you may be asked to run the ORACLE_HOME/oracleRoot.sh script to set up the proper file and directory permissions.

Click Next to continue.

8

Installation Complete

Click Finish to dismiss the installer.

This installation process copies the OES Client software to your system and creates an OES_Client_Home directory under your Middleware Home. You must proceed to create a WebLogic Domain, by running the Oracle Fusion Middleware Configuration Wizard. In addition, you must configure the Administration Server settings while creating the domain.


8.6.4 Verifying Oracle Entitlements Server Client Installation

To verify that your Oracle Entitlements Server Client install was successful, go to your Oracle Home directory which you specified during installation and verify that the Oracle Entitlements Server Client installation files are created.

8.6.5 Applying a Patch Using OPatch

After installing the Oracle Entitlements Server Client software, you must apply a patch to oracle_common directory using OPatch.

Note:

This patch is required only if you have installed the Oracle Entitlements Server Client software in a separate Middleware Home than the Oracle Entitlements Server Administration Server.

Skip this step if you are installing the Oracle Entitlements Server Client software into the same Middleware Home as the Oracle Entitlements Server Administration Server, because it has already been applied automatically.

This patch applies only to the following Security Module configurations:

  • WebLogic Server Security Module in a JRF environment

  • Web Service Security Module on Oracle WebLogic Server domain in a JRF environment

  • WebSphere Security Module in a JRF environment

  • Oracle Service Bus Security Module

To apply a patch to oracle_common directory using OPatch, do the following:

  1. Go to the OES_Client_Home/oneoffpatches directory.

  2. Extract the contents of 13591235.zip file and go to the OES_Client_Home/oneoffpatches/13591235 directory.

  3. Follow the instructions provided in README.txt file located in the OES_Client_Home/oneoffpatches/13591235 directory.

8.7 Configuring Oracle Entitlements Server Client

Oracle Entitlements Server Client distributes policies to individual Security Modules that protect applications and services. Policy data is distributed in a controlled manner or in a non-controlled manner. The distribution mode is defined in the jps-config.xml configuration file for each Security Module. The specified distribution mode is applicable for all Application Policy objects bound to that Security Module.

Note:

Oracle recommends that you configure Oracle Entitlements Server Client in the controlled distribution mode.

This section describes how to configure the following:

8.7.1 Configuring Security Modules in a Controlled Push Mode (Quick Configuration)

These section describes how to configure the Security Module quickly using pre-existing smconfig.prp files.

8.7.1.1 Configuring Java Security Module in a Controlled Push Mode

To configure Java Security Module instance in a controlled distribution mode, do the following:

  1. Open smconfig.java.controlled.prp file (located in, OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 8-4.

  2. Run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

    config.sh –smConfigId <SM_NAME> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.java.controlled.prp
    
  3. When prompted, specify the following:

    • Oracle Entitlements Server user name (This is the Administration Server's user name).

    • Oracle Entitlements Server password (This is the Administration Server's password)

    • New key store password for enrollment

8.7.1.2 Configuring RMI Security Module in a Controlled Push Mode

To configure RMI Security Module instance in a controlled distribution mode, then do the following:

  1. Open smconfig.rmi.controlled.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 8-4.

  2. Run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

    config.sh –smConfigId <SM_NAME> -RMIListeningPort <RMISM_PORT> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.rmi.controlled.prp
    
  3. When prompted, specify the following:

    • Oracle Entitlements Server user name (This is the Administration Server's user name)

    • Oracle Entitlements Server Password (This is the Administration Server's password)

    • New key store password for enrollment

8.7.1.3 Configuring Web Service Security Module in a Controlled Push Mode

To configure Webservice Security Module instance in a controlled distribution mode, do the following:

  1. Open smconfig.ws.controlled.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 8-4.

  2. Run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

    config.sh –smConfigId <SM_NAME> -WSListeningPort <WSSM_PORT> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.ws.controlled.prp
    
  3. When prompted, specify the following:

    • Oracle Entitlements Server user name (This is the Administration Server's user name)

    • Oracle Entitlements Server password (This is the Administration Server's password)

    • Key store password for enrollment

8.7.1.4 Configuring Oracle WebLogic Server Security Module in a Controlled Push Mode

To configure Oracle WebLogic Server Security Module instance in a controlled distribution mode, do the following:

  1. Open smconfig.wls.controlled.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 8-4.

  2. Run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin for Windows) as follows:

    config.sh –smConfigId <SM_NAME> -prpFileName $OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.wls.controlled.prp –serverLocation <Location of Web Logic Server Home 
    
  3. Create a Oracle Entitlements Server Client domain, as described in Configuring OES Client Domain in a Non-JRF Environment or Configuring OES Client Domain in a JRF Environment.

8.7.2 Configuring Distribution Modes

For more information about distribution modes, see the section "Defining Distribution Modes" in the Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server.

The following sections explains how to configure distribution modes.

8.7.2.1 Configuring Controlled Distribution

To configure a controlled Distribution mode, open the smconfig.prp file (located in OES_CLIENT_HOME/oessm/bin/SMConfigTool) in a text editor, and edit the following parameters described in Table 8-4.

Table 8-4 smconfig.prp File Parameters (Controlled Distribution)

Parameter Description

oracle.security.jps.runtime.pd.client.policyDistributionMode

Accept the default value controlled-push as the distribution mode.

oracle.security.jps.runtime.pd.client.RegistrationServerHost

Enter the address of the Oracle Entitlements Server Administration Server.

oracle.security.jps.runtime.pd.client.RegistrationServerPort

Enter the SSL port number of the Oracle Entitlements Server Administration Server. You can find the SSL port number from the WebLogic Administration console.


8.7.2.2 Configuring Non-Controlled and Controlled Pull Distribution Mode

Open the smconfig.prp file (located in OES_CLIENT_HOME/oessm/bin/SMConfigTool) in a text editor and edit the following parameters described in Table 8-5.

Table 8-5 smconfig.prp File Parameters Non- Controlled Distribution

Parameter Description

oracle.security.jps.runtime.pd.client.policyDistributionMode

Enter non-controlled or controlled-pull as the distribution mode.

oracle.security.jps.policystore.type

Specify the policy store type. For example, DB for Oracle Database, OID for Oracle Internet Directory, and Derby for Apache Derby.

jdbc.url

Specify your database policy store JDBC URL.

ldap.url

Specify your LDAP URL.

oracle.security.jps.farm.name

Specify your domain name. The default value is cn=oes_domain.

oracle.security.jps.ldap.root.name

Specify the root name of jps context. The default value is cn=jpsroot.


8.7.3 Configuring Security Modules

Oracle Entitlements Server Client includes the following Security Modules:

8.7.3.1 Configuring WebLogic Server Security Module

The WebLogic Security Module is a custom Java Security Module that includes both a Policy Decision Point and a Policy Enforcement Point. It can receive requests directly from the WebLogic Server without the need for explicit authorization API calls. It will only run on the WebLogic Server container.

To configure a WebLogic Server Security Module instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -onJRF -smType wls -smConfigId mySM_WLS -serverLocation MW_HOME/wlserver_10.3/

Note:

If you are using a non-JRF environment, do not specify the -onJRF parameter.

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 8-6 describes the parameters you specify on the command line.

Table 8-6 Oracle WebLogic Server Security Module Parameters

Parameter Description

smType

Type of security module instance you want to create. It should be wls.

smConfigId

Name of the security module instance. For example, mySM_WLS_Controlled.

serverLocation

Location of the Oracle WebLogic Server.


Note:

Non-controlled mode is the default distribution mode for Oracle WebLogic Server Security Module in a JRF environment.

Controlled-push mode is the default distribution mode for Oracle WebLogic Server Security Module in a non-JRF environment.

Controlled-push mode is not supported for Oracle WebLogic Server Security Module in a JRF enabled domain.

The Configuration Wizard is displayed. You can create an Oracle Entitlements Server Client domain in a JRF environment and a non-JRF environment. Depending on the option you select complete one of the following:

Configuring OES Client Domain in a Non-JRF Environment

To create the Oracle Entitlements Server Client domain without JRF, complete the following steps:

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

    The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server WebLogic Security Module - 11.1.1.0 [oesclient] option. Click Next.

    Note:

    Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    Note:

    Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

  8. Optional: Configure the following Administration Server parameters:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

      Note:

      Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. Optional: Configure Managed Servers, as required.

    In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  15. Optional: Configure RDBMS Security Store, as required.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

Configuring OES Client Domain in a JRF Environment

To create the OES Client domain with JRF, complete the following steps:

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

    The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server WebLogic Security Module On JRF - 11.1.1.0 [oesclient] option. Click Next.

    Note:

    Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    Note:

    Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

  8. Optional: Configure the following Administration Server parameters:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

      Note:

      Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. Optional: Configure Managed Servers, as required.

    In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  15. Optional: Configure RDBMS Security Store, as required.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

After configuring OES Client domain in a JRF environment, you must set up a connection to Oracle Database.

Setting Up Connection to Oracle Database

For setting up connection to Oracle Database, complete the following steps:

  1. Create a JDBC Data Source using the WebLogic Server Administration Console. For more information, see "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

    http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/jdbc/jdbc_datasources/CreateDataSources.html

  2. Open the jps-config.xml file located in <OES_DOMAIN_HOME>/config/oeswlssmconfig directory (on UNIX), or <OES_DOMAIN_HOME>\config\oeswlssmconfig directory (on Windows).

  3. Locate pdp.service and replace the existing jdbc.url property with the following property:

    <property value="jdbc/APMDBDS" name="datasource.jndi.name"/>

    Note:

    jdbc/APMDBDS is the name of the JDBC datasource used for the OES.

  4. Delete the following properties:

    • jdbc.driver

    • jdbc.url

    • bootstrap.security.principal.key

    • bootstrap.security.principal.map

  5. Save the jps-config.xml file.

8.7.3.2 Configuring Web Service Security Module

To create a Web Service Security Module instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin for UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin for Windows) as follows:

config.sh -smType ws -smConfigId mySM_Ws -serverPort 9410

In controlled push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 8-7 describes the parameters you specify on the command line.

Table 8-7 Web Service Security Module Parameter

Parameters Description

smType

Type of security module instance you want to create. For Web Service security module, the value for this parameter should be ws.

smConfigId

Name of the security module instance. For example, mySM_ws.

serverPort

The web service listening port. For example, 9410.


Note:

Controlled-push distribution is the default distribution mode for Web Service Security Module.

This command also creates client configuration for Webservice Security Module Instance.

8.7.3.3 Configuring Web Service Security Module on Oracle WebLogic Server

To create a Web Service Security Module instance on Oracle WebLogic Server, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin for UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin for Windows) as follows:

config.sh -onJRF -smType ws -onWLS -smConfigId mySM_WsOnWLS -serverLocation <WebLogic_server_Home> -serverPort <WebLogic_server_port> -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -serverUserName <username> -serverPassword <password>

Note:

If you are using a non-JRF environment, do not specify the -onJRF parameter.

In controlled push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 8-8 describes the parameters you specify on the command line.

Table 8-8 Parameters for Web Service Security Module on Oracle WebLogic Server

Parameters Description

smType

Type of security module instance you want to create. For Web Service security module, the value for this parameter should be ws.

smConfigId

Name of the security module instance. For example, mySM_ws_Controlled.

pdServer

The address of the Oracle Entitlements Server Administration Server.

pdPort

The SSL port of the Oracle Entitlements Server Administration Server. For example, 7002.

serverLocation

Location of the Oracle WebLogic Server.

serverPort

Specify the Oracle WebLogic Administration Server port.

serverUserName

Specify the Oracle WebLogic Server Administration username. For example: weblogic

serverPassword

Specify the Oracle WebLogic Server Administration password.


Note:

Controlled-push distribution is the default distribution mode for Web Service Security Module on Oracle WebLogic Server in a non-JRF environment.

Non-controlled distribution is the default distribution mode for Web Service Security Module on Oracle WebLogic Server in a JRF environment.

This command also creates client configuration for Webservice Security Module Instance on Oracle WebLogic Server.

The Configuration Wizard is displayed. You can create an OES Client domain with Web Service on Oracle WebLogic Server in a JRF environment and Web Service on Oracle WebLogic Server in a non-JRF environment. Depending on the option you select complete one of the following:

Configuring Web Service on Oracle WebLogic Server Domain in a Non-JRF Environment

To create a Web Service on Oracle WebLogic Server domain in a Non-JRF environment, complete the following steps:

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

    The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server Web Service Security Module on Weblogic- 11.1.1.0 [oesclient] option. Click Next.

    Note:

    Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    Note:

    Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

  8. Optional: Configure the following Administration Server parameters:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

      Note:

      Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. Optional: Configure Managed Servers, as required.

    In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  15. Optional: Configure RDBMS Security Store, as required.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

Configuring Web Service on Oracle WebLogic Server Domain in a JRF Environment

To create the Web Service on Oracle WebLogic Server domain in a JRF environment, complete the following steps:

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

    The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server Web Service Security Module on Weblogic and JRF- 11.1.1.0 [oesclient] option. Click Next.

    Note:

    Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    Note:

    Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

  8. Optional: Configure the following Administration Server parameters:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

      Note:

      Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. Optional: Configure Managed Servers, as required.

    In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  15. Optional: Configure RDBMS Security Store, as required.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

After configuring Web Service on Oracle WebLogic Server domain in a JRF environment, you must set up a connection to Oracle Database.

Setting Up Connection to Oracle Database

For setting up connection to Oracle Database, complete the following steps:

  1. Create a JDBC Data Source using the WebLogic Server Administration Console. For more information, see "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

    http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/jdbc/jdbc_datasources/CreateDataSources.html

  2. Open the jps-config.xml file located in <OES_DOMAIN_HOME>/config/oeswlssmconfig directory (on UNIX), or <OES_DOMAIN_HOME>\config\oeswlssmconfig directory (on Windows).

  3. Locate pdp.service and replace the existing jdbc.url property with the following property:

    <property value="jdbc/APMDBDS" name="datasource.jndi.name"/>

    Note:

    jdbc/APMDBDS is the name of the JDBC datasource used for the OES.

  4. Delete the following properties:

    • jdbc.driver

    • jdbc.url

    • bootstrap.security.principal.key

    • bootstrap.security.principal.map

  5. Save the jps-config.xml file.

8.7.3.4 Configuring Oracle Service Bus Security Module

To create a Oracle Service Bus Security Module instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -onJRF -smType wls -smConfigId myosb_WLS -serverLocation <server_location>

Table 8-9 Oracle Service Bus Security Module Parameters

Parameter Description

smType

Type of security module instance you want to create. For example, jboss.

smConfigId

Name of the security module instance. For example, mySM_WLS.

serverLocation

The location of Oracle WebLogic Server.


Note:

Non-controlled distribution is the default distribution mode for Oracle Service Bus Security Module.

The Configuration Wizard is displayed. You can create an OES Client domain with Oracle Service Bus environment as follows:

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

    The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server Security Module On Service Bus - 11.1.1.0 [OESCLIENT] option. Click Next.

    Note:

    Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    Note:

    Ensure that the JDK version you select is Java SE 6 Update 24 or higher.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

  8. Optional: Configure the following Administration Server parameters:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

      Note:

      Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. Optional: Configure Managed Servers, as required.

    In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  15. Optional: Configure RDBMS Security Store, as required.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

After configuring Oracle Service Bus Security Module in a JRF environment, you must set up a connection to Oracle Database.

Setting Up Connection to Oracle Database

For setting up connection to Oracle Database, complete the following steps:

  1. Create a JDBC Data Source using the WebLogic Server Administration Console. For more information, see "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

    http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/jdbc/jdbc_datasources/CreateDataSources.html

  2. Open the jps-config.xml file located in <OES_DOMAIN_HOME>/config/oeswlssmconfig directory (on UNIX), or <OES_DOMAIN_HOME>\config\oeswlssmconfig directory (on Windows).

  3. Locate pdp.service and replace the existing jdbc.url property with the following property:

    <property value="jdbc/APMDBDS" name="datasource.jndi.name"/>

    Note:

    jdbc/APMDBDS is the name of the JDBC datasource used for the OES.

  4. Delete the following properties:

    • jdbc.driver

    • jdbc.url

    • bootstrap.security.principal.key

    • bootstrap.security.principal.map

  5. Save the jps-config.xml file.

Configuring Authorization Provider

You must configure an Authorization provider. For information about configuring an Authorization provider, see "Configure Authorization providers" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/security/ConfigureAuthorizationProviders.html

Configuring Role Mapping Provider

You must configure a Role Mapping provider. For information about configuring a Role Mapping provider, see "Configure Role Mapping providers" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/security/ConfigureRoleMappingProviders.html

8.7.3.5 Configuring IBM WebSphere Security Module

You can configure WebSphere in a JRF environment, and WebSphere in a non-JRF environment. Depending on the option you select complete one of the following:

8.7.3.5.1 Configuring WebSphere Security Module in a Non-JRF Environment

To configure WebSphere Security Module in a non-JRF environment, complete the following steps:

  1. Create a new application server using the IBM WebSphere console and name it OesServer.

  2. Start the Oracle Entitlements Server (OesServer) you created for IBM WebSphere.

  3. Open the smconfig.prp file in a text editor and specify the pd client port and the pd app client context. The pd client port number is the SSL port number of the IBM WebSphere application server and pd app client contex is the location where the was-client.jar is deployed. For example:

    oracle.security.jps.pd.was.client.appcontext=pd-client
    oracle.security.jps.pd.clientPort=8002
    
  4. Run the config.sh command as follows:

    $OES_CLIENT_HOME/oessm/bin/config.sh -smType was -smConfigId mySM_WAS -serverLocation WAS_HOME
    

    WAS_HOME is the location of the IBM WebSphere Application Server.

    For any distribution mode you choose, you must specify the IBM WebSphere server user name and password, when prompted.

    In controlled push mode, you will be prompted for Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.

    In non-controlled and controlled-pull modes, you will be prompted for Oracle Entitlements Server schema user name and password.

    Table 8-10 describes the parameters you specify on the command line.

    Table 8-10 IBM WebSphere Security Module Parameter

    Parameter Description

    smType

    Type of security module instance you want to create. For example, was.

    smConfigId

    Name of the security module instance. For example, mySM_WAS.

    serverLocation

    Location of the IBM WebSphere Server.


    Note:

    Controlled-push distribution is the default distribution mode for IBM WebSphere Security Module a non-JRF environment.

  5. Configure SSL for the IBM WebSphere application server as follows:

    1. Import the Oracle WebLogic Server demo trust certificate into IBM WebSphere node default trust keystore and cell default trust keystore by using keytool to export WLS demo trust certificate from WLS demo trust keystore file, or OES trust.jks file into a .der, as shown in the following example:

      keytool -exportcert -keystore $OES_CLIENT_HOME/oessm/enroll/DemoTrust.jks -alias wlscertgencab -file ~/was.der
      
    2. Import the was.der file into WAS node default trust keystore and cell default trust keystore. as follows:

      • You may find the import in IBM WebSphere Administration Server console:

        security->SSL certificate and key management -> Key stores and certificates -> <NodeDefaultTrustStore> <CellDefaultTrustStore> (here you need to choose one name) -> Signer certificates.

      • Click Add.

      • Enter an alias. For example, WLS.

      • Choose the .der file that you exported earlier, and select data type as DER.

    3. Import the issued private key into the IBM WebSphere node default keystore as follows:

      • You may find the import in IBM WebSphere Administration Server console:

        security->SSL certificate and key management -> Key stores and certificates -> NodeDefaultKeyStore -> Personal certificates.

      • Click Import.

      • Select Keystore and enter the path to the keystore file (located in OES_CLIENT_HOME/oes_sm_instances/mySM_WAS/security/identity.jks)

      • Select JKS as type and enter the password you used to create the keystore file.

      • The certificate alias name is the same name as the hostname.

        Note:

        You must import demo trust certificate into two trust stores for the WAS ND edition. For the private key, you must import one keystore.

    4. Enable Inbound SSL for the server running IBM WebSphere Security Module as follows:

      • In the IBM WebSphere administration console, go to Security >SSL certificate and key management -> Manage endpoint security configurations.

      • Expand inbound tree to get:Inbound->DefaultCell(CellDefaultSSLSettings) -> nodes -> DefaultCellFederatedNode -> servers -> <server name running IBM WebSphere Security Module> and select the server.

      • In the General Properties page, select Override inherited values.

      • From the SSL configuration list, select NodeDefaultSSLSettings.

      • Click Update certificate alias list button and then choose the new imported private key alias in the Certificate alias in key store list.

      • Click Apply.

    5. Enable Out bound SSL for the server running IBM WebSphere Security Module, follows:

      • In the IBM WebSphere administration console, go to Security >SSL certificate and key management -> Manage endpoint security configurations.

      • Expand inbound tree to get:Outbound->DefaultCell(CellDefaultSSLSettings) -> nodes -> DefaultCellFederatedNode -> servers -> <server name running IBM WebSphere Security Module> and select the server.

      • In the General Properties page, select Override inherited values.

      • From the SSL configuration list, select NodeDefaultSSLSettings.

      • Click Update certificate alias list and choose the new imported private key alias in the Certificate alias in key store list.

      • Click Apply.

8.7.3.5.2 Configuring WebSphere Security Module in a JRF Environment

To configure WebSphere Security Module in a JRF environment, complete the following steps:

  1. Configure IBM WebSphere Application Server, as described in Oracle Fusion Middleware Configuration Guide for IBM WebSphere Application Server available at the following link:

    http://docs.oracle.com/cd/E21764_01/web.1111/e17764/toc.htm

    Note:

    In the Add Products to Cell screen, ensure that you select Oracle JRF for WebSphere - 11.1.1.0 [oracle_common]

  2. Run the config.sh command as follows:

    $OES_CLIENT_HOME/oessm/bin/config.sh -smType was -smConfigId mySM_WAS -onJRF -conntype SOAP -host <websphere_host> -port <websphere_port> -user <username> -password <password> -serverLocation WAS_HOME
    

    WAS_HOME is the location of the IBM WebSphere Application Server.

    For any distribution mode you choose, you must specify the IBM WebSphere server user name and password, when prompted.

    In controlled push mode, you will be prompted for Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.

    In non-controlled and controlled-pull modes, you will be prompted for Oracle Entitlements Server schema user name and password.

    Table 8-10 describes the parameters you specify on the command line.

    Table 8-11 IBM WebSphere Security Module Parameter

    Parameter Description

    smType

    Type of security module instance you want to create. For example, was.

    smConfigId

    Name of the security module instance. For example, mySM_WAS.

    serverLocation

    Location of the IBM WebSphere Server.

    host

    Specify the WebSphere host name.

    port

    Specify the WebSphere Node Manager port. For example: 8882

    user

    Specify the WebSphere username. For example: websphere

    password

    Specify the WebSphere password.


    Note:

    Non-controlled distribution is the default distribution mode for IBM WebSphere Security Module in a JRF environment.

After configuring WebSphere Security Module in a JRF environment, you must set up a connection to Oracle Database.

Setting Up Connection to Oracle Database

For setting up connection to Oracle Database, complete the following steps:

  1. Create a JDBC Data Source using the WebLogic Server Administration Console. For more information, see "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

    http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/jdbc/jdbc_datasources/CreateDataSources.html

  2. Open the jps-config.xml file located in <OES_DOMAIN_HOME>/config/oeswlssmconfig directory (on UNIX), or <OES_DOMAIN_HOME>\config\oeswlssmconfig directory (on Windows).

  3. Locate pdp.service and replace the existing jdbc.url property with the following property:

    <property value="jdbc/APMDBDS" name="datasource.jndi.name"/>

    Note:

    jdbc/APMDBDS is the name of the JDBC datasource used for the OES.

  4. Delete the following properties:

    • jdbc.driver

    • jdbc.url

    • bootstrap.security.principal.key

    • bootstrap.security.principal.map

  5. Save the jps-config.xml file.

8.7.3.6 Configuring JBoss Security Module

To create a JBoss Security Module instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType jboss -smConfigId mySM_JBOSS -serverLocation <middleware>/jbosslocation/

Table 8-12 JBoss Security Module Parameters

Parameter Description

smType

Type of security module instance you want to create. For example, jboss.

smConfigId

Name of the security module instance. For example, mySM_WLS.

serverLocation

The location of JBoss Application Server.


Note:

Controlled-push distribution is the default distribution mode for JBoss Security Module.

To make controlled-push mode work, you must login to WebLogic Administration console and go to Environment>Servers>AdminServer>SSL. The Settings for AdminServer page is displayed. Click on Advanced tab and select Use Server Certs.

8.7.3.7 Configuring the Apache Tomcat Security Module

To create a Apache Tomcat Security Module instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType tomcat -smConfigId my_tomcat_sm_push pdServer <oes_server_address> -pdPort <oes_server_port> -sslPort <oes_server_ssl_port> -serverLocation <apache-tomcat Home> -jaxwsRIHome  <jaxwsRI_Home>  -serverUserName <username> -serverPassword <password>

Table 8-13 Apache Tomcat Security Module Parameters

Parameter Description

smType

Type of security module instance you want to create. For example, tomcat.

smConfigId

Name of the security module instance. For example, my_tomcat_sm_push.

pdServer

The address of the Oracle Entitlements Server Administration Server.

pdPort

The port number of the Oracle Entitlements Server Administration Server. For example, 7002.

sslPort

The SSL port number of the Oracle Entitlements Server Administration Server. For example, 8449.

serverLocation

The location of Apache Tomcat Server.

jaxwsRIHome

The location of JAXWS-RI

Note: JAXWS support is required in controlled-push mode. Apache Tomcat does not have JAXWS support by default. You can download JAXWS-RI from the following location:

http://jax-ws.java.net/2.1.7/

serverUserName

Specify the Oracle WebLogic Server Administration username. For example: weblogic

serverPassword

Specify the Oracle WebLogic Server Administration password.


Note:

Controlled-push distribution is the default distribution mode for Apache Tomcat Security Module.

To make controlled-push mode work, you must login to WebLogic Administration console and go to Environment>Servers>AdminServer>SSL. The Settings for AdminServer page is displayed. Click on Advanced tab and select Use Server Certs.

8.7.3.8 Configuring Java Security Module

To create a Java Security Module instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

Note:

If you are using Java Security Module in the proxy mode with Web Service Security Module or RMI Security Module, then you must use oes-ws-client.jar or oes-rmi-client.jar and ensure that you do not use oes-client.jar.

config.sh -smType java -smConfigId mySM_Java

In controlled push mode, you will be prompted for the Oracle Entitlements Server Administration Server username, password, and a new key store password for enrollment.

In non-controlled and controlled pull modes, you will be prompted for Oracle Entitlements Server schema username, and Password.

Table 8-14 describes the parameters you specify on the command line.

Table 8-14 JSE Security Module Parameters

Parameter Description

smType

Type of security module instance you want to create. For example, java.

smConfigId

Name of the security module instance. For example, mySM_java.


Note:

Controlled-push distribution is the default distribution mode for JSE Security Module.

The Java Security Module Instance is created at OES_CLIENT_HOME/oes_sm_instances/mySM_java. If you use the default values described in Table 8-14.

8.7.3.9 Configuring RMI Security Module

To configure a RMI Security Module Instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin for UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin for Windows) as follows:

config.sh -smType rmi -smConfigId mySM_Rmi -serverPort 9405

In controlled push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes when prompter specify the Oracle Entitlements Server schema username and password.

Table 8-15 describes the parameters you specify on the command line.

Table 8-15 RMI Security Module Parameters

Parameter Description

smType

The type of security module instance you want to create. For example, rmi.

smConfigId

The name of the security module instance. For example, mySM_rmi.

serverPort

The RMI listening port. For example, 9405.


Note:

Controlled-push distribution is the default distribution mode for RMI Security Module.

This command also creates client configuration for the RMI Security Module Instance.

8.7.3.10 Configuring Microsoft .NET Security Module

This section includes the following topics:

8.7.3.10.1 Prerequisites for Configuring .NET Security Module

Before configuring .NET Security Module, you must complete the following steps:

Open the dotnetsm_config.properties file (located in <MW_Home>\as_1\oessm\dotnetsm\configtool) and update the following information:

  • application.config.file: Specify the path of the configuration file based on the type of .Net application. For example: app.config or web.config

  • application.log4NetXmlfile: Specify the location of log4net.xml configuration file. If you do not have an existing logging configuration file specify the default location (OES_CLIENT_HOME/oessm/dotnetsm/logging/log4Net.xml).

  • wssm.smurl: Specify the OES webservice uri exposed through the WSSM in the following format:

    http://<host>:<port>/Ssmws

  • gac.utility: Specify the Microsoft .NET Framework Global Assembly Cache Utility Location. You can define the following operations:

    config: If you select this option, then SMconfig tool registers OES-PEP.dll and log4NET.dll in GAC Utility.

    remove: If you select this option, then SMconfig tool removes the DLL from the GAC util and removes the configuration parameters from application.config.file.

8.7.3.10.2 Microsoft .NET Configuration Scenarios

You can configure .NET Security Module in the following scenarios:

Scenario 1: .NET and Web Service on a Single Machine

If .NET and Web Service are installed on a single machine, the following configurations are possible:

Configuring .NET Security Module and Web Service Security Module

Perform the configuration in this scenario if .NET and Web Service are installed on a single machine, and you want to configure .NET Security Module and Web Service Security Module.

Run the config.cmd located in OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType dotnetws -prpFileName <ws_config> –dotnetprpFileName <dotnetsm_config> -smConfigId myDotnet –pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -WSListeningPort 9410

Table 8-16 describes the parameters you specify on the command line.

Table 8-16 .NET Security Module Parameters

Parameter Description

smType

The type of security module instance you want to create. For example, dotnetws.

smConfigId

The name of the security module instance. For example, myDotnet.

prpFileName

Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

dotnetprpFileName

Specify the path to the dotnetsm_config.properties file located in <OES_Client_Home>\oessm\dotnetsm\configtool.

pdServer

The address of the Oracle Entitlements Server Administration Server.

pdPort

The port number of the Oracle Entitlements Server Administration Server. For example, 7002.

WSListeningPort

The web service listening port. For example, 9410.


This command also creates client configuration for the .NET Security Module Instance.

Configuring .NET Security Module

Perform the configuration in this scenario if .NET and Web Service are installed on a single machine, and Web Service Security Module is already configured.

Before you configure a .NET Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run the config.cmd (located in OES_CLIENT_HOME\oessm\bin) for Windows as follows:

config.cmd -smType dotnet -smConfigId myDotnet -prpFileName <ws_config> –dotnetprpFileName <dotnetsm_config>

Table 8-18 describes the parameters you specify on the command line.

Table 8-17 .NET Security Module Parameters

Parameter Description

smType

The type of security module instance you want to create. For example, dotnet.

smConfigId

The name of the security module instance. For example, myDotnet.

prpFileName

Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

dotnetprpFileName

Specify the path to the dotnetsm_config.properties file located in <OES_Client_Home>\oessm\dotnetsm\configtool.


This command also creates client configuration for the .NET Security Module Instance.

Scenario 2: .NET and Web Service on Different Machines

Perform the configuration in this scenario if .NET and Web Service are installed on different machines.

Before you configure a .NET Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run the config.cmd (located in OES_CLIENT_HOME\oessm\bin) for Windows as follows:

config.cmd -smType dotnet -smConfigId myDotnet -prpFileName <ws_config> –dotnetprpFileName <dotnetsm_config>

Table 8-18 describes the parameters you specify on the command line.

Table 8-18 .NET Security Module Parameters

Parameter Description

smType

The type of security module instance you want to create. For example, dotnet.

smConfigId

The name of the security module instance. For example, myDotnet.

prpFileName

Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

dotnetprpFileName

Specify the path to the dotnetsm_config.properties file located in <OES_Client_Home>\oessm\dotnetsm\configtool.


This command also creates client configuration for the .NET Security Module Instance.

8.7.3.11 Configuring Microsoft SharePoint Server (MOSS) Security Module

This section includes the following topics:

8.7.3.11.1 Prerequisites for Configuring MOSS Security Module

Before configuring a MOSS Security Module instance, you must ensure the following:

  • Microsoft SharePoint Server (MOSS) is installed on your machine.

  • The MOSS Web Application, associated with site collections and other resources to be protected by OES MOSS Security Module has been created.

8.7.3.11.2 MOSS Configuration Scenarios

You can configure MOSS Security Module in the following scenarios:

Scenario 1: MOSS and Web Service on a Single Machine

If MOSS and Web Service are installed on a single machine, the following configurations are possible:

Configuring MOSS Security Module and Web Service Security Module

Perform the configuration in this scenario if MOSS and Web Service are installed on a single machine, and you want to configure MOSS Security Module and Web Service Security Module.

Run the config.cmd file located in OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType mossws –prpFileName <ws_config> –mossprpFileName <moss_config> -smConfigId myMoss –pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -WSListeningPort 9410

Table 8-19 describes the parameters you specify on the command line.

Table 8-19 MOSS Security Module Parameters

Parameter Description

smType

The type of security module instance you want to create. For example, mossws.

smConfigId

The name of the security module instance. For example, myMoss.

prpFileName

Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

mossprpFileName

Specify the path to the moss_config.properties file located in <OES_Client_Home>\oessm\mosssm\adm\configtool.

pdServer

The address of the Oracle Entitlements Server Administration Server.

pdPort

The port number of the Oracle Entitlements Server Administration Server. For example, 7002.

WSListeningPort

The web service listening port. For example, 9410.


This command also creates client configuration for the MOSS Security Module Instance.

Configuring MOSS Security Module

Perform the configuration in this scenario if MOSS and Web Service are installed on a single machine, and Web Service Security Module is already configured.

Before you configure a MOSS Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run the config.cmd file located in OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType moss -smConfigId myMoss -prpFileName <ws_config> –mossprpFileName <moss_config>

Table 8-21 describes the parameters you specify on the command line.

Table 8-20 MOSS Security Module Parameters

Parameter Description

smType

The type of security module instance you want to create. For example, moss.

smConfigId

The name of the security module instance. For example, myMoss.

prpFileName

Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

mossprpFileName

Specify the path to the moss_config.properties file located in <OES_Client_Home>\oessm\mosssm\adm\configtool.


This command also creates client configuration for the MOSS Security Module Instance.

Scenario 2: MOSS and Web Service on Different Machines

Perform the configuration in this scenario if MOSS and Web Service are installed on different machines.

Before you configure a MOSS Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run the config.cmd file located in OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType moss -smConfigId myMoss -prpFileName <ws_config> –mossprpFileName <moss_config>

Table 8-21 describes the parameters you specify on the command line.

Table 8-21 MOSS Security Module Parameters

Parameter Description

smType

The type of security module instance you want to create. For example, moss.

smConfigId

The name of the security module instance. For example, myMoss.

prpFileName

Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

mossprpFileName

Specify the path to the moss_config.properties file located in <OES_Client_Home>\oessm\mosssm\adm\configtool.


This command also creates client configuration for the MOSS Security Module Instance.

8.7.3.11.3 Running Resource Discovery Tool

You must run the Resource Discovery tool to locate the MOSS resources.

Run the MOSSResourceDiscovery.exe file, located in <OES_CLIENT_HOME/oessm/mosssm/lib directory (on Windows). You will be prompted for the following parameters:

  • Enter the folder path where you want to create OES policy file - Specify the path of the folder where the resource files will be created. Note that the directory used for storing the exported resources must be created beforehand.

  • Enter Path where Admin Url file is located - Specify the path to <OES_CLIENT_HOME/oessm/mosssm/adm/discovery/AdmUrls.txt file. This file is used to extract the admin URLs.

  • Enter SharePoint site URL and DONOT append url with /. e.g. http://sharepoint01 - Specify the URL of the top level MOSS sites to be protected by OES.

  • Enter Application Name of the MOSS application to be protected by OES e.g. MossApp - Specify the name of the MOSS application to be protected by OES.

    Note:

    Ensure that the MOSS application name that you provide is same as the value defined for moss.app.name parameter in moss_config.properties file.

  • Enter Resource Type of all the MOSS resources e.g. MossResourceType - Specify the resource type of all the MOSS resources to be protected by OES.

    Note:

    Ensure that the MOSS resource type that you provide is same as the value defined for moss.resource.type parameter in moss_config.properties file.

Following is a sample execution of MOSSResourceDiscovery.exe file:

C:\Oracle\Middleware\Oracle_OESClient\oessm\mosssm\lib>MOSSResourceDiscovery.exe
----------------------------------------------------------
         Welcome to the MOSS Resource Discovery
----------------------------------------------------------
Enter the folder path where you want to create OES policy file
 
c:\inetpub\wwwroot\wss\VirtualDirectories\9581\policy
 
Enter Path where Admin Url file is located
 
C:\Oracle\Middleware\Oracle_OESClient\oessm\mosssm\adm\Discovery\AdmUrls.txt
 
Enter SharePoint site URL and DONOT append url with /. e.g. http://sharepoint01
 
http://alesw2k8:9581
 
Enter Application Name of the MOSS application to be protected by OES e.g. MossApp
 
MossApp
 
Enter Resource Type of all the MOSS resources e.g. MossResourceType
 
MossResourceType
 
Resource Discovery starts....
SpSitePath is http://alesw2k8:9581
8.7.3.11.4 Migrating Resource Policies

To migrate the MOSS resource policies to OES policy store, complete the following steps:

  1. Go to OES_CLIENT_HOME/oessm/bin directory (on Windows), or OES_CLIENT_HOME\oessm\bin directory (on UNIX)

  2. Run the manage-policy.cmd file (on Windows), or manage-policy.sh file (on UNIX)

Following is a sample execution of manage-policy.cmd file:

C:\Oracle\Middleware\Oracle_OESClient\oessm\bin>manage-policy.cmd

Please input the application name for the protected MOSS application e.g MossApp:
MossApp

Input the resource type for the MOSS resources e.g MossResourceType:
MossResourceType

Input the Moss resource file:
c:\inetpub\wwwroot\wss\VirtualDirectories\9581\policy\object

Creating resource: /_layouts  

8.7.4 Locating Security Module Instances

The Oracle Entitlements Server security module instances are created in the OES_CLIENT_HOME/oes_sm_instances. directory.

For Oracle WebLogic Server security module, the domain configuration is located in DOMAIN_HOME/config/oeswlssmconfig.

You can create, delete, or modify the security module instances, as required.

8.7.5 Using the Java Security Module

After configuring Java Security Module for your program, you must start the Java Security module for your program by completing the following:

  1. Set a new Java System Property -Doracle.security.jps.config and specify the location of the jps-config.xml file (located in OES_CLIENT_HOME/oes_sm_instances/<SM_NAME>/config) as the value.

  2. Enter oes-client.jar (located in OES_CLIENT_HOME/modules/oracle.oes_sm.1.1.1) into the classpath of the program.

8.7.6 Configuring the PDP Proxy Client

You can configure a PDP Proxy Client for your web service Security Module or RMI Security Module, as described in Table 8-22:

Table 8-22 PDP Proxy Client Security Module Parameters

Parameter Description

oracle.security.jps.pdp.isProxy

Specify true as the value.

oracle.security.jps.pdp.PDPTransport

Specify Web Service (WS) or (RMI).

oracle.security.jps.pdp.proxy.PDPAddress

Specify http://hostname:port (WS) or rmi://hostname:port (RMI).


You must run the config.sh (located in OES_CLIENT_HOME/oessm/bin on UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as shown in the following example:

For Java Security Module:

OES_CLIENT_HOME/oessm/bin/config.sh -smType <SM_TYPE> -smConfigId <SM_NAME>

The SM_TYPE can be java, wls, or was. and for SM_NAME enter an appropriate name.

8.8 Getting Started with Oracle Entitlements Server After Installation

After installing Oracle Entitlements Server, refer to the following documents: