7 Configuring Oracle Entitlements Server

This chapter describes how to configure Oracle Entitlements Server 11g Release 2 (11.1.2.3.0).

It discusses the following topics:

7.1 Important Note Before You Begin

Before you start configuring Oracle Entitlements Server, ensure that you have reviewed the information provided in Part I, "Introduction and Preparation".

Note that IAM_HOME is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite. You can specify any path for this Oracle Home directory.

7.2 Overview of Oracle Entitlements Server 11g Installation

Oracle Entitlements Server is a fine-grained authorization and entitlement management solution that can be used to precisely control the protection of application resources. It simplifies and centralizes security for enterprise applications and SOA by providing comprehensive, reusable, and fully auditable authorization policies and a simple, easy-to-use administration model. For more information, see "Introducing Oracle Entitlements Server" in the Administering Oracle Entitlements Server.

Oracle Entitlements Server 11g includes two distinct components:

Oracle Entitlements Server Administration Server

This component is included in the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) installation. The Administration Server manages the storage of policy data in the database and the transactional distribution of policies to the Security Modules.

Oracle Entitlements Server Client (Security Module)

This component has its own installer, and it is not included in the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) installation. The Oracle Entitlements Server Client does not require Oracle WebLogic Server.

7.3 Configuration Roadmap for Oracle Entitlements Server

Table 7-1 lists the tasks for configuring Oracle Entitlements Server.

Table 7-1 Configuration Flow for Oracle Entitlements Server

  1. Run the Oracle Fusion Middleware Configuration Wizard to configure Oracle Entitlements Server Administration Server.

    For more information, see Section 7.4, "Configuring Oracle Entitlements Server Administration Server".

  2. Install the Oracle Entitlements Server Client software.

    For more information, see Section 7.5, "Installing Oracle Entitlements Server Client".

  3. Configure Oracle Entitlements Server Client.

    For more information, see Section 7.6, "Configuring Oracle Entitlements Server Client".

  4. Get started with Oracle Entitlements Server.

    For more information, see Section 7.7, "Getting Started with Oracle Entitlements Server After Installation".


7.4 Configuring Oracle Entitlements Server Administration Server

This topic describes how to configure Oracle Entitlements Server in a new WebLogic domain. It includes the following sections:

7.4.1 Components Deployed

Performing the configuration in this section deploys the following:

  • WebLogic Administration Server

  • Oracle Entitlements Server application on the Administration Server

7.4.2 Extracting Apache Derby Template (Optional)

If you are using Apache Derby, then you must extract the oracle.apm_11.1.1.3.0_template_derby.zip file (located in IAM_HOME/common/templates/applications) and save oracle.apm_11.1.1.3.0_template_derby.jar file to the following location:

IAM_HOME\common\templates\applications

7.4.3 Configuring Oracle Entitlements Server in a New WebLogic Domain

Perform the following steps to configure Oracle Entitlements Server in a new WebLogic domain:

  1. Run the IAM_HOME/common/bin/config.sh script (on Linux or UNIX), or IAM_HOME\common\bin\config.cmd (on Windows).

    The Welcome screen of the Oracle Fusion Middleware Configuration Wizard appears.

    Note:

    IAM_HOME is used as an example here. You must run this script from your Oracle Identity and Access Management Home directory that contains Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Privileged Account Manager, Oracle Access Management Mobile and Social, and Oracle Mobile Security Suite.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

    The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select one of the following options:

    • Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_HOME]

    • Oracle Entitlements Server for Managed Server- 11.1.1.0 [IAM_HOME]

    Notes:

    • If you select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_HOME] option, the following options are also selected, by default:

      • Oracle Platform Security Service 11.1.1.0 [IAM_HOME]

      • Oracle JRF 11.1.1.0 [oracle_common]

      • Oracle OPSS Metadata for JRF 11.1.1.0 [oracle_common]

    • If you select the Oracle Entitlements Server for Managed Server- 11.1.1.0 [IAM_HOME] option, the following options are also selected, by default:

      • Oracle Platform Security Service 11.1.1.0 [IAM_HOME]

      • Oracle JRF 11.1.1.0 [oracle_common]

      • Oracle OPSS Metadata for JRF 11.1.1.0 [oracle_common]

    • If you are using Apache Derby, then select the Oracle Entitlements Server Derby Template - 11.1.1.0 [IAM_HOME] option.

    Click Next. The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created.

    Note:

    The default locations for the domain home and application home are MW_HOME/user_projects/domains and MW_HOME/user_projects/applications, respectively. However, it is recommended that you create your domain and application home directories outside of both the Middleware home and Oracle home.

    Click Next. The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them. This is the WebLogic Administrator user name and password that you must specify for logging in to the WebLogic Server Administration Console. The Oracle WebLogic Server Administration Console is a Web browser-based, graphical user interface that you use to manage a WebLogic Server domain.

    The Configure Server Start Mode and JDK screen appears.

  6. Choose a JDK from the Available JDKs and then select a mode under WebLogic Domain Startup Mode. Click Next.

    The Configure JDBC Component Schema screen is displayed.

  7. On the Configure JDBC Component Schema screen, select the OPSS Schema and specify the Schema Owner, Schema Password, DBDS/Service, Host Name, and Port.

    Note:

    The Schema Owner refers to the name that you specified when creating the database schemas for Oracle Entitlements Server using the Oracle Fusion Middleware Repository Creation Utility (RCU).

    For Database related information, refer to the tnsnames.ora file (located in the DB_INSTALL_DIR/product/11.2.0/DB_INSTANCE/network/admin directory, where DB_INSTALL_DIR is the location where Oracle Database was installed, and DB_INSTANCE by default is dbhome_1).

    Click Next. The Test JDBC Component Schema screen appears.

  8. Select the component schema you want to test, and click Test Connections. After the test succeeds, click Next. If the test fails, click Previous, correct the values that you entered in step 7, and test the connection again.

    The Select Optional Configuration screen appears.

  9. On the Select Optional Configuration screen, you can configure the Administration Server, Managed Servers, Clusters, Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes, and click Next.

  10. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

  11. The Creating Domain screen appears. This screen shows the progress of the domain creation. When the domain creation process completes, this screen displays the Domain location and the Admin Server URL.

    After reviewing the information displayed on the screen, click Done to close the Configuration Wizard.

By default, a new WebLogic domain to support Oracle Entitlements Server is created in the MW_HOME\user_projects\domains directory (on Windows). On Linux or UNIX, the domain is created in the MW_HOME/user_projects/domains directory, by default.

7.4.4 Configuring SSL When Configuring the Database Security Store

After you have created the appropriate database schemas and have configured Oracle Entitlements Server in a WebLogic domain, you can configure SSL for the database security store. The database security store is configured by running the configureSecurityStore.py script; to use SSL for that connection, you must complete the following steps before running configureSecurityStore.py.

Notes:

  • It is assumed that, at this point, the database is properly configured with SSL, and that the keystore and truststore have already been created using the keytool command.

  • In the following steps, the property oracle.net.ssl_version=1.0 is set for a database server that is configured to use Transport Layer Security (TLS) version 1.0. If the database server does not use TLS 1.0, set oracle.net.ssl_version to the corresponding value instead. This property selects the SSL/TLS protocol version that the JDBC driver uses, so the value you specify must be supported by both the JDBC driver and the database server.

  • For more information on running the configureSecurityStore.py script, see Section 7.4.5, "Configuring the Database Security Store for Oracle Entitlements Server Administration Server".

  1. Update the Database URL in the JDBC configuration file opss-jdbc.xml by doing the following:

    1. Open the DOMAIN_HOME/config/jdbc/opss-jdbc.xml file for editing.

      The opss-jdbc.xml file contains schema and database server information for Oracle Entitlements Server and Oracle Platform Security Services.

    2. Edit the Database URL to change it from:

      jdbc:oracle:thin:@db_host:db_port/service_name

      to

      jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=db_hostname)(PORT=db_port_number)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=db_service_name)))

    3. Add the following properties:

      <property>
        <name>javax.net.ssl.keyStore</name>
        <value>path_to_keystore</value>
      </property>
      <property>
        <name>javax.net.ssl.keyStorePassword</name>
        <value>keystore_password</value>
      </property>
      <property>
        <name>javax.net.ssl.trustStore</name>
        <value>path_to_truststore</value>
      </property>
      <property>
        <name>javax.net.ssl.trustStorePassword</name>
        <value>truststore_password</value>
      </property>
      <property>
        <name>oracle.net.ssl_version</name>
        <value>TLS_version</value>
      </property>


      Where,

      path_to_keystore refers to the absolute path to the keystore. For example, /home/certs/dbcerts/mycerts/keystore.jks.

      keystore_password refers to the password of the key store.

      path_to_truststore refers to the absolute path to the truststore. For example, /home/certs/dbcerts/mycerts/truststore.jks.

      truststore_password refers to the password of the truststore.

      TLS_version refers to the Transport Layer Security (TLS) version. If the database server is configured to use the TLS version 1.0, you must specify 1.0.

    4. Save the file and exit.

  2. Edit the WLST script by doing the following:

    1. Open the MW_HOME/wlserver_10.3/common/bin/wlst.sh file for editing.

    2. Update the following line:

      JVM_ARGS="-Dprod.props.file='${WL_HOME}'/.product.properties ${WLST_PROPERTIES} ${JVM_D64} ${MEM_ARGS} ${CONFIG_JVM_ARGS}"

      to change it to

      JVM_ARGS="-Dprod.props.file='${WL_HOME}'/.product.properties ${WLST_PROPERTIES} ${JVM_D64} ${MEM_ARGS} ${CONFIG_JVM_ARGS} -Djavax.net.ssl.trustStorePassword=trust_store_password -Djavax.net.ssl.keyStorePassword=key_store_password -Djavax.net.ssl.keyStore=path_to_keystore -Djavax.net.ssl.trustStore=path_to_truststore -Doracle.net.ssl_version=TLS_version"

      For example:

      JVM_ARGS="-Dprod.props.file='${WL_HOME}'/.product.properties ${WLST_PROPERTIES} ${JVM_D64} ${MEM_ARGS} ${CONFIG_JVM_ARGS} 
      -Djavax.net.ssl.trustStorePassword=welcome1 
      -Djavax.net.ssl.keyStorePassword=welcome2 
      -Djavax.net.ssl.keyStore=/home/certs/dbcerts/mycerts/keystore.jks 
      -Djavax.net.ssl.trustStore=/home/certs/dbcerts/mycerts/truststore.jks 
      -Doracle.net.ssl_version=1.0"
      

      In the above example, -Doracle.net.ssl_version=1.0 indicates that the database server is configured to use Transport Layer Security (TLS) version 1.0.

    3. Save the file and exit.

  3. Edit the configureSecurityStore.py script by doing the following:

    1. Open the MW_HOME/IAM_HOME/common/tools/configureSecurityStore.py file for editing.

    2. Edit the following line to change it from:

      full_command_parts = ("java -Doracle.security.jps.config=", escapedJpsConfPath, " oracle.security.jps.internal.api.credstore.CredstoreUtil",

      to

      full_command_parts = ("java -Djavax.net.ssl.trustStorePassword=truststore_password -Djavax.net.ssl.keyStorePassword=keystore_password -Djavax.net.ssl.keyStore=path_to_keystore -Djavax.net.ssl.trustStore=path_to_truststore -Doracle.net.ssl_version=TLS_version -Doracle.security.jps.config=", escapedJpsConfPath, " oracle.security.jps.internal.api.credstore.CredstoreUtil",

      For example:

      full_command_parts = ("java -Djavax.net.ssl.trustStorePassword=welcome1 
      -Djavax.net.ssl.keyStorePassword=welcome2 
      -Djavax.net.ssl.keyStore=/home/certs/dbcerts/mycerts/keystore.jks 
      -Djavax.net.ssl.trustStore=/home/certs/dbcerts/mycerts/truststore.jks 
      -Doracle.net.ssl_version=1.0 
      -Doracle.security.jps.config=", escapedJpsConfPath, " oracle.security.jps.internal.api.credstore.CredstoreUtil",

    3. The following line occurs twice. Edit the line to change it from:

      full_command_parts = ("java -Xms512M -Xmx512M ", "oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler ", command)

      to

      full_command_parts = ("java -Xms512M -Xmx512M -Djavax.net.ssl.trustStorePassword=truststore_password -Djavax.net.ssl.keyStorePassword=keystore_password -Djavax.net.ssl.keyStore=path_to_keystore -Djavax.net.ssl.trustStore=path_to_truststore -Doracle.net.ssl_version=TLS_version ", "oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler ", command)

      For example:

      full_command_parts = ("java -Xms512M -Xmx512M 
      -Djavax.net.ssl.trustStorePassword=welcome1 
      -Djavax.net.ssl.keyStorePassword=welcome2 
      -Djavax.net.ssl.keyStore=/home/certs/dbcerts/mycerts/keystore.jks 
      -Djavax.net.ssl.trustStore=/home/certs/dbcerts/mycerts/truststore.jks 
      -Doracle.net.ssl_version=1.0 ", 
      "oracle.security.jps.internal.tools.configuration.ldap.LdapServiceEnabler ", command)

    4. Save the configureSecurityStore.py script and exit.

  4. Edit the startWebLogic script by doing the following:

    1. Open the DOMAIN_HOME/bin/startWebLogic.sh file for editing.

    2. Edit the following line to change it from:

      JAVA_OPTIONS="${JAVA_OPTIONS} -Dlaunch.main.class=${SERVER_CLASS} -Dlaunch.class.path="${CLASSPATH}" -Dlaunch.complete=weblogic.store.internal.LockManagerImpl -cp ${WL_HOME}/server/lib/pcl2.jar"

      to

      JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStorePassword=truststore_password -Djavax.net.ssl.keyStorePassword=keystore_password -Djavax.net.ssl.keyStore=path_to_keystore -Djavax.net.ssl.trustStore=path_to_truststore -Doracle.net.ssl_version=TLS_version -Dlaunch.main.class=${SERVER_CLASS} -Dlaunch.class.path="${CLASSPATH}" -Dlaunch.complete=weblogic.store.internal.LockManagerImpl -cp ${WL_HOME}/server/lib/pcl2.jar"

      For example:

      JAVA_OPTIONS="${JAVA_OPTIONS} -Djavax.net.ssl.trustStorePassword=welcome1 
      -Djavax.net.ssl.keyStorePassword=welcome2 
      -Djavax.net.ssl.keyStore=/home/certs/dbcerts/mycerts/keystore.jks 
      -Djavax.net.ssl.trustStore=/home/certs/dbcerts/mycerts/truststore.jks 
      -Doracle.net.ssl_version=1.0 -Dlaunch.main.class=${SERVER_CLASS} 
      -Dlaunch.class.path="${CLASSPATH}" 
      -Dlaunch.complete=weblogic.store.internal.LockManagerImpl -cp ${WL_HOME}/server/lib/pcl2.jar"

    3. Save the file and exit.

      Note:

      If you have a Managed Server, you must also update the OES_DOMAIN_HOME/bin/startManagedWebLogic.sh script as described for the startWebLogic.sh script.

  5. Configure the database security store by running the configureSecurityStore.py script. For more information, see Section 7.4.5, "Configuring the Database Security Store for Oracle Entitlements Server Administration Server".

    After you configure the database security store, start the domain. You can then verify that it connects to the database over SSL.
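Steps 1 to 4 above put the same five SSL settings into four different files, and the most common slips are leaving the documentation's placeholders (path_to_keystore, TLS_version, and so on) in one of them or forgetting to switch the URL to the TCPS connect descriptor. The following Python script is an added example, not part of the Oracle documentation and not an Oracle tool: it builds the TCPS URL from step 1 and checks an opss-jdbc.xml document and a JVM_ARGS/JAVA_OPTIONS line for the required properties. It assumes the WebLogic jdbc-data-source layout for opss-jdbc.xml (a <jdbc-driver-params> element containing <url> and <properties>); the sample documents and script lines embedded in it are constructed.

```python
"""Verify the Section 7.4.4 SSL edits (added example, not an Oracle tool).

Assumes the WebLogic jdbc-data-source layout for opss-jdbc.xml:
<jdbc-driver-params><url>...</url><properties><property>...</property>
</properties></jdbc-driver-params>. Sample documents and lines are constructed.
"""
import re
import xml.etree.ElementTree as ET

# The five properties Section 7.4.4 adds to opss-jdbc.xml and to each script.
REQUIRED_SSL_PROPERTIES = (
    "javax.net.ssl.keyStore",
    "javax.net.ssl.keyStorePassword",
    "javax.net.ssl.trustStore",
    "javax.net.ssl.trustStorePassword",
    "oracle.net.ssl_version",
)
# Placeholder tokens from the documentation that must not survive in a real file.
DOC_PLACEHOLDERS = {
    "path_to_keystore", "path_to_truststore", "keystore_password",
    "key_store_password", "truststore_password", "trust_store_password", "TLS_version",
}


def build_tcps_url(host, port, service_name):
    """Build the TCPS connect-descriptor URL from step 1 of Section 7.4.4."""
    return ("jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)"
            "(HOST=%s)(PORT=%d)))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=%s)))"
            % (host, port, service_name))


def _local(tag):
    """Drop the namespace from an ElementTree tag: '{ns}url' -> 'url'."""
    return tag.rsplit("}", 1)[-1]


def _check_values(props):
    """Presence, non-empty and no-placeholder check shared by both file types."""
    problems = []
    for name in REQUIRED_SSL_PROPERTIES:
        if name not in props:
            problems.append("missing %s" % name)
        elif not props[name]:
            problems.append("empty value for %s" % name)
        elif props[name] in DOC_PLACEHOLDERS:
            problems.append("placeholder value left in %s" % name)
    return problems


def check_opss_jdbc_xml(xml_text):
    """Return the problems found in an opss-jdbc.xml document ([] = SSL-ready)."""
    root = ET.fromstring(xml_text)
    problems = []
    urls = [(e.text or "").strip() for e in root.iter() if _local(e.tag) == "url"]
    if not urls:
        problems.append("no <url> element found")
    for url in urls:
        if "(PROTOCOL=TCPS)" not in url.upper():
            problems.append("url does not use PROTOCOL=TCPS: %s" % url)
    props = {}
    for prop in root.iter():
        if _local(prop.tag) == "property":
            fields = {_local(c.tag): (c.text or "").strip() for c in prop}
            if "name" in fields:
                props[fields["name"]] = fields.get("value", "")
    return problems + _check_values(props)


def check_jvm_options(script_line):
    """Return the problems in a JVM_ARGS / JAVA_OPTIONS line from steps 2 to 4."""
    props = dict(re.findall(r"-D([\w.]+)=([^\s\"]*)", script_line))
    return _check_values(props)


# Constructed "after" document: TCPS URL plus the five properties with real values.
SSL_OPSS_JDBC = """<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <name>opss-DBDS</name>
  <jdbc-driver-params>
    <url>%s</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property><name>user</name><value>DEV_OPSS</value></property>
      <property><name>javax.net.ssl.keyStore</name><value>/home/certs/dbcerts/mycerts/keystore.jks</value></property>
      <property><name>javax.net.ssl.keyStorePassword</name><value>welcome2</value></property>
      <property><name>javax.net.ssl.trustStore</name><value>/home/certs/dbcerts/mycerts/truststore.jks</value></property>
      <property><name>javax.net.ssl.trustStorePassword</name><value>welcome1</value></property>
      <property><name>oracle.net.ssl_version</name><value>1.0</value></property>
    </properties>
  </jdbc-driver-params>
</jdbc-data-source>""" % build_tcps_url("dbhost.example.com", 2484, "orcl")

# Constructed "before" document: plaintext thin URL, no SSL properties at all.
PLAIN_OPSS_JDBC = """<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@dbhost.example.com:1521/orcl</url>
    <properties><property><name>user</name><value>DEV_OPSS</value></property></properties>
  </jdbc-driver-params>
</jdbc-data-source>"""

# Constructed: the wlst.sh line with the documentation's placeholders still in it.
PLACEHOLDER_JVM_ARGS = (
    'JVM_ARGS="${CONFIG_JVM_ARGS} -Djavax.net.ssl.trustStorePassword=trust_store_password '
    '-Djavax.net.ssl.keyStorePassword=key_store_password -Djavax.net.ssl.keyStore=path_to_keystore '
    '-Djavax.net.ssl.trustStore=path_to_truststore -Doracle.net.ssl_version=TLS_version"')

if __name__ == "__main__":
    for label, result in (("ssl opss-jdbc.xml", check_opss_jdbc_xml(SSL_OPSS_JDBC)),
                          ("plain opss-jdbc.xml", check_opss_jdbc_xml(PLAIN_OPSS_JDBC)),
                          ("wlst.sh JVM_ARGS", check_jvm_options(PLACEHOLDER_JVM_ARGS))):
        print(label, "->", result or "OK")
```

To check a real domain, call check_opss_jdbc_xml(open("DOMAIN_HOME/config/jdbc/opss-jdbc.xml").read()) and check_jvm_options() on the edited JVM_ARGS, full_command_parts and JAVA_OPTIONS lines; an empty list means all five settings are present with non-placeholder values. The checker reports only property names, never the keystore or truststore passwords it reads.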

7.4.5 Configuring the Database Security Store for Oracle Entitlements Server Administration Server

You must run the configureSecurityStore.py script to configure the Database Security Store for Oracle Entitlements Server Administration Server. The security store is a repository of system and application-specific policies, credentials, and keys.

The configureSecurityStore.py script is located in the IAM_HOME\common\tools directory. You can use the -h option for help information about using the script.

Note:

If you want to configure SSL when configuring the database security store, then you must complete the steps in Section 7.4.4, "Configuring SSL When Configuring the Database Security Store" before running the configureSecurityStore.py script.

Configure the security store for Oracle Entitlements Server Administration Server as follows:

On Windows:

MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d DOMAIN_HOME -s datasource -f farmname -t servertype -j jpsroot -m mode -p password

For example:

MW_HOME\oracle_common\common\bin\wlst.cmd IAM_HOME\common\tools\configureSecurityStore.py -d MW_HOME\user_projects\domains\base_domain -t DB_ORACLE -j cn=jpsroot -m create -p welcome1

For an example of the join option, see "Configuring the Database Security Store Using the Join Option."

On Linux or UNIX:

MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d DOMAIN_HOME -s datasource -f farmname -t servertype -j jpsroot -m mode -p password

For example:

MW_HOME/oracle_common/common/bin/wlst.sh IAM_HOME/common/tools/configureSecurityStore.py -d MW_HOME/user_projects/domains/base_domain -t DB_ORACLE -j cn=jpsroot -m create -p welcome1

For an example of the join option, see "Configuring the Database Security Store Using the Join Option."

Table 7-2 describes the parameters that you may specify on the command line.

Table 7-2 OES Administration Server Security Store Configuration Parameters

Parameter Description

-d domaindir

Location of the Oracle Entitlements Server Administration Server domain.

-s datasource

The data source of the security store configured in the domain.

Optional; the default value is opss-DBDS.

-f farmname

The security store farm name.

Optional; the default value is the domain name.

-t servertype

The policy store type. For example: DB_ORACLE, DB_DERBY, or OID.

Optional; the default value is DB_ORACLE.

-j jpsroot

The distinguished name of jpsroot.

Optional; the default value is cn=jpsroot.

-m mode

create - Use create to create a new database security store.

join - Use join to use an existing database security store for the domain.

validate - Use validate to verify whether the Security Store has been configured correctly. This mode validates the diagnostics data created during the initial creation of the Security Store.

validatefix - Use validatefix to fix the diagnostics data present in the Security Store.

fixjse - Use fixjse to update the domain's Database Security Store credentials used for access by JSE tools.

-c config

The configuration mode of the domain. For example: IAM.

Optional; the default value is None.

Note: If the -c <config> option is specified, the OES Administration Server is configured in mixed mode and can then distribute policies only to Security Modules in non-controlled mode and controlled pull mode.

For example: If the OES Administration Server is deployed in a domain where other Oracle Identity and Access Management components (OIM, OAM, OAAM, OPAM, or OIN) are deployed, then the domain is configured in mixed mode. In this case, the OES Administration Server is used only for managing the Oracle Identity and Access Management policies. It should not be used to manage the policies for any other applications protected by OES Security Modules.

If the -c <config> option is not specified, the OES Administration Server is configured in non-controlled mode and can distribute policies to Security Modules in controlled push mode.

For example: If you want to use the OES Administration Server to manage custom applications that are protected by OES Security Modules, then the OES Administration Server must be deployed in a domain with non-controlled distribution mode.

-p password

The OPSS schema password.

-k keyfilepath

The directory containing the encryption key file ewallet.p12. If -m join is specified, this option is mandatory.

-w keyfilepassword

The password used when the domain's key file was generated. If -m join is specified, this option is mandatory.

-u username

The user name of the OPSS schema. If -m fixjse is specified, this option is mandatory.


7.4.6 Starting the Servers

After installing and configuring Oracle Entitlements Server, you must start the Administration Server and the Managed Server based on the option that you had selected on the Select Domain Source screen of the Oracle Fusion Middleware Configuration Wizard. For more information, see Appendix C, "Starting the Stack".

Ensure that you start the Oracle Entitlements Server Administration Server before starting the Managed Server.

7.4.7 Verifying Oracle Entitlements Server Configuration

  • To verify that your Oracle Entitlements Server Administration Server configuration was successful, use the following URL to log in to the Oracle Entitlements Server Administration Console:

    http://hostname:port/apm/
    

    Where hostname is the DNS name or IP address of the Administration Server and port is the address of the port on which the Administration Server listens for requests. You can obtain these values from the AdminServer.log file.

    The AdminServer.log file is located in the DOMAIN_HOME/servers/AdminServer/logs directory (on Linux or UNIX) or the DOMAIN_HOME\servers\AdminServer\logs directory (on Windows).

  • To verify that your Oracle Entitlements Server Managed Server configuration was successful, use the following URL:

    http://oes_server1-hostname:oes_server1-port/apm/
    

For more information, see the section "Logging In to and Signing Out of the User Interface" in the Administering Oracle Entitlements Server.

7.5 Installing Oracle Entitlements Server Client

This section contains the following topics:

7.5.1 Prerequisites

Before installing the Oracle Entitlements Server Client software, ensure that you have installed and configured the Oracle Entitlements Server Administration Server.

7.5.2 Obtaining Oracle Entitlements Server Client Software

For more information on obtaining Oracle Entitlements Server Client 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.

7.5.3 Installing Oracle Entitlements Server Client

To install Oracle Entitlements Server Client, extract the contents of oesclient.zip to your local directory and then start the Installer by executing one of the following commands:

Linux or UNIX: <full path to the runInstaller directory>/runInstaller -jreLoc <full path to the JRE directory>

Windows: <full path to the setup.exe directory>\setup.exe -jreLoc <full path to the JRE directory>

Note:

The installer prompts you to enter the absolute path of the JDK that is installed on your system. When you install Oracle WebLogic Server, the jdk directory is created under your Middleware Home. You must enter the absolute path of the JRE folder located in this JDK when launching the installer. For example, on Windows, if the JRE is located in C:\MW_HOME\jdk, then launch the installer from the command prompt as follows:

<full path to the setup.exe directory>\setup.exe -jreLoc C:\MW_HOME\jdk\jre

You must specify the -jreLoc option on the command line when using the JDK to avoid installation issues.

Follow the instructions in Table 7-3 to install Oracle Entitlements Server Client.

If you need additional help with any of the installation screens, click Help to access the online help.

Table 7-3 Installation Flow for the Oracle Entitlements Server Client

  1. Welcome

    Click Next to continue.

  2. Prerequisite Checks

    If all prerequisite checks pass inspection, then click Next to continue.

  3. Specify Installation Location

    In the Oracle Home Directory field, enter the directory where you want to install the Oracle Entitlements Server client. This directory is also referred to as OES_CLIENT_HOME in this book.

    Note: If the Security Module you want to configure requires creation or extension of a WebLogic domain, then you must install the Oracle Entitlements Server client in the Middleware Home that was created during WebLogic Server installation. This applies to the following Security Module configurations:

      • WebLogic Server Security Module in a JRF environment

      • WebLogic Server Security Module in a Non-JRF environment

      • Web Service Security Module on Oracle WebLogic Server domain in a JRF environment

      • Web Service Security Module on Oracle WebLogic Server domain in a Non-JRF environment

      • Oracle Service Bus Security Module

    For the above Security Module configurations, Oracle recommends that you install the Oracle Entitlements Server client in a separate directory in the same Middleware Home where the Oracle Entitlements Server Administration server is installed. For example, MW_HOME/OES_CLIENT_HOME.

    For the other Security Modules, the OES_CLIENT_HOME can be any other directory where you want to install the Oracle Entitlements Server client.

    Click Next to continue.

  4. Installation Summary

    The Installation Summary screen displays a summary of the choices that you made. Review this summary and decide whether to start the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation pane and modify your choices.

    Click Save to save the installation response file, which contains your responses to the Installer prompts and fields.

    To continue installing Oracle Entitlements Server Client, click Install.

  5. Installation Progress

    The Installation Progress screen appears. Monitor the progress of your installation. The location of the installation log file is listed for reference. Make a note of the name and location of the installation log file for your reference.

    After the installation progress reaches 100%, click OK.

    If you are installing on a Linux or UNIX system, you may be asked to run the OES_CLIENT_HOME/oracleRoot.sh script to set up the proper file and directory permissions.

  6. Installation Complete

    Click Finish to dismiss the installer.

    This installation process copies the OES Client software to your system and creates an OES_CLIENT_HOME directory in the location that you specified in step 3.


7.5.4 Verifying Oracle Entitlements Server Client Installation

To verify that your Oracle Entitlements Server Client installation is successful, go to your OES_CLIENT_HOME directory which you specified during installation, and verify that the OES_CLIENT_HOME directory is created and populated with product files.

You can also verify the installation log file that is generated after the installation is complete. The name and location of the installation log file is displayed on the Installation Progress screen (in step 5) of the Oracle Entitlements Server Client installation.

7.6 Configuring Oracle Entitlements Server Client

Policy data is distributed in a controlled manner or in a non-controlled manner.

The distribution mode is defined in the jps-config.xml configuration file for each Security Module. The specified distribution mode is applicable for all Application Policy objects bound to that Security Module.

Note:

Oracle recommends that you configure Oracle Entitlements Server Client in the controlled distribution mode. However, if you configure a Security Module in a JRF environment, then non-controlled distribution mode is the only supported distribution mode.

This section describes how to configure the following:

7.6.1 Configuring Distribution Modes

For introductory information about distribution modes, see the section "Defining Distribution Modes" in the Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server.

The following sections explain how to configure the distribution modes.

7.6.1.1 Configuring Controlled Push Distribution Mode

To configure controlled push distribution mode, open the smconfig.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and edit the parameters described in Table 7-4.

Table 7-4 smconfig.prp File Parameters (Controlled Distribution)

Parameter Description

oracle.security.jps.runtime.pd.client.policyDistributionMode

Accept the default value controlled-push as the distribution mode.

oracle.security.jps.runtime.pd.client.RegistrationServerHost

Enter the address of the Oracle Entitlements Server Administration Server.

oracle.security.jps.runtime.pd.client.RegistrationServerPort

Enter the SSL port number of the Oracle Entitlements Server Administration Server. You can find the SSL port number from the WebLogic Administration console.


7.6.1.2 Configuring Non-Controlled and Controlled Pull Distribution Mode

Open the smconfig.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor and edit the following parameters described in Table 7-5.

Table 7-5 smconfig.prp File Parameters (Non-Controlled and Controlled Pull Distribution)

Parameter Description

oracle.security.jps.runtime.pd.client.policyDistributionMode

Enter non-controlled or controlled-pull as the distribution mode.

oracle.security.jps.policystore.type

Specify the policy store type. For example, DB for Oracle Database, OID for Oracle Internet Directory, and Derby for Apache Derby.

jdbc.url

If you are using a database as the policy store, then specify the JDBC URL of your database policy store.

For example, jdbc:oracle:thin:@myhost:1521/orcl

ldap.url

If you are using LDAP as the policy store, then specify your LDAP URL.

For example, ldap://myhost:port

oracle.security.jps.farm.name

Specify your domain name. The default value is cn=oes_domain.

oracle.security.jps.ldap.root.name

Specify the root name of jps context. The default value is cn=jpsroot.
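Tables 7-4 and 7-5 require different parameters depending on the distribution mode, and a missing jdbc.url or a RegistrationServerPort that is not the Administration Server's SSL port is only discovered when the Security Module fails to start. The following Python validator is an added example, not part of the Oracle documentation or of the SMConfigTool: it parses an smconfig.prp file, reports missing or inconsistent settings for the selected mode, and flags non-controlled mode because Oracle recommends controlled distribution outside JRF environments. The sample property files are constructed, and the assumption that a Derby policy store also uses jdbc.url is the example's own.

```python
"""Validate the distribution-mode parameters in an smconfig.prp file.

Added example; not part of the Oracle documentation or of the SMConfigTool.
Only the parameter names from Tables 7-4 and 7-5 are checked; the sample
property files at the bottom are constructed for this example.
"""

MODE_KEY = "oracle.security.jps.runtime.pd.client.policyDistributionMode"
HOST_KEY = "oracle.security.jps.runtime.pd.client.RegistrationServerHost"
PORT_KEY = "oracle.security.jps.runtime.pd.client.RegistrationServerPort"
STORE_TYPE_KEY = "oracle.security.jps.policystore.type"
FARM_KEY = "oracle.security.jps.farm.name"
ROOT_KEY = "oracle.security.jps.ldap.root.name"

# URL parameter needed for each policy store type (Table 7-5). Derby is a
# database store, so jdbc.url is assumed for it here (example's assumption).
STORE_URL_KEY = {"DB": "jdbc.url", "Derby": "jdbc.url", "OID": "ldap.url"}


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
        else:
            sep = min(seps)  # the first '=' or ':' ends the key
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def validate_smconfig(props):
    """Return (errors, warnings) for the distribution-mode settings in props."""
    errors, warnings = [], []
    mode = props.get(MODE_KEY)
    if mode == "controlled-push":
        # Table 7-4: the Security Module registers with the Administration Server.
        for key in (HOST_KEY, PORT_KEY):
            if not props.get(key):
                errors.append("missing %s" % key)
        port = props.get(PORT_KEY, "")
        if port and not port.isdigit():
            errors.append("%s must be a port number, got %r" % (PORT_KEY, port))
    elif mode in ("non-controlled", "controlled-pull"):
        # Table 7-5: the Security Module reads the policy store directly.
        for key in (STORE_TYPE_KEY, FARM_KEY, ROOT_KEY):
            if not props.get(key):
                errors.append("missing %s" % key)
        store = props.get(STORE_TYPE_KEY)
        url_key = STORE_URL_KEY.get(store)
        if store and url_key is None:
            errors.append("unknown policy store type %r" % store)
        elif url_key and not props.get(url_key):
            errors.append("missing %s (required for policy store type %s)" % (url_key, store))
        elif url_key == "ldap.url" and props[url_key].endswith(":port"):
            errors.append("ldap.url still has the documentation placeholder port")
        if mode == "non-controlled":
            warnings.append("non-controlled distribution: Oracle recommends controlled "
                            "distribution unless the Security Module runs in a JRF environment")
    else:
        errors.append("%s must be controlled-push, controlled-pull or non-controlled, got %r"
                      % (MODE_KEY, mode))
    return errors, warnings


# Constructed sample: a complete controlled-push configuration.
CONTROLLED_PUSH_SAMPLE = """# Security Module registering with the OES Administration Server
oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-push
oracle.security.jps.runtime.pd.client.RegistrationServerHost=oes-admin.example.com
oracle.security.jps.runtime.pd.client.RegistrationServerPort=7002
"""

# Constructed sample: database policy store, but jdbc.url was never filled in.
NON_CONTROLLED_SAMPLE = """oracle.security.jps.runtime.pd.client.policyDistributionMode=non-controlled
oracle.security.jps.policystore.type=DB
oracle.security.jps.farm.name=cn=oes_domain
oracle.security.jps.ldap.root.name=cn=jpsroot
"""

# Constructed sample: OID store with the documentation's ldap://myhost:port left as is.
OID_PULL_SAMPLE = """oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-pull
oracle.security.jps.policystore.type=OID
ldap.url=ldap://myhost:port
oracle.security.jps.farm.name=cn=oes_domain
oracle.security.jps.ldap.root.name=cn=jpsroot
"""

if __name__ == "__main__":
    for name, text in (("push", CONTROLLED_PUSH_SAMPLE), ("non-controlled", NON_CONTROLLED_SAMPLE),
                       ("oid pull", OID_PULL_SAMPLE)):
        print(name, "->", validate_smconfig(parse_properties(text)))
```

To check a real file, call validate_smconfig(parse_properties(open("OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.prp").read())) before running the SMConfigTool; errors are settings the tables mark as required for the chosen mode, warnings are recommendations only.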


7.6.1.2.1 Setting Up Connection to an Oracle Database

If you are configuring Non-Controlled or Controlled Pull Distribution Mode, then you must set up a connection to an Oracle Database. The procedure for setting up a connection to an Oracle Database differs based on the type of Security Module you choose to configure.

This section includes the following topics:

Setting Up Connection to an Oracle Database for Security Modules Configured in a Non-JRF Environment

If you configure a Security Module in a non-JRF environment, then you must complete the following steps for setting up a connection to an Oracle Database:

  1. Create a JDBC Data Source using the WebLogic Server Administration Console. This data source is used to connect to the Policy Store of the OES Administration Server. The data source should be created in the domain where the Security Module instance is deployed. For more information, see "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

    http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/jdbc/jdbc_datasources/CreateDataSources.html

    When you follow the instructions in the above link, then in step 7 you are required to enter a value for Database User Name. The value for this parameter must be the same as the one you used when creating schemas for Oracle Entitlements Server using the Oracle Fusion Middleware Repository Creation Utility (RCU). For example, prefix_OPSS.

  2. Open the jps-config.xml file located in the DOMAIN_HOME/config/fmwconfig/ directory (on Linux or UNIX) or the DOMAIN_HOME\config\fmwconfig\ directory (on Windows). DOMAIN_HOME is the domain location of the Oracle Entitlements Server Administration Server.

  3. Locate pdp.service and replace the existing jdbc.url property with the following property:

    <property value="jdbc/OPSSDBDS" name="datasource.jndi.name"/>

    Note:

    jdbc/OPSSDBDS is the name of the JDBC data source used for OES.

  4. Save the jps-config.xml file.

Setting Up Connection to an Oracle Database for Security Modules Configured in a JRF Environment

If you configure a Security Module in a JRF environment, then you must complete the following steps for setting up a connection to an Oracle Database:

  1. Create a JDBC Data Source using the WebLogic Server Administration Console. This data source is used to connect to the Policy Store of the OES Administration Server. The data source should be created in the domain where the Security Module instance is deployed. For more information, see "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

    http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/jdbc/jdbc_datasources/CreateDataSources.html

    When you follow the instructions in the above link, then in step 7 you are required to enter a value for Database User Name. The value for this parameter must be the same as the one you used when creating schemas for Oracle Entitlements Server using the Oracle Fusion Middleware Repository Creation Utility (RCU). For example, prefix_OPSS.

  2. Start the Oracle Entitlements Server Client domain. For more information, see Appendix C, "Starting the Stack".

  3. Reassociate the policies using the WLST reassociateSecurityStore command, as follows:

    1. Start the WLST shell.

      cd ORACLE_HOME/common/bin
      ./wlst.sh
      
    2. Connect to the WebLogic Administration Server using the WLST connect command.

      connect ("AdminUser", "AdminPassword", "hostname:port")
      

      For example:

      connect ("weblogic", "welcome1", "ADMINHOST:7001")
      
    3. Run the reassociateSecurityStore command.

      reassociateSecurityStore(domain="OESDomain", servertype="DB_ORACLE", datasourcename="Datasource_Name", jpsroot="cn=reassociatedb", join="true")
      

      Note:

      The values for domain and jpsroot must be the same as the value of farmname (the oracle.security.jps.farm.name property) in the jps-config.xml file. This file is located in the DOMAIN_HOME/config/fmwconfig directory (on Linux or UNIX) or the DOMAIN_HOME\config\fmwconfig directory (on Windows). DOMAIN_HOME is the domain location of the Oracle Entitlements Server Administration Server.

      datasourcename is the name of the Data Source that you created in step 1.

  4. Restart the Oracle Entitlements Server Client domain after the command completes successfully. For more information, see Appendix C, "Starting the Stack".
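Step 3 of the non-JRF procedure (swapping jdbc.url for datasource.jndi.name in pdp.service) and the note under the JRF procedure (domain and jpsroot must equal the farm name in jps-config.xml) can both be scripted and checked. The following is an added example, not Oracle code: it assumes the serviceInstance/property layout shown in the constructed sample, the namespace URI is an assumption, and it reads the farm name from the oracle.security.jps.farm.name property.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the pdp.service part of a jps-config.xml (not a real file).
# The namespace URI is an assumption; the property names are those of Table 7-5.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="controlled-pull"/>
      <property name="oracle.security.jps.policystore.type" value="DB"/>
      <property name="jdbc.url" value="jdbc:oracle:thin:@myhost:1521/orcl"/>
      <property name="oracle.security.jps.farm.name" value="cn=oes_domain"/>
      <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Tag name without its {namespace} prefix, so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _parse(xml_text):
    root = ET.fromstring(xml_text)
    # Keep the file's default namespace unprefixed when serialising again;
    # otherwise ElementTree emits ns0: prefixes the OPSS tooling may not expect.
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    return root


def find_service_instance(root, name="pdp.service"):
    """Return the <serviceInstance name="..."> element, or raise if it is absent."""
    for el in root.iter():
        if _local(el.tag) == "serviceInstance" and el.get("name") == name:
            return el
    raise ValueError("serviceInstance %r not found in jps-config.xml" % name)


def pdp_properties(xml_text):
    """Property name -> value for the pdp.service instance."""
    inst = find_service_instance(_parse(xml_text))
    return {p.get("name"): p.get("value") for p in inst if _local(p.tag) == "property"}


def switch_to_datasource(xml_text, jndi_name="jdbc/OPSSDBDS"):
    """Step 3 of the non-JRF procedure: replace the jdbc.url property of
    pdp.service with datasource.jndi.name and return the rewritten XML.

    Refuses to run when jdbc.url is not present, so the edit cannot be applied
    twice or against a file whose pdp.service is not database-backed.
    """
    root = _parse(xml_text)
    inst = find_service_instance(root)
    jdbc = [p for p in inst if _local(p.tag) == "property" and p.get("name") == "jdbc.url"]
    if not jdbc:
        raise ValueError("pdp.service has no jdbc.url property; nothing to replace")
    ns = inst.tag[: inst.tag.find("}") + 1]  # "" when the file has no namespace
    position = list(inst).index(jdbc[0])
    inst.remove(jdbc[0])
    new = ET.Element(ns + "property", {"value": jndi_name, "name": "datasource.jndi.name"})
    inst.insert(position, new)
    # For a real file: ET.ElementTree(root).write(path, encoding="UTF-8", xml_declaration=True)
    return ET.tostring(root, encoding="unicode")


def check_reassociate_args(xml_text, domain, jpsroot):
    """Pre-flight for the JRF procedure: the note says the domain= and jpsroot=
    values passed to reassociateSecurityStore must equal the farm name in
    jps-config.xml. Returns a list of mismatch messages; empty means consistent.
    """
    farm = pdp_properties(xml_text).get("oracle.security.jps.farm.name")
    problems = []
    for label, value in (("domain", domain), ("jpsroot", jpsroot)):
        if value != farm:
            problems.append("%s=%r does not match farm name %r" % (label, value, farm))
    return problems


if __name__ == "__main__":
    print(switch_to_datasource(SAMPLE_JPS_CONFIG))
    print(check_reassociate_args(SAMPLE_JPS_CONFIG, "OESDomain", "cn=reassociatedb"))
```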

7.6.2 Configuring Security Modules in a Controlled Push Mode (Quick Configuration)

This section describes how to configure a Security Module quickly using the pre-existing smconfig.prp files.

Note:

A Security Module can be configured by running the config.sh command. This section describes how to configure the various Security Modules in controlled push mode.

If the Administration Server configuration uses a customer-provided digital certificate, you must pass the -skipEnroll parameter when you run the config.sh command to configure the Security Module.

7.6.2.1 Configuring Java Security Module in a Controlled Push Mode

To configure Java Security Module instance in a controlled distribution mode, do the following:

  1. Open smconfig.java.controlled.prp file (located in, OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 7-4.

  2. Run the config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

    config.sh -smConfigId <SM_NAME> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.java.controlled.prp
    
  3. When prompted, specify the following:

    • New key store password for enrollment.

    • Oracle Entitlements Server user name (This is the Administration Server's user name).

    • Oracle Entitlements Server password (This is the Administration Server's password)

7.6.2.2 Configuring RMI Security Module in a Controlled Push Mode

To configure an RMI Security Module instance in a controlled distribution mode, do the following:

  1. Open smconfig.rmi.controlled.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 7-4.

  2. Run the config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

    config.sh -smConfigId <SM_NAME> -RMIListeningPort <RMISM_PORT> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.rmi.controlled.prp
    
  3. When prompted, specify the following:

    • New key store password for enrollment

    • Oracle Entitlements Server user name (This is the Administration Server's user name)

    • Oracle Entitlements Server Password (This is the Administration Server's password)

7.6.2.3 Configuring Web Service Security Module in a Controlled Push Mode

To configure Web Service Security Module instance in a controlled distribution mode, do the following:

  1. Open smconfig.ws.controlled.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 7-4.

  2. Run the config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

    config.sh -smConfigId <SM_NAME> -WSListeningPort <WSSM_PORT> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.ws.controlled.prp
    
  3. When prompted, specify the following:

    • New key store password for enrollment

    • Oracle Entitlements Server user name (This is the Administration Server's user name)

    • Oracle Entitlements Server password (This is the Administration Server's password)

7.6.2.4 Configuring Oracle WebLogic Server Security Module in a Controlled Push Mode

To configure Oracle WebLogic Server Security Module instance in a controlled distribution mode, do the following:

  1. Open smconfig.wls.controlled.prp file (located in OES_CLIENT_HOME/oessm/SMConfigTool) in a text editor, and then specify the parameters described in Table 7-4.

  2. Run the config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin for Windows) as follows:

    config.sh -smConfigId <SM_NAME> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.wls.controlled.prp -serverLocation <WebLogic_Server_Home>
    
  3. Create an Oracle Entitlements Server Client domain, as described in Configuring OES Client Domain in a Non-JRF Environment or Configuring OES Client Domain in a JRF Environment.

7.6.3 Configuring Security Modules

Oracle Entitlements Server Client includes the following Security Modules:

7.6.3.1 Configuring WebLogic Server Security Module

The WebLogic Security Module is a custom Java Security Module that includes both a Policy Decision Point and a Policy Enforcement Point. It can receive requests directly from the WebLogic Server without the need for explicit authorization API calls. It will only run on the WebLogic Server container.

To configure a WebLogic Server Security Module instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

On Linux or UNIX:

config.sh -onJRF -smType wls -smConfigId mySM_WLS -serverLocation MW_HOME/wlserver_10.3/

On Windows:

config.cmd -onJRF -smType wls -smConfigId mySM_WLS -serverLocation MW_HOME\wlserver_10.3\

Note:

If you are using a non-JRF environment, do not specify the -onJRF parameter.

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema owner and password.

Table 7-6 describes the parameters you specify on the command line.

Table 7-6 Oracle WebLogic Server Security Module Parameters

Parameter Description

smType

Type of security module instance you want to create. It should be wls.

smConfigId

Name of the security module instance. For example, mySM_WLS_Controlled.

serverLocation

Location of the Oracle WebLogic Server.


Note:

Non-controlled mode is the default distribution mode for Oracle WebLogic Server Security Module in a JRF environment. This will not change even if you edit the distribution mode in the smconfig.prp file.

For Oracle WebLogic Server Security Module in a non-JRF environment, the default distribution mode is set to controlled-push mode in the smconfig.prp file. If you want to change the distribution mode, refer to Section 7.6.1.2, "Configuring Non-Controlled and Controlled Pull Distribution Mode".

Controlled-push mode is not supported for Oracle WebLogic Server Security Module in a JRF enabled domain.

The Configuration Wizard is displayed. You can create an Oracle Entitlements Server Client domain in a JRF environment or in a non-JRF environment. Depending on the option you select, complete one of the following:

7.6.3.1.1 Configuring OES Client Domain in a Non-JRF Environment

To create the Oracle Entitlements Server Client domain without JRF, complete the following steps:

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option.

    Note:

    If you want to extend an existing WebLogic domain, then you must follow these steps:
    1. Select the Extend an existing WebLogic domain option on the Welcome screen. Click Next.

    2. On the Select a WebLogic Domain Directory screen, select the existing domain that you want to use. Click Next.

    3. On the Select Extension Source screen, choose whether to extend the domain by selecting one of the listed products, or by browsing to an extension template. Click Next. The Specify Domain Name and Location screen appears. Continue with step 4.

    Click Next. The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server WebLogic Security Module - 11.1.1.0 [oesclient] option. Click Next.

    Note:

    Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

  8. Optional: Configure the following Administration Server parameters:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

      Note:

      Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. Optional: Configure Managed Servers, as required.

    In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Oracle Identity and Access Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  15. Optional: Configure RDBMS Security Store, as required.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

  17. On successful domain creation you may review the folder structure and files of the WebLogic Server Security Module instance. The jps-config.xml configuration file for the WebLogic Server Security Module instance configuration is located in DOMAIN_HOME/config/oeswlssmconfig/AdminServer.

Setting Up Connection to an Oracle Database

After configuring OES Client domain in a non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a Non-JRF Environment".

7.6.3.1.2 Configuring OES Client Domain in a JRF Environment

To create the OES Client domain with JRF, complete the following steps:

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option.

    Note:

    If you want to extend an existing WebLogic domain, then you must follow these steps:
    1. Select the Extend an existing WebLogic domain option on the Welcome screen. Click Next.

    2. On the Select a WebLogic Domain Directory screen, select the existing domain that you want to use. Click Next.

    3. On the Select Extension Source screen, choose whether to extend the domain by selecting one of the listed products, or by browsing to an extension template. Click Next. The Specify Domain Name and Location screen appears. Continue with step 4.

    Click Next. The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server WebLogic Security Module On JRF - 11.1.1.0 [oesclient] option. Click Next.

    Note:

    Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

  8. Optional: Configure the following Administration Server parameters:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

      Note:

      Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. Optional: Configure Managed Servers, as required.

    In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Oracle Identity and Access Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  15. Optional: Configure RDBMS Security Store, as required.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

Setting Up Connection to an Oracle Database

After configuring OES Client domain in a non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a JRF Environment".

7.6.3.2 Configuring Web Service Security Module

To create a Web Service Security Module instance, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin for Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin for Windows) as follows:

config.sh -smType ws -smConfigId mySM_Ws -serverPort 9410

In controlled push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 7-7 describes the parameters you specify on the command line.

Table 7-7 Web Service Security Module Parameters

Parameter Description

smType

Type of security module instance you want to create. For Web Service security module, the value for this parameter should be ws.

smConfigId

Name of the security module instance. For example, mySM_ws.

serverPort

The web service listening port. For example, 9410.


Note:

For Web Service Security Module, the default distribution mode is set to controlled-push mode in the smconfig.prp file. If you want to change the distribution mode, refer to Section 7.6.1.2, "Configuring Non-Controlled and Controlled Pull Distribution Mode".

This command also creates the client configuration for the Web Service Security Module instance.

7.6.3.3 Configuring Web Service Security Module on Oracle WebLogic Server

To create a Web Service Security Module instance on Oracle WebLogic Server, you must run the config.sh (located in OES_CLIENT_HOME/oessm/bin for Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin for Windows) as follows:

config.sh -onJRF -smType ws -onWLS -smConfigId mySM_WsOnWLS -serverLocation <WebLogic_server_Home> -serverPort <WebLogic_server_port> -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -serverUserName <username> -serverPassword <password>

Note:

If you are using a non-JRF environment, do not specify the -onJRF parameter.

In controlled push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 7-8 describes the parameters you specify on the command line.

Table 7-8 Parameters for Web Service Security Module on Oracle WebLogic Server

Parameter Description

smType

Type of security module instance you want to create. For Web Service security module, the value for this parameter should be ws.

smConfigId

Name of the security module instance. For example, mySM_ws_Controlled.

pdServer

The address of the Oracle Entitlements Server Administration Server.

pdPort

The SSL port of the Oracle Entitlements Server Administration Server. For example, 7002.

serverLocation

Location of the Oracle WebLogic Server.

serverPort

The value for serverPort should be the listening port of the Web Service Security Module. For the Web Service Security Module on Oracle WebLogic Server, the listening port is the WebLogic Administration Server port. Hence, for serverPort, you must specify the value of the Oracle WebLogic Administration Server port.

For example, 7001.

serverUserName

Specify the Oracle WebLogic Server Administration username. For example: weblogic

serverPassword

Specify the Oracle WebLogic Server Administration password.


Note:

For Web Service Security Module on Oracle WebLogic Server in a non-JRF environment, the default distribution mode is set to controlled-push mode in the smconfig.prp file. If you want to change the distribution mode, refer to Section 7.6.1.2, "Configuring Non-Controlled and Controlled Pull Distribution Mode".

Non-controlled distribution is the default distribution mode for Web Service Security Module on Oracle WebLogic Server in a JRF environment. This will not change even if you edit the distribution mode in the smconfig.prp file.

This command also creates the client configuration for the Web Service Security Module instance on Oracle WebLogic Server.

The Configuration Wizard is displayed. You can create an OES Client domain with Web Service on Oracle WebLogic Server in a JRF environment or in a non-JRF environment. Depending on the option you select, complete one of the following:

7.6.3.3.1 Configuring Web Service on Oracle WebLogic Server Domain in a Non-JRF Environment

To create a Web Service on Oracle WebLogic Server domain in a Non-JRF environment, complete the following steps:

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option.

    Note:

    If you want to extend an existing WebLogic domain, then you must follow these steps:
    1. Select the Extend an existing WebLogic domain option on the Welcome screen. Click Next.

    2. On the Select a WebLogic Domain Directory screen, select the existing domain that you want to use. Click Next.

    3. On the Select Extension Source screen, choose whether to extend the domain by selecting one of the listed products, or by browsing to an extension template. Click Next. The Specify Domain Name and Location screen appears. Continue with step 4.

    Click Next. The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server Web Service Security Module on WebLogic - 11.1.1.0 [oesclient] option. Click Next.

    Note:

    Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

  8. Optional: Configure the following Administration Server parameters:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

      Note:

      Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. Optional: Configure Managed Servers, as required.

    In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Oracle Identity and Access Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  15. Optional: Configure RDBMS Security Store, as required.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

  17. On successful domain creation, you can review the folder structure and files of the Web Service Security Module instance on Oracle WebLogic Server. The jps-config.xml configuration file for this instance is located in DOMAIN_HOME/config/oeswlssmconfig/AdminServer.

Setting Up Connection to Oracle Database

After configuring the Web Service on Oracle WebLogic Server domain in non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a Non-JRF Environment".

7.6.3.3.2 Configuring Web Service on Oracle WebLogic Server Domain in a JRF Environment

To create the Web Service on Oracle WebLogic Server domain in a JRF environment, complete the following steps:

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option.

    Note:

    If you want to extend an existing WebLogic domain, then you must follow these steps:

    1. Select the Extend an existing WebLogic domain option on the Welcome screen. Click Next.

    2. On the Select a WebLogic Domain Directory screen, select the existing domain that you want to use. Click Next.

    3. On the Select Extension Source screen, choose whether to extend the domain by selecting one of the listed products, or by browsing to an extension template. Click Next. The Specify Domain Name and Location screen appears. Continue with step 4.

    Click Next. The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server Web Service Security Module on Weblogic and JRF- 11.1.1.0 [oesclient] option. Click Next.

    Note:

    Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

  8. Optional: Configure the following Administration Server parameters:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

      Note:

      Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. Optional: Configure Managed Servers, as required.

    In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Oracle Identity and Access Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  15. Optional: Configure RDBMS Security Store, as required.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.

Setting Up Connection to Oracle Database

After configuring the Web Service on Oracle WebLogic Server domain in non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a JRF Environment".

7.6.3.4 Configuring Oracle Service Bus Security Module

To create an Oracle Service Bus Security Module instance, run config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -onJRF -smType wls -smConfigId myosb_WLS -serverLocation <server_location>

Table 7-9 Oracle Service Bus Security Module Parameters

  • smType: Type of security module instance you want to create. For example, jboss.

  • smConfigId: Name of the security module instance. For example, mySM_WLS.

  • serverLocation: The location of Oracle WebLogic Server.

Note:

Non-controlled distribution is the default distribution mode for Oracle Service Bus Security Module. This will not change even if you edit the distribution mode in the smconfig.prp file.

The Configuration Wizard is displayed. You can create an OES Client domain in an Oracle Service Bus environment as follows:

  1. The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.

  2. On the Welcome screen, select the Create a new WebLogic domain option. Click Next.

    The Select Domain Source screen appears.

  3. On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.

    Select the Oracle Entitlements Server Security Module On Service Bus - 11.1.1.0 [OESCLIENT] option. Click Next.

    Note:

    Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.

    The Specify Domain Name and Location screen appears.

  4. Enter a name and a location for the domain to be created, and click Next.

    The Configure Administrator User Name and Password screen appears.

  5. Enter a user name and a password for the administrator. The default user name is weblogic. Click Next.

    The Configure Server Start Mode and JDK screen appears.

    Note:

    When you enter the user name and the password for the administrator, be sure to remember them.

  6. Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.

    The Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.

  8. Optional: Configure the following Administration Server parameters:

    • Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer.

    • Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.

    • Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001.

      Note:

      Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002.

      Note:

      After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort property in the smconfig.wls.controlled.prp file or smconfig.prp file with the SSL listen port value. You must then run the smconfig tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort.

  9. Optional: Configure Managed Servers, as required.

    In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:

    • Name: Enter OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1 and OES_ManagedServer_2.

    • Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

    • SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.

    • SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1 and OES_ManagedServer_2. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.

  10. Optional: Configure Clusters, as required.

    For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Oracle Identity and Access Management Components" topic in the Oracle Fusion Middleware High Availability Guide.

  11. Optional: Assign Managed Servers to clusters, as required.

  12. Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.

    Tip:

    Before configuring a machine, use the ping command to verify whether the machine or host name is accessible.

  13. Optional: Assign the Administration Server to a machine.

  14. Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.

  15. Optional: Configure RDBMS Security Store, as required.

  16. On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
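The SSL listen port note in step 8 (the same note appears in the two Web Service on Oracle WebLogic Server procedures above) requires oracle.security.jps.pd.clientPort in smconfig.prp to match the Administration Server SSL listen port, and the listen port notes require every port to be unique and within 1 to 65535. The following check is an added example, not part of Oracle's tooling: it reads a constructed WebLogic config.xml excerpt and a constructed smconfig.prp excerpt and reports every mismatch; the config.xml namespace and element names are assumed from a standard WebLogic domain.

```python
"""Added consistency check for the SSL listen port / smconfig.prp relationship
described in step 8. Not part of Oracle Entitlements Server; inputs are constructed."""
import re
import xml.etree.ElementTree as ET

# Namespace and element names assumed from a standard DOMAIN_HOME/config/config.xml.
WLS_NS = "{http://xmlns.oracle.com/weblogic/domain}"
CLIENT_PORT_KEY = "oracle.security.jps.pd.clientPort"
PORT_RANGE = range(1, 65536)  # valid listen port range stated by the wizard: 1 to 65535

# Constructed config.xml excerpt: AdminServer has SSL enabled on 7002, and the two
# managed servers were accidentally given the same listen port.
CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>oes_wssm_domain</name>
  <server>
    <name>AdminServer</name>
    <ssl><enabled>true</enabled><listen-port>7002</listen-port></ssl>
    <listen-port>7001</listen-port>
  </server>
  <server>
    <name>OES_ManagedServer_1</name>
    <ssl><enabled>false</enabled></ssl>
    <listen-port>7003</listen-port>
  </server>
  <server>
    <name>OES_ManagedServer_2</name>
    <ssl><enabled>false</enabled></ssl>
    <listen-port>7003</listen-port>
  </server>
</domain>
"""

# Constructed smconfig.prp excerpt: clientPort was never updated after the SSL port was chosen.
SMCONFIG_PRP = """# constructed sample, not a real Security Module configuration
oracle.security.jps.pd.clientPort=7001
"""


def parse_properties(text):
    """Minimal Java .properties reader: skips blank and comment lines, splits on the first '=' or ':'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def _port(value):
    """Return the port as int, or None when the element is absent or not numeric."""
    return int(value) if value is not None and value.strip().isdigit() else None


def parse_servers(xml_text):
    """Return one dict per <server> in a WebLogic config.xml: name, listen port, SSL state."""
    root = ET.fromstring(xml_text)
    servers = []
    for srv in root.findall(f"{WLS_NS}server"):
        ssl = srv.find(f"{WLS_NS}ssl")
        servers.append({
            "name": srv.findtext(f"{WLS_NS}name"),
            "listen_port": _port(srv.findtext(f"{WLS_NS}listen-port")),
            "ssl_enabled": ssl is not None and ssl.findtext(f"{WLS_NS}enabled", "false").lower() == "true",
            "ssl_port": _port(ssl.findtext(f"{WLS_NS}listen-port")) if ssl is not None else None,
        })
    return servers


def check_sm_ports(servers, props, admin_name="AdminServer"):
    """Return a list of findings; an empty list means config.xml and smconfig.prp agree."""
    findings = []
    admin = next((s for s in servers if s["name"] == admin_name), None)
    if admin is None:
        return [f"no server named {admin_name} in config.xml"]
    client_port = _port(props.get(CLIENT_PORT_KEY))
    if client_port is None:
        findings.append(f"{CLIENT_PORT_KEY} is missing or not numeric in smconfig.prp")
    if not admin["ssl_enabled"] or admin["ssl_port"] is None:
        findings.append(f"{admin_name} has no enabled SSL listen port for the Security Module to connect to")
    elif client_port is not None and client_port != admin["ssl_port"]:
        findings.append(f"{CLIENT_PORT_KEY}={client_port} but {admin_name} SSL listen port is "
                        f"{admin['ssl_port']}; update smconfig.prp and rerun the smconfig tool")
    # Every active listen port in the domain must be unique and within 1..65535.
    seen = {}
    for s in servers:
        ssl_port = s["ssl_port"] if s["ssl_enabled"] else None
        for label, port in (("listen port", s["listen_port"]), ("SSL listen port", ssl_port)):
            if port is None:
                continue
            if port not in PORT_RANGE:
                findings.append(f"{s['name']} {label} {port} is outside 1-65535")
            elif port in seen:
                findings.append(f"{s['name']} {label} {port} collides with {seen[port]}")
            else:
                seen[port] = f"{s['name']} {label}"
    return findings


if __name__ == "__main__":
    for finding in check_sm_ports(parse_servers(CONFIG_XML), parse_properties(SMCONFIG_PRP)):
        print("FINDING:", finding)
```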

Setting Up Connection to Oracle Database

After configuring the Oracle Service Bus Security Module in non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a JRF Environment".

Configuring Authorization Provider

You must configure an Authorization provider. For information about configuring an Authorization provider, see the "Configure Authorization providers" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/security/ConfigureAuthorizationProviders.html

Configuring Role Mapping Provider

You must configure a Role Mapping provider. For information about configuring a Role Mapping provider, see the "Configure Role Mapping providers" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:

http://docs.oracle.com/cd/E23943_01/apirefs.1111/e13952/taskhelp/security/ConfigureRoleMappingProviders.html

7.6.3.5 Configuring IBM WebSphere Security Module

For information on configuring IBM WebSphere Security Module, refer to "Configuring IBM WebSphere Security Module" in the Oracle Fusion Middleware Third-Party Application Server Guide for Oracle Identity and Access Management.

7.6.3.6 Configuring JBoss Security Module

To create a JBoss Security Module instance, run config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType jboss -smConfigId mySM_JBOSS -serverLocation <middleware>/jbosslocation/

Table 7-10 JBoss Security Module Parameters

  • smType: Type of security module instance you want to create. For example, jboss.

  • smConfigId: Name of the security module instance. For example, mySM_WLS.

  • serverLocation: The location of JBoss Application Server.

Note:

Controlled-push distribution is the default distribution mode for JBoss Security Module. If you want to change the distribution mode, refer to Section 7.6.1.2, "Configuring Non-Controlled and Controlled Pull Distribution Mode".

To make controlled-push mode work, log in to the WebLogic Administration Console and go to Environment > Servers > AdminServer > SSL. The Settings for AdminServer page is displayed. Click the Advanced tab and select Use Server Certs.

7.6.3.7 Configuring the Apache Tomcat Security Module

To create an Apache Tomcat Security Module instance, run config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType tomcat -smConfigId my_tomcat_sm_push -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -sslPort <tomcat_server_ssl_port> -serverLocation <apache_tomcat_home> -jaxwsRIHome <jaxwsRI_Home> -serverUserName <username> -serverPassword <password>

Table 7-11 Apache Tomcat Security Module Parameters

  • smType: Type of security module instance you want to create. For example, tomcat.

  • smConfigId: Name of the security module instance. For example, my_tomcat_sm_push.

  • pdServer: The address of the Oracle Entitlements Server Administration Server.

  • pdPort: The SSL port number of the Oracle Entitlements Server Administration Server. For example, 7002.

  • sslPort: The SSL port number of the Apache Tomcat Server. For example, 8449.

  • serverLocation: The location of Apache Tomcat Server.

  • jaxwsRIHome: The location of JAXWS-RI.

    Note: JAXWS support is required in controlled-push mode. Apache Tomcat does not have JAXWS support by default. You can download JAXWS-RI from the following location:

    http://jax-ws.java.net/2.1.7/

  • serverUserName: Specify the Oracle WebLogic Server Administration username. For example, weblogic.

  • serverPassword: Specify the Oracle WebLogic Server Administration password.

Note:

Controlled-push distribution is the default distribution mode for Apache Tomcat Security Module. If you want to change the distribution mode, refer to Section 7.6.1.2, "Configuring Non-Controlled and Controlled Pull Distribution Mode".

To make controlled-push mode work, log in to the WebLogic Administration Console and go to Environment > Servers > AdminServer > SSL. The Settings for AdminServer page is displayed. Click the Advanced tab and select Use Server Certs.

7.6.3.8 Configuring Java Security Module

To create a Java Security Module instance, run config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

Note:

If you are using Java Security Module in the proxy mode with Web Service Security Module or RMI Security Module, then you must use oes-ws-client.jar or oes-rmi-client.jar and ensure that you do not use oes-client.jar.

config.sh -smType java -smConfigId mySM_Java

In controlled push mode, you will be prompted for the Oracle Entitlements Server Administration Server username, password, and a new key store password for enrollment.

In non-controlled and controlled-pull modes, you will be prompted for the Oracle Entitlements Server schema user name and password.

Table 7-12 describes the parameters you specify on the command line.

Table 7-12 JSE Security Module Parameters

  • smType: Type of security module instance you want to create. For example, java.

  • smConfigId: Name of the security module instance. For example, mySM_java.

Note:

Controlled-push distribution is the default distribution mode for JSE Security Module. If you want to change the distribution mode, refer to Section 7.6.1.2, "Configuring Non-Controlled and Controlled Pull Distribution Mode".

If you use the default values described in Table 7-12, the Java Security Module instance is created at OES_CLIENT_HOME/oes_sm_instances/mySM_java.

7.6.3.9 Configuring RMI Security Module

To configure an RMI Security Module instance, run config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.sh -smType rmi -smConfigId mySM_Rmi -serverPort 9405

In controlled push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.

In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema user name and password.

Table 7-13 describes the parameters you specify on the command line.

Table 7-13 RMI Security Module Parameters

  • smType: The type of security module instance you want to create. For example, rmi.

  • smConfigId: The name of the security module instance. For example, mySM_rmi.

  • serverPort: The RMI listening port. For example, 9405.

Note:

Controlled-push distribution is the default distribution mode for RMI Security Module. If you want to change the distribution mode, refer to Section 7.6.1.2, "Configuring Non-Controlled and Controlled Pull Distribution Mode".

This command also creates client configuration for the RMI Security Module Instance.

7.6.3.10 Configuring Microsoft .NET Security Module

This section includes the following topics:

7.6.3.10.1 Prerequisites for Configuring .NET Security Module

Before configuring .NET Security Module, you must complete the following steps:

Open the dotnetsm_config.properties file (located in <MW_Home>\as_1\oessm\dotnetsm\configtool) and update the following information:

  • application.config.file: Specify the path of the configuration file based on the type of .NET application. For example, app.config or web.config.

  • application.log4NetXmlfile: Specify the location of the log4net.xml configuration file. If you do not have an existing logging configuration file, specify the default location (OES_CLIENT_HOME/oessm/dotnetsm/logging/log4Net.xml).

  • wssm.smurl: Specify the OES web service URI exposed through the WSSM in the following format:

    http://<host>:<port>/Ssmws

  • gac.utility: Specify the Microsoft .NET Framework Global Assembly Cache Utility Location. You can define the following operations:

    config: If you select this option, then SMconfig tool registers OES-PEP.dll and log4NET.dll in GAC Utility.

    remove: If you select this option, then SMconfig tool removes the DLL from the GAC util and removes the configuration parameters from application.config.file.

7.6.3.10.2 Microsoft .NET Configuration Scenarios

You can configure .NET Security Module in the following scenarios:

Scenario 1: .NET and Web Service on a Single Machine

If .NET and Web Service are installed on a single machine, the following configurations are possible:

Configuring .NET Security Module and Web Service Security Module

Perform the configuration in this scenario if .NET and Web Service are installed on a single machine, and you want to configure .NET Security Module and Web Service Security Module.

Run config.cmd, located in the OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType dotnetws -prpFileName <ws_config> -dotnetprpFileName <dotnetsm_config> -smConfigId myDotnet -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -WSListeningPort 9410

Table 7-14 describes the parameters you specify on the command line.

Table 7-14 .NET Security Module Parameters

  • smType: The type of security module instance you want to create. For example, dotnetws.

  • smConfigId: The name of the security module instance. For example, myDotnet.

  • prpFileName: Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

  • dotnetprpFileName: Specify the path to the dotnetsm_config.properties file located in <OES_Client_Home>\oessm\dotnetsm\configtool.

  • pdServer: The address of the Oracle Entitlements Server Administration Server.

  • pdPort: The port number of the Oracle Entitlements Server Administration Server. For example, 7002.

  • WSListeningPort: The web service listening port. For example, 9410.

This command also creates client configuration for the .NET Security Module Instance.

Configuring .NET Security Module

Perform the configuration in this scenario if .NET and Web Service are installed on a single machine, and Web Service Security Module is already configured.

Before you configure a .NET Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.cmd -smType dotnet -smConfigId myDotnet -prpFileName <ws_config> -dotnetprpFileName <dotnetsm_config>

Table 7-15 describes the parameters you specify on the command line.

Table 7-15 .NET Security Module Parameters

  • smType: The type of security module instance you want to create. For example, dotnet.

  • smConfigId: The name of the security module instance. For example, myDotnet.

  • prpFileName: Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

  • dotnetprpFileName: Specify the path to the dotnetsm_config.properties file located in <OES_Client_Home>\oessm\dotnetsm\configtool.

This command also creates client configuration for the .NET Security Module Instance.

Ensure that the application.config file for your .NET application contains the SsmUrl, SsmId, and log4NetXmlfile values in the appSettings section.

For example:

<appSettings>
    <add key="SsmUrl" value="<wssm.smurl>"/>
    <add key="SsmId" value="<smConfigId>"/>
    <add key="FailureRetryCount" value="3"/>
    <add key="FailbackTimeoutMilliSecs" value="180000"/>
    <add key="RequestTimeoutMilliSecs" value="10000"/>
    <add key="SynchronizationIntervalMilliSecs" value="60000"/>
    <add key="log4NetXmlfile" value="<application.log4NetXmlfile>"/>
</appSettings>

Scenario 2: .NET and Web Service on Different Machines

Perform the configuration in this scenario if .NET and Web Service are installed on different machines.

Before you configure a .NET Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as follows:

config.cmd -smType dotnet -smConfigId myDotnet -prpFileName <ws_config> -dotnetprpFileName <dotnetsm_config>

Table 7-16 describes the parameters you specify on the command line.

Table 7-16 .NET Security Module Parameters

  • smType: The type of security module instance you want to create. For example, dotnet.

  • smConfigId: The name of the security module instance. For example, myDotnet.

  • prpFileName: Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

  • dotnetprpFileName: Specify the path to the dotnetsm_config.properties file located in <OES_Client_Home>\oessm\dotnetsm\configtool.

This command also creates client configuration for the .NET Security Module Instance.

Ensure that the application.config file for your .NET application contains the SsmUrl, SsmId, and log4NetXmlfile values in the appSettings section.

For example:

<appSettings>
    <add key="SsmUrl" value="<wssm.smurl>"/>
    <add key="SsmId" value="<smConfigId>"/>
    <add key="FailureRetryCount" value="3"/>
    <add key="FailbackTimeoutMilliSecs" value="180000"/>
    <add key="RequestTimeoutMilliSecs" value="10000"/>
    <add key="SynchronizationIntervalMilliSecs" value="60000"/>
    <add key="log4NetXmlfile" value="<application.log4NetXmlfile>"/>
</appSettings>
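The appSettings shown above (and in the identical Scenario 1 example) are what the .NET Security Module client reads from app.config or web.config. The following check is an added example, not part of Oracle's tooling: it reads the appSettings section of a constructed config file, confirms that SsmUrl, SsmId and log4NetXmlfile are present, verifies that SsmUrl follows the http://<host>:<port>/Ssmws format given in the prerequisites, and checks that the retry and timeout values are positive integers.

```python
"""Added pre-deployment check for the OES .NET Security Module appSettings.
Not part of Oracle Entitlements Server; the sample config below is constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Keys the page requires, and the keys that must hold numeric counts or millisecond values.
REQUIRED_KEYS = ("SsmUrl", "SsmId", "log4NetXmlfile")
NUMERIC_KEYS = ("FailureRetryCount", "FailbackTimeoutMilliSecs",
                "RequestTimeoutMilliSecs", "SynchronizationIntervalMilliSecs")

# Constructed app.config: the log4NetXmlfile key was forgotten and one timeout is not numeric.
APP_CONFIG = """<configuration>
  <appSettings>
    <add key="SsmUrl" value="http://oeshost.example.com:9410/Ssmws"/>
    <add key="SsmId" value="myDotnet"/>
    <add key="FailureRetryCount" value="3"/>
    <add key="FailbackTimeoutMilliSecs" value="180000"/>
    <add key="RequestTimeoutMilliSecs" value="ten seconds"/>
    <add key="SynchronizationIntervalMilliSecs" value="60000"/>
  </appSettings>
</configuration>
"""


def read_app_settings(xml_text):
    """Return (settings, duplicate_keys) from the <appSettings> section of a .NET config file.
    Accepts either a whole <configuration> document or a bare <appSettings> fragment."""
    root = ET.fromstring(xml_text)
    section = root if root.tag == "appSettings" else root.find("appSettings")
    if section is None:
        raise ValueError("no <appSettings> section found")
    settings, duplicates = {}, []
    for add in section.findall("add"):
        key = add.get("key")
        if key is None:
            continue
        if key in settings:
            duplicates.append(key)
        settings[key] = add.get("value", "")
    return settings, duplicates


def check_ssm_url(url):
    """Validate the WSSM endpoint against the documented format http://<host>:<port>/Ssmws.
    Returns None when the URL is acceptable, otherwise a one-line finding."""
    if not url or url.startswith("<"):  # documentation placeholder such as <wssm.smurl> left in place
        return "SsmUrl is empty or still holds a placeholder"
    parts = urlsplit(url)
    try:
        port = parts.port  # raises ValueError when the port is not numeric or out of range
    except ValueError:
        return f"SsmUrl has an invalid port: {url}"
    if parts.scheme not in ("http", "https") or not parts.hostname or port is None:
        return f"SsmUrl must look like http://<host>:<port>/Ssmws, got {url}"
    if parts.path.rstrip("/") != "/Ssmws":
        return f"SsmUrl path should be /Ssmws, got {parts.path or '/'}"
    return None


def check_app_settings(settings, duplicates=()):
    """Return a list of findings for the appSettings; an empty list means they are complete."""
    findings = [f"{key} is missing from appSettings"
                for key in REQUIRED_KEYS if not settings.get(key, "").strip()]
    findings += [f"{key} is defined more than once" for key in duplicates]
    if settings.get("SsmUrl", "").strip():
        problem = check_ssm_url(settings["SsmUrl"].strip())
        if problem:
            findings.append(problem)
    for key in NUMERIC_KEYS:
        value = settings.get(key)
        if value is not None and not (value.strip().isdigit() and int(value) > 0):
            findings.append(f"{key} must be a positive integer, got {value!r}")
    return findings


if __name__ == "__main__":
    settings, duplicates = read_app_settings(APP_CONFIG)
    for finding in check_app_settings(settings, duplicates):
        print("FINDING:", finding)
```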

7.6.3.11 Configuring Microsoft SharePoint Server (MOSS) Security Module

This section includes the following topics:

7.6.3.11.1 Prerequisites for Configuring MOSS Security Module

Before configuring a MOSS Security Module instance, you must ensure the following:

  • Microsoft SharePoint Server (MOSS) is installed on your machine.

  • The MOSS Web Application, associated with the site collections and other resources to be protected by the OES MOSS Security Module, has been created.

7.6.3.11.2 MOSS Configuration Scenarios

You can configure MOSS Security Module in the following scenarios:

Scenario 1: MOSS and Web Service on a Single Machine

If MOSS and Web Service are installed on a single machine, the following configurations are possible:

Configuring MOSS Security Module and Web Service Security Module

Perform the configuration in this scenario if MOSS and Web Service are installed on a single machine, and you want to configure MOSS Security Module and Web Service Security Module.

Run the config.cmd file, located in the OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType mossws -prpFileName <ws_config> -mossprpFileName <moss_config> -smConfigId myMoss -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -WSListeningPort 9410

Table 7-17 describes the parameters you specify on the command line.

Table 7-17 MOSS Security Module Parameters

  • smType: The type of security module instance you want to create. For example, mossws.

  • smConfigId: The name of the security module instance. For example, myMoss.

  • prpFileName: Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

  • mossprpFileName: Specify the path to the moss_config.properties file located in <OES_Client_Home>\oessm\mosssm\adm\configtool.

  • pdServer: The address of the Oracle Entitlements Server Administration Server.

  • pdPort: The port number of the Oracle Entitlements Server Administration Server. For example, 7002.

  • WSListeningPort: The web service listening port. For example, 9410.

This command also creates client configuration for the MOSS Security Module Instance.

Configuring MOSS Security Module

Perform the configuration in this scenario if MOSS and Web Service are installed on a single machine, and Web Service Security Module is already configured.

Before you configure a MOSS Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run the config.cmd file located in OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType moss -smConfigId myMoss -prpFileName <ws_config> -mossprpFileName <moss_config>

Table 7-18 describes the parameters you specify on the command line.

Table 7-18 MOSS Security Module Parameters

Parameter Description

smType

The type of security module instance you want to create. For example, moss.

smConfigId

The name of the security module instance. For example, myMoss.

prpFileName

Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

mossprpFileName

Specify the path to the moss_config.properties file located in <OES_Client_Home>\oessm\mosssm\adm\configtool.


This command also creates client configuration for the MOSS Security Module Instance.

Scenario 2: MOSS and Web Service on Different Machines

Perform the configuration in this scenario if MOSS and Web Service are installed on different machines.

Before you configure a MOSS Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.

Run the config.cmd file located in OES_CLIENT_HOME\oessm\bin directory (on Windows), as follows:

config.cmd -smType moss -smConfigId myMoss -prpFileName <ws_config> -mossprpFileName <moss_config>

Table 7-19 describes the parameters you specify on the command line.

Table 7-19 MOSS Security Module Parameters

Parameter Description

smType

The type of security module instance you want to create. For example, moss.

smConfigId

The name of the security module instance. For example, myMoss.

prpFileName

Specify the path to the smconfig.prp file located in <OES_Client_Home>\oessm\wssm\configtool.

mossprpFileName

Specify the path to the moss_config.properties file located in <OES_Client_Home>\oessm\mosssm\adm\configtool.


This command also creates client configuration for the MOSS Security Module Instance.

7.6.3.11.3 Running Resource Discovery Tool

You must run the Resource Discovery tool to locate the MOSS resources.

Run the MOSSResourceDiscovery.exe file, located in the OES_CLIENT_HOME\oessm\mosssm\lib directory (on Windows). You will be prompted for the following parameters:

  • Enter the folder path where you want to create OES policy file - Specify the path of the folder where the resource files will be created. Note that the directory used for storing the exported resources must be created beforehand.

  • Enter Path where Admin Url file is located - Specify the path to the OES_CLIENT_HOME\oessm\mosssm\adm\discovery\AdmUrls.txt file. This file is used to extract the admin URLs.

  • Enter SharePoint site URL and DONOT append url with /. e.g. http://sharepoint01 - Specify the URL of the top level MOSS sites to be protected by OES.

  • Enter Application Name of the MOSS application to be protected by OES e.g. MossApp - Specify the name of the MOSS application to be protected by OES.

    Note:

    Ensure that the MOSS application name that you provide is the same as the value defined for the moss.app.name parameter in the moss_config.properties file.

  • Enter Resource Type of all the MOSS resources e.g. MossResourceType - Specify the resource type of all the MOSS resources to be protected by OES.

    Note:

    Ensure that the MOSS resource type that you provide is the same as the value defined for the moss.resource.type parameter in the moss_config.properties file.

Following is a sample execution of MOSSResourceDiscovery.exe file:

C:\Oracle\Middleware\Oracle_OESClient\oessm\mosssm\lib>MOSSResourceDiscovery.exe
----------------------------------------------------------
         Welcome to the MOSS Resource Discovery
----------------------------------------------------------
Enter the folder path where you want to create OES policy file
 
c:\inetpub\wwwroot\wss\VirtualDirectories\9581\policy
 
Enter Path where Admin Url file is located
 
C:\Oracle\Middleware\Oracle_OESClient\oessm\mosssm\adm\Discovery\AdmUrls.txt
 
Enter SharePoint site URL and DONOT append url with /. e.g. http://sharepoint01
 
http://alesw2k8:9581
 
Enter Application Name of the MOSS application to be protected by OES e.g. MossApp
 
MossApp
 
Enter Resource Type of all the MOSS resources e.g. MossResourceType
 
MossResourceType
 
Resource Discovery starts....
SpSitePath is http://alesw2k8:9581
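
The two notes above require that the application name and resource type typed at the discovery prompts match moss_config.properties, the site URL prompt forbids a trailing slash, and the policy folder must already exist. The following Python script is an added example (it is not part of this guide or of the OES client) that checks those inputs before MOSSResourceDiscovery.exe is run. The properties text it parses is a constructed sample that carries only the two keys this guide names; the function names parse_properties and check_discovery_inputs are the example's own.

```python
"""Added pre-flight check for the MOSSResourceDiscovery.exe prompts (example code, not part of OES)."""
import os
import re

# Constructed sample of moss_config.properties: only the two keys this guide
# refers to are included; the real file carries more settings.
SAMPLE_PROPERTIES = """
# moss_config.properties (constructed sample)
moss.app.name=MossApp
moss.resource.type=MossResourceType
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' / ':' / whitespace
    separators, and trailing-backslash line continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]  # the value continues on the next line
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_discovery_inputs(properties_text, app_name, resource_type, site_url, policy_dir):
    """Return a list of problems with the values about to be typed at the discovery prompts.
    An empty list means they are consistent with moss_config.properties and the tool's rules."""
    props = parse_properties(properties_text)
    problems = []
    if props.get("moss.app.name") != app_name:
        problems.append(f"application name {app_name!r} differs from "
                        f"moss.app.name={props.get('moss.app.name')!r}")
    if props.get("moss.resource.type") != resource_type:
        problems.append(f"resource type {resource_type!r} differs from "
                        f"moss.resource.type={props.get('moss.resource.type')!r}")
    if not re.match(r"https?://", site_url):
        problems.append(f"site URL {site_url!r} must start with http:// or https://")
    if site_url.endswith("/"):
        problems.append(f"site URL {site_url!r} must not end with '/'")
    if not os.path.isdir(policy_dir):
        problems.append(f"policy folder {policy_dir!r} must be created before the tool runs")
    return problems


if __name__ == "__main__":
    # Values mirror the sample execution in this guide; "." stands in for the policy folder.
    for problem in check_discovery_inputs(SAMPLE_PROPERTIES, "MossApp", "MossResourceType",
                                          "http://sharepoint01", "."):
        print("PROBLEM:", problem)
```

Run it with the values you intend to type; any line it prints is a mismatch that would otherwise surface only after the exported resources fail to line up with the Security Module's configuration.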

7.6.3.11.4 Migrating Resource Policies

To migrate the MOSS resource policies to OES policy store, complete the following steps:

  1. Create an empty file named jps-config.xml in the directory of your choice. Then, open up the file and add the following content:

    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
        <serviceProviders>
            <serviceProvider type="POLICY_STORE" name="policy.db" class="oracle.security.jps.internal.policystore.OPSSPolicyStoreProvider" />
        </serviceProviders>
        <serviceInstances>
            <serviceInstance name="policystore.db" provider="policy.db">
                <property name="policystore.type" value="DB_ORACLE" />
                <property name="jdbc.url" value="jdbc:oracle:thin:@db_host:db_port:service_name" />
                <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver" />
                <property name="security.principal" value="prefix_OPSS" />
                <property name="security.credential" value="password" />
                <property name="oracle.security.jps.farm.name" value="cn=oes_domain"/>
                <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot" />
            </serviceInstance>
        </serviceInstances>
        <jpsContexts default="default">
            <jpsContext name="default"> 
                <serviceInstanceRef ref="policystore.db" />
            </jpsContext>
        </jpsContexts>
    </jpsConfig>
    
  2. Go to the OES_CLIENT_HOME\oessm\bin directory (on Windows), or the OES_CLIENT_HOME/oessm/bin directory (on Linux or UNIX).

  3. Update the variable -Doracle.security.jps.config in manage-policy.cmd (on Windows) or in manage-policy.sh (on Linux or UNIX) so that -Doracle.security.jps.config points to the jps-config.xml file you created in step 1.

  4. Update the OES_CLIENT_HOME and OES_INSTANCE_NAME variables in manage-policy.cmd (on Windows) or in manage-policy.sh (on Linux or UNIX) to reflect your Oracle Entitlements Server Client environment.

  5. Run the manage-policy.cmd file (on Windows) or manage-policy.sh file (on Linux or UNIX).

Following is a sample execution of manage-policy.cmd file:

C:\Oracle\Middleware\Oracle_OESClient\oessm\bin>manage-policy.cmd

Please input the application name for the protected MOSS application e.g MossApp:
MossApp

Input the resource type for the MOSS resources e.g MossResourceType:
MossResourceType

Input the Moss resource file:
c:\inetpub\wwwroot\wss\VirtualDirectories\9581\policy\object

Creating resource: /_layouts  
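
The jps-config.xml template in step 1 still contains placeholders (db_host, prefix_OPSS, password) and a policy-store password in cleartext; if a placeholder is left in, manage-policy fails only when it first contacts the database. The following Python script is an added example (it is not from this guide or the OES client) that checks a jps-config.xml before step 5: it verifies that every serviceInstance names a declared serviceProvider, that the default jpsContext and its serviceInstanceRef resolve, that an Oracle policy store uses an Oracle thin JDBC URL, and that no template placeholder remains, and it warns that security.credential is stored in cleartext so the file's read permissions should be restricted. TEMPLATE_XML is the template from step 1; FILLED_XML is a constructed, fully populated variant with an invented host, schema prefix and password.

```python
"""Added pre-flight check for a hand-written jps-config.xml (example code, not part of OES)."""
import re
import xml.etree.ElementTree as ET

NS = {"jps": "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"}

# Tokens that appear in the documented template and must be replaced with real values.
TEMPLATE_PLACEHOLDERS = {"db_host", "db_port", "service_name", "prefix_OPSS", "password"}

# The template exactly as given in step 1 of this procedure.
TEMPLATE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
    <serviceProviders>
        <serviceProvider type="POLICY_STORE" name="policy.db" class="oracle.security.jps.internal.policystore.OPSSPolicyStoreProvider" />
    </serviceProviders>
    <serviceInstances>
        <serviceInstance name="policystore.db" provider="policy.db">
            <property name="policystore.type" value="DB_ORACLE" />
            <property name="jdbc.url" value="jdbc:oracle:thin:@db_host:db_port:service_name" />
            <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver" />
            <property name="security.principal" value="prefix_OPSS" />
            <property name="security.credential" value="password" />
            <property name="oracle.security.jps.farm.name" value="cn=oes_domain"/>
            <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot" />
        </serviceInstance>
    </serviceInstances>
    <jpsContexts default="default">
        <jpsContext name="default">
            <serviceInstanceRef ref="policystore.db" />
        </jpsContext>
    </jpsContexts>
</jpsConfig>
"""

# Constructed, fully populated variant: host, schema prefix and password are invented.
FILLED_XML = (TEMPLATE_XML
              .replace("db_host:db_port:service_name", "dbhost.example.com:1521:oesdb")
              .replace('value="prefix_OPSS"', 'value="DEV_OPSS"')
              .replace('value="password"', 'value="constructed-example-secret"'))


def check_jps_config(xml_text):
    """Return (errors, warnings): errors block the migration, warnings are hygiene notes."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text.lstrip())
    providers = {p.get("name") for p in root.findall("jps:serviceProviders/jps:serviceProvider", NS)}
    instances = {i.get("name"): i for i in root.findall("jps:serviceInstances/jps:serviceInstance", NS)}

    # Every serviceInstance must name a declared serviceProvider.
    for name, inst in instances.items():
        if inst.get("provider") not in providers:
            errors.append(f"serviceInstance {name!r} uses undeclared provider {inst.get('provider')!r}")

    # The default jpsContext must exist and reference only declared instances.
    contexts = root.find("jps:jpsContexts", NS)
    default = contexts.get("default") if contexts is not None else None
    context_list = contexts.findall("jps:jpsContext", NS) if contexts is not None else []
    ctx = next((c for c in context_list if c.get("name") == default), None)
    if ctx is None:
        errors.append(f"default jpsContext {default!r} is not defined")
    else:
        for ref in ctx.findall("jps:serviceInstanceRef", NS):
            if ref.get("ref") not in instances:
                errors.append(f"jpsContext {default!r} references unknown serviceInstance {ref.get('ref')!r}")

    # Per-instance properties: URL/type consistency, leftover placeholders, cleartext credential.
    for name, inst in instances.items():
        props = {p.get("name"): p.get("value", "") for p in inst.findall("jps:property", NS)}
        if props.get("policystore.type") == "DB_ORACLE" and \
                not props.get("jdbc.url", "").startswith("jdbc:oracle:thin:@"):
            errors.append(f"{name!r}: policystore.type is DB_ORACLE but jdbc.url is not an Oracle thin URL")
        for key, value in props.items():
            leftover = TEMPLATE_PLACEHOLDERS & set(re.findall(r"[A-Za-z0-9_]+", value))
            if leftover:
                errors.append(f"{name!r}: property {key!r} still contains template placeholder(s) {sorted(leftover)}")
        if "security.credential" in props:
            warnings.append(f"{name!r}: security.credential is stored in cleartext; restrict read access to this file")
    return errors, warnings


if __name__ == "__main__":
    for label, doc in (("template", TEMPLATE_XML), ("filled", FILLED_XML)):
        errors, warnings = check_jps_config(doc)
        print(label, "errors:", errors)
        print(label, "warnings:", warnings)
```

Point the script at the file you created in step 1 (read it and pass the text to check_jps_config) before editing manage-policy; the cleartext warning is expected and is the reason the file should live in a directory readable only by the account that runs manage-policy.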

7.6.4 Locating Security Module Instances

The Oracle Entitlements Server security module instances are created in the OES_CLIENT_HOME/oes_sm_instances directory.

For Oracle WebLogic Server security module, the domain configuration is located in DOMAIN_HOME/config/fmwconfig.

You can create, delete, or modify the security module instances, as required.

7.6.5 Using the Java Security Module

After configuring the Java Security Module for your program, you must start the Java Security Module together with the program by completing the following:

  1. Set a new Java System Property -Doracle.security.jps.config and specify the location of the jps-config.xml file (located in OES_CLIENT_HOME/oes_sm_instances/<SM_NAME>/config) as the value.

  2. Add oes-client.jar (located in OES_CLIENT_HOME/modules/oracle.oes_sm.1.1.1) to the classpath of the program.

When a Security Module is configured as a proxy client, set the authentic.identity.cache.enabled system property to true. The configuration is based on the type of Security Module being used and is done for the JVM in which the Web Services or RMI Security Module remote proxy is executing.

Specifically:

  • If the Security Module is a WebLogic Server Security Module, the system property -Dauthentic.identity.cache.enabled=true should be appended to the JAVA_OPTIONS environment variable in the setDomainEnv.sh script on Linux or UNIX or the setDomainEnv.cmd script on Windows.

  • If the Security Module is a Java Security Module, the system property -Dauthentic.identity.cache.enabled=true should be added to the program being protected by the Java Security Module.

7.6.6 Configuring the PDP Proxy Client

You can configure a PDP Proxy Client for your web service Security Module or RMI Security Module, as described in Table 7-20:

Table 7-20 PDP Proxy Client Security Module Parameters

Parameter Description

oracle.security.jps.pdp.isProxy

Specify true as the value.

oracle.security.jps.pdp.PDPTransport

Specify WS (Web Service) or RMI.

oracle.security.jps.pdp.proxy.PDPAddress

Specify http://hostname:port (WS) or rmi://hostname:port (RMI).


You must run the config.sh (located in OES_CLIENT_HOME/oessm/bin on Linux or UNIX) or config.cmd (located in OES_CLIENT_HOME\oessm\bin on Windows) as shown in the following example:

For Java Security Module:

OES_CLIENT_HOME/oessm/bin/config.sh -smType <SM_TYPE> -smConfigId <SM_NAME>

The SM_TYPE can be java, wls, or was; for SM_NAME enter an appropriate name.

Note:

For a sample procedure of configuring the PDP Proxy client, refer to Appendix E, "Configuring the PDP Proxy Client for Web Service Security Module".

7.7 Getting Started with Oracle Entitlements Server After Installation

After installing Oracle Entitlements Server, refer to the following documents: