25.16 Understanding Remote Policy and Application Domain Management

Several remote management modes enable Administrators to update, validate, or delete an existing agent registration. The modes described here manage policies and Application Domains remotely without touching the agent registration itself.

This section provides the following topics:

25.16.1 Remote Policy Management Modes, Templates, and Flags

Access Manager provides two modes to manage Application Domains and their policies without registering or modifying the companion agent. Remote policy and Application Domain management supports only create and update functions. Remote management does not support removing Application Domains or policies.

Note:

Application Domain removal is a manual task that must be performed using the Oracle Access Management Console.

Table 25-32 describes these remote Application Domain management modes. As with remote registration, the command parameters are the mode and an input *Request.xml file, specified as a relative path with respect to $OAM_REG_HOME (the preferred location for input files):

./oamreg.sh <mode> <input_file> [prompt_flag] [component.oam.config_file]

Table 25-32 Remote Policy Management Modes, Templates, and Flags

Mode and Template / Description

<mode> value: policyCreate
Template: $OAM_REG_HOME/input/CreatePolicyRequest.xml

    Allows Administrators to create Host Identifiers and an Application Domain without registering an Agent.

    ./bin/oamreg.sh policyCreate input/myCreatePolicyRequest.xml

    See Also: "Create Policy Request Template"

<mode> value: policyUpdate
Template: $OAM_REG_HOME/input/UpdatePolicyRequest.xml

    Allows Administrators to update existing Host Identifiers and an Application Domain without updating an Agent.

    ./bin/oamreg.sh policyUpdate input/UpdatePolicyRequest.xml

    See Also: "Update Policy Request Template"

Flag (optional)
[prompt_flag] value: [-noprompt]

    When the optional -noprompt flag is used, oamreg reads its input from standard input (System.in), so the required values can be supplied with echo and a pipe.

Examples from $OAM_REG_HOME location:

(echo username; echo password; echo webgate_password;) | ./bin/oamreg.sh inband input/Request.xml -noprompt component.oam.conf

(echo username; echo password; echo webgate_password; echo httpscert_trust_prompt;) | ./bin/oamreg.sh inband input/Request.xml -noprompt

(echo username; echo password; echo webgate_password; echo cert_password;) | ./bin/oamreg.sh inband input/Request.xml -noprompt

(echo username; echo password; echo webgate_password; echo httpscert_trust_prompt; echo cert_password;) | ./bin/oamreg.sh inband input/Request.xml -noprompt

component.oam.config_file

Optional. Remote registration accepts a configuration file with a URI list as an argument. component.oam.config_file defines the full path to a file containing any number of protected or public URIs. Ensure that the file uses the following syntax and format:

  • At least one protected URI is required

  • Only one product family is allowed per file

  • Comments begin with '#'

  • Keyword 'public_uris': list public URIs on separate lines after this key word.

  • Keyword 'protected_uris': list URIs to be protected on separate lines after this key word

Note: You can configure the authentication scheme for a policy using the following format (the policy name and authentication scheme name must be separated by a Tab character):

<Policy Name> 'tab' <Authentication Scheme Name>

For example:

########################
protected_uris
########################
protected policy1	Basic Over LDAP
/finance/protected1/**
/finance/protected2/**

protected policy2	Client Certificate
/finance/protected3/*.js,*.png,*.gif

########################
public_uris
########################
/finance/public
/finance/test1/public
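The rules above (comments, the two section keywords, the Tab-separated policy line, and the requirement for at least one protected URI) are easy to get wrong by hand, and a file that lists the same URI as both public and protected is ambiguous. The following is an added example, not code from Oracle's documentation or from the oamreg tool: a small parser that applies those stated rules to a constructed sample file and reports overlapping URIs. The "one product family per file" rule is not checked, because the section does not say how a product family is expressed in the file; the default group for URIs listed before any policy line is an assumption of this parser.

```python
"""Parse and check a component.oam.config_file URI list for oamreg.

Added example, not code from Oracle's documentation or the oamreg tool. It
applies the file rules the section states: comments start with '#', the
keywords 'protected_uris' and 'public_uris' open the two sections, a protected
policy is named on a line of the form '<Policy Name><TAB><Authentication Scheme
Name>', and at least one protected URI is required. The sample is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class PolicySpec:
    name: str                  # policy name from the '<Policy Name><TAB><Scheme>' line
    scheme: Optional[str]      # authentication scheme name; None for the assumed default group
    uris: List[str] = field(default_factory=list)


@dataclass
class UriConfig:
    protected: List[PolicySpec] = field(default_factory=list)
    public: List[str] = field(default_factory=list)


def parse_uri_config(text: str) -> UriConfig:
    """Parse the file text; raise ValueError for anything that breaks the stated rules."""
    cfg = UriConfig()
    section: Optional[str] = None        # "protected" or "public" once a keyword is seen
    current: Optional[PolicySpec] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                   # blank line or comment
        if line == "protected_uris":
            section, current = "protected", None
            continue
        if line == "public_uris":
            section, current = "public", None
            continue
        if section is None:
            raise ValueError(f"line {lineno}: entry before any section keyword")
        if section == "public":
            if not line.startswith("/"):
                raise ValueError(f"line {lineno}: public entry is not a URI: {line!r}")
            cfg.public.append(line)
            continue
        # protected section: either a URI for the current policy or a new policy line
        if line.startswith("/"):
            if current is None:
                # Assumption of this example: URIs listed before any policy line go to a
                # default group. The page's own example always names a policy first.
                current = PolicySpec(name="<default>", scheme=None)
                cfg.protected.append(current)
            current.uris.append(line)
        else:
            name, tab, scheme = line.partition("\t")    # the doc requires a Tab separator
            if not tab or not scheme.strip():
                raise ValueError(f"line {lineno}: policy line must be "
                                 f"'<Policy Name>' TAB '<Authentication Scheme Name>': {line!r}")
            current = PolicySpec(name=name.strip(), scheme=scheme.strip())
            cfg.protected.append(current)
    if not any(p.uris for p in cfg.protected):
        raise ValueError("at least one protected URI is required")
    return cfg


def overlapping_uris(cfg: UriConfig) -> Set[str]:
    """URIs listed both as public and as protected: ambiguous, fix before running oamreg."""
    protected = {u for p in cfg.protected for u in p.uris}
    return protected & set(cfg.public)


# Constructed sample in the format shown in this section (Tabs written as \t).
SAMPLE_CONFIG = (
    "########################\n"
    "protected_uris\n"
    "########################\n"
    "protected policy1\tBasic Over LDAP\n"
    "/finance/protected1/**\n"
    "/finance/protected2/**\n"
    "\n"
    "protected policy2\tClient Certificate\n"
    "/finance/protected3/*.js,*.png,*.gif\n"
    "\n"
    "########################\n"
    "public_uris\n"
    "########################\n"
    "/finance/public\n"
    "/finance/test1/public\n"
)

if __name__ == "__main__":
    cfg = parse_uri_config(SAMPLE_CONFIG)
    for p in cfg.protected:
        print(f"{p.name} [{p.scheme}]: {p.uris}")
    print("public:", cfg.public)
    print("overlaps:", overlapping_uris(cfg) or "none")
```

Run it on a real config file by passing the file's text to parse_uri_config; a ValueError points at the line that violates a rule, and a non-empty result from overlapping_uris lists URIs that appear in both sections.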

25.16.2 Create Policy Request Template

The CreatePolicyRequest.xml file with the remote policyCreate mode allows Administrators to create Host Identifiers and an Application Domain without creating or updating an agent registration.

  • Create a Host Identifier and add multiple hostPortVariations (host port pairs).

  • Create an Application Domain.

  • Add multiple protected, public, and excluded resources, with or without query strings (both are supported).

  • Create default authentication and authorization policies for the resources that do not require customized policies.

Many of the same parameters are found in the CreatePolicyRequest.xml file and the expanded (full) Agent registration templates discussed earlier. CreatePolicyRequest.xml provides elements for Authentication and Authorization Policies and resources (with no <agentName> element).

Some parameters in the CreatePolicyRequest.xml file are new and not included in the full agent registration XML files, while certain elements of the original agent registration file are reused to create or update policies. The primary differences of CreatePolicyRequest.xml are:

  • Elements for Authentication and Authorization Policies and resources are provided

  • No <agentName> element or related elements are provided

25.16.3 Update Policy Request Template

UpdatePolicyRequest.xml and CreatePolicyRequest.xml are nearly identical. Both provide the same elements, with the exception of the <protectedAuthnScheme> element.

Using UpdatePolicyRequest.xml, Administrators can:

  • Update a Host Identifier and add multiple hostPortVariations (host port pairs)

  • Update an Application Domain

  • Add multiple protected, public, and excluded resources (with or without query strings)

  • Update default authentication and authorization policies for the resources that do not require customized policies

  • Create customized policies that include:

    • Policy display name

    • Policy description

    • Authentication scheme (Authentication policies only)

    • A subset of resources to be associated with the policy

25.16.4 Remote Policy Management Template Elements

This topic describes the unique remote management elements for Application Domain management found in the CreatePolicyRequest.xml and UpdatePolicyRequest.xml files.

These elements are described in Table 25-33.

See Also:

Table 15-8 for a description of elements common to remote registration and remote management.

Table 25-33 Remote Management Template Elements

Element:
 <rregAuthenticationPolicies>
  <rregAuthenticationPolicy>

Description: Specifies the name and description for the Authentication Policy (to use when creating a new policy or updating an existing policy).

Example:

 <rregAuthenticationPolicies>
  <rregAuthenticationPolicy>
     <name>AuthenticationPolicy1</name>
     <description>Authentication policy
     created using policyUpdate mode of
     rreg tool</description>
  .
  .
  </rregAuthenticationPolicy>
 </rregAuthenticationPolicies>

Element: <authnSchemeName>

Description: Specifies the Authentication Scheme to use in the Authentication Policy.

Example:

 <rregAuthenticationPolicies>
  .
  .
      <authnSchemeName>LDAPScheme</authnSchemeName>
  .
  .
  </rregAuthenticationPolicy>
 </rregAuthenticationPolicies>

Element: <uriList>

Description: Identifies a resource that requires authentication using the policy.

Example:

 <rregAuthenticationPolicies>
  .
  .
     <uriList>
         <uriResource>
           <uri>/res1</uri>
           <queryString />
         </uriResource>
      </uriList>
  .
  .
  </rregAuthenticationPolicy>
 </rregAuthenticationPolicies>

Element:
 <rregAuthorizationPolicies>
  <rregAuthorizationPolicy>

Description: Specifies the name and description for the Authorization Policy (to use when creating it anew or updating an existing policy).

Example:

 <rregAuthorizationPolicies>
  <rregAuthorizationPolicy>
     <name>AuthorizationPolicy1</name>
     <description>Authorization policy
     created using policyUpdate mode of
     rreg tool</description>
  .
  .
  </rregAuthorizationPolicy>
 </rregAuthorizationPolicies>

Element: <uriList>

Description: Identifies a resource that requires Authorization using the Authorization Policy.

Example:

 <rregAuthorizationPolicies>
  .
  .
     <uriList>
         <uriResource>
           <uri>/res1</uri>
           <queryString />
         </uriResource>
      </uriList>
  .
  .
  </rregAuthorizationPolicy>
 </rregAuthorizationPolicies>