Oracle® Access Manager Access Administration Guide 10g (10.1.4.0.1) Part Number B25990-01
This chapter provides an overview for people who are new to Access System setup and administration.
This chapter assumes you have at least a little familiarity with the purpose of Oracle Access Manager and the Identity System. For references to these topics, see the "Preface".
This chapter discusses the following topics:
The Access System provides centralized authentication, authorization, and auditing to enable single sign-on and secure access control across enterprise resources. You use the Access System to set up security policies that control access to resources. Resources include Web content, applications, services, and objects in applications, and similar types of data in non-Web (non-HTTP) resources.
The Access System stores information about configuration settings and access policies in a directory server that uses Oracle Access Manager-specific object classes. You can use the same directory to store the Access System configuration settings, access policy data, and the Identity System user data, or this data can be stored on separate directory servers.
The Access System consists of the following components:
The Policy Manager is installed on a Web server in the same directory as the Identity System component WebPass. See the Oracle Access Manager Introduction manual for an illustration that shows the location of WebPass. The Policy Manager provides a login interface to the Access System. Master Access Administrators and Delegated Access Administrators use the Policy Manager to define resources to be protected, and to group resources into policy domains. A policy domain consists of resource types to protect, rules for protection, policies for protection, and administrative rights.
The Policy Manager has a component called the Access System Console, which permits administrators to add, change, and remove Access Clients and Access Servers, configure authentication and authorization schemes, configure master audit settings, and configure host identifiers.
You do not need to configure the Policy Manager application user interface the way you do the Identity System applications.
The Access Server is a standalone server (you can run one instance or several) that provides authentication, authorization, and auditing services. The Access Server validates credentials, authorizes users, and manages user sessions. The Access Server receives requests from an Access Client and queries authentication, authorization, and auditing rules in the directory server as follows:
Authentication involves determining what authentication method is required for a resource, gathering credentials over HTTP, and returning an HTTP response that is based on the results of credential validation.
Authorization involves granting access based on a policy and an identity established during authentication.
The WebGate is an out-of-the-box Access Client for HTTP-based resources. WebGate is an NSAPI or ISAPI plug-in that intercepts HTTP requests for Web resources and forwards them to the Access Server.
The Access System supports single sign-on, enabling you to establish login policies that allow users to access multiple applications with a single login.
During installation and setup, the following Access System configuration tasks are completed:
The Policy Manager application was installed and configured.
A directory to store access policies was selected.
Policy Manager was configured to communicate with the directory server that stores access policies.
One or more authentication schemes may have been configured. Configuring authentication schemes during setup is optional.
At least one Access Server and one AccessGate were installed and configured.
The Access Server's transport security communication mode was selected.
Table 1-1 provides a review of Access System installation and setup, which is described in detail in the Oracle Access Manager Installation Guide.
Table 1-1 Overview of Access System Installation and Setup

To perform this task | Read |
---|---|
Install the Policy Manager | Oracle Access Manager Installation Guide |
Set up the Policy Manager | Oracle Access Manager Installation Guide |
Install the Access Server | Oracle Access Manager Installation Guide |
Install a WebGate | Oracle Access Manager Installation Guide |
The Access System enables you to control who is allowed to access data. You can create access policies that extend beyond the Identity System applications. For example, if you have an online benefits system, you can configure access policies that only permit employees to view portions of the benefits Web site that are relevant to them. Or you can configure access policies so that external customers are allowed to see your inventory Web pages but not other corporate information.
Table 1-2 provides an overview of configuring the Access System.
Table 1-2 Overview of Access System Policy-Related Configuration

Perform this task | Description | Read |
---|---|---|
Enter host IDs | Map host name variations to a single Web server instance. This ensures that the Access System can process variations in the information that it receives when users request resources. | |
Create a policy domain and define resources to protect | A resource is something you want to protect, such as a Web page, plus the actions applied to that item, for instance, an update. A policy domain is a logical set of resources identified by fully qualified path names or URLs that you want to protect, plus the rules for protection, policies for protection, and administrative rights. | "Protecting Resources with Policy Domains" |
Create policies for URL patterns | Default rules apply blanket coverage for all of the URLs in a policy domain. You can, however, specify individual policies with their own authorization, authentication, and auditing rules for URL patterns and functions such as HTTP get, put, and so on. | "About Policy Domains and Their Policies" |
Create an authentication scheme | Validate the identities of people who want to access your resources. Define the method of authentication (for instance, x.509 certificates), the plug-in used to map authentication credentials to a user's identity in the directory, and the mapping to the user's DN in the directory. | "Configuring User Authentication" |
Create an authorization scheme | Determine whether people with valid credentials are permitted (authorized) to access particular resources, and possibly perform additional actions depending on the authorization rules. | "Configuring User Authorization" |
Create a master audit rule | The Access System must have a Master Audit Rule to begin adding data to the audit log file. The audit log file records administrative events such as clearing data from caches. | |
Configure single sign-on | Single sign-on allows users to authenticate to multiple applications with one login. | |
Create a shared secret | The shared secret is used to generate the key that encrypts cookies sent between the WebGate and the user's browser. | "Creating a Shared Secret Key" |
Note: Before you define your policy domains and policies, you may want to have already defined a few Access Administrators and configured at least one Access Server and WebGate, as mentioned in Table 1-3.
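The first three tasks in Table 1-2 form one request pipeline: the host identifier normalizes the Host header, the policy domain is chosen by resource prefix, a URL-pattern policy may override the domain's default rule, and the selected rule drives the authentication challenge and then the authorization decision. The following Python model is added here as an illustration of that pipeline for the benefits and inventory scenario described earlier in this chapter; it is not Oracle Access Manager code and does not reproduce the product's directory schema or data formats. Everything in it is an assumption made for the example: the class and function names (HostIdentifier, PolicyDomain, Policy, evaluate), the shell-style URL patterns, the treatment of URLs outside every policy domain as unprotected, and the sample host identifier, domains, groups, and users.

```python
# Illustrative model of host identifiers, policy domains, and URL-pattern policies.
# Added example for this chapter: NOT Oracle Access Manager code, and not the
# product's data formats. All class/function names and the sample host identifier,
# domains, groups, and users below are constructed for the illustration.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit

@dataclass(frozen=True)
class HostIdentifier:
    name: str
    variations: frozenset  # every host[:port] spelling that reaches this Web server

@dataclass(frozen=True)
class Rule:
    auth_scheme: Optional[str]  # None: no authentication required
    allowed_groups: frozenset   # empty: any authenticated user is authorized

@dataclass(frozen=True)
class Policy:
    url_pattern: str    # shell-style pattern matched against the URL path
    methods: frozenset  # upper-case HTTP methods the policy applies to
    rule: Rule

@dataclass(frozen=True)
class PolicyDomain:
    name: str
    host_id: str
    resource_prefixes: tuple  # URL prefixes on host_id that belong to the domain
    default_rule: Rule        # blanket coverage for every URL in the domain
    policies: tuple = ()      # narrower policies for URL patterns and methods

def normalize_host(netloc, host_ids):
    """Map a Host header variant (name, FQDN, name:port) to one host identifier."""
    wanted = netloc.lower()
    for hid in host_ids:
        if wanted in {v.lower() for v in hid.variations}:
            return hid.name
    return None

def find_domain(host_id, path, domains):
    """Pick the domain whose longest resource prefix covers path on host_id."""
    best, best_len = None, -1
    for dom in domains:
        if dom.host_id != host_id:
            continue
        for prefix in dom.resource_prefixes:
            covered = path == prefix or path.startswith(prefix.rstrip("/") + "/")
            if covered and len(prefix) > best_len:
                best, best_len = dom, len(prefix)
    return best

def select_rule(domain, path, method):
    """A policy matching both URL pattern and method overrides the default rule."""
    for pol in domain.policies:
        if method.upper() in pol.methods and fnmatchcase(path, pol.url_pattern):
            return pol.rule
    return domain.default_rule

def evaluate(url, method, host_ids, domains, user=None):
    """Return ('allow'|'challenge'|'deny', reason); user is None when unauthenticated."""
    parts = urlsplit(url)
    host_id = normalize_host(parts.netloc, host_ids)
    if host_id is None:
        return ("deny", "no host identifier matches %r" % parts.netloc)
    domain = find_domain(host_id, parts.path, domains)
    if domain is None:  # assumption of this model: such URLs are unprotected
        return ("allow", "%s is not in any policy domain" % parts.path)
    rule = select_rule(domain, parts.path, method)
    if rule.auth_scheme is None:
        return ("allow", "anonymous access in domain %s" % domain.name)
    if user is None:
        return ("challenge", "authenticate with scheme %r" % rule.auth_scheme)
    if rule.allowed_groups and not rule.allowed_groups & frozenset(user["groups"]):
        return ("deny", "%s is not in %s" % (user["uid"], sorted(rule.allowed_groups)))
    return ("allow", "%s authorized in domain %s" % (user["uid"], domain.name))

# Constructed sample configuration for the benefits/inventory scenario above.
HOST_IDS = (HostIdentifier("intranet", frozenset(
    {"intranet", "intranet.example.com", "intranet.example.com:80"})),)
EMPLOYEES_ONLY = Rule("Form", frozenset({"employees"}))
DOMAINS = (
    PolicyDomain("Benefits", "intranet", ("/benefits",), EMPLOYEES_ONLY, (
        # every employee may read; only HR may change records under /benefits/admin
        Policy("/benefits/admin/*", frozenset({"POST", "PUT"}),
               Rule("Form", frozenset({"hr"}))),)),
    PolicyDomain("Inventory", "intranet", ("/inventory",),
                 Rule("Basic Over LDAP", frozenset({"customers", "employees"}))),
    PolicyDomain("Corporate", "intranet", ("/corporate",), EMPLOYEES_ONLY),
)
EMPLOYEE = {"uid": "jsmith", "groups": ["employees"]}
HR_ADMIN = {"uid": "hradmin", "groups": ["employees", "hr"]}
CUSTOMER = {"uid": "acme", "groups": ["customers"]}

if __name__ == "__main__":
    for url, method, user in (("http://intranet/benefits/summary", "GET", None),
                              ("http://intranet/benefits/admin/rates", "PUT", EMPLOYEE),
                              ("http://intranet/corporate/plans", "GET", CUSTOMER)):
        print(method, url, "->", evaluate(url, method, HOST_IDS, DOMAINS, user))
```

Running the module prints the decision for three constructed requests. The two places to read most carefully are the longest-prefix choice in find_domain and the method check in select_rule: a policy for /benefits/admin/* that lists POST but not PUT leaves updates covered only by the domain's default rule, which is exactly the kind of gap a review of URL-pattern policies should look for.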
You configure the Access System by defining people who can serve as administrators, adding system components such as Access Servers and AccessGates, and setting basic system parameters.
You also manage the Access System by adding more servers, by defining caching parameters, and by extending your access policies using custom plug-ins. Table 1-3 provides an overview of managing the Access System.
Table 1-3 Overview of Managing the Access System

To perform this task | Read |
---|---|
Configure Access Administrators | "Configuring Access Administrators and Server Settings" |
Configure server settings | "Configuring Access Administrators and Server Settings" |
Configure AccessGates and Access Servers | "Configuring WebGates and Access Servers" |
Add Access Servers | Oracle Access Manager Installation Guide. To ease this process, you may choose to add more Access Servers using silent installation or cloning, as described in the Oracle Access Manager Installation Guide. |
Install Access Manager SDK | Oracle Access Manager Developer Guide |
Add non-HTTP access clients | Oracle Access Manager Developer Guide |
Manage caching | Oracle Access Manager Deployment Guide |