Oracle® Web Services Manager Deployment Guide 10g (10.1.3.3.0) Part Number E10298-01
This chapter describes the authentication types supported by Oracle Web Services Manager (Oracle WSM) and how to configure them.
This chapter includes the following sections:
Oracle WSM supports two types of authentication:
System Authentication – System authentication is the verification of the identities of the Oracle WSM administrator and any other users authorized to manage system components and features. By default, users and passwords are stored in the administrative registry that resides in the Oracle WSM Database. You can also configure Oracle WSM to authenticate system users using an LDAP v3 directory. See Oracle Web Services Manager Administrator's Guide for information on roles.
End User Authentication – End-user authentication verifies the identity of users who request services that are protected by Oracle WSM. When a requesting application requests a connection, the Policy Enforcement Point (PEP) that enforces the authentication and authorization policy steps for the Oracle WSM Policy Manager handles the request. For an overview of PEPs, see "Oracle Web Services Manager Deployment". You can use any of the following resources to enforce the authentication and authorization policy steps to verify the identity of the requesting application:
Oracle Access Manager
CA eTrust SiteMinder
Standard LDAP v3 directories
Microsoft Active Directory
Oracle Access Manager and Oracle WSM provide an integrated and comprehensive identity management, Web services security, and system monitoring solution.
This section explains how to integrate Oracle WSM and Oracle Access Manager to authenticate users and to verify their privileges.
Note: Oracle Access Manager was previously known as Oblix NetPoint and Oracle COREid.
You can use Oracle Access Manager to provide authentication and authorization services for Oracle WSM operations. Oracle Access Manager authenticates a client's identity and then authorizes different levels of access depending on the identity of the client.
This overview briefly describes the components of Oracle Access Manager. It also identifies the requirements for integrating Oracle Access Manager with Oracle WSM.
Oracle Access Manager is comprised of the following components:
Identity System – The Identity System manages identity information about individuals, groups, organizations, and other objects. The Identity System also leverages user identity and policy information for other applications and systems across the enterprise. This eliminates the need to create and manage separate user identity repositories for each application.
The Identity System consists of an Identity Server and a WebPass component. Administrators configure these components using a Web-based administration tool known as the Identity System Console.
See the Oracle Access Manager Installation Guide and the Oracle Access Manager Identity and Common Administration Guide.
Access System – The Access System is the access-control system that provides single sign-on across any Web application. It supports a variety of access policies, and is fully integrated with the Identity System so that changes in user profiles are instantly reflected in the Access System's policy enforcement.
The Access System consists of the Policy Manager, Access Server, and WebGate:
Policy Manager – The Policy Manager provides a Web-based interface where administrators can create and manage access policies. The Policy Manager also communicates with the directory server to write policy data, and communicates with the Access Server when certain policy modifications are made.
For more information about installing the Policy Manager, see Oracle Access Manager Installation Guide.
Master Access Administrators and Delegated Access Administrators use the Policy Manager and Access System Console.
Access System Console – This is a Web-based application that provides administrators with the features and functionality related to System Configuration, System Management, and Access System Configuration.
Access Server – Access Server receives requests and then queries authentication, authorization, and auditing rules in the directory server. Based on the information in the directory server, the Access Server sends the authentication scheme, validates user credentials, authorizes the user, audits, and manages the session.
For more information and an overview of Access Server processes, see Oracle Access Manager Introduction.
WebGate – WebGate is an Oracle Access Manager access client, delivered as a Web server plug-in, that intercepts HTTP requests for Web resources and forwards them to the Access Server for authentication and authorization. A WebGate is shipped out-of-the-box with Oracle Access Manager.
AccessGate – An AccessGate is a custom access client that is specifically developed using the Software Development Kit (SDK) and Oracle Access Manager APIs, either by the customer or by Oracle. An AccessGate is a form of access client that processes requests for Web and non-Web resources (that is, non-HTTP) from users or applications.
The following components must be installed in the order specified in the procedure that follows. For more information, see Oracle Access Manager Installation Guide.
Install Oracle Web Services Manager, as described in Oracle Web Services Manager Installation Guide.
Install and set up the Identity System, including:
Identity Server
WebPass
See Oracle Access Manager Installation Guide for more information.
Install and set up at least one instance of each of the following components:
Policy Manager (includes the Access System Console):
Define the policy base during the Policy Manager setup.
Define the policy domain root during the Policy Manager setup.
Accept the default authentication schemes during the Policy Manager setup. (Otherwise, you must create the authentication schemes using the Access System Console after setup.)
Create the Master Access Administrator who will have the authority to create policy domains, resource types, access control templates called schemes, and to assign other administrators the role of Delegated Administrator of a policy domain.
Access Server.
Create AccessGate and install it on the same machine as Oracle WSM.
See the Oracle Access Manager Developer Guide for more information.
Using the Oracle Access Manager Policy Manager, protect resources:
Create a policy domain
Bind the resource types to URL mappings.
Create one or more authorization rules and associate users and groups with these rules. An authorization rule identifies who can access a resource and who is explicitly denied access to a resource. You can include one or more authorization rules in an authorization expression for a policy domain or policy. See the "Configuring User Authorization" chapter in Oracle Access Manager Access System Administration Guide.
Create default rules, including an authentication rule, authorization expressions, and an audit rule for the policy domain.
Create policies to protect subsets of resources in the policy domain. Policies enable you to differentiate how subsets of resources in a domain are protected. You can use policies to establish more or less stringent protection for a subgroup of resources of a policy domain. See "Protecting Resources with Policy Domains" in Oracle Access Manager Access System Administration Guide.
Test the policy domain.
See Oracle Access Manager Access System Administration Guide for more information.
Configure Oracle WSM to use AccessGate.
Configure AccessGate to work with Oracle WSM.
See "Configuring AccessGate to Work with Oracle Access Manager".
Configure policy steps in Oracle WSM.
The next sections describe authentication mechanisms, resources, and URL patterns for the Access Server and AccessGate.
Oracle WSM supports the following Oracle Access Manager authentication mechanisms: Basic over LDAP, Oracle Access and Identity, and Client Certificates.
Oracle WSM collapses these three authentication methods into two and implements them as User Name and Password and Client Certificates.
Table E-1 shows the correspondence between the Oracle WSM and Oracle Access Manager authentication mechanisms.
Table E-1 Authentication Mechanisms Compared

| Oracle Web Services Manager | Oracle Access Manager |
|---|---|
| User Name and Password | Basic over LDAP |
| User Name and Password | Oracle Access and Identity |
| Client Certificates | Client Certificates |
When you integrate Oracle WSM and Oracle Access Manager, you must decide whether to use user names and passwords (Basic over LDAP) or client certificates for authentication.
Resources
The only resource supported is HTTP.
URL Patterns
URL patterns must look like the following example:
http:///gateway/services/TimeService
Complete the following steps to set up authentication policies in the Oracle WSM Policy Manager:
Install Oracle WSM.
Install AccessGate on the system where Oracle WSM resides.
Change the startup script for Oracle WSM to include the library path for AccessGate Java native libraries.
For a Microsoft Windows installation, this procedure assumes that you have installed the Access Manager SDK in the following directory:
C:\Oblix\NetPoint\AccessServerSDK
The Oracle WSM startup script is install_home\bin\wsmadmin.bat, where install_home is the root directory for your Oracle WSM installation.
For a Linux installation, this procedure assumes that you have installed the Access Manager SDK in the following directory:
/Oblix/NetPoint/AccessServerSDK
The Oracle WSM startup script is install_home/bin/wsmadmin.sh, where install_home is the root directory for your Oracle WSM installation.
To facilitate the handshake between AccessGate and Oracle Access Manager, run the utility configureAccessGate.exe, located in the following directory:
installdirectory\AccessServerSDK\oblix\tools\configureaccessgate
where installdirectory is the root folder for your Access Manager SDK installation.
From a command prompt, execute the following command:
configureAccessGate.exe -i installdirectory\AccessServerSDK -t AccessGate -P AccessGatePwd -w CoreSvAccessGt -m open -h AccessServerHostname -p accessserverport -a accessserverid -r AccessServerpassphrase
The parameters are described in Table E-2.
Table E-2 Description of configureAccessGate.exe Parameters

| Parameter | Description |
|---|---|
| -i | Installation directory for AccessServerSDK. |
| -t | AccessGate keyword. Enter as shown. |
| -P | AccessGate password. When an entry for AccessGate is created in Oracle Access Manager, a password may be specified. |
| -w | AccessGate name that was specified when the AccessGate entry was created in Oracle Access Manager. |
| -m | Oracle Access Manager intercomponent mode; the example command uses open. |
| -h | Name of the host on which Access Server is installed. |
| -p | Port on which Access Server is running. |
| -a | Access Server name in Oracle Access Manager. |
| -r | Access Server simple mode password. This password is required if Access Server in Oracle Access Manager is running in simple mode. |
The following is a summary of tasks that you must complete to set up policies on an Oracle Access Manager Policy Manager.
Task overview: Setting up a Policy in the Oracle Access Manager Policy Manager
Create a policy domain.
Create resource-type-to-URL mappings.
Create policies in the policy domain.
Define default authentication rules.
Define default authorization rules and associate users and groups with the rules.
The following sections illustrate how to use the Oracle Access Manager Policy Manager application in Oracle Access Manager to create a policy domain named Oracle WSM. It also describes how to use an Oracle Access and Identity Basic Over LDAP authentication scheme to protect a service named TimeService. This service was created in the Oracle Web Services Manager Gateway (gateway).
In the following example, the service ID for TimeService is SID0002001.
To protect the TimeService resource using an Oracle Access and Identity authentication scheme
Launch the Access System Console.
Enter the following URL in a browser:
http://WebPass_hostname:port/access/oblix
where WebPass_hostname is the machine hosting the WebPass application server, port is the HTTP port number of the WebPass application server instance, and /access/oblix connects to the Access System Console.
Select the Oracle Access Manager Policy Manager application, and click Create Policy Domain in the left navigation pane.
Enter Oracle WSM in the Name field, specify an optional description, and click Save.
To add resources, click the Resources tab, then click Add.
Enter the following details for the gateway/services/TimeService and gateway/services/SID0002001 URLs (one resource entry for each URL):
Resource Type – http
URL Prefix – /gateway/services/TimeService
URL Prefix – /gateway/services/SID0002001
To add an Authorization rule for this Policy Domain, click the Authorization Rules tab, then click Add.
Enter and save the following information:
Name – SimpleAuthRule
Enabled – Yes
Allow takes precedence – No
Click the Allow Access sub-tab and complete the following steps:
People – Click Select User to select by user name. Use the Search facility to display configured users, and click Add before the name of each user who is allowed to access resources protected by this rule.
Role – Select No Role in the Role selection box to prevent users from being selected based on roles or select Anyone to allow anyone access to the protected resources.
Rule – Enter an LDAP filter that specifies the users and groups who are allowed to access
Click Select User, and add the users to whom you want to give access.
Click Policies and create a policy named TimePolicy with the following information:
The following paragraphs describe how to use the Oracle Access Manager Policy Manager to create a policy domain called Oracle WSM. It shows how to use client certificates to protect the TimeService service.
To create a policy using a client certificate authentication scheme
Launch the Access System Console and select the Policy Manager.
From the Policy Manager, click Create Policy Domain in the left navigation pane.
Enter Oracle WSM in the Name field and click Save.
In the Description field, type a brief description of the policy domain.
Click the Resources tab, and add the following resources:
Click the Default Rules tab, select the Authentication Rule sub-tab, click Add, give the rule a name, and choose the Client Certificates authentication scheme.
Click the Authorization Rules tab, click Add, then add the following information:
Save the rule.
Click Allow Access sub-tab, and select the allowed users.
Click Select User and add the users to whom you want to give access.
Click Policies, then create TimePolicy by entering the following information:
Save the policy rule.
Click the policy rule that was just created (TimePolicy).
Click Authentication Rule sub-tab.
The following sections describe these tasks in detail.
The following sections illustrate how to configure policy steps for a gateway:
The following example shows how to configure policy steps for User Name and Password for a gateway.
Register the TimeService service to a gateway.
Modify the request pipeline for this service and include the following steps in the following order:
Extract Credentials
Oracle Access Manager Authenticate Authorize step
Namespaces – Enter a list of name spaces separated by spaces (white space-delimited strings).
UserID xpath – Enter an xpath that points to the location of the user name, for example, wsse:Username.
Password xpath – Enter an xpath for password, for example, wsse:Password.
AccessGate Install Directory – Enter the AccessGate installation directory. The defaults are:
On Microsoft Windows: C:\Program Files\Netpoint\AccessServerSDK
On Linux: /opt/netpoint/AccessServerSDK
These paths differ if you installed AccessGate in a different directory.
Save the policy.
Commit the changes.
Send a request to the gateway with the following service URL, including the user name and password in the HTTP header:
http://<host:port>/gateway/services/TimeService
The user name and password must belong to one of the users allowed by the current Oracle Access Manager authorization rules.
If the policy steps have been configured correctly, the service responds. Otherwise, a SOAPFault error message is returned.
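The request pipeline above is configured entirely through the Oracle WSM console, so it can be hard to see what the Extract Credentials and Authenticate Authorize steps actually do with a message. The following script is an added illustration, not Oracle WSM code: it applies the step settings named above (the Namespaces list, the UserID xpath wsse:Username and the Password xpath wsse:Password) to a constructed SOAP request carrying a WS-Security UsernameToken, matches the request path against the URL Prefix registered in the policy domain, and then applies an allow list standing in for SimpleAuthRule. The "prefix=uri" form of the Namespaces field, the constructed user store and the outcome strings are assumptions of this example; the real authentication and authorization decisions are made by Access Server through AccessGate.

```python
import hmac
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed SOAP request carrying a WS-Security UsernameToken (sample input for this
# example, not a message from the guide).
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="%s">
  <soap:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>jsmith</wsse:Username>
        <wsse:Password>s3cret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body><getTime xmlns="urn:example:time"/></soap:Body>
</soap:Envelope>""" % WSSE_NS

# Values as they would be entered in the Extract Credentials step. The
# "prefix=uri" form of the Namespaces field is an assumption of this example.
NAMESPACES = "wsse=" + WSSE_NS
USERID_XPATH = "wsse:Username"
PASSWORD_XPATH = "wsse:Password"

# URL Prefix resource registered in the Oracle WSM policy domain.
RESOURCE_PREFIXES = ("/gateway/services/TimeService",)

# Stand-ins for what Access Server holds (constructed): a user store and the
# users named in the SimpleAuthRule allow list.
USER_STORE = {"jsmith": "s3cret", "guest": "guestpw"}
ALLOWED_USERS = {"jsmith"}


def parse_namespaces(spec):
    """Turn the white-space-delimited 'prefix=uri' list into a prefix->uri dict."""
    namespaces = {}
    for item in spec.split():
        prefix, _, uri = item.partition("=")
        if not prefix or not uri:
            raise ValueError("bad namespace entry: %r" % item)
        namespaces[prefix] = uri
    return namespaces


def extract_credentials(envelope_xml, namespaces=NAMESPACES,
                        user_xpath=USERID_XPATH, pwd_xpath=PASSWORD_XPATH):
    """Return (user, password) located by the configured xpaths, or None if absent."""
    try:
        root = ET.fromstring(envelope_xml)
    except ET.ParseError:
        return None
    ns = parse_namespaces(namespaces)
    # The step's xpath names the element; search for it anywhere in the envelope.
    user_el = root.find(".//" + user_xpath, ns)
    pwd_el = root.find(".//" + pwd_xpath, ns)
    if user_el is None or pwd_el is None:
        return None
    user = (user_el.text or "").strip()
    if not user:
        return None
    return user, pwd_el.text or ""


def is_protected(path, prefixes=RESOURCE_PREFIXES):
    """A URL Prefix resource covers every request path that starts with it."""
    return any(path.startswith(prefix) for prefix in prefixes)


def authenticate(user, password):
    """Constant-time comparison against the constructed user store."""
    stored = USER_STORE.get(user)
    return stored is not None and hmac.compare_digest(stored.encode(), password.encode())


def enforce(path, envelope_xml):
    """Outcome of the request pipeline: 'allow' means the service responds,
    any 'fault:' value means the gateway returns a SOAPFault instead."""
    if not is_protected(path):
        return "unprotected"
    creds = extract_credentials(envelope_xml)
    if creds is None:
        return "fault:missing-credentials"
    user, password = creds
    if not authenticate(user, password):
        return "fault:authentication-failed"
    if user not in ALLOWED_USERS:          # the authorization rule's allow list
        return "fault:not-authorized"
    return "allow"


if __name__ == "__main__":
    print(enforce("/gateway/services/TimeService", SAMPLE_REQUEST))
```

The order of the checks mirrors the pipeline: a request for an unprotected path is passed through, a request without a UsernameToken fails before any directory lookup, and a user who authenticates but is not in the allow list is still rejected. Each failure is reported with a distinct reason so that a log of these outcomes can distinguish misconfigured policy steps from genuinely unauthorized callers.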
Register the TimeService service on a gateway.
Modify the request pipeline for this service and include the following steps in the following order:
Verify Signature
Oracle Access Manager Authenticate Authorize step
Keystore location – Enter the location of the keystore file.
Keystore password – Enter the password for the keystore file.
Signer's public-key alias – Enter the signer's public-key alias.
AccessGate Install Directory – Enter the AccessGate installation directory, for example:
On Microsoft Windows: C:\Oblix\NetPoint\AccessServerSDK
On Linux: /Oblix/NetPoint/AccessServerSDK
These paths differ if you installed AccessGate in a different directory.
Save the policy by clicking Save.
Commit the changes by clicking Commit.
Send a request to the gateway through the following URL:
http://<host:port>/gateway/services/TimeService
If the policy steps have been configured correctly, the service will respond. Otherwise, a SOAPFault error message is returned.
The Oracle Access Manager Authenticate Authorize policy step uses the Java Native Interface (JNI) libraries. Therefore, you must configure your environment variables to load the shared libraries.
If your system is managed using Oracle Process Manager and Notification (OPMN), then use the following procedure for your platform. Your Oracle WSM installation is managed using OPMN if you use the opmnctl start and opmnctl stop commands to start and stop Oracle WSM.
Open the ORACLE_HOME/opmn/conf/opmn.xml file.
Find the OC4J instance that is hosting the gateway or agent component. Look for the following entries in the opmn.xml file.
<ias-component id="group1" status="enabled">
<process-type id="Name_of_OC4J_Instance" module-id="OC4J" STATUS="ENABLED">
<module-data>
<category id="start-parameters">
<data id="java-options" value="server ..."/>
On Microsoft Windows, add the path for the Access Server SDK to the Java options by adding the -Djava.library.path option shown here:
<ias-component id="group1" status="enabled">
<process-type id="Name_of_OC4J_Instance" module-id="OC4J" status="enabled">
<module-data>
<category id="start-parameters">
<data id="java-options" value="server -Djava.library.path=c:\pathto\AccessServerSDK\oblix\lib ..."/>
On Linux, add the LD_LIBRARY_PATH and LD_ASSUME_KERNEL environment variables in an <environment> element, as shown here:
<ias-component id="group1" status="enabled">
<environment>
<variable id="LD_LIBRARY_PATH" value="/pathto/AccessServerSDK/oblix/lib" append="true"/>
<variable id="LD_ASSUME_KERNEL" value="2.4.19"/>
</environment>
<process-type id="Name_of_OC4J_Instance" module-id="OC4J" status="enabled">
<module-data>
<category id="start-parameters">
<data id="java-options" value="server ..."/>
Standalone Oracle WSM Basic Install Deployments
If you installed a standalone version of Oracle WSM using the Basic installation option, then your Oracle WSM is not managed by OPMN. Oracle WSM is started using the wsmadmin command. If this is the case, then perform the step appropriate to the platform on which Oracle WSM is installed:
On Microsoft Windows, edit the ORACLE_HOME\owsm\bin\wsmadmin.bat file. Add \pathto\AccessServerSDK\oblix\lib to the Path environment variable.
On Linux, edit the ORACLE_HOME/owsm/bin/wsmadmin.sh file. Add /pathto/AccessServerSDK/oblix/lib to the Path environment variable, and set the LD_ASSUME_KERNEL environment variable to 2.4.19.
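Editing opmn.xml by hand for every OC4J instance is error-prone, and a second edit can easily duplicate the option or the environment block. The following script is an added example, not part of Oracle WSM or OPMN: it makes the two edits described above (the -Djava.library.path Java option for Windows, and the LD_LIBRARY_PATH / LD_ASSUME_KERNEL variables for Linux) on a constructed opmn.xml fragment, skips anything already present, and reads the resulting settings back so they can be checked before the instance is restarted. The instance id "home", the xmlns on the root element and the sample Java options are assumptions of this example; the library paths and the 2.4.19 value are the ones given above.

```python
import xml.etree.ElementTree as ET

# Constructed opmn.xml fragment (sample input for this example, not the guide's file).
SAMPLE_OPMN_XML = """<opmn xmlns="http://www.oracle.com/ias-instance">
  <process-manager>
    <ias-component id="group1" status="enabled">
      <process-type id="home" module-id="OC4J" status="enabled">
        <module-data>
          <category id="start-parameters">
            <data id="java-options" value="-server -Xmx512m"/>
          </category>
        </module-data>
      </process-type>
    </ias-component>
  </process-manager>
</opmn>"""

LD_ASSUME_KERNEL_VALUE = "2.4.19"   # value given in the guide


def _local(tag):
    """Strip any namespace so lookups work whether or not the file declares xmlns."""
    return tag.rsplit("}", 1)[-1]


def _parse(opmn_xml):
    root = ET.fromstring(opmn_xml)
    if root.tag.startswith("{"):
        # Write the default namespace back out instead of an ns0: prefix.
        ET.register_namespace("", root.tag[1:root.tag.index("}")])
    return root


def _find(scope, local_name, attr_id=None):
    """First element in scope (including scope itself) with this tag and optional id."""
    for el in scope.iter():
        if _local(el.tag) == local_name and (attr_id is None or el.get("id") == attr_id):
            return el
    return None


def _instance(root, instance_id):
    ptype = _find(root, "process-type", instance_id)
    if ptype is None or ptype.get("module-id") != "OC4J":
        raise ValueError("OC4J instance %r not found in opmn.xml" % instance_id)
    return ptype


def _component_of(root, ptype):
    """ElementTree has no parent links, so build a child->parent map once."""
    parents = {child: parent for parent in root.iter() for child in parent}
    return parents[ptype]


def add_windows_library_path(opmn_xml, instance_id, sdk_lib_dir):
    """Append -Djava.library.path=<sdk lib dir> to the instance's java-options."""
    root = _parse(opmn_xml)
    ptype = _instance(root, instance_id)
    category = _find(ptype, "category", "start-parameters")
    data = _find(category, "data", "java-options") if category is not None else None
    if data is None:
        raise ValueError("no java-options start parameter for %r" % instance_id)
    option = "-Djava.library.path=" + sdk_lib_dir
    current = data.get("value", "")
    if option not in current.split():        # idempotent: never add the option twice
        data.set("value", (current + " " + option).strip())
    return ET.tostring(root, encoding="unicode")


def add_linux_environment(opmn_xml, instance_id, sdk_lib_dir):
    """Add LD_LIBRARY_PATH (appended) and LD_ASSUME_KERNEL to the enclosing ias-component."""
    root = _parse(opmn_xml)
    component = _component_of(root, _instance(root, instance_id))
    ns = component.tag[: component.tag.index("}") + 1] if component.tag.startswith("{") else ""
    env = next((c for c in component if _local(c.tag) == "environment"), None)
    if env is None:
        env = ET.Element(ns + "environment")
        component.insert(0, env)             # before <process-type>, as in the guide
    wanted = {
        "LD_LIBRARY_PATH": {"value": sdk_lib_dir, "append": "true"},
        "LD_ASSUME_KERNEL": {"value": LD_ASSUME_KERNEL_VALUE},
    }
    present = {v.get("id") for v in env if _local(v.tag) == "variable"}
    for var_id, attrs in wanted.items():
        if var_id not in present:            # idempotent: keep existing variables as they are
            ET.SubElement(env, ns + "variable", id=var_id, **attrs)
    return ET.tostring(root, encoding="unicode")


def read_settings(opmn_xml, instance_id):
    """What the instance will start with: its java-options and component-level variables."""
    root = _parse(opmn_xml)
    ptype = _instance(root, instance_id)
    data = _find(ptype, "data", "java-options")
    env = {}
    for child in _component_of(root, ptype):
        if _local(child.tag) == "environment":
            for var in child:
                if _local(var.tag) == "variable":
                    env[var.get("id")] = var.get("value")
    return {"java-options": data.get("value", "") if data is not None else "", "env": env}


if __name__ == "__main__":
    patched = add_linux_environment(SAMPLE_OPMN_XML, "home", "/pathto/AccessServerSDK/oblix/lib")
    print(read_settings(patched, "home"))
```

Run the appropriate function against the contents of ORACLE_HOME/opmn/conf/opmn.xml and write the returned string back only after read_settings shows the expected java-options value or environment variables; since both edit functions skip settings that already exist, running them a second time leaves the file unchanged.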
You can configure Active Directory to support both Oracle WSM System User authentication and End-User authentication.
To configure Active Directory to provide authentication services for end users, you must verify that your PEP supports the Active Directory Authenticate policy step, then add that step to the policy associated with the PEP. For more information, see Oracle Web Services Manager Administrator's Guide.
Note: Active Directory cannot be used to authenticate the Oracle Web Services Manager system user.
You can configure an LDAP Directory to support either Oracle WSM System User authentication, or end-user authentication, or both. For more information, see the "Managing Oracle Web Services Manager Roles" chapter in Oracle Web Services Manager Administrator's Guide.