Oracle® Role Manager Administrator's Guide
Release 10g (10.1.4)

Part Number E12029-02

2 Component Configuration

This chapter includes information about the default configuration of the Oracle Role Manager server and how to modify these defaults.

This chapter includes the following sections:

2.1 Understanding Default Server Configuration

This section shows the default values that are set during initial deployment of Oracle Role Manager to help you determine whether you need to use different values for your installation.

Each configurable component of the Oracle Role Manager server has a corresponding XML file to use as a starting place, should you find that you need to modify the configuration. The configurable components in Oracle Role Manager are:

2.1.1 Authentication

Oracle Role Manager authentication configuration controls the form of accepted SSO tokens, encryption algorithm, System Identity credentials, and person credentials for direct access to the Oracle Role Manager Web UI.

Table 2-1 shows the default configuration for the Authentication component of Oracle Role Manager.

Table 2-1 Authentication Configuration Values

Element                       Default Value
sso-token                     Mapping between the person entity class and the userID attribute.
encryption-algorithm          oracle.iam.rm.authentication.util.SHAEncryption
system-credentials-mapping    Mapping between the systemIdentity entity class and the userID attribute for username, and between the systemIdentity entity class and the userPassword attribute for password.
user-credentials-mapping      Mapping between the person entity class and the userID attribute for username, and between the person entity class and the userPassword attribute for password.
failure-policy                Defines the lockout attempt threshold, the maximum number of login attempts a user is allowed.
lockout-attempt-threshold     The maximum number of login attempts a user is allowed. The standard default value is 5.


2.1.2 Business Logic Plug-ins

The configuration settings for Business Logic (BL) plug-ins determine the cache size limit for plug-in packs and the timeout value. You may need to decrease the cache size limit if memory is an issue, or increase it if many plug-in packs are loaded and used frequently.

The timeout setting specifies the amount of time (in seconds) between submitting a business transaction for finalization and returning control to the user if the process is taking too long. Shorten the value if you want the system to "fail" faster, or lengthen it if timeouts occur too frequently.

Table 2-2 shows the default configuration for the Business Logic Plug-in component of Oracle Role Manager.

Table 2-2 Business Logic Plug-in Configuration Values

Element                              Default Value
plugin-cache-config size-limit       20
finisher-config default-timeout-sec  60


2.1.3 Bootstrap

The Bootstrap configuration is used to initialize the core System Identities and the System Administrator role during initial deployment.

The privileges for the roles set in this configuration are the minimum required to allow loading of other system roles and mappings to system privileges. The bootstrap configuration defines two system identities: the System Administrator (the user that can log in to the system via the Web UI and command-line tools), and the System User (the account used to access the server directly for system-level functionality).

Note:

If the initial state of these System Identities has been damaged, it can be recovered using the Rebootstrap tool. Refer to Section 4.5 for more information.

Table 2-3 shows the default configuration for the Bootstrap component of Oracle Role Manager.

Table 2-3 Bootstrap Configuration Values

Element                       Default Value
system-admin
  display-name                System Administrator
  unique-name                 System Administrator
  admin-role display-name     System Administrator
  admin-role unique-name      System Administrator
  admin-role delegatable      false
  admin-role privileges       systemRole with all permissions and sysRolePrivilege with all permissions.
system-user
  display-name                System User
  unique-name                 System User


2.1.4 Cache

You may want to reduce the heartbeat period (in milliseconds) to keep the cache closer to its limits so cleaning is less frequent, or increase the heartbeat period to handle a larger window when the cache is larger than configured.

Table 2-4 shows the default configuration for the Cache component of Oracle Role Manager.

Table 2-4 Cache Configuration Values

Element            Default Value
heartbeat-period   5000


2.1.5 Finalization

The Finalization configuration settings determine the expiration period and renewal period of the finalization lease. The expiration period is the amount of time (in milliseconds) a finalization node can be down before another node attempts to take its place; the smaller it is, the faster failover kicks in.

The renewal period is the amount of time (in milliseconds) between lease renewals; the smaller it is, the more up to date the lease is, but the more database traffic the renewals generate. The renewal period should always be a fraction of the expiration period. If it is not, the lease can expire and trigger failover while the finalization server is still running, which affects performance.

Table 2-5 shows the default configuration for the Finalization component of Oracle Role Manager.

Table 2-5 Finalization Configuration Values

Element                          Default Value
lease-config expiration-period   15000
lease-config renewal-period      5000
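The lease behaviour described above, replayed on a constructed timeline so the two effects can be checked numerically: a shorter expiration period shortens failover, and a renewal period that is not a fraction of the expiration period (or a renewal that lands late) lapses the lease while the holder is still alive. This is an added example, not Oracle Role Manager code; the renewal latency parameter and the holder's death time are assumptions used to drive the model.

```python
"""Replay of the finalization lease of Table 2-5 on a constructed timeline.
Added example, not Oracle Role Manager code. It models only what the text
states: the holder renews every renewal-period ms, and the lease lapses
expiration-period ms after the last renewal that reached the database.
"""

def simulate_lease(expiration_ms, renewal_ms, holder_dies_at_ms, renew_delay_ms=0):
    """Replay renewals until the holder dies or a renewal lands after expiry.

    The lease is taken at t = 0; renewal k is scheduled at k * renewal_ms and
    reaches the database renew_delay_ms later (constructed write latency).
    Returns (expired_at_ms, holder_was_alive): when a standby node sees the
    lease as expired, and whether the holder was still running at that moment.
    True is the spurious failover the text warns about.
    """
    expires_at = expiration_ms
    k = 1
    while True:
        landed = k * renewal_ms + renew_delay_ms
        if landed >= holder_dies_at_ms:      # holder is down: this renewal never happens
            return expires_at, False
        if landed >= expires_at:             # renewal arrived late: lease already lapsed
            return expires_at, True
        expires_at = landed + expiration_ms
        k += 1

def failover_delay_ms(expiration_ms, renewal_ms, holder_dies_at_ms, renew_delay_ms=0):
    """Time from the holder dying until a standby observes the expired lease.
    Always below expiration_ms, which is why a smaller expiration period fails over faster."""
    expired_at, alive = simulate_lease(expiration_ms, renewal_ms, holder_dies_at_ms, renew_delay_ms)
    if alive:
        raise ValueError("lease lapsed while the holder was still running")
    return expired_at - holder_dies_at_ms

def renewal_headroom_ms(expiration_ms, renewal_ms):
    """How late a single renewal may land before the lease lapses under a live holder.
    Zero or negative means the renewal period is not a fraction of the expiration period."""
    return expiration_ms - renewal_ms

if __name__ == "__main__":
    # Defaults of Table 2-5 (15000 / 5000) against a holder that dies at t = 23000 ms
    print(simulate_lease(15000, 5000, 23000), failover_delay_ms(15000, 5000, 23000))
    # Renewal period above the expiration period: the lease lapses with the holder alive
    print(simulate_lease(15000, 20000, 23000))
```

With the defaults the holder may suffer up to 10000 ms of renewal latency before a standby wrongly takes over; a renewal period of 20000 ms lapses the lease at the very first cycle.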


2.1.6 Timers

There are two configurable timer components in Oracle Role Manager. The first, for the main server, is a singleton configuration for the timer subsystem as a whole. The second, for batch resolution, can have several configurations, one per timer (identified by the job ID), used for integrations with external systems.

The main Timer configuration sets the thread pool property (refer to Table 2-6). Oracle recommends that this default value not be changed.

Table 2-6 Timer Configuration Values

Element                Default Value
thread-pool-property   5


The Batch Resolution Timer configuration sets preferences for the batch resolution job. Table 2-7 shows the default configuration values for setting the implementing Java class and whether the timer type is simple (a repeat interval of n milliseconds between invocations) or cron (a UNIX-style cron timer). The default is the simple timer type. (Refer to Section 2.1.6.1 for more information about cron expressions.)

Table 2-7 Batch Resolution Timer Configuration Values

Element                  Default Value
factory-classname        oracle.iam.rm.resolution.impl.BatchResolutionTimerFactory
job-id                   BatchResolutionJob
singleton                true
simple repeat-interval   14400000
cron cron-expression     N/A


2.1.6.1 Cron Expressions

A cron expression is a string made up of six or seven fields separated by white space. Each field can contain any of its allowed values, along with various combinations of the special characters allowed for that field. The fields, in the expected order, are shown in Table 2-8.

Table 2-8 Cron Expressions Allowed Fields and Values

Name          Required  Allowed Values       Allowed Special Characters
Seconds       Y         0-59                 , - * /
Minutes       Y         0-59                 , - * /
Hours         Y         0-23                 , - * /
Day of month  Y         1-31                 , - * ? / L W C
Month         Y         0-11 or JAN-DEC      , - * /
Day of week   Y         1-7 or SUN-SAT       , - * ? / L C #
Year          N         empty or 1970-2099   , - * /


Example 2-1 Cron Expressions

Cron expressions can be as simple as * * * * ? * or as complex as 0 0/5 14,18,3-39,52 ? JAN,MAR,SEP MON-FRI 2002-2010.

Here are some more examples:

Expression                    Means
0 0 12 * * ?                  Fire at 12:00 PM (noon) every day
0 15 10 ? * *                 Fire at 10:15 AM every day
0 15 10 * * ?                 Fire at 10:15 AM every day
0 15 10 * * ? *               Fire at 10:15 AM every day
0 15 10 * * ? 2005            Fire at 10:15 AM every day during the year 2005
0 * 14 * * ?                  Fire every minute starting at 2:00 PM and ending at 2:59 PM, every day
0 0/5 14 * * ?                Fire every 5 minutes starting at 2:00 PM and ending at 2:55 PM, every day
0 0/5 14,18 * * ?             Fire every 5 minutes starting at 2:00 PM and ending at 2:55 PM, AND fire every 5 minutes starting at 6:00 PM and ending at 6:55 PM, every day
0 0-5 14 * * ?                Fire every minute starting at 2:00 PM and ending at 2:05 PM, every day
0 10,44 14 ? 3 WED            Fire at 2:10 PM and at 2:44 PM every Wednesday in the month of March
0 15 10 ? * MON-FRI           Fire at 10:15 AM every Monday, Tuesday, Wednesday, Thursday and Friday
0 15 10 15 * ?                Fire at 10:15 AM on the 15th day of every month
0 15 10 L * ?                 Fire at 10:15 AM on the last day of every month
0 15 10 ? * 6L                Fire at 10:15 AM on the last Friday of every month
0 15 10 ? * 6L 2002-2005      Fire at 10:15 AM on the last Friday of every month during the years 2002, 2003, 2004, and 2005
0 15 10 ? * 6#3               Fire at 10:15 AM on the third Friday of every month
0 0 12 1/5 * ?                Fire at 12 PM (noon) every 5 days every month, starting on the first day of the month
0 11 11 11 11 ?               Fire every November 11 at 11:11 AM

2.1.7 i18n

The i18n configuration file provides the default cache configuration size limit and age limit for the i18n component. You can use this file to change the default values. Table 2-9 shows the default values for the i18n configuration.

Table 2-9 i18n Default Configuration Values

Element                   Default Value
cache-config size-limit   10
age-limit                 18000


2.1.8 Deployment

The deployment configuration specifies which tablespaces are used to deploy tables and indexes. By default, tables and indexes are deployed to the database user's default tablespace. This configuration allows:

  • the installer to define which tablespaces must be used

  • the ModelManager to distribute the tables and indexes

Table 2-10 shows the default configuration values for the tablespace names used during deployment.

Table 2-10 Default Tablespace Configuration

Tablespace    Default Value
Data tables   ORM_DATA
Indexes       ORM_INDEX


2.2 Sample Configuration Files

To view the sample configuration XML files, you will need to extract them from an archive file. You may want to use these files for convenience as a starting place for your configuration changes.

To get the sample configuration files:

  1. If you have not already extracted the sample configuration files, extract them as follows:

    1. On the Oracle Role Manager installation host, navigate to <ORM_install>/config.

    2. Using a utility like WinZip or gunzip, extract the entire contents of configuration.car into a temporary location.

  2. From the temporary location used to extract the files, navigate to configurations/config.

    This directory contains subdirectories for all the configurable Oracle Role Manager server components.

These can be modified and used as a starting place for configuration.

2.3 Deploying Customizations

Oracle Role Manager configuration is stored in the database and must be deployed before any data is loaded into the system.

If you have altered the standard configuration or standard data model, you will need to run a command to deploy your customizations to the database.

Note:

Data model and other configuration changes must be deployed to an empty schema. If you have a prior deployment of Oracle Role Manager whose model or configuration you want to modify, it is recommended that you create the new schemas. You can also create queries for the data that you need to migrate to the new schemas after your customizations have been made, using Oracle Role Manager's JDBC driver,

This procedure assumes you have already completed the following steps:

Refer to the Oracle Role Manager Installation Guide for more information about these assumptions.

To deploy model and configuration customizations:

  1. Create an archive file containing your customizations and append the file name with .car.

  2. In <ORM_install>/config, edit the following two lines in the db.properties file to match your environment:

    db.driverClass=oracle.jdbc.driver.OracleDriver
    db.connection_string=jdbc:oracle:thin:@//$HOST$:$PORT$/$SERVICE_NAME$
    

    where $HOST$ is the database host name, $PORT$ is the database listener port, and $SERVICE_NAME$ is the database service name on which the Oracle Role Manager users/schemas were created.

  3. In a command window, navigate to <ORM_install>/bin.

  4. Run the following command to deploy the configuration and data model and create the root entities.

    deploy "<collection_of_cars>" <orm-owner> <ormapp-user> <admin-user>
    

    where:

    <collection_of_cars> contains the relative paths and file names of all CAR files to deploy. The collection must be enclosed in quotes, with entries separated by the delimiter appropriate to the platform (a semicolon (;) on Windows, a colon (:) otherwise).

    <orm-owner> is the username of the ORM database owner user/schema.

    <ormapp-user> is the username of the ORM application user/schema.

    <admin-user> is the username of the Oracle Role Manager System Administrator to create.

  5. At the prompt, type the password of the ORM database owner.

  6. At the prompt, type the password of the ORM application user.

  7. At the prompt, type the password for the ORM Administrator account.

2.4 Logging Configuration

The logging.properties and JVM.properties files determine the logging messages of the command-line tools. They provide the logging level, file name, and location.

To configure logging, reset the following default configuration values:

For more information about logging configuration, visit the Java Web site at http://java.sun.com/j2se/1.4.2/docs/guide/util/logging/overview.html.