Oracle® Role Manager Administrator's Guide Release 10g (10.1.4) Part Number E12029-02
This chapter includes information about the default configuration of the Oracle Role Manager server and how to modify these defaults.
This chapter includes the following sections:
This section shows the default values that are set during initial deployment of Oracle Role Manager to help you determine whether you need to use different values for your installation.
Each configurable component of the Oracle Role Manager server has a corresponding XML file to use as a starting place, should you find that you need to modify the configuration. The configurable components in Oracle Role Manager are:
The Oracle Role Manager authentication configuration controls the accepted form of SSO tokens, the encryption algorithm, the System Identity credentials, and the person credentials used for direct access to the Oracle Role Manager Web UI.
Table 2-1 shows the default configuration for the Authentication component of Oracle Role Manager.
Table 2-1 Authentication Configuration Values
Element | Default Value |
---|---|
Mapping between the | |
| oracle.iam.rm.authentication.util.SHAEncryption |
Mapping between the | |
Mapping between the | |
lockout-attempt-threshold | 5 |
The lockout-attempt-threshold element defines the lockout attempt threshold, which is the maximum number of login attempts a user can make. The standard default value is 5.
The configuration settings for Business Logic (BL) determine the cache size limit for plug-in packs and the timeout value. You may need to decrease the plug-in pack size limit if memory is constrained, or increase it if many plug-in packs are loaded and used frequently.
The timeout setting specifies the amount of time (in seconds) between submitting a business transaction for finalization and returning control to the user if the process is taking too long. Shorten the value if you want the system to "fail" faster, or lengthen it if timeouts occur too frequently.
Table 2-2 shows the default configuration for the Business Logic Plug-in component of Oracle Role Manager.
The Bootstrap configuration is used to initialize the core System Identities and the System Administrator role during initial deployment.
The privileges for the roles set in this configuration are the minimum required to allow loading of other system roles and mappings to system privileges. The bootstrap configuration defines two system identities: the System Administrator (the user that can log in to the system via the Web UI and command-line tools), and the System User (the account used to access the server directly for system-level functionality).
Note: If the initial state of these System Identities has been damaged, it can be recovered using the Rebootstrap tool. Refer to Section 4.5 for more information.
Table 2-3 shows the default configuration for the Bootstrap component of Oracle Role Manager.
Table 2-3 Bootstrap Configuration Values
Element | Default Value |
---|---|
system-admin | |
display-name | System Administrator |
unique-name | System Administrator |
admin-role display-name | System Administrator |
admin-role unique-name | System Administrator |
admin-role delegatable | false |
admin-role privileges | |
system-user | |
display-name | System User |
unique-name | System User |
You may want to reduce the heartbeat period (in milliseconds) to keep the cache closer to its limits so cleaning is less frequent, or increase the heartbeat period to handle a larger window when the cache is larger than configured.
Table 2-4 shows the default configuration for the Cache component of Oracle Role Manager.
The Finalization configuration settings determine the expiration period and renewal period of the finalization lease. The expiration period is the amount of time (in milliseconds) a finalization node can be down before another node attempts to take its place; the smaller it is, the faster failover kicks in.
The renewal period is the amount of time (in milliseconds) between lease renewals; the smaller it is, the more "up to date" the lease is, but this causes more database traffic. The renewal period should always be a fraction of the expiration period. If it is not, the lease can expire and trigger failover while the finalization server is still running, which degrades performance.
Table 2-5 shows the default configuration for the Finalization component of Oracle Role Manager.
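The following simulation, added here as an illustration and not taken from Oracle Role Manager's own code, shows why the renewal period must stay well below the expiration period. It models a lease holder that sleeps for renewal_ms and then takes renewal_delay_ms (database latency) to write each renewal, while a standby node polls the lease age; all values are constructed, since Table 2-5's defaults are not reproduced on this page.

```python
def max_tolerated_delay_ms(expiration_ms, renewal_ms):
    """How late a single renewal may complete before a standby node sees the lease as expired."""
    return expiration_ms - renewal_ms


def simulate_lease(expiration_ms, renewal_ms, renewal_delay_ms=0, horizon_ms=120_000, check_ms=1_000):
    """Count spurious fail-overs: moments where a standby node, checking every check_ms,
    finds the lease older than expiration_ms although the holder is still running.

    Constructed model: the holder acquires the lease at t=0, then loops
    'sleep renewal_ms, write the renewal'; each write takes renewal_delay_ms,
    so the k-th renewal becomes visible at k * (renewal_ms + renewal_delay_ms).
    """
    period = renewal_ms + renewal_delay_ms
    renewals = [k * period for k in range(horizon_ms // period + 2)]
    failovers, expired, i = 0, False, 0
    for t in range(0, horizon_ms + 1, check_ms):
        while i + 1 < len(renewals) and renewals[i + 1] <= t:
            i += 1  # advance to the latest renewal visible to the standby at time t
        now_expired = t - renewals[i] > expiration_ms
        if now_expired and not expired:
            failovers += 1  # valid -> expired transition: the standby would take over
        expired = now_expired
    return failovers


if __name__ == "__main__":
    # renewal = 1/3 of expiration: 2 s of write latency is absorbed, no failover
    print(simulate_lease(30_000, 10_000, renewal_delay_ms=2_000))  # -> 0
    # renewal = expiration: every renewal lands 2 s late, so every cycle fails over
    print(simulate_lease(30_000, 30_000, renewal_delay_ms=2_000))  # -> 3
```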
There are two configurable timer components in Oracle Role Manager. The first, for the main server, is a singleton configuration for the timer subsystem as a whole. The second, for batch resolution, can have several configurations, one per timer (identified by its job ID), used for integrations with external systems.
The main Timer configuration sets the thread pool property (refer to Table 2-6). Oracle recommends that this default value not be changed.
The Batch Resolution Timer configuration sets preferences for the batch resolution job. Table 2-7 shows the default configuration values for setting the implementing Java class and whether the timer type is simple (defining a repeat interval of n milliseconds between invocations) or cron (defining a UNIX-style cron timer). The default is the simple timer type. (Refer to Section 2.1.6.1 for more information about cron expressions.)
Table 2-7 Batch Resolution Timer Configuration Values
Element | Default Value |
---|---|
| oracle.iam.rm.resolution.impl.BatchResolutionTimerFactory |
job-id | BatchResolutionJob |
singleton | true |
| 14400000 |
cron cron-expression | N/A |
A cron expression is a string comprised of six or seven fields separated by white space. Each field can contain any of its allowed values, along with various combinations of the special characters allowed for that field. The fields, in the expected order, are shown in Table 2-8.
Table 2-8 Cron Expressions Allowed Fields and Values
Name | Required | Allowed Values | Allowed Special Characters |
---|---|---|---|
Seconds | Y | 0-59 | , - * / |
Minutes | Y | 0-59 | , - * / |
Hours | Y | 0-23 | , - * / |
Day of month | Y | 1-31 | , - * ? / L W C |
Month | Y | 0-11 or JAN-DEC | , - * / |
Day of week | Y | 1-7 or SUN-SAT | , - * ? / L C # |
Year | N | empty or 1970-2099 | , - * / |
Example 2-1 Cron Expressions
Cron expressions can be as simple as * * * * ? * or as complex as 0 0/5 14,18,3-39,52 ? JAN,MAR,SEP MON-FRI 2002-2010.
Here are some more examples:
Expression | Means |
---|---|
0 0 12 * * ? | Fire at 12:00 PM (noon) every day |
0 15 10 ? * * | Fire at 10:15 AM every day |
0 15 10 * * ? | Fire at 10:15 AM every day |
0 15 10 * * ? * | Fire at 10:15 AM every day |
0 15 10 * * ? 2005 | Fire at 10:15 AM every day during the year 2005 |
0 * 14 * * ? | Fire every minute starting at 2:00 PM and ending at 2:59 PM, every day |
0 0/5 14 * * ? | Fire every 5 minutes starting at 2:00 PM and ending at 2:55 PM, every day |
0 0/5 14,18 * * ? | Fire every 5 minutes starting at 2:00 PM and ending at 2:55 PM, AND fire every 5 minutes starting at 6:00 PM and ending at 6:55 PM, every day |
0 0-5 14 * * ? | Fire every minute starting at 2:00 PM and ending at 2:05 PM, every day |
0 10,44 14 ? 3 WED | Fire at 2:10 PM and at 2:44 PM every Wednesday in the month of March |
0 15 10 ? * MON-FRI | Fire at 10:15 AM every Monday, Tuesday, Wednesday, Thursday and Friday |
0 15 10 15 * ? | Fire at 10:15 AM on the 15th day of every month |
0 15 10 L * ? | Fire at 10:15 AM on the last day of every month |
0 15 10 ? * 6L | Fire at 10:15 AM on the last Friday of every month |
0 15 10 ? * 6L 2002-2005 | Fire at 10:15 AM on the last Friday of every month during the years 2002, 2003, 2004, and 2005 |
0 15 10 ? * 6#3 | Fire at 10:15 AM on the third Friday of every month |
0 0 12 1/5 * ? | Fire at 12 PM (noon) every 5 days every month, starting on the first day of the month |
0 11 11 11 11 ? | Fire every November 11 at 11:11 AM |
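Because a malformed cron-expression value in the Batch Resolution Timer configuration only shows up when the timer fails to fire, it is worth checking expressions against Table 2-8 before deploying. The validator below is written for this page (it is not part of Oracle Role Manager) and accepts an expression only if each field uses the numeric range, names and special characters the table lists, with the ranges taken exactly as printed there.

```python
import re

# Fields in Table 2-8 order, as printed there:
# (name, numeric range, allowed names, allowed special characters)
FIELDS = [
    ("Seconds", (0, 59), (), ",-*/"),
    ("Minutes", (0, 59), (), ",-*/"),
    ("Hours", (0, 23), (), ",-*/"),
    ("Day of month", (1, 31), (), ",-*?/LWC"),
    ("Month", (0, 11), tuple("JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()), ",-*/"),
    ("Day of week", (1, 7), tuple("SUN MON TUE WED THU FRI SAT".split()), ",-*?/LC#"),
    ("Year", (1970, 2099), (), ",-*/"),  # optional seventh field
]

TOKEN = re.compile(r"\d+|[A-Za-z]+|.")  # a number, a run of letters, or one special character


def validate_cron(expr):
    """Return the list of violations of Table 2-8; an empty list means the expression conforms."""
    fields = expr.split()
    if len(fields) not in (6, 7):
        return [f"expected 6 or 7 fields, got {len(fields)}"]
    problems = []
    for (name, (lo, hi), names, specials), value in zip(FIELDS, fields):
        for tok in TOKEN.findall(value):
            if tok.isdigit():
                if not lo <= int(tok) <= hi:
                    problems.append(f"{name}: {tok} outside {lo}-{hi}")
            elif tok.isalpha():
                # L, W, C (and LW) are special characters; anything else must be a month/day name
                if all(c in specials for c in tok):
                    continue
                if tok.upper() not in names:
                    problems.append(f"{name}: unknown name {tok}")
            elif tok not in specials:
                problems.append(f"{name}: character {tok!r} not allowed")
    return problems
```

Run over Example 2-1, it accepts every row of the table above but reports the hours field of the complex expression (39 and 52 lie outside 0-23) and the '?' in the month field of the simple one, which Table 2-8 does not list for that field.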
The i18n configuration file provides the default cache size limit and age limit for the i18n configuration. You can use this file to change the default values. Table 2-8 shows the default values for the i18n configuration.
The deployment configuration provides the information about which tablespaces must be used to deploy tables and indexes. By default tables and indexes are deployed to the database user's default tablespace. This new configuration allows:
the installer to define which tablespaces must be used
the ModelManager to distribute the tables and indexes
Table 2-10 shows the default configuration values for the tablespace names used during deployment.
To view the sample configuration XML files, you will need to extract them from an archive file. You may want to use these files for convenience as a starting place for your configuration changes.
To get the sample configuration files:
If you have not already extracted the sample configuration files, extract them as follows:
From the temporary location used to extract the files, navigate to configurations/config.
This directory contains subdirectories for all the configurable Oracle Role Manager server components. These can be modified and used as a starting place for configuration.
Oracle Role Manager configuration is stored in the database and must be deployed before any data is loaded into the system.
If you have needed to alter the standard configuration or standard data model, you will need run a command to deploy your customizations to the database.
Note: Data model and other configuration changes must be deployed to an empty schema. If you have a prior deployment of Oracle Role Manager whose model or configuration you want to modify, it is recommended that you create new schemas. You can also create queries, using Oracle Role Manager's JDBC driver, for the data you need to migrate to the new schemas after your customizations have been made.
This procedure assumes you have already completed the following steps:
A database instance has been created for Oracle Role Manager with the appropriate tablespaces.
The Oracle Role Manager database owner and application user schemas have been created and contain no data.
The database is accessible and the service on which Oracle Role Manager is installed is started.
Refer to the Oracle Role Manager Installation Guide for more information about these assumptions.
To deploy model and configuration customizations:
Create an archive file containing your customizations and append the file name with .car.
In <ORM_install>/config, edit the following two lines in the db.properties file to match your environment:
db.driverClass=oracle.jdbc.driver.OracleDriver
db.connection_string=jdbc:oracle:thin:@//$HOST$:$PORT$/$SERVICE_NAME$
where $HOST$ is the database host name, $PORT$ is the database listener port, and $SERVICE_NAME$ is the database service name on which the Oracle Role Manager users/schemas were created.
In a command window, navigate to <ORM_install>/bin.
Run the following command to deploy the configuration and data model and create the root entities.
deploy "<collection_of_cars>" <orm-owner> <ormapp-user> <admin-user>
where:
<collection_of_cars> contains the relative paths and file names of all CAR files to deploy. This collection must be within quotes with delimiters appropriate to the platform (a semicolon (;) for Windows, otherwise a colon (:)).
<orm-owner> is the username of the ORM database owner user/schema.
<ormapp-user> is the username of the ORM application user/schema.
<admin-user> is the username of the Oracle Role Manager System Administrator to create.
At the prompt, type the password of the ORM database owner.
At the prompt, type the password of the ORM application user.
At the prompt, type the password for the ORM Administrator account.
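Two steps of this procedure fail silently when done by hand: leaving a $HOST$-style placeholder in db.properties, and joining the CAR collection with the wrong platform delimiter. The pre-flight check below is an added example for this page, not an Oracle Role Manager tool; the property keys and delimiters are those the procedure states, and the sample values in the test are constructed.

```python
import re

PLACEHOLDER = re.compile(r"\$[A-Z_]+\$")  # the $HOST$, $PORT$, $SERVICE_NAME$ markers from db.properties


def check_db_properties(text):
    """Return problems found in a db.properties body; an empty list means it is ready for deploy."""
    props = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    problems = []
    if props.get("db.driverClass") != "oracle.jdbc.driver.OracleDriver":
        problems.append("db.driverClass must be oracle.jdbc.driver.OracleDriver")
    conn = props.get("db.connection_string", "")
    if not conn.startswith("jdbc:oracle:thin:@//"):
        problems.append("db.connection_string must start with jdbc:oracle:thin:@//")
    for marker in PLACEHOLDER.findall(conn):
        problems.append(f"placeholder {marker} not replaced in db.connection_string")
    return problems


def car_collection(paths, platform):
    """Join CAR paths with the delimiter the deploy command expects: ';' on Windows, ':' elsewhere.
    The result still has to be wrapped in quotes on the command line."""
    bad = [p for p in paths if not p.endswith(".car")]
    if bad:
        raise ValueError(f"not CAR files: {bad}")
    return (";" if platform.lower().startswith("win") else ":").join(paths)
```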
The logging.properties and JVM.properties files determine the logging messages of the command-line tools. They provide the logging level, file name, and location.
To configure logging, reset the following default configuration values:
Set the global logging level using the following syntax:
.level = INFO
Set the minimum level of messages printed on the console to FINE and above:
java.util.logging.ConsoleHandler.level = FINE
Set the minimum level of messages written to the file to FINE and above:
java.util.logging.FileHandler.level = FINE
Set the file handler limit:
java.util.logging.FileHandler.limit = 100000
java.util.logging.FileHandler.count = 10
Set the hierarchy indexing manager logger to log FINE messages, for example:
oracle.iam.rm.hierarchy.level = FINE
For more information about logging configuration, visit the Java Web site at http://java.sun.com/j2se/1.4.2/docs/guide/util/logging/overview.html.