14 Extending the Domain with Authorization Policy Manager and Identity Navigator

This chapter covers the following topics:

  • Section 14.1, "Extending the Domain with Oracle Authorization Policy Manager"

  • Section 14.2, "Extending the Domain with Oracle Identity Navigator"

14.1 Extending the Domain with Oracle Authorization Policy Manager

Oracle Authorization Policy Manager (APM) is the single centralized console for managing authorization for Fusion applications, J2EE applications, and the Oracle Fusion Middleware components that provide services to those applications. It gives an application administrator one console for administering all of an application's authorization policies.

You can use either WLST commands or Fusion Middleware Control to manage application policies. Using WLST requires running commands manually. Fusion Middleware Control offers a graphical user interface, but it is a rather complex tool: it requires you to work with low-level security artifacts and to know the names and concepts used by developers, such as permission class names or task-flow names.

Authorization Policy Manager greatly simplifies the creation, configuration, and administration of application policies over those two other tools by providing the following features:

14.1.1 Base Authorization Policy Manager Platform

The APM Console enables an application administrator to manage the following authorization artifacts at a high level:

  1. External Roles

  2. Application Roles

  3. Resources–Target

  4. Policy–Subject, Target, Grants

Other artifacts include:

  1. Entitlements (aggregation of resources)

  2. Resource types (metadata definition for resources)

  3. Role templates (role generation based on templates with template policies)

Note:

The administration of these artifacts varies. For example, enterprise roles are created externally, in an identity and provisioning system; APM provides only read-level services for enterprise roles.

14.1.2 Prerequisites

Before configuring Authorization Policy Manager, ensure that the following tasks have been performed:

  1. Install the following software on IDMHOST1 and IDMHOST2 as described in Chapter 4.

    • Oracle WebLogic Server

    • Oracle Identity and Access Management

  2. Make sure that the APM schema was created by following the steps in Chapter 3.

14.1.3 Configuring Authorization Policy Manager on IDMHOST1

Start the configuration wizard by executing the command:

MW_HOME/oracle_common/common/bin/config.sh

Then proceed as follows:

  1. On the Welcome screen, select Extend an Existing WebLogic Domain. Click Next.

  2. On the Select a WebLogic Domain screen, use the Navigator to select the domain home of the Administration Server, for example:

     /u01/app/oracle/plus/admin/IDMDomain/aserver/IDMDomain/

    Click Next.

  3. On the Select Extension Source screen, select Oracle Authorization Policy Manager. Click Next.

  4. The Configure RAC Multi Datasources screen shows the Multi Datasources for previously configured components in your domain. Do not make any changes.

    Click Next.

  5. On the Configure JDBC Component Schema screen, select Configure selected Component schemas as RAC multi data source schemas in the next panel. Click Next.

  6. On the Configure RAC Multi Data Source Component Schemas screen, select all the multi data source schemas and enter the following:

    Service Name: for example, idmedg.us.oracle.com

    For the first RAC node, enter:

    • HostName: for example, idmdb1.us.oracle.com

    • Instance Name: for example, idmedg1

    • Port: for example, 1521

    Click Add to add an additional row.

    For the second RAC node, enter:

    • HostName: for example, idmdb2.us.oracle.com

    • Instance Name: for example, idmedg2

    • Port: for example, 1521

    Select the APM MDS schema and enter its user name and password, for example:

    EDG_MDS password

  7. On the Test Component Schema screen, select all the schemas and click Test Connections. Verify that the test completed successfully for every schema. Click Next.

  8. On the Select Optional Configuration screen, do not make any selections. Click Next.

  9. On the Configuration Summary screen, click Extend to extend the domain.

  10. On the Extending Domain screen, click Done to exit the Configuration Wizard.

14.1.4 Stopping and Starting the Admin Server IDMHOST1

In this Enterprise Deployment Topology, APM is being deployed to the Administration Server. To complete the deployment of APM, stop and start WebLogic Administration Server on IDMHOST1 as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."

Validating Authorization Policy Manager

Validate the implementation using the APM Console, at http://ADMINVHN.mycompany.com:7001/apm.

The APM console login page is displayed. Log in using the WebLogic administrator credentials.

14.1.5 Authorization Policy Manager on IDMHOST2

In this Enterprise Deployment Topology, APM is deployed to the Administration Server in an active-passive configuration. Because APM is failed over along with the Administration Server, there is no need to provision APM on IDMHOST2.

Follow the steps in Section 6.13, "Manually Failing Over the Administration Server" to fail over APM from IDMHOST1 to IDMHOST2.

14.1.6 Configure Oracle HTTP Servers to Access Authorization Policy Manager Console

On each of the web servers on WEBHOST1 and WEBHOST2, a file called admin.conf was created in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. (See Section 6.9, "Configuring Oracle HTTP Server for the Administration Server".)

Edit admin.conf and add the following lines inside the virtual host definition:

<Location /apm>
    SetHandler weblogic-handler
    WebLogicHost ADMINVHN
    WebLogicPort 7001
</Location>

After editing, the file should look like this:

NameVirtualHost *:80

<VirtualHost *:80>

    ServerName admin.mycompany.com:80
    ServerAdmin you@your.address
    RewriteEngine On
    RewriteOptions inherit

    # Admin Server and EM
    <Location /console>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WeblogicPort 7001
    </Location>

    <Location /consolehelp>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WeblogicPort 7001
    </Location>

    <Location /em>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WeblogicPort 7001
    </Location>

    <Location /apm>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WebLogicPort 7001
    </Location>

</VirtualHost>

Restart the Oracle HTTP Server as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."

14.1.6.1 Validating the Implementation

Validate the implementation using the APM Console at http://admin.mycompany.com:7001/apm. The APM console login page is displayed. Log in using the WebLogic administrator's credentials.

14.1.7 Configuring Authorization Policy Manager to Use an External LDAP Store

By default, Oracle WebLogic Server uses the local LDAP store that is created as part of the installation and configuration process. Enterprise deployments typically require a centralized LDAP store for provisioning users, groups, roles, and policies, so you must configure Oracle WebLogic Server to use an external LDAP store, such as Oracle Internet Directory. Configuring APM with an external LDAP store is covered in Chapter 17, "Integrating Components." See Section 17.1, "Migrating Policy and Credential Stores" for the steps to configure APM to use an external LDAP store.

14.2 Extending the Domain with Oracle Identity Navigator

Oracle Identity Navigator is an administrative portal designed to act as a launch pad for Oracle Identity Management components. It allows you to access the Oracle Identity Management consoles from one site. It is installed with the other Oracle Identity Management components and enables you to access them through product discovery.

Oracle Identity Navigator is a J2EE application deployed on an Oracle WebLogic Administration Server. It uses Oracle Metadata Service.

The Oracle Identity Navigator report feature relies on Oracle Business Intelligence Publisher.

14.2.1 Prerequisites

Install Software on IDMHOST1 and IDMHOST2

Install the following software on IDMHOST1 and IDMHOST2 as described in Chapter 4.

  1. Oracle WebLogic Server

  2. Oracle Identity and Access Management

14.2.2 Configure Oracle Identity Navigator on IDMHOST1

Start the configuration wizard by executing the command:

MW_HOME/oracle_common/common/bin/config.sh

Then proceed as follows:

  1. On the Welcome screen, select Extend an Existing WebLogic Domain. Click Next.

  2. On the Select a WebLogic Domain screen, use the Navigator to select the domain home of the Administration Server, for example:

     /u01/app/oracle/plus/admin/IDMDomain/aserver/IDMDomain/

    Click Next.

  3. On the Select Extension Source screen, select Oracle Identity Navigator. Click Next.

  4. The Configure RAC Multi Datasources screen shows the Multi Datasources for previously configured components in your domain. Do not make any changes. Click Next.

  5. On the Select Optional Configuration screen, do not make any selections. Click Next.

  6. On the Configuration Summary screen, click Extend to extend the domain.

  7. On the Extending Domain screen, click Done to exit the Configuration Wizard.

14.2.3 Stopping and Starting the Administration Server IDMHOST1

Stop and start the WebLogic Administration Server on IDMHOST1 as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."

14.2.4 Provisioning Oracle Identity Navigator on IDMHOST1

In this Enterprise Deployment Topology, Oracle Identity Navigator is deployed to the Admin Server in an active-passive model. Since Oracle Identity Navigator is failed over along with the Admin Server, there is no need to provision Oracle Identity Navigator on IDMHOST2.

Follow the steps in Section 6.13, "Manually Failing Over the Administration Server".

14.2.5 Configuring Oracle HTTP Servers to Access Oracle Identity Navigator Console

On each of the web servers on WEBHOST1 and WEBHOST2, a file called admin.conf was created in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. (See Section 6.9, "Configuring Oracle HTTP Server for the Administration Server".)

Edit admin.conf and add the following lines in the virtual host definition:

<Location /oinav>
    SetHandler weblogic-handler
    WebLogicHost ADMINVHN
    WebLogicPort 7001
</Location>

After editing, the file should look like this:

NameVirtualHost *:80

<VirtualHost *:80>

    ServerName admin.mycompany.com:80
    ServerAdmin you@your.address
    RewriteEngine On
    RewriteOptions inherit

    # Admin Server and EM
    <Location /console>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WeblogicPort 7001
    </Location>

    <Location /consolehelp>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WeblogicPort 7001
    </Location>

    <Location /em>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WeblogicPort 7001
    </Location>

    <Location /apm>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WebLogicPort 7001
    </Location>

    <Location /oinav>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WebLogicPort 7001
    </Location>

</VirtualHost>

Restart the Oracle HTTP Server as described in Section 18.1, "Starting and Stopping Oracle Identity Management Components."
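A check for the admin.conf routing rules added in Section 14.1.6 and Section 14.2.5, as an added example that is not from the Oracle guide: it extracts a <Location> block from the file and verifies that the block hands the path to the WebLogic handler on ADMINVHN port 7001, so a missing or mistyped directive is caught before the console is tested in a browser. The sample configuration below is constructed inline and deliberately leaves the port out of the /oinav block; directive names are matched case-insensitively because Oracle HTTP Server treats WebLogicPort and WeblogicPort (both spellings appear in this chapter) the same way.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: verify that admin.conf routes a
# context path (/apm, /oinav) to the Administration Server via mod_wl_ohs.
# Directive names are matched case-insensitively, because Apache treats
# WebLogicPort and WeblogicPort (both spellings appear in the guide) alike.
# Constructed sample admin.conf: /oinav is deliberately missing its port.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName admin.mycompany.com:80
    <Location /console>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WeblogicPort 7001
    </Location>
    <Location /apm>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
        WebLogicPort 7001
    </Location>
    <Location /oinav>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN
    </Location>
</VirtualHost>
EOF
# location_block FILE PATH: print the directives inside <Location PATH>.
location_block() {
    awk -v path="$2" '
        tolower($0) ~ ("^[ \t]*<location[ \t]+" tolower(path) "[ \t]*>") { inblock = 1; next }
        tolower($0) ~ "^[ \t]*</location>" { inblock = 0 }
        inblock { print }
    ' "$1"
}
# check_route FILE PATH HOST PORT: return 0 when PATH is handed to the
# WebLogic handler for HOST:PORT, 1 when the block or a directive is absent.
check_route() {
    body=$(location_block "$1" "$2")
    [ -n "$body" ] || { echo "$2: no <Location> block"; return 1; }
    printf '%s\n' "$body" | grep -iqE '^[[:space:]]*sethandler[[:space:]]+weblogic-handler' \
        || { echo "$2: SetHandler weblogic-handler missing"; return 1; }
    printf '%s\n' "$body" | grep -iqE "^[[:space:]]*weblogichost[[:space:]]+$3[[:space:]]*\$" \
        || { echo "$2: WebLogicHost $3 missing"; return 1; }
    printf '%s\n' "$body" | grep -iqE "^[[:space:]]*weblogicport[[:space:]]+$4[[:space:]]*\$" \
        || { echo "$2: WebLogicPort $4 missing"; return 1; }
    echo "$2: routed to $3:$4"
}
```

Against a real web tier, run it as check_route ORACLE_INSTANCE/config/OHS/component/moduleconf/admin.conf /apm ADMINVHN 7001 (and again with /oinav) on each of WEBHOST1 and WEBHOST2.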

14.2.6 Validating Oracle Identity Navigator

Validate the implementation using the Oracle Identity Navigator Console at http://admin.mycompany.com:7001/oinav. The Oracle Identity Navigator login page is displayed. Log in using the WebLogic administrator's credentials.