Running an SSM Without an SCM

This section provides information and instructions for running an SSM without an SCM.

Overview

An SCM is responsible for storing and maintaining the configuration data for all SSMs running on a machine. An SSM receives its configuration data from the SCM at startup and whenever a configuration change is made and distributed from the Administration Server. The SCM receives and caches the updated information, and provides it to the SSM when it is restarted.

An SSM can run without an SCM by obtaining its configuration information from data that is exported from the OES database using the PolicyIX tool. This tool allows you to export configuration data to an XML file that is read by the SSM when it is restarted.

The PolicyIX tool can extract both policy and configuration information from the database. In this context, it is used to extract configuration information only.
Information in this section does not apply to the WLS SSM, which uses configuration information maintained in the WebLogic 9.x/10.x Administration Console. It does not use either an SCM or configuration data exported from the OES database.

Choosing How to Run the SSM

Use the following criteria when deciding whether to use an SCM or exported configuration data:

A running SCM provides the ability to centrally manage all SSM configurations on a machine. This is extremely useful when running multiple SSMs and configuration changes are common.
The SCM is an additional process that must be installed and maintained. This may be unneeded if configuration changes are relatively rare.
When using an XML file, a manual export must be performed whenever a configuration change is made in the database. This may prove cumbersome, particularly when frequent configuration changes are made.
Once an SSM is set up to obtain configuration data from an XML file, it cannot be switched to use an SCM. The SSM must be removed and then reinstalled.
An SCM configuration must be maintained in the database whether or not an SCM is used on the SSM machine. The SCM configuration is the collection point for the SSM’s configuration data that is exported from the database to the XML file.

Installing An SSM Without An SCM

During the SSM installation process, the Centralized Configuration of Security Providers window displays, as shown in Figure 9-1. When you clear the Allow centralized configuration... checkbox, the SSM will not use an SCM.

Exporting Configuration Data

Perform the following steps to export an SSM’s configuration data using the PolicyIX tool:

In the BEA_HOME/ales32-admin/bin directory, enter the following command:

policyIX.bat <exportID> -exportConfig policyIX_config.xml

where <exportID> is the name of the SSM configuration to export.

Two files will be generated in the bin directory: wles.securityrealm.xml and wles.securityrealm.xml.sig.

Copy the two files to the SSM instance’s bin directory.

For example, for an WLS 8.1 SSM instance name of WLS8Domain, copy the files to BEA_HOME/ales32-ssm/wls8/WLS8Domain/bin.

Restart the SSM and ignore the instructions about starting the SCM.
Repeat these steps whenever the SSM’s configuration is updated in the Administration Server.

Disabling an SCM

Stop SCM.
Export the SSM configuration as documented in the previous section, Exporting Configuration Data.

In the BEA_HOME/ales32-admin/bin directory, enter the following command:

policyIX.bat <exportID> -exportConfig policyIX_config.xml

where <exportID> is the name of the SSM configuration to export. wles.securityrealm.xml and wles.securityrealm.xml.sig will be generated in the bin directory.

Copy the two files to the directory in which you start the SSM.
Restart the SSM.

During SSM initialization, the authorization engine first attempts to retrieve configuration data from XMLConfiguration and, second, SCMConfiguration. XMLConfiguration will find the configuration files as copied under the directory in which you start the SSM.