Installing Security Service Modules


Post Installation Tasks

This section describes tasks you must perform after you install Security Service Modules and discusses other considerations. For additional information about post-installation configuration and integration for use with BEA WebLogic Server, BEA WebLogic Portal, BEA AquaLogic Data Services Platform, BEA AquaLogic Service Bus, Apache Web Server, Microsoft IIS web server and Web Services, see Integrating ALES with Application Environments.

Note: Some of the procedures described here require basic knowledge of both WebLogic Server and AquaLogic Enterprise Security products. If you need assistance with any task, see the Administration Console online help or the Administration and Deployment Guide for more details. It is assumed that you know the location of the products you have installed, including the WebLogic Server, the Security Service Module, and the Administration Server.

 


Enrolling the Service Control Manager

This section describes how to enroll the Service Control Manager. Each machine on which you install a Security Service Module must have one (and only one) enrolled Service Control Manager. You only need to follow this procedure if you installed the Security Service Module on a machine other than the one that contains the Administration Server.

During the enrollment process, the Service Control Manager and Administration Server exchange certificates with each other. The Service Control Manager sends its identity certificate to the Administration Server, which adds the certificate to its trusted peer keystore. Likewise, the Administration Server sends a list of certificates to the SCM.

The certificates are stored in Java keystores. After the Service Control Manager is enrolled, you should be able to find the identity.jks, peer.jks and trust.jks keystores in the BEA_HOME/ales22-scm/bin folder.

Note: While you can use the demonstration digital certificate to enroll in a development environment, you should never use it in a production environment.

To enroll the Service Control Manager, perform the following steps:

  1. Open a command window and go to the Service Control Manager /bin directory, for example:

     BEA_HOME/ales22-scm/bin

     Where:

     • BEA_HOME is the directory where your BEA products are installed.
     • ales22-scm is the directory where you installed the Service Control Manager.
  2. Run the following script:

     enrolltool demo

     The Enrollment menu appears.

  3. Type 5 and press <ENTER>, then do one of the following:
     • If the domain to which you want to enroll the SSM is listed, go to step 4.
     • If the domain you want to use is not listed, type 3 and press <ENTER> to register the domain, enter the following information, then type 5 and press <ENTER> again:

       Enter Enterprise Domain Name :> (For example: asi)
       Enter Primary Admin URL :> (For example: https://adminmachine:7010/asi)
       Secondary Admin URL :> (This value is optional. Same format as primary URL)
       SCM name :> (For example: ssmmachinename_ssm)
       SCM port :> (Default: 7010)
  4. Select the domain you want to use and press <ENTER>.
  5. Enter the admin username and password. This is the username and password of the security administrator that is enrolling the SCM.
  6. Enter and confirm the following passwords:
     • Private key password—Protects the identity of the Service Control Manager you are creating
     • identity.jks password—Protects the ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
     • peer.jks password—Protects the ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
     • trust.jks password—Protects the ssl\trust.jks keystore. This keystore contains the AquaLogic Enterprise Security CA certificate used for enrollment.

For more information on enrolltool utility options, see Administrative Utilities in the ALES Administration Reference.

 


Configuring a Service Control Manager

You configure a Service Control Manager (SCM) for each of the machines on which you have installed one or more Security Service Modules (SSM). Each machine must have one (and only one) configured Service Control Manager. For example, if you install an SSM on the same machine as the Administration Server, you must use the adminconfig SCM, which was configured for you when you installed the Administration Server.

Note: When you use the Instance Wizard to create an instance of a SSM on a machine, you link the instance to an SCM by name. When you install multiple SSMs of different types (Web Server or Web Services, WebLogic Server 8.1 or 9.x, and Java) on the same machine, they all must use the same SCM.

You configure an SCM using the AquaLogic Enterprise Security Administration Console. For information, see "Configuring a Service Control Manager" in the Administration Server Console Help.

 


Configuring and Binding a Security Service Module

Configure an SSM with the security providers that you require for the SSM and bind it to the SCM. You have the option of configuring either the default security providers that ship with the product or custom security providers, which you develop or purchase from third-party security vendors.

Security Providers for the WebLogic Server SSM

The Security Service Module for WebLogic Server 9.x is configured differently from the Security Service Module for WebLogic Server 8.1. When you use the WLS 9.x SSM, you configure security providers and other aspects of the SSM in the WebLogic Administration Console, rather than the ALES Administration Console. You still use the ALES Administration Console to write security policies and to configure SSMs other than the WLS 9.x SSM. You must also use the ALES Administration Console to configure the ASI Authorizer and ASI Role Mapper providers. For information about configuring the WLS 9.x SSM, see Configuring the WebLogic Server 9.x SSM in Integrating ALES with Application Environments.

The WebLogic Server 8.1 SSM supports the following types of security providers:

Console Extension for Security Providers in the WLS 9.x Console

ALES includes an extension to the WebLogic Server 9.x Administration Console. If you are using the WLS 9.x SSM for WLS, you must install the console extension in order for the ALES security providers to be visible in the WebLogic Server 9.x Administration Console.

To install the ALES security provider console extension, copy ales_security_provider_ext.jar from BEA_HOME/ales22-ssm/wls9-ssm/lib to the BEA_HOME/WLS_HOME/domains/DOMAIN_NAME/console-ext directory, where DOMAIN_NAME is the name of your WebLogic Server 9.x domain.

Security Providers for the Web Services SSM

At a minimum, a Web Services SSM security configuration must include the following providers:

Security Providers for the Java SSM

The Java Security Service Module supports the following types of security providers:

Configuring and Binding Security Providers

To configure these providers and bind the configuration to the SCM, perform the following steps:

  1. In the Administration Console, expand the Security Configuration node in the left pane, and click Unbound Configurations. The Unbound Security Service Module Configurations page displays.
  2. Click Create a New Security Service Module Configuration. The Edit Security Service Module Configuration page displays.
  3. In the Configuration ID text box, enter an identity for the SSM (for example, weblogic81_ssm) and click Create.

     Note: Later, when you use the Instance Wizard to create an instance of the SSM to which this security configuration will be applied, you will use the Configuration ID to link the SSM instance to this security configuration.

  4. Click the Providers tab and create the desired providers.
  5. Click on the SCM that you previously configured for this SSM. The Edit a Service Control Manager Configuration page displays.
  6. Click on the Binding tab and bind the SSM configuration to the SCM.

 


Creating an Instance of a Security Service Module

Before starting a Security Service Module, you must first create an instance of the Security Service Module using the Instance Wizard. You can create any number of instances of the Security Service Module. You must then enroll each instance that you want to use. Each instance has its own set of providers.

To create an instance of a Security Service Module:

  1. Start the Instance Wizard:
    • On Windows, click Start > Programs > BEA AquaLogic Enterprise Security > <Type of Security Service Module> > Create New Instance.
    • On UNIX, if you are using X-windows, go to BEA_HOME/ales22-ssm/<ssm-type>/adm and enter: instancewizard.sh. If you are not using X-windows, use a console-based installer.
  2. In the Instance Name text box, enter the name to assign to this instance. The name must be unique for SSMs on this machine.
  3. In the Authorization Engine port text box, enter the port number for the Authorization and Role Mapping engine to use.
  4. In the Configuration ID text box, enter the configuration identifier to use with this instance. The Configuration ID was specified when you configured your module, as described in Configuring and Binding a Security Service Module.
  5. From the Enterprise Domain drop-down box, select the domain to which this instance belongs.
  6. Click Next.
  7. In the Location text box, enter the location for this instance. The default instance is located within the installation directory of the Security Service Module.
  8. Click Next.
  9. Click Done when the instance wizard completes.

Web Server SSM Instances

When you create an instance of the Apache Web Server SSM, you must also add the Apache user to the asiusers group on the machine running the Apache Web Server SSM; otherwise, the Administration Server will not have the permissions required to access the Apache Web Server SSM instance and deploy the security policy and the security configuration.

When the Instance Wizard creates an instance of the IIS Web Server SSM, it adds the values listed in Table 4-1 to the following location in the Microsoft Windows Registry:

HKEY_LOCAL_MACHINE\SOFTWARE\BEA Systems\ALES\IIS Module\2.2

Table 4-1 Registry Configuration Data

Value Name         Type     Description/Setting
ALES_HTTP_SERVER   String   The configuration directory of the Web Server SSM.
ALES_LOG_LEVEL     DWORD    By default, the log level is set to 2 (INFORMATIONAL).

 


Enrolling the Instance of the Security Service Module

You must have the Administration Server running prior to enrolling the Security Service Module. When the SSM is enrolled, the SSM and Administration Server exchange certificates with each other. The SSM sends its identity certificate to the Administration Server, which adds the certificate to its trusted peer keystore. The Administration Server sends to the SSM the list of certificates the SSM must trust. In addition, the Administration Server sends the enrolled identity to the other ALES servers with which the SSM is supposed to communicate, such as the SCM instance the SSM is associated with.

The certificates are stored in Java keystores. After the SSM is enrolled, you should be able to find the identity.jks, peer.jks and trust.jks keystores in the BEA_HOME/ales22-ssm/wls-ssm/instance/instancename/ssl folder.

Note: While you can use the demonstration digital certificate in a development environment, you should never use it in a production environment.

To enroll the Security Service Module:

  1. Open a command window and go to the Security Service Module instance /adm directory: BEA_HOME/ales22-ssm/<ssm-type>/instance/instancename/adm, where instancename is the name you assigned to the instance when you created it.
  2. Run the following script:

     enroll demo

  3. Enter the admin username and password. This is the username and password of the Security Administrator doing the enrollment (if you used the default values and have not yet changed them, the default username is system and the password is weblogic).
  4. Enter and confirm the following passwords:
     • Private key password—This password protects the identity of the Security Service Module that you are creating.
     • identity.jks password—This password protects the ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
     • peer.jks password—This password protects the ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
     • trust.jks password—This password protects the ssl\trust.jks keystore. This keystore contains the AquaLogic Enterprise Security CA certificate used for enrollment.

For more information on enrolltool utility options, see Administrative Utilities in the ALES Administration Reference.
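A post-enrollment check for the SCM (Enrolling the Service Control Manager) and for an SSM instance (this section), written as an added example that is not part of ALES or this guide: it verifies that the three keystores enrollment produces (identity.jks, peer.jks, trust.jks) exist in the directory you pass, are non-empty and are readable only by their owner, and, for the Apache Web Server SSM, that the Apache user belongs to the asiusers group. The owner-only permission rule, the function names and the placeholder user name are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not ALES code): sanity checks after enrolling an SCM or SSM instance.
# Pass the directory that holds the keystores, e.g. BEA_HOME/ales22-scm/bin for the SCM
# or BEA_HOME/ales22-ssm/<ssm-type>/instance/<instancename>/ssl for an SSM instance.
# Requiring owner-only permissions is this script's assumption, not a product rule.

check_keystores() {
    dir=$1
    rc=0
    for ks in identity.jks peer.jks trust.jks; do
        f="$dir/$ks"
        if [ ! -s "$f" ]; then
            # A missing or empty keystore means the certificate exchange did not complete.
            echo "MISSING or empty: $f" >&2
            rc=1
            continue
        fi
        # Columns 5-10 of "ls -l" output are the group and other permission bits.
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            # identity.jks holds the component's private key; keep all stores owner-only.
            echo "WEAK PERMISSIONS on $f: group/other bits are '$bits'" >&2
            rc=1
        fi
    done
    return $rc
}

# The Apache Web Server SSM needs the Apache user in the asiusers group; otherwise the
# Administration Server cannot deploy policy and configuration to the instance.
check_user_in_group() {
    user=$1
    group=$2
    for g in $(id -Gn "$user" 2>/dev/null || true); do
        [ "$g" = "$group" ] && return 0
    done
    echo "USER NOT IN GROUP: $user is not a member of $group" >&2
    return 1
}

# Example invocation (BEA_HOME and the Apache user name "apache" are placeholders):
# check_keystores "$BEA_HOME/ales22-scm/bin" && check_user_in_group apache asiusers
```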

 


Starting and Stopping Processes

After you install the Security Service Module, create the instance, and enroll it, you must start the necessary processes by running the appropriate batch or shell scripts. Before you start these processes, make sure that the Administration Server and all of its services are running.

For each machine, you must start the following processes:

For instructions on how to start and stop the required processes, see Starting and Stopping Processes for Security Service Modules in the Administration and Deployment Guide.

Starting the Web Services SSM

To start an instance of the Web Services SSM on Windows:

  1. Click Start > Programs > BEA AquaLogic Enterprise Security > Security Service Module > Web Service Security Service Module > instancename > Start ARME (console mode). The Start ARME command window appears and indicates that the ARME started.
  2. Click Start > Programs > BEA AquaLogic Enterprise Security > Security Service Module > Web Service Security Service Module > instancename > Start Web Service (console mode). The Start Web Service command window appears and indicates that the Web Services SSM started.

To start an instance of the Web Services SSM on UNIX:

  1. Open a command prompt, cd to BEA_HOME/ales22-ssm/webservice-ssm/instance/<instancename>/bin and enter WLESarme.sh start, where <instancename> is the name of the Web Services SSM.
  2. Open another command prompt, cd to BEA_HOME/ales22-ssm/webservice-ssm/instance/<instancename>/bin and enter WLESws.sh start, where <instancename> is the name of the Web Services SSM.

 


What's Next?

You have completed the installation and configuration of the ALES Security Service Modules. Your Security Administrator can now configure additional security services using the security providers for your Security Service Module, through the AquaLogic Enterprise Security Administration Console. If you configured the providers as part of the post-installation tasks, you can now make changes to your configuration using the console.

Before you continue to configure security services, read the information on security configuration in the Administration Console help. This section provides additional information on how to configure the Service Control Manager, the Security Service Module, and the providers, and then deploy your changes.

For additional information about post-installation configuration and integration for use with BEA WebLogic Server, BEA WebLogic Portal, BEA AquaLogic Data Services Platform, BEA AquaLogic Service Bus, Apache Web Server, Microsoft IIS web server and Web Services, see Integrating ALES with Application Environments.

