Administration Reference


Administrative Utilities

AquaLogic Enterprise Security includes a number of helpful administrative utilities. This section provides a reference to the following utilities:

Note: Configuration File Usage describes which configuration files are used by a particular utility.

In the syntax descriptions for these utilities:

 


policyloader

This is the Policy Import tool, which you can use to import your policy files. Normally all the tool needs is a path to a valid policy loader configuration file. All the settings are listed in that file. You can use additional command line arguments to override the settings listed in the configuration file.

If you import a file that uses multi-byte characters, the file must be UTF-8 encoded.

As of AquaLogic Enterprise Security version 2.5, policy loading is now transactional: all policies are loaded, or none. In addition, the BLMContextManager API has been updated to include transactional methods.

For information about creating a policy loader configuration file, see Sample Configuration File in the Policy Managers Guide. For more information about running the Policy Import tool, see Running the Policy Import Tool and Understanding How the Policy Loader Works in the Policy Managers Guide.

Usage

ALES_ADMIN_HOME\bin\policyloader.bat <configuration_file> [-initial|-recover] [-load|-remove] [-help|-?|-usage]
ALES_ADMIN_HOME/bin/policyloader.sh <configuration_file> [-initial|-recover] [-load|-remove] [-help|-?|-usage]

Options

The following options are supported:

-help|-?|-usage

Print USAGE and exit.

-initial

Run in initial mode. There should be no versioned files in the policy directory in this mode.

-recover

Run in recover mode to revert to an earlier policy set. There should be checkpoint files (generated automatically during a previous load) in the policy directory in this mode.

-load

Run in policy load mode (default). Load policy from the files specified in the configuration file.

-remove

Run in policy remove mode. Remove the policies described in the files specified in the configuration file.

Example

>policyloader.bat MyAppPolicy.conf

 


load_adminpolicy

Loads the admin policy. This tool does not take any arguments. It needs to be run only once per Administration Server installation, after the database schema has been loaded. Once this tool is run, it sets the policy that allows the system user to access the Administration Console.

Usage

ALES_ADMIN_HOME\bin\load_adminpolicy.bat

Example

>load_adminpolicy.bat

 


policyIX

The Policy Propagation Import/Export tool. You can use this tool to propagate your policy from one environment to another, and to export SSM configuration data for use when an SCM is not associated with the SSM. An example would be moving policy from a development installation to a QA installation, or from a staging installation to a production deployment. You can also use policyIX to import and export policy data between ALES and AquaLogic Enterprise Repository.

If you import a file that uses multi-byte characters, the file must be UTF-8 encoded.

Exporting Policy

To use the policyIX tool to export policy, pass it an XML configuration file that specifies the top-level resource node you want to export. The tool determines all the policy elements related to that resource and its leaf nodes. When you import the exported file in another environment, the policyIX tool creates a replica of the original resource tree with its accompanying policy.

Exporting Configuration Data

The PolicyIX tool allows you to export configuration data (configured either through the ALES Administration Console, or directly via the BLM API) for a given SSM to an XML file, and use it with the configured SSMs when the SCM is not available.

To use the tool to export SSM configuration data, pass it the SSM configuration ID to export, the exportConfig parameter, the config.xml file and, optionally, the name of the exported XML file.

PolicyIX uses the existing settings for the SSL infrastructure, specified during the Administration server installation, to sign the exported configuration files. Specifically, the PolicyIX.bat file invokes the tool with -Dales.policyTool.signer=wles-admin. The ales.policyTool.signer property is a required Java property that specifies the alias of the signing key in the identity keystore, which must be equal to the Administration server machine name.

The public key of the Administration server is then retrieved from the SSL peer keystore for the purpose of validating the configuration file's signature. This public key is available from the Administration server's certificate, which was added to the SSL peer keystore during the enrollment process.

The unencoded signature of the XML file is stored in a corresponding signature file, whose name is derived from the full name of the signed XML file (including extension) with the added .sig extension. For example, myconfig.xml.sig.

After you export the configuration data, you must manually copy the XML configuration file and signature file to the SSM configuration directory, BEA_HOME/ales26-ssm/<ssm-type>/instance-name/config.

If you do not use the default name (wles.securityrealm.xml) for this configuration file, set the wles.realm.filename property in the BEA_HOME/ales26-ssm/<ssm-type>/instance-name/config/security.properties file. See Installing an SSM Without an Associated SCM in Installing Security Service Modules for additional information about the security.properties file.
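The copy step described above, as an added shell example that is not part of the ALES distribution: it stages the exported XML together with its .sig file into the SSM config directory and checks that a non-default file name is declared in security.properties. The function names and return codes are hypothetical, and the script assumes security.properties uses key=value lines in which wles.realm.filename holds the file name; it checks pairing and placement only and does not validate the signature itself.

```shell
#!/bin/sh
# Added example (not ALES code): stage an exported SSM configuration and its
# detached signature into an SSM instance's config directory.
# Assumption: security.properties holds Java-properties style "key=value"
# lines and wles.realm.filename names the file (a leading path is tolerated).

DEFAULT_REALM_FILE="wles.securityrealm.xml"   # default export name per the page

# True when the properties file $1 names $2 in wles.realm.filename.
realm_filename_matches() {
    props=$1
    want=$2
    [ -f "$props" ] || return 1
    # Commented-out lines are ignored; the last assignment wins.
    value=$(sed -n 's/^[[:space:]]*wles\.realm\.filename[[:space:]]*[=:][[:space:]]*//p' "$props" | tail -n 1)
    value=$(printf '%s' "$value" | tr -d '\r' | sed 's/[[:space:]]*$//')
    [ "$(basename -- "$value")" = "$want" ]
}

# stage_ssm_config <exported.xml> <ssm-config-dir>
# Return codes (hypothetical, chosen for this example):
#   0 staged and consistent        1 copy failed or copy differs from source
#   2 XML or .sig missing/empty    3 config directory missing
#   4 custom file name not declared in security.properties
stage_ssm_config() {
    xml=$1
    cfgdir=$2
    sig="${xml}.sig"              # signature name = full XML name + ".sig"
    name=$(basename -- "$xml")

    [ -s "$xml" ] || { echo "missing or empty: $xml" >&2; return 2; }
    [ -s "$sig" ] || { echo "missing or empty signature: $sig" >&2; return 2; }
    [ -d "$cfgdir" ] || { echo "no such config directory: $cfgdir" >&2; return 3; }

    # Copy the pair together; never leave an XML behind without its signature.
    cp "$xml" "$cfgdir/$name" || return 1
    if ! cp "$sig" "$cfgdir/$name.sig"; then
        rm -f "$cfgdir/$name"
        return 1
    fi

    # A copy that altered either file would no longer match the signature.
    cmp -s "$xml" "$cfgdir/$name" && cmp -s "$sig" "$cfgdir/$name.sig" || return 1

    if [ "$name" != "$DEFAULT_REALM_FILE" ]; then
        realm_filename_matches "$cfgdir/security.properties" "$name" || {
            echo "set wles.realm.filename=$name in $cfgdir/security.properties" >&2
            return 4
        }
    fi
    return 0
}

# Command-line use: stage.sh <exported.xml> <ssm-config-dir>
if [ "$#" -eq 2 ]; then
    stage_ssm_config "$1" "$2"
    exit $?
fi
```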

Usage

ALES_ADMIN_HOME\bin\policyIX.bat <-import|-export> <config.xml> <policy.xml> [-passwdPrompt]
ALES_ADMIN_HOME\bin\policyIX.bat <exportID> <-exportConfig> <config.xml> [exportName] [-passwdPrompt]
ALES_ADMIN_HOME/bin/policyIX.sh <-import|-export> <config.xml> <policy.xml> [-passwdPrompt]
ALES_ADMIN_HOME/bin/policyIX.sh <exportID> <-exportConfig> <config.xml> [exportName] [-passwdPrompt]

Options

-import

Run the tool in policy import mode.

-export

Run the tool in policy export mode.

exportID

Command line parameter that specifies the SSM configuration ID to export. This entry must match the SSM configuration ID that was specified when the SSM instance was created on the server machine. The configuration ID is the means by which the SSM receives its configuration. If -exportConfig is specified, the exportID is required and must be in the first position.

-exportConfig

Command line parameter that instructs PolicyIX to export the SSM configuration. If -exportConfig is specified, it must be in the second position.

exportName

Command line parameter that specifies the name of the exported XML file. If it is not provided, wles.securityrealm.xml is used by default. If -exportConfig is specified, exportName is optional, but must be in the fourth position if present.
If you do not use the default name, set the wles.realm.filename property in the security.properties file.

config.xml

This configuration file contains BLM configuration and import or export configuration detail. If you run policyIX in import mode, then the configuration file may also contain policy data to be imported. A sample policyIX configuration file can be found at ALES_ADMIN_HOME/config/policyIX_config.xml. See Table 2-1 and the comments in the sample policyIX_config.xml file for information about the values to include in your configuration file.

Table 2-1 Configuration File Elements
Element
Description
Children or Attribute Examples
policy_propagation
The parent or container element.
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://policypropagation.ales.com/xmlbean"
targetNamespace="http://policypropagation.ales.com/xmlbean">
configuration
Container element.
Contains either one export_configuration or one import_configuration element, plus one blm_configuration element and optionally one aler_configuration element.
export_configuration
Used if -export switch is used for the policyIX tool
Contains one clipping_resource element.
clipping_resource
The clipping Resource node. All related policy elements will be exported.
The value attribute specifies the Resource node. For example:
<clipping_resource value="//app/policy"/>
import_configuration
Used if -import switch is used for the policyIX tool
Contains one policy_load_procedure element.
policy_load_procedure
Specifies how to handle existing policies.
Possible values:
  • override - Add policy to already existing policy
  • delete_existing - Delete the policy being imported from destination before importing new policy
blm_configuration
Container for elements that specify how to connect to ALES.
Contains multiple blm_property elements.
blm_property
Name/value pairs that specify how to connect to ALES.
Possible property names and values are:
  • server_ip - Machine name or IP address of server running BLM
  • server_port - Port of the BLM server. Default is normally the Admin Console SSL port +1.
  • userID - ALES Admin username. Default is system
  • userPassword - Can also be provided at the command prompt by using the -passwdPrompt option. Default is weblogic.
  • print_info - If set to true, then BLMAlreadyExists exceptions and exceptions related to removing Rules will be sent to standard console output.
aler_configuration
Container for elements that specify how to connect to AquaLogic Enterprise Repository (ALER). Used only with -exportToALER or -importFromALER options.
Contains multiple aler_property elements.
aler_property
Name/value pairs that specify how to connect to ALER.
Possible property names and values are:
  • server_url - ALER connection URL
  • username - user name to use to connect to ALER
  • userPassword - user password to connect to ALER
  • assetDescription - A description of the asset, only used when the asset is submitted
  • assetName - name of the asset to export or import
  • importAssetVersion - Asset version to import, only valid if the -importFromALER policyIX option is used.

policy.xml

If you run policyIX in export mode, then policy data will be exported into this file. If you run policyIX in import mode and the XML configuration file does not contain policy data, then this file will contain policy configuration and data to be imported.

-passwdPrompt

If you use this option, the admin password will be read from the command line.

-exportToALER

Export data directly from ALES to ALER based on configuration parameters in the config.xml file. To export data to ALER from a policy file, specify the pathname of the file. If a policy file is specified, no connection is made to ALES.

-importFromALER

Import policy data directly from ALER to ALES based on configuration parameters in the config.xml file. To import data from ALER to a policy file, specify the pathname of the file. If a policy file is specified, no connection is made to ALES.

Examples

To export a policy to a file:

>policyIX.bat -export MyServer1ExportConfig.xml MyPolicy.xml

To export an SSM configuration:

>policyIX.bat exportID -exportConfig MyServer1ExportConfig.xml MySSM.xml

To import a policy from a file:

>policyIX.bat -import MyServer2ImportConfig.xml MyPolicy.xml

To export a policy node to AquaLogic Enterprise Repository:

>policyIX.bat -exportToALER config.xml

To import policy data from AquaLogic Enterprise Repository:

>policyIX -importFromALER config.xml

 


policyexporter

Exports ALES policy data from a database server to a directory in policyloader format. The tool requires an empty directory into which it will export the files, and that directory must exist before you run the tool. Any existing policy files in that directory will be replaced or deleted. On UNIX, the program prompts for each input, and the user can then enter the arguments. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.

Usage

ALES_ADMIN_HOME\bin\policyexporter.bat [directory]
ALES_ADMIN_HOME/bin/policyexporter.sh

Options

directory

Directory path to which the files will be exported. Use to export to the current directory.

Example

>policyexporter.bat c:\MyPolicy

 


install_ales_schema

Installs the ALES policy database schema into the database server. If the schema already exists, it will be replaced, including existing policy. On UNIX, the program prompts you to input the arguments. Make sure the current working directory is ALES_ADMIN_HOME/bin before running the tool.

Usage

ALES_ADMIN_HOME\bin\install_ales_schema.bat <db-username> <db-password> 
ALES_ADMIN_HOME/bin/install_ales_schema.sh

Options

db-username

Login ID, usually same as owner

db-password

Password for the db-username

Example

>install_ales_schema.bat username password

 


asipassword

A secure password utility tool. It encrypts the password with the key and saves it, base64-encoded, in the password file under the corresponding alias. You can use this tool to store or update the password for the system user or the database user. The ASIAuthorizer and BLM both look in password.xml for the correct password to connect to the ALES database.

Usage

ALES_ADMIN_HOME\bin\asipassword.bat <alias> [passwordFilename] [keyFilename]
ALES_ADMIN_HOME/bin/asipassword.sh <alias> [passwordFilename] [keyFilename]

Options

alias

The alias for the password, often the username.

passwordFileName

The filename for the xml password file. The default, ssl/password.xml, is used if you do not supply a different value for this option.

keyFileName

The filename for the password key file. The default, ssl/password.key, is used if you do not supply a different value for this option.

Example

cd ssl
../bin/asipassword.bat wles

 


asisignal

Sends an action command to the server via a Web Service interface.

Usage

ALES_ADMIN_HOME\bin\asisignal.bat -url server_url [-action ping|comtest|wait|waitready|status] [-msg msg_to_log] [-reps 1] [-interval 1000] [-?] [-dbg]
ALES_ADMIN_HOME/bin/asisignal.sh  -url server_url [-action ping|comtest|wait|waitready|status] [-msg msg_to_log] [-reps 1] [-interval 1000] [-?] [-dbg] 

Options

-action ping, comtest

Send a simple SOAP call to the server, and see if server returns a valid SOAP result.

-action status

Get the server status. Could be INITING or READY.

-action wait

Continuously ping the server until the server replies. If you use this option together with the -reps option, sends ping until the server replies or the number of pings specified by the -reps option has been sent.

-action waitready

Like wait, but waits for the server to reach READY status, not just to respond to the SOAP communication.

-url

The Managed Server SOAP service URL (endpoint), usually ends with /ManagedServer. For example, https://host:7011/ManagedServer.

-msg

The message used by the log action to send to the server.

-reps

Repeat count. Used with the wait and waitready actions.

-interval

Sleep interval between each action, in milliseconds. Default is 1000 msecs (1s).

-?

Print a help message.

-dbg

Turn on debug for this utility.

Example

Ping the BLM Server running on the default port:

>asisignal.bat -action ping -url https://host:7011/ManagedServer

 


policy2XACML

A utility to translate policy rules from the ALES ASIAuthorizer format to XACML. It reads ALES policies from an input file in policyloader format, translates ALES rules to XACML, and stores the XACML rules to an output file.

Usage

ALES_ADMIN_HOME\bin\policy2XACML.bat [-in filename] [-out filename] [-?]
ALES_ADMIN_HOME/bin/policy2XACML.sh [-in filename] [-out filename] [-?]

Options

-in

The input policy file name. If no input file is provided, read standard input, until EOF is detected.

-out

The output policy file name. If no output file is provided, print to standard output.

Example

>policy2XACML.bat -in rule -out rule.xacml

 


enrolltool

Enrolls an SCM instance by acquiring security certificates from the associated ALES Administration Server. Enrollment is required to configure one-way or two-way SSL communication (see Configuring SSL for Production Environments in the Administration and Deployment Guide for more information). Before enrolling an SCM instance, make sure that the ALES Administration Server is running.

Usage

ALES_SCM_HOME\bin\enrolltool.bat <demo|secure>
ALES_SCM_HOME/bin/enrolltool.sh <demo|secure>

Options

demo

Enrolls the SCM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store in directory ALES_SCM_HOME/ssl. If this option is specified, the tool does not verify that the Administration Server host matches the one in the certificate. This option should never be used in a production environment.

secure

Enrolls the SCM instance and verifies the Administration Server certificate using a CA certificate from the trust.jks key store in directory ALES_SCM_HOME/ssl. If this option is specified, the tool verifies that the Administration Server host matches the one in the certificate.

Menu Options

When the tool is started, it displays the following menu options.

  1. Show Enrolled Domains
  2. Show Un-enrolled Domains
  3. Register Domain
  4. Unregister Domain
  5. Enroll
  6. Un-enroll
  7. Exit

Below you will find the explanations for each option.

  1. Show Enrolled Domains shows the list of all enrolled security domains including the following information for each of the domains:
    • URLs of primary and secondary policy distributors (BLM),
    • public and private ports of the SCM instance, and
    • the name of the SCM instance.
  2. Show Un-enrolled Domains shows the list of all un-enrolled domains including the following information for each of the domains:
    • URLs of primary and secondary policy distributors (BLM),
    • public and private ports of the SCM instance, and
    • the name of the SCM instance.
  3. Register Domain registers a new enterprise security domain. You must enter the following data about the domain:
    • the domain name,
    • the URLs of the primary and secondary Administration Servers,
    • the listening port number, and
    • the name of the SCM instance.
     The new data is stored in the ALES_SCM_HOME\config\SCM.properties file. Initially, the new domain is un-enrolled. You must enroll it by selecting Option 1 of the menu.

  4. Unregister Domain unregisters an enterprise security domain. The domain must be un-enrolled before it can be unregistered. You can un-enroll a domain by selecting Option 6 of the menu.
  5. Enroll enrolls the SCM instance associated with the chosen security domain. You will be asked for the administrator's username and password to access the administration server. If the SCM is being enrolled for the first time, you will be asked to enter passwords for the SCM certificate private key and for the key stores generated by the tool.
  6. Un-enroll un-enrolls the SCM instance associated with the chosen security domain. You will be asked for the administrator's username and password to access the administration server.

Example

>enrolltool demo

 


enroll

Enrolls an SSM instance by acquiring security certificates from the associated Administration Server. Enrollment is required to configure one-way or two-way SSL communication (see Configuring SSL for Production Environments for more information). Before enrolling an SSM instance, make sure that the ALES Administration Server is running.

During the enrollment process, you will be asked for the administrator's username and password to connect to the ALES Administration Server. If the SSM is being enrolled for the first time, you will be asked to enter passwords for the SSM certificate private key and for the key stores generated by the tool.

Usage

SSM_INSTANCE_HOME\adm\enroll.bat <demo|secure>
SSM_INSTANCE_HOME/adm/enroll.sh <demo|secure>

Options

demo

Enrolls the SSM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store in directory SSM_INSTANCE_HOME/ssl. If this option is specified, the tool does not verify that the Administration Server host matches the one in the certificate. This option should never be used in a production environment.

secure

Enrolls the SSM instance and verifies the Administration Server certificate using trusted CA certificates from the file cacerts in directory BEA_HOME/jdk142_08/jre/lib/security. If this option is specified, the tool verifies that the Administration Server host matches the one in the certificate.

Example

>enroll demo

 


unenroll

Un-enrolls an SSM instance. As a result of the un-enrollment, the SSM identity certificate is removed from the trusted-peer key stores of the servers the SSM communicates with. Before un-enrolling an SSM instance, make sure that the ALES Administration Server is running.

During the un-enrollment process, you will be asked for the administrator's username and password to connect to the ALES administration server.

Usage

SSM_INSTANCE_HOME\adm\unenroll.bat <demo|secure>
SSM_INSTANCE_HOME/adm/unenroll.sh <demo|secure>

Options

demo

Un-enrolls the SSM instance and verifies the Administration Server certificate using the demo CA certificate from the DemoTrust.jks key store in directory SSM_INSTANCE_HOME/ssl. If this option is specified, the tool does not verify that the Administration Server host matches the one in the certificate. This option should never be used in a production environment.

secure

Un-enrolls the SSM instance and verifies the Administration Server certificate using trusted CA certificates from the file cacerts in directory BEA_HOME/jdk142_08/jre/lib/security. If this option is specified, the tool verifies that the Administration Server host matches the one in the certificate.

Example

>unenroll demo
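A check for the demo option described for enrolltool, enroll and unenroll, as an added shell example that is not part of the ALES distribution: it scans a directory of automation scripts for invocations of those tools in demo mode. The function name, return codes and the choice of file extensions to scan are assumptions of this example.

```shell
#!/bin/sh
# Added example (not ALES code): find automation that runs the enrollment
# tools in demo mode, which uses the demo CA certificate and skips the
# Administration Server host check.

# Matches enrolltool, enroll or unenroll (optionally with a path, a closing
# quote and a .sh/.bat suffix) followed by the literal argument "demo".
DEMO_ENROLL_RE='(^|[^[:alnum:]_.-])(enrolltool|unenroll|enroll)(\.sh|\.bat)?"?[[:space:]]+demo([[:space:]]|$)'

# Comment lines in sh (#) and batch (rem, ::) files, as they appear after
# grep's "file:line:" prefix.
COMMENT_RE='^[^:]*:[0-9]+:[[:space:]]*(#|::|[Rr][Ee][Mm][[:space:]])'

# find_demo_enrollment <directory>
# Prints "file:line:text" for each demo-mode invocation found.
# Returns 0 when none is found, 1 when at least one is found, 2 on bad input.
find_demo_enrollment() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    hits=$(
        find "$dir" -type f \( -name '*.sh' -o -name '*.bat' -o -name '*.cmd' \) \
            -exec grep -HnE "$DEMO_ENROLL_RE" {} + 2>/dev/null |
            grep -vE "$COMMENT_RE"
    ) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Command-line use: audit.sh <directory-of-scripts>
if [ "$#" -eq 1 ]; then
    find_demo_enrollment "$1"
    exit $?
fi
```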

 


Configuration File Usage

All ALES configuration files are currently shipped in the config directory of the Admin, SCM, and SSM instance. This section describes which tools use the various configuration files, and for what purpose.

Administration Server Configuration Files

Table 2-2 describes which configuration files are required for which tools on an AquaLogic Enterprise Security Administration Server installation.

Table 2-2 Admin Configuration Files
Tool
Config File
Explanation
Admin Examples
admin_install.properties
This admin_install.properties file is set up like a Java properties file and can be read to determine the input parameters selected during the install of the Admin Server.
Admin installer when run in silent mode
silent_install_admin.xml
This silent_install_admin.xml file captures the input parameters selected during the install of the Admin Server. This file can later be used for doing silent installs for similar configurations.
annotation_transform.bat|sh
annotation_config.properties
annotation_transform.xml
The annotation_transform tool invokes the annotation_transform.xml ant script and gets its configuration from annotation_config.properties. This tool is only needed when you have created annotated policy files via Eclipse.
policyloader.bat|sh
asi.properties
The policyloader tool uses the asi.properties file to initialize the BLM API, which it uses to communicate with the BLM server.
policyIX.bat|sh
policyIX_config.xml
The policyIX_config.xml file needs to be updated before being used as input to the policyIX tool.
BLM WebApp
WLESblm.properties
The WLESblm.properties file is used to configure the BLM WebApp. The BLM looks for this file based on the setting for the Java option ales.blm.home, and then in /config/WLESblm.properties.
WebService interface to BLM
blm.wsdl and pd.wsdl
The WSDL files are needed to compile a Web service client that will be able to talk to the BLM server via SOAP messages.
install_ales_schema.bat|sh
uninstall_ales_schema.bat|sh
upgrade_ales_schema.bat|sh
databaseloader.bat|sh
database.properties
The database.properties file contains the JDBC URL specified during install and is used by persistence layer to connect to the database.
set-env.bat|sh
set-wls-env.bat|sh (WLS 8.x)
WLESWeblogic.conf (WLS 8.x)
WLESTomcat.conf
log4j.properties
The log4j.properties file is referenced in the set-env files used when configuring an SSM. This file controls the log4j logging for the entire SSM.
set-wls-env.bat|sh (WLS 9.x)
WLESWeblogic.conf (WLS 9.x)
log4j.wls9.properties
The log4j.wls9.properties file is similar to log4j.properties, but is specific to a WLS 9.x SSM.
set-env.bat|sh
set-wls-env.bat|sh
WLESWeblogic.conf
WLESTomcat.conf
WLESarme.properties
This file is used to configure the ASI Authorization provider.
WLESWebLogic.bat|sh
WLESWebLogic.conf
This file is used by the Wrapper tool that is used to start the WebLogic server.
WLESTomcat.bat|sh
WLESTomcat.conf
This file is used by the Wrapper tool that is used to start the Tomcat server.
propagateInitialCache.bat|sh
asiadmin.xml
This asiadmin.xml file is used by the propagateInitialCache tool. The tool runs only for bootstrap purposes upon install to properly initialize the SCM and Admin SSM. It is automatically run as part of database schema install or via "WLESadmin.bat|sh init".
load_adminpolicy.bat|sh
load.standardbase.conf
The load.standardbase.conf file is used by the load_adminpolicy tool to load the initial Admin policy after a fresh install.
 
security.properties
This file contains ALES configuration properties for an SSM. By default, the ALES runtime looks for a property file called 'security.properties' in the working directory. Only applicable to SSM running on Tomcat and WLS8.x.
 
SSM.properties
Can be used to determine the location of SCM and Admin install directories.
 
loaderauthority.xml
This file was the Naming Authority file used by the policyloader tool. The use of this file has now been deprecated and it is no longer used.
 
healthlog4j.properties
This file controlled the log4j settings for the Java wrappers that were used for running BLM and ARME native processes. The use of this file has now been deprecated and is no longer used.

SCM Configuration Files

Table 2-3 describes which configuration files are used by the SCM install.

Table 2-3 SCM Configuration Files
Tool
Config File
Explanation
 
scm_install.properties
This scm_install.properties file is set up like a Java properties file and can be read to determine the input parameters selected during the install of the Admin Server.
WLESscm.bat|sh
WLESscm.conf
This file is used by the Wrapper tool that is used to start the SCM server.
asisignal.bat|sh
enrolltool.bat|sh
WLESscm.conf
log4j.properties
The log4j.properties file is referenced from the startup scripts of the tools.
enrolltool.bat|sh
SCM.properties
Properties file for the SCM
WLESscm.conf
kernel.xml
Config file for the Phoenix Java container framework that is used for creating the SCM process.
WLESscm.conf
java.policy
Configures the security policy for the SCM Java process.

Note: The SCM process is also controlled by SCM_HOME/apps/scm-asi/SAR-INF/config.xml. This file controls the various modules that make up the SCM process.

SSM Common Configuration Files

Table 2-4 describes which configuration files are used by the SSM instance. Most files are common between various types of SSM instances; those that are specific to an SSM are described in the explanation column. Most files are located in the config directory but when this is not the case the directory is listed.

Table 2-4 Common SSM Config Files
Tool
Config File
Explanation
 
SSM_HOME/adm/ssm_install.properties
This ssm_install.properties file is set up like a Java properties file and can be read to determine the input parameters selected during the install of the SSM. Unlike most other files, this file is located in the SSM_HOME/adm directory.
 
SSM_HOME/adm/silent_install.properties
This silent_install.xml file captures the input parameters selected during the install of the SSM. This file can later be used for doing silent installs for similar configurations. Unlike most other files, this file is located in the SSM_HOME/adm directory.
SSM Examples
adm/ssm_instance.properties
This ssm_instance.properties file is set up like a Java properties file and can be read to determine the input parameters selected during the install of the SSM and creation of the SSM instance. Unlike most other files, this file is located in the INSTANCE_HOME/adm directory.
SSM instance wizard when run in silent mode
adm/silent_instance.xml
This silent_instance_admin.xml file captures the input parameters selected during the install of the SSM and creation of the SSM instance. This file can later be used for doing silent installs for similar configurations. Unlike most other files, this file is located in the INSTANCE_HOME/adm directory.
annotation_transform.bat|sh
annotation_config.properties
annotation_transform.xml
The annotation_transform tool invokes the annotation_transform.xml ant script and gets its configuration from annotation_config.properties. This tool is needed only when you have created annotated policy files via Eclipse.
policyloader.bat|sh
asi.properties
The policyloader uses the asi.properties file to initialize the BLM API that it uses to communicate with the BLM server.
policyIX.bat|sh
policyIX_config.xml
The policyIX_config.xml file needs to be updated before being used as input to policyIX tool.
set-env.bat|sh
enroll.bat|sh
unenroll.bat|sh
WLESarme.properties
log4j.properties
The log4j.properties file is referenced from the startup scripts of the tools.
set-env.bat|sh
WLESarme.properties
This file is used to configure the ASI Authorization provider.
 
shortcut.xml
Internal file used on Windows to control the shortcut menu items.
 
SSM.properties
Can be used to determine the location of SCM and Admin install directories.
 
loaderauthority.xml
This file was the Naming Authority file used by the policyloader tool. The use of this file has now been deprecated and it is no longer used.
 
healthlog4j.properties
This file controlled the log4j settings for the Java wrappers that were used for running BLM and ARME native processes. The use of this file has now been deprecated and it is no longer used.

Web Service SSM Configuration Files

The files shown in Table 2-5 are specific to the Web Service SSM.

Table 2-5 Web Service SSM Configuration Files
Tool
Config File
Explanation
 
access_control-xacml-2.0-context-schema-os.xsd
access_control-xacml-2.0-policy-schema-os.xsd
xacml.wsdl
XML schema and WSDL files that will be required when creating a WS SSM XACML client to connect to the WS SSM XACML WebService endpoint.
 
ssm-soap-types.xsd
SSM-SOAPWS.wsdl
XML schema and WSDL files that will be required when creating a WS SSM client to connect to the WS SSM server.
WLESws.bat|sh
WLESws.wrapper.conf
This file is used by the Wrapper tool that is used to start the Web service server.
 
security.properties
Properties file for the Web service server.
WLESws.wrapper.conf
kernel.xml
Config file for the Phoenix Java container framework that is used for creating the Web service Java process.
WLESws.wrapper.conf
java.policy
Configures the security policy for the Web service Java process.

WLS SSM Configuration Files

The files shown in Table 2-6 are specific to the WLS SSM.

Table 2-6 WLS SSM Configuration Files
Tool
Config File
Explanation
 
DefaultAuthorizerInit.ldift
ALES version of the LDIF Template file used by the WLS DefaultAuthorizer Provider. This file needs to be copied to the WLS domain if you plan to configure the WLS DefaultAuthorizer and ASI Authorizer providers together for the same SSM configuration.
 
XACMLAuthorizerInit.ldift (only WLS9.x)
ALES version of the LDIF Template file used by the WLS XACMLAuthorizer Provider. This file needs to be copied to the WLS domain if you plan to configure the WLS XACMLAuthorizer and ASI Authorizer providers together for the same SSM configuration.
WLESWebLogic.bat|sh
WLESWebLogic.conf
This file is used by the Wrapper tool that can be used to start the WebLogic server.
 
security.properties
Properties file for the WLS SSM server. Only applicable to SSM running WLS8.x.

