Integrating ALES with Application Environments

Introduction

Document Scope and Audience

Guide to this Document

Related Documentation

Contact Us!

Securing ALES Components

Using the Administration Console

Default Database Objects

Creating a New Admin User

ALES Resources

Administrative Operations

Privileges

Context Attributes

Evaluation Functions

Authorization Queries

Enumerated Types

ALES Identities

Default Role Mapping Policies

Default Authorization Policies

Viewing Authorization Policies

Setting Up Application Security Administrators

Overview

Establishing a Resource Parent for the Application

Create Administrative Users

Identity Directories

Users and Groups

Policies for Application-Level Administration

Integrating ALES with Applications

Overview

Security Service Modules

SSM Security Providers

Integrating ALES with Other BEA Applications

Configuring the Web Server SSM

Understanding the Web Server SSMs

Web Server SSM Overview

Web Server Environmental Binding

Web Server SSM Features

Web Single Sign-on Capabilities

What is Web Single Sign-On?

Single Sign-On Use Cases

Single Sign-On with ALES Identity Assertion

Authentication Service Features

Authorization Service Features

Auditing Service Features

Role Mapping Features

Credential Mapping Features

Administration Features

Session Management Features

Configuration Features

Web Server Constraints and Limitations

Web Server SSM Integration Tasks

Configuring and Deploying Policy for the Web Server SSM

Creating Resources

Creating Policies

Modifying Admin and Everyone Role Mapping Policies

Configuring the Application Deployment Parent

Configuring the ALES Identity Assertion and Credential Mapping Providers

Distributing Policy and Security Configuration

Configuring the Web Server Environmental Binding

Configuring the Environmental Binding for the Microsoft IIS Web Server

Configuring the Microsoft IIS Web Server Binding Plug-In File

Configuring the NamePasswordForm.acc File for the IIS Web Server

Deploying and Testing the IIS Web Server Sample Application

Configuring the Environmental Binding for the Apache Web Server

Downloading and Installing the Apache Web Server

Configuring the ALES Module

Configuring the NamePasswordForm.html File for the Apache Web Server

Deploying and Testing the Apache Web Server Sample Application

Configuring Web Single Sign-on with ALES Identity Assertion

Configuring Web Server SSMs to Web Server SSMs for SSO

Configuring Web Server SSMs to WebLogic Server SSMs for SSO

Configuring Web Server SSM Properties

Session Settings

Authentication Settings

Mapping JAAS Callback Type to Form and Form Fields

Role Mapping Settings

Credential Mapping Settings

Naming Authority Settings

Logging Level Setting

Environment Variables Accessible Using CGI

Configuring the Web Services SSM

Overview of the Web Services SSM

ssmWorkshop

ssmNET

javaWebServiceClient

XACMLClient

Web Services Security Service APIs

Authentication Service

Authorization Service

Auditing Service

Role Mapping Service

Credential Service

Configuring and Deploying Policy for the Web Services SSM

Binding the Web Services SSM to a Web Services Client

Configuring SSL in the Web Services SSM

Configuring One-Way SSL

Configuring Two-Way SSL

Configuring a WS-SSM for Two-Way SSL

Configuring a Web Services Client for Two-Way SSL

Adding New Identity Assertion Types

Configuring the WebLogic Server 8.1 SSM

Location of the WebLogic Server Domain

Modifying the startWebLogic File

Defining Security Properties

Starting and Stopping Processes

Additional Post-Installation Considerations

Protecting a Cluster of WebLogic Servers

Security Configuration

Resource Configuration

Policy Configuration

Configuring the WebLogic Server 9.x SSM

Overview of the WebLogic Server 9.x SSM

Simplified Procedure for Configuring WebLogic Server 9.x SSM

Prerequisites for Configuring the WebLogic Server 9.x SSM

Configuring the WebLogic Server 9.x SSM

Silent Configuration Mode

Sample Contents of File ConfigTool.Properties:

ConfigTool Interactive Mode Sample Output

Interactive Configuration Mode

ConfigTool Interactive Mode Sample Output

Post ConfigTool Tasks

Manual (Advanced) Procedure for Configuring WebLogic Server 9.x SSM

Prerequisites for Configuring the WebLogic Server 9.x SSM

Configuring the WebLogic Server 9.x SSM: Main Steps

Console Extension for Security Providers in the WLS 9.x Console

Modifying the startWebLogic File

Configuring Security Providers for the WebLogic Server 9.x SSM

Configuring a WLS 9.x Security Realm for ALES

Using the WebLogic Server Console to Configure Security Providers

Using the ALES Administration Console to Configure Security Providers

Post-Installation Considerations for WLS 8.1 SSM and WLS 9.x SSM

Additional Post-Installation Considerations

Setting the Boot Login for WebLogic Server

Creating a WebLogic Boot Policy

Creating the User Identity

Creating Resources for WebLogic Server

Grant Server Resource to Admin Role

Grant Admin Role to WebLogic User/Group

Binding the Resource to the ASI Authorization Provider

Distributing the Policies to the Security Service Module

Creating a WebLogic Console Policy

Protecting Resources

Integrating with BEA Workshop for WebLogic Platform

Overview of the ALES Annotations Plug-in

Setting Up the ALES Annotations Plug-in for Workshop

Example: Using ALES Annotations in a WebLogic Bean Class

Create a WebLogic SessionBean

Add ALES Annotations to the WebLogic Bean Class

Configure ALES Annotations Properties

Export the ALES Policy File from Workshop

Import an ALES Annotations policy using policyIX

Use the Resources Defined with ALES Annotations to Write Policies

ALES Tag Library Plug-in for Workshop

ALES Tag Library Overview

ALES Tag Library Tags

ALES Tag Library Walk-Through

Authenticated Subject is Determined by WebLogic Server

Example of Using ALES Tags in a JSP Page

Adding the ALES Tag Library to Workshop

Integration Prerequisites

Integrating the Tag Library with Workshop: Main Steps

Using Tag Resources in Your ALES Policy Definitions

How to Write Policies That Return Response Attributes

ALES Tag Library Reference

isAccessAllowed

isAccessAllowed Concepts

isAccessNotAllowed

isAccessNotAllowed Concepts

isAccessAllowedQueryResources

isAccessAllowedQueryResources Concepts

getUserRoles

getUserRoles Concepts

isUserInRole

isUserInRole Concepts

setSecurityContext

setSecurityContext Concepts

recordEvent

recordEvent Concepts

Attribute

attribute Concepts

Integrating with WebLogic Portal

Introduction

Integration Features

Supported Use-case Scenario

Constraints and Limitations

Integration Pre-Requisites

Integrating with WebLogic Portal 9.2: Main Steps

Creating the Portal Application Security Configuration

Using the WebLogic Server Console to Configure Security Providers

Modifying the Portal Server startWeblogic File

Replacing WLP 9.2 .ldift Files

Integrating with WebLogic Portal 8.1: Main Steps

Creating the Portal Application Security Configuration

Binding the Security Configuration

Distributing the Security Configuration

Creating an Instance of the Security Service Module

Enrolling the Instance of the Security Service Module

Modifying the Portal Server startWeblogic File

Creating the security.properties File

Replacing the Portal p13n_ejb.jar File

Replacing the Portal p13n_system.jar File

Replacing WLP 8.1 .ldift Files

Configuring Policy for the Portal Application

Creating the Identity Directory and Users

Configuring Resources and Privilege

Creating the Realm Resource

Creating the Shared Resources

Creating the Console Resources

Creating the PortalApp Resources

Creating the Role Mapping Policy

Creating Authorization Policies

Policy for Visitor Entitlements to Portal Resources

Configuring Policy for Desktops

Configuring Policy for Books

Configuring Policy for Pages

Configuring Policy for Portlets

Accessing a Portlet Requires Policy that Grants View to the com_bea_p13n Resource

Configuring Policy for Look and Feels

Defining Policy for Portlets using Instance ID

Discovering Portal Application Resources

Distributing Policy and Security Configuration

Starting the WebLogic Portal Server

Configuring Portal Administration to Use the WebLogic Authenticator

Using Portal Administration Tools to Create a Portal Desktop

Accessing the Portal Application

Integrating with AquaLogic Data Services Platform

Introduction

Integration Features

Supported Use-case Scenario

Constraints and Limitations

Integration Pre-Requisites

Integrating with AquaLogic Data Services Platform: Main Steps

Enabling Elements for Access Control

Creating the WebLogic Server SSM Configuration

Binding the SSM Configuration

Distributing the SSM Configuration

Creating an Instance of the Security Service Module

Enrolling the Instance of the Security Service Module

Creating the WebLogic Server startWebLogicALES File

Creating the security.properties File

Configuring Policy for Data Services

Creating the Identity Directory and Users

Configuring Resources and Privilege

Creating the RTLApp Application Resources

Creating the ALDSP Resources

Creating the Role Mapping Policies

Creating Authorization Policies

Discovering Data Services

Distributing Policy and SSM Configuration

Starting the WebLogic Server

Accessing the ALDSP Application

Pre- and Post-Processing Data Redaction Solutions

Overview of Pre- and Post-Processing Data Redaction Solutions

How the Pre-Processing Solution Integrates with ALDSP

Types of Pre-processing Obligations

Predefined ALES Privilege is Required

Predefined ALES Response Attribute Names Are Required

How to Use the Pre-Processing Data Redaction Solution

Modify set-wls-env Script to Enable Pre-Processing Solution

Write Replacement Function

Define Policies for Replacement Function

Define Policies for XQuery Expression

Define Namespace Bindings

How the Post-Processing Solution Integrates With ALDSP

ALES Java Methods

ALES Java Method Parameter Format

ALES Java Method Return Values

How to Write Policies That Return Response Attributes as ALDSP Obligations

How to Write and Configure the Security XQuery Function

How to Integrate the ALES Java Methods

ALES Security XQuery Function Integration Example

Integrating with AquaLogic Enterprise Repository

Introduction

Setting Up ALER to Manage ALES Assets

Setting ALER System Properties for Import and Export

Importing the ALES Policy Asset Type into ALER

Using ALER to Manage ALES Assets

ALES Policy Asset Type

Viewing ALES Policy Assets in the ALER Console

Versioning ALES Assets

Importing and Exporting with policyIX

Exporting to ALER from ALES

Importing to ALES from ALER

Configuration File for ALER Importing and Exporting

Integrating with AquaLogic Service Bus

Introduction

Integrating with AquaLogic Service Bus: Main Steps

Integration Pre-Requisites

Creating the WebLogic Server SSM Configuration

Create an Instance of the Security Service Module

Enroll the Instance of the Security Service Module

Enable the Console Extension for Security Providers in the WLS 9.x Console

Modify the startWebLogic File

Configure ALES Security Providers in the WebLogic Administration Console

Configure the Security Realm

Configure a Database Authenticator

Configure an ASI Authorization Provider

Replace the Default Adjudicator with the ASI Adjudicator

Configure an ASI Role Mapper

Activate Changes

Configure ALES Security Providers in the ALES Administration Console

Create the weblogic User

Create a New SSM Configuration

Bind the Configuration to the SCM

Configuring Resources and Policies for ALSB

Configuring ALSB Resources

Creating a Regular Resource

Creating a Virtual Resource

Creating the ALSB Proxy Service Resources

Creating a Resource Binding Application and Distribution Point

Creating a Resource Tree

Discovering Services

Configuring ALSB Policies

Authorization Policy Examples

Role Mapping Policy Examples

Distribute Changes

Verify the Configuration Using the Performance Auditing Provider

Configure the PerfDBAudit Provider

Restart the Domain

Generate Data

Enabling SAML-based Single Sign-On

Overview

Configuring ALES as a SAML Assertion Consumer

Configuring ALES as a SAML Assertion Producer

Enabling SPNEGO-based Single Sign-on

Configuring Single Sign-On with Microsoft Clients

Requirements

Enabling a Web Service or Web Application

Configuring the SPNEGO Security Provider

Editing the Descriptor File

Configuring Active Directory Authentication

Utility Requirements

Configuring and Verifying Active Directory Authentication

Configure the Active Directory Authentication Provider

Configure the Client .NET Web Service

Configure the Internet Explorer Client Browser

Configure the Sites

Configure Intranet Authentication

Verify the Proxy Settings

Set the Internet Explorer 6.0 Configuration Settings

Authorization Caching

Authorization Cache Operation

Configuring Authorization Caching

Authorization Caching Expiration Functions

AquaLogic Enterprise Security Adapter for Sun Identity Manager

Set Up ALES Resource in Sun Identity Manager

Enable Active Sync for ALES Resource

Using the WebLogic 9.x SSM

Using the WebLogic 8.x SSM

Set Up Active Sync in Identity Manager

