Configuring the Oracle SSM

The Oracle SSM makes use of a feature in Oracle 10g called Fine Grained Access Control (FGAC). FGAC allows an Oracle customer to define access policies to restrict access to database tables for DML operations.

FGAC is used to intercept DML queries on protected tables and filter the result sets based on user entitlements stored in ALES. The Web Service SSM Client Library is used to invoke Authorization queries.

Prerequisites

Oracle 10g Release 2 (10.2.0.1.0) is installed and configured.
ALES Admin is installed on one system.
Web Service SSM is installed and on another system, as described in Configuring SSMs Using ConfigTool. The Web Service SSM needs to be installed and configured properly before you install the Oracle SSM.

As an alternative, you can use the BEA_HOME\ales30-ssm\webservice-ssm\examples\JavaWebServiceClient example to quickly set up a Web Service SSM, and then use the resulting SSM to configure Oracle SSM.

The example program, the Oracle SSM, and the Web Service SSM instance must be on the same system.
The currently logged on user must belong to the ora_dba group on Windows or dba group on Unix.

For instance, if the currently logged on user is 'joe' then 'joe' needs to be in the ora_dba or dba group, as appropriate.

This is required in order to connect as "system" user with "SYSDBA" role.

Steps to Create and Configure the Oracle SSM

Make sure all Administration Server and WebService SSM services have been started.
If the enrollment process has not been performed for the BEA_HOME that this SSM belongs to, then:

Run the enroll tool, as described in Enrollment. You can use demo mode.
Include the password for system in the encrypted password.xml by running the following in the ales30-shared/bin directory:

asipassword.bat|sh system ../keys/password.xml ../keys/password.key

Create an Oracle SSM instance that matches what is listed in ALES30_SSM/oracle-ssm/examples/OracleSSM/build.properties.

To do this, use ALES30_SSM/oracle-ssm/adm/instancewizard.cmd|sh.

Open a shell window and change directory to ORACLE_SSM_INSTANCE/bin.
If required, update JAVA_HOME in ORACLE_SSM_INSTANCE/bin/set-env.bat|sh.
Execute ORACLE_SSM_INSTANCE/bin/setupOracleSSM.bat|sh in the shell window. Substitute your actual values for each field.

        setupOracleSSM.bat|sh

        -jdbc_url <JDBC_URL>

        -oracle_home <c:/oracle/products/10.2.0/db2>

        -db_sys_user <system>

        -db_sys_password <password>

        -ales_ssm_home <c:/bea/ales30-ssm>

        -ws_ssm_instance_dir <c:/bea/ales30-ssm/webservice-ssm/instance/ssmws>

        -db_user <ales_ora_user>

        -db_password <password>

        -load_example_table <true>

Note:

If a password is not provided, the tool prompts for one. The password entry does not echo.

Open a shell window and change the directory to ales30-ssm/oracle-ssm/examples/OracleSSM.
Update build.properties and then execute set-env.bat|sh.
Run ant dist config load.
In ALES Administration Console, perform the following steps:

Go to SSM Configuration of the Web Service SSM and click on Authentication -> FGACIdentityAsserter.
On the Details tab page enter the Key value which is the value of secret property defined inside ORACLE_HOME\ssm-properties\oracle-ssm.properties.

Click Apply.

Go to Deployment. On Configuration tab page, distribute configuration.
Restart Web Service SSM instance.

Update ales30-ssm/oracle-ssm/examples/OracleSSM/Client.properties to reflect your {jdbcUrl,schemaName,queryType,query} settings
Run run.bat|sh to execute client.

Sample Oracle Client Run-Result

Listing 6-1 shows a sample test result for a queryType of select, update, and delete.

SSM Installation and Configuration Guide

Configuring the Oracle SSM

Prerequisites

Steps to Create and Configure the Oracle SSM

Sample Oracle Client Run-Result