SSM Installation and Configuration Guide


Configuring SSMs Using ConfigTool

This section describes how to configure the WLS, WLS 8.1, Java, and Web Service SSMs using the ConfigTool.

 


Prerequisites

 


ConfigTool Overview

For the WLS, WLS 8.1, Web Service, and Java SSMs, this version of ALES provides a utility called the ConfigTool that automates a number of steps that must otherwise be performed manually. In particular, the ConfigTool defines the SSM’s initial configuration as well as a set of basic policies that can be added to or modified as required to secure the application.

Note: Since the WLS SSM uses WebLogic security providers, the ConfigTool adds these to the WebLogic server. They must be managed using the WebLogic console.

It is recommended that you generate an initial configuration with the ConfigTool and then use the Administration Console and Entitlements Management Tool to update or modify the policies as needed to secure the application.

When the ConfigTool runs, the information added depends on template files provided when the SSM is installed. These files are located in the SSM’s config directory. For example, the template files used for configuring the Java SSM are located in C:\bea\ales30-ssm\java-ssm\config\java-ssm\ales-policies.

The data added by the ConfigTool depends on the type of SSM and is based on out-of-box policies that are provided when the SSM is installed. Table 4-1 provides a general description of the type of information added.

Table 4-1 Information Added by ConfigTool (database entries and their descriptions)

    Security Service Module
        An SSM is created to contain the security providers that make decisions about
        user requests in the protected application.

    Security Providers
        Creates a number of security providers that the SSM uses to secure the
        application. For example, the ConfigTool adds the following providers for a
        Web Service SSM:
            ASI Adjudicator
            Log4j Auditor
            ALES Identity Asserter
            Database Authenticator
            ASI Authorization Provider
            ALES Identity Credential Mappers
            ASI Role Mapper Provider
        Note: For the WLS SSM, the ConfigTool adds the providers to WebLogic, where they
        are managed using the WebLogic console.

    Identity Directory
        The Identity Directory is used to define and manage the users and groups of the
        protected application. Its name is specified in myssm_config.properties
        (ales.identity.dir) before the ConfigTool is run.

    Resources
        The resource root that serves as the parent of the application resources to
        which authorization policies are assigned. Its name is specified in
        myssm_config.properties (ales.resource.root) before the ConfigTool is run.

    Policies
        A number of default authorization and role mapping policies. Which policies are
        added depends on the SSM type.

Before running the ConfigTool, a properties file must be updated to include names and other information you want the tool to use when adding the initial configuration and policies.

The tool has check (validate) and process options. In check mode, the tool verifies that the SSM instance can be created without error. In process mode, the tool actually creates the SSM instance and configuration. It is recommended that you first run with the check option to make sure that there are no errors.

ConfigTool Steps

The ConfigTool performs a number of steps that are not observable during execution. This section provides a detailed description of ConfigTool operations. These operations are performed in three stages:

Collects and Builds Configuration Data

Performs Preconfiguration Checks

Makes Configuration Changes

Collects and Builds Configuration Data

The following steps are performed:

    1. Reads the configuration information specified in the properties file. Confirms
        any default values that were not specified and prompts for any required data.
    2. Builds a properties object with all the information.
    3. Copies the policy files from the SSM’s /config/<SSM_TYPE>/ales-policies into
        a temporary directory.
    4. Substitutes all "@...@" values in the temp directory with data in the properties object.
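To make the substitution in step 4 concrete, the following POSIX shell script is an added example (it is not part of the ConfigTool and uses no ALES code): it reads a myssm_config.properties-style file and replaces each @key@ token in a template, and it refuses to succeed silently when a token has no value. The template it writes is a constructed stand-in, not a real file from ales-policies; the property names are the ones from Table 4-2.

```shell
#!/bin/sh
# Added example, not ALES code: reproduce stage 1, step 4 of the ConfigTool by
# replacing every @name@ token in a policy template with the value of the same
# key from a myssm_config.properties-style file. The template and properties
# written by demo_render are constructed for this example; the real templates
# live under the SSM's config/<SSM_TYPE>/ales-policies directory.

# Print the value of <key> from <file> (first match wins, surrounding spaces trimmed).
prop_get() {  # prop_get <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Render <template> to stdout with @key@ tokens taken from <props>.
# A token with no value is left in place and reported on stderr, and the
# function returns 1, so a misspelled property name cannot silently produce a
# policy that still refers to "@ales.resource.root@".
render_template() {  # render_template <template> <props>
    tpl=$1; props=$2; status=0; script=""
    for key in $(grep -o '@[A-Za-z0-9_.]*@' "$tpl" | tr -d '@' | sort -u); do
        val=$(prop_get "$props" "$key")
        if [ -z "$val" ]; then
            echo "unresolved token @$key@ in $tpl" >&2
            status=1
            continue
        fi
        # Escape the characters that are special in a sed replacement
        # (backslash, '&', and the '|' used as delimiter below).
        esc=$(printf '%s' "$val" | sed 's/[\\&|]/\\&/g')
        script="$script;s|@$key@|$esc|g"
    done
    sed "${script#;}" "$tpl"
    return $status
}

# Constructed sample input: a few properties and a stand-in template
# (not a real ALES policy file).
demo_render() {
    dir=$(mktemp -d)
    cat > "$dir/myssm_config.properties" <<'EOF'
ssm.conf.id = MyAppName
ssm.instance.name = MySsm
ales.resource.root = //app/policy/MyApp
ales.identity.dir = MyDir
EOF
    cat > "$dir/sample.tpl" <<'EOF'
# constructed stand-in for a file under ales-policies
resource_root = @ales.resource.root@
identity_directory = @ales.identity.dir@
instance = @ssm.instance.name@ (@ssm.conf.id@)
EOF
    render_template "$dir/sample.tpl" "$dir/myssm_config.properties"
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo_render
```

Run render_template against a copy of a real template from the SSM's ales-policies directory and your own properties file to see exactly what the ConfigTool will load; any token reported as unresolved means the properties file is missing or misspelling a key.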

Performs Preconfiguration Checks

The following checks are performed. If any check fails, the tool aborts and exits before any configuration change is made.

    1. If custom.ant.script is enabled, verifies that the script file exists.
    2. Verifies that enrollment was performed.
    3. Verifies that asipassword was run.
    4. Verifies that the SSM instance does not already exist.
    5. Verifies that the ARME port is free.
    6. Checks connectivity to the BLM server process on the Administration Server.
    7. Checks the JDBC parameters by connecting to the database.
    8. For all WebLogic domains, verifies that the domain directory exists and that it
        contains no ConfigTool backup files (this prevents changes to a domain that is
        already secured).
    9. For WebLogic 9.2 and later, verifies config.xml and that the domain is not running,
        then starts the domain, verifies that the WLST script can connect and log in, and
        shuts the domain down again.

Makes Configuration Changes

The following steps are performed:

    1. Uses the SSM's instance wizard (instancewizard.sh|bat) to create the SSM instance.
    2. Uses the policy loader to load the policies from the temporary directory.
    3. Uses the SetPassword tool to set the password for the Administration Server system user.
    4. For WebLogic domains, edits the StartWeblogic script in the domain to insert the
        ALES JAR files into the CLASSPATH and to add the ALES "JAVA_OPTIONS". It also
        copies the security.properties file.
    5. For WebLogic 9.2 and later, starts and verifies the WebLogic domain, creates a new
        security realm, creates and configures all required providers (ALES and others),
        switches the default realm to the new realm, and shuts the domain down.

 


Configuration Steps

  1. If using an SCM on the machine, make sure it is running.
  2. Make a backup copy of myssm_config.properties located in the SSM’s adm directory. Then open the file in a text editor and make the changes shown in Table 4-2.
    Table 4-2 Properties File Modifications (field, followed by its description)

    wls.domain.dir
        (WLS, WLS 8.1 SSM only) The path to the WebLogic domain directory. Note: use forward slashes, even on Windows.
        Example: wls.domain.dir = BEA-HOME/user_projects/domains/App1_domain

    ssm.conf.id
        A unique name for the SSM in the ALES system.
        Example: ssm.conf.id = MyAppName

    db.password
        The ALES database user's password. The name of the ALES database user can be obtained by viewing database.properties in the Administration Server's config directory.
        The ConfigTool prompts for this value if it is not specified in the properties file. For security purposes, it is recommended that you not store clear-text passwords in the properties file: leave the password values out and enter them at the prompt. If you must store one temporarily, restrict read access to the file and remove the value once the ConfigTool has run.
        Example: db.password = <password>

    ales.admin.password
        The ALES administrator's password. The default ALES administrator user name and password are system and weblogic respectively; change the default on any installation that is not a throwaway test system.
        The ConfigTool prompts for this value if it is not specified in the properties file. For security purposes, it is recommended that you not store clear-text passwords in the properties file.
        Example: ales.admin.password = weblogic

    ssm.admin.name
        The user name required to boot the application or WebLogic domain secured by the SSM. For WebLogic domains, the default user name is weblogic.
        Example: ssm.admin.name = weblogic

    ssm.admin.password
        The password for the user name above. For WebLogic domains, the default password is weblogic.
        The ConfigTool prompts for this value if it is not specified in the properties file. For security purposes, it is recommended that you not store clear-text passwords in the properties file.
        Example: ssm.admin.password = weblogic

    ssm.type
        The SSM type. One of the following:
        java-ssm — Java SSM
        webservice-ssm — Web Service SSM
        wls8-ssm — WebLogic 8.x domain
        aldsp-ssm — ALDSP-based domain in WebLogic 8.x
        wls-ssm — WebLogic 9.x or 10.x domain
        wls-portal-ssm — Portal-based domain in WebLogic 9.x/10.x
        wls-alsb-ssm — ALSB-based domain in WebLogic 9.x/10.x
        Example: ssm.type = wls-portal-ssm

    db.login
        (Required only if the Administration Server is on a separate machine) The ALES database user name, which can be obtained by viewing database.properties in the Administration Server's config directory.
        Example: db.login = alfred

    ales.admin.name
        (Required only if the Administration Server is on a separate machine) The ALES administrator's user name. The ConfigTool prompts for this value if it is not specified in the properties file. The default ALES administrator user name and password are system and weblogic respectively.
        Example: ales.admin.name = system

    ssm.instance.name
        The name that will be assigned to the SSM instance.
        Example: ssm.instance.name = MySsm

    ales.resource.root
        The name of the root resource under which the application resources to be secured will be defined. The root resource must be preceded by //app/policy/.
        Example: ales.resource.root = //app/policy/MyApp

    ales.identity.dir
        The name of the Identity Directory that will be created to define and manage the application's users and groups.
        Example: ales.identity.dir = MyDir

    db.jdbc.url (Database JDBC URL)
        (Required only if the Administration Server is on a separate machine) The JDBC connection string to the ALES database. The form varies by database type:
        Oracle — jdbc:oracle:thin:@<server>:<port>:<sid>
        Sybase — jdbc:sybase:Tds:<server>:<port>
        SQL Server — jdbc:sqlserver://<server>:<port>
        PointBase — jdbc:pointbase:server://<server>/ales
        where:
        <server> — name or IP address of the database machine
        <port> — port on which the database listener is running
        <sid> — SID of the Oracle database
        Example for Oracle: db.jdbc.url = jdbc:oracle:thin:@db_server:1521:db_sid

    Database JDBC Driver
        (Required only if the Administration Server is on a separate machine) The JDBC driver class for the database. One of the following:
        Oracle — oracle.jdbc.driver.OracleDriver
        Sybase — com.sybase.jdbc3.jdbc.SybDriver
        SQL Server — com.microsoft.sqlserver.jdbc.SQLServerDriver
        PointBase — com.pointbase.jdbc.jdbcUniversalDriver
        DB2 — com.ibm.db2.jcc.DB2Driver

    arme.port
        The ARME port number that was specified when the SSM was installed; the default is 8000.
        Example: arme.port = 8000

    custom.ant.script
        (Advanced users only) An Ant script to be executed after the configuration is complete; such a script can add further configuration. The ConfigTool executes whatever the script contains, so keep it under the same access controls as the properties file.
        Example: custom.ant.script = /<dir_name>/CustomAntScript.xml
  3. Run ConfigTool.bat -check myssm_config.properties to ensure there are no errors.
  4. Run ConfigTool.bat -process myssm_config.properties.
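Before step 3, the properties file itself can be checked for the mistakes Table 4-2 warns about: backslashes in wls.domain.dir, a resource root outside //app/policy/, an unknown ssm.type, a non-numeric arme.port, and passwords left in clear text. The script below is an added example, not part of ALES. It only reads the properties file, uses the property names from Table 4-2, and writes a constructed sample to a temporary directory for the demonstration. It does not replace ConfigTool -check, which verifies enrollment, ports and database connectivity.

```shell
#!/bin/sh
# Added example, not part of ALES: a pre-flight check of myssm_config.properties
# against the rules in Table 4-2, to run before "ConfigTool.bat -check".
# "-check" verifies the environment (enrollment, ports, database connectivity);
# this script catches file-level mistakes first, so a typo does not surface as
# a confusing environment error. Property names are the ones documented above;
# the sample file written by demo_check is constructed for this example.

# Print the value of <key> from <file> (first match wins, surrounding spaces trimmed).
prop_get() {  # prop_get <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

fail() { echo "FAIL: $*"; errs=$((errs + 1)); }

# Return 0 if <file> passes; otherwise print one FAIL line per problem and return 1.
check_ssm_props() {  # check_ssm_props <properties file>
    f=$1; errs=0

    # Names the ConfigTool needs for every SSM type.
    for key in ssm.conf.id ssm.instance.name ssm.type ales.resource.root ales.identity.dir arme.port; do
        [ -n "$(prop_get "$f" "$key")" ] || fail "$key is not set"
    done

    # ssm.type must be one of the values listed in Table 4-2.
    t=$(prop_get "$f" ssm.type)
    case "$t" in
        java-ssm|webservice-ssm|wls8-ssm|aldsp-ssm|wls-ssm|wls-portal-ssm|wls-alsb-ssm) ;;
        *) fail "ssm.type '$t' is not a known SSM type" ;;
    esac

    # WebLogic SSMs need wls.domain.dir, and it must be written with forward slashes.
    case "$t" in
        wls8-ssm|aldsp-ssm|wls-ssm|wls-portal-ssm|wls-alsb-ssm)
            d=$(prop_get "$f" wls.domain.dir)
            [ -n "$d" ] || fail "wls.domain.dir is required for ssm.type $t"
            case "$d" in *\\*) fail "wls.domain.dir must use forward slashes: $d" ;; esac
            ;;
    esac

    # The resource root must be preceded by //app/policy/.
    r=$(prop_get "$f" ales.resource.root)
    case "$r" in
        //app/policy/?*) ;;
        *) fail "ales.resource.root must start with //app/policy/: '$r'" ;;
    esac

    # arme.port must be a plain port number (the default is 8000).
    p=$(prop_get "$f" arme.port)
    case "$p" in *[!0-9]*) fail "arme.port must be numeric: '$p'" ;; esac

    # Passwords belong at the ConfigTool prompt, not in clear text in this file.
    for key in db.password ales.admin.password ssm.admin.password; do
        [ -z "$(prop_get "$f" "$key")" ] || fail "$key is stored in clear text; remove it and enter it at the prompt"
    done

    [ "$errs" -eq 0 ]
}

# Constructed sample: a WLS SSM configuration that passes every rule above.
demo_check() {
    tmp=$(mktemp -d)
    cat > "$tmp/myssm_config.properties" <<'EOF'
wls.domain.dir = /bea/user_projects/domains/App1_domain
ssm.conf.id = MyAppName
ssm.type = wls-ssm
ssm.admin.name = weblogic
ssm.instance.name = MySsm
ales.resource.root = //app/policy/MyApp
ales.identity.dir = MyDir
arme.port = 8000
EOF
    check_ssm_props "$tmp/myssm_config.properties"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_check && echo "properties file passes; now run ConfigTool.bat -check myssm_config.properties"
```

Point check_ssm_props at the real myssm_config.properties in the SSM's adm directory; a clean run means the file is consistent with Table 4-2, and the ConfigTool -check run that follows is then left to report environment problems only.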

 


Add JDBC Driver to the Classpath

This section describes how to specify the location of the JDBC driver in the CLASSPATH environment variable. This is required if you are using a MS SQL, PointBase, or DB2 database and the WLS, WLS 8.1, Java, or Web Service SSM.

Notes:

Web Service SSM

To add the JDBC driver to the CLASSPATH, edit INSTANCE_HOME/config/WLESws.wrapper.conf and append the JDBC driver to the wrapper.java.classpath parameter.

Example:

wrapper.java.classpath.48=F:/bea/ales30-ssm/webservice-ssm/lib/sslclient.jar
wrapper.java.classpath.49=F:/bea/ales30-ssm/webservice-ssm/lib/pdsoap11.jar
wrapper.java.classpath.50=F:/bea/ales30-ssm/webservice-ssm/lib/antlr.jar
wrapper.java.classpath.51=F:/pbclient51.jar

Java SSM

To add the JDBC driver to the CLASSPATH, edit INSTANCE_HOME/bin/set-env.bat (or set-env.sh) and append the JDBC driver to the CLASSPATH environment variable.

Example:

set CLASSPATH=%CLASSPATH%;%INSTALL_HOME%\lib\antlr.jar
set CLASSPATH=%CLASSPATH%;%INSTALL_HOME%\lib\jaxrpc.jar
set CLASSPATH=%CLASSPATH%;f:\pbclient51.jar

WLS and WLS 8.1 SSMs

To add the JDBC driver to the CLASSPATH, edit the INSTANCE_HOME/bin/set-wls-env.bat (or set-wls-env.sh) file and append the JDBC driver location to the WLES_POST_CLASSPATH environment variable.

Example:

set WLES_POST_CLASSPATH=%WLES_POST_CLASSPATH%;%INSTALL_HOME%\lib\jsafeJCE.jar
set WLES_POST_CLASSPATH=%WLES_POST_CLASSPATH%;%INSTALL_HOME%\lib\asn1.jar
set WLES_POST_CLASSPATH=%WLES_POST_CLASSPATH%;%INSTALL_HOME%\lib\certj.jar
set WLES_POST_CLASSPATH=%WLES_POST_CLASSPATH%;f:\pbclient51.jar
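Appending these entries by hand is easy to get wrong in two ways: the wrapper.conf index must be unique and one higher than the last entry, and repeating the edit must not list the jar twice. The POSIX shell functions below are an added example, not part of ALES, that perform the two edit styles shown above (wrapper.java.classpath.N lines and set VAR=%VAR%;path lines), keep the file's CRLF line endings, and refuse to reference a jar that does not exist on the host. The files and the stand-in jar used in the demonstration are constructed in a temporary directory; the set-env.sh layout is not shown on this page and is not handled.

```shell
#!/bin/sh
# Added example, not ALES code: add a JDBC driver jar to the two classpath
# layouts shown in this section without ever listing it twice.
#   wrapper.conf style:  wrapper.java.classpath.<N>=<jar>   (Web Service SSM)
#   set-env.bat style:   set VAR=%VAR%;<jar>               (Java SSM, WLS SSMs)
# Each function first checks that the jar exists on this host; a path that is
# wrong here only shows up later as a ClassNotFoundException at SSM start-up.
# The set-env.sh layout is not shown on this page and is not handled.
# The files and jar used by demo_add are constructed for this example.

# Highest existing wrapper.java.classpath.<N> index in <file>, or 0 if there is none.
max_wrapper_index() {  # max_wrapper_index <wrapper.conf>
    sed -n 's/^wrapper\.java\.classpath\.\([0-9][0-9]*\)=.*/\1/p' "$1" \
        | sort -n | tail -n 1 | { read -r n; echo "${n:-0}"; }
}

# Append a line to <file>, using CRLF if the file already uses CRLF (as .conf
# and .bat files edited on Windows usually do).
append_line() {  # append_line <file> <text>
    if grep -q "$(printf '\r')" "$1"; then printf '%s\r\n' "$2" >> "$1"
    else printf '%s\n' "$2" >> "$1"; fi
}

# Add <jar> as wrapper.java.classpath.<max+1>=<jar>; a no-op if already listed.
add_wrapper_classpath() {  # add_wrapper_classpath <wrapper.conf> <jar>
    f=$1; jar=$2
    [ -f "$jar" ] || { echo "refusing: $jar does not exist" >&2; return 1; }
    if sed -n 's/^wrapper\.java\.classpath\.[0-9][0-9]*=//p' "$f" | tr -d '\r' | grep -qxF -- "$jar"; then
        echo "already present: $jar"; return 0
    fi
    n=$(max_wrapper_index "$f")
    append_line "$f" "wrapper.java.classpath.$((n + 1))=$jar"
}

# Add "set VAR=%VAR%;<jar>" to a set-env.bat style file; a no-op if already listed.
add_setenv_classpath() {  # add_setenv_classpath <set-env.bat> <VAR> <jar>
    f=$1; var=$2; jar=$3
    [ -f "$jar" ] || { echo "refusing: $jar does not exist" >&2; return 1; }
    line="set $var=%$var%;$jar"
    if tr -d '\r' < "$f" | grep -qxF -- "$line"; then
        echo "already present: $jar"; return 0
    fi
    append_line "$f" "$line"
}

# Constructed demo: a wrapper.conf fragment, a CRLF set-env.bat fragment and an
# empty stand-in jar in a temporary directory.
demo_add() {
    tmp=$(mktemp -d)
    : > "$tmp/pbclient51.jar"
    printf 'wrapper.java.classpath.49=/bea/ales30-ssm/webservice-ssm/lib/pdsoap11.jar\n' > "$tmp/WLESws.wrapper.conf"
    printf 'set CLASSPATH=%%CLASSPATH%%;%%INSTALL_HOME%%\\lib\\antlr.jar\r\n' > "$tmp/set-env.bat"
    add_wrapper_classpath "$tmp/WLESws.wrapper.conf" "$tmp/pbclient51.jar"
    add_wrapper_classpath "$tmp/WLESws.wrapper.conf" "$tmp/pbclient51.jar"   # second call: no duplicate
    add_setenv_classpath "$tmp/set-env.bat" CLASSPATH "$tmp/pbclient51.jar"
    cat "$tmp/WLESws.wrapper.conf" "$tmp/set-env.bat"
    rm -rf "$tmp"
}

demo_add
```

For the WLS SSMs, call add_setenv_classpath with WLES_POST_CLASSPATH as the variable name and INSTANCE_HOME/bin/set-wls-env.bat as the file; the existence check assumes the jar path is visible from the machine where the script runs.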
