Administration Application Installation
This section provides information and guidelines to assist you in installing, configuring, and managing the database server and the database client to be used with the WebLogic Enterprise Security Administration Application. This information is not meant to replace or supersede in any way the database documentation provided by Oracle and Sybase for their database server and client products. Also, the information provided here assumes that you are familiar with the Oracle database documentation.
BEA WebLogic Enterprise Security stores all policy and configuration data used by the Administration Application and Security Service Modules in the policy database. You can use either an Oracle database or a Sybase database for your policy data storage. You must install and configure the database server software before you install the Administration Application. If you install the Administration Application on a machine other than the machine on which you install the database, you must also install and configure the respective Oracle or Sybase client on that machine.
Note: To perform a database installation and setup, you must be a database administrator with a database administrator username and password and permission to create a new instance. In addition, you should be knowledgeable about the operating system you are working with and be adept at database installations and configuration issues. If you do not feel comfortable performing any of these tasks, ask your database administrator for assistance.
This section covers the following topics:
This section contains the procedures for setting up and administering an Oracle database and an Oracle Client. It covers the following topics:
Before you install and set up your Oracle database, review the following topics to better understand Oracle database configuration requirements:
The Oracle database service is the server in the Oracle client/server architecture (see Figure 3-1). The database service manages a database instance and multiple database users, keeps track of the actual location of data on disks, maintains mapping of logical data to physical data storage, and maintains data and procedure caches in memory. In this section, the example of the Oracle service name is viewed from the client perspective.
Each Oracle service is identified by a global database name and an Oracle system identifier referred to as the SID. The Oracle global database name is the full name of a database that uniquely differentiates it from any other databases in your network domain. One global database name can represent several database instances. The global database name is also known as the service name. The SID distinguishes the database instance from any other database instances on the same machine.
Figure 3-1 Oracle Database Setup
An Oracle instance is a running Oracle database made up of memory structures and background processes. Each instance is associated with an SID. With the Oracle Parallel Server, multiple instances can exist on different machines for a single database.
The policy database is a set of database schemas in which all data are stored. A database schema is a collection of objects associated with a particular schema name. The objects include tables, views, domains, constraints, assertions, privileges, and so on.
A datafile is an Oracle term for a file that contains the contents of logical database structures, such as tables and indexes. One or more datafiles form a logical unit of storage called a tablespace. A datafile is associated with only one tablespace and only one database.
A tablespace is a logical portion of a database used to allocate storage for table and index data. Each tablespace corresponds to one or more physical datafiles. Every Oracle database has a tablespace called SYSTEM and may have additional tablespaces. A tablespace is used to group related logical structures.
The database username or user ID is a login that is given permission by the database administrator to access a specific database instance. This user is also called the schema owner, that is, the owner of the schema objects such as tables, views and triggers that are created.
Table 3-1 describes the minimum requirements for the system on which the Oracle database server is installed.
Note: On Linux platforms, BEA recommends using the Oracle 9.2.0.4 client. Use of an earlier version may seriously increase the amount of system memory used by the WebLogic Enterprise Security servers or processes. This behavior can eventually cause the server to use up the system memory. The use of 9.2.0.4 does not exhibit this behavior.
As required by Oracle server installation, plus space required to store policy data; 500 MB recommended.
Refer to your installation guide for the Oracle Database Server.
Minimum of one tablespace with 250 MB of free space is required. To approximate space requirements for any policy size, use the formula in Calculating Oracle Tablespace Size Requirements.
Oracle Client that ships with your version of the product. BEA requires that the version of your client software be the same as the database to which you are connecting. Do not use an older version of the client software to connect to a newer version of the database server.
This section provides additional instructions for installing and configuring an Oracle database for use with the WebLogic Enterprise Security Administration Application.
To install and configure the database, perform the following tasks:
This section provides recommendations for installing the Oracle database and creating a database instance. When you run the Oracle installation program, it automatically starts the Database Configuration Assistant, which you use to create an instance of the database. If the Oracle database is already installed on the database host machine, you can skip this procedure and go to Creating an Instance of an Oracle Database and then go to Configuring an Oracle Policy Database.
To install the Oracle database and create a database instance, perform these steps:
(SID). The SID distinguishes the database instance from any other database instances on the same machine.
SYS and SYSTEM Passwords: The Oracle database install program creates two user accounts, SYS and SYSTEM, and assigns default passwords. During the installation, you are prompted to change these passwords. For security reasons, Oracle recommends that you specify new passwords for these user accounts when you install the database software.
Note: Be sure to record the settings you use for these parameters, because you will need them later in this procedure and also to configure the Oracle Client if you are required to do so.
Note: The Memory setting only applies to Oracle 9i databases.
ora.init file located in the ORACLE_HOME/admin/db_name/pfile directory and go to step 4.
Figure 3-2 Oracle Initialization Parameters Screen
This value must be large enough for good server performance.
Note: Block Size is critical. Some Oracle installs set this value to 4096 by default, which creates problems for some scripts. You must set this value to 8192 or larger.
80. See Calculating Oracle Rollback Tablespace Size Requirements.
PATH environment variables as shown in Listing 3-1.
Note: In Listing 3-1, <drive> is the hard drive on which the Oracle database is installed and <version> is either 90 or 92.
Listing 3-1 System PATH Environment Variable Settings on Windows
For Oracle 9i:
<drive>:\oracle\ora<version>\bin;
C:\Program Files\Oracle\jre\1.3.1\bin;
C:\Program Files\Oracle\jre\1.1.8\bin;
For Oracle 8i:
<drive>:\oracle\ora81\bin;
C:\Program Files\Oracle\jre\1.1.7\bin;
This section describes how to create and configure an instance of an Oracle database. It assumes that the Oracle database software was installed.
Note: You should only perform this procedure when you want to create and configure instances of the database in addition to the instance that was created when the database software was installed.
Perform the following steps to create an instance of an Oracle database:
Note: The section provides guidance to assist you, but it does not supersede the documentation provided by Oracle.
Note: The Memory setting only applies to Oracle 9i databases.
ora.init file that is located in the ORACLE_HOME/admin/db_name/pfile directory and go to step 4.
To configure an Oracle policy database, you must create the policy database, create a security role and a user, and grant the security role and user access.
To configure a policy database, perform the following steps:
SYSTEM with the password you set for that user account when you installed the Oracle database software:
sqlplus system/password@asi
where: password is the password you set for the system account when you installed the database software and asi is the database instance name.
SQL> connect sys as sysdba
SQL> create tablespace DATA datafile 'C:/Oracle/oradata/ASI/data.dbf' size 10M autoextend on next 1M MAXSIZE 250M;
SQL> CREATE ROLE asi_role;
SQL> GRANT CREATE SESSION to asi_role;
SQL> GRANT CREATE TABLE to asi_role;
SQL> GRANT CREATE PROCEDURE to asi_role;
SQL> GRANT CREATE SEQUENCE to asi_role;
SQL> GRANT CREATE TRIGGER to asi_role;
SQL> GRANT CREATE VIEW to asi_role;
SQL> CREATE USER wles IDENTIFIED BY password default tablespace DATA QUOTA UNLIMITED on DATA;
SQL> GRANT asi_role to wles;
SQL> GRANT SELECT on SYS.V_$LOCKED_OBJECT to wles;
where: asi_role is the security role you define, wles is the user you define, and password is the user password.
sqlplus wles/password@asi
This completes the configuration of the instance of the policy database.
If you intend to install the WebLogic Enterprise Security Administration Application on the same machine as you installed the Oracle database, you do not need to install or configure the Oracle Client. The Oracle database installation includes the Oracle Client, so you can skip this task.
However, if you intend to install the Administration Application on a machine other than the machine on which the Oracle database is installed, you must install and configure an Oracle client on that machine to be able to access the Oracle database server from the client machine.
To install and configure an Oracle Client, you need to know the following information:
For instructions on installing and configuring an Oracle Client, see the following topics:
To install and configure an Oracle Client, perform these steps:
Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Oracle.
Note: Figure 3-3 shows the Oracle 9i screen. The Oracle 8i screen offers the same options.
Note: Figure 3-4 shows the Oracle 9i screen. The Oracle 8i screen offers the same options.
Figure 3-4 Oracle Net Service Name Configuration Test Page (Oracle 9i)
Note: If you experience problems getting the Oracle Client to connect to the Oracle database instance, check the configuration of the database instance in the ORACLE_HOME\ora<version>\network\admin\tnsnames.ora file located on the database server host machine, where <version> is 81, 90, or 92.
To connect as the wles user, open a command window and type:
sqlplus wles/password@asi
This completes the configuration of the Oracle Client.
To install and configure the Oracle Client on a Sun Solaris platform, perform these steps:
Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Oracle.
dba and a user ID called oracle.
ORACLE_HOME environment variable to the local directory. If necessary, refer to your Oracle Installation Guide.
where: wles and password are the user and password you defined when you configured the policy database and asi is the database instance name.
If this command is successful, the client is configured, and you can skip the next step of this procedure. If this command fails, proceed to step 9.
$ORACLE_HOME/network/admin/tnsnames.ora.
Note: You may also use a text editor to edit the tnsnames.ora file. However, you should be familiar with Oracle Net before editing the tnsnames.ora file with a text editor.
This completes the configuration of an Oracle Client.
There may be some additional considerations when installing Oracle 9i and 8i Clients on Red Hat Advanced Server 2.1. To understand all the considerations relative to installing on the Red Hat Advanced Server in your environment, see the Oracle and Red Hat documentation.
Note: If you are installing the Oracle 8i Client on Red Hat Advanced Server 2.1, the Net8 Configuration tool may hang during the installation process. To start the Net8 Configuration tool, you need to download and install JRE-1.1.8v3, and switch the JRE to use the proper version of the tool, $ORACLE_HOME/bin/netasst, by changing the value for JREDIR.
To install and configure an Oracle Client on Red Hat Advanced Server 2.1, perform the following steps:
Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Oracle.
ship_9204_linux_disk1.cpio.gz
ship_9204_linux_disk2.cpio.gz
ship_9204_linux_disk3.cpio.gz
gunzip <filename>
cpio -idmv <filename>
cpio
./runInstaller
Error in invoking target install of makefile /path/app/oracle/product/version/xyz/lib/ins_xyz.mk, and prompt for Retry, Ignore, and Cancel, where xyz may be precomp, or plsql, or something else and version is either 8.1.7 or 9i.
The file contains the following lines of text.
path/app/oracle/product/version/bin/genclntsh
/lib/libc.so.6: undefined reference to `_dl_lazy@GLIBC_2.1.1'
/lib/libc.so.6: undefined reference to `_dl_dst_substitute@GLIBC_2.1.1'
/lib/libc.so.6: undefined reference to `_dl_out_of_memory@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `_dl_relocate_object@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_clktck@GLIBC_2.2'
/lib/libc.so.6: undefined reference to `__libc_enable_secure@GLIBC_2.0'
/lib/libc.so.6: undefined reference to `_dl_catch_error@GLIBC_2.0'
.....
/usr/bin/ld: cannot find -lclntsh
collect2: ld returned 1 exit status
/bin/chmod: getting attributes of `procob18': No such file or directory
make: *** [procob18] Error 1
/usr/bin/make -f ins_precomp.mk relink ORACLE_HOME=/pathora/u01/app/oracle/product/version EXENAME=ott...
./genclntsh
Note: Before continuing with step 13, for Oracle 8i, edit root.sh and change the line RMF=/bin/rm -f to RMF="/bin/rm -f", and the line that starts with RUID= by adding a single quote just before the last back-slash (`).
./root.sh
The installer continues. At the last step, it starts the Net Configuration tool to let you configure the first Net Service Name.
where: wles and password are the user and password you defined when you configured the policy database and asi is the database instance name.
If this command is successful, the client is configured and you can skip the remaining steps of this procedure. If this command fails, proceed to step 16.
$ORACLE_HOME/network/admin/tnsnames.ora).
Note: If you are installing the Oracle 8i Client on Red Hat Advanced Server 2.1, the Net8 Configuration tool may hang during the installation process. Abort that process. To start the Net8 Configuration tool, download JRE-1.1.8v3, and switch the JRE to use the proper version of the tool, $ORACLE_HOME/bin/netasst, by changing the value for JREDIR.
Note: If you are installing the Oracle 8i Client on Red Hat Advanced Server 2.1, apply the client patch glibc-2.1.3-stubs.tar.gz that you downloaded earlier.
This completes the configuration of an Oracle Client.
There may be some additional considerations when installing Oracle 9i and 8i Clients on Red Hat Advanced Server 3. To understand all the considerations relative to installing on the Red Hat Advanced Server in your environment, see the Oracle and Red Hat documentation.
Note: If you are installing the Oracle 8i Client on Red Hat Advanced Server 3.0, the Net8 Configuration tool may hang during the installation process. To start the Net8 Configuration tool, you need to download and install JRE-1.1.8v3, and switch the JRE to use the proper version of the tool, $ORACLE_HOME/bin/netasst, by changing the value for JREDIR.
To install and configure an Oracle 9.2 Client on Red Hat Advanced Server 3.0, perform the following steps:
Note: This section provides guidance to assist you, but it does not supersede the documentation provided by Oracle.
ship_9204_linux_disk1.cpio.gz
ship_9204_linux_disk2.cpio.gz
ship_9204_linux_disk3.cpio.gz
gunzip <filename>
cpio -idmv <filename>
cpio
compat-db-4.0.14-5.i386.rpm \
compat-gcc-7.3-2.96.122.i386.rpm \
compat-gcc-c++-7.3-2.96.122.i386.rpm \
compat-libstdc++-7.3-2.96.122.i386.rpm \
compat-libstdc++-devel-7.3-2.96.122.i386.rpm \
Note: Be sure to restore the gcc and g++ to gcc323 and g++323 after the installation.
p3006854_9204_LINUX.zip from http://metalink.oracle.com/. For more information, see Oracle bug 3006854. To apply this patch, run:
su - root
# unzip p3006854_9204_LINUX.zip
Archive: p3006854_9204_LINUX.zip
creating: 3006854/
inflating: 3006854/rhel3_pre_install.sh
inflating: 3006854/README.txt
# cd 3006854
# sh rhel3_pre_install.sh
Applying patch...
Patch successfully applied
Note: You cannot run this command as root.
Note: If you are accessing the system through a Telnet connection, make sure that your display is set correctly.
/export/home/oracle. The UNIX Group Name window appears.
Run the /tmp/orainstRoot.sh command as root. Running this command outputs the following two lines:
Creating Oracle Inventory pointer file (/etc/oraInst.loc)
Changing groupname of /export/home/oracle to engineering.
Name: ORACLE
Path: /export/home/oracle
The Loading products progress indicator displays in the upper right corner of the window. When the loading completes, the Available Products window appears.
A configuration script needs to be run as root before installation can proceed. Please leave this window up, run /export/home/oracle/root.sh as root from another window, then come back here and click OK to continue.
Running Oracle9 root.sh script...
The following environment variables are set as:
ORACLE_OWNER= dbooth
ORACLE_HOME= /export/home/oracle
Enter the full pathname of the local bin directory: [/usr/local/bin]:
Copying dbhome to /usr/local/bin ...
Copying oraenv to /usr/local/bin ...
Copying coraenv to /usr/local/bin ...
Creating /etc/oratab file...
Adding entry to /etc/oratab file...
Entries will be added to the /etc/oratab file as needed by Database Configuration Assistant when a database is created
Finished running generic part of root.sh script.
Now product-specific root actions will be performed.
mydbhost.mydomain.com.
Connecting...Test successful.
This completes the configuration of an Oracle Client.
After you have installed and configured the Oracle database and the Oracle Client, you should tune the database to suit the needs of your particular environment. The following topics provide information to assist in tuning your Oracle database:
To determine the tablespace size requirements, allot the amount of disk space based on the size of your policy. You should use 250 MB as an absolute minimum, provided the rollback segments can handle the policy loading and distribution.
To determine your actual tablespace requirements, see the following topics:
The 250 MB minimum disk-space allotment works fine with a small policy and a small user community such as the following:
Group flattening means that a rule can exist in one of two forms: a simple rule or a composite rule. A composite rule is a combination of two or more simple rules to make them easier to use. The process for reducing a composite rule to its component simple rules is called "flattening the group."
For example, if you had three local users named Joe, Betty, and Sam, you could grant those users a role in an application by creating a composite rule like this:
Grant(//role/bookkeeper, //app/policy/AcctDept/AcctApp, [//user/AcctDept/Joe/, //user/AcctDept/Sam/, //user/AcctDept/Betty/]);
In the policy language, this rule means "grant Joe, Sam, and Betty, who belong to the AcctDept, the role of bookkeeper in the accounting application, AcctApp."
The rule is a composite rule because it reduces or flattens to these three simple rules:
Grant(//role/bookkeeper, //app/policy/AcctDept/AcctApp, //user/AcctDept/Joe/);
Grant(//role/bookkeeper, //app/policy/AcctDept/AcctApp, //user/AcctDept/Sam/);
Grant(//role/bookkeeper, //app/policy/AcctDept/AcctApp, //user/AcctDept/Betty/);
Even though you may see one composite rule, the composite is actually stored and distributed as three flattened simple rules. The main ramification of rule flattening is that your policies can take much more disk space than you might think when simply looking at your policy. For information on how to construct rules, see Securing Resources and Defining Policy Rules in the Policy Managers Guide.
If you want to use the BEA WebLogic Enterprise Security Metadirectory Synchronization Services, you must create an additional set of tables to use to synchronize identity information. As a result, the amount of space required to store identity information approximately doubles, so allocate an appropriate amount of extra tablespace. For more information, see Configuring Metadirectories in WebLogic Enterprise Security Administration Application Installation.
You can estimate your space requirements using the following formulas. With group flattening, as with rules, group memberships are also reduced or flattened to their simple data components. For example, if you have a user that belongs to a group through group inheritance, the membership is stored as though the user were a direct member of the group. Thus, there is a separate group to user mapping for each group in the inheritance hierarchy. All numeric results are represented in megabytes. All formulas use the variables described in Table 3-4.
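Rule flattening (the composite Grant quoted above) and group flattening through inheritance both multiply the rows that are actually stored, which is why a policy takes more space than it appears to. The following Python is an added example, not part of the BEA documentation: it splits a Grant rule into its simple rules with a hypothetical pattern for the Grant(role, resource, subjects) syntax shown in the text, and expands a constructed group hierarchy to count the group-to-user mappings that flattening produces (the //grp/... names are assumptions).

```python
import re

# Constructed sample policy (not from the BEA documentation). The composite
# rule is the one quoted in the text; the group hierarchy is invented.
COMPOSITE_RULE = (
    "Grant(//role/bookkeeper, //app/policy/AcctDept/AcctApp, "
    "[//user/AcctDept/Joe/, //user/AcctDept/Sam/, //user/AcctDept/Betty/]);"
)
SAMPLE_MEMBERS = {  # group -> users who are direct members
    "//grp/AcctDept": {
        "//user/AcctDept/Joe/", "//user/AcctDept/Sam/", "//user/AcctDept/Betty/",
    },
}
SAMPLE_SUBGROUPS = {  # group -> child groups (the inheritance hierarchy)
    "//grp/Corp": {"//grp/Finance"},
    "//grp/Finance": {"//grp/AcctDept"},
}

# Hypothetical pattern for Grant(role, resource, subject-or-[subject list]).
# The real policy language has more constructs than this example handles.
GRANT_RE = re.compile(r"^Grant\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*(.+?)\s*\);?$")


def parse_grant(rule):
    """Split a Grant rule into (role, resource, [subjects])."""
    m = GRANT_RE.match(rule.strip())
    if not m:
        raise ValueError(f"not a Grant rule: {rule!r}")
    role, resource, subjects = m.groups()
    if subjects.startswith("[") and subjects.endswith("]"):
        subjects = [s.strip() for s in subjects[1:-1].split(",") if s.strip()]
    else:
        subjects = [subjects]
    return role, resource, subjects


def flatten_rule(rule):
    """One simple rule per subject; a simple rule flattens to itself."""
    role, resource, subjects = parse_grant(rule)
    return [f"Grant({role}, {resource}, {s});" for s in subjects]


def flatten_groups(members, subgroups):
    """Expand inheritance: every user of a descendant group is stored as a
    direct member of each ancestor, so each ancestor gets its own mappings."""
    def users_of(group, path):
        if group in path:
            raise ValueError(f"group cycle through {group}")
        users = set(members.get(group, ()))
        for child in subgroups.get(group, ()):
            users |= users_of(child, path | {group})
        return users

    groups = set(members) | set(subgroups)
    return {g: users_of(g, frozenset()) for g in groups}


def estimate_flattened_rows(rules, members, subgroups):
    """Row counts before and after flattening: the figures that feed the
    rule and group-to-user-mapping inputs of the tablespace formula."""
    simple = [s for r in rules for s in flatten_rule(r)]
    flat = flatten_groups(members, subgroups)
    return {
        "composite_rules": len(rules),
        "simple_rules": len(simple),
        "direct_memberships": sum(len(u) for u in members.values()),
        "flattened_memberships": sum(len(u) for u in flat.values()),
    }


if __name__ == "__main__":
    for line in flatten_rule(COMPOSITE_RULE):
        print(line)
    print(estimate_flattened_rows([COMPOSITE_RULE], SAMPLE_MEMBERS, SAMPLE_SUBGROUPS))
```

Three direct memberships under a three-level hierarchy become nine stored mappings, and the one visible composite rule becomes three stored simple rules.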
Total number of user attribute values for all users, in thousands
Total number of object attribute values for all resources, in thousands
Oracle Corporation recommends using multiple datafiles for any tablespace that approaches one GB in size.
Use the following formula to calculate your tablespace size requirements. For a description of the formula variables, see Table 3-4.
For example, if all the variables had the value 5, the formula looks like this:
Thus, the example requires a minimum of 313 MB of disk space.
The rollback tablespace is required to successfully distribute the largest policy changes between distributions. When you change the policy and distribute it frequently in smaller chunks, the space required is reduced dramatically.
For a very small policy (the built-in policy plus a few hundred users), you can use the system rollback segments that are created during the database installation. However, BEA recommends that you create a new tablespace with a few rollback segments. Configuring 250 MB of rollback segments works fine for the restricted policy mentioned earlier.
For more information on configuring tablespace requirements, see the following topics:
For a very small policy (the built-in policy plus a few hundred users), you can use the system temporary tablespace (TEMP) that is created during the database installation. For a larger policy, check to ensure that your TEMP setting is sufficient. However, BEA recommends that you create a new temporary tablespace that is at least one-fourth the size of your data tablespace.
The datafile name and tablespace sizes in the following instructions are given for illustration purposes only. You should determine your own needs and replace these values. In addition, BEA chose to use the autoextend option in the instructions, but your needs may differ. Consult your Oracle documentation for details.
Finally, the following instructions are specific to a Sun Solaris installation. If you are installing on Windows 2000, replace all the forward slashes with back slashes and begin all file paths with the drive name.
To add additional tablespaces, perform the following steps:
sqlplus SYSTEM/password@asi
where: password is the password you defined when you installed the database software and asi is the database instance name.
SQL> create tablespace DATA datafile '/oradata/ASI/data.dbf' size 10M autoextend on next 1M MAXSIZE 250M;
where: DATA is the tablespace name and /oradata/ASI/data.dbf is the physical datafile used to store the database schema.
SQL> create tablespace RBS datafile '/oradata/ASI/rbs.dbf' size 10M autoextend on next 1M MAXSIZE 250M;
Use the instructions provided in this section to create and enable the maximum number of rollback segments (five) in the rollback tablespace created previously. You may want to do this if the rollback segments for the default database installation are not sufficient. Depending on the size of the rollback tablespace (represented in the commands as rbs_1 to rbs_5), you can either create and enable more segments or increase the size of the existing segments instead.
To create the rollback segments, open a command window, start SQLplus, and type the following commands:
SQL> create rollback segment rbs_1 tablespace RBS STORAGE(INITIAL 100K
NEXT 100K OPTIMAL 500K MINEXTENTS 2 MAXEXTENTS 100);
SQL> create rollback segment rbs_2 tablespace RBS STORAGE(INITIAL 100K
NEXT 100K OPTIMAL 500K MINEXTENTS 2 MAXEXTENTS 100);
SQL> create rollback segment rbs_3 tablespace RBS STORAGE(INITIAL 100K
NEXT 100K OPTIMAL 500K MINEXTENTS 2 MAXEXTENTS 100);
SQL> create rollback segment rbs_4 tablespace RBS STORAGE(INITIAL 100K
NEXT 100K OPTIMAL 500K MINEXTENTS 2 MAXEXTENTS 100);
SQL> create rollback segment rbs_5 tablespace RBS STORAGE(INITIAL 100K
NEXT 100K OPTIMAL 500K MINEXTENTS 2 MAXEXTENTS 100);
When your Oracle database contains a large policy, you may want to do one or more of the following to optimize performance:
SPFILESID.ORA; for Oracle 8i, INIT.ORA).
SORT_AREA_SIZE for the Oracle server in the initialization parameters file.
Run install_sort_oracle.bat or install_sort_oracle.sh to install ASCII sorting, instead of the default dictionary sorting that comes with the database schema installation. This improves the Administration Console response time. See Administering an Oracle Policy Database for details.
This section covers the following topics:
This section describes how to configure a new user account in an Oracle policy database. This account is necessary so that the policy for the instance of the Administration Application managed by this user can have a dedicated storage area allocated in the database instance.
Note: To perform this procedure, you must log into the Oracle database server as a database administrator.
To set up a database user account, perform these steps:
sqlplus dba/password@ASERVER
SQL> create role asi_role;
SQL> grant create session to asi_role;
SQL> grant create table to asi_role;
SQL> grant create procedure to asi_role;
SQL> grant create sequence to asi_role;
SQL> grant create trigger to asi_role;
SQL> grant create view to asi_role;
where: asi_role is the new role.
The following example uses the default tablespaces generated when you created and configured the Oracle database instance, although you can specify any tablespaces.
SQL> create user username identified by password
  default tablespace users quota unlimited on users
  temporary tablespace temp quota unlimited on temp;
SQL> grant asi_role to username;
SQL> conn sys as sysdba
SQL> GRANT SELECT ON SYS.V_$LOCKED_OBJECT to username;
SQL> commit;
In this case, you grant SELECT permission to the user you created in step 3. The Oracle database server does not allow you to grant the permission to the asi_role. BEA WebLogic Enterprise Security uses this dynamic view to check whether one of its tables is currently being accessed. Therefore, the SELECT permission is required.
Table 3-5 lists and describes the batch and shell files provided for database administration. The files are located in the following directory:
bea\wles42-admin\bin\
where bea is the BEA_HOME directory and wles42-admin is the installation directory for the Administration Application.
Exports policy data. See the BEA WebLogic Enterprise Security Policy Managers Guide for information on how to export policy. The
Installs the policy database schema. See Installing the Policy Database Schema for information on how to install the database schema.
Switches the sort order. When using the Administration Console, the list of usernames and other policy elements can be sorted in alphabetical order or in discretionary order. This script is used to switch such sorting order. Alphabetical sort order has better performance than discretionary sort order. The parameters for this script are the same as the
Cleans up the policy created in the policy database and returns it to the same state as it was following the schema installation. The parameters for this script are the same as the
Uninstalls the policy database schema from the database server. The parameters for this script are the same as the
Before running these scripts with an Oracle database, you need to ensure the following setup steps are completed:
PATH environment.
PATH includes the BIN and DLL directory of the Oracle installation.
ORACLE_HOME is set, $ORACLE_HOME/bin is in the PATH, and $ORACLE_HOME/lib is in the LD_LIBRARY_PATH.
BEA strongly recommends that you back up your original policy database regularly. A database backup is always recommended before you uninstall or re-install the policy database. You may need to contact your database or system administrator to assist with this process. Backups should be done on a regularly scheduled basis.
For instructions on backing up your Oracle database, see the Oracle Backup and Recovery Guide that comes with your Oracle documentation.
This section contains the procedures for setting up and administering a Sybase database and a Sybase Client. It covers the following topics:
Before you begin to set up your Sybase database, review the following topics to better understand Sybase database configuration requirements:
The Sybase Adaptive Server is the server in the Sybase client/server architecture (see Figure 3-5). It manages multiple databases and multiple users, keeps track of the actual location of data on disks, maintains mapping of logical data description to physical data storage, and maintains data and procedure caches in memory.
The policy database is a set of database schemas in which all data are stored. The Sybase database contains a set of related data tables and other database objects organized and presented to serve a specific purpose.
A database device is a Sybase term that represents the portion of a device (a portion of a hard drive, such as a partition) that is dedicated to holding database data. When creating the database device, you can choose either a raw partition or an existing file system. Choosing a raw partition can increase the performance of the database server.
Figure 3-5 Sybase Adaptive Server Setup
The Database Login ID is a login created by a system administrator to log onto the Adaptive Server. Each Database Login has a password and a default database to access. A login is valid if the Adaptive Server has an entry for that user in the system table syslogins.
The Database Administrator (DBA) has a special database login ID that can access all databases in the Adaptive Server. The DBA is also referred to as the system administrator. In fact, the name of the DBA login is sa (for System Administrator).
The Database Owner (DBO) is a special database login with permission to perform all actions on a policy database. Usually, the login that creates the database automatically becomes the DBO. The Database User ID is dbo (lowercase), which is different from its Database Login ID. For your policy database, you can use any Database Login ID as the DBO.
The Database User ID pertains to one specific database and is a login given permission by the DBO or DBA (system administrator) to access that one database. In most cases, the database user ID is the same as the Database Login ID. However, in some cases, they may be different, as with the special dbo user ID.
A database schema is a collection of objects associated with a particular schema name. The objects include tables, views, domains, constraints, assertions, privileges, and so on.
The policy owner is a Database User ID that controls a set of database schemas in the database. BEA recommends that you not use dbo as a policy owner because it requires special administration. The WebLogic Enterprise Security architecture allows multiple policy owners in its database, each owning a policy different from the other policies.
Table 3-6 describes the minimum requirements for the system on which the Sybase Adaptive Server is installed.
Refer to the Sybase Adaptive Server Enterprise Installation Guide for details.
A minimum of two database devices is required, each having 250 MB. To approximate space requirements for any policy size, use the formula in Calculating Sybase Database Size Requirements.
This section provides instructions for installing and configuring a Sybase database for use with the WebLogic Enterprise Security Administration Application.
For guidance on installing and configuring the database, see the following topics:
This section provides recommendations for installing and configuring the Sybase database software. If the Sybase database is already installed on the database host machine, you can skip this procedure and go to Setting the Sybase Database Configuration Parameters.
To install the Sybase Adaptive Server, perform these steps:
Note: In Sybase 12.5, you can choose the logical page size of 2K, 4K, 8K and 16K when building the server. This choice can affect the maximum length of usernames, resource names, and the length of rules, etc., when administering the security policy. See the Sybase Adaptive Server documentation for more information regarding the logical page size and column size limit.
Use isql or the Sybase Adaptive Server tool to set the sa password and the Sybase database configuration parameters. Do one of the following:
Using isql, open a command console, log into the server as user sa, and set the Sybase database configuration parameters. For instructions on how to use isql, see the Sybase Adaptive Server Enterprise Installation Guide.
To make modifications to the server configuration, you must log in as a Sybase system administrator. After making changes, you must restart the Sybase database server for the change to take effect. Table 3-7 describes the settings that BEA recommends for the Sybase configuration parameters. These settings are case sensitive.
You can access Sybase Adaptive Server from the same machine as the Adaptive Server or from another client machine. To access it from a client machine, you must install the Sybase Open Client on the client machine and configure the client machine to connect to the Sybase database server (see Installing and Configuring a Sybase Database Client).
Figure 3-6 Sybase Central Java Edition Tool
Use this procedure to set the Sybase database configuration parameters.
Note: If you installed the Sybase database software and set these parameters as described in Installing the Sybase Database, skip this procedure and go to Creating Sybase Database Devices.
To set the Sybase database configuration parameters, perform the following steps:
Note: The section provides guidance to assist you, but it does not supersede the documentation provided by Sybase.
Use isql or the Sybase Server Config tool to set the sa password and the Sybase database configuration parameters. Do one of the following:
Using isql, open a command console, log into the server as user sa, and modify the server configuration. For instructions on how to use isql, see the Sybase Adaptive Server Enterprise Installation Guide.
Note: After you make the configuration changes, reboot the database server machine to have the changes take effect.
Figure 3-7 Configure Sybase Servers Screen
Using the Sybase Server Config tool, log in as sa, select the Command Line Change Option, and set the Sybase configuration parameters listed and described in Table 3-7.
The policy database requires at least two database devices, each having at least 250 MB of free space. The first device stores policy data and the other stores the transaction log. You must create these two database devices before you create and configure the policy database.
Note: For better performance, BEA recommends a raw partition as the best configuration for the database device. Obviously, you must allocate sufficient disk space to ensure that the database meets your performance requirements.
For instructions on how to create Sybase database devices, see the Chapter "Managing Adaptive Server Databases" in the Sybase Adaptive Server Enterprise Configuration Guide for the platform on which you installed the database server: Microsoft Windows, Solaris, or Linux.
Like other Sybase databases, the policy database contains at least one set of database schemas, owned by a user referred to as the policy owner. While it is unusual, the same database may contain multiple sets of policies, each owned by a different user.
Note: Before continuing, be sure that you have the names of two existing database devices that have sufficient free space to hold the data and transaction log for the policy database. If the database devices do not exist, go to Creating Sybase Database Devices and create them.
To create and configure the policy database, perform these steps:
isql -Usa -SASERVER
1>use master
2>go
1>create database sspolicy on asi_data_dev = 250 log on asi_log_dev = 250
2>go
where: sspolicy is the name of the database. The name sspolicy is used only for the purpose of the example. You can assign any name to the database. In this example, the minimum database sizes, 250 MB, are used. If you choose to use other sizes, enter those sizes instead. asi_data_dev and asi_log_dev are the names of the two devices.
To set the database options with the sp_dboption system procedure, type the following commands at the isql command prompt:
1>use master
2>go
1>sp_dboption sspolicy, "select into/bulkcopy", true
2>go
1>sp_dboption sspolicy, "abort tran on log full", true
2>go
1>sp_dboption sspolicy, "trunc log on chkpt", true
2>go
1>sp_dboption sspolicy, "trunc. log on chkpt.", true
2>go
For more information on the sp_dboption
system procedure, see Sybase Adaptive Server Enterprise Reference Manual: Procedures.
Note: In a development database, you may set the trunc log on chkpt option to true because the DBA may not have time to run a dump transaction from time to time to truncate the transaction log. In a production database, you must set this option to false and perform a dump transaction to back up and truncate the database and transaction logs.
1>use master
2>go
1>sp_addlogin asi, password, sspolicy, null, "asi login"
2>go
The password must be at least six alphanumeric characters or other characters allowed by Sybase. The name of the default database is sspolicy. If an asi login already exists, you must use the sp_modifylogin command to set its default database to sspolicy.
1>use sspolicy
2>go
1>sp_adduser asi
2>go
1>use sspolicy
2>go
1>grant all to asi
2>go
To verify that the asi login can connect to the target Sybase database using isql, open a command window on the machine on which the database is installed and log in. For example, using the values specified in the previous step, type the following:
isql -Uasi -Sserver_name
Password: password
1>
This completes the configuration of the policy database.
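As an added example (not a BEA script), the following Python generator renders the isql batch for the procedure above from a few parameters and enforces the constraints the procedure states: two distinct devices of at least 250 MB each, a password of at least six characters, and trunc log on chkpt set to false for a production database. The database, device and login names are the ones used in the example above; the dev/production switch is an assumption of this example.

```python
"""Generate the isql batch that creates and configures a WLES policy database.

Added example, not BEA's own script. It emits the same Transact-SQL steps the
procedure above describes (create database, sp_dboption, sp_addlogin,
sp_adduser, grant) and refuses inputs that violate the documented constraints.
"""
from dataclasses import dataclass

MIN_DEVICE_MB = 250        # documented minimum per database device
MIN_PASSWORD_CHARS = 6     # documented minimum for sp_addlogin


@dataclass(frozen=True)
class PolicyDbSpec:
    name: str                  # e.g. "sspolicy", the example database name
    data_device: str           # e.g. "asi_data_dev"
    log_device: str            # e.g. "asi_log_dev"
    data_mb: int = MIN_DEVICE_MB
    log_mb: int = MIN_DEVICE_MB
    login: str = "asi"
    password: str = ""
    production: bool = False   # production databases must not truncate the log on checkpoint


def validate(spec: PolicyDbSpec) -> list[str]:
    """Return the list of constraint violations; an empty list means the spec is acceptable."""
    problems = []
    if spec.data_device == spec.log_device:
        problems.append("data and log must be on different database devices")
    if spec.data_mb < MIN_DEVICE_MB:
        problems.append(f"data device needs at least {MIN_DEVICE_MB} MB")
    if spec.log_mb < MIN_DEVICE_MB:
        problems.append(f"log device needs at least {MIN_DEVICE_MB} MB")
    if len(spec.password) < MIN_PASSWORD_CHARS:
        problems.append(f"password needs at least {MIN_PASSWORD_CHARS} characters")
    if not spec.name.isidentifier():
        problems.append("database name must be a plain identifier")
    return problems


def build_isql_batch(spec: PolicyDbSpec) -> str:
    """Render the isql input for the procedure; raises ValueError on a bad spec."""
    problems = validate(spec)
    if problems:
        raise ValueError("; ".join(problems))
    trunc = "false" if spec.production else "true"
    lines = [
        "use master", "go",
        f"create database {spec.name} on {spec.data_device} = {spec.data_mb} "
        f"log on {spec.log_device} = {spec.log_mb}", "go",
        f'sp_dboption {spec.name}, "select into/bulkcopy", true', "go",
        f'sp_dboption {spec.name}, "abort tran on log full", true', "go",
        f'sp_dboption {spec.name}, "trunc log on chkpt", {trunc}', "go",
        # The batch carries the login password: keep the file readable only by the DBA.
        f'sp_addlogin {spec.login}, {spec.password}, {spec.name}, null, "{spec.login} login"', "go",
        f"use {spec.name}", "go",
        f"sp_adduser {spec.login}", "go",
        f"grant all to {spec.login}", "go",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    example = PolicyDbSpec("sspolicy", "asi_data_dev", "asi_log_dev", password="examplepw")
    print(build_isql_batch(example))
```

Feed the rendered batch to isql with its -i input-file option from a file readable only by the DBA rather than echoing it on a command line, since it contains the login's password.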
Skip this step if you want to administer the Sybase Adaptive Server and run the WebLogic Enterprise Security Administration Application on the machine on which the Sybase Adaptive Server is installed.
You must install the Sybase Open Client (Sybase client for Adaptive Server) to:
The information you need to install and configure the Sybase Open Client includes:
The following topics provide guidance for installing and testing a Sybase Open Client:
If the Sybase Open Client is already installed, you need to ensure that you can access the Adaptive Server from the client. To do so, open a command window and type:
isql -U loginid -SASERVER -Ploginidpassword
If this command fails and you know the client is installed, the client is probably not configured properly to point to the database server. If the client is on the same machine as the Sybase database, the client is configured automatically when you do the installation. If the client is on a machine other than the Sybase database machine, you need to configure the client. For instructions on how to configure the Open Client, see the installation and configuration procedure that applies to your particular platform:
To install the Sybase Open Client in a Windows environment, do the following:
Note: The section provides guidance to assist you, but it does not supersede the documentation provided by Sybase.
SYBASE=D:\Sybase
SYBASE_JRE=D:\sybase\shared-1_0\JRE-1_3
SYBASE_OCS=OCS-12_5
Ensure that the PATH environmental variable includes the bin and dll subdirectories of your Sybase installation directory, as shown in the following example (where the installation is on the D: drive): D:\Sybase\OCS-12_5\bin and D:\Sybase\OCS-12_5\dll
Using the Dsedit utility provided by Sybase, edit the Sybase configuration file sql.ini in the \ini sub-folder of your Sybase Open Client installation directory to include a server entry that points to your policy database server. For instructions on how to use the Dsedit utility to edit the sql.ini file, see the Sybase Adaptive Server Enterprise Installation Guide for Windows. For parameters required to edit the sql.ini file, see the sql.ini file located in the \sybase\ini directory on the machine on which the Sybase database server is installed. Here is an example sql.ini file produced by the Dsedit utility:
[ASERVER]
master=TCP,PCWIZ, 5000
query=TCP,PCWIZ, 5000
To verify that the client can reach the server, type:
isql -U loginid -SASERVER -Ploginidpassword
This completes the configuration of the Sybase Open Client.
To install and configure a Sybase Open Client on Sun Solaris, perform the following steps:
Note: The section provides guidance to assist you, but it does not supersede the documentation provided by Sybase.
Log in as the user sybase. If the user sybase does not exist, have your Solaris system administrator create it.
Set the SYBASE environment variable to point to the Sybase installation directory, as shown in the following example: /export/home/sybase
Set the PATH environment variable to include the bin subdirectory of your Sybase installation directory, as shown in the following example: /export/home/sybase/OCS-12_5/bin
Set the LD_LIBRARY_PATH environment variable to include the lib subdirectory of your Sybase installation directory, as shown in the following example: /export/home/sybase/OCS-12_5/lib
Using the Dsedit utility provided by Sybase, edit the Sybase configuration file sql.ini in the \ini sub-folder of your Sybase Open Client installation directory to include a server entry that points to your database server. For instructions on how to use the Dsedit utility to edit the sql.ini file, see the Sybase Adaptive Server Enterprise Installation Guide for Solaris. For parameters required to edit the sql.ini file, see the sql.ini file located in the \sybase\ini directory on the machine on which the Sybase database server is installed. Here is an example sql.ini file produced by the Dsedit utility:
[ASERVER]
master=TCP,PCWIZ, 5000
query=TCP,PCWIZ, 5000
To verify that the client can reach the server, type:
isql -U loginid -SASERVER -Ploginpassword
This completes the configuration of the Sybase Open Client.
To install and configure a Sybase Open Client on Red Hat Advanced Server 2.1, perform the following steps:
Note: The section provides guidance to assist you, but it does not supersede the documentation provided by Sybase.
isql -Usa -Ppassword -Sserver_name
This completes the configuration of the Sybase Open Client.
After you have installed and configured the Sybase database and the Sybase Client, you should tune the database to suit the needs of your particular environment. The following topics provide information to assist in tuning your Sybase database:
For the policy database, allot the amount of disk space based on the size of your policy. BEA recommends 250 MB as an absolute minimum.
For the policy database transaction log, allot the size for the transaction log database by considering the following factors:
The size of the data and transaction log can be increased later to use any database devices, by using the SQL command alter database.
To determine the tablespace size requirements, allot the amount of disk space based on the size of your policy, with 250 MB as an absolute minimum, provided the rollback segments can handle the policy loading and distribution.
To determine your actual tablespace requirements, see the following topics:
The 250 MB minimum space works fine with a small policy and a small user community such as the following:
Group flattening means that a rule can exist in one of two forms: a simple rule or a composite rule. A composite rule is a combination of two or more simple rules to make them easier to use. The process for reducing a composite rule to its component simple rules is called "flattening the group."
For example, if you had three local users named Joe, Betty, and Sam, you could grant those users a role in an application by creating a composite rule like this:
Grant(//role/bookkeeper, //app/policy/AcctDept/AcctApp, [//user/AcctDept/Joe/, //user/AcctDept/Sam/, //user/AcctDept/Betty/]);
In the policy language, this rule means "grant Joe, Sam, and Betty, who belong to the AcctDept, the role of bookkeeper in the accounting application, AcctApp."
The rule is a composite rule because it reduces or flattens to these three simple rules:
Grant(//role/bookkeeper, //app/policy/AcctDept/AcctApp, //user/AcctDept/Joe/); and
Grant(//role/bookkeeper, //app/policy/AcctDept/AcctApp, //user/AcctDept/Sam/); and
Grant(//role/bookkeeper, //app/policy/AcctDept/AcctApp, //user/AcctDept/Betty/);
Even though you may see one composite rule, the composite is actually stored and distributed as three flattened simple rules. The main ramification of rule flattening is that your policies can take much more disk space than you might expect from simply looking at your policy. For information on policy rules and how to construct them, see Securing Resources and Defining Policy Rules in the Policy Managers Guide.
If you want to use the BEA WebLogic Enterprise Security Metadirectory Synchronization Services, you must create an additional set of tables to use to synchronize identity information. The amount of space required to store identity information approximately doubles so you should allocate an appropriate amount of extra tablespace. For more information, see Configuring Metadirectories in WebLogic Enterprise Security Administration Application Installation.
You can estimate your space requirements using the following formulas. With group flattening, group memberships, like rules, are also reduced or flattened to their simple data components. For example, if a user belongs to a group through group inheritance, the membership is stored as though the user were a direct member of the group. Thus, there is a separate group-to-user mapping for each group in the inheritance hierarchy. All numeric results are represented in megabytes. All formulas use the variables described in Table 3-8.
Total number of user attribute values for all users, in thousands
Total number of object attribute values for all resources, in thousands
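The following Python is an added example, not part of the BEA documentation: it flattens a composite Grant rule into its simple rules exactly as the bookkeeper example above shows, and expands nested group memberships the way the group-flattening paragraph describes, so you can count the rows a policy actually occupies. The //sgrp/ group paths and the membership data in the test are constructed for this example.

```python
"""Flatten WLES-style composite Grant rules and inherited group memberships.

Added example, not BEA's own code. It shows why the stored policy is larger
than the policy you write: a composite Grant over N subjects is stored as N
simple rules, and a user who belongs to a group through inheritance gets one
stored membership row for every group on the inheritance path.
"""
import re

# Matches Grant(role, app, [subject, subject, ...]); a simple rule has no brackets.
COMPOSITE = re.compile(
    r"Grant\((?P<role>[^,]+),\s*(?P<app>[^,]+),\s*\[(?P<subjects>[^\]]*)\]\);?"
)


def flatten_rule(rule: str) -> list[str]:
    """Reduce one composite Grant rule to the simple rules it is stored as.

    A rule that already names a single subject is returned unchanged.
    """
    m = COMPOSITE.match(rule.strip())
    if not m:
        return [rule.strip()]
    subjects = [s.strip() for s in m.group("subjects").split(",") if s.strip()]
    role, app = m.group("role").strip(), m.group("app").strip()
    return [f"Grant({role}, {app}, {s});" for s in subjects]


def flatten_memberships(direct: dict[str, set[str]]) -> set[tuple[str, str]]:
    """Expand direct memberships into the (user, group) pairs that get stored.

    `direct` maps each group to its direct members; a member that is itself a
    key of `direct` is a nested group, anything else is a user. A user that
    reaches a group through nested groups is stored as a direct member of every
    group on the path, so the result includes all transitive pairs.
    """
    parents: dict[str, set[str]] = {}
    for group, members in direct.items():
        for member in members:
            parents.setdefault(member, set()).add(group)

    stored: set[tuple[str, str]] = set()
    for member, groups in parents.items():
        if member in direct:        # nested group, not a user: no row of its own
            continue
        seen: set[str] = set()
        stack = list(groups)
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            stored.add((member, g))
            stack.extend(parents.get(g, ()))   # climb to the enclosing groups
    return stored


if __name__ == "__main__":
    rule = ("Grant(//role/bookkeeper, //app/policy/AcctDept/AcctApp, "
            "[//user/AcctDept/Joe/, //user/AcctDept/Sam/, //user/AcctDept/Betty/]);")
    for simple in flatten_rule(rule):
        print(simple)
```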
Use the following formula to calculate your data size requirements. For a description of the formula variables, see Table 3-8.
For example, if all the variables had the value 5, the formula looks like this:
Thus, the example requires a minimum of 313 MB of disk space.
Note: If your server has logical page size other than 2K, increase this space proportionately.
Use the following formula to calculate log size requirements. For a description of the formula variables, see Table 3-8.
This formula represents the size needed for loading and distribution at once before dumping the transaction log. Once the log is dumped after loading, the space requirement drops by a third.
Note: Contact your Database Administrator to find out the actual database device usage and for assistance on extending the device size or adding a device. If your server has a logical page size other than 2K, you need to increase this space in proportion.
BEA recommends that you regularly back up your policy databases. If you fail to do so, the transaction log can become quite large and could become so full that the database stops functioning. If you set the trunc log on chkpt database option to true, you will not have to manually dump the log from time to time. If you do want to manually dump the database or transaction logs, use the dump database and dump transaction commands. See your Sybase Administration Guide for more information.
If your policy grows, you may need to expand your policy database. To do so, use the alter database command. If there is no more free space on any of your Sybase database devices, you may need to create a new device. To do so, use the disk init command.
If you do create a new database device, be sure not to combine the data and log databases on the same database device. See your Sybase SQL Server Reference Manual for more information.
When your database must contain a large policy, you may want to do one or more of the following to optimize performance:
Increase the tempdb size to facilitate sorting of large data sets.
Run lockpromotion_sybase.bat or lockpromotion_sybase.sh to install the lock promotion mechanism to facilitate policy distribution.
Run install_sort_sybase.bat or install_sort_sybase.sh to enable ASCII sorting, instead of the dictionary sorting that comes with the default database schema installation. This improves the Administration Console response time.
This section covers the following database administration topics:
This section describes how to configure a new user account in a Sybase database. This account is necessary so that the policy for the instance of the Administration Application managed by this user can have a dedicated storage area allocated in the database instance.
To set up the user account, create the login to the Adaptive Server Enterprise database, create the user for policy database, and grant the user privileges to manipulate the policy schema.
Note: BEA strongly recommends that you not use the dbo of the policy database as the policy owner. While it is possible to do so, it requires additional database configuration that is beyond the scope of this guide.
To create a database user account, perform these steps:
1>use master
2>go
1>sp_addlogin asi, password, sspolicy, null, "asi login"
2>go
where: password must be at least six alphanumeric characters or other characters allowed by Sybase and sspolicy is the name of the default database. If an asi login already exists, you must use the sp_modifylogin command to set its default database to sspolicy.
1>use sspolicy
2>go
1>sp_adduser asi
2>go
At the isql command prompt, type the following commands:
1>use sspolicy
2>go
1>grant all to asi
2>go
Table 3-9 lists and describes the batch and shell files provided for database administration. The files are located in the following directory:
bea\wles42-admin\bin\
where bea is the BEA_HOME directory and wles42-admin is the installation directory for the Administration Application.
Exports policy data. See the BEA WebLogic Enterprise Security Policy Managers Guide for information on how to export policy. The
Installs the policy database schema. See Installing the Policy Database Schema for information on how to install the database schema.
Switches the sort order. When using the Administration Console, the list of usernames and other policy elements can be sorted in alphabetical order or in discretionary order. This script is used to switch the sorting order. Alphabetical sort order has better performance than discretionary sort order. The parameters for this script are the same as the
Cleans up the policy created in the policy database and returns it to the same state as it was following the schema installation. The parameters for this script are the same as the
Uninstalls the policy database schema from the database server. The parameters for this script are the same as the
Installs the lock promotion mechanism to facilitate distribution of a large policy in Sybase. See Expanding the Policy Database with Sybase for details. You need DBA access to the database to run this script.
Uninstalls the lock promotion mechanism installed by
Before running these scripts with a Sybase database, you need to ensure the following setup steps are completed:
The isql utility is in the PATH environment.
The SYBASE environmental variable is set.
On Windows, PATH includes %SYBASE%\OCS-12_5\bin and %SYBASE%\OCS-12_5\dll.
On Solaris or Linux, PATH includes $SYBASE/OCS-12_5/bin and LD_LIBRARY_PATH includes $SYBASE/OCS-12_5/lib.
You know the parameters required by the isql command (the name of the database server, login ID and password).
BEA strongly recommends that you back up your original policy database regularly. A database backup is always recommended before you uninstall or re-install the policy database. You may need to contact your database or system administrator to assist with this process. Backups should be done on a regularly scheduled basis.
If you have an existing backup procedure in place, you may choose to run it. Otherwise, follow these steps:
Note: See your Sybase documentation for further information on using these commands.