As discussed in Section 1.3, "Overview of the Oracle Entitlements Server Architecture," the Policy Information Point (PIP) is a system entity that acts as a source for attribute values. Oracle Entitlements Server relies on an Attribute Retriever plug-in to get attribute values from one or more of these information stores. Predefined Attribute Retrievers are shipped with Oracle Entitlements Server. This chapter documents these predefined Attribute Retrievers and related configuration requirements. It contains the following sections.
Section B.1, "Understanding Predefined Attribute Retrievers"
Section B.2, "Configuring the Predefined Attribute Retrievers"
Note:
For more information, see "Working With Attribute Retrievers" in Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server.
Oracle Entitlements Server contains predefined Attribute Retrievers that connect to, and retrieve attribute values from, Lightweight Directory Access Protocol (LDAP) data stores and relational database management systems (RDBMS). These predefined Attribute Retrievers can handle one or more attributes defined in the system without additional programming. They also provide value caching and repository failover.
An in-memory cache mechanism improves performance by reducing communication between Oracle Entitlements Server and the external repository. The cache holds up to 1000 entries and can be enabled for each individual attribute. The cache size is not configurable. If the limit is reached, cache items are removed randomly. Example B-2 illustrates the definition of an individual attribute with the cached and ttl properties.
Repository failover can also be configured. When a call for an attribute is received, Oracle Entitlements Server checks whether the primary repository is active. If it is active, the value is retrieved from it. If the primary repository is not active, it failed on an earlier call and a backup repository is currently active. In that case, Oracle Entitlements Server checks whether it is time to switch back to the primary repository (based on the configured retry interval). If it is time to switch back, the switch is made and the value is retrieved from the primary repository. If the configured time has not yet passed, the value is retrieved from the active backup repository.
Note:
If errors occur when retrieving values from the primary repository, Oracle Entitlements Server searches the backup repositories, trying them one by one until an active one is found.
See Section B.2.3, "Configuring Individual Attributes for Predefined Attribute Retrievers" for configuration information.
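The failover and cache rules described above, as an added example that is not part of the Oracle documentation or product: a small Python model of one retriever with a primary and a backup repository. Repository, AttributeRetriever and FakeClock are constructed stand-ins; the URLs are the ones used in Example B-10 and the attribute values are made up.

```python
import random
import time

CACHE_LIMIT = 1000  # fixed by the product; the cache size is not configurable


class Repository:
    """Constructed stand-in for an LDAP or RDBMS store; lookup fails while it is down."""

    def __init__(self, url, values, up=True):
        self.url, self.values, self.up = url, values, up

    def lookup(self, query):
        if not self.up:
            raise ConnectionError(self.url)
        return self.values.get(query)


class AttributeRetriever:
    """Model of one predefined retriever: repos[0] is the primary, the rest are backups."""

    def __init__(self, repos, retry_interval=15, cached=False, ttl=60, clock=time.monotonic):
        self.repos = repos
        self.retry_interval = retry_interval   # failed.server.retry.interval, in seconds
        self.cached, self.ttl = cached, ttl    # per-attribute cached / ttl properties
        self.clock = clock
        self.active = 0                        # index of the repository currently in use
        self.primary_failed_at = None          # clock value of the last primary failure
        self.cache = {}                        # query -> (value, expires_at)
        self.last_source = None                # where the last value came from

    def get(self, query):
        now = self.clock()
        if self.cached:
            hit = self.cache.get(query)
            if hit is not None and hit[1] > now:
                self.last_source = "cache"
                return hit[0]
        # On a backup: once the retry interval has elapsed, try the primary again.
        if self.active != 0 and now - self.primary_failed_at >= self.retry_interval:
            self.active = 0
        value = self._fetch(query)
        if self.cached:
            if query not in self.cache and len(self.cache) >= CACHE_LIMIT:
                # Cache full: entries are evicted at random, as the appendix states.
                del self.cache[random.choice(list(self.cache))]
            self.cache[query] = (value, now + self.ttl)
        return value

    def _fetch(self, query):
        # Try the active repository first; on error walk the others one by one.
        order = [self.active] + [i for i in range(len(self.repos)) if i != self.active]
        for i in order:
            try:
                value = self.repos[i].lookup(query)
            except ConnectionError:
                if i == 0:
                    self.primary_failed_at = self.clock()
                continue
            self.active = i
            self.last_source = self.repos[i].url
            return value
        raise ConnectionError("no active repository")


class FakeClock:
    """Manually advanced clock so the retry interval can be exercised deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def failover_trace():
    """Replay the Example B-10 setup (retry interval 10 s) and record which store served each call."""
    clock = FakeClock()
    primary = Repository("ldap://dadvmg0065:3080", {"(cn=alice)": "30"})
    backup = Repository("ldap://scl58123:3060", {"(cn=alice)": "30"})
    r = AttributeRetriever([primary, backup], retry_interval=10, clock=clock)
    trace = []
    for t, primary_up in [(0, True), (1, False), (5, False), (12, False), (20, True), (23, True)]:
        clock.t, primary.up = t, primary_up
        r.get("(cn=alice)")
        trace.append((t, r.last_source))
    return trace
```

The trace shows that the primary is only retried after the interval has elapsed, so a recovered primary keeps being bypassed until then.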
Configuration information for these Attribute Retrievers is defined in the jps-config.xml configuration file. You must configure two types of information: attribute query information and repository connection information.
Repository connection information is used to connect to the data store and may include its location, the JDBC driver and URL or the LDAP URL (whichever is applicable), and the user/credential information. This connection information is related to a particular retriever instance. Repository connection information is defined in the <serviceInstances> section of jps-config.xml as illustrated in Example B-1.
Example B-1 Repository Connection Information Defined for Attribute Retriever
<serviceInstance name="policystore.rdbms" provider="policy.rdbms">
  <property name="jdbc.url" value="jdbc:oracle:thin:@scl58116.domainexample.com:1521:orcl"/>
  <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
  <property name="bootstrap.security.principal.key" value="keyname"/>
  <property name="bootstrap.security.principal.map" value="mapname"/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="oracle.security.jps.farm.name" value="cn=wcai_view_jing.atzsrg"/>
</serviceInstance>
Section B.2.1, "Configuring the LDAP Repository Attribute Retriever Parameters," Section B.2.2, "Configuring the Database Repository Attribute Retriever Parameters," and Section B.3, "Modifying jps-config.xml" contain information regarding a repository connection configuration.
Note:
The instance must also be defined in the default <jpsContexts> section. See Example B-8, "Declaring the Predefined Attribute Retriever in jpsContext".
Attribute query information is related to a particular attribute and includes its name, the name of the predefined Attribute Retriever used, the search query for retrieval (for example, a SQL query if the store is a relational database or an LDAP query if it is a directory), and any attribute caching information. Attribute query information is defined in the <propertySets> section of jps-config.xml as illustrated in Example B-2.
Example B-2 Attribute Query Information Defined for Attribute Retriever
<propertySet name="ootb.pip.attribute.age.based.on.myattr.ldap">
  <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
  <property name="ootb.pip.ref" value="pip.service.ootb.ldap"/>
  <property name="name" value="oespipage_myattr"/>
  <property name="query" value="(cn=%MyAttr%)"/>
  <property name="cached" value="true"/>
  <property name="ttl" value="60"/>
</propertySet>
Section B.2.3, "Configuring Individual Attributes for Predefined Attribute Retrievers" and Section B.3, "Modifying jps-config.xml" contain information regarding an attribute query configuration.
Note:
These predefined Attribute Retrievers can be configured with Oracle Database 11gR1, Oracle Internet Directory 11gR1, and Oracle Virtual Directory 11gR1.
The following sections contain information on the configuration parameters for each type of Attribute Retriever. As previously mentioned, these parameters are in jps-config.xml, the configuration file (used by Java EE containers) located in the $DOMAIN_HOME/config/fmwconfig directory.
Section B.2.1, "Configuring the LDAP Repository Attribute Retriever Parameters"
Section B.2.2, "Configuring the Database Repository Attribute Retriever Parameters"
Section B.2.3, "Configuring Individual Attributes for Predefined Attribute Retrievers"
Table B-1 documents the parameters that must be defined when using the LDAP Attribute Retriever. See Example B-5, "Using the Predefined LDAP Attribute Retriever" and Example B-10, "Configuring LDAP Failover" for sample configuration code.
Table B-1 LDAP Attribute Retriever Parameters
Name | Usage |
---|---|
name | Description: The predefined Attribute Retriever's name. Mandatory. Accepted Value: String defining the Attribute Retriever service instance. |
description | Description: A description of the predefined Attribute Retriever. Optional. Accepted Value: string |
type | Description: The predefined Attribute Retriever's type. Mandatory. Accepted Value: LDAP_PIP |
failed.server.retry.interval | Description: After communication with a primary repository has failed, this attribute defines the interval of time during which the backup repository is used before switching back to the primary repository. Optional. Accepted Value: Number of seconds; default value is 15. |
bootstrap.security.principal.key | Description: Defines the key for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores. See Section B.4, "Setting Up PIP Connection Credentials." Mandatory. Accepted Value: key name of the credential; for example, |
bootstrap.security.principal.map | Description: Defines the map for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores. See Section B.4, "Setting Up PIP Connection Credentials." Mandatory. Accepted Value: map name of the credential; for example, |
ldap.url | Description: Defines the URL of the LDAP policy store. Valid in JEE and JSE applications and only applies to LDAP stores. Mandatory. Accepted Value: URI of the LDAP policy store in the format |
search.base | Description: The LDAP search base. Mandatory (LDAP only). Accepted Value: The DN of the search base object. |
Table B-2 documents the parameters that must be defined when using the RDBMS Attribute Retriever. See Example B-6, "Using the Predefined RDBMS Attribute Retriever with JDBC" and Example B-7, "Using the Predefined RDBMS Attribute Retriever with SQL" for sample configuration code.
Table B-2 RDBMS Attribute Retriever Parameters
Name | Usage |
---|---|
name | Description: The predefined Attribute Retriever's name. Mandatory. Accepted Value: String defining the Attribute Retriever service instance. |
description | Description: A description of the predefined Attribute Retriever. Optional. Accepted Value: string |
type | Description: The predefined Attribute Retriever's type. Mandatory. Accepted Value: RDBMS_PIP |
failed.server.retry.interval | Description: After the primary repository has failed, this attribute identifies the interval of time during which the backup repository is used before switching back to the primary repository. Optional. Accepted Value: Number of seconds; default value is 15. |
bootstrap.security.principal.key | Description: Defines the key for the password credentials to access the database, stored in the CSF store. Valid in JEE and JSE applications. See Section B.4, "Setting Up PIP Connection Credentials." Mandatory. Accepted Value: key name of the credential; for example, |
bootstrap.security.principal.map | Description: Defines the map for the password credentials to access the database, stored in the CSF store. Valid in JEE and JSE applications. See Section B.4, "Setting Up PIP Connection Credentials." Mandatory. Accepted Value: map name of the credential; for example, |
jdbc.driver | Description: Location of the driver when using the Java Database Connectivity (JDBC) API to connect to a database. Mandatory when using the JDBC API to connect to the database. Accepted Value: |
jdbc.url | Description: Takes a URL that points to the database. Mandatory when using the JDBC API to connect to the database. Accepted Value: A list of comma-delimited URLs. The first is treated as primary, the following ones as backups in order. For example, |
datasource.jndi.name | Description: Data source JNDI name if you want the PIP instance to work through a data source rather than directly through JDBC. The data source scenario is supported on WebLogic Server and WebSphere Application Server only. Mandatory if you want the PIP instance to work through a data source rather than directly through JDBC. Accepted Value: JNDI name of a pre-defined data source object |
Table B-3 documents the parameters to be defined for each attribute retrieved by the configured Attribute Retriever. See Example B-9, "Enabling an Attribute's Cache" for a sample configuration.
Table B-3 Configure Attributes to be Retrieved
Name | Usage |
---|---|
name | Description: The name of the attribute as defined in the policy store. When using the LDAP predefined Attribute Retriever, the attribute name defined for Oracle Entitlements Server must be the same as the attribute name defined in the LDAP store. Currently, there is no name mapping functionality. Mandatory. Accepted Value: Attribute name |
query | Description: The SQL command or LDAP filter used for the query. Built-in and custom attributes can be used in the query string; for example, the built-in attribute. Mandatory. Accepted Value: SQL command or LDAP filter. |
ttl | Description: The time-to-live in seconds of any cached attribute values when cached is enabled. Optional. Accepted Value: Any integer; default value is 60 seconds if the cache is enabled. |
cached | Description: Enables the caching of attribute values. Optional. Accepted Value: true or false; default value is false. |
ootb.pip.attr.type | Description: Should be set to OOTB_PIP_ATTRIBUTE. Mandatory. Accepted Value: OOTB_PIP_ATTRIBUTE. |
ootb.pip.ref | Description: Should be set to an OOTB PIP instance. Mandatory. Accepted Value: The PIP service instance name defined in the |
To configure the predefined Attribute Retriever in jps-config.xml, modify the elements as described in each example in this section. Example B-3 is a sample jps-config.xml file. The examples following it illustrate the modifications that can be made.
Example B-3 Sample jps-config.xml File
<?xml version="1.0"?>
<jpsConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/jps-config-11_0.xsd">
  <property name="oracle.security.jps.jaas.mode" value="off"/>
  <property name="oracle.security.jps.enterprise.user.class" value="weblogic.security.principal.WLSUserImpl"/>
  <property name="oracle.security.jps.enterprise.role.class" value="weblogic.security.principal.WLSGroupImpl"/>
  <propertySets>
    <!-- These are the global authenticated role properties -->
    <propertySet name="authenticated.role.properties">
      <property name="authenticated.role.name" value="authenticated-role"/>
      <property name="authenticated.role.uniquename" value="authenticated-role"/>
      <property name="authenticated.role.description" value="This is the authenticated role used by identity store service instance."/>
    </propertySet>
    <!-- attribute defined for ldap retriever -->
    <propertySet name="ootb.pip.attribute.age.ldap">
      <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
      <property name="ootb.pip.ref" value="pip.service.ootb.ldap"/>
      <property name="name" value="oespipage"/>
      <property name="query" value="(cn=%SYS_USER%)"/>
      <property name="cached" value="true"/>
      <property name="ttl" value="60"/>
    </propertySet>
    <propertySet name="ootb.pip.attribute.age.based.on.myattr.ldap">
      <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
      <property name="ootb.pip.ref" value="pip.service.ootb.ldap"/>
      <property name="name" value="oespipage_myattr"/>
      <property name="query" value="(cn=%MyAttr%)"/>
      <property name="cached" value="true"/>
      <property name="ttl" value="60"/>
    </propertySet>
    <propertySet name="ootb.pip.attribute.gender.ldap">
      <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
      <property name="ootb.pip.ref" value="pip.service.ootb.ldap"/>
      <property name="name" value="oespipgender"/>
      <property name="query" value="(oespipage=%oespipage%)"/>
      <property name="cached" value="true"/>
      <property name="ttl" value="60"/>
    </propertySet>
    <!-- attribute defined for rdbms retriever -->
    <propertySet name="ootb.pip.attribute.age.rdbms">
      <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
      <property name="ootb.pip.ref" value="pip.service.ootb.db"/>
      <property name="name" value="oespipage"/>
      <property name="query" value="select oespipage from pip_info_store where username=%SYS_USER%"/>
      <property name="cached" value="true"/>
      <property name="ttl" value="60"/>
    </propertySet>
    <propertySet name="ootb.pip.attribute.age.based.on.myattr.rdbms">
      <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
      <property name="ootb.pip.ref" value="pip.service.ootb.db"/>
      <property name="name" value="oespipage_myattr"/>
      <property name="query" value="select oespipage as oespipage_myattr from pip_info_store where username=%MyAttr%"/>
      <property name="cached" value="true"/>
      <property name="ttl" value="60"/>
    </propertySet>
    <propertySet name="ootb.pip.attribute.gender.rdbms">
      <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
      <property name="ootb.pip.ref" value="pip.service.ootb.db"/>
      <property name="name" value="oespipgender"/>
      <property name="query" value="select oespipgender from pip_info_store where oespipage=%oespipage%"/>
      <property name="cached" value="true"/>
      <property name="ttl" value="60"/>
    </propertySet>
  </propertySets>
  <serviceProviders>
    <serviceProvider type="CREDENTIAL_STORE" name="credstoressp" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider">
      <description>SecretStore-based CSF Provider</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.az.internal.runtime.provider.PIPServiceProvider" name="pip.service.provider" type="PIP"/>
    <serviceProvider type="POLICY_STORE" name="policy.rdbms" class="oracle.security.jps.internal.policystore.OPSSPolicyStoreProvider">
      <property name="policystore.type" value="DB_ORACLE"/>
      <description>DBMS based PolicyStore</description>
    </serviceProvider>
    <serviceProvider name="pdp.service.provider" type="PDP" class="oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider">
      <description>OPSS Runtime PDP Service Provider</description>
    </serviceProvider>
    <serviceProvider name="idstore.xml.provider" type="IDENTITY_STORE" class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider">
      <description>XML-based IdStore Provider</description>
    </serviceProvider>
    <serviceProvider name="jaas.login.provider" type="LOGIN" class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider">
      <description>This is Jaas Login Service Provider and is used to configure login module service instances</description>
    </serviceProvider>
    <serviceProvider name="policy.xml" type="POLICY_STORE" class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider">
      <description>XML-based PolicyStore</description>
    </serviceProvider>
    <serviceProvider type="POLICY_STORE" name="policy.oid" class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider">
      <description>LDAP-based PolicyStore</description>
      <property name="policystore.type" value="OID"/>
      <property name="connection.pool.maxsize" value="30"/>
      <property name="connection.pool.provider.type" value="idmpool"/>
    </serviceProvider>
    <serviceProvider type="AUDIT" name="audit.provider" class="oracle.security.jps.internal.audit.AuditProvider">
      <description>Audit Service</description>
    </serviceProvider>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp" location="./">
      <description>File Based Credential Store Service Instance</description>
    </serviceInstance>
    <serviceInstance name="idstore.xml" provider="idstore.xml.provider">
      <!-- Subscriber name must be defined for XML Identity Store -->
      <property name="subscriber.name" value="jazn.com"/>
      <!-- This is the location of XML Identity Store -->
      <property name="location" value="./user-data.xml"/>
      <!-- This property set defines the authenticated role -->
      <propertySetRef ref="authenticated.role.properties"/>
    </serviceInstance>
    <serviceInstance name="idstore.loginmodule" provider="jaas.login.provider">
      <description>Identity Store Login Module</description>
      <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
      <property name="debug" value="true"/>
      <property name="addAllRoles" value="true"/>
    </serviceInstance>
    <serviceInstance name="policystore.rdbms" provider="policy.rdbms">
      <property name="jdbc.url" value="jdbc:oracle:thin:@scl58116.domainexample.com:1521:orcl"/>
      <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
      <property name="bootstrap.security.principal.key" value="keyname"/>
      <property name="bootstrap.security.principal.map" value="mapname"/>
      <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
      <property name="oracle.security.jps.farm.name" value="cn=wcai_view_jing.atzsrg"/>
    </serviceInstance>
    <serviceInstance name="policystore.rdbms.ds" provider="policy.rdbms">
      <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
      <property name="oracle.security.jps.farm.name" value="cn=wcai_view_jing.atzsrg"/>
      <property value="atzsrgds" name="datasource.jndi.name"/>
    </serviceInstance>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.runtime.pd.client.sm_name" value="${atzsrg.pdp.configuration_id}"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="true"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionCapacity" value="500"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionPercentage" value="10"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheTTL" value="60"/>
      <property name="oracle.security.jps.ldap.policystore.refresh.interval" value="30000"/>
      <property name="oracle.security.jps.policystore.refresh.purge.timeout" value="600000"/> <!-- 10 minutes -->
      <property name="loading_attribute_backward_compatible" value="false"/>
      <!-- Properties for controlled mode PD -->
      <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="non-controlled"/>
      <property name="oracle.security.jps.runtime.instance.name" value="${atzsrg.pdp.instance_name}"/>
    </serviceInstance>
    <serviceInstance name="policystore.oid" provider="policy.oid">
      <property name="max.search.filter.length" value="4096"/>
      <property name="bootstrap.security.principal.key" value="keyname"/>
      <property name="bootstrap.security.principal.map" value="mapname"/>
      <property name="ldap.url" value="ldap://scl58126.domainexample.com:3060"/>
      <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
      <property name="oracle.security.jps.farm.name" value="cn=wcai_view_jing.atzsrg"/>
      <property name="oracle.security.jps.policystore.resourcetypeenforcementmode" value="Lenient"/>
    </serviceInstance>
    <serviceInstance name="policystore.xml" provider="policy.xml" location="./system-jazn-data.xml"/>
    <serviceInstance name="user.authentication.loginmodule" provider="jaas.login.provider">
      <description>User Authentication Login Module</description>
      <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>
    <serviceInstance name="user.assertion.loginmodule" provider="jaas.login.provider">
      <description>User Assertion Login Module</description>
      <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.assertion.JpsUserAssertionLoginModule"/>
      <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>
    <serviceInstance name="pip.service.ootb.ldap" provider="pip.service.provider">
      <property name="type" value="LDAP_PIP"/>
      <property name="ldap.url" value="ldap://scl58126.domainexample.com:3060"/>
      <property name="bootstrap.security.principal.key" value="keyname"/>
      <property name="bootstrap.security.principal.map" value="mapname"/>
      <property name="search.base" value="cn=pip_info_store,cn=wcai_view_jing.atzsrg,cn=JPSContext,cn=jpsTestNode"/>
      <property name="failed.server.retry.interval" value="10"/>
    </serviceInstance>
    <!-- JPS Audit Service Instance -->
    <serviceInstance name="audit" provider="audit.provider">
      <property name="audit.filterPreset" value="None"/>
      <property name="audit.maxDirSize" value="0"/>
      <property name="audit.maxFileSize" value="104857600"/>
      <property name="audit.loader.jndi" value="jdbc/AuditDB"/>
      <property name="audit.loader.interval" value="15"/>
      <property name="audit.loader.repositoryType" value="File"/>
    </serviceInstance>
    <serviceInstance name="pip.service.ootb.db" provider="pip.service.provider">
      <property name="type" value="RDBMS_PIP"/>
      <property name="jdbc.url" value="jdbc:oracle:thin:@scl58116.domainexample.com:1521:orcl"/>
      <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
      <property name="bootstrap.security.principal.key" value="keyname"/>
      <property name="bootstrap.security.principal.map" value="mapname"/>
      <property name="failed.server.retry.interval" value="10"/>
    </serviceInstance>
    <serviceInstance name="pip.service.ootb.db.ds" provider="pip.service.provider">
      <property name="type" value="RDBMS_PIP"/>
      <property value="atzsrgds" name="datasource.jndi.name"/>
      <property name="failed.server.retry.interval" value="10"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="policystore.oid"/>
      <serviceInstanceRef ref="pdp.service"/>
      <serviceInstanceRef ref="audit"/>
      <serviceInstanceRef ref="idstore.xml"/>
      <serviceInstanceRef ref="idstore.loginmodule"/>
      <serviceInstanceRef ref="pip.service.ootb.ldap"/>
      <serviceInstanceRef ref="pip.service.ootb.db"/>
    </jpsContext>
    <jpsContext name="smsec">
      <serviceInstanceRef ref="credstore"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
Example B-4 illustrates how the serviceProvider element declares the use of a predefined Attribute Retriever by naming the internal Oracle Entitlements Server provider class.
Example B-4 Declaring the Predefined Attribute Retriever
<serviceProvider class="oracle.security.jps.az.internal.runtime.provider.PIPServiceProvider" name="pip.service.provider" type="PIP"/>
The following examples illustrate how to modify the serviceInstance element for the predefined Attribute Retriever being used.
Example B-5, "Using the Predefined LDAP Attribute Retriever"
Example B-6, "Using the Predefined RDBMS Attribute Retriever with JDBC"
Example B-7, "Using the Predefined RDBMS Attribute Retriever with SQL"
Example B-8, "Declaring the Predefined Attribute Retriever in jpsContext"
Example B-5 illustrates how to modify the serviceInstance element when using the predefined LDAP Attribute Retriever.
Example B-5 Using the Predefined LDAP Attribute Retriever
<serviceInstance name="pip.service.ootb.ldap" provider="pip.service.provider">
  <!-- type must be LDAP_PIP for the LDAP retriever (Table B-1) -->
  <property name="type" value="LDAP_PIP"/>
  <property name="ldap.url" value="ldap://dadvmg0065.domainexample.com:3080"/>
  <property name="bootstrap.security.principal.key" value="keyname"/>
  <property name="bootstrap.security.principal.map" value="mapname"/>
  <!-- search.base is mandatory for the LDAP retriever (Table B-1) -->
  <property name="search.base" value="cn=pip_info_store,cn=wcai_view_jing.atzsrg,cn=JPSContext,cn=jpsTestNode"/>
  <property name="failed.server.retry.interval" value="10"/>
</serviceInstance>
The following two examples illustrate how to modify the serviceInstance element when using the predefined RDBMS Attribute Retriever. Example B-6 applies when connecting with the Java Database Connectivity (JDBC) API.
Example B-6 Using the Predefined RDBMS Attribute Retriever with JDBC
<serviceInstance name="pip.service.ootb.db" provider="pip.service.provider">
  <property name="type" value="RDBMS_PIP"/>
  <property name="jdbc.url" value="jdbc:oracle:thin:@scl58116.domainexample.com:1521:orcl"/>
  <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
  <property name="bootstrap.security.principal.map" value="mapname"/>
  <property name="bootstrap.security.principal.key" value="keyname"/>
  <property name="failed.server.retry.interval" value="10"/>
</serviceInstance>
Example B-7 applies when connecting to a SQL database through a configured data source (datasource.jndi.name) rather than directly through JDBC.
Example B-7 Using the Predefined RDBMS Attribute Retriever with SQL
<serviceInstance name="pip.service.ootb.db" provider="pip.service.provider">
  <property name="type" value="RDBMS_PIP"/>
  <property name="datasource.jndi.name" value="DB_RAC"/>
  <property name="failed.server.retry.interval" value="10"/>
</serviceInstance>
Example B-8 illustrates how to declare the predefined Attribute Retriever reference in the jpsContext element. This sample references a predefined RDBMS Attribute Retriever.
Example B-8 Declaring the Predefined Attribute Retriever in jpsContext
<jpsContext name="default">
  <serviceInstanceRef ref="policystore.db"/>
  <serviceInstanceRef ref="pdp.service"/>
  <serviceInstanceRef ref="audit"/>
  <serviceInstanceRef ref="idstore.xml"/>
  <serviceInstanceRef ref="idstore.loginmodule"/>
  <serviceInstanceRef ref="pip.service.ootb.db"/>
</jpsContext>
Example B-9 illustrates how to configure the caching of a specific attribute value. Caching is enabled per attribute. In this example, the cache record is deleted after 60 seconds.
Example B-9 Enabling an Attribute's Cache
<propertySet name="ootb.pip.attribute.gender.ldap">
  <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
  <property name="ootb.pip.ref" value="pip.service.ootb.ldap"/>
  <property name="name" value="oespipgender"/>
  <property name="query" value="(oespipage=%oespipage%)"/>
  <property name="cached" value="true"/>
  <property name="ttl" value="60"/>
</propertySet>
Example B-10 illustrates how to configure the failover behavior. In this example, the primary connection is ldap://dadvmg0065:3080 and the backup connection is ldap://scl58123:3060. The failed server retry interval is 10 seconds.
Example B-10 Configuring LDAP Failover
<serviceInstance name="pip.service.ootb.ldap" provider="pip.service.provider">
  <property name="type" value="LDAP_PIP"/>
  <!-- comma-delimited list: the first URL is the primary, the second the backup -->
  <property name="ldap.url" value="ldap://dadvmg0065:3080,ldap://scl58123:3060"/>
  <property name="bootstrap.security.principal.key" value="keyname"/>
  <property name="bootstrap.security.principal.map" value="mapname"/>
  <!-- search.base is mandatory for the LDAP retriever (Table B-1) -->
  <property name="search.base" value="cn=pip_info_store,cn=wcai_view_jing.atzsrg,cn=JPSContext,cn=jpsTestNode"/>
  <property name="failed.server.retry.interval" value="10"/>
</serviceInstance>
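A check a practitioner would run over the serviceInstance and propertySet entries shown in this section, as an added example that is not Oracle's own tooling: it parses a jps-config.xml and reports retriever instances and attribute definitions that violate the mandatory parameters of Tables B-1 to B-3 or that are missing from the default jpsContext. The embedded fragment is constructed; its host names and the pip.service.broken instance (which declares RDBMS_PIP but carries an LDAP URL) are made up.

```python
import xml.etree.ElementTree as ET

# Mandatory connection parameters per retriever type (Tables B-1 and B-2).
LDAP_REQUIRED = {"ldap.url", "search.base", "bootstrap.security.principal.key",
                 "bootstrap.security.principal.map"}
JDBC_REQUIRED = {"jdbc.url", "jdbc.driver", "bootstrap.security.principal.key",
                 "bootstrap.security.principal.map"}


def _props(elem):
    """Collect the <property name=... value=.../> children of an element into a dict."""
    return {p.get("name"): p.get("value", "") for p in elem.findall("property")}


def lint_jps_config(xml_text):
    """Return a list of findings for the predefined retriever configuration; empty means clean."""
    root = ET.fromstring(xml_text)
    findings = []

    # A serviceInstance whose type property is LDAP_PIP or RDBMS_PIP is a predefined retriever.
    retrievers = {}
    for si in root.iter("serviceInstance"):
        name, props = si.get("name"), _props(si)
        kind = props.get("type")
        if kind == "LDAP_PIP":
            missing = LDAP_REQUIRED - set(props)
        elif kind == "RDBMS_PIP":
            # Direct JDBC needs driver, URL and CSF credentials; a data source needs only its JNDI name.
            missing = set() if "datasource.jndi.name" in props else JDBC_REQUIRED - set(props)
            if "ldap.url" in props:
                findings.append(f"{name}: RDBMS_PIP instance carries ldap.url; check the type property")
        else:
            continue
        retrievers[name] = kind
        findings += [f"{name}: missing mandatory property {p}" for p in sorted(missing)]

    # Attribute definitions (Table B-3) must point at a retriever and carry a query of the right kind.
    for ps in root.iter("propertySet"):
        props = _props(ps)
        if props.get("ootb.pip.attr.type") != "OOTB_PIP_ATTRIBUTE":
            continue
        psname, ref, query = ps.get("name"), props.get("ootb.pip.ref"), props.get("query", "")
        if ref not in retrievers:
            findings.append(f"{psname}: ootb.pip.ref {ref!r} is not a PIP service instance")
        for p in ("name", "query"):
            if not props.get(p):
                findings.append(f"{psname}: missing mandatory property {p}")
        if retrievers.get(ref) == "LDAP_PIP" and not query.startswith("("):
            findings.append(f"{psname}: LDAP retriever expects an LDAP filter, got {query!r}")
        if props.get("cached") == "true" and not props.get("ttl", "60").isdigit():
            findings.append(f"{psname}: ttl must be an integer number of seconds")

    # Every retriever must be referenced from the default jpsContext (Example B-8).
    contexts = root.find("jpsContexts")
    default = contexts.get("default") if contexts is not None else None
    referenced = {r.get("ref") for ctx in root.iter("jpsContext") if ctx.get("name") == default
                  for r in ctx.findall("serviceInstanceRef")}
    findings += [f"{name}: not referenced from default jpsContext {default!r}"
                 for name in retrievers if name not in referenced]
    return findings


# Constructed fragment (not a real deployment): one correct LDAP retriever with a backup URL,
# and one instance that declares RDBMS_PIP, carries an LDAP URL and is absent from the context.
SAMPLE = """<jpsConfig>
  <propertySets>
    <propertySet name="ootb.pip.attribute.age.ldap">
      <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
      <property name="ootb.pip.ref" value="pip.service.ootb.ldap"/>
      <property name="name" value="oespipage"/>
      <property name="query" value="(cn=%SYS_USER%)"/>
      <property name="cached" value="true"/>
      <property name="ttl" value="60"/>
    </propertySet>
  </propertySets>
  <serviceInstances>
    <serviceInstance name="pip.service.ootb.ldap" provider="pip.service.provider">
      <property name="type" value="LDAP_PIP"/>
      <property name="ldap.url" value="ldap://ldap1.example.com:3060,ldap://ldap2.example.com:3060"/>
      <property name="bootstrap.security.principal.key" value="keyname"/>
      <property name="bootstrap.security.principal.map" value="mapname"/>
      <property name="search.base" value="cn=pip_info_store,cn=jpsTestNode"/>
    </serviceInstance>
    <serviceInstance name="pip.service.broken" provider="pip.service.provider">
      <property name="type" value="RDBMS_PIP"/>
      <property name="ldap.url" value="ldap://ldap1.example.com:3060"/>
      <property name="bootstrap.security.principal.key" value="keyname"/>
      <property name="bootstrap.security.principal.map" value="mapname"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default"><serviceInstanceRef ref="pip.service.ootb.ldap"/></jpsContext>
  </jpsContexts>
</jpsConfig>"""
```

Run lint_jps_config on the contents of $DOMAIN_HOME/config/fmwconfig/jps-config.xml after editing; a retriever that is declared but not referenced from the default context is silently never used.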
As documented in Table B-1, "LDAP Attribute Retriever Parameters" and Table B-2, "RDBMS Attribute Retriever Parameters", the bootstrap.security.principal.key and bootstrap.security.principal.map parameters define the key and the map (respectively) used to access the data store. Oracle Entitlements Server ships with oesPassword.sh, which sets these LDAP and database connection credentials in the bootstrap credential store. The tool is located in the $OES_SM_INSTANCE_DIRECTORY/bin/ directory. Use the following command to run it.
./oesPassword.sh -setpass
It prompts for the security principal key name, the security principal map name, the username and associated password.
For security reasons, the passwords configured for databases are periodically changed; thus, the Oracle Entitlements Server components (Administration Server and Security Modules) will need to be updated with the new password. The following information documents how this can be done.
The Administration Server uses a WebLogic Server data source to provide database access and database connection management. To change the password, update the data source configuration with the new password using the WebLogic Server console. No additional steps are required.
Security Modules may connect to a particular database in either of the following ways:
The Security Module will connect to the database used as a Policy Store when distributing policies in either the controlled-pull, non-controlled or mixed distribution modes.
The Security Module can connect to any relational database management system (RDBMS) when retrieving attributes from an attribute repository using attribute retrievers. (This connection is not limited to the default Policy Store.)
Both cases can use either the WebLogic Server data source configuration or JDBC properties directly. When connecting via the WLS data source configuration, update the data source configuration with the new password using the WebLogic Server console. No additional steps are required. When connecting via the JDBC properties directly, use the oesPassword utility as discussed in Section B.4, "Setting Up PIP Connection Credentials." The map and key for the credential are defined in jps-config.xml.