Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documents
Conventions
1 Introducing Oracle Entitlements Server
1.1 About Access Control
1.2 Overview of Oracle Entitlements Server
1.2.1 Understanding Oracle Entitlements Server Releases
1.2.2 Using the Authorization Policy Manager Console
1.2.3 Features of Oracle Entitlements Server 11gR2
1.3 Overview of the Oracle Entitlements Server Architecture
1.3.1 The Policy Administration Point
1.3.2 The Policy Decision Point and the Policy Enforcement Point
1.3.2.1 Security Module as PDP
1.3.2.2 Security Module as Combination PDP / PEP
1.3.2.3 Understanding the Types of Security Modules
1.3.3 The Policy Information Point
1.4 How Oracle Entitlements Server Processes Authorization Policies
1.5 About the Supported Access Control Standards
1.5.1 Role-based Access Control (RBAC)
1.5.2 Attribute-Based Access Control (ABAC)
1.5.3 Java Permissions
1.5.4 XACML
1.5.5 PEP API
2 Understanding the Policy Model
2.1 Understanding Oracle Entitlements Server Policies
2.1.1 Understanding the Authorization Policy
2.1.2 Understanding Role Assignments and the Role Mapping Policy
2.2 How Oracle Entitlements Server Evaluates Policies
2.3 The Policy Object Glossary
2.4 Implementing a Policy Use Case
2.4.1 Protecting Software Components
2.4.2 Protecting Business Objects
3 Getting Started
3.1 Before You Begin
3.2 Understanding The Graphical Interface
3.2.1 Assigning Oracle Entitlements Server Administrators
3.2.2 Using the Identity Store
3.2.3 Accessing the Policy Store
3.2.4 Displaying Oracle Platform Security Services Application Grants
3.3 Accessing the Administration Console
3.3.1 Signing In to the Administration Console
3.3.2 Signing Out of the Administration Console
3.4 Navigating the Administration Console
3.4.1 Understanding the Main Tabs
3.4.1.1 Authorization Management Tab
3.4.1.2 System Configuration Tab
3.4.2 Using The Navigation Panel
3.4.3 Using the Home Tab
3.4.4 Accessing Help
3.5 Upgrading from Oracle Entitlements Server Basic
3.5.1 Changing From Basic to Advanced Policy Authorization
3.6 Accessing Oracle Entitlements Server Examples
4 Managing Policies and Policy Objects
4.1 Introducing Policy and Policy Object Management
4.2 Defining an Authorization Policy And Its Components
4.3 Adding Fine-Grained Elements to an Authorization Policy
4.4 Implementing An Authorization Policy Step by Step
4.5 Managing Policy Objects in An Application
4.5.1 Managing Applications
4.5.1.1 Creating an Application
4.5.1.2 Modifying an Application
4.5.1.3 Deleting an Application
4.5.2 Managing Resource Types
4.5.2.1 Creating a Resource Type
4.5.2.2 Modifying a Resource Type
4.5.2.3 Deleting a Resource Type
4.5.3 Managing Resources
4.5.3.1 Creating a Resource
4.5.3.2 Modifying a Resource
4.5.3.3 Deleting a Resource
4.5.4 Managing Entitlements
4.5.4.1 Creating an Entitlement
4.5.4.2 Modifying an Entitlement
4.5.4.3 Deleting an Entitlement
4.5.5 Managing Authorization Policies
4.5.5.1 Creating an Authorization Policy
4.5.5.2 Modifying an Authorization Policy
4.5.5.3 Deleting an Authorization Policy
4.5.6 Managing Application Roles in the Role Catalog
4.5.6.1 Creating an Application Role
4.5.6.2 Modifying an Application Role
4.5.6.3 Mapping External Roles to an Application Role
4.5.6.4 Mapping an External User to an Application Role
4.5.6.5 Deleting an Application Role or Removing External Role Mappings
4.5.6.6 Removing External User Mappings
4.5.7 Managing Role Mapping Policies
4.5.7.1 Creating a Role Mapping Policy
4.5.7.2 Modifying a Role Mapping Policy
4.5.7.3 Deleting a Role Mapping Policy
4.5.8 Managing a Role Category
4.5.9 Managing Attributes and Functions as Extensions
4.5.9.1 Creating an Attribute
4.5.9.2 Modifying an Attribute
4.5.9.3 Deleting an Attribute
4.5.9.4 Creating a Function
4.5.9.5 Modifying a Function
4.5.9.6 Deleting a Function
4.6 Using the Condition Builder
4.6.1 Building a Complex Expression
4.6.2 Passing Parameters to Functions
5 Querying Security Objects
5.1 Searching with the Administration Console
5.2 Finding Objects with a Simple Search
5.3 Finding Objects with an Advanced Search
5.3.1 Searching External Roles
5.3.2 Searching Applications
5.3.3 Searching Resource Types
5.3.4 Searching Application Roles
5.3.5 Searching Role Mapping Policies
5.3.6 Searching Resources
5.3.7 Searching Entitlements
5.3.8 Searching Authorization Policies
5.3.9 Searching Attributes
5.3.10 Searching Functions
5.3.11 Searching for Users
5.4 Understanding Case Sensitivity in Object Names
6 Managing Policy Distribution
6.1 Defining Distribution Modes
6.1.1 Controlled Distribution
6.1.2 Non-controlled Distribution
6.2 Understanding Policy Distribution
6.2.1 Using a Central Policy Distribution Component
6.2.2 Using a Local Policy Distribution Component
6.3 Distributing Policies
6.3.1 Distributing Policies Using the Administration Console
6.4 Using Default or Third Party Digital Certificates
6.4.1 Using a Third Party Certificate with a WebLogic Server Security Module
6.4.2 Using a Third Party Certificate with a Web Services or Java Security Module
6.4.3 Using a Third Party Certificate with a WebSphere Application Server Security Module
6.4.4 Using a Third Party Certificate with a Tomcat or JBoss Security Module
6.5 Debugging Policy Distribution
7 Deploying the Policy Decision Point
7.1 Understanding the PDP Deployment Models
7.1.1 Embedding the PDP Locally
7.1.2 Locating the PDP Remotely
7.2 Using the Security Module Proxy Mode
7.3 Using the XACML Gateway
8 Managing Security Module Configurations
8.1 Before You Begin
8.2 Starting the SMConfig UI
8.3 Modifying Security Module Configurations
8.4 Configuring Security Modules Post-Instantiation
8.4.1 Configuring the Java Security Module
8.4.2 Configuring the RMI Security Module
8.4.3 Configuring the Web Services Security Module
8.4.4 Configuring the WebLogic Server Security Module
8.4.5 Configuring the SharePoint Server (MOSS) Security Module
8.4.6 Configuring the .NET Security Module
8.4.7 Configuring the WebSphere, Tomcat and JBoss Security Modules
8.4.8 Configuring the Oracle Service Bus Security Module
8.5 Configuring the PDP Proxy Client for RMI or Web Services
9 Securing Environment Specific Resources
9.1 Choosing a Security Module Type
9.2 Securing Microsoft Office SharePoint Server Resources
9.2.1 Protecting SharePoint Resources
9.2.1.1 Protecting Web Sites and Web Pages
9.2.1.2 Protecting Web Parts
9.2.1.3 Protecting Lists
9.2.1.4 Protecting Sensitive Content Within Web Pages
9.2.2 Instantiating the MOSS and Web Services Security Modules
9.2.3 Integrating and Disintegrating the MOSS Security Module
9.2.4 Configuring for SharePoint Security
9.3 Securing Oracle Service Bus Resources
9.3.1 Examining the OSB Resource Object
9.3.2 Mapping Secure OSB Resources to Oracle Entitlements Server
9.3.3 Mapping Non-secure OSB Resources to Oracle Entitlements Server
9.3.4 Enabling the WebLogic Server Providers
9.4 Securing WebLogic Server Resources
9.4.1 Integrating with WebLogic Server
9.4.2 Discovering WebLogic Server Resources
9.4.2.1 Enabling Discovery Mode
9.4.2.2 Loading Discovered Resources
9.4.3 Converting WebLogic Server Resources
9.4.4 Mapping WebLogic Server Resources to Policy Objects
9.4.4.1 Enterprise Java Bean Resources
9.4.4.2 Java Naming and Directory Interface Resources
9.4.4.3 URL Resources
9.4.4.4 JDBC Resources
9.4.4.5 JMS Resources
9.4.4.6 Web Services Resources
9.4.4.7 Server Resources
9.5 Securing Oracle WebCenter Content Resources
9.5.1 Integrating with Oracle WebCenter Content
10 Managing System Configurations
10.1 Delegating With Administrators
10.2 Configuring Security Module Definitions
10.2.1 Creating a Security Module Definition
10.2.2 Binding an Application to a Security Module
10.2.3 Unbinding an Application From a Security Module
10.2.4 Deleting a Security Module Definition
10.3 Configuring Identity Directory Service Profiles
10.3.1 Creating an Identity Directory Service Profile
10.3.2 Binding an Application to an Identity Directory Service Profile
10.3.3 Unbinding an Application From an Identity Directory Service Profile
10.3.4 Deleting an Identity Directory Service Profile
11 Delegating With Administrator Roles
11.1 About Delegated Administrators
11.2 Delegating Using Scope and Granularity
11.3 Delegating Application Administration
11.3.1 Adding a Delegated Administrator for An Application
11.3.2 Modifying or Deleting an Application's Delegated Administrator
11.4 Using Policy Domains to Delegate
11.4.1 Creating a Policy Domain
11.4.2 Modifying a Policy Domain
11.4.3 Deleting a Policy Domain
11.5 Delegating Policy Domain Administration
11.5.1 Adding a Delegated Administrator to a Policy Domain
11.5.2 Modifying or Deleting a Policy Domain's Delegated Administrator
11.6 Managing System Administrators Using Administrator Roles
11.6.1 Creating a New Administrator Role
11.6.2 Assigning Privileges to an Administrator Role
11.6.3 Modifying Administrator Role Membership
11.6.4 Deleting an Administrator Role
12 Customizing the Administration Console
12.1 Customizing Authorization Policy Manager
12.2 Customizing Headers, Footers, and Logo
12.3 Customizing Color Schemes
12.4 Customizing the Login Page
13 Management Tasks
13.1 Moving from a Test Environment to Production (T2P)
13.2 Using the Policy Simulator
13.2.1 Understanding Policy Simulation
13.2.2 Choosing the Policy Simulation Mode
13.2.3 Running the Policy Simulator
13.2.3.1 Running the Policy Simulator in Simple Mode
13.2.3.2 Running the Policy Simulator in Advanced Mode
13.3 Using FIPS-compliant Security Providers
13.3.1 Installing the JCE Provider
13.3.2 Configuring JCE
13.4 Managing Audit Tasks
13.4.1 Auditing Oracle Entitlements Server Events
13.4.2 Configuring Oracle Entitlements Server Administration Server for Auditing
13.4.3 Configuring Oracle Entitlements Server Security Modules for Auditing
13.4.3.1 Configuring the WebLogic Server Security Module
13.4.3.2 Configuring Other Security Modules
13.4.4 Additional Auditing Information
13.5 Migrating Policies
13.5.1 Migrating From XML to LDAP
13.5.2 Migrating From LDAP to XML
13.5.3 Migrating From XML to Database
13.5.4 Migrating From Database to XML
13.6 Configuring Cache
13.6.1 Configuring Decision Caching
13.6.2 Configuring Attribute Caching
13.7 Logging
13.8 Debugging
13.8.1 Enabling Debugging By Defining Parameters
13.8.1.1 Configuring Logging for Debugging
13.8.1.2 Searching Logs to Debug Authorization Policies
13.8.2 Enabling Debugging Using Methods
13.8.3 Debugging Policy Distribution
14 Configuring a Disaster Recovery Solution
14.1 Overview of a Multi-Site Deployment
14.2 Multi-Site Deployment Topology
14.3 Task Roadmap
14.4 Prerequisites
14.5 Configuring Disaster Recovery for Oracle Entitlements Server
14.5.1 Setting Up the Primary Server
14.5.2 Setting Up the Standby Server (Duplicate)
14.5.3 Test Log Transfer
14.5.4 Configuring the Oracle Data Guard Broker
14.5.5 Testing Failover and Switchover
14.5.6 Installing Oracle Grid Infrastructure for a Standalone Server
14.5.7 Configuring a Virtual Device for Oracle ASM
14.5.8 Configuring Oracle Restart
14.5.9 Installing OPSS Schema
14.5.10 Installing the Primary Administration Console
14.5.11 Installing the Secondary Administration Console
14.5.12 Configuring the Security Module
A Installation and Configuration Parameters
A.1 Policy Distribution Configuration
A.1.1 Policy Distribution Component Server Configuration
A.1.2 Policy Distribution Component Client Configuration
A.1.2.1 Policy Distribution Component Client Java Standard Edition Configuration (Controlled Push Mode)
A.1.2.2 Policy Distribution Component Client Java Enterprise Edition Container Configuration (Controlled Push Mode)
A.1.2.3 Policy Distribution Client Configuration (Controlled-Pull Mode)
A.1.2.4 Policy Distribution Client Configuration (Non-controlled Mode)
A.1.2.5 Policy Distribution Client Configuration (Mixed Mode)
A.2 Security Module Configuration
A.2.1 Java Security Module
A.2.2 Web Services Security Module
A.2.3 Web Services Security Module on WebLogic Server
A.2.4 RMI Security Module
A.2.5 WebLogic Server Security Module
A.2.6 WebLogic Server Security Module Discovery Mode
A.3 PDP Proxy Client Configuration
A.3.1 Web Services Security Module PDP Proxy Client
A.3.2 RMI Security Module PDP Proxy Client
A.4 Policy Store Service Configuration
B Configuring Attribute Retrievers Manually
B.1 Understanding Predefined Attribute Retrievers
B.2 Configuring the Predefined Attribute Retrievers
B.2.1 Configuring the LDAP Repository Attribute Retriever Parameters
B.2.2 Configuring the Database Repository Attribute Retriever Parameters
B.2.3 Configuring Individual Attributes for Predefined Attribute Retrievers
B.3 Modifying jps-config.xml
B.4 Setting Up PIP Connection Credentials
B.5 Updating the Database Password
C Managing Advanced Policies with WLST
C.1 Using the WebLogic Scripting Tool with Oracle Entitlements Server
C.2 Using the WLST Commands
C.2.1 createApplicationPolicy
C.2.2 updateResourceType
C.2.3 updateResource
C.2.4 createPolicy
C.2.5 updatePolicy
C.2.6 deletePolicy
C.2.7 listPolicies
C.2.8 createAttribute
C.2.9 updateAttribute
C.2.10 deleteAttribute
C.2.11 listAttributes
C.2.12 createFunction
C.2.13 updateFunction
C.2.14 deleteFunction
C.2.15 listFunctions
C.2.16 getFunction
C.3 Creating Policy with a Script
Index