This chapter describes how to install and configure Oracle Entitlements Server 11g Release 2 (11.1.2.1.0).
It discusses the following topics:
Installation and Configuration Roadmap for Oracle Entitlements Server
Configuring Oracle Entitlements Server Administration Server
Getting Started with Oracle Entitlements Server After Installation
Before you start installing and configuring Oracle Entitlements Server, ensure that you have reviewed the information provided in Part I, "Introduction and Preparation".
Note that IAM_HOME is used to refer to the Oracle Home directory that includes Oracle Identity Manager, Oracle Access Management, Oracle Adaptive Access Manager, Oracle Entitlements Server, Oracle Identity Navigator, Oracle Privileged Account Manager, and Oracle Access Management Mobile and Social. You can specify any name for this Oracle Home directory.
Oracle Entitlements Server is a fine-grained authorization and entitlement management solution that can be used to precisely control the protection of application resources. It simplifies and centralizes security for enterprise applications and SOA by providing comprehensive, reusable, and fully auditable authorization policies and a simple, easy-to-use administration model. For more information, see "Introducing Oracle Entitlements Server" in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.
Oracle Entitlements Server 11g includes two distinct components:
Oracle Entitlements Server Administration Server
This component is included in the Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0) installation. The Administration Server manages the storage of policy data in the database and the transactional distribution of policies to the Security Modules.
Oracle Entitlements Server Client (Security Module)
This component has its own installer and it is not included in the Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0) installation. The Oracle Entitlements Server Client does not require Oracle WebLogic Server.
Table 8-1 lists the tasks for installing and configuring Oracle Entitlements Server.
Table 8-1 Installation and Configuration Flow for Oracle Entitlements Server
No. | Task | Description |
---|---|---|
1 |
Review installation concepts in the Installation Planning Guide. |
Read the Oracle Fusion Middleware Installation Planning Guide, which describes the process for various users to install or upgrade to Oracle Fusion Middleware 11g (11.1.2) depending on the user's existing environment. |
2 |
Review the system requirements and certification documents to ensure that your environment meets the minimum installation requirements for the components you are installing. |
For more information, see Section 2.1, "Reviewing System Requirements and Certification". |
3 |
Obtain the Oracle Fusion Middleware Software. |
For more information, see Section 3.2.1, "Obtaining the Oracle Fusion Middleware Software" |
4 |
Review the Database requirements. |
Oracle recommends that you install Oracle Database. For more information, see Section 3.2.2, "Database Requirements". |
5 |
Create and load the appropriate schemas for Oracle Entitlements Server. |
Depending on the policy store you choose for Oracle Entitlements Server, complete one of the following:
|
6 |
Review WebLogic Server and Middleware Home requirements. |
For more information, see Section 3.2.4, "WebLogic Server and Middleware Home Requirements". |
7 |
Start the Oracle Identity and Access Management Installer. |
For more information, see Section 3.2.6, "Starting the Oracle Identity and Access Management Installer". |
8 |
Install the Oracle Identity and Access Management 11g software. |
Oracle Entitlements Server is included in the Oracle Identity and Access Management Suite. You can use the Oracle Identity and Access Management 11g Installer to install Oracle Identity and Access Management Suite. For more information, see Section 3.2.7, "Installing Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0)". |
9 |
Run the Oracle Fusion Middleware Configuration Wizard to configure Oracle Entitlements Server Administration Server. |
For more information, see Section 8.4, "Configuring Oracle Entitlements Server Administration Server". |
10 |
Install the Oracle Entitlements Server Client software. |
For more information, see Section 8.5, "Installing Oracle Entitlements Server Client". |
11 |
Configure Oracle Entitlements Server Client. |
For more information, see Section 8.6, "Configuring Oracle Entitlements Server Client". |
12 |
Get started with Oracle Entitlements Server. |
For more information, see Section 8.7, "Getting Started with Oracle Entitlements Server After Installation". |
This topic describes how to configure Oracle Entitlements Server in a new WebLogic domain. It includes the following sections:
Configuring Oracle Entitlements Server in a New WebLogic Domain
Configuring Security Store for Oracle Entitlements Server Administration Server
Verifying Oracle Entitlements Server Administration Server Configuration
Performing the configuration in this section deploys the following:
WebLogic Administration Server
Oracle Entitlements Server application on the Administration Server
If you are using Apache Derby, then you must extract the oracle.apm_11.1.1.3.0_template_derby.zip
file (located in IAM_HOME/common/templates/applications
) and save oracle.apm_11.1.1.3.0_template_derby.jar
file to the following location:
IAM_HOME\common\templates\applications
Perform the following steps to configure Oracle Entitlements Server in a new WebLogic domain:
Note:
You must have a dedicated Oracle WebLogic Server domain for Oracle Entitlements Server. Do not configure any other Oracle Identity and Access Management components in this domain.
Run the IAM_HOME/common/bin/config.sh
script (on UNIX), or IAM_HOME\common\bin\config.cmd
(on Windows).
The Fusion Middleware Configuration Wizard appears.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next.
The Select Domain Source screen appears.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_HOME] option, and click Next.
Notes:
When you select the Oracle Entitlements Server for Admin Server- 11.1.1.0 [IAM_HOME] option, the following options are also selected, by default:
Oracle Platform Security Service 11.1.1.0 [IAM_HOME]
Oracle JRF 11.1.1.0 [oracle_common]
If you using Apache Derby, then select the Oracle Entitlements Server Security Module - 11.1.1.0 [IAM_HOME] option.
The Specify Domain Name and Location screen appears.
Enter a name and a location for the domain to be created, and click Next.
The Configure Administrator User Name and Password screen appears.
Enter a user name and a password for the administrator. The default user name is weblogic
. Click Next.
Note:
When you enter the user name and the password for the administrator, be sure to remember them. This is the WebLogic Administrator user name and password that you must specify for logging in to the WebLogic Server Administration Console. The Oracle WebLogic Server Administration Console is a Web browser-based, graphical user interface that you use to manage a WebLogic Server domain.
The Configure Server Start Mode and JDK screen appears.
Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.
Note:
Ensure that the JDK version you select is Java SE 6 Update 24 or higher.
The Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select the Oracle Entitlements Server Schema and specify the Schema Owner, Schema Password, DBDS/Service, Host Name, and Port.
Note:
The Schema Owner refers to the name that you specified when creating the database schemas for Oracle Entitlements Server using the Oracle Fusion Middleware Repository Creation Utility (RCU).
For Database related information, refer to the tnsnames.ora
file (located in the DB_INSTALL_DIR
/product/11.2.0/
DB_INSTANCE
/network/admin
directory, where DB_INSTALL_DIR
is the location where Oracle Database was installed, and DB_INSTANCE
by default is dbhome_1)
.
Click Next. The Test JDBC Component Schema screen appears.
Select the component schema you want to test, and click Test Connections. After the test succeeds, click Next. If the test fails, click Previous, correct the values that you entered in step 7, and test the connection again.
The Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure the Administration Server, Managed Servers, Clusters, Machines, Deployments and Services, and RDBMS Security Store. Select the relevant check boxes, and click Next.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
The Creating Domain screen appears. This screen shows the progress of the domain creation. When the domain creation process completes, this screen displays the Domain location and the Admin Server URL.
After reviewing the information displayed on the screen, click Done to close the Configuration Wizard.
A new WebLogic domain to support Oracle Entitlements Server is created in the <MW_HOME>\user_projects\domains
directory (on Windows). On UNIX, the domain is created in the <MW_HOME>/user_projects/domains
directory.
You must run the configureSecurityStore.py
script to configure the security store for Oracle Entitlements Server Administration Server. Security store is a repository of system and application-specific policies, credentials, and keys.
The configureSecurityStore.py
script is located in the <IAM_HOME>\common\tools
directory. You can use the -h
option for help information about using the script.
Configure the security store for Oracle Entitlements Server Administration Server as follows:
On Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -s <datasource> -f <farmname> -t <servertype> -j <jpsroot> -m <mode> -p <password>
For example:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_Home>\user_projects\domains\base_domain -t DB_ORACLE -j cn=jpsroot -m create -p welcome1
For an example of the join
option, see "Configuring the Database Security Store Using the Join Option".
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -s <datasource> -f <farmname> -t <servertype> -j <jpsroot> -m <mode> -p <password>
For example:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_Home>/user_projects/domains/base_domain -t DB_ORACLE -j cn=jpsroot -m create -p welcome1
For an example of the join
option, see "Configuring the Database Security Store Using the Join Option".
Table 8-2 describes the parameters that you may specify on the command line.
Table 8-2 OES Administration Server Security Store Configuration Parameters
Parameter | Description |
---|---|
|
Location of the Oracle Entitlements Server Administration Server Domain. |
|
The data source of security store configured in domain. It is optional, default value is |
|
The security store farm name. It is optional, default value is the domain name. |
|
The policy store type. For example: It is optional, default value is |
|
The distinguished name of jpsroot. It is optional, default value is |
|
|
|
The configuration mode of the domain. For example: It is optional, default value is Note: If For example: If the OES Administration Server is deployed in the domain where other Oracle Identity and Access Management components (OIM, OAM, OAAM, OPAM, or OIN) are deployed, then the domain is configured in mixed mode. In this case, the OES Administration Server is used for managing the Oracle Identity and Access Management policies only. It should not be used to manage the policies for any other applications protected by OES Security Modules. If For example: If you want to use OES Administration Server to manage custom applications which are protected by OES Security Modules, then the OES Administration Server must be deployed in a domain with non-controlled distribution mode. |
|
The OPSS schema password. |
|
The directory containing the encryption key file |
|
The password used when the domain's key file was generated. If |
|
The user name of the OPSS schema. If |
You must start the Administration Server by running the following command on the command line:
Windows:
MW_HOME\user_projects\domains\domain_name\bin\startWebLogic.cmd
UNIX:
MW_HOME/user_projects/domains/domain_name/bin/startWebLogic.sh
To verify that your Oracle Entitlements Server Administration Server configuration was successful, use the following URL to log in to the Oracle Entitlements Server Administration Console:
http://hostname:port/apm/
Where hostname
is the DNS name or IP address of the Administration Server and port
is the address of the port on which the Administration Server listens for requests. You can obtain these values from the AdminServer.log
file.
The AdminServer.log
file is located in the MW_HOME/user_projects/domains/domain_name/servers/AdminServer/logs
directory (on UNIX) or the MW_HOME\user_projects\domains\domain_name\servers\AdminServer\logs
directory (on Windows).
For more information, see the section "Logging In to and Signing Out of the User Interface" in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.
This section contains the following topic:
Before installing the Oracle Entitlements Server Client software, ensure that you have installed and configured the Oracle Entitlements Server Administration Server.
For more information on obtaining Oracle Entitlements Server Client 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.
To install Oracle Entitlements Server Client, extract the contents of oesclient.zip
to your local directory and then start the Installer by executing one of the following commands:
UNIX: <full path to the runInstaller directory>/runInstaller -jreLoc <full path to the JRE directory>
Windows: <full path to the setup.exe directory>\setup.exe -jreLoc <full path to the JRE directory>
Note:
The installer prompts you to enter the absolute path of the JDK that is installed on your system. When you install Oracle WebLogic Server, the jdk
directory is created under your Middleware Home. You must enter the absolute path of the JRE folder located in this JDK when launching the installer. For example, on Windows, if the JRE is located in C:\
MW_HOME
\jdk
, then launch the installer from the command prompt as follows:
<full path to the setup.exe directory>\setup.exe -jreLoc C:\
MW_HOME
\jdk
\jre
You must specify the -jreLoc
option on the command line when using the JDK to avoid installation issues.
Follow the instructions in Table 8-3 to install Oracle Entitlements Server Client.
If you need additional help with any of the installation screens, click Help to access the online help.
Table 8-3 Installation Flow for the Oracle Entitlements Server Client
No. | Screen | Description and Action Required |
---|---|---|
1 |
Welcome |
Click Next to continue. |
2 |
Prerequisite Checks |
If all prerequisite checks pass inspection, then click Next to continue. |
3 |
Specify Installation Location |
In the Oracle Home Directory field, enter the directory where you want to install the Oracle Entitlements Server client. This directory is also referred to as Note: If the Security Module you want to configure requires creation or extension of a WebLogic domain, then you must install the Oracle Entitlements Server client in the Middleware Home that was created during WebLogic Server installation. This applies to the following Security Module configurations:
For the above Security Module configurations, Oracle recommends that you install the Oracle Entitlements Server client in a separate directory in the same Middleware Home where the Oracle Entitlements Server Administration server is installed. For example, For the other Security Modules, the Click Next to continue. |
4 |
Installation Summary |
The Installation Summary Page screen displays a summary of the choices that you made. Review this summary and decide whether to start the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. Click Save to save the installation response file, which contains your responses to the Installer prompts and fields. To continue installing Oracle Entitlements Server Client, click Install. |
5 |
Installation Progress |
The Installation Progress screen appears. Monitor the progress of your installation. The location of the installation log file is listed for reference. Make a note of the name and location of the installation log file for your reference. After the installation progress reaches 100%, click OK. If you are installing on a UNIX system, you may be asked to run the |
8 |
Installation Complete |
Click Finish to dismiss the installer. This installation process copies the OES Client software to your system and creates an |
To verify that your Oracle Entitlements Server Client installation is successful, go to your OES_CLIENT_HOME
directory which you specified during installation, and verify that the OES_CLIENT_HOME
directory is created and populated with product files.
You can also verify the installation log file that is generated after the installation is complete. The name and location of the installation log file is displayed on the Installation Progress screen (in step 5) of the Oracle Entitlements Server Client installation.
If you have installed the Oracle Entitlements Server Client software in a separate Middleware Home than the Oracle Entitlements Server Administration Server, then after installing the Oracle Entitlements Server Client software, you must apply a patch to the oracle_common
directory using OPatch, as described in the steps below.
Note:
Skip this step if you are installing the Oracle Entitlements Server Client software into the same Middleware Home as the Oracle Entitlements Server Administration Server, because it has already been applied automatically.
This patch applies only to the following Security Module configurations:
WebLogic Server Security Module in a JRF environment
Web Service Security Module on Oracle WebLogic Server domain in a JRF environment
WebSphere Security Module in a JRF environment
Oracle Service Bus Security Module
To apply a patch to oracle_common
directory using OPatch, do the following:
Go to the OES_CLIENT_HOME/oneoffpatches
directory.
Extract the contents of the p15894053_111160_Generic.zip
file to a directory. By default, this directory is named p15894053_111160_Generic
.
Go to the OES_CLIENT_HOME/oneoffpatches/p15894053_111160_Generic
directory, and follow the instructions provided in the README.txt
file.
Policy data is distributed in a controlled manner or in a non-controlled manner.
The distribution mode is defined in the jps-config.xml
configuration file for each Security Module. The specified distribution mode is applicable for all Application Policy objects bound to that Security Module.
Note:
Oracle recommends that you configure Oracle Entitlements Server Client in the controlled distribution mode. However, if you configure a Security Module in a JRF environment, then non-controlled distribution mode is the only supported distribution mode.
This section describes how to configure the following:
For introductory information about distribution modes, see the section "Defining Distribution Modes" in the Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server.
The following sections explains how to configure the distribution modes.
To configure a controlled push distribution mode, open the smconfig.prp
file (located in OES_CLIENT_HOME/oessm/SMConfigTool
) in a text editor, and edit the following parameters described in Table 8-4.
Table 8-4 smconfig.prp File Parameters (Controlled Distribution)
Parameter | Description |
---|---|
|
Accept the default value |
|
Enter the address of the Oracle Entitlements Server Administration Server. |
|
Enter the SSL port number of the Oracle Entitlements Server Administration Server. You can find the SSL port number from the WebLogic Administration console. |
Open the smconfig.prp
file (located in OES_CLIENT_HOME/oessm/SMConfigTool
) in a text editor and edit the following parameters described in Table 8-5.
Table 8-5 smconfig.prp File Parameters Non- Controlled Distribution
Parameter | Description |
---|---|
|
Enter non- |
|
Specify the policy store type. For example, |
|
If you are using database as the policy store, then specify your database policy store JDBC URL. For example, |
|
If you are using LDAP as the policy store, then specify your LDAP URL. For example, |
|
Specify your domain name. The default value is |
|
Specify the root name of jps context. The default value is |
If you are configuring a Non-Controlled or Controlled Pull Distribution Mode, then you must set up a connection to an Oracle Database. The procedure for setting up connection to an Oracle Database differs based on the type of Security Module you choose to configure.
This section includes the following topics:
Setting Up Connection to an Oracle Database for Security Modules Configured in a Non-JRF Environment
Setting Up Connection to an Oracle Database for Security Modules Configured in a JRF Environment
Setting Up Connection to an Oracle Database for Security Modules Configured in a Non-JRF Environment
If you configure a Security Module in a non-JRF environment, then you must complete the following steps for setting up a connection to an Oracle Database:
Create a JDBC Data Source using the WebLogic Server Administration Console. This data source is used to connect to the Policy Store of the OES Administration Server. For more information, see "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:
When you follow the instructions in the above link, then in step 7 you are required to enter a value for Database User Name. The value for this parameter must be same as the one you used when creating schemas for Oracle Entitlements Server using the Oracle Fusion Middleware Repository Creation Utility (RCU). For example, prefix
_OPSS.
Open the jps-config.xml
file located in MW_HOME
/user_projects/domains/
Domain_Name
/config/oeswlssmconfig/AdminServer
directory (on UNIX), or MW_HOME
\user_projects\domains\
Domain_Name
\config\oeswlssmconfig\AdminServer
directory (on Windows).
Locate pdp.service
and replace the existing jdbc.url
property with the following property:
<property value="jdbc/OPSSDBDS" name="datasource.jndi.name"/>
Note:
jdbc/OPSSDBDS
is the name of the JDBC datasource used for the OES.
Delete the following properties:
jdbc.driver
jdbc.url
bootstrap.security.principal.key
bootstrap.security.principal.map
Save the jps-config.xml
file.
Setting Up Connection to an Oracle Database for Security Modules Configured in a JRF Environment
If you configure a Security Module in a JRF environment, then you must complete the following steps for setting up a connection to an Oracle Database:
Create a JDBC Data Source using the WebLogic Server Administration Console. This data source is used to connect to the Policy Store of the OES Administration Server. For more information, see "Create JDBC generic data sources" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:
When you follow the instructions in the above link, then in step 7 you are required to enter a value for Database User Name. The value for this parameter must be same as the one you used when creating schemas for Oracle Entitlements Server using the Oracle Fusion Middleware Repository Creation Utility (RCU). For example, prefix
_OPSS.
Start the Oracle Entitlements Server Client domain. For more information, see Appendix C, "Starting the Stack".
Reassociate the policies using the WLST reassociateSecurityStore
command, as follows:
Start the WLST shell.
cd ORACLE_HOME/common/bin
./wlst.sh
Connect to the WebLogic Administration Server using the WLST connect command.
connect ("AdminUser", "AdminPassword", "hostname:port")
For example:
connect ("weblogic", "welcome1", "ADMINHOST:7001")
Run the reassociateSecurityStore
command.
reassociateSecurityStore(domain="OESDomain", servertype="DB_ORACLE", datasourcename="Datasource_Name", jpsroot="cn=reassociatedb", join="true")
Note:
The values for domain
and jpsroot
must be same as the value for farmname
in the jps-config.xml
file. This file is located in MW_HOME
/user_projects/domains/
Domain_Name
/config/fmwconfig
directory (on UNIX), or MW_HOME
\user_projects\domains\
Domain_Name
\config\fmwconfig
directory (on Windows)
datasourcename
is the name of the Data Source that you created in step 1.
Restart the Oracle Entitlements Server Client domain after the command completes successfully. For more information, see Appendix C, "Starting the Stack".
These section describes how to configure the Security Module quickly using pre-existing smconfig.prp
files.
Configuring Web Service Security Module in a Controlled Push Mode
Configuring Oracle WebLogic Server Security Module in a Controlled Push Mode
To configure Java Security Module instance in a controlled distribution mode, do the following:
Open smconfig.java.controlled.prp
file (located in, OES_CLIENT_HOME/oessm/SMConfigTool
) in a text editor, and then specify the parameters described in Table 8-4.
Run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
on UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
on Windows) as follows:
config.sh –smConfigId <SM_NAME> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smcon fig.java.controlled.prp
When prompted, specify the following:
New key store password for enrollment.
Oracle Entitlements Server user name (This is the Administration Server's user name).
Oracle Entitlements Server password (This is the Administration Server's password)
To configure RMI Security Module instance in a controlled distribution mode, then do the following:
Open smconfig.rmi.controlled.prp
file (located in OES_CLIENT_HOME/oessm/SMConfigTool
) in a text editor, and then specify the parameters described in Table 8-4.
Run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
on UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
on Windows) as follows:
config.sh –smConfigId <SM_NAME> -RMIListeningPort <RMISM_PORT> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.rmi.controlled.prp
When prompted, specify the following:
New key store password for enrollment
Oracle Entitlements Server user name (This is the Administration Server's user name)
Oracle Entitlements Server Password (This is the Administration Server's password)
To configure Web Service Security Module instance in a controlled distribution mode, do the following:
Open smconfig.ws.controlled.prp
file (located in OES_CLIENT_HOME/oessm/SMConfigTool
) in a text editor, and then specify the parameters described in Table 8-4.
Run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
on UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
on Windows) as follows:
config.sh –smConfigId <SM_NAME> -WSListeningPort <WSSM_PORT> -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.ws.controlled.prp
When prompted, specify the following:
New key store password for enrollment
Oracle Entitlements Server user name (This is the Administration Server's user name)
Oracle Entitlements Server password (This is the Administration Server's password)
To configure Oracle WebLogic Server Security Module instance in a controlled distribution mode, do the following:
Open smconfig.wls.controlled.prp
file (located in OES_CLIENT_HOME/oessm/SMConfigTool
) in a text editor, and then specify the parameters described in Table 8-4.
Run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
on UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
for Windows) as follows:
config.sh –smConfigId <SM_NAME> -prpFileName $OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.wls.controlled.prp –serverLocation <Location of Web Logic Server Home
Create a Oracle Entitlements Server Client domain, as described in Configuring OES Client Domain in a Non-JRF Environment or Configuring OES Client Domain in a JRF Environment.
Oracle Entitlements Server Client includes the following Security Modules:
Configuring Web Service Security Module on Oracle WebLogic Server
Configuring Microsoft SharePoint Server (MOSS) Security Module
The WebLogic Security Module is a custom Java Security Module that includes both a Policy Decision Point and a Policy Enforcement Point. It can receive requests directly from the WebLogic Server without the need for explicit authorization API calls. It will only run on the WebLogic Server container.
To configure a WebLogic Server Security Module instance, you must run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
on UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
on Windows) as follows:
On UNIX:
config.sh -onJRF -smType wls -smConfigId mySM_WLS -serverLocation MW_HOME/wlserver_10.3/
On Windows:
config.sh -onJRF -smType wls -smConfigId mySM_WLS -serverLocation MW_HOME\wlserver_10.3\
Note:
If you are using a non-JRF environment, do not specify the -onJRF
parameter.
In non-controlled and controlled-pull distribution modes, when prompted, specify the Oracle Entitlements Server schema owner and password.
Table 8-6 describes the parameters you specify on the command line.
Table 8-6 Oracle WebLogic Server Security Module Parameters
Parameter | Description |
---|---|
|
Type of security module instance you want to create. It should be |
|
Name of the security module instance. For example, |
|
Location of the Oracle WebLogic Server. |
Note:
Non-controlled mode is the default distribution mode for Oracle WebLogic Server Security Module in a JRF environment.
Controlled-push mode is the default distribution mode for Oracle WebLogic Server Security Module in a non-JRF environment.
Controlled-push mode is not supported for Oracle WebLogic Server Security Module in a JRF enabled domain.
The Configuration Wizard is displayed. You can create an Oracle Entitlements Server Client domain in a JRF environment and a non-JRF environment. Depending on the option you select complete one of the following:
To create the Oracle Entitlements Server Client domain without JRF, complete the following steps:
The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.
On the Welcome screen, select the Create a new WebLogic domain option.
Note:
If you want to extend an existing WebLogic domain, then you must follow these steps:
Select the Extend an existing WebLogic domain option on the Welcome screen. Click Next.
On the Select a WebLogic Domain Directory screen, select the existing domain that you want to use. Click Next.
On the Select Extension Source screen, choose whether to extend the domain by selecting one of the listed products, or by browsing to an extension template. Click Next. The Specify Domain Name and Location screen appears. Continue with step 4.
Click Next. The Select Domain Source screen appears.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select the Oracle Entitlements Server WebLogic Security Module - 11.1.1.0 [oesclient] option. Click Next.
Note:
Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.
The Specify Domain Name and Location screen appears.
Enter a name and a location for the domain to be created, and click Next.
The Configure Administrator User Name and Password screen appears.
Enter a user name and a password for the administrator. The default user name is weblogic
. Click Next.
The Configure Server Start Mode and JDK screen appears.
Note:
When you enter the user name and the password for the administrator, be sure to remember them.
Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.
Note:
Ensure that the JDK version you select is Java SE 6 Update 24 or higher.
The Select Optional Configuration screen is displayed.
On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.
Optional: Configure the following Administration Server parameters:
Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer
.
Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.
Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001
.
Note:
Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.
SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.
SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002
.
Note:
After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort
property in the smconfig.wls.controlled.prp
file or smconfig.prp
file with the SSL listen port value. You must then run the smconfig
tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort
.
Optional: Configure Managed Servers, as required.
In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:
Name: Enter OES_ManagedServer_1
and OES_ManagedServer_2
.
Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1
and OES_ManagedServer_2
.
Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1
and OES_ManagedServer_2
. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.
SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.
SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1
and OES_ManagedServer_2
. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping
command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
On successful domain creation you may review the folder structure and files of the WebLogic Server Security Module instance. The jps-config.xml
configuration file for the WebLogic Server Security Module instance configuration is located in $DOMAIN_HOME/config/oeswlssmconfig/AdminServer
.
Setting Up Connection to an Oracle Database
After configuring OES Client domain in a non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a Non-JRF Environment".
To create the OES Client domain with JRF, complete the following steps:
The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.
On the Welcome screen, select the Create a new WebLogic domain option.
Note:
If you want to extend an existing WebLogic domain, then you must follow these steps:
Select the Extend an existing WebLogic domain option on the Welcome screen. Click Next.
On the Select a WebLogic Domain Directory screen, select the existing domain that you want to use. Click Next.
On the Select Extension Source screen, choose whether to extend the domain by selecting one of the listed products, or by browsing to an extension template. Click Next. The Specify Domain Name and Location screen appears. Continue with step 4.
Click Next. The Select Domain Source screen appears.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select the Oracle Entitlements Server WebLogic Security Module On JRF - 11.1.1.0 [oesclient] option. Click Next.
Note:
Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.
The Specify Domain Name and Location screen appears.
Enter a name and a location for the domain to be created, and click Next.
The Configure Administrator User Name and Password screen appears.
Enter a user name and a password for the administrator. The default user name is weblogic
. Click Next.
The Configure Server Start Mode and JDK screen appears.
Note:
When you enter the user name and the password for the administrator, be sure to remember them.
Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.
Note:
Ensure that the JDK version you select is Java SE 6 Update 24 or higher.
The Select Optional Configuration screen is displayed.
On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.
Optional: Configure the following Administration Server parameters:
Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer
.
Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.
Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001
.
Note:
Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.
SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.
SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002
.
Note:
After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort
property in the smconfig.wls.controlled.prp
file or smconfig.prp
file with the SSL listen port value. You must then run the smconfig
tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort
.
Optional: Configure Managed Servers, as required.
In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:
Name: Enter OES_ManagedServer_1
and OES_ManagedServer_2
.
Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1
and OES_ManagedServer_2
.
Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1
and OES_ManagedServer_2
. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.
SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.
SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1
and OES_ManagedServer_2
. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping
command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
Setting Up Connection to an Oracle Database
After configuring OES Client domain in a non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a JRF Environment".
To create a Web Service Security Module instance, you must run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
for UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
for Windows) as follows:
config.sh -smType ws -smConfigId mySM_Ws -serverPort 9410
In controlled push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.
In non-controlled and controlled-pull distribution modes when prompted, specify the Oracle Entitlements Server schema user name and password.
Table 8-7 describes the parameters you specify on the command line.
Table 8-7 Web Service Security Module Parameter
Parameters | Description |
---|---|
|
Type of security module instance you want to create. For Web Service security module, the value for this parameter should be |
|
Name of the security module instance. For example, |
|
The web service listening port. For example, |
Note:
Controlled-push distribution is the default distribution mode for Web Service Security Module.
This command also creates client configuration for Webservice Security Module Instance.
To create a Web Service Security Module instance on Oracle WebLogic Server, you must run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
for UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
for Windows) as follows:
config.sh -onJRF -smType ws -onWLS -smConfigId mySM_WsOnWLS -serverLocation <WebLogic_server_Home> -serverPort <WebLogic_server_port> -pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -serverUserName <username> -serverPassword <password>
Note:
If you are using a non-JRF environment, do not specify the -onJRF
parameter.
In controlled push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.
In non-controlled and controlled-pull distribution modes when prompted, specify the Oracle Entitlements Server schema user name and password.
Table 8-8 describes the parameters you specify on the command line.
Table 8-8 Parameters for Web Service Security Module on Oracle WebLogic Server
Parameters | Description |
---|---|
|
Type of security module instance you want to create. For Web Service security module, the value for this parameter should be |
|
Name of the security module instance. For example, |
|
The address of the Oracle Entitlements Server Administration Server. |
|
The SSL port of the Oracle Entitlements Server Administration Server. For example, 7002. |
|
Location of the Oracle WebLogic Server. |
|
The value for For example, 7001. |
|
Specify the Oracle WebLogic Server Administration username. For example: |
|
Specify the Oracle WebLogic Server Administration password. |
Note:
Controlled-push distribution is the default distribution mode for Web Service Security Module on Oracle WebLogic Server in a non-JRF environment.
Non-controlled distribution is the default distribution mode for Web Service Security Module on Oracle WebLogic Server in a JRF environment.
This command also creates client configuration for Webservice Security Module Instance on Oracle WebLogic Server.
The Configuration Wizard is displayed. You can create an OES Client domain with Web Service on Oracle WebLogic Server in a JRF environment and Web Service on Oracle WebLogic Server in a non-JRF environment. Depending on the option you select complete one of the following:
Configuring Web Service on Oracle WebLogic Server Domain in a Non-JRF Environment
Configuring Web Service on Oracle WebLogic Server Domain in a JRF Environment
To create a Web Service on Oracle WebLogic Server domain in a Non-JRF environment, complete the following steps:
The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.
On the Welcome screen, select the Create a new WebLogic domain option.
Note:
If you want to extend an existing WebLogic domain, then you must follow these steps:
Select the Extend an existing WebLogic domain option on the Welcome screen. Click Next.
On the Select a WebLogic Domain Directory screen, select the existing domain that you want to use. Click Next.
On the Select Extension Source screen, choose whether to extend the domain by selecting one of the listed products, or by browsing to an extension template. Click Next. The Specify Domain Name and Location screen appears. Continue with step 4.
Click Next. The Select Domain Source screen appears.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select the Oracle Entitlements Server Web Service Security Module on Weblogic- 11.1.1.0 [oesclient] option. Click Next.
Note:
Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.
The Specify Domain Name and Location screen appears.
Enter a name and a location for the domain to be created, and click Next.
The Configure Administrator User Name and Password screen appears.
Enter a user name and a password for the administrator. The default user name is weblogic
. Click Next.
The Configure Server Start Mode and JDK screen appears.
Note:
When you enter the user name and the password for the administrator, be sure to remember them.
Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.
Note:
Ensure that the JDK version you select is Java SE 6 Update 24 or higher.
The Select Optional Configuration screen is displayed.
On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.
Optional: Configure the following Administration Server parameters:
Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer
.
Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.
Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001
.
Note:
Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.
SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.
SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002
.
Note:
After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort
property in the smconfig.wls.controlled.prp
file or smconfig.prp
file with the SSL listen port value. You must then run the smconfig
tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort
.
Optional: Configure Managed Servers, as required.
In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:
Name: Enter OES_ManagedServer_1
and OES_ManagedServer_2
.
Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1
and OES_ManagedServer_2
.
Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1
and OES_ManagedServer_2
. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.
SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.
SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1
and OES_ManagedServer_2
. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping
command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
On successful domain creation you may review the folder structure and files of the Web Service Security Module instance on Oracle WebLogic Server. The jps-config.xml
configuration file for the Web Service Security Module instance on Oracle WebLogic Server is located in $DOMAIN_HOME/config/oeswlssmconfig/AdminServer
.
Setting Up Connection to Oracle Database
After configuring Web Service on Oracle WebLogic Server domain in a non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a Non-JRF Environment".
To create the Web Service on Oracle WebLogic Server domain in a JRF environment, complete the following steps:
The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.
On the Welcome screen, select the Create a new WebLogic domain option.
Note:
If you want to extend an existing WebLogic domain, then you must follow these steps:
Select the Extend an existing WebLogic domain option on the Welcome screen. Click Next.
On the Select a WebLogic Domain Directory screen, select the existing domain that you want to use. Click Next.
On the Select Extension Source screen, choose whether to extend the domain by selecting one of the listed products, or by browsing to an extension template. Click Next. The Specify Domain Name and Location screen appears. Continue with step 4.
Click Next. The Select Domain Source screen appears.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select the Oracle Entitlements Server Web Service Security Module on Weblogic and JRF- 11.1.1.0 [oesclient] option. Click Next.
Note:
Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.
The Specify Domain Name and Location screen appears.
Enter a name and a location for the domain to be created, and click Next.
The Configure Administrator User Name and Password screen appears.
Enter a user name and a password for the administrator. The default user name is weblogic
. Click Next.
The Configure Server Start Mode and JDK screen appears.
Note:
When you enter the user name and the password for the administrator, be sure to remember them.
Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.
Note:
Ensure that the JDK version you select is Java SE 6 Update 24 or higher.
The Select Optional Configuration screen is displayed.
On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.
Optional: Configure the following Administration Server parameters:
Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer
.
Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.
Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001
.
Note:
Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.
SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.
SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002
.
Note:
After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort
property in the smconfig.wls.controlled.prp
file or smconfig.prp
file with the SSL listen port value. You must then run the smconfig
tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort
.
Optional: Configure Managed Servers, as required.
In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:
Name: Enter OES_ManagedServer_1
and OES_ManagedServer_2
.
Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1
and OES_ManagedServer_2
.
Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1
and OES_ManagedServer_2
. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.
SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.
SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1
and OES_ManagedServer_2
. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping
command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
Setting Up Connection to Oracle Database
After configuring Web Service on Oracle WebLogic Server domain in a non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a JRF Environment".
To create a Oracle Service Bus Security Module instance, you must run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
on UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
on Windows) as follows:
config.sh -onJRF -smType wls -smConfigId myosb_WLS -serverLocation <server_location>
Table 8-9 Oracle Service Bus Security Module Parameters
Parameter | Description |
---|---|
|
Type of security module instance you want to create. For example, |
|
Name of the security module instance. For example, |
|
The location of Oracle WebLogic Server. |
Note:
Non-controlled distribution is the default distribution mode for Oracle Service Bus Security Module.
The Configuration Wizard is displayed. You can create an OES Client domain with Oracle Service Bus environment as follows:
The Fusion Middleware Configuration Wizard appears after you invoke the Security Module configuration tool.
On the Welcome screen, select the Create a new WebLogic domain option. Click Next.
The Select Domain Source screen appears.
On the Select Domain Source screen, ensure that the Generate a domain configured automatically to support the following products: option is selected.
Select the Oracle Entitlements Server Security Module On Service Bus - 11.1.1.0 [OESCLIENT] option. Click Next.
Note:
Ensure that you do not select the domain template Oracle Entitlements Server for Admin Server - 11.1.1.0 [IAM_HOME] which is associated with the Oracle Entitlements Server Administration Server.
The Specify Domain Name and Location screen appears.
Enter a name and a location for the domain to be created, and click Next.
The Configure Administrator User Name and Password screen appears.
Enter a user name and a password for the administrator. The default user name is weblogic
. Click Next.
The Configure Server Start Mode and JDK screen appears.
Note:
When you enter the user name and the password for the administrator, be sure to remember them.
Choose a JDK from the Available JDKs and then select a WebLogic Domain Startup Mode. Click Next.
Note:
Ensure that the JDK version you select is Java SE 6 Update 24 or higher.
The Select Optional Configuration screen is displayed.
On the Select Optional Configuration screen, you can configure Administration Server and Managed Servers, Clusters, and Machines, Deployments and Services, and RDBMS Security Store options. Click Next.
Optional: Configure the following Administration Server parameters:
Name: Valid server names are a string of characters (alphabetic and numeric). The name must be unique in the domain. For example, AdminServer
.
Listen address: From the drop-down list, select a value for the listen address. See Specifying the Listen Address for information about the available values.
Listen port—Enter a valid value for the listen port to be used for regular, nonsecure requests (through protocols such as HTTP and T3). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7001
.
Note:
Ensure that the value for the listen port is different from the listen port of the other Oracle Identity and Access Management components. For more information, see "Managing Ports" in the Oracle Fusion Middleware Administrator's Guide.
SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.
SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S). The default value is the next available listen port. If you leave this field blank, the default value is used. For example, 7002
.
Note:
After you specify the SSL listen port value, you must update the oracle.security.jps.pd.clientPort
property in the smconfig.wls.controlled.prp
file or smconfig.prp
file with the SSL listen port value. You must then run the smconfig
tool for Oracle WebLogic Server Security Module and set the Administration Server SSL port to the port specified in oracle.security.jps.pd.clientPort
.
Optional: Configure Managed Servers, as required.
In the Configure Managed Servers screen, click Add and create two Managed Servers. Enter the following information:
Name: Enter OES_ManagedServer_1
and OES_ManagedServer_2
.
Listen address: From the drop-down list, select a value for the listen address for OES_ManagedServer_1
and OES_ManagedServer_2
.
Listen port—Enter a valid value for the listen port to be used for OES_ManagedServer_1
and OES_ManagedServer_2
. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.
SSL enabled—Select this check box to enable the SSL listen port. By default, SSL is disabled for all new servers.
SSL listen port—Enter a valid value to be used for secure requests (through protocols such as HTTPS and T3S) for OES_ManagedServer_1
and OES_ManagedServer_2
. The default value is the next available listen port. If you leave this field blank, the default value is used. The valid listen port range is 1 to 65535.
Optional: Configure Clusters, as required.
For more information about configuring clusters for Oracle Identity and Access Management products, see the "Configuring High Availability for Identity Management Components" topic in the guide Oracle Fusion Middleware High Availability Guide.
Optional: Assign Managed Servers to clusters, as required.
Optional: Configure Machines, as needed. This step is useful when you want to run the Administration Server on one machine and Managed Servers on another physical machine.
Tip:
Before configuring a machine, use the ping
command to verify whether the machine or host name is accessible.
Optional: Assign the Administration Server to a machine.
Optional: Select Deployments, such as applications and libraries, and Services to target them to a particular cluster or server.
Optional: Configure RDBMS Security Store, as required.
On the Configuration Summary screen, review the domain configuration, and click Create to start creating the domain.
Setting Up Connection to Oracle Database
After configuring Oracle Service Bus Security Module in a non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a JRF Environment".
Configuring Authorization Provider
You must configure an Authorization provider. For information about configuring an Authorization provider, see "Configure Authorization providers" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:
Configuring Role Mapping Provider
You must configure a Role Mapping provider. For information about configuring a Role Mapping provider, see "Configure Role Mapping providers" topic in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help document, available at the following link:
You can configure WebSphere in a JRF environment, and WebSphere in a non-JRF environment. Depending on the option you select complete one of the following:
To configure WebSphere Security Module in a non-JRF environment, complete the following steps:
Create a new application server using the IBM WebSphere console and name it OesServer
.
Start the Oracle Entitlements Server (OesServer) you created for IBM WebSphere.
Open the smconfig.prp
file in a text editor and specify the pd client port and the pd app client context. The pd client port number is the SSL port number of the IBM WebSphere application server and pd app client contex is the location where the was-client.jar is deployed. For example:
oracle.security.jps.pd.was.client.appcontext=pd-client oracle.security.jps.pd.clientPort=8002
Run the config.sh
command as follows:
$OES_CLIENT_HOME/oessm/bin/config.sh -smType was -smConfigId mySM_WAS -serverLocation WAS_HOME -profileName <dmgr_profileName>
WAS_HOME
is the location of the IBM WebSphere Application Server.
For any distribution mode you choose, you must specify the IBM WebSphere server user name and password, when prompted.
In controlled push mode, you will be prompted for Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.
In non-controlled and controlled-pull modes, you will be prompted for Oracle Entitlements Server schema user name and password.
Table 8-10 describes the parameters you specify on the command line.
Table 8-10 IBM WebSphere Security Module Parameter
Parameter | Description |
---|---|
|
Type of security module instance you want to create. For example, |
|
Name of the security module instance. For example, |
|
Location of the IBM WebSphere Server. |
Note:
Controlled-push distribution is the default distribution mode for IBM WebSphere Security Module a non-JRF environment.
Configure SSL for the IBM WebSphere application server as follows:
Import the Oracle WebLogic Server demo trust certificate into IBM WebSphere node default trust keystore and cell default trust keystore by using keytool to export WLS demo trust certificate from WLS demo trust keystore file, or OES trust.jks
file into a .der
, as shown in the following example:
keytool -exportcert -keystore $OES_CLIENT_HOME/oessm/enroll/DemoTrust.jks -alias wlscertgencab -file ~/was.der
Import the was.der
file into WAS node default trust keystore and cell default trust keystore. as follows:
You may find the import in IBM WebSphere Administration Server console:
security->SSL certificate and key management -> Key stores and certificates -> <NodeDefaultTrustStore> <CellDefaultTrustStore> (here you need to choose one name) -> Signer certificates.
Click Add.
Enter an alias. For example, WLS.
Choose the .der
file that you exported earlier, and select data type as DER.
Import the issued private key into the IBM WebSphere node default keystore as follows:
You may find the import in IBM WebSphere Administration Server console:
security->SSL certificate and key management -> Key stores and certificates -> NodeDefaultKeyStore -> Personal certificates.
Click Import.
Select Keystore and enter the path to the keystore file (located in OES_CLIENT_HOME/oes_sm_instances/mySM_WAS/security/identity.jks
)
Select JKS as type and enter the password you used to create the keystore file.
The certificate alias name is the same name as the hostname.
Note:
You must import demo trust certificate into two trust stores for the WAS ND edition. For the private key, you must import one keystore.
Enable Inbound SSL for the server running IBM WebSphere Security Module as follows:
In the IBM WebSphere administration console, go to Security >SSL certificate and key management -> Manage endpoint security configurations.
Expand inbound tree to get:Inbound->DefaultCell(CellDefaultSSLSettings) -> nodes -> DefaultCellFederatedNode -> servers -> <server name running IBM WebSphere Security Module> and select the server.
In the General Properties page, select Override inherited values.
From the SSL configuration list, select NodeDefaultSSLSettings.
Click Update certificate alias list button and then choose the new imported private key alias in the Certificate alias in key store list.
Click Apply.
Enable Out bound SSL for the server running IBM WebSphere Security Module, follows:
In the IBM WebSphere administration console, go to Security >SSL certificate and key management -> Manage endpoint security configurations.
Expand inbound tree to get:Outbound->DefaultCell(CellDefaultSSLSettings) -> nodes -> DefaultCellFederatedNode -> servers -> <server name running IBM WebSphere Security Module> and select the server.
In the General Properties page, select Override inherited values.
From the SSL configuration list, select NodeDefaultSSLSettings.
Click Update certificate alias list and choose the new imported private key alias in the Certificate alias in key store list.
Click Apply.
Setting Up Connection to Oracle Database
After configuring WebSphere Security Module in a non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a Non-JRF Environment".
To configure WebSphere Security Module in a JRF environment, complete the following steps:
Configure IBM WebSphere Application Server, as described in Oracle Fusion Middleware Configuration Guide for IBM WebSphere Application Server available at the following link:
http://docs.oracle.com/cd/E21764_01/web.1111/e17764/toc.htm
Note:
In the Add Products to Cell screen, ensure that you select Oracle JRF for WebSphere - 11.1.1.0 [oracle_common]
Run the config.sh
command as follows:
$OES_CLIENT_HOME/oessm/bin/config.sh -smType was -smConfigId mySM_WAS -onJRF -conntype SOAP -host <websphere_host> -port <websphere_port> -user <username> -password <password> -serverLocation WAS_HOME -profileName <dmgr_profileName>
WAS_HOME
is the location of the IBM WebSphere Application Server.
For any distribution mode you choose, you must specify the IBM WebSphere server user name and password, when prompted.
In controlled push mode, you will be prompted for Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.
In non-controlled and controlled-pull modes, you will be prompted for Oracle Entitlements Server schema user name and password.
Table 8-10 describes the parameters you specify on the command line.
Table 8-11 IBM WebSphere Security Module Parameter
Parameter | Description |
---|---|
|
Type of security module instance you want to create. For example, |
|
Name of the security module instance. For example, |
|
Location of the IBM WebSphere Server. |
|
Specify the WebSphere host name. |
|
Specify the WebSphere Node Manager port. For example: |
|
Specify the WebSphere username. For example: |
|
Specify the WebSphere password. |
Note:
Non-controlled distribution is the default distribution mode for IBM WebSphere Security Module in a JRF environment.
Setting Up Connection to Oracle Database
After configuring WebSphere Security Module in a non-controlled or controlled-pull distribution mode, you must set up a connection to an Oracle Database, as described in "Setting Up Connection to an Oracle Database for Security Modules Configured in a JRF Environment".
To create a JBoss Security Module instance, you must run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
on UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
on Windows) as follows:
config.sh -smType jboss -smConfigId mySM_JBOSS -serverLocation <middleware>/jbosslocation/
Table 8-12 JBoss Security Module Parameters
Parameter | Description |
---|---|
|
Type of security module instance you want to create. For example, |
|
Name of the security module instance. For example, |
|
The location of JBoss Application Server. |
Note:
Controlled-push distribution is the default distribution mode for JBoss Security Module.
To make controlled-push mode work, you must login to WebLogic Administration console and go to Environment>Servers>AdminServer>SSL. The Settings for AdminServer page is displayed. Click on Advanced tab and select Use Server Certs.
To create a Apache Tomcat Security Module instance, you must run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
on UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
on Windows) as follows:
config.sh -smType tomcat -smConfigId my_tomcat_sm_push pdServer <oes_server_address> -pdPort <oes_server_port> -sslPort <oes_server_ssl_port> -serverLocation <apache-tomcat Home> -jaxwsRIHome <jaxwsRI_Home> -serverUserName <username> -serverPassword <password>
Table 8-13 Apache Tomcat Security Module Parameters
Parameter | Description |
---|---|
|
Type of security module instance you want to create. For example, |
|
Name of the security module instance. For example, |
|
The address of the Oracle Entitlements Server Administration Server. |
|
The port number of the Oracle Entitlements Server Administration Server. For example, |
|
The SSL port number of the Oracle Entitlements Server Administration Server. For example, |
|
The location of Apache Tomcat Server. |
|
The location of JAXWS-RI Note: JAXWS support is required in controlled-push mode. Apache Tomcat does not have JAXWS support by default. You can download JAXWS-RI from the following location: |
|
Specify the Oracle WebLogic Server Administration username. For example: |
|
Specify the Oracle WebLogic Server Administration password. |
Note:
Controlled-push distribution is the default distribution mode for Apache Tomcat Security Module.
To make controlled-push mode work, you must login to WebLogic Administration console and go to Environment>Servers>AdminServer>SSL. The Settings for AdminServer page is displayed. Click on Advanced tab and select Use Server Certs.
To create a Java Security Module instance, you must run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
on UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
on Windows) as follows:
Note:
If you are using Java Security Module in the proxy mode with Web Service Security Module or RMI Security Module, then you must use oes-ws-client.jar
or oes-rmi-client.jar
and ensure that you do not use oes-client.jar
.
config.sh -smType java -smConfigId mySM_Java
In controlled push mode, you will be prompted for the Oracle Entitlements Server Administration Server username, password, and a new key store password for enrollment.
In non-controlled and controlled pull modes, you will be prompted for Oracle Entitlements Server schema username, and Password.
Table 8-14 describes the parameters you specify on the command line.
Table 8-14 JSE Security Module Parameters
Parameter | Description |
---|---|
|
Type of security module instance you want to create. For example, |
|
Name of the security module instance. For example, |
Note:
Controlled-push distribution is the default distribution mode for JSE Security Module.
The Java Security Module Instance is created at OES_CLIENT_HOME/oes_sm_instances/mySM_java
. If you use the default values described in Table 8-14.
To configure a RMI Security Module Instance, you must run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
for UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
for Windows) as follows:
config.sh -smType rmi -smConfigId mySM_Rmi -serverPort 9405
In controlled push mode, when prompted, specify the Oracle Entitlements Server Administration Server user name, Oracle Entitlements Server Administration Server password, and a new key store password for enrollment.
In non-controlled and controlled-pull distribution modes when prompter specify the Oracle Entitlements Server schema username and password.
Table 8-15 describes the parameters you specify on the command line.
Table 8-15 RMI Security Module Parameters
Parameter | Description |
---|---|
|
The type of security module instance you want to create. For example, |
|
The name of the security module instance. For example, |
|
The RMI listening port. For example, |
Note:
Controlled-push distribution is the default distribution mode for RMI Security Module.
This command also creates client configuration for the RMI Security Module Instance.
This section includes the following topics:
Before configuring .NET Security Module, you must complete the following steps:
Open the dotnetsm_config.properties
file (located in <MW_Home>\as_1\oessm\dotnetsm\configtool
) and update the following information:
application.config.file: Specify the path of the configuration file based on the type of .Net application. For example: app.config
or web.config
application.log4NetXmlfile: Specify the location of log4net.xml
configuration file. If you do not have an existing logging configuration file specify the default location (OES_CLIENT_HOME/oessm/dotnetsm/logging/log4Net.xml
).
wssm.smurl: Specify the OES webservice uri exposed through the WSSM in the following format:
http://<host>:<port>/Ssmws
gac.utility: Specify the Microsoft .NET Framework Global Assembly Cache Utility Location. You can define the following operations:
config
: If you select this option, then SMconfig tool registers OES-PEP.dll
and log4NET.dll
in GAC Utility.
remove
: If you select this option, then SMconfig tool removes the DLL from the GAC util and removes the configuration parameters from application.config.file
.
You can configure .NET Security Module in the following scenarios:
Scenario 1: .NET and Web Service on a Single Machine
If .NET and Web Service are installed on a single machine, the following configurations are possible:
Configuring .NET Security Module and Web Service Security Module
Perform the configuration in this scenario if .NET and Web Service are installed on a single machine, and you want to configure .NET Security Module and Web Service Security Module.
Run the config.cmd
located in OES_CLIENT_HOME\oessm\bin
directory (on Windows), as follows:
config.cmd -smType dotnetws -prpFileName <ws_config> –dotnetprpFileName <dotnetsm_config> -smConfigId myDotnet –pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -WSListeningPort 9410
Table 8-16 describes the parameters you specify on the command line.
Table 8-16 .NET Security Module Parameters
Parameter | Description |
---|---|
|
The type of security module instance you want to create. For example, |
|
The name of the security module instance. For example, |
|
Specify the path to the |
|
Specify the path to the |
|
The address of the Oracle Entitlements Server Administration Server. |
|
The port number of the Oracle Entitlements Server Administration Server. For example, |
|
The web service listening port. For example, |
This command also creates client configuration for the .NET Security Module Instance.
Configuring .NET Security Module
Perform the configuration in this scenario if .NET and Web Service are installed on a single machine, and Web Service Security Module is already configured.
Before you configure a .NET Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.
Run the config.cmd
(located in OES_CLIENT_HOME\oessm\bin)
for Windows as follows:
config.cmd -smType dotnet -smConfigId myDotnet -prpFileName <ws_config> –dotnetprpFileName <dotnetsm_config>
Table 8-18 describes the parameters you specify on the command line.
Table 8-17 .NET Security Module Parameters
Parameter | Description |
---|---|
|
The type of security module instance you want to create. For example, |
|
The name of the security module instance. For example, |
|
Specify the path to the |
|
Specify the path to the |
This command also creates client configuration for the .NET Security Module Instance.
Ensure that the application.config
file for your .NET application contains the SsmUrl
, SsmId
and log4NetXml
values in the appSettings
section.
For example:
<appSettings> <add key="SsmUrl" value="<wssm.smurl>" <add key="SsmId" value="<smConfigId>"/> <add key="FailureRetryCount" value="3"/> <add key="FailbackTimeoutMilliSecs" value="180000"/> <add key="RequestTimeoutMilliSecs" value="10000"/> <add key="SynchronizationIntervalMilliSecs" value="60000"/> <add key="log4NetXmlfile" value="<application.log4NetXmlfile> "/> </appSettings>
Scenario 2: .NET and Web Service on Different Machines
Perform the configuration in this scenario if .NET and Web Service are installed on different machines.
Before you configure a .NET Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.
Run the config.cmd
(located in OES_CLIENT_HOME\oessm\bin)
for Windows as follows:
config.cmd -smType dotnet -smConfigId myDotnet -prpFileName <ws_config> –dotnetprpFileName <dotnetsm_config>
Table 8-18 describes the parameters you specify on the command line.
Table 8-18 .NET Security Module Parameters
Parameter | Description |
---|---|
|
The type of security module instance you want to create. For example, |
|
The name of the security module instance. For example, |
|
Specify the path to the |
|
Specify the path to the |
This command also creates client configuration for the .NET Security Module Instance.
Ensure that the application.config
file for your .NET application contains the SsmUrl
, SsmId
and log4NetXml
values in the appSettings
section.
For example:
<appSettings> <add key="SsmUrl" value="<wssm.smurl>" <add key="SsmId" value="<smConfigId>"/> <add key="FailureRetryCount" value="3"/> <add key="FailbackTimeoutMilliSecs" value="180000"/> <add key="RequestTimeoutMilliSecs" value="10000"/> <add key="SynchronizationIntervalMilliSecs" value="60000"/> <add key="log4NetXmlfile" value="<application.log4NetXmlfile> "/> </appSettings>
This section includes the following topics:
Before configuring a MOSS Security Module instance, you must ensure the following:
Microsoft SharePoint Server (MOSS) is installed on your machine.
The MOSS Web Application, associated with site collections and other resources to be protected by OES MOSS Security Module has been created.
You can configure MOSS Security Module in the following scenarios:
Scenario 1: MOSS and Web Service on a Single Machine
If MOSS and Web Service are installed on a single machine, the following configurations are possible:
Configuring MOSS Security Module and Web Service Security Module
Perform the configuration in this scenario if MOSS and Web Service are installed on a single machine, and you want to configure MOSS Security Module and Web Service Security Module.
Run the config.cmd
file located in OES_CLIENT_HOME\oessm\bin
directory (on Windows), as follows:
config.cmd -smType mossws –prpFileName <ws_config> –mossprpFileName <moss_config> -smConfigId myMoss –pdServer <oes_server_address> -pdPort <oes_server_ssl_port> -WSListeningPort 9410
Table 8-19 describes the parameters you specify on the command line.
Table 8-19 MOSS Security Module Parameters
Parameter | Description |
---|---|
|
The type of security module instance you want to create. For example, |
|
The name of the security module instance. For example, |
|
Specify the path to the |
|
Specify the path to the |
|
The address of the Oracle Entitlements Server Administration Server. |
|
The port number of the Oracle Entitlements Server Administration Server. For example, |
|
The web service listening port. For example, |
This command also creates client configuration for the MOSS Security Module Instance.
Configuring MOSS Security Module
Perform the configuration in this scenario if MOSS and Web Service are installed on a single machine, and Web Service Security Module is already configured.
Before you configure a MOSS Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.
Run the config.cmd
file located in OES_CLIENT_HOME\oessm\bin
directory (on Windows), as follows:
config.cmd -smType moss -smConfigId myMoss -prpFileName <ws_config> –mossprpFileName <moss_config>
Table 8-21 describes the parameters you specify on the command line.
Table 8-20 MOSS Security Module Parameters
Parameter | Description |
---|---|
|
The type of security module instance you want to create. For example, |
|
The name of the security module instance. For example, |
|
Specify the path to the |
|
Specify the path to the |
This command also creates client configuration for the MOSS Security Module Instance.
Scenario 2: MOSS and Web Service on Different Machines
Perform the configuration in this scenario if MOSS and Web Service are installed on different machines.
Before you configure a MOSS Security Module instance using the command mentioned below, ensure that you have configured the Web Service Security Module, as described in Configuring Web Service Security Module on Oracle WebLogic Server.
Run the config.cmd
file located in OES_CLIENT_HOME\oessm\bin
directory (on Windows), as follows:
config.cmd -smType moss -smConfigId myMoss -prpFileName <ws_config> –mossprpFileName <moss_config>
Table 8-21 describes the parameters you specify on the command line.
Table 8-21 MOSS Security Module Parameters
Parameter | Description |
---|---|
|
The type of security module instance you want to create. For example, |
|
The name of the security module instance. For example, |
|
Specify the path to the |
|
Specify the path to the |
This command also creates client configuration for the MOSS Security Module Instance.
You must run the Resource Discovery tool to locate the MOSS resources.
Run the MOSSResourceDiscovery.exe
file, located in <OES_CLIENT_HOME/oessm/mosssm/lib
directory (on Windows). You will be prompted for the following parameters:
Enter the folder path where you want to create OES policy file - Specify the path of the folder where the resource files will be created. Note that the directory used for storing the exported resources must be created beforehand.
Enter Path where Admin Url file is located - Specify the path to <OES_CLIENT_HOME/oessm/mosssm/adm/discovery/AdmUrls.txt
file. This file is used to extract the admin URLs.
Enter SharePoint site URL and DONOT append url with /. e.g. http://sharepoint01 - Specify the URL of the top level MOSS sites to be protected by OES.
Enter Application Name of the MOSS application to be protected by OES e.g. MossApp - Specify the name of the MOSS application to be protected by OES.
Note:
Ensure that the MOSS application name that you provide is same as the value defined for moss.app.name
parameter in moss_config.properties
file.
Enter Resource Type of all the MOSS resources e.g. MossResourceType - Specify the resource type of all the MOSS resources to be protected by OES.
Note:
Ensure that the MOSS resource type that you provide is same as the value defined for moss.resource.type
parameter in moss_config.properties
file.
Following is a sample execution of MOSSResourceDiscovery.exe
file:
C:\Oracle\Middleware\Oracle_OESClient\oessm\mosssm\lib>MOSSResourceDiscovery.exe ---------------------------------------------------------- Welcome to the MOSS Resource Discovery ---------------------------------------------------------- Enter the folder path where you want to create OES policy file c:\inetpub\wwwroot\wss\VirtualDirectories\9581\policy Enter Path where Admin Url file is located C:\Oracle\Middleware\Oracle_OESClient\oessm\mosssm\adm\Discovery\AdmUrls.txt Enter SharePoint site URL and DONOT append url with /. e.g. http://sharepoint01 http://alesw2k8:9581 Enter Application Name of the MOSS application to be protected by OES e.g. MossApp MossApp Enter Resource Type of all the MOSS resources e.g. MossResourceType MossResourceType Resource Discovery starts.... SpSitePath is http://alesw2k8:9581
To migrate the MOSS resource policies to OES policy store, complete the following steps:
Go to OES_CLIENT_HOME/oessm/bin
directory (on Windows), or OES_CLIENT_HOME\oessm\bin
directory (on UNIX)
Run the manage-policy.cmd
file (on Windows), or manage-policy.sh
file (on UNIX)
Following is a sample execution of manage-policy.cmd
file:
C:\Oracle\Middleware\Oracle_OESClient\oessm\bin>manage-policy.cmd Please input the application name for the protected MOSS application e.g MossApp: MossApp Input the resource type for the MOSS resources e.g MossResourceType: MossResourceType Input the Moss resource file: c:\inetpub\wwwroot\wss\VirtualDirectories\9581\policy\object Creating resource: /_layouts
The Oracle Entitlements Server security module instances are created in the OES_CLIENT_HOME/oes_sm_instances
. directory.
For Oracle WebLogic Server security module, the domain configuration is located in DOMAIN_HOME/config/oeswlssmconfig
.
You can create, delete, or modify the security module instances, as required.
After configuring Java Security Module for your program, you must start the Java Security module for your program by completing the following:
Set a new Java System Property -Doracle.security.jps.config
and specify the location of the jps-config.xml
file (located in OES_CLIENT_HOME/oes_sm_instances/<SM_NAME>/config
) as the value.
Enter oes-client.jar
(located in OES_CLIENT_HOME/modules/oracle.oes_sm.1.1.1
) into the classpath of the program.
When a Security Module is configured as a proxy client, set the authentic.identity.cache.enabled
system property to true. The configuration is based on the type of Security Module being used and is done for the JVM in which the Web Services or RMI Security Module remote proxy is executing.
Specifically:
If the Security Module is a WebLogic Server Security Module, the system property -Dauthentic.identity.cache.enabled=true
should be appended to the JAVA_OPTIONS environment variable in the setDomainEnv.sh script on Unix or the setDomainEnv.cmd script on Windows.
If the Security Module is a Java Security Module, the system property -Dauthentic.identity.cache.enabled=true
should be added to the program being protected by the Java Security Module.
You can configure a PDP Proxy Client for your web service Security Module or RMI Security Module, as described in Table 8-22:
Table 8-22 PDP Proxy Client Security Module Parameters
Parameter | Description |
---|---|
o |
Specify |
|
Specify Web Service ( |
|
Specify |
You must run the config.sh
(located in OES_CLIENT_HOME/oessm/bin
on UNIX) or config.cmd
(located in OES_CLIENT_HOME\oessm\bin
on Windows) as shown in the following example:
For Java Security Module:
OES_CLIENT_HOME/oessm/bin/config.sh -smType <SM_TYPE> -smConfigId <SM_NAME>
The SM_TYPE
can be java
, wls
, or was
. and for SM_NAME
enter an appropriate name.
Note:
For a sample procedure of configuring the PDP Proxy client, refer to Appendix H, "Configuring the PDP Proxy Client for Web Service Security Module".
After installing Oracle Entitlements Server, refer to the following documents: