This chapter provides instructions on how to configure services and PEP calls for authorization against a group-based policy. Group-based (also known as enterprise-role-based) access control is the best practice recommended by Oracle Entitlements Server. Oracle Entitlements Server can retrieve group information by user name with the OPSS user assertion login module, which requires an identity store configured in the OES configuration file (jps-config.xml).
To configure the LDAP Identity Store, you need to perform the following tasks:
Section D.1.2, "Add idstore.oid Instance into Default Context"
Section D.1.3, "Add LDAP Principal to Bootstrap Credential Store"
Add the following identity store service instance to SM_INSTANCE_HOME/config/jps-config.xml, inside the <serviceInstances> element. For more information about identity store configuration, see "Configuring the Identity Store Service" in Oracle Fusion Middleware Application Security Guide.
Replace the attribute values shown (subscriber.name, ldap.url, the user and group search bases, and the user name and group name attributes) with those of your LDAP directory. Both search bases must lie under the subscriber.name base DN, and the bootstrap.security.principal.map and bootstrap.security.principal.key values must match the map and key under which you store the LDAP bind credential in Section D.1.3.
<serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
    <property name="subscriber.name" value="dc=usmedium,dc=oracle,dc=com" />
    <property name="idstore.type" value="OID" />
    <property name="ldap.url" value="ldap://<host>:<port>" />
    <property name="bootstrap.security.principal.map" value="oidstore"/>
    <property name="bootstrap.security.principal.key" value="mykey"/>
    <extendedProperty>
        <name>user.search.bases</name>
        <values>
            <value>cn=users,dc=us,dc=oracle,dc=com</value>
        </values>
    </extendedProperty>
    <extendedProperty>
        <name>group.search.bases</name>
        <values>
            <value>cn=groups,dc=us,dc=oracle,dc=com</value>
        </values>
    </extendedProperty>
    <property name="username.attr" value="uid" />
    <property name="groupname.attr" value="cn" />
</serviceInstance>
Add the identity store instance into the default context as shown below:
<jpsContexts default="default">
    <jpsContext name="default">
        <serviceInstanceRef ref="audit"/>
        <serviceInstanceRef ref="credstore"/>
        <serviceInstanceRef ref="idstore.oid"/>
        <serviceInstanceRef ref="pdp.service"/>
    </jpsContext>
</jpsContexts>
Use oesPassword.sh (oesPassword.bat on Windows) to store the LDAP bind user and its password in the bootstrap credential store, under the map and key named by the bootstrap.security.principal.map and bootstrap.security.principal.key properties of Section D.1.1 ("oidstore" and "mykey" in the example):
bash-3.2$ ./oesPassword.sh -setpass
Enter credential map name: oidstore
Enter credential key name: mykey
Enter username for map:oidstore key:mykey: cn=orcladmin
Enter password for map:oidstore key:mykey:
Enter password for map:oidstore key:mykey again:
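The three steps above (define the identity store instance, reference it from the default context, and store the bind credential under the matching map/key) fail silently at runtime when they are inconsistent: OES starts, but no groups resolve and every group-based policy denies. The following script is an added example, not part of the OES product or its documentation; it parses the <serviceInstance> and <jpsContext> structure shown above and reports the usual wiring mistakes. The embedded jps-config.xml is constructed for the example, and its host name, DNs and the element names of the ldap provider's properties mirror the fragment above rather than a real deployment.

```python
"""Sanity-check the LDAP identity-store wiring in an OES jps-config.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the fragment above; host and DN values are made up.
SAMPLE_JPS_CONFIG = """<?xml version="1.0"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp"/>
    <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
      <property name="subscriber.name" value="dc=us,dc=oracle,dc=com"/>
      <property name="idstore.type" value="OID"/>
      <property name="ldap.url" value="ldaps://oid.example.com:3131"/>
      <property name="bootstrap.security.principal.map" value="oidstore"/>
      <property name="bootstrap.security.principal.key" value="mykey"/>
      <extendedProperty>
        <name>user.search.bases</name>
        <values><value>cn=users,dc=us,dc=oracle,dc=com</value></values>
      </extendedProperty>
      <extendedProperty>
        <name>group.search.bases</name>
        <values><value>cn=groups,dc=us,dc=oracle,dc=com</value></values>
      </extendedProperty>
      <property name="username.attr" value="uid"/>
      <property name="groupname.attr" value="cn"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="idstore.oid"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""

# Same file with two typical mistakes: a group search base outside the
# subscriber DN, and a default context that references a misspelled instance.
BROKEN_JPS_CONFIG = (SAMPLE_JPS_CONFIG
    .replace("cn=groups,dc=us,dc=oracle,dc=com", "cn=groups,dc=usmedium,dc=oracle,dc=com")
    .replace('<serviceInstanceRef ref="idstore.oid"/>', '<serviceInstanceRef ref="idstore.iod"/>'))

REQUIRED_PROPS = ("subscriber.name", "idstore.type", "ldap.url",
                  "bootstrap.security.principal.map", "bootstrap.security.principal.key",
                  "username.attr", "groupname.attr")


def _local(tag):
    """Strip the XML namespace so the checks work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def _under(base, suffix):
    """True when DN `base` is `suffix` itself or lies beneath it."""
    base, suffix = _norm_dn(base), _norm_dn(suffix)
    return base == suffix or base.endswith("," + suffix)


def check_idstore(xml_text, instance_name="idstore.oid"):
    """Return a list of findings; an empty list means the wiring looks consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    instances = {e.get("name"): e for e in root.iter() if _local(e.tag) == "serviceInstance"}
    inst = instances.get(instance_name)
    if inst is None:
        return [f"serviceInstance {instance_name!r} is not defined"]
    if inst.get("provider") != "idstore.ldap.provider":
        findings.append(f"{instance_name}: provider should be idstore.ldap.provider")
    props = {p.get("name"): p.get("value") for p in inst if _local(p.tag) == "property"}
    for name in REQUIRED_PROPS:
        if not props.get(name):
            findings.append(f"{instance_name}: missing property {name}")
    if props.get("ldap.url", "").startswith("ldap://"):
        findings.append(f"{instance_name}: ldap.url is cleartext; the bind password crosses the network unprotected")
    ext = {}  # extendedProperty name -> list of <value> texts
    for e in inst:
        if _local(e.tag) == "extendedProperty":
            name = next(((c.text or "").strip() for c in e if _local(c.tag) == "name"), None)
            ext[name] = [(v.text or "").strip() for v in e.iter() if _local(v.tag) == "value"]
    subscriber = props.get("subscriber.name", "")
    for key in ("user.search.bases", "group.search.bases"):
        bases = ext.get(key) or []
        if not bases:
            findings.append(f"{instance_name}: {key} is empty")
        for b in bases:
            if subscriber and not _under(b, subscriber):
                findings.append(f"{instance_name}: {key} {b!r} is outside subscriber.name {subscriber!r}")
    contexts = [c for c in root.iter() if _local(c.tag) == "jpsContexts"]
    default = contexts[0].get("default") if contexts else None
    refs = []
    for ctx in root.iter():
        if _local(ctx.tag) == "jpsContext" and ctx.get("name") == default:
            refs = [r.get("ref") for r in ctx if _local(r.tag) == "serviceInstanceRef"]
    for ref in refs:
        if ref not in instances:
            findings.append(f"default context references undefined instance {ref!r}")
    if instance_name not in refs:
        findings.append(f"default context {default!r} does not reference {instance_name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_JPS_CONFIG), ("broken", BROKEN_JPS_CONFIG)):
        print(label, check_idstore(cfg) or "OK")
```

Run it against a real SM_INSTANCE_HOME/config/jps-config.xml by reading the file into check_idstore(). The script cannot verify that the "oidstore"/"mykey" credential actually exists in the bootstrap store; it only confirms that the property names the store is looked up by are present, so the oesPassword step above is still required.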
With the identity store in place, a PEP call from the OAG integration needs only the user name, the resource and the action; OES resolves the user's groups itself:
import oracle.security.jps.openaz.pep.PepRequest;
import oracle.security.jps.openaz.pep.PepRequestFactory;
import oracle.security.jps.openaz.pep.PepRequestFactoryImpl;
import oracle.security.jps.openaz.pep.PepResponse;

PepRequestFactory pepRequestFactory = PepRequestFactoryImpl.getPepRequestFactory();
String username; // get username from your OAG integration context
String resource; // get request resource from OAG integration context
String action;   // get request action from OAG integration context
PepRequest request = pepRequestFactory.newPepRequest(username, action, resource); // throws PepException
PepResponse response = request.decide(); // throws PepException; treat either exception as a deny
boolean allowed = response.allowed(); // grant access only on an explicit permit