Contents

List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
  Audience
  Documentation Accessibility
  Related Documents
  Conventions

1 Introducing Oracle Entitlements Server
  1.1 About Access Control
  1.2 Overview of Oracle Entitlements Server
    1.2.1 Understanding Oracle Entitlements Server Releases
    1.2.2 Using the Authorization Policy Manager Console
    1.2.3 Features of Oracle Entitlements Server 11gR2
  1.3 Overview of the Oracle Entitlements Server Architecture
    1.3.1 The Policy Administration Point
    1.3.2 The Policy Decision Point and the Policy Enforcement Point
      1.3.2.1 Security Module as PDP
      1.3.2.2 Security Module as Combination PDP / PEP
      1.3.2.3 Understanding the Types of Security Modules
    1.3.3 The Policy Information Point
  1.4 How Oracle Entitlements Server Processes Authorization Policies
  1.5 About the Supported Access Control Standards
    1.5.1 Role-based Access Control (RBAC)
    1.5.2 Attribute-Based Access Control (ABAC)
    1.5.3 Java Permissions
    1.5.4 XACML
    1.5.5 PEP API

2 Understanding the Policy Model
  2.1 Understanding Oracle Entitlements Server Policies
    2.1.1 Understanding the Authorization Policy
    2.1.2 Understanding Role Assignments and the Role Mapping Policy
  2.2 How Oracle Entitlements Server Evaluates Policies
  2.3 The Policy Object Glossary
  2.4 Implementing a Policy Use Case
    2.4.1 Protecting Software Components
    2.4.2 Protecting Business Objects

3 Getting Started
  3.1 Before You Begin
  3.2 Understanding The Graphical Interface
    3.2.1 Assigning Oracle Entitlements Server Administrators
    3.2.2 Using the Identity Store
    3.2.3 Accessing the Policy Store
    3.2.4 Displaying Oracle Platform Security Services Application Grants
  3.3 Accessing the Administration Console
    3.3.1 Signing In to the Administration Console
    3.3.2 Signing Out of the Administration Console
  3.4 Navigating the Administration Console
    3.4.1 Understanding the Main Tabs
      3.4.1.1 Authorization Management Tab
      3.4.1.2 System Configuration Tab
    3.4.2 Using The Navigation Panel
    3.4.3 Using the Home Tab
    3.4.4 Accessing Help
  3.5 Upgrading from Oracle Entitlements Server Basic
    3.5.1 Changing From Basic to Advanced Policy Authorization
  3.6 Accessing Oracle Entitlements Server Examples

4 Managing Policies and Policy Objects
  4.1 Introducing Policy and Policy Object Management
  4.2 Defining an Authorization Policy And Its Components
  4.3 Adding Fine-Grained Elements to an Authorization Policy
  4.4 Implementing An Authorization Policy Step by Step
  4.5 Managing Policy Objects in An Application
    4.5.1 Managing Applications
      4.5.1.1 Creating an Application
      4.5.1.2 Modifying an Application
      4.5.1.3 Deleting an Application
    4.5.2 Managing Resource Types
      4.5.2.1 Creating a Resource Type
      4.5.2.2 Modifying a Resource Type
      4.5.2.3 Deleting a Resource Type
    4.5.3 Managing Resources
      4.5.3.1 Creating a Resource
      4.5.3.2 Modifying a Resource
      4.5.3.3 Deleting a Resource
    4.5.4 Managing Entitlements
      4.5.4.1 Creating an Entitlement
      4.5.4.2 Modifying an Entitlement
      4.5.4.3 Deleting an Entitlement
    4.5.5 Managing Authorization Policies
      4.5.5.1 Creating an Authorization Policy
      4.5.5.2 Modifying an Authorization Policy
      4.5.5.3 Deleting an Authorization Policy
    4.5.6 Managing Application Roles in the Role Catalog
      4.5.6.1 Creating an Application Role
      4.5.6.2 Modifying an Application Role
      4.5.6.3 Mapping External Roles to an Application Role
      4.5.6.4 Mapping an External User to an Application Role
      4.5.6.5 Deleting an Application Role or Removing External Role Mappings
      4.5.6.6 Removing External User Mappings
    4.5.7 Managing Role Mapping Policies
      4.5.7.1 Creating a Role Mapping Policy
      4.5.7.2 Modifying a Role Mapping Policy
      4.5.7.3 Deleting a Role Mapping Policy
    4.5.8 Managing a Role Category
    4.5.9 Managing Attributes and Functions as Extensions
      4.5.9.1 Creating an Attribute
      4.5.9.2 Modifying an Attribute
      4.5.9.3 Deleting an Attribute
      4.5.9.4 Creating a Function
      4.5.9.5 Modifying a Function
      4.5.9.6 Deleting a Function
  4.6 Using the Condition Builder
    4.6.1 Building a Complex Expression
    4.6.2 Passing Parameters to Functions

5 Querying Security Objects
  5.1 Searching with the Administration Console
  5.2 Finding Objects with a Simple Search
  5.3 Finding Objects with an Advanced Search
    5.3.1 Searching External Roles
    5.3.2 Searching Applications
    5.3.3 Searching Resource Types
    5.3.4 Searching Application Roles
    5.3.5 Searching Role Mapping Policies
    5.3.6 Searching Resources
    5.3.7 Searching Entitlements
    5.3.8 Searching Authorization Policies
    5.3.9 Searching Attributes
    5.3.10 Searching Functions
    5.3.11 Searching for Users
  5.4 Understanding Case Sensitivity in Object Names

6 Managing Policy Distribution
  6.1 Defining Distribution Modes
    6.1.1 Controlled Distribution
    6.1.2 Non-controlled Distribution
  6.2 Understanding Policy Distribution
    6.2.1 Using a Central Policy Distribution Component
    6.2.2 Using a Local Policy Distribution Component
  6.3 Distributing Policies
    6.3.1 Distributing Policies Using the Administration Console
  6.4 Using Default or Third Party Digital Certificates
    6.4.1 Configuring Oracle Entitlements Server Security Module (Client) When Third Party Certificate is Used in Administration Server
      6.4.1.1 Configuring the WebLogic Security Module if a Third Party Digital Certificate Is Used On the Administration Side
      6.4.1.2 Configuring the Web Services or Java Security Module if a Third Party Digital Certificate Is Used On the Administration Side
      6.4.1.3 Configuring the IBM WebSphere Application Server Security Module if a Third Party Digital Certificate Is Used On the Administration Side
    6.4.2 Adding Signer if Third Party Certificate Is Used in a Security Module with an IBM Websphere Administration Side
    6.4.3 Adding Signer if Third Party Certificate Is Used in a Security Module with a WebLogic Administration Side
    6.4.4 Using a Third Party Certificate with a WebLogic Server Security Module
    6.4.5 Using a Third Party Certificate with a Web Services or Java Security Module
    6.4.6 Using a Third Party Certificate with a WebSphere Application Server Security Module
    6.4.7 Using a Third Party Certificate with a Tomcat or JBoss Security Module
  6.5 Debugging Policy Distribution

7 Deploying the Policy Decision Point
  7.1 Understanding the PDP Deployment Models
    7.1.1 Embedding the PDP Locally
    7.1.2 Locating the PDP Remotely
  7.2 Using the Security Module Proxy Mode
  7.3 Using the XACML Gateway

8 Managing Security Module Configurations
  8.1 Before You Begin
  8.2 Starting the SMConfig UI
  8.3 Modifying Security Module Configurations
  8.4 Configuring Security Modules Post-Instantiation
    8.4.1 Configuring the Java Security Module
    8.4.2 Configuring the RMI Security Module
    8.4.3 Configuring the Web Services Security Module
    8.4.4 Configuring the WebLogic Server Security Module
    8.4.5 Configuring the SharePoint Server (MOSS) Security Module
    8.4.6 Configuring the .NET Security Module
    8.4.7 Configuring the WebSphere, Tomcat and JBoss Security Modules
    8.4.8 Configuring the Oracle Service Bus Security Module
  8.5 Configuring the PDP Proxy Client for RMI or Web Services

9 Securing Environment Specific Resources
  9.1 Choosing a Security Module Type
  9.2 Securing Microsoft Office SharePoint Server Resources
    9.2.1 Protecting SharePoint Resources
      9.2.1.1 Protecting Web Sites and Web Pages
      9.2.1.2 Protecting Web Parts
      9.2.1.3 Protecting Lists
      9.2.1.4 Protecting Sensitive Content Within Web Pages
    9.2.2 Instantiating the MOSS and Web Services Security Modules
    9.2.3 Integrating and Disintegrating the MOSS Security Module
    9.2.4 Configuring for SharePoint Security
  9.3 Securing Oracle Service Bus Resources
    9.3.1 Examining the OSB Resource Object
    9.3.2 Mapping Message Level OSB Resources to Oracle Entitlements Server
    9.3.3 Mapping Transport Level OSB Resources to Oracle Entitlements Server
    9.3.4 Enabling the WebLogic Server Providers
  9.4 Securing WebLogic Server Resources
    9.4.1 Integrating with WebLogic Server
    9.4.2 Discovering WebLogic Server Resources
      9.4.2.1 Enabling Discovery Mode
      9.4.2.2 Loading Discovered Resources
    9.4.3 Converting WebLogic Server Resources
    9.4.4 Mapping WebLogic Server Resources to Policy Objects
      9.4.4.1 Enterprise Java Bean Resources
      9.4.4.2 Java Naming and Directory Interface Resources
      9.4.4.3 URL Resources
      9.4.4.4 JDBC Resources
      9.4.4.5 JMS Resources
      9.4.4.6 Web Services Resources
      9.4.4.7 Server Resources
  9.5 Securing Oracle WebCenter Content Resources
    9.5.1 About the Oracle WebCenter Content and Oracle Entitlements Server Integration
    9.5.2 Terminology for Oracle WebCenter Content and Oracle Entitlements Server Directories
    9.5.3 Integration Roadmap
    9.5.4 Prerequisites
      9.5.4.1 Reviewing System Requirements and Certification
      9.5.4.2 Installing the Oracle Database
      9.5.4.3 Installing the Oracle WebLogic Server and Creating the Oracle Middleware Home
      9.5.4.4 Installing Oracle Identity and Access Management Suite 11g R2PS2 in the WebLogic Home
      9.5.4.5 Obtaining Oracle Entitlements Server Client Software
      9.5.4.6 Installing Oracle Entitlements Server Client
    9.5.5 Oracle WebCenter Content Base Installation
      9.5.5.1 Installing Oracle WebCenter Content
      9.5.5.2 Creating the Oracle WebCenter Content Schema
      9.5.5.3 Creating the WebCenter Domain
      9.5.5.4 Starting the Servers in the WebCenter Domain
      9.5.5.5 Configuring WebCenter Content
    9.5.6 Configuring Oracle Entitlements Server
      9.5.6.1 Running RCU to Create the OPSS Schema
      9.5.6.2 Creating the OES Domain using the IDM Configuration Wizard
    9.5.7 Configuring the OES Security Store using the Security Store Configuration Tool
    9.5.8 Integrating WebCenter Content with OES
      9.5.8.1 Creating a Data Source in Oracle WebCenter Content Domain
      9.5.8.2 Reassociating Oracle WebCenter Content Domain Security Store
      9.5.8.3 Updating the config.cfg File of the WCC Domain
      9.5.8.4 Adding Permission in JRE for WebCenter Content Version 11.1.1.7.0 or Lower
      9.5.8.5 Installing the WCC-OES Connector
    9.5.9 Creating the Application, Resource Types, Resources, and Policies
      9.5.9.1 Creating a New Application
      9.5.9.2 Creating the UCM Pre-Search Query Resource Type
      9.5.9.3 Creating the UCM CRUD Operation Resource Type
      9.5.9.4 Creating a Resource
      9.5.9.5 Creating Policies
    9.5.10 Verification and Troubleshooting
      9.5.10.1 Verifying Oracle WebCenter Content Is Working
      9.5.10.2 Troubleshooting Tips
    9.5.11 Post-Integration Set Up (Example)
      9.5.11.1 Creating Users in the OES Domain (oes_domain)
      9.5.11.2 Creating Users in the WebCenter Content Domain (wcc_domain)
      9.5.11.3 Adding Metadata Values Using the Configuration Manager in WebCenter Content
      9.5.11.4 Checking In Documents

10 Managing System Configurations
  10.1 Delegating With Administrators
  10.2 Configuring Security Module Definitions
    10.2.1 Creating a Security Module Definition
    10.2.2 Binding an Application to a Security Module
    10.2.3 Unbinding an Application From a Security Module
    10.2.4 Deleting a Security Module Definition
  10.3 Configuring Identity Directory Service Profiles
    10.3.1 Creating an Identity Directory Service Profile
    10.3.2 Binding an Application to an Identity Directory Service Profile
    10.3.3 Unbinding an Application From an Identity Directory Service Profile
    10.3.4 Deleting an Identity Directory Service Profile

11 Delegating With Administrator Roles
  11.1 About Delegated Administrators
  11.2 Delegating Using Scope and Granularity
  11.3 Delegating Application Administration
    11.3.1 Adding a Delegated Administrator for An Application
    11.3.2 Modifying or Deleting an Application's Delegated Administrator
  11.4 Using Policy Domains to Delegate
    11.4.1 Creating a Policy Domain
    11.4.2 Modifying a Policy Domain
    11.4.3 Deleting a Policy Domain
  11.5 Delegating Policy Domain Administration
    11.5.1 Adding a Delegated Administrator to a Policy Domain
    11.5.2 Modifying or Deleting a Policy Domain's Delegated Administrator
  11.6 Managing System Administrators Using Administrator Roles
    11.6.1 Creating a New Administrator Role
    11.6.2 Assigning Privileges to an Administrator Role
    11.6.3 Modifying Administrator Role Membership
    11.6.4 Deleting an Administrator Role

12 Customizing the Administration Console
  12.1 Customizing Authorization Policy Manager
  12.2 Customizing Headers, Footers, and Logo
  12.3 Customizing Color Schemes
  12.4 Customizing the Login Page

13 Management Tasks
  13.1 Moving from a Test Environment to Production (T2P)
  13.2 Using the Policy Simulator
    13.2.1 Understanding Policy Simulation
    13.2.2 Choosing the Policy Simulation Mode
    13.2.3 Running the Policy Simulator
      13.2.3.1 Running the Policy Simulator in Simple Mode
      13.2.3.2 Running the Policy Simulator in Advanced Mode
  13.3 Using FIPS-compliant Security Providers
    13.3.1 Installing the JCE Provider
    13.3.2 Configuring JCE
  13.4 Managing Audit Tasks
    13.4.1 Auditing Oracle Entitlements Server Events
    13.4.2 Enabling Audit
    13.4.3 Loading the Audit Log to a Database
      13.4.3.1 Creating the Audit View Schema using RCU
      13.4.3.2 Extending the OES Domain using the IDM Configuration Wizard
      13.4.3.3 Configuring Audit Settings
    13.4.4 Configuring Oracle Entitlements Server Security Modules for Auditing
      13.4.4.1 Configuring the WebLogic Server Security Module
      13.4.4.2 Configuring Other Security Modules
    13.4.5 Additional Auditing Information
  13.5 Migrating Policies
    13.5.1 Migrating From XML to LDAP
    13.5.2 Migrating From LDAP to XML
    13.5.3 Migrating From XML to Database
    13.5.4 Migrating From Database to XML
  13.6 Configuring Cache
    13.6.1 Configuring Decision Caching
    13.6.2 Configuring Attribute Caching
  13.7 Logging
  13.8 Debugging
    13.8.1 Enabling Debugging By Defining Parameters
      13.8.1.1 Configuring Logging for Debugging
      13.8.1.2 Searching Logs to Debug Authorization Policies
    13.8.2 Enabling Debugging Using Methods
    13.8.3 Debugging Policy Distribution

14 Configuring a Disaster Recovery Solution
  14.1 Overview of a Multi-Site Deployment
  14.2 Multi-Site Deployment Topology
  14.3 Task Roadmap
  14.4 Prerequisites
  14.5 Configuring Disaster Recovery for Oracle Entitlements Server
    14.5.1 Setting Up the Primary Server
    14.5.2 Setting Up the Standby Server (Duplicate)
    14.5.3 Test Log Transfer
    14.5.4 Configuring the Oracle Data Guard Broker
    14.5.5 Testing Failover and Switchover
    14.5.6 Configuring a Virtual Device for Oracle ASM
    14.5.7 Installing Oracle Grid Infrastructure for a Standalone Server
    14.5.8 Configuring Oracle Restart
    14.5.9 Installing OPSS Schema
    14.5.10 Installing the Primary Administration Server
    14.5.11 Installing the Secondary Administration Server
    14.5.12 Configuring the Security Module

15 Configuring an Oracle RAC Disaster Recovery Solution
  15.1 Multi-Site Oracle Data Guard with Oracle RAC Database Deployment Topology
  15.2 Oracle RAC Primary to Oracle RAC Standby Data Guard
    15.2.1 Installing Oracle Clusterware
    15.2.2 Installing Oracle Real Application Clusters
  15.3 Setting Up Data Guard for Oracle RAC Databases
    15.3.1 Preparing the Primary Database for Standby Database Creation
    15.3.2 Creating a Physical Standby Database
    15.3.3 Configuring the Oracle Data Guard Broker
    15.3.4 Performing Switchover and Failover Operations with Data Guard Broker
  15.4 Configuring Oracle Entitlements Server for High Availability Disaster Recovery
    15.4.1 Oracle Entitlements Server High Availability Disaster Recovery Configuration Roadmap
    15.4.2 Prerequisites for Installing Oracle Entitlements Server
    15.4.3 Installing OPSS Schema
    15.4.4 Installing Oracle Entitlements Server Administration Server Cluster on Master Policy Store on OESHOST1
      15.4.4.1 Install Oracle Entitlements Server Administration Server with Primary Oracle RAC Database
      15.4.4.2 Create the Oracle Entitlements Server Administration Server Domain with WebLogic Server Cluster
      15.4.4.3 Configuring Security Store for Oracle Entitlements Server Administration Server
      15.4.4.4 Configuring Oracle HTTP Server for Oracle Entitlements Server Administration Console HTTP Request Distribution
      15.4.4.5 Access the Oracle Entitlements Server Administration Console
    15.4.5 Installing Oracle Entitlements Server Client in High Availability Environment
    15.4.6 Configuring WebLogic Security Module Cluster in Controlled-Pull Distribution Mode with JDBC URL with Master Oracle RAC Database Policy Store
    15.4.7 Installing Oracle Entitlements Server Administration Server Cluster
      15.4.7.1 Install Oracle Entitlements Server Administration Server with Secondary Oracle RAC Database
      15.4.7.2 Create the Oracle Entitlements Server Administration Server Domain with WebLogic Server Cluster
      15.4.7.3 Export Encryption Key from Primary Domain
      15.4.7.4 Configuring Security Store for Oracle Entitlements Server Administration Server
      15.4.7.5 Configuring Oracle HTTP Server for Oracle Entitlements Server Administration Console HTTP Request Distribution
      15.4.7.6 Access the Oracle Entitlements Server Administration Console
    15.4.8 Configuring WebLogic Security Module Cluster in Controlled-Pull Distribution Mode with JDBC URL with Secondary Oracle RAC Database Policy Store

16 Tuning Performance and Monitoring Components
  16.1 Understanding Key Concepts and Components in Oracle Entitlements Server Deployment
  16.2 Oracle Entitlements Server Performance Planning
    16.2.1 Define Your Performance Objectives and Requirements
      16.2.1.1 Understand Performance Constraints
      16.2.1.2 Define Operational Requirements
      16.2.1.3 Identify Performance Goals
      16.2.1.4 Conduct Performance Evaluations
    16.2.2 Design Authorization for Applications
      16.2.2.1 Policy Design
      16.2.2.2 Best Practices for Designing Application Authorization
  16.3 Performance Tuning Considerations for Oracle Entitlements Server
    16.3.1 Tuning the OES Policy Store
      16.3.1.1 Oracle Database System Parameters Tuning
      16.3.1.2 Oracle Database REDO Log and UNDO Tablespace Tuning
      16.3.1.3 Tablespaces Tuning
      16.3.1.4 Schema Statistics Gathering
      16.3.1.5 EclipseLink Tuning
    16.3.2 Tuning of OES Administration Server
      16.3.2.1 WLST Tuning
      16.3.2.2 OES Administration Server Tuning
    16.3.3 Tuning OES Security Modules
      16.3.3.1 OES Security Module Memory Sizing
      16.3.3.2 WebLogic Security Module
      16.3.3.3 Java Security Module
      16.3.3.4 Web Service Security Module
      16.3.3.5 Tomcat Security Module
    16.3.4 Tuning OES Distribution Service
    16.3.5 Tuning OES Attribute Retrievers
    16.3.6 Tuning OES Cache
    16.3.7 Tuning Resource Intensive Operations
    16.3.8 Enabling Logging
      16.3.8.1 Enable Logging for Performance Measurement
      16.3.8.2 Enable Logging for Snapshot Generation Measurement
      16.3.8.3 Enable Logging for Migration Performance Measurement

A Installation and Configuration Parameters
  A.1 Policy Distribution Configuration
    A.1.1 Policy Distribution Component Server Configuration
    A.1.2 Policy Distribution Component Client Configuration
      A.1.2.1 Policy Distribution Component Client Java Standard Edition Configuration (Controlled Push Mode)
      A.1.2.2 Policy Distribution Component Client Java Enterprise Edition Container Configuration (Controlled Push Mode)
      A.1.2.3 Policy Distribution Client Configuration (Controlled-Pull Mode)
      A.1.2.4 Policy Distribution Client Configuration (Non-controlled Mode)
      A.1.2.5 Policy Distribution Client Configuration (Mixed Mode)
  A.2 Security Module Configuration
    A.2.1 Java Security Module
    A.2.2 Web Services Security Module
    A.2.3 Web Services Security Module on WebLogic Server
    A.2.4 RMI Security Module
    A.2.5 WebLogic Server Security Module
    A.2.6 WebLogic Server Security Module Discovery Mode
  A.3 PDP Proxy Client Configuration
    A.3.1 Web Services Security Module PDP Proxy Client
    A.3.2 RMI Security Module PDP Proxy Client
  A.4 Policy Store Service Configuration

B Configuring Attribute Retrievers
  B.1 Understanding Predefined Attribute Retrievers
  B.2 Configuring the Attribute Retrievers Using SMConfig UI
    B.2.1 Prerequisites
    B.2.2 Running the SMConfig UI to Edit the jps-config.xml File
    B.2.3 Adding, Editing, or Deleting Attribute Retrievers
    B.2.4 Adding, Editing, or Deleting Attributes in Attribute Retriever Configuration
  B.3 Configuring the Predefined Attribute Retrievers Manually
    B.3.1 Roadmap
    B.3.2 Configuring Individual Attribute Values
    B.3.3 Declaring the PIP Service Provider
    B.3.4 Configuring Repository Connection
      B.3.4.1 Configuring the LDAP Repository Attribute Retriever Parameters
      B.3.4.2 Configuring the Database Repository Attribute Retriever Parameters
      B.3.4.3 Setting Up PIP Connection Credentials
      B.3.4.4 Updating the Database Password
    B.3.5 Declaring the Predefined Attribute Retriever Reference in jpsContexts Section
    B.3.6 Configuring Cache and Failover
    B.3.7 Sample jps-config.xml File
  B.4 Configuring the Custom Attribute Retrievers Manually
    B.4.1 Configuring the jps-config.xml Configuration File
    B.4.2 Implementing Custom PIP Interface

C Configuring an Oracle Service Bus 12.1.3 Domain to Make Use of an OSB Security Module from OES 11.1.2.2
  C.1 Configuring an Oracle Service Bus 12.1.3 Domain to Make Use of an OSB Security Module from Oracle Entitlements Server 11.1.2.2
  C.2 Configuring OSB Security

D Configuring Enterprise Role Based Authorization for Oracle API Gateway and OES Integration
  D.1 Configure LDAP Identity Store
    D.1.1 Add LDAP Identity Store Instance
    D.1.2 Add idstore.oid Instance into Default Context
    D.1.3 Add LDAP Principal to Bootstrap Credential Store
  D.2 Use Username in String as SubjectObj for PepRequest

E Managing Advanced Policies with WLST
  E.1 Using the WebLogic Scripting Tool with Oracle Entitlements Server
  E.2 Using the WLST Commands
    E.2.1 createApplicationPolicy
    E.2.2 updateResourceType
    E.2.3 updateResource
    E.2.4 createPolicy
    E.2.5 updatePolicy
    E.2.6 deletePolicy
    E.2.7 listPolicies
    E.2.8 createAttribute
    E.2.9 updateAttribute
    E.2.10 deleteAttribute
    E.2.11 listAttributes
    E.2.12 createFunction
    E.2.13 updateFunction
    E.2.14 deleteFunction
    E.2.15 listFunctions
    E.2.16 getFunction
    E.2.17 listAppRoles
    E.2.18 getResourceType
    E.2.19 getResource
  E.3 Creating Policy with a Script

Index