1 Overview of the Provisioning Gateway Administrative Console

The Provisioning Gateway Administrative Console enables administrators to set up, gather, and manage information from the Provisioning Gateway Web service. The following modules can be accessed from the Provisioning Gateway Administrative Console:

  • Settings

  • Users

  • Reports and Logs

1.1 Accessing the Provisioning Gateway Administrative Console

To access the Provisioning Gateway Administrative Console:

  • Open a Web browser and enter the following URL:

    https://yourserverhost/v-go pm console/logon.aspx

    where

    yourserverhost is the name of the server where you installed Provisioning Gateway.

    The Logon Page opens.

1.1.1 Version Information

The About module provides information about which versions of Provisioning Gateway and Microsoft .NET Framework are installed.

  • Product Version. Indicates which version of Provisioning Gateway is installed.

  • .NET Framework. Indicates which version of Microsoft .NET Framework is installed.

1.1.2 Logon Page

Enter your logon credentials to access the Provisioning Gateway Web Service and click Log On. The username and password should be the same as the directory authentication credentials. For example, for Active Directory or AD LDS (ADAM), the username would be in the format: domainname\username.

For Sun or IBM, the username would be in the format: uid=username.

Note:

The Provisioning Gateway server recognizes only credentials that it has access to. On Active Directory or AD LDS (ADAM), those recognized credentials are domain accounts. For Sun and IBM, the account must exist in the storage. If no storage has been defined, the account is authenticated against the local accounts on the server where the Web service is running.

1.1.3 Security Settings

Provisioning Gateway can be run without changing the default security settings. Security can be increased by changing several of the settings.

You can edit the Provisioning Gateway security settings through the Microsoft .NET Framework ASP.NET Configuration Settings. These settings are then changed in the Provisioning Gateway configuration files:

  • <local directory>\Provisioning Gateway\Service\web.config

  • <local directory>\Provisioning Gateway\Console\web.config

1.1.4 Granting Access to the Provisioning Gateway Administrative Console

By default, all users are denied access to the Provisioning Gateway Administrative Console. You can assign users provisioning rights through the Oracle Enterprise Single Sign-On Administrative Console. You can perform the following actions on users:

  • Provisioning a logon (adding, modifying, deleting credentials) for a user. Assign these rights in the Provisioning tab of a template.

  • Deleting an SSO user. Do this on the Delete SSO User Right tab of the Provisioning Gateway node.

Configure these settings and publish them to the repository to grant users access to the Provisioning Gateway Administrative Console.

See the Oracle Enterprise Single Sign-On Suite Administrator's Guide for more information on using these settings.

1.1.5 Changing the Encryption Algorithm

By default, the Provisioning Gateway Web service uses 3DES encryption. To increase security, you can change encryption to AES. In order to enable this feature, you must edit a setting in Oracle Service Properties:

  1. Go to Control Panel > Internet Information Services.

  2. Right-click the Provisioning Gateway Service Web site. Select Properties.

  3. Click the ASP.NET tab. Verify that the ASP.NET version is set to 2.0.x. (If it is not set to 2.0, change the setting and click Apply.) Click Edit Configuration.

  4. In the ASP.NET Configuration Settings dialog, highlight EncryptionAlgorithm and click Edit.

  5. In the Value field, replace 3DES with AES_256. This value causes the Provisioning Gateway Service to use the AES encryption method.

1.1.6 Enabling SSL

For testing purposes, you can enable SSL by changing the localhost.UP key in Provisioning Gateway Console Properties:

  1. In the ASP.NET Configuration Settings dialog, highlight localhost.UP and click Edit.


  2. Go to Control Panel > Internet Information Services. Right-click the Provisioning Gateway Console Web site. Select Properties.

  3. Click the ASP.NET tab. Verify that the ASP.NET version is set to 2.0.x. (If it is not set to 2.0, change the setting and click Apply.) Click Edit Configuration.

  4. In the Value field, replace http://localhost/Provisioning Gateway Service/UP.asmx with https://localhost/Provisioning Gateway Service/UP.asmx.

  5. You can now edit the properties for the Provisioning Gateway Service in IIS to turn on SSL.
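The following script is an added example, not part of the Oracle documentation or product: it audits the two web.config files named in section 1.1.3 for the settings changed in sections 1.1.5 and 1.1.6 and applies the same two edits programmatically. It assumes the ASP.NET Configuration Settings dialog stores EncryptionAlgorithm and localhost.UP as appSettings key/value pairs; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed samples (not from a real installation) holding the default values
# the page describes. Assumption: the ASP.NET Configuration Settings dialog
# stores these entries as <appSettings> key/value pairs in each web.config.
SERVICE_WEB_CONFIG = """<configuration><appSettings>
  <add key="EncryptionAlgorithm" value="3DES" />
</appSettings></configuration>"""

CONSOLE_WEB_CONFIG = """<configuration><appSettings>
  <add key="localhost.UP" value="http://localhost/Provisioning Gateway Service/UP.asmx" />
</appSettings></configuration>"""


def read_app_settings(xml_text):
    """Return the <appSettings> entries of a web.config document as a dict."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value", "")
            for a in root.iterfind("./appSettings/add") if a.get("key")}


def audit_web_config(xml_text):
    """List each of the two settings that is present but still at its weaker value.
    Absent keys are skipped: each key lives in only one of the two files."""
    settings = read_app_settings(xml_text)
    findings = []
    algorithm = settings.get("EncryptionAlgorithm")
    if algorithm is not None and algorithm.upper() != "AES_256":
        findings.append(f"EncryptionAlgorithm is {algorithm}; expected AES_256")
    endpoint = settings.get("localhost.UP")
    if endpoint is not None and urlsplit(endpoint).scheme.lower() != "https":
        findings.append(f"localhost.UP is not https: {endpoint}")
    return findings


def harden(xml_text):
    """Apply the two edits from the procedures above and return the new document."""
    root = ET.fromstring(xml_text)
    for a in root.iterfind("./appSettings/add"):
        if a.get("key") == "EncryptionAlgorithm":
            a.set("value", "AES_256")
        elif a.get("key") == "localhost.UP":
            # Rewrite only the scheme; host and path of the UP.asmx endpoint stay.
            a.set("value", urlsplit(a.get("value", ""))._replace(scheme="https").geturl())
    return ET.tostring(root, encoding="unicode")
```

Run `audit_web_config` against the Service and Console files after each change; an empty result means both hardening steps are in place for that file.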

1.1.7 Setting Permissions

When you install Provisioning Gateway, you must create a specific service account, at the domain level, in order for Provisioning Gateway to function properly. This section describes how to increase security by creating such an account with a specific set of permissions to certain objects within Active Directory.

In order to increase security, Oracle recommends that this service account be created as a member of the Domain Users group. (For the purposes of this document, the service account is named PMSERVICE; however, you can follow any naming convention you choose).

The instructions in this section describe how to:

  • Create the service account (PMSERVICE) as a member of the Domain Users group.

  • Grant a specific set of permissions to certain objects within Active Directory to the service account.

  • Create templates for provisioning.

  • Provision a user.

Note:

The PMSERVICE account must also be a member of the local Administrators group on the IIS server where the Provisioning Gateway server-side components are installed.

You will need an account with Domain Admin and Schema Admin privileges in order to complete certain tasks involving the installation of Logon Manager, extending the schema, installing software, and modifying certain permissions within Active Directory.

1.2 General Recommendations and Notes

Microsoft recommends that you not install Internet Information Server (IIS) on a Domain Controller. Oracle recommends that you install the Provisioning Gateway Server-side components on a member server, not a Domain Controller.

The procedures and recommendations presented in this document have been tested in a controlled environment where the desired results were achieved. Oracle recommends that you test these procedures in a non-production environment that resembles your working network as closely as possible.

The procedures outlined herein involve changes that can affect your entire domain. Specialized policies, trust, inheritance issues, and intra- and inter-site replication issues, particularly as they exist in large enterprises, cannot be fully tested outside of the actual environment.

As with any issues that could affect a large number of users, Oracle recommends a prudent, err-on-the-side-of-caution approach to testing and deploying this product by those who are responsible for installing, configuring, and maintaining it.