Configuring Oracle Application Server Components in OID

Copyright © 2004, Oracle. All rights reserved.

Objectives

After completing this lesson, you should be able to do the following:
• Describe identity management
• Explain the default Identity Management Realm
• Describe the OracleAS Administration Model
• Explain application-specific access control
• Manage users and groups
• Describe the relationship between OracleAS Portal and Oracle Internet Directory
• Identify OracleAS Portal entries in the directory
• Configure OID settings in OracleAS Portal

Identity Management: Overview

Identity management describes the set of processes and strategies by which users are created and managed in the enterprise application environment.
[Figure: the same users have identities in a web application, a database, an operating system, a legacy system and directories]

Benefits of Identity Management

For administrators:
• Lower costs of user administration
• Improved user provisioning
• Better security through centralized management of security policies and authorizations
• Scalable administration through delegation

For users:
• Improved productivity through quicker access to applications
• Improved usability with a single user identity and credentials, and application personalization

Oracle Identity Management
[Figure: the Oracle Identity Management Infrastructure (OracleAS Certificate Authority, Delegated Administration Services, Oracle Internet Directory, Provisioning Service, Directory Integration Services, OracleAS SSO), optionally integrated with a 3rd-party LDAP directory and a 3rd-party authentication service, serving Oracle Application Server (JAAS roles, component access controls, Java2 permissions), Oracle RDBMS (DB enterprise roles, VPD, Label Security), Oracle E-Business Suite (E-Biz responsibilities) and Oracle Collaboration Suite (file permissions, interpersonal rights, secure mail, service discovery)]

Oracle Identity Management Infrastructure
[Figure: the Oracle Identity Management Infrastructure: OracleAS Certificate Authority, Delegated Administration Services, Oracle Internet Directory, Provisioning Service, Directory Integration Services, OracleAS SSO]

Oracle Application Server Components and OID
OID enables Oracle Application Server components to:
• Maintain a single user identity
• Store and manage their configuration information

OID and Application Environment
[Figure: one OID holding three Identity Management Realms (ASP, ABC and XYZ) with their users; applications App A and App B are shared across realms, App C belongs to one realm; hosted and nonhosted deployments are shown side by side]

Default Schema and Directory Information Tree (DIT)
• Oracle Universal Installer (OUI) installs the default schema and DIT for the Oracle directory-enabled products.
• OUI installs the following DIT components:
– Base schema elements
– Root Oracle Context
– Default Identity Management Realm
– Identity Management Realm-specific Oracle Context
– Default password policy

Default Identity Management Realm

The default Identity Management Realm includes the following:
• Sitewide information
• Discovery mechanism

[Figure: the Root DSE above the Root Oracle Context (Products, Groups) and the Identity Management Realm-specific DIT; Oracle Components 1, 2 and 3 each keep their component entries there]

Identity Management Realm-Specific Oracle Context
The Identity Management Realm-specific Oracle Context includes:
• Component information that is specific to an Identity Management Realm
• Discovery mechanism
• Access policy
• Default password policy

Identity Management Realm-Specific Common Entries
• Identity Management Realm-specific common entries contain the information that components use to locate users and groups.
• Some of the attributes of the common entries are as follows:
– User Search Base (orclCommonUserSearchBase)
– User Nickname Attribute (orclCommonUserNickNameAttribute)
– Group Search Base (orclCommonGroupSearchBase)
– orclUserObjectClass

[Figure: the common entries point to the realm's Users and Groups containers through orclCommonUserSearchBase, orclCommonGroupSearchBase and orclCommonUserNickNameAttribute]

Default Identity Management Realm Configuration
[Figure: default Identity Management Realm configuration: the site root; dc=com with the realms XYZ and ABC; the Root Oracle Context; each realm with its Users container, Groups container and realm-specific Oracle Context]

OracleAS Bootstrap Model

OID installation creates the following users to bootstrap OracleAS deployment:
• OID super user (orcladmin)
• OID enterprise subscriber super user (cn=orcladmin,cn=users,<Subscriber DN>)

OID Administration Delegation Flow
[Figure: OID administration delegation flow, steps 1 to 6: the OID super user delegates the Root Oracle Context and the Identity Management Realm-specific Oracle Context to the Identity Management Realm super user and the Oracle Context administrator; they in turn delegate the AS components to the AS administrator, and users and groups to the user and group administrator]

Delegated Directory Administration

You can implement access control using OID at two levels:
• Authorization of users
• Authorization of administrators

[Figure: access controls applied to the directory]

OID Protection Domains

The OID protection domains are:
• Entire directory
• Default subscriber context administrative domain
• Default subscriber context-specific directory information tree
• Subscriber-specific subtree
• Application-specific footprint in the directory
• User-specific information

Directory Roles

OID can have the following roles associated with it:
• OID global administrator
• Subscriber-specific or domain administrator
• Application-specific roles

Oracle Application Server Administration Model
• An OracleAS administrator must be a member of the iASAdmins group in OID to configure the various Oracle Application Server components.
• The DN of the iASAdmins group is: cn=iASAdmins,cn=Groups,<Oracle Context DN>

User Administration

• All Oracle Application Server users are represented as user objects in OID.
• The Oracle Application Server administrator can delegate user management to other users by adding them to:
– The User Create group to delegate user creation
– The User Edit group to delegate user editing
– The User Delete group to delegate user deletion
• All these groups are created under the Groups container of the Oracle Context.

Group Administration

• An Oracle Application Server administrator can delegate group management to other users by adding them to:
– The Group Create group to delegate group creation
– The Group Edit group to delegate group editing
– The Group Delete group to delegate group deletion
• All these groups are created under the Groups container of the Oracle Context.

Administrative Groups

• The Oracle Application Server components read user and group information from OID.
• OID enables this by granting privileges to various administrative groups.
• The administrative groups are as follows:
– Authentication Services
– Users Security Administration
– User Proxy Privilege

Administer Users and Groups in Oracle Application Server
The privileges associated with user and group administration are:
• Privilege to create a user
• Privilege to edit the properties of a user
• Privilege to delete a user
• Privilege to delegate user administration to other users
• Privilege to create a group
• Privilege to edit the properties of a group
• Privilege to delete a group
• Privilege to delegate group administration to other users
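The slides describe the mechanics in two halves: components locate users and groups through the realm-specific common entries (orclCommonUserSearchBase, orclCommonGroupSearchBase, orclCommonUserNickNameAttribute), and administrative privilege is nothing more than membership in groups under the Groups container of the Oracle Context. The following is an added example, not code from the Oracle course, that ties the two together as an audit: read the common entry from LDIF, resolve a login nickname to a user DN the way a component would, and list which delegation groups that DN is a member of. The sample LDIF is constructed, the realm dc=xyz,dc=com is an assumption, and the delegation group names (OracleDASCreateUser and so on) are the OID 10g names, which the slides only refer to descriptively as "User Create group" and the like, so treat them as an assumption too.

```python
"""Added example (not from the Oracle slides): who holds delegated user and
group administration in a realm, derived from LDIF the way a component
resolves users. All data below is constructed sample data."""
from typing import Dict, List, Optional

REALM_DN = "dc=xyz,dc=com"  # assumed realm for the sample

# Constructed LDIF, in the shape ldapsearch prints (not real directory output).
SAMPLE_LDIF = """\
dn: cn=Common,cn=Products,cn=OracleContext,dc=xyz,dc=com
orclCommonUserSearchBase: cn=Users,dc=xyz,dc=com
orclCommonGroupSearchBase: cn=Groups,dc=xyz,dc=com
orclCommonUserNickNameAttribute: uid

dn: cn=orcladmin,cn=Users,dc=xyz,dc=com
uid: orcladmin

dn: cn=alice,cn=Users,dc=xyz,dc=com
uid: alice

dn: cn=iASAdmins,cn=Groups,cn=OracleContext,dc=xyz,dc=com
uniquemember: cn=orcladmin,cn=Users,dc=xyz,dc=com
uniquemember: cn=alice,cn=Users,dc=xyz,dc=com

dn: cn=OracleDASCreateUser,cn=Groups,cn=OracleContext,dc=xyz,dc=com
uniquemember: cn=alice,cn=Users,dc=xyz,dc=com

dn: cn=OracleDASDeleteUser,cn=Groups,cn=OracleContext,dc=xyz,dc=com
uniquemember: cn=orcladmin,cn=Users,dc=xyz,dc=com
"""

# Group cn (OID 10g DAS names; an assumption) -> privilege it confers.
DELEGATION_GROUPS = {
    "iASAdmins": "configure OracleAS components",
    "OracleDASCreateUser": "create users",
    "OracleDASEditUser": "edit users",
    "OracleDASDeleteUser": "delete users",
    "OracleDASCreateGroup": "create groups",
    "OracleDASEditGroup": "edit groups",
    "OracleDASDeleteGroup": "delete groups",
}


def parse_ldif(text: str) -> List[Dict]:
    """Minimal LDIF reader: 'dn:' starts an entry, blank line ends it.
    Attribute names are lower-cased; values are kept as lists.
    Line folding and base64 ('::') values are not handled."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
            entries.append(current)
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN form (no escaped-comma handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_entry(entries: List[Dict], dn: str) -> Optional[Dict]:
    target = norm_dn(dn)
    return next((e for e in entries if norm_dn(e["dn"]) == target), None)


def common_entries(entries: List[Dict], realm_dn: str) -> Dict[str, str]:
    """Read the realm-specific common entry that tells components where
    users and groups live and which attribute is the login nickname."""
    entry = find_entry(entries, f"cn=Common,cn=Products,cn=OracleContext,{realm_dn}")
    if entry is None:
        raise LookupError("realm common entry missing")
    a = entry["attrs"]
    return {
        "user_base": a["orclcommonusersearchbase"][0],
        "group_base": a["orclcommongroupsearchbase"][0],
        "nickname_attr": a["orclcommonusernicknameattribute"][0].lower(),
    }


def find_user_dn(entries: List[Dict], common: Dict[str, str], nickname: str) -> Optional[str]:
    """Resolve a nickname under the user search base, as a component does."""
    base = "," + norm_dn(common["user_base"])
    for e in entries:
        if norm_dn(e["dn"]).endswith(base) and nickname in e["attrs"].get(common["nickname_attr"], []):
            return e["dn"]
    return None


def delegated_privileges(entries: List[Dict], realm_dn: str, user_dn: str) -> List[str]:
    """Privileges the user holds through membership in the Oracle Context groups."""
    user, held = norm_dn(user_dn), []
    for group_cn, privilege in DELEGATION_GROUPS.items():
        group = find_entry(entries, f"cn={group_cn},cn=Groups,cn=OracleContext,{realm_dn}")
        if group and user in {norm_dn(m) for m in group["attrs"].get("uniquemember", [])}:
            held.append(privilege)
    return sorted(held)


def audit(nickname: str, ldif: str = SAMPLE_LDIF, realm_dn: str = REALM_DN) -> Optional[Dict]:
    entries = parse_ldif(ldif)
    user_dn = find_user_dn(entries, common_entries(entries, realm_dn), nickname)
    if user_dn is None:
        return None
    return {"dn": user_dn, "privileges": delegated_privileges(entries, realm_dn, user_dn)}


if __name__ == "__main__":
    for who in ("alice", "orcladmin", "mallory"):
        print(who, audit(who))
```

Run against real output from an ldapsearch of the Oracle Context's Groups container and the realm's Users container, the same audit shows at a glance who can create, edit or delete identities that every OracleAS component trusts.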

Storage of User Credentials

The user authentication credentials stored in the OID server are as follows:
• Credentials for directory usage
• Credentials for authenticating a user to Oracle components

Password Policies

• Password policies are a set of rules that govern how a password is used.
• Each Identity Management Realm has its own password policy, which applies to all users under that Identity Management Realm.
• Password policies are enforced by the OID server during ldapbind and ldapcompare.
• The OID server checks that a password added or modified using ldapadd or ldapmodify meets the password policy.

Managing Password Policies Using ODM

You can manage password policies using ODM:
• View a password policy
• Modify a password policy

Modifying Password Policies by Using ODM
You can modify the password policies by performing the following steps using ODM:
• In the navigation pane, expand Oracle Internet Directory > directory_server_instance > Password Policy Management.
• Select the password policy that you want to modify.
• In the right pane, all the attributes of the password policy are displayed in the fields.
• Change the editable attributes that you want to modify.
• When you are finished, click Apply to save the changes.

Managing Password Policies by Using Command-Line Tools
You can manage the password policies by using the command-line tools:
• You can view a password policy entry:

ldapsearch -p 4032 -h incq171b -b "" -s sub "objectclass=pwdpolicy"

• You can modify a password policy entry (ldapmodify reads the change as LDIF on standard input):

ldapmodify -p 4032 -h incq171b -v
dn: cn=pwdpolicyentry,cn=common,cn=products,o=oidc,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 100000
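Because the policy is enforced at ldapbind and ldapcompare time for every user in the realm (the Password Policies slide above), a weak value in the pwdpolicy entry weakens every component that authenticates through OID. The following is an added example, not code from the Oracle course, that takes the LDIF the ldapsearch above prints, compares the policy against a baseline, and emits ldapmodify input in the same shape as the slide's pwdMaxAge change. The sample entry and its DN are constructed; only pwdMaxAge appears on the slides, and pwdMinLength and pwdMaxFailure are taken from the IETF password-policy draft that OID's pwdpolicy object class follows, as is the reading of pwdMaxAge as seconds and 0 as "no limit"; the thresholds are this example's choice, not an Oracle default.

```python
"""Added example (not from the Oracle slides): audit a pwdpolicy entry
and generate the corrective ldapmodify input. Sample data is constructed."""
from typing import Dict, List

# Constructed sample: one pwdpolicy entry as ldapsearch would print it.
POLICY_DN = "cn=PwdPolicyEntry,cn=common,cn=products,cn=OracleContext,dc=xyz,dc=com"
SAMPLE_LDIF = f"""\
dn: {POLICY_DN}
objectclass: top
objectclass: pwdpolicy
pwdMaxAge: 0
pwdMinLength: 5
pwdMaxFailure: 0
"""

# Example baseline (an assumption, not an Oracle default): rotate within
# 90 days, at least 8 characters, lock out after at most 10 failed binds.
MAX_AGE_SECONDS = 90 * 24 * 3600
MIN_LENGTH = 8
MAX_FAILURES = 10


def parse_entry(ldif: str) -> Dict[str, List[str]]:
    """Read a single LDIF entry into {lower-cased attribute: [values]}."""
    attrs: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def _int_attr(attrs: Dict[str, List[str]], name: str) -> int:
    """Integer value of an attribute; absent counts as 0, which for pwdMaxAge
    and pwdMaxFailure means 'no limit' under the draft's semantics."""
    return int(attrs.get(name.lower(), ["0"])[0])


def check_policy(attrs: Dict[str, List[str]]) -> List[str]:
    """One finding per attribute outside the baseline; [] when the policy is clean."""
    findings = []
    max_age = _int_attr(attrs, "pwdMaxAge")
    if max_age == 0:
        findings.append("pwdMaxAge=0: passwords never expire")
    elif max_age > MAX_AGE_SECONDS:
        findings.append(f"pwdMaxAge={max_age}s exceeds {MAX_AGE_SECONDS}s")
    min_len = _int_attr(attrs, "pwdMinLength")
    if min_len < MIN_LENGTH:
        findings.append(f"pwdMinLength={min_len} below {MIN_LENGTH}")
    max_fail = _int_attr(attrs, "pwdMaxFailure")
    if max_fail == 0:
        findings.append("pwdMaxFailure=0: failed binds do not trigger lockout")
    elif max_fail > MAX_FAILURES:
        findings.append(f"pwdMaxFailure={max_fail} above {MAX_FAILURES}")
    return findings


def modify_ldif(dn: str, attribute: str, value) -> str:
    """ldapmodify input in the same shape as the slide's example:
    replace one attribute on the policy entry."""
    return f"dn: {dn}\nchangetype: modify\nreplace: {attribute}\n{attribute}: {value}\n"


def remediation(dn: str, attrs: Dict[str, List[str]]) -> List[str]:
    """ldapmodify inputs that move each failing attribute to the baseline value."""
    fixes = []
    max_age = _int_attr(attrs, "pwdMaxAge")
    if max_age == 0 or max_age > MAX_AGE_SECONDS:
        fixes.append(modify_ldif(dn, "pwdMaxAge", MAX_AGE_SECONDS))
    if _int_attr(attrs, "pwdMinLength") < MIN_LENGTH:
        fixes.append(modify_ldif(dn, "pwdMinLength", MIN_LENGTH))
    max_fail = _int_attr(attrs, "pwdMaxFailure")
    if max_fail == 0 or max_fail > MAX_FAILURES:
        fixes.append(modify_ldif(dn, "pwdMaxFailure", MAX_FAILURES))
    return fixes


if __name__ == "__main__":
    policy = parse_entry(SAMPLE_LDIF)
    for finding in check_policy(policy):
        print("FINDING:", finding)
    for change in remediation(POLICY_DN, policy):
        print(change)
```

The generated LDIF is what you would feed to the ldapmodify command shown above; as the slides note, OID then validates subsequent ldapadd and ldapmodify password changes against the updated policy.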

Modifying the OID Administrator Password


Modifying the Administrator Password


Relationship Between OracleAS Portal and OID
OracleAS Portal requires the following interaction with OID:
• OracleAS Portal-specific entries stored in the directory
• Group attributes stored in the directory
• User attributes stored in the directory
• Caching of user and group information from the directory
• Populating user and group lists of values from the directory through the Delegated Administration Services

OracleAS Portal Directory Entries in OID
[Figure: OracleAS Portal entries in the DIT. Under the DSE root: dc=com with the realms dc=xyz and dc=abc; cn=OracleContext with cn=Products, holding the Portal application entity orclApplicationCommonName=portal.030703.1433; the realm's cn=Users and cn=Groups containers with the Portal entries cn=portal.030703.1433, cn=AUTHENTICATED_USERS, cn=DBA, cn=PORTAL, cn=PUBLIC and cn=PORTAL_ADMIN]

Configuring OID Settings in OracleAS Portal


Caching OID Information in OracleAS Portal


Synchronizing Cached OID Information in OracleAS Portal
[Figure: synchronizing cached OID information: the Directory Integration Platform's Provisioning Integration service sits between OID and OracleAS Portal, driven by the Portal provisioning profile and OPCA; OracleAS Portal holds the Directory Synchronization Settings and the cached OID information]

Enabling Directory Synchronization in the OracleAS Portal Instance


Summary

In this lesson, you should have learned how to:
• Describe identity management
• Explain the default Identity Management Realm
• Describe the OracleAS Administration Model
• Explain application-specific access control
• Manage users and groups
• Describe the relationship between OracleAS Portal and Oracle Internet Directory
• Identify OracleAS Portal entries in the directory
• Configure OID settings in OracleAS Portal
