This chapter covers the following topics:
Section 14.1, "Extending the Domain with Oracle Authorization Policy Manager"
Section 14.2, "Extending the Domain with Oracle Identity Navigator"
Section 14.3, "Backing Up the Application Tier Configuration"
Oracle Authorization Policy Manager (APM) is the single centralized console for managing authorization for Fusion applications/J2EE applications and Oracle Fusion Middleware components that provide various services to those applications. An application administrator has a single console for administering various Authorization polices for an application.
You can use either WLST commands or Fusion Middleware Control to manage application policies. Using WLST command requires manually running commands. Fusion Middleware Control offers a graphical user interface, but it is a rather complex tool. It requires you to work with low-level security artifacts and to know names and concepts used by developers, such as permission class names or task-flow names.
Authorization Policy Manager greatly simplifies the creation, configuration, and administration of application policies over those two other tools by providing the following features:
User-friendly names and descriptions of security artifacts. For details, see the "OPSS Authorization Model" chapter in the Oracle Fusion Middleware Authorization Policy Manager Administrator's Guide.
A way to organize application roles by business, product, or any other parameter specific to an application. For details, see the "Role Categories" section in the Oracle Fusion Middleware Authorization Policy Manager Administrator's Guide.
A uniform graphic interface to search, create, browse, and edit security artifacts. For details, see the "Querying Security Artifacts, and "Managing Security Artifacts" chapters in the Oracle Fusion Middleware Authorization Policy Manager Administrator's Guide.
A way to specify a subset of applications that a role can manage. For details, see the "Delegated Administration" chapter in the Oracle Fusion Middleware Authorization Policy Manager Administrator's Guide.
This section contains the following topics:
Section 14.1.1, "Base Authorization Policy Manager Platform"
Section 14.1.3, "Configuring Authorization Policy Manager on IDMHOST1"
Section 14.1.4, "Stopping and Starting the Admin Server IDMHOST1"
Section 14.1.6, "Configure Oracle HTTP Servers to Access APM Console"
Section 14.1.7, "Configuring Authorization Policy Manager to Use an External LDAP Store"
The Authorization Policy Manager (APM) Console enables an APM administrator to manage following artifacts at a high level when it comes to authorization.
External Roles
Application Roles
Resources–Target
Policy–Subject, Target, Grants
Other artifacts include:
Entitlements (aggregation of resources)
Resource types (metadata definition for resources)
Role templates (role generation based on templates with template policies)
Note:
The administration of these artifacts varies. For example, creation of enterprise roles is done externally in an identity and provisioning system. APM will only provide read level services for Enterprise Roles.Before configuring Authorization Policy Manager, ensure that the following tasks have been performed:
Start the configuration wizard by executing the command:
MW_HOME/oracle_common/common/bin/config.sh
Then proceed as follows:
On the Welcome Screen, select Extend an Existing WebLogic Domain. Click Next
On the screen Select a WebLogic Domain, using the Navigator, select the domain home of the admin server, for example:
/u01/app/oracle/plus/admin/IDMDomain/aserver/IDMDomain/
Click Next
On the Select Extension Source screen, select Oracle Authorization Policy Manager. Click Next.
The Configure RAC Multi Datasources screen shows the Multi Datasources for previously configured components in your domain. Do not make any changes.
Click Next.
On the Configure JDBC Component Schema screen, select Configure selected Component schemas as RAC multi data source schemas in the next panel. Click Next
On the screen Configure RAC Multi Data Source Component Schemas, select all the Multi Data source Schemas and enter the following:
Service Name: For example, idmedg.us.oracle.com
For the First Oracle RAC Node, enter:
HostName: For example, idmdb1.us.oracle.com
Instance Name: For example, idmedg1
Port: For example, 1521
Click Add to add an additional row.
For the second Oracle RAC Node, enter
HostName: For example, idmdb2.us.oracle.com
Instance Name: For example, idmedg2
Port: For example, 1521
Select APM MDS Schema and Enter the UserName and Password. For example:
EDG_MDS password
On the Test Component Schema screen, select All the Schemas and then click Test Connections. Validate that the test for all the schemas completed successfully. Click Next.
On the Select Optional Configuration screen, do not make any selections. Click Next.
On the Configuration Summary screen, click Extend to extend the domain.
On the Extending Domain screen, click Done to exit the Configuration Wizard.
In this Enterprise Deployment Topology, APM is being deployed to the Administration Server. To complete the deployment of APM, stop and start WebLogic Administration Server on IDMHOST1 as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
In this Enterprise Deployment Topology, APM is deployed to the Administration Server in an active-passive configuration. Because APM is failed over along with the Administration Server, there is no need to provision APM on IDMHOST2.
Follow the steps in Section 6.13, "Manually Failing Over the Administration Server" to fail over APM from IDMHOST1 to IDMHOST2.
On each of the web servers on WEBHOST1 and WEBHOST2, a file called admin.conf was created in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. (See Section 6.9, "Configuring Oracle HTTP Server for the Administration Server".)
Edit admin.conf and add the following lines inside the virtual host definition:
<Location /apm>
SetHandler weblogic-handler
WebLogicHost ADMINVHN
WebLogicPort 7001
</Location>
After editing the file should look like this:
NameVirtualHost *:80 <VirtualHost *:80> ServerName admin.mycompany.com:80 ServerAdmin [email protected] RewriteEngine On RewriteOptions inherit # Admin Server and EM <Location /console> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /consolehelp> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /em> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /apm> SetHandler weblogic-handler WebLogicHost ADMINVHN WebLogicPort 7001 </Location> </VirtualHost>
Restart the Oracle HTTP Server as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
By default, Oracle WebLogic Server uses the local LDAP store that is created as part of the installation and configuration process. Typically, enterprise deployments require a centralized LDAP store to provision users, groups, roles, and policies, so you must configure Oracle WebLogic Server to use an external LDAP store, such as Oracle Internet Directory. Configuring APM with an external LDAP store is covered in Chapter 18, "Integrating Components." Please refer to Section 18.1, "Migrating Policy and Credential Stores" for the steps on Configuring APM to use an External LDAP Store.
Note:
You may skip this section if you already have Oracle Identity Navigator as part of your domain or if you have already extended the domain with Oracle Adaptive Access Manager. Oracle Identity Navigator is selected by default when you extend the domain with Oracle Adaptive Access Manager.Oracle Identity Navigator is an administrative portal designed to act as a launch pad for Oracle Identity Management components. It allows you to access the Oracle Identity Management consoles from one site. It is installed with other Oracle Identity Management components, and enables you access other components by product discovery.
Oracle Identity Navigator is a J2EE application deployed on a Oracle WebLogic Administration Server. It uses Oracle Metadata Service.
The Oracle Identity Navigator report feature relies on Oracle Business Intelligence Publisher.
This section contains the following topics:
Section 14.2.2, "Configure Oracle Identity Navigator on IDMHOST1"
Section 14.2.3, "Stopping and Starting the Administration Server IDMHOST1"
Section 14.2.4, "Provisioning Oracle Identity Navigator on IDMHOST1"
Section 14.2.5, "Configuring Oracle HTTP Servers to Access OIN Console"
Install the following software on IDMHOST1 and IDMHOST2 as described in Chapter 4.
Oracle WebLogic Server
Oracle Identity Management
Start the configuration wizard by executing the command:
MW_HOME/oracle_common/common/bin/config.sh
Then proceed as follows:
On the Welcome Screen, select Extend an Existing WebLogic Domain. Click Next
On the screen Select a WebLogic Domain, using the Navigator, select the domain home of the administration server, for example:
/u01/app/oracle/plus/admin/IDMDomain/aserver/IDMDomain/
Click Next
On the Select Extension Source screen, select Oracle Identity Navigator. Click Next
The Configure RAC Multi Datasources screen shows the Multi Datasources for previously configured components in your domain. Do not make any changes. Click Next.
On the Select Optional Configuration screen, do not make any selections. Click Next
On the Configuration Summary screen, click Extend to extend the domain.
On the Extending Domain screen, click Done to exit the Configuration Wizard.
Stop and Start WebLogic Admin Server on IDMHOST1 as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
In this Enterprise Deployment Topology, Oracle Identity Navigator is deployed to the Admin Server in an active-passive model. Since Oracle Identity Navigator is failed over along with the Admin Server, there is no need to provision Oracle Identity Navigator on IDMHOST2.
Follow the steps in Section 6.13, "Manually Failing Over the Administration Server".
On each of the web servers on WEBHOST1 and WEBHOST2, a file called admin.conf was created in the directory ORACLE_INSTANCE/config/OHS/component/moduleconf. (See Section 6.9, "Configuring Oracle HTTP Server for the Administration Server".)
Edit admin.conf and add the following lines in the virtual host definition:
<Location /oinav>
SetHandler weblogic-handler
WebLogicHost ADMINVHN
WebLogicPort 7001
</Location>
After editing the file should look like this:
NameVirtualHost *:80 <VirtualHost *:80> ServerName admin.mycompany.com:80 ServerAdmin [email protected] RewriteEngine On RewriteOptions inherit # Admin Server and EM <Location /console> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /consolehelp> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /em> SetHandler weblogic-handler WebLogicHost ADMINVHN WeblogicPort 7001 </Location> <Location /apm> SetHandler weblogic-handler WebLogicHost ADMINVHN WebLogicPort 7001 </Location> <Location /oinav> SetHandler weblogic-handler WebLogicHost ADMINVHN WebLogicPort 7001 </Location> </VirtualHost>
Restart the Oracle HTTP Server as described in Section 19.1, "Starting and Stopping Oracle Identity Management Components."
Validate the implementation using the Oracle Identity Navigator Console at http://admin.mycompany.com/oinav. The Oracle Identity Navigator login page is displayed. Log in using the WebLogic administrator's credentials.
It is an Oracle best practices recommendation to create a backup after successfully completing the installation and configuration of each tier, or at another logical point. Create a backup after verifying that the installation so far is successful. This is a quick backup for the express purpose of immediate restoration in case of problems in later steps. The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process. For more details, see the Oracle Fusion Middleware Administrator's Guide.
For information on database backups, refer to the Oracle Database Backup and Recovery Advanced User's Guide.
To back up the installation to this point, follow these steps:
Back up the web tier as described in Section 5.6, "Backing up the Web Tier Configuration."
Back up the database. This is a full database backup, either hot or cold. The recommended tool is Oracle Recovery Manager. You can also use operating system tools such as tar for cold backups.
Back up the Administration Server domain directory as described in Section 6.14, "Backing Up the WebLogic Domain."
Back up the Oracle Internet Directory as described in Section 7.5, "Backing up the OID Configuration."
Back up the Oracle Virtual Directory as described in Section 8.5, "Backing Up the Oracle Virtual Directory Configuration."
For information about backing up the application tier configuration, see Section 19.4, "Performing Backups and Recoveries."