Configure Oracle Entitlements Server

This section describes how to configure Oracle Entitlements Server to work with API Gateway.

Create a resource and authorization policy in OES

The following steps describe how to create a resource and an authorization policy for that resource in Oracle Entitlements Server. For more detailed instructions about each of these steps, refer to the OES documentation.

You can use the OES Authorization Policy Manager web-based administration interface to configure the resource. The web interface is available at the following URL, where OES_HOST refers to the IP or host name of the machine on which OES is running:

http://OES_HOST:7001/apm

Log in using your WebLogic credentials and complete the following steps:

Step 1 - Create the application

To add a new application in OES, perform these steps:

  1. Open the Authorization Management tab.
  2. Right-click on the Applications node in the tree and select New.
  3. Enter a name and a description for the new application, for example, MyApplication and First App.
  4. Click Save at the top right-hand corner of the page.

Step 2 - Create the security module

The next step is to create a new security module:

  1. Open the System Configuration tab.
  2. Double-click the Security Modules node in the tree.
  3. Click New at the top of the Security Modules table.
  4. Enter MySM as the name of the new security module.
  5. Click Add at the top of the Bound to Applications table.
  6. Leave the Search field blank and click the search button to the right of the field.
  7. Select MyApplication from the search results and click Add.
  8. MyApplication is now listed in the Bound to Applications table.

Step 3 - Create the resource type

You will now configure the resource type for the resource that users will be authorized for:

  1. Open the Authorization Management tab again.
  2. Expand the Applications node and then expand the newly created MyApplication node.
  3. Double-click the Resource Types node.
  4. Click New above the table showing the existing Resource Types.
  5. Enter MyResourceType in the Name field.
  6. Add an action for this resource by clicking New above the Actions table. Add POST as an action.
  7. Click Save to save the new Resource Type, which now appears in the Resource Types table.

Step 4 - Create the resource

The next step is to add the Resource:

  1. Expand the Default Policy Domain and then the Resource Catalog nodes.
  2. Double-click the Resources node.
  3. Click New above the table listing all existing Resources.
  4. Select MyResourceType as the Resource Type.
  5. Enter MyResource as the Resource name.
  6. Click Save to save the Resource, which now appears in the Resources table.

Step 5 - Configure the authorization policy

Now you must create the authorization policy that will determine whether to permit or deny access to the resource:

  1. Double-click the Authorization Policies node beneath the Default Policy Domain node in the tree.
  2. Click New above the table showing the existing Authorization Policies.
  3. Enter MyPolicy as the name of the new policy.
  4. Choose to "Permit" access to the resource target using the corresponding Effect check box.
  5. Configure the Principals (users, roles, or both) that can access the resource by clicking the "plus" button to the right of the Principals table.
  6. Select the Users tab in the Search Principal window.
  7. Select the default weblogic user from the table and click Add Selected to add the weblogic user to the Selected Principals table.
Note   This procedure requires the weblogic user to be available in OES.
  8. Click Add Principals at the bottom of the window.
  9. Next, you must specify the resource target that this policy acts on. Click the "plus" button to the right of the Targets table.
  10. Click the Resources tab on the Search Targets window.
  11. Select MyResourceType in the Resource Type drop-down and click Search.
  12. Select MyResource from the table and click Add Selected to add the resource to the Selected Targets table.
  13. Click Add Targets at the bottom of the page.

Set up the OES client

The OES client distributes policies to individual security modules that protect applications and services. Policy data is distributed in a controlled manner or in a non-controlled manner. The distribution mode is defined in the jps-config.xml configuration file for each security module. The specified distribution mode applies to all application policy objects bound to that security module. Consult with the OES administrator to find out the distribution mode. For the purposes of this section, the controlled distribution mode is used.

Controlled mode

Complete the following steps to configure the OES client in controlled mode:

  1. Open a command prompt and change directory to your OES client installation directory (this is referred to as OES_CLIENT_HOME throughout the remainder of this section).
  2. Set the JAVA_HOME environment variable. For example, on UNIX/Linux:

     > export JAVA_HOME=/home/oesuser/Oracle/Middleware/jdk160_29

  3. Edit the following file:

     OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.java.controlled.prp

  4. Ensure that the following values are set:

     oracle.security.jps.runtime.pd.client.policyDistributionMode
         Accept the default value controlled-push as the distribution mode.

     oracle.security.jps.runtime.pd.client.RegistrationServerHost
         Enter the address of the Oracle Entitlements Server Administration Server.

     oracle.security.jps.runtime.pd.client.RegistrationServerPort
         Enter the SSL port number of the Oracle Entitlements Server Administration Server. You can find the SSL port number in the WebLogic Administration Console. By default, 7002 is used.

  5. On UNIX-based systems, run the config.sh script located in the OES_CLIENT_HOME/oessm/bin directory. Both options take a single leading hyphen:

     > ./config.sh -smConfigId MySM -prpFileName OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.java.controlled.prp

  6. When prompted, specify the following:
     • OES user name (Administration Server's user name)
     • OES password (Administration Server's password)
     • New key store password for enrollment
  7. The following shows some sample output:

     > ./config.sh -smConfigId MySM -prpFileName /home/oesuser/Oracle/Middleware/oes_client/oessm/SMConfigTool/smconfig.java.controlled.prp
     Configuring for Controlled Policy Distribution Mode
     Security Module configuration is created at: /home/oesuser/Oracle/Middleware/oes_client/oes_sm_instances/MySM
     Enter password for key stores: ******
     Enter password for key stores again: ******
     Passwords are saved in credential store.
     Keystores are initialized successfully.
     Please enter a value for OES Admin Server User name:weblogic
     Please enter a value for OES Admin Server Password:
     Enrollment is proceeded successfully.

  8. Ensure that the security module has been configured correctly by checking that the OES_CLIENT_HOME/oes_sm_instances/MySM directory has been created.
  9. Depending on your OES client setup, the registration process might not have generated a cwallet.sso file in your OES_CLIENT_HOME/oes_sm_instances/MySM/config directory. If there is no cwallet.sso file present in the config directory, copy the one generated in the config/enroll directory to the config directory using the following commands:

     $ cd oes_sm_instances/MySM/config
     $ ls
     enroll  jps-config.xml  system-jazn-data.xml
     $ cp enroll/cwallet.sso ./
     $ ls
     cwallet.sso  enroll  jps-config.xml  system-jazn-data.xml

     The cwallet.sso file is the credential store in which the key store and enrollment passwords were saved, so keep it readable only by the account that runs the security module.
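The controlled-mode steps above can be scripted so that they are repeatable across security modules and the two checks at the end (instance directory created, cwallet.sso present) are not forgotten. The following script is an added example and is not part of the original page or of the OES client distribution. It assumes that smconfig.java.controlled.prp is an ordinary Java properties (key=value) file, that the registration host and port are supplied by the caller, and that config.sh is run only when OES_CLIENT_HOME points at a real client installation; the function names (set_prp, configure_prp, fix_wallet, enroll) are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page or the OES client): edits the three
# registration properties in smconfig.java.controlled.prp, runs config.sh for a
# security module, verifies the instance directory and repairs a missing
# cwallet.sso. Assumes the .prp file is a key=value Java properties file.

# set_prp FILE KEY VALUE: replace "KEY=..." in FILE, or append it if absent.
set_prp() {
    file=$1; key=$2; value=$3
    # escape the dots in the property name so sed matches it literally
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    if grep -q "^${key}=" "$file"; then
        sed "s|^${esc}=.*|${key}=${value}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_prp FILE KEY: print the current value of KEY (used to verify the edit).
get_prp() {
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    sed -n "s|^${esc}=||p" "$1"
}

# configure_prp FILE HOST PORT: the three values the page says must be set.
configure_prp() {
    set_prp "$1" oracle.security.jps.runtime.pd.client.policyDistributionMode controlled-push
    set_prp "$1" oracle.security.jps.runtime.pd.client.RegistrationServerHost "$2"
    set_prp "$1" oracle.security.jps.runtime.pd.client.RegistrationServerPort "$3"
}

# fix_wallet INSTANCE_DIR: copy config/enroll/cwallet.sso into config/ when the
# registration did not place it there. Returns 1 if neither copy exists.
fix_wallet() {
    cfg=$1/config
    if [ ! -f "$cfg/cwallet.sso" ]; then
        [ -f "$cfg/enroll/cwallet.sso" ] || return 1
        cp "$cfg/enroll/cwallet.sso" "$cfg/cwallet.sso"
    fi
    # the wallet holds the key store and enrollment passwords: owner-only access
    chmod 600 "$cfg/cwallet.sso"
}

# enroll SM_ID HOST PORT: the full procedure against a real client installation.
enroll() {
    sm=$1
    prp="$OES_CLIENT_HOME/oessm/SMConfigTool/smconfig.java.controlled.prp"
    configure_prp "$prp" "$2" "$3"
    # config.sh prompts for the key store password and the OES admin credentials
    "$OES_CLIENT_HOME/oessm/bin/config.sh" -smConfigId "$sm" -prpFileName "$prp"
    inst="$OES_CLIENT_HOME/oes_sm_instances/$sm"
    [ -d "$inst" ] || { echo "instance directory $inst was not created" >&2; return 1; }
    fix_wallet "$inst" || { echo "no cwallet.sso under $inst/config" >&2; return 1; }
    echo "$sm enrolled; instance at $inst"
}

# Only run the enrollment when pointed at a real installation, for example:
#   OES_CLIENT_HOME=/home/oesuser/Oracle/Middleware/oes_client OES_HOST=oes.example.com sh enroll.sh
if [ -n "${OES_CLIENT_HOME:-}" ] && [ -x "$OES_CLIENT_HOME/oessm/bin/config.sh" ]; then
    enroll MySM "${OES_HOST:-oes.example.com}" "${OES_SSL_PORT:-7002}"
fi
```

The host name oes.example.com and the OES_HOST / OES_SSL_PORT variables are placeholders for this example. The script uses a temporary file rather than sed -i so that it behaves the same on GNU and BSD sed, and it tightens the permissions on cwallet.sso because that file is the credential store in which config.sh saved the passwords.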

Non-controlled mode

Alternatively, you can use the non-controlled or controlled pull distribution mode. Consult the Oracle documentation for configuring these modes.

Distribute the OES policy

When the OES client has registered with OES, you can distribute the policy for that application so that clients making authorization requests for this resource are subject to the policy enforcement rules.

Follow these steps in the OES Authorization Policy Manager web-based administration interface:

  1. Double-click the MyApplication node in the tree on the Authorization Management tab.
  2. Open the Policy Distribution tab for the application configuration.
  3. Expand the MySM entry in the table.
  4. You should see an entry representing the recently registered OES client instance.
  5. Select the MySM security module and click Distribute to push the authorization policy configured for this application.
  6. You might need to click Refresh to update the Synced status. A green tick indicates a successful distribution.
Note   You might have to restart WebLogic for your newly registered security module to be displayed in the list on the Policy Distribution tab.
