Oracle® Identity Management Guide to Delegated Administration
10g Release 2 (10.1.2) B14086-02
This chapter describes Oracle Delegated Administration Services, a framework consisting of pre-defined, Web-based units for building administrative and self-service consoles. These consoles can be used by delegated administrators and users to perform specified directory operations.
It contains these topics:
Installing and Configuring Oracle Delegated Administration Services
Starting and Stopping Oracle Delegated Administration Services
Delegated administration is an important feature of the Oracle Identity Management infrastructure. It enables you to store all data for users, groups, and services in a central directory, while distributing the administration of that data to various administrators and end users. It does this in a way that respects the various security requirements in your environment.
Suppose, for example, that your enterprise stores all user, group, and services data in a central directory, and requires one administrator for user data, and another for the e-mail service. Or suppose that it requires the administrator of Oracle Financials to fully control user privileges, and the administrator of OracleAS Portal to fully control the Web pages for a specific user or group. Delegated administration as provided by the Oracle Identity Management infrastructure enables all of these administrators with their diverse security requirements to administer the centralized data in a way that is both secure and scalable. The following privileges can be delegated with Oracle Delegated Administration Services:
Creation, editing, and deletion of users and groups
Assignment of privileges to users and groups
Management of services and accounts
Configuration of Oracle Delegated Administration Services
Resource management of Oracle Reports and Oracle Application Server Forms Services
See Also: The chapter on delegation of privileges for an Oracle technology deployment in Oracle Internet Directory Administrator's Guide for more information about delegated administration
Oracle Delegated Administration Services is a set of pre-defined, Web-based units for performing directory operations on behalf of a user. It frees directory administrators from the more routine directory management tasks by enabling them to delegate specific functions to other administrators and to end users. It provides most of the functionality that directory-enabled applications require, such as creating a user entry, creating a group entry, searching for entries, and changing user passwords.
You can use Oracle Delegated Administration Services to develop your own tools for administering application data in the directory. Alternatively, you can use the Oracle Internet Directory Self-Service Console, a tool based on Delegated Administration Services. This tool comes ready to use with Oracle Internet Directory.
This section contains these topics:
Applications built by using Oracle Delegated Administration Services enable you to grant a specific level of directory access to each type of user. For example, look at Figure 1-1, which shows the various administrative levels in a hosted environment.
Figure 1-1 Administrative Levels in a Hosted Environment
The global administrator, with full privileges for the entire directory, can delegate to realm administrators the privileges to create and manage the realms for hosted companies. These administrators can, in turn, delegate to end users and groups the privileges to change their application passwords, personal data, and preferences. Each type of user can thus be given the appropriate level of privileges.
Oracle Delegated Administration Services is a J2EE application that is deployed on an Oracle Application Server Containers for J2EE (OC4J) instance. Oracle Delegated Administration Services performs the following basic tasks:
Receive requests from clients
Process those requests—by either retrieving or updating data in Oracle Internet Directory—and compile the LDAP result into an HTML page
Send the HTML page back to the client Web browser
Figure 1-2 shows the flow of information between components in an Oracle Delegated Administration Services environment.
Figure 1-2 Flow of Information Between Components in an Oracle Delegated Administration Services Environment
As Figure 1-2 shows:
The user, from a browser and using HTTP, sends to Oracle Delegated Administration Services a request containing a directory query.
Oracle Delegated Administration Services receives the request and launches the appropriate servlet. This servlet interprets the request, and sends it to Oracle Internet Directory by using LDAP.
Oracle Internet Directory sends the LDAP result to the Oracle Delegated Administration Services servlet.
The Oracle Delegated Administration Services servlet compiles the LDAP result into an HTML page, and sends it to the client Web browser.
When a user logs into an Oracle component, that component may need to obtain information from the directory on the end user's behalf—for example, the password verifier. To do this, the component typically logs into the directory as a proxy user, a feature that enables it to switch its identity to that of the end user.
A problem, however, is that the greater the number of components logging into the directory as proxy users, the greater the risk of a malicious user accessing the directory as a proxy user. To prevent this security problem, the Oracle Delegated Administration Services centralizes proxy user access.
In an Oracle Delegated Administration Services environment, each component, instead of logging into the directory as a proxy user, logs into the central Oracle Delegated Administration Services. Oracle Delegated Administration Services then logs into the directory as a proxy user, switches its identity to that of the end user, and performs operations on that user's behalf. Centralizing proxy user directory access in this way replaces the less secure strategy of granting proxy user access to every component that accesses the directory.
Figure 1-3 shows the proxy user feature in an Oracle Delegated Administration Services environment. End users or delegated administrators log in to a central Oracle Delegated Administration Services. They do this by using the Oracle Internet Directory Self-Service Console, the consoles of other Oracle components such as OracleAS Portal, or those of third-party applications. The Oracle Delegated Administration Services then logs into Oracle Internet Directory as a proxy user.
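The following is an added example, not code from Oracle or from this guide, that models the centralized proxy-user pattern described above in a few dozen lines of Python. The in-memory directory, the entries, the component names and their shared secrets are all constructed for illustration; the hypothetical `cn=das-proxy` entry stands in for the single identity that is allowed to switch to an end user. It shows the three properties the text relies on: only the central service's bind identity may proxy, a proxied operation runs with the end user's rights rather than the proxy user's, and every identity switch is recorded with the component that requested it.

```python
"""Toy model of centralized proxy-user access (added example, not Oracle code)."""

# Constructed sample entries: DN -> attributes.  Not Oracle Internet Directory data.
ALICE = "cn=alice,cn=users,dc=example,dc=com"
BOB = "cn=bob,cn=users,dc=example,dc=com"
PROXY_DN = "cn=das-proxy,cn=users,dc=example,dc=com"   # hypothetical proxy identity
SAMPLE_ENTRIES = {
    "cn=orcladmin": {"userpassword": "admin-secret", "role": "global-admin"},
    ALICE: {"userpassword": "alice-pw", "mail": "alice@example.com"},
    BOB: {"userpassword": "bob-pw", "mail": "bob@example.com"},
    PROXY_DN: {"userpassword": "proxy-secret"},
}


class Session:
    """A bound connection: who authenticated (bind_dn) and whose rights apply (effective_dn)."""

    def __init__(self, directory, bind_dn):
        self.directory, self.bind_dn, self.effective_dn = directory, bind_dn, bind_dn

    def proxy_as(self, target_dn):
        """Identity switch; only DNs on the directory's proxy allow-list may do it."""
        if self.bind_dn not in self.directory.proxy_allowed:
            raise PermissionError(f"{self.bind_dn} is not a proxy user")
        if target_dn not in self.directory.entries:
            raise LookupError(target_dn)
        self.effective_dn = target_dn
        return self


class Directory:
    """Minimal LDAP-like store; access checks use the session's effective DN."""

    def __init__(self, entries, proxy_allowed):
        self.entries = {dn: dict(attrs) for dn, attrs in entries.items()}
        self.proxy_allowed = set(proxy_allowed)

    def bind(self, dn, password):
        if self.entries.get(dn, {}).get("userpassword") != password:
            raise PermissionError(f"bind failed for {dn}")
        return Session(self, dn)

    def _may_touch(self, who, dn):
        return who == dn or self.entries.get(who, {}).get("role") == "global-admin"

    def read(self, session, dn):
        if not self._may_touch(session.effective_dn, dn):
            raise PermissionError(f"{session.effective_dn} may not read {dn}")
        return {k: v for k, v in self.entries[dn].items() if k != "userpassword"}

    def modify(self, session, dn, attr, value):
        if not self._may_touch(session.effective_dn, dn):
            raise PermissionError(f"{session.effective_dn} may not modify {dn}")
        self.entries[dn][attr] = value
        return True


class DelegatedAdminService:
    """The one place that holds the proxy credential; components log in here instead."""

    def __init__(self, directory, components, proxy_password):
        self.directory = directory
        self.components = dict(components)       # component name -> shared secret
        self.proxy_password = proxy_password
        self.audit = []                          # (component, end_user, op, target)

    def handle(self, component, secret, end_user, op, target, *args):
        if self.components.get(component) != secret:
            raise PermissionError(f"unregistered component {component!r}")
        session = self.directory.bind(PROXY_DN, self.proxy_password).proxy_as(end_user)
        self.audit.append((component, end_user, op, target))
        return getattr(self.directory, op)(session, target, *args)


def build_service():
    directory = Directory(SAMPLE_ENTRIES, proxy_allowed=[PROXY_DN])
    return DelegatedAdminService(directory, {"portal": "portal-secret"}, "proxy-secret")


def demo():
    """Exercise the model; returns a dict of outcomes so the behaviour can be checked."""
    das, results = build_service(), {}
    results["alice_self_modify"] = das.handle(
        "portal", "portal-secret", ALICE, "modify", ALICE, "mail", "a@example.com")
    try:   # Bob's rights, not the proxy user's, govern a request made on Bob's behalf
        das.handle("portal", "portal-secret", BOB, "modify", ALICE, "mail", "x@example.com")
        results["bob_modifies_alice"] = "allowed"
    except PermissionError:
        results["bob_modifies_alice"] = "denied"
    try:   # a component the service does not know is refused before any directory access
        das.handle("rogue", "guess", ALICE, "read", ALICE)
        results["unregistered"] = "allowed"
    except PermissionError:
        results["unregistered"] = "denied"
    try:   # an ordinary user binding directly cannot switch identity at all
        das.directory.bind(BOB, "bob-pw").proxy_as(ALICE)
        results["bob_direct_proxy"] = "allowed"
    except PermissionError:
        results["bob_direct_proxy"] = "denied"
    results["audit_entries"] = len(das.audit)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the separation between `bind_dn` and `effective_dn`: the directory never evaluates an access check against the proxy identity, so holding the proxy credential in one audited service, rather than in every component, is what limits the blast radius if a component is compromised.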
This section tells you how to install and configure Oracle Delegated Administration Services. It contains these topics:
Task 2: Verify that Oracle Delegated Administration Services Is Running
Location of Log Files for Components in the Oracle Delegated Administration Services Environment
See Also: Appendix B, "Troubleshooting Oracle Delegated Administration Services" for information on how to troubleshoot Oracle Delegated Administration Services
By default, Oracle Delegated Administration Services is installed as part of Oracle Internet Directory 10g Release 2 (10.1.2). However, during the installation process you can also choose to install Oracle Delegated Administration Services by itself. In this manner, you can install multiple instances of Oracle Delegated Administration Services on separate servers that communicate with a single instance of Oracle Application Server.
Note: During installation, Oracle Delegated Administration Services is deployed in the OC4J_SECURITY instance. Because most of the Oracle Delegated Administration Services setup depends on this instance, it is important that the name of this instance not be changed.
You can use Oracle Enterprise Manager 10g Application Server Control Console to verify that Oracle Delegated Administration Services is running as follows:
Go to the standalone console for the infrastructure instance of Oracle Enterprise Manager that you want to administer by entering the host name of the computer hosting the Oracle Application Server instance and the port number of Oracle Enterprise Manager. The default port number is 1810, but it may be configured in increments of one, up to 1816.
Log in using the credentials of an Oracle Application Server administrator.
From the Standalone Instances section of the Farm page, choose the appropriate Oracle Application Server instance.
Locate OC4J_SECURITY in the System Components table. The Status column will contain one of the following:
An up arrow, which indicates the component is up and running
A down arrow, which indicates the component is down and not running
An icon in the shape of a stopwatch, which indicates that the Application Server Control Console is unable to determine the status of the component
If Oracle Delegated Administration Services is not running, then start it by following the instructions in Starting and Stopping Oracle Delegated Administration Services.
See Also: Oracle Internet Directory Administrator's Guide for more information on how to work with the Oracle Enterprise Manager 10g Application Server Control Console
Alternatively, you can verify that Oracle Delegated Administration Services is running by using the following command-line procedures:
To do this, use the following command:
$ORACLE_HOME/opmn/bin/opmnctl status
See Also: Table 1-1 to find log file locations for components in the Oracle Delegated Administration Services environment
Using any browser, enter:
http://host_name:port_number/orasso/
where host_name is the name of the computer on which the Oracle HTTP Server is running, and port_number is the corresponding port number. The default port number of the Oracle HTTP Server is 7777. Try to log in by using the Oracle Application Server Single Sign-On login window.
Using any browser, enter:
http://host_name:port_number/oiddas/
where host_name is the name of the computer on which the Oracle HTTP Server is running, and port_number is the corresponding port number. The default port number of the Oracle HTTP Server is 7777. This displays the Oracle Delegated Administration Services home page.
If Oracle Delegated Administration Services is not running, then start it by following the instructions in "Starting and Stopping Oracle Delegated Administration Services".
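The three command-line checks above (opmnctl status, the /orasso/ login page and the /oiddas/ home page) can be scripted. The following Python script is an added example and is not part of the Oracle documentation: it parses the table that opmnctl status prints, reports whether OC4J_SECURITY and the components DAS depends on are alive, and probes the two URLs. The status output embedded in the script is a constructed sample in the tool's layout, used when ORACLE_HOME is not set; the host name and ports are placeholders.

```python
"""Scripted version of the DAS verification checks (added example, not Oracle code)."""
import os
import re
import subprocess
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample of 'opmnctl status' output, in the layout the tool prints.
SAMPLE_STATUS = """\
Processes in Instance: infra.host.example.com
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status
---------------------------------+--------------------+---------+---------
HTTP_Server                      | HTTP_Server        |   21345 | Alive
OC4J                             | OC4J_SECURITY      |   21398 | Alive
OID                              | OID                |   21311 | Alive
DSA                              | DSA                |     N/A | Down
"""

# One data row: ias-component | process-type | pid | status
ROW = re.compile(r"^\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\S+)\s*\|\s*(\S+)\s*$")

# DAS runs in OC4J_SECURITY, sits behind Oracle HTTP Server and talks to OID.
DAS_DEPENDENCIES = ("OC4J_SECURITY", "HTTP_Server", "OID")


def parse_opmn_status(text):
    """Return {process-type: status} from opmnctl status output (header rows skipped)."""
    status = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(2) != "process-type":
            status[m.group(2)] = m.group(4)
    return status


def das_dependencies_alive(status):
    """Map each required process-type to True when opmn reports it as Alive."""
    return {p: status.get(p) == "Alive" for p in DAS_DEPENDENCIES}


def console_urls(host_name, port_number=7777):
    """The two pages the manual says to open; 7777 is the default Oracle HTTP Server port."""
    base = f"http://{host_name}:{port_number}"
    return {"sso_login": f"{base}/orasso/", "das_home": f"{base}/oiddas/"}


def probe(url, timeout=5):
    """HTTP status code for url, or None when the server cannot be reached at all."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except HTTPError as err:        # server answered, just not with 2xx
        return err.code
    except (URLError, OSError):
        return None


def current_status_text():
    """Run opmnctl when an Oracle home is present; otherwise use the constructed sample."""
    oracle_home = os.environ.get("ORACLE_HOME")
    opmnctl = os.path.join(oracle_home, "opmn", "bin", "opmnctl") if oracle_home else None
    if opmnctl and os.access(opmnctl, os.X_OK):
        return subprocess.run([opmnctl, "status"], capture_output=True, text=True).stdout
    return SAMPLE_STATUS


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "idm.example.com"   # placeholder host
    alive = das_dependencies_alive(parse_opmn_status(current_status_text()))
    for proc, ok in alive.items():
        print(f"{proc:14} {'Alive' if ok else 'NOT alive'}")
    if all(alive.values()):
        for name, url in console_urls(host).items():
            print(f"{name:10} {url} -> HTTP {probe(url)}")
```

A process-type that is missing from the table is reported as not alive rather than ignored, so a misnamed or undeployed OC4J_SECURITY instance (see the note on not renaming it) shows up as a failure instead of passing silently.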
To do this, follow the instructions in the section "Configuring an Identity Management Realm".
To do this, follow the instructions in the section "Configuring User Entries".
Table 1-1 tells you where to find the log files for components in the Oracle Delegated Administration Services environment.
You can use either the command line or the Oracle Enterprise Manager 10g Application Server Control Console to start and stop Oracle Delegated Administration Services, as described in the following topics.
To start Oracle Delegated Administration Services by using the command line, enter:
$ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY
To stop Oracle Delegated Administration Services by using the command line, enter:
$ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=OC4J_SECURITY
To restart Oracle Delegated Administration Services by using the command line, enter:
$ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
To start, stop, or restart Oracle Delegated Administration Services from the Oracle Enterprise Manager 10g Application Server Control Console:
Go to the standalone console for the infrastructure instance of Oracle Enterprise Manager that you want to administer. This is effected by entering the host name of the computer hosting the Oracle Application Server instance and the port number of Oracle Enterprise Manager. The default port number is 1810, but it may be configured in increments of one, up to 1816.
From the Standalone Instances section of the Farm page, choose the appropriate Oracle Application Server instance.
Select the check box next to OC4J_SECURITY in the System Components table and then click the Start, Stop, or Reset button at the top of the list.