Skip Headers
Oracle® Identity Management Guide to Delegated Administration
10g Release 2 (10.1.2)
B14086-02
  Go To Documentation Library
Home
Go To Product List
Solution Area
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

1 Getting Started with Oracle Delegated Administration Services

This chapter describes Oracle Delegated Administration Services, a framework consisting of pre-defined, Web-based units for building administrative and self-service consoles. These consoles can be used by delegated administrators and users to perform specified directory operations.

It contains these topics:

1.1 About Delegated Administration

Delegated administration is an important feature of the Oracle Identity Management infrastructure. It enables you to store all data for users, groups, and services in a central directory, while distributing the administration of that data to various administrators and end users. It does this in a way that respects the various security requirements in your environment.

Suppose, for example, that your enterprise stores all user, group, and services data in a central directory, and requires one administrator for user data, and another for the e-mail service. Or suppose that it requires the administrator of Oracle Financials to fully control user privileges, and the administrator of OracleAS Portal to fully control the Web pages for a specific user or group. Delegated administration as provided by the Oracle Identity Management infrastructure enables all of these administrators with their diverse security requirements to administer the centralized data in a way that is both secure and scalable. The following privileges can be delegated with Oracle Delegated Administration Services:


See Also:

The chapter on delegation of privileges for an Oracle technology deployment in Oracle Internet Directory Administrator's Guide for more information about delegated administration

1.2 About Oracle Delegated Administration Services

Oracle Delegated Administration Services is a set of pre-defined, Web-based units for performing directory operations on behalf of a user. It frees directory administrators from the more routine directory management tasks by enabling them to delegate specific functions to other administrators and to end users. It provides most of the functionality that directory-enabled applications require, such as creating a user entry, creating a group entry, searching for entries, and changing user passwords.

You can use Oracle Delegated Administration Services to develop your own tools for administering application data in the directory. Alternatively, you can use the Oracle Internet Directory Self-Service Console, a tool based on Delegated Administration Services. This tool comes ready to use with Oracle Internet Directory.

This section contains these topics:

1.2.1 Delegation of Directory Data Administration

Applications built by using Oracle Delegated Administration Services enable you to grant a specific level of directory access to each type of user. For example, look at Figure 1-1, which shows the various administrative levels in a hosted environment.

Figure 1-1 Administrative Levels in a Hosted Environment

Description of Figure 1-1  follows
Description of "Figure 1-1 Administrative Levels in a Hosted Environment"

The global administrator, with full privileges for the entire directory, can delegate to realm administrators the privileges to create and manage the realms for hosted companies. These administrators can, in turn, delegate to end users and groups the privileges to change their application passwords, personal data, and preferences. Each type of user can thus be given the appropriate level of privileges.

1.2.2 How Oracle Delegated Administration Services Works

Oracle Delegated Administration Services is a J2EE application that is deployed on an Oracle Application Server Containers for J2EE (OC4J) instance. Oracle Delegated Administration Services performs the following basic tasks:

  1. Receive requests from clients

  2. Process those requests—by either retrieving or updating data in Oracle Internet Directory—and compile the LDAP result into an HTML page

  3. Send the HTML page back to the client Web browser

Figure 1-2 shows the flow of information between components in a Oracle Delegated Administration Services environment.

Figure 1-2 Flow of Information Between Components in a Oracle Delegated Administration Services Environment

This illustration is described in the text.

As Figure 1-2 shows:

  1. The user, from a browser and using HTTP, sends to Oracle Delegated Administration Services a request containing a directory query.

  2. Oracle Delegated Administration Services receives the request and launches the appropriate servlet. This servlet interprets the request, and sends it to Oracle Internet Directory by using LDAP.

  3. Oracle Internet Directory sends the LDAP result to the Oracle Delegated Administration Services servlet.

  4. The Oracle Delegated Administration Services servlet compiles the LDAP result into an HTML page, and sends it to the client Web browser.

1.2.3 How Oracle Delegated Administration Services Provides Secure Access to the Directory

When a user logs into an Oracle component, that component may need to obtain information from the directory on the end user's behalf—for example, the password verifier. To do this, the component typically logs into the directory as a proxy user, a feature that enables it to switch its identity to that of the end user.

A problem, however, is that the greater the number of components logging into the directory as proxy users, the greater the risk of a malicious user accessing the directory as a proxy user. To prevent this security problem, the Oracle Delegated Administration Services centralizes proxy user access.

In a Oracle Delegated Administration Services environment, each component, instead of logging into the directory as a proxy user, logs into the central Oracle Delegated Administration Services. Oracle Delegated Administration Services then logs into the directory as a proxy user, switches its identity to that of the end user, and performs operations on that user's behalf. Centralizing proxy user directory access in this way replaces the less secure strategy of granting proxy user access to every component accessing the directory.

Figure 1-3 shows the proxy user feature in an Oracle Delegated Administration Services environment. End users or delegated administrators log in to a central Oracle Delegated Administration Services. They do this by using the Oracle Internet Directory Self-Service Console, the consoles of other Oracle components such as OracleAS Portal, or those of third-party applications. The Oracle Delegated Administration Services then logs into Oracle Internet Directory as a proxy user.

Figure 1-3 Centralization of the Proxy User Feature in the Oracle Delegated Administration Services

This illustration is described in the text.

1.3 Installing and Configuring Oracle Delegated Administration Services

This section tells you how to install and configure Oracle Delegated Administration Services. It contains these topics:


See Also:

Appendix B, "Troubleshooting Oracle Delegated Administration Services" for information on how to troubleshoot Oracle Delegated Administration Services

1.3.1 Task 1: Install Oracle Delegated Administration Services

By default, Oracle Delegated Administration Services is installed as part of Oracle Internet Directory 10g Release 2 (10.1.2). However, during the installation process you can also choose to install Oracle Delegated Administration Services by itself. In this manner, you can install multiple instances of Oracle Delegated Administration Services on separate servers that communicate with a single instance of Oracle Application Server.


Note:

During installation,Oracle Delegated Administration Services is deployed in the OC4J_SECURITY instance. Because most of the Oracle Delegated Administration Services setup depends on this instance, its important that the name of this instance not be changed.


See Also:

  • Oracle Application Server installation documentation for your operating system

  • Oracle Application Server Administrator's Guide for information on how to use the SSL Configuration Tool, which simplifies and automates post-installation SSL configuration for common Oracle Application Server topologies


1.3.2 Task 2: Verify that Oracle Delegated Administration Services Is Running

You can use Oracle Enterprise Manager 10g Application Server Control Console to verify that Oracle Delegated Administration Services is running as follows:

  1. Go to the standalone console for the infrastructure instance of Oracle Enterprise Manager that you want to administer by entering the host name of the computer hosting the Oracle Application Server instance and the port number of Oracle Enterprise Manager. The default port number is 1810, but it may be configured in increments of one, up to 1816.

  2. Log in using the credentials of an Oracle Application Server administrator.

  3. From the Standalone Instances section of the Farm page, choose the appropriate Oracle Application Server instance.

  4. Locate OC4J_SECURITY in the System Components table. The Status column will contain one of the following:

    • An up arrow, which indicates the component is up and running

    • A down arrow, which indicates the component is down and not running

    • An icon in the shape of a stopwatch, which indicates that the Application Server Control Console is unable to determine the status of the component

If Oracle Delegated Administration Services is not running, then start it by following the instructions in Starting and Stopping Oracle Delegated Administration Services.


See Also:

Oracle Internet Directory Administrator's Guide for more information on how to work with the Oracle Enterprise Manager 10g Application Server Control Console

Alternatively, you can verify that Oracle Delegated Administration Services are running using the following command-line procedures:

1.3.2.1 Step 1: Verify that the Oracle HTTP Server Is Running

To do this, use the following command:

$ORACLE_HOME/opmn/bin/opmnctl status

See Also:

Table 1-1 to find log file locations for components in the Oracle Delegated Administration Services environment

1.3.2.2 Step 2: Verify that the Oracle Application Server Single Sign-On Server Is Running

Using any browser, enter:

http://host_name:port_number/orasso/

where host_name is the name of the computer on which the Oracle HTTP Server is running, and port_number is the corresponding port number. The default port number of the Oracle HTTP Server is 7777. Try to log in by using the Oracle Application Server Single Sign-On login window.

1.3.2.3 Step 3: Verify that Oracle Delegated Administration Services Is Running

Using any browser, enter:

http://host_name:port_number/oiddas/

where host_name is the name of the computer on which the Oracle HTTP Server is running, and port_number is the corresponding port number. The default port number of the Oracle HTTP Server is 7777. This displays the Oracle Delegated Administration Services home page.

If Oracle Delegated Administration Services is not running, then start it by following the instructions in "Starting and Stopping Oracle Delegated Administration Services".

1.3.3 Task 3: Configure the Default Identity Management Realm

To do this, follow the instructions in the section "Configuring an Identity Management Realm".

1.3.4 Task 4: Configure User Entries

To do this, follow the instructions in the section "Configuring User Entries".

1.3.5 Location of Log Files for Components in the Oracle Delegated Administration Services Environment

Table 1-1 tells you where to find the log files for components in the Oracle Delegated Administration Services environment.

Table 1-1 Log Files for Components In Oracle Delegated Administration Services Environment

Application Log File Location

Oracle HTTP Server

$ORACLE_HOME/Apache/Apache/logs

Oracle Application Server Containers for J2EE (OC4J)

$ORACLE_HOME/j2ee/OC4J_SECURITY/log

Oracle Delegated Administration Services

$ORACLE_HOME/opmn/logs/OC4J~OC4J_SECURITY~default_island~1

Oracle Process Manager and Notification Server

$ORACLE_HOME/opmn/logs


1.4 Starting and Stopping Oracle Delegated Administration Services

You can use either the command line or the Oracle Enterprise Manager 10g Application Server Control Console to start and stop Oracle Delegated Administration Services, as described in the following topics.

1.4.1 Starting and Stopping Oracle Delegated Administration Services by Using the Command Line

To start, stop, or restart Oracle Delegated Administration Services by using the command line, enter:

$ORACLE_HOME/opmn/bin/opmnctl startproc process-type=OC4J_SECURITY

To stop Oracle Delegated Administration Services by using the command line, enter:

$ORACLE_HOME/opmn/bin/opmnctl stopproc process-type=OC4J_SECURITY

To restart Oracle Delegated Administration Services by using the command line, enter:

$ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY

1.4.2 Starting, Stopping, and Restarting Oracle Delegated Administration Services by Using Oracle Enterprise Manager 10g Application Server Control Console

To start, stop, or restart Oracle Delegated Administration Services from the Oracle Enterprise Manager 10g Application Server Control Console:

  1. Go to the standalone console for the infrastructure instance of Oracle Enterprise Manager that you want to administer. This is effected by entering the host name of the computer hosting the Oracle Application Server instance and the port number of Oracle Enterprise Manager. The default port number is 1810, but it may be configured in increments of one, up to 1816.

  2. From the Standalone Instances section of the Farm page, choose the appropriate Oracle Application Server instance.

  3. Select the check box next to OC4J_SECURITY in the System Components table and then click the Start, Stop, or Reset button at the top of the list.


See Also: