Oracle® Identity Management Guide to Delegated Administration
10g Release 2 (10.1.2) B14086-02
This chapter describes how to administer Oracle Delegated Administration Services. It contains these topics:
Creating Applications by Using Oracle Delegated Administration Services
Configuring Oracle Delegated Administration Services in an Existing Oracle Home
Configuring Oracle Delegated Administration Services in a New Oracle Home
Configuring Oracle Delegated Administration Services with Load Balancers in a Different DNS Domain
Configuring Load Balancers for Multiple Instances of Oracle Delegated Administration Services
Configuring Oracle Delegated Administration Services in a Replication Environment
You can embed Oracle Delegated Administration Services into both Oracle and third-party self-service applications that use Oracle Internet Directory. For example, if you are building a Web portal, you can add Oracle Delegated Administration Services to enable end users to change application passwords stored in the directory.
Each unit has a corresponding URL stored in the directory. To invoke an Oracle Delegated Administration Services unit, an application queries the directory at runtime for the corresponding URL.
This section contains these topics:
See Also: The chapter on the Oracle Delegated Administration Services URL API in Oracle Identity Management Application Developer's Guide
Oracle Delegated Administration Services can perform these operations regarding user entries:
Search for a user entry
Create a user entry
Self-edit a password
Select a user entry and edit it
Select a user entry and delete it
Select a user entry and assign a privilege to that user
View profile of the user who is logged in
User list of values (LOV), a popup window that enables you to look up and select a user
Edit a user by passing the orclguid attribute to the URL. The entry is then displayed without the user needing to perform a search.
Delete a user by passing the orclguid attribute to the URL. The entry is then displayed without the user needing to perform a search.
Assign a privilege to a user by passing the orclguid attribute to the URL. The entry is then displayed without the user needing to perform a search.
Oracle Delegated Administration Services can perform these operations regarding group entries:
Search for a group entry
Create a group entry
Select a group entry and edit it
Select a group entry and delete it
Select a group entry and assign a privilege to that group
Group list of values (LOV), a popup window that enables you to look up and select a group
Edit a group by passing the orclguid attribute to the URL. The entry is then displayed without the user needing to perform a search.
Delete a group by passing the orclguid attribute to the URL. The entry is then displayed without the user needing to perform a search.
Assign a privilege to a group by passing the orclguid attribute to the URL. The entry is then displayed without the user needing to perform a search.
You can use Oracle Enterprise Manager 10g Application Server Control Console to configure Oracle Delegated Administration Services in the Oracle Identity Management Oracle home. When you do this, Enterprise Manager:
Sets up the URL for Oracle Delegated Administration Services
Configures the appropriate privileges
Deploys Oracle Delegated Administration Services in an OC4J_SECURITY instance
Note: Before configuring Oracle Delegated Administration Services, ensure that Oracle Application Server Single Sign-On is configured. Configuring Oracle Application Server Single Sign-On also configures mod_osso, which is required by Oracle Delegated Administration Services. mod_osso is an Oracle HTTP Server module that communicates with the OracleAS Single Sign-On server.
To configure Oracle Delegated Administration Services by using Oracle Enterprise Manager 10g Application Server Control Console:
On the main Application Server Control Console page, select the name of the Oracle Application Server instance you want to manage in the Standalone Instances section. The Oracle Application Server home page opens for the selected instance.
Select the Configure Components button, located just above the System Components table. The Select Component page appears.
Note: The Configure Component button is available only if you have installed but not configured any Oracle Application Server components.
Select Oracle Delegated Administration Services, then choose Continue. The Login page appears.
Enter the user name and password of the directory super user. The default user name is cn=orcladmin.
Choose Finish to complete the configuration.
Start Oracle Delegated Administration Services as follows:
In the System Components table, select OC4J_SECURITY in the Name column. The OC4J_SECURITY page opens.
In the General section, select the Start button.
Oracle Delegated Administration Services is configured automatically as part of the default Identity Management and Metadata Repository installation in which Oracle Internet Directory, Oracle Delegated Administration Services, and OracleAS Single Sign-On are selected. In some situations, you may need to configure it on a computer other than that on which the infrastructure is configured. You can do this in one of two ways: either by performing a standalone Oracle Delegated Administration Services installation using the Oracle Installer, or manually.
This section contains these topics:
Performing a Standalone Oracle Delegated Administration Services Installation
Manually Deploying Oracle Delegated Administration Services in a New Oracle Home
To perform a standalone Oracle Delegated Administration Services installation, when prompted by the Oracle Installer, select the Identity Management installation type. On the Configuration Options screen, select Delegated Administration Service.
Note: If you configure Oracle Application Server Single Sign-On and Oracle Delegated Administration Services in separate installations against the same Oracle Internet Directory, then be sure to configure OracleAS Single Sign-On first. This is because Oracle Delegated Administration Services depends on mod_osso, which is not set up during installation unless the Oracle Internet Directory it points to already has OracleAS Single Sign-On configured.
See Also: Oracle Application Server 10g Installation Guide for further instructions
To manually deploy Oracle Delegated Administration Services in a separate Oracle home, follow these steps:
Verify that the computer has at least a core installation that points to an existing Oracle Internet Directory and Oracle Application Server Single Sign-On.
Navigate to the $ORACLE_HOME/dcm/bin directory.
Create a new component by using the following command:
dcmctl createcomponent -verbose -debug -ct oc4j -co OC4J_SECURITY
Start the component by using the following command:
dcmctl start -verbose -debug -co OC4J_SECURITY
Deploy the oiddas.ear file by using the following command:
dcmctl deployApplication -debug -verbose -a oiddas -f $ORACLE_HOME/ldap/das/oiddas.ear -co OC4J_SECURITY
Perform the following steps to add the LD_LIBRARY_PATH and DISPLAY environment variables to the opmn.xml file:
Navigate to the $ORACLE_HOME/opmn/conf directory and open opmn.xml in a text editor.
Add the following lines in the OC4J_SECURITY section of opmn.xml:
For a UNIX environment:
<environment>
<prop name="LD_LIBRARY_PATH" value="%ORACLE_HOME%/lib"/>
</environment>
For a Windows environment:
<environment>
<prop name="PATH" value="%ORACLE_HOME%/bin"/>
</environment>
Note the placement of the <environment> section in the following example.
<oc4j maxRetry="3" instanceName="OC4J_DAS" gid="OC4J_SECURITY" numProcs="1">
  <config-file path="/home/ias902/j2ee/OC4J_DAS/config/server.xml"/>
  <oc4j-option value="-properties"/>
  <port ajp="3001-3100" jms="3201-3300" rmi="3101-3200"/>
  <environment>
    <prop name="LD_LIBRARY_PATH" value="/home/ias902/lib"/>
  </environment>
</oc4j>
Navigate to the $ORACLE_HOME/dcm/bin directory.
Save the changes to the repository by using the following command:
dcmctl updateconfig -verbose -debug -ct opmn
Restart OPMN by using the following command:
dcmctl restart -verbose -ct opmn
Stop and start the OC4J_SECURITY instance by using the following commands:
dcmctl stop -verbose -debug -ct oc4j -co OC4J_SECURITY
dcmctl start -verbose -debug -ct oc4j -co OC4J_SECURITY
Set the necessary permissions for Oracle Delegated Administration Services. Modify the group by using either Oracle Directory Manager or the command-line tool. Add the DN of the new Oracle Application Server instance where Oracle Delegated Administration Services is currently being deployed as the uniquemember.
DN of the group to be modified: cn=Associated Mid-tiers,orclApplicationCommonName=DASApp,cn=DAS,cn=Products,cn=OracleContext
The DN of the Oracle Application Server instance is:
orclApplicationCommonName=name of Oracle Application Server instance,cn=IAS Instances,cn=IAS,cn=Products,cn=OracleContext
where name of Oracle Application Server instance is obtained from $ORACLE_HOME/config/ias.properties.
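The final step above (adding the new instance as a uniquemember of the Associated Mid-tiers group) done with the command-line tool, as an added example that is not part of the Oracle documentation. It assumes the instance name is stored in ias.properties under the key IASname, and it only generates and validates the LDIF; the ldapmodify call is shown as a comment.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: builds the ldapmodify change
# record that adds a new Oracle Application Server instance to the DAS
# "Associated Mid-tiers" group as a uniquemember (last step of the manual
# deployment). Assumption: ias.properties stores the instance name as IASname.

DAS_GROUP_DN='cn=Associated Mid-tiers,orclApplicationCommonName=DASApp,cn=DAS,cn=Products,cn=OracleContext'

# Constructed sample of ias.properties content (not taken from a real system).
SAMPLE_IAS_PROPERTIES='IASname=infra.example.com
IASversion=10.1.2.0.0'

# Read the instance name from ias.properties content supplied on stdin.
das_instance_name() {
  sed -n 's/^IASname=//p' | head -n 1 | tr -d '\r'
}

# Build the DN of the instance entry under cn=IAS Instances.
das_instance_dn() {
  printf 'orclApplicationCommonName=%s,cn=IAS Instances,cn=IAS,cn=Products,cn=OracleContext' "$1"
}

# Reject empty names and names containing DN-special or whitespace characters,
# so a damaged ias.properties cannot yield a DN that names an unintended entry.
das_name_is_safe() {
  [ -n "$1" ] || return 1
  printf '%s' "$1" | grep -q '[,+"\\<>;=# ]' && return 1
  return 0
}

# Emit the LDIF (changetype: modify, add: uniquemember) for the DAS group;
# fails without output when the instance name is unsafe.
das_midtier_ldif() {
  das_name_is_safe "$1" || return 1
  printf 'dn: %s\nchangetype: modify\nadd: uniquemember\nuniquemember: %s\n' \
    "$DAS_GROUP_DN" "$(das_instance_dn "$1")"
}

# Demonstration on the constructed sample; on a real host, feed
# "$ORACLE_HOME/config/ias.properties" to das_instance_name instead and
# redirect the output to a file such as das_midtier.ldif.
name=$(printf '%s\n' "$SAMPLE_IAS_PROPERTIES" | das_instance_name)
das_midtier_ldif "$name"
# Then apply the file with the OID ldapmodify tool, binding as the directory
# super user (add the password option your ldapmodify version supports):
#   ldapmodify -h <oid_host> -p <oid_port> -D cn=orcladmin -f das_midtier.ldif
```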
When configuring Oracle Delegated Administration Services in an environment where Oracle Application Server Single Sign-On is to be configured on separate middle tier nodes, follow the instructions in Chapter 8, "Advanced Configurations" in the Oracle Application Server Single Sign-On Administrator's Guide.
Because Oracle Delegated Administration Services is a stateful application, if you deploy multiple instances of Oracle Delegated Administration Services behind a load balancer, then the load balancer must be configured to support session binding in order to maintain a consistent user experience. Session binding refers to a user session being bound to an origin server in order to maintain state for a specified period of time. In other words, you should configure the load balancer so it routes all requests for each user to the same Oracle Delegated Administration Services middle tier.
To configure Oracle Delegated Administration Services and Oracle Application Server Single Sign-On for a replication environment, follow these steps:
Navigate to the $ORACLE_HOME/config folder and open the ias.properties file in a text editor.
Change the value assigned to the DAS.LaunchSuccess parameter from true to false.
Restart Oracle Delegated Administration Services by following the procedures described in Starting and Stopping Oracle Delegated Administration Services.