Tuesday, December 16, 2014

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Integration OES with OID

The setup below configures an OID LDAP-based authentication provider in a WebLogic Server domain so that OPSS applications deployed on that domain authenticate (and resolve users and groups) against Oracle Internet Directory. The architecture diagram that originally accompanied this post is not reproduced here.

Follow the steps below to configure an OID authentication provider using the WebLogic Administration Console:
1. Open a web browser (in the lab environment, the Firefox icon on the launch panel). Make sure the WebLogic Server is running before continuing to the next step.
2. Open the WebLogic Administration Console by browsing to http://localhost:7001/console and log in. The lab credentials are:
Username: weblogic
Password: welcome1
3. Click the Security Realms link in the Domain Structure pane to show the list of security realms for the domain.
4. Click the myrealm link in the Realms pane to show the settings for the domain's security realm.
5. Click the Providers tab to show the security providers configured for myrealm.
6. Click the Authentication tab to list the currently configured authentication providers for this domain's security realm. Out of the box you see the embedded LDAP authentication provider (DefaultAuthenticator) and the identity asserter (DefaultIdentityAsserter). This is where you add the new OID authentication provider.
7. Click New to create a new authentication provider for this domain.
8. On the Create a new Authentication Provider page, give the provider a name such as OID Authenticator, select the type OracleInternetDirectoryAuthenticator, and click OK.
9. The new OID authenticator now appears at the bottom of the list of authentication providers.
10. Click the link for your OID authentication provider to configure its settings.
11. On the Settings for OID Authenticator page, click the Provider Specific tab to configure the detailed settings for this provider.
12. This step covers all of the settings for the new OID authentication provider. They all sit on a single configuration page, but are described here one section at a time.
The first section contains the Connection settings for the OID server. Use the values from the table below:

Name                 Value          Purpose
Host                 localhost      The OID host name
Port                 3060           The standard (non-SSL) OID listening port
Principal            cn=orcladmin   The LDAP user the authentication provider binds as when it talks to OID
Credentials          welcome1       Password for the principal user
Confirm Credentials  welcome1       Confirmation of the password
SSL Enabled          Unchecked      Enables or disables SSL connectivity

Two caveats for anything beyond a lab. With SSL Enabled unchecked, the bind password and every user's password travel to OID in clear text, so enable SSL, switch the port to OID's SSL listener (3131 by default) and import OID's certificate into the WebLogic trust store. And cn=orcladmin is the OID super-user: bind with a dedicated account that has only read access to the user and group subtrees, so that a leaked bind credential does not hand over the whole directory.

The next section contains the Users settings for the OID provider. Use the values from the table below:

Name                                  Value                            Purpose
User Base DN                          cn=Users,dc=us,dc=oracle,dc=com  The root (base DN) of the LDAP subtree searched for user data
All Users Filter                      Leave as default                 The LDAP search filter that returns all users below the User Base DN
User From Name Filter                 Leave as default                 The LDAP search filter used to find a user by name
User Search Scope                     Leave as default                 How deep in the LDAP tree to search for users
User Name Attribute                   Leave as default                 The attribute of the user entry that holds the user name
User Object Class                     Leave as default                 The LDAP object class that represents users
Use Retrieved User Name as Principal  Checked                          Whether the user name retrieved from the directory is used as the principal in the Subject

The next section contains the Groups settings for the OID provider. Use the values from the table below:

Name                               Value                             Purpose
Group Base DN                      cn=Groups,dc=us,dc=oracle,dc=com  The root (base DN) of the LDAP subtree searched for group data
All Groups Filter                  Leave as default                  The LDAP search filter that returns all groups below the Group Base DN
Group From Name Filter             Leave as default                  The LDAP search filter used to find a group by name
Group Search Scope                 Leave as default                  How deep in the LDAP tree to search for groups
Group Membership Searching         Leave as default                  Whether searches into nested groups are limited or unlimited
Max Group Membership Search Level  Leave as default                  How many levels of nested group membership are searched; only used when Group Membership Searching is limited
Ignore Duplicate Membership        Unchecked                         Whether duplicate members are ignored when adding groups

Click Save to persist your changes.
13. Click the Common tab in the Settings for OID Authenticator pane to show the settings common to all authentication providers.
14. Change the Control Flag setting to SUFFICIENT and click Save. With SUFFICIENT, a successful authentication by this provider is enough on its own: WebLogic stops at it and does not consult the providers further down the list. If the provider fails (for example, the user is not in OID), WebLogic moves on to the next provider instead of rejecting the login.
15. Click the Providers link in the breadcrumb near the top of the page to navigate back to the Authentication Providers page.
16. Click the DefaultAuthenticator link to display its common settings so you can change its control flag to SUFFICIENT as well.
17. Change the Control Flag setting to SUFFICIENT and click Save. Leaving the DefaultAuthenticator at REQUIRED (its out-of-the-box value) would make every login that reaches it fail unless the user also exists in the embedded LDAP; with SUFFICIENT, a user that exists only there (such as the weblogic administrator) still logs in after OID rejects the attempt.
18. Click the Providers link in the breadcrumb near the top of the page to navigate back to the Authentication Providers page.
19. Click Reorder to change the order of your configured authentication providers.
As covered in the OPSS Concepts self-study course, OPSS obtains its identity store configuration from the authentication providers configured in the WebLogic Server domain: it takes the first LDAP-based authentication provider in the list among those with the highest control flag. Because both LDAP-based providers now carry the SUFFICIENT control flag, OPSS would keep using the DefaultAuthenticator if the configuration were left as it is. To make OPSS use your new OID authenticator as its identity store, reorder the list so that the OID authentication provider comes first.
20. Select the OID Authenticator and use the arrows on the right to move it into the first position. Click OK.
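The control-flag behaviour described in steps 14 and 17 is easy to get wrong, so here is an added example (not code from the original post) that walks a provider chain with the JAAS rules WebLogic applies. WebLogic authentication providers are JAAS LoginModules, so REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL combine exactly as below; the provider names are the ones configured above, while the "which provider accepts the credential" scenarios are constructed for illustration.

```python
# Added example, not code from the original post. WebLogic authentication
# providers are JAAS LoginModules, so the control flags combine with the
# standard JAAS rules implemented here. The provider names are the ones the
# post configures; the "who accepts the credential" scenarios are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Provider:
    name: str
    control_flag: str  # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL


def authenticate(chain: List[Provider], accepts: Dict[str, bool]) -> dict:
    """Walk the providers in list order and apply the JAAS control-flag rules.

    accepts maps a provider name to whether that provider, on its own, would
    accept the credential (for an LDAP authenticator: the user exists in its
    directory and the password matches). Returns the overall decision and
    the providers that were actually consulted.
    """
    consulted: List[str] = []
    required_failed = False       # a REQUIRED or REQUISITE provider rejected
    sufficient_succeeded = False  # a SUFFICIENT provider accepted and ended the walk
    any_success = False
    for p in chain:
        ok = accepts.get(p.name, False)
        consulted.append(p.name)
        if p.control_flag == "REQUIRED":
            # must succeed; the walk continues either way
            required_failed = required_failed or not ok
            any_success = any_success or ok
        elif p.control_flag == "REQUISITE":
            # must succeed; failure ends the walk immediately
            if not ok:
                required_failed = True
                break
            any_success = True
        elif p.control_flag == "SUFFICIENT":
            # success ends the walk (unless an earlier REQUIRED already failed);
            # failure just moves on to the next provider
            if ok:
                any_success = True
                if not required_failed:
                    sufficient_succeeded = True
                    break
        elif p.control_flag == "OPTIONAL":
            any_success = any_success or ok
        else:
            raise ValueError(f"unknown control flag {p.control_flag!r} on {p.name}")
    if required_failed:
        success = False
    elif sufficient_succeeded:
        success = True
    else:
        # no REQUIRED/REQUISITE failed and no SUFFICIENT short-circuited:
        # the login succeeds if at least one provider accepted
        success = any_success
    return {"success": success, "consulted": consulted}


# The chain as it stands after step 20: OID first, embedded LDAP second,
# both SUFFICIENT.
POST_CHAIN = [
    Provider("OID Authenticator", "SUFFICIENT"),
    Provider("DefaultAuthenticator", "SUFFICIENT"),
]


def oid_user_login() -> dict:
    """A user that exists only in OID: OID accepts, the embedded LDAP is never asked."""
    return authenticate(POST_CHAIN, {"OID Authenticator": True})


def weblogic_admin_login() -> dict:
    """The weblogic user exists only in the embedded LDAP: OID rejects, the walk continues."""
    return authenticate(POST_CHAIN, {"DefaultAuthenticator": True})


def unknown_user_login() -> dict:
    """Nobody accepts the credential."""
    return authenticate(POST_CHAIN, {})


def required_oid_locks_out_admin() -> dict:
    """Same users, but the OID provider set to REQUIRED instead of SUFFICIENT:
    the embedded-LDAP administrator can no longer log in at all."""
    chain = [Provider("OID Authenticator", "REQUIRED"),
             Provider("DefaultAuthenticator", "SUFFICIENT")]
    return authenticate(chain, {"DefaultAuthenticator": True})


if __name__ == "__main__":
    for fn in (oid_user_login, weblogic_admin_login, unknown_user_login,
               required_oid_locks_out_admin):
        print(f"{fn.__name__:30s} {fn()}")
```

The last scenario is the one that locks administrators out of the console after an OID integration: a REQUIRED flag on a provider that does not know the weblogic user fails the whole login even though a later provider would have accepted it.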

21. Navigate to APM (the OES Administration Console) at http://hostname:7001/apm.
22. Click System Configuration > Administrators > New.
23. You can either create a new role or add the external (AD/OID) groups to the existing default System Administrator role. Adding a group to the default System Administrator role gives every member of that group full APM Administration Console privileges, so prefer a new role carrying only the privileges the group needs.
24. Create a new role for finer-grained authorization.
25. Click Search to search the external (AD/OID) groups to be added, click Add Selected to add the group, and then click Add Principals.



Monday, December 15, 2014

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Create delegated administrator

  • Expand the Applications node in the Navigation Panel.
  • Select the Application to modify.
  • Right-click the Application name and select Open from the menu. The General, Delegated Administrators, Policy Distribution and Simulation tabs are all active.
  • Click the Delegated Administrators tab. The Application name is listed in the displayed table. Click the arrow next to the Application name to see the default ApplicationPolicyAdmin role created when the Application object was created. Click the Administrator Role name to display its details in tabs below the Delegated Administrators table:
    • Role Details
    • External Role Mapping
    • External User Mapping
  • Click New to create a new Administrator Role. Be sure to select the name of the Application to activate New. Alternatively, select the Application and select New from the Actions menu. A New Administrator Role dialog is displayed.
  • Provide the following values for the new Administrator Role and click OK: Name (must be unique), Display Name and Description.
  • Select the new Administrator Role to activate its configuration tabs. The Role Details tab is active.
  • Click Edit to define the role details. An Edit Administrator Role dialog is displayed.
  • Grant View or Manage privileges for the appropriate policy objects and click Save.

Select View or Manage for each listed policy object. For example, Admin Policy allows the administrator to assign new permissions to an Admin Role, whereas Admin Role allows the administrator to assign members to an Admin Role. Grant Manage only on the object types the delegate actually needs: Manage on Admin Role in particular lets the delegate change who holds administrative roles, which is a privilege-escalation path if handed out casually.

  • Click the External Role Mapping tab to grant the Administrator Role to members of external roles. The users and groups displayed come from the first LDAP authentication provider with the SUFFICIENT control flag defined in WebLogic Server.
  • Click Add to display the Search Principals dialog.
  • Complete the query fields in the External Roles search box and click Search. Empty strings fetch all roles. The results display in the Search Results table.
  • Select the external role to map to by clicking its name in the table. Use Ctrl+click to select multiple roles.
  • Click Add Principals. The selected roles display in the External Role Mapping tab.


Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Steps to create an obligation

The Security Module PDP evaluates the request and returns a response (and any applicable obligations) to the PEP in the form of an authorization decision to grant or deny access.

The PEP fulfills any obligations, if applicable. An obligation is information returned with the decision upon which the PEP may or may not act. For example, an obligation may carry additional information about a decision to deny. The PEP is responsible for obligation fulfillment based on its own settings; Oracle Entitlements Server is only responsible for forwarding the obligation according to the policy configuration. In other words, an obligation is only as effective as the PEP code that honours it, so an obligation that is meant to restrict access (rather than merely annotate a deny) must be enforced in the PEP, not assumed.

This post covers the steps to create an obligation for a policy.

  • Create an attribute, for example getChildPersons, with Category: Dynamic; Input Values: Multiple; Type: String.
  • Navigate to the authorization policy and create a new obligation, choosing getChildPersons from the list of attributes in the dialog.
  • In the PIP attribute retriever code, populate the attribute that is returned in the "getChildPersons" obligation:

            } else if ("getChildPersons".equals(string)) {
                // the value(s) the PEP receives with the decision
                return ( ............ );
            }

Sunday, December 14, 2014

Oracle® Fusion Middleware OES-11g Release 2 (11.1.2.2.0) Add the PIP JAR files to CLASSPATH

  • Build the directories where the JAR files will be stored.
  • Copy the .jar files that the attribute retrievers (PIP) need into them.
  • Add the following lines to the $DOMAIN_HOME/bin/setDomainEnv.sh file. The CLASSPATH variable is set toward the bottom of the file; add these lines immediately after its definition.

MIND_DOMAIN_APP_DIR=/u01/app/oracle/admin/PIP_LIBS
export MIND_DOMAIN_APP_DIR

CLASSPATH=${CLASSPATH}:${MIND_DOMAIN_APP_DIR}/lib/*:${MIND_DOMAIN_APP_DIR}/lib/dependent/
export CLASSPATH

Note that the lib/* wildcard picks up every JAR in lib, whereas lib/dependent/ (a directory, no wildcard) only adds loose .class files and resources in that directory; if dependent/ holds JARs, add ${MIND_DOMAIN_APP_DIR}/lib/dependent/* as well. Everything on this CLASSPATH is loaded by the server's system class loader, so restrict write access on PIP_LIBS to the account that owns the WebLogic installation.

  • Restart the Admin and SM (Security Module) servers.



Thursday, November 6, 2014

Amazon EC2: Authorizing Inbound Traffic for Your Instances

Adding a Rule for Inbound SSH Traffic to a Linux Instance

  • In the navigation pane of the Amazon EC2 console, click Instances. Select your instance and look at the Description tab; Security groups lists the security groups associated with the instance. Click view rules to display the rules in effect for the instance.
  • In the navigation pane, click Security Groups. Select one of the security groups associated with your instance.
  • In the details pane, on the Inbound tab, click Edit. In the dialog, click Add Rule, and then select SSH from the Type list.
  • In the Source field, specify the public IP address of your computer in CIDR notation. For example, if your IP address is 203.0.113.25, specify 203.0.113.25/32 to allow only that single address. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24. Do not use 0.0.0.0/0 for SSH: that opens port 22 to every address on the internet and the instance will see continuous password-guessing traffic.
     Use http://checkip.amazonaws.com/ to find your public IP address.
  • Click Save.
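As an added example (not from the AWS documentation), the check below computes the /32 the procedure asks for and audits a set of inbound rules for SSH exposure before they are saved. The rules are a constructed sample in the shape the console shows (protocol, port range, source); nothing here calls AWS, and the security group ID sg-0123abcd is made up.

```python
# Added example, not from the AWS documentation. Computes the /32 the post
# tells you to enter and audits a set of inbound rules for SSH exposure. RULES
# is a constructed sample in the shape the console shows (protocol, port
# range, source); nothing talks to AWS.
import ipaddress

SSH_PORT = 22
MAX_SSH_SOURCE_ADDRESSES = 256  # a /24: about the widest "office range" worth allowing


def cidr_for_single_host(ip: str) -> str:
    """'203.0.113.25' -> '203.0.113.25/32' (or /128 for an IPv6 address)."""
    return str(ipaddress.ip_network(ip))


def rule_covers_ssh(rule: dict) -> bool:
    """Does this rule allow traffic to port 22?"""
    if rule["protocol"] == "-1":          # "All traffic"
        return True
    if rule["protocol"] != "tcp":
        return False
    return rule["from_port"] <= SSH_PORT <= rule["to_port"]


def audit_inbound_rules(rules: list) -> list:
    """Return (rule, problem) pairs for rules that expose SSH too widely."""
    findings = []
    for rule in rules:
        if not rule_covers_ssh(rule):
            continue
        source = rule["source"]
        if source.startswith("sg-"):
            continue                      # source is another security group, not an IP range
        net = ipaddress.ip_network(source, strict=False)
        if net.prefixlen == 0:
            findings.append((rule, "SSH open to the whole internet (0.0.0.0/0 or ::/0)"))
        elif net.num_addresses > MAX_SSH_SOURCE_ADDRESSES:
            findings.append((rule, f"SSH open to {net.num_addresses} addresses; "
                                   "narrow to a /32 or your office range"))
    return findings


# Constructed sample of what a security group's Inbound tab might contain.
RULES = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "source": "203.0.113.25/32"},  # one workstation: fine
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "source": "203.0.113.0/24"},   # company range: fine
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "source": "0.0.0.0/0"},        # open to the world
    {"protocol": "tcp", "from_port": 80, "to_port": 80, "source": "0.0.0.0/0"},        # HTTP, not SSH: ignored
    {"protocol": "tcp", "from_port": 0, "to_port": 65535, "source": "10.0.0.0/8"},     # all ports, huge range
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "source": "sg-0123abcd"},      # from another SG (made-up id): ignored
]


def audit_sample() -> list:
    return audit_inbound_rules(RULES)


if __name__ == "__main__":
    print(cidr_for_single_host("203.0.113.25"))
    for rule, problem in audit_sample():
        print(f"{rule['source']:>16}  {problem}")
```

The "all ports" rule is the one people miss: it never mentions SSH, but a 0-65535 range covers port 22 just the same, which is why the check tests the port range rather than the rule's Type label.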





Amazon EC2: Converting Your Private Key Using PuTTYgen

PuTTY does not natively support the private key format (.pem) generated by Amazon EC2. PuTTY has a tool named PuTTYgen, which can convert keys to the required PuTTY format (.ppk). You must convert your private key into this format (.ppk) before attempting to connect to your instance using PuTTY.


To convert your private key

  • Start PuTTYgen (for example, from the Start menu, click All Programs > PuTTY > PuTTYgen).
  • Under Type of key to generate, select SSH-2 RSA.
  • Click Load. By default, PuTTYgen displays only files with the extension .ppk. To locate your .pem file, select the option to display files of all types.
  • Click OK.
  • Click Save private key to save the key in the format that PuTTY can use. PuTTYgen displays a warning about saving the key without a passphrase. Click Yes to save it as is, or fill in the Key passphrase fields first (see the note below).

Note
A passphrase on a private key is an extra layer of protection: even if the key file is stolen, it cannot be used without the passphrase. The downside is that it makes automation harder, because a person has to enter the passphrase to log on to an instance or copy files to it (Pageant, PuTTY's key agent, can hold the unlocked key for the length of a session).

  • Specify the same name for the key that you used for the key pair (for example, my-key-pair). PuTTYgen automatically adds the .ppk file extension.
  • Your private key is now in the correct format for use with PuTTY. You can now connect to your instance using PuTTY's SSH client.

Wednesday, November 5, 2014

Amazon Elastic EC2: Steps to launch an Amazon EC2 Instance

This thread discusses the steps to launch a Linux instance using AWS Management Console.


  • To launch an Amazon EC2 instance, open the Amazon EC2 console at https://console.aws.amazon.com/ec2. This takes you to the EC2 dashboard.
  • Click Launch Instance.
  • Choose an Amazon Machine Image (AMI): select the 64-bit Amazon Linux AMI.
  • Select t1.micro on the Choose an Instance Type page and click Next: Configure Instance Details. This takes you to the Configure Instance Details page.
  • Click Review and Launch.
  • Select the option "Make General Purpose SSD the default boot volume for all instances from the console going forward".
  • Click Edit Security Groups on the Review Instance Launch screen.
  • Select an existing security group: tick its check box and click Review and Launch. The security group is the instance's firewall, so pick one whose inbound rules open SSH only to your own address range (see the post on Authorizing Inbound Traffic for Your Instances).
  • Click Launch.
  • Choose an existing key pair if you already have one, or create a new key pair. Keep the downloaded private key (.pem) safe: it is the only credential for logging in to the instance and cannot be downloaded again.
  • Click Launch Instances.
  • On the resources screen, click Running Instances.



Amazon EC2 : Connecting to Your Linux Instance from Windows Using PuTTY

  1. Start PuTTY (from the Start menu, click All Programs > PuTTY > PuTTY).
  2. In the Category pane, select Session and complete the following fields:
    1. In the Host Name box, enter user_name@public_dns_name. Be sure to specify the appropriate user name for your AMI. For example:
      • For an Amazon Linux AMI, the user name is ec2-user.
      • For a RHEL5 AMI, the user name is either root or ec2-user.
      • For an Ubuntu AMI, the user name is ubuntu.
      • For a Fedora AMI, the user name is either fedora or ec2-user.
      • For SUSE Linux, the user name is root.
      • Otherwise, if ec2-user and root don't work, check with the AMI provider.
    2. Under Connection type, select SSH.
    3. Ensure that Port is 22.

  3. In the Category pane, expand Connection, expand SSH, and then select Auth. Complete the following:
    1. Click Browse.
    2. Select the .ppk file that you generated for your key pair, and then click Open.
    3. (Optional) If you plan to start this session again later, you can save the session information for future use. Select Session in the Category tree, enter a name for the session in Saved Sessions, and then click Save.
    4. Click Open to start the PuTTY session.
  4. If this is the first time you have connected to this instance, PuTTY displays a security alert dialog box that asks whether you trust the host you are connecting to.
  5. Verify that the fingerprint in the security alert matches a host key fingerprint the instance wrote to its console output at first boot (in the EC2 console, select the instance and choose Actions > Instance Settings > Get System Log; the fingerprints appear between the BEGIN and END SSH HOST KEY FINGERPRINTS markers). If the fingerprints do not match, someone might be attempting a "man-in-the-middle" attack: do not continue. If they match, continue to the next step.
  6. Click Yes. A window opens and you are connected to your instance.
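The fingerprint comparison in step 5 is the only thing standing between you and a man-in-the-middle on the first connection, so here is an added example (not from the AWS documentation) that parses the fingerprint block out of the instance's console output and checks it against the string PuTTY shows. CONSOLE_OUTPUT is a constructed sample in the shape cloud-init writes on Amazon Linux; the fingerprint values are made up.

```python
# Added example, not from the AWS documentation. Compares the fingerprint
# PuTTY shows on first connect against the host-key fingerprints the instance
# printed to its console output at first boot. CONSOLE_OUTPUT is a constructed
# sample in the shape cloud-init writes on Amazon Linux; the fingerprint
# values are made up.
import re

CONSOLE_OUTPUT = """\
ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 2048 f1:c4:33:95:9e:2b:8b:64:5e:0a:7d:51:b2:1f:e0:06 /etc/ssh/ssh_host_rsa_key.pub (RSA)
ec2: 256 2b:8c:5e:91:4a:77:cd:30:19:e2:6b:0f:aa:48:d5:13 /etc/ssh/ssh_host_ecdsa_key.pub (ECDSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################
"""

_BEGIN = "-----BEGIN SSH HOST KEY FINGERPRINTS-----"
_END = "-----END SSH HOST KEY FINGERPRINTS-----"
# "<bits> <fingerprint> <key file> (<TYPE>)", optionally prefixed with "ec2:"
_LINE = re.compile(r"^\s*(?:ec2:\s*)?(\d+)\s+(\S+)\s+(\S+)\s+\((\w+)\)\s*$")


def parse_host_key_fingerprints(console_output: str) -> dict:
    """Return {key type: fingerprint} from the BEGIN/END block; {} if absent."""
    fingerprints = {}
    inside = False
    for line in console_output.splitlines():
        if _END in line:
            break
        if inside:
            m = _LINE.match(line)
            if m:
                fingerprints[m.group(4).upper()] = m.group(2).lower()
        elif _BEGIN in line:
            inside = True
    return fingerprints


def verify_fingerprint(console_output: str, putty_fingerprint: str) -> bool:
    """True if the fingerprint in PuTTY's security alert matches a host key the
    instance reported. PuTTY shows e.g. "ssh-rsa 2048 f1:c4:..."; only the
    last token is the fingerprint itself, and the comparison is case-insensitive."""
    shown = putty_fingerprint.split()[-1].lower()
    return shown in parse_host_key_fingerprints(console_output).values()


if __name__ == "__main__":
    print(parse_host_key_fingerprints(CONSOLE_OUTPUT))
    print(verify_fingerprint(
        CONSOLE_OUTPUT,
        "ssh-rsa 2048 f1:c4:33:95:9e:2b:8b:64:5e:0a:7d:51:b2:1f:e0:06"))
```

Two practical notes: the console output is only written at first boot (a stopped and restarted instance with the same host keys will not print it again, and a rebuilt instance gets new keys), and an empty result from the parser means the log has not appeared yet, not that the key is trustworthy.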