Oracle9i Application Server Administrator's Guide
Release 2 (9.0.2)

Part Number A92171-02

12
Managing Oracle Internet Directory

This chapter describes how to manage user privileges in Oracle Internet Directory. It contains the following topics:

Oracle Internet Directory Security

This chapter describes administering Oracle Internet Directory with respect to Oracle9iAS. If you need details on specific Oracle Internet Directory features and tools, or if you need background information on Oracle Internet Directory, see the Oracle Internet Directory Administrator's Guide.

Oracle Internet Directory is an online directory, which is a specialized database that stores information in a hierarchical format for fast lookup and retrieval. It implements Lightweight Directory Access Protocol (LDAP) version 3, an industry-standard protocol for accessing online directory services.

Oracle9iAS can use an Oracle Internet Directory that is already in use in your enterprise. In such cases, you typically work with the Oracle Internet Directory administrator to set up and manage the Oracle9iAS nodes. The Oracle Internet Directory administrator should read this chapter to be aware of how Oracle9iAS uses Oracle Internet Directory.

About the Terms "Subscriber" and "Enterprise"

In Oracle Internet Directory, "subscriber" has the same meaning as "enterprise":

This chapter uses "subscriber" and "enterprise" interchangeably.

How Oracle9iAS Uses Oracle Internet Directory

Oracle9iAS uses containers, groups, and privileges in Oracle Internet Directory. You can use them to administer users and groups. You can delegate privileges to other users ("product administrators") so that they can manage their product. For example, you can give privileges to a user to be a Portal administrator. You can have one or more administrators per product.

When you install Oracle9iAS Infrastructure, the installer configures the metadata repository database to use Oracle Internet Directory. Oracle9iAS creates its own area in Oracle Internet Directory. This enables all Oracle9iAS components (for example, Portal, Wireless, and Delegated Administration Service) to access the same data. It also enables an enterprise to centralize security by managing users and applications under one server.

This model is different from Oracle9iAS Release 1.x. In Release 1.x, each component had its own repository of users.

New Oracle Internet Directory Instance or Existing Oracle Internet Directory Instance

The Oracle Internet Directory that Oracle9iAS uses can be a newly created instance, or you can direct the installer to use an existing Oracle Internet Directory. For example, if you have an existing Oracle Internet Directory instance that you use as a corporate directory and that contains entries for users, and you plan for those users to access applications from Oracle9iAS, then it might make sense to share that Oracle Internet Directory instance with Oracle9iAS.

To distinguish the two types of configuration, this chapter uses the following terms:

Superuser and Administrators in Oracle Internet Directory

Oracle Internet Directory contains the following superuser and administrators:

During Oracle9iAS installation, you specify the password for the Oracle Internet Directory superuser and the subscriber administrators. The installer sets the same password for all of these users, so treat it as a superuser credential and, after installation, give each account its own password (see "Modifying the orcladmin Password" and "Modifying a User Password").

Relationship Between Oracle Internet Directory and the ias_admin User

When you manage Oracle9iAS using the Oracle Enterprise Manager Web site, you log in as the ias_admin user. This user is not stored in Oracle Internet Directory. Instead, information about this user (such as its password) is stored separately for each host. The ias_admin password is the same for all application server installations on one host.

See Also:

"Changing the ias_admin Password"

To manage users, groups, and privileges in Oracle Internet Directory, you do not need to know the ias_admin user password because you do not use Oracle Enterprise Manager to perform these management tasks. However, the ias_admin password may be used internally to set component passwords within Oracle Internet Directory. For this reason, it is important to adhere to the Oracle Internet Directory password policy when setting the ias_admin password.

See Also:

"Password Policies" and "Changing the ias_admin Password"

Oracle9iAS Tree in Oracle Internet Directory

When you install Oracle9iAS Infrastructure, the installer creates the following tree in Oracle Internet Directory (Figure 12-1):

Figure 12-1 Oracle9iAS Tree in Oracle Internet Directory


Oracle9iAS stores its information in Oracle Context, which is also used by other Oracle products. Immediately below Oracle Context are Products and Groups.

Under Products, there is an area for each component. Each component area has its own component-specific metadata. You do not have to edit anything under Products.

Under Groups, there is a node for each access control group. Oracle9iAS uses groups to assign privileges. To enable a user to have a certain privilege, you add the user to the appropriate group. For example, to enable a user to create new users, you add the user to the oracleDASCreateUser group.

You can assign users to have certain privileges at each level of the tree. For example, you can have Oracle Context administrators, IAS administrators, and Portal administrators.

Tasks

The main administration tasks that you have to perform depend on whether Oracle9iAS uses a newly created or an existing Oracle Internet Directory. With an existing Oracle Internet Directory, the Oracle Internet Directory administrator performs some of the tasks. With a newly created Oracle Internet Directory, the installation creates a default configuration to help you perform the tasks.

The following table shows who should perform each task:

Table 12-1 Tasks

Task | Newly created Oracle Internet Directory | Existing Oracle Internet Directory
Upgrade Oracle Internet Directory to Release 9.0.2 (see "Upgrading Oracle Internet Directory for Oracle9iAS") | n/a | Oracle Internet Directory administrator
Add users to Oracle Internet Directory (see "Creating a User in Oracle Internet Directory") | You do this | Oracle Internet Directory administrator
Add users to groups (see "Adding a User to a Group") | You do this | Oracle Internet Directory administrator
Associate groups with privileges (see the Oracle Internet Directory Administrator's Guide) | Done for you | Oracle Internet Directory administrator
Create privileges (see the Oracle Internet Directory Administrator's Guide) | Done for you | Oracle Internet Directory administrator
Make some users administrators (see "Adding a User to a Group") | You do this | You do this
Set the password policy (see "Modifying the Password Policy") | You do this | Oracle Internet Directory administrator
Change the orcladmin (superuser) password (see "Modifying the orcladmin Password") | You do this | Oracle Internet Directory administrator
Change the application server instance password (see "Changing Instance Passwords in Oracle Internet Directory") | You do this | Oracle Internet Directory administrator

Tools for Managing Oracle Internet Directory

You can perform the tasks described in this chapter using Oracle Directory Manager or Delegated Administration Service. These are tools that you can use to manage Oracle Internet Directory. Oracle Directory Manager is a Java-based tool, and Delegated Administration Service is a browser-based tool.

For a complete description of all the tools that you can use with Oracle Internet Directory, see the Oracle Internet Directory Administrator's Guide.

Oracle Directory Manager

Oracle Directory Manager is a Java-based tool for administering Oracle Internet Directory. You start Oracle Directory Manager with the following command:

(UNIX) ORACLE_HOME/bin/oidadmin
(Windows) From the Start menu, select Programs -> ORACLE_HOME -> Integrated Management Tools -> Oracle Directory Manager

The first time you start Oracle Directory Manager, an alert prompts you to connect to a directory server. To connect to a directory server:

  1. Click OK. The Directory Server Connection dialog box appears.

  2. Enter the name of the host on which Oracle Internet Directory resides, and the Oracle Internet Directory port number (the default is 389) in the Directory Server Connection dialog box. Click OK. A connection on the non-SSL port sends the login password in cleartext over the network; if the directory server is configured for SSL, connect to its SSL port instead.

  3. Enter the username and password.

    If you are logging in for the first time, you need to log in as the superuser (cn=orcladmin).

  4. Click Login. Oracle Directory Manager appears.

    See Also:

    "Using Oracle Directory Manager" in Chapter 4 of Oracle Internet Directory Administrator's Guide for more information on starting and navigating Oracle Directory Manager.

Delegated Administration Service

Delegated Administration Service is a Web-based tool that enables you to create and manage users and groups. Users can use this tool to update information about themselves (such as changing their passwords).

To access Delegated Administration Service, point your browser to:

http://host:port/oiddas

host specifies the machine running Oracle HTTP Server.

port specifies the port that Oracle HTTP Server is listening on.

Delegating Administration Tasks

During installation of a new Oracle Internet Directory instance, the Oracle Internet Directory superuser creates the Oracle Context, the Subscriber (or Enterprise) Context, and the subscriber administrator with the appropriate privileges.

You can use the subscriber administrator to delegate administration of the Oracle Context tree to Oracle Context administrators. They, in turn, can delegate administration of Oracle9iAS and its components to Oracle9iAS administrators. The Oracle9iAS administrators have the necessary privileges to install all Oracle9iAS components. The Oracle9iAS administrators can delegate administration of users and groups to other users. Figure 12-2 shows the delegation flow.

If you are working in an existing Oracle Internet Directory, you need to work with the Oracle Internet Directory administrator to ensure that you have the following privileges:

Administering Users

All users who access Oracle9iAS should have a user entry in Oracle Internet Directory. This requirement is mandatory for users who access applications that check authentication and authorization.

Newly Created Oracle Internet Directory

Using the subscriber administrator account (which was created during installation) and Delegated Administration Service, you can create users and add them to groups, thus delegating privileges to those users.

You can also delegate user-related operations to other users. To do this, add the users to the appropriate groups, as shown in the following table:

Table 12-2 User operations

To allow a user to do this operation | Add the user to this group
Create users | User Create (DN: cn=oracleDASCreateUser, cn=groups, <Oracle Context DN>)
Edit user properties | User Edit (DN: cn=oracleDASEditUser, cn=groups, <Oracle Context DN>)
Delete users | User Delete (DN: cn=oracleDASDeleteUser, cn=groups, <Oracle Context DN>)

Existing Oracle Internet Directory

If the Oracle Internet Directory instance also serves as a corporate directory, then it already has users in it. The Oracle Internet Directory administrator is responsible for managing the users.

Creating a User in Oracle Internet Directory

To create users using Delegated Administration Service:

  1. Log in to Delegated Administration Service. You can log in as orcladmin (cn=orcladmin), or as a user who is a member of the IASAdmins or the oracleDASCreateUser group.

    In a browser, go to:

    http://host:port/oiddas
    

    host specifies the machine running Oracle HTTP Server.

    port specifies the port that Oracle HTTP Server is listening on.

  2. Select the Directory tab.

  3. Log in to Oracle Internet Directory.

  4. Select Users in the upper left side of the page.

  5. Click Create. This displays the Create User page.

  6. Enter information for the user in the fields.

  7. Click Submit.

For details on Delegated Administration Service, see Chapter 9, "The Delegated Administration Service", in the Oracle Internet Directory Administrator's Guide.

You can also create users in Oracle Internet Directory using Oracle Directory Manager. For details, see the section "Adding Entries by Using Oracle Directory Manager" in Chapter 7, "Managing Directory Entries", of the Oracle Internet Directory Administrator's Guide.

If you already have users in Oracle Internet Directory, you can create new users using the procedure described in the section "Adding an Entry by Copying an Existing Entry in Oracle Directory Manager" in Chapter 7 of Oracle Internet Directory Administrator's Guide.

Adding a User to a Group

To add a user to a group using Delegated Administration Service:

  1. Log in to Delegated Administration Service. You can log in as orcladmin (cn=orcladmin), or as a user who is a member of the IASAdmins or the oracleDASUserPriv group. You can also log in as the owner of the group.

    In a browser, go to:

    http://host:port/oiddas
    

    host specifies the machine running Oracle HTTP Server.

    port specifies the port that Oracle HTTP Server is listening on.

  2. Select the Directory tab.

  3. Click Groups in the upper left side of the page.

  4. Search for the group to which you want to add users.

  5. Select the group and click Edit. This displays the Edit Group page.

  6. Click Add User Member in the Members section. This displays the Search and Select window.

  7. Search for the user that you want to add to the group.

  8. Click Select. This closes the Search and Select window.

  9. Click Submit on the Edit Group page.

You can also use Oracle Directory Manager to add users to groups. See Chapter 7 of the Oracle Internet Directory Administrator's Guide for details.

Administering Groups

Group memberships define the privileges a user has. To give privileges to a user, add the user to the appropriate groups.

Newly Created Oracle Internet Directory

Operations that you can perform on groups are creating groups, deleting groups, and editing properties of groups. To allow users to perform these operations, add the users to the appropriate groups, as shown in the following table:

Table 12-3 Group operations

To allow a user to do this operation | Add the user to this group
Create groups | Group Create (DN: cn=oracleDASCreateGroup, cn=groups, <Oracle Context DN>)
Edit group properties | Group Edit (DN: cn=oracleDASEditGroup, cn=groups, <Oracle Context DN>)
Delete groups | Group Delete (DN: cn=oracleDASDeleteGroup, cn=groups, <Oracle Context DN>)

Existing Oracle Internet Directory

In an existing Oracle Internet Directory, you may not have group administration privileges because the Oracle Internet Directory administrator has already set up the necessary groups.

Group Details

In a newly created Oracle Internet Directory, the installer creates groups and associates them with privileges.

In an existing Oracle Internet Directory, the Oracle Internet Directory upgrade process to Release 9.0.2 creates groups mentioned in this chapter, but it does not set up any ACLs in the user namespace because this would override existing ACLs. You and the Oracle Internet Directory administrator can grant the necessary privileges to the groups, or you can associate privileges to existing groups. This section describes the privileges for each group.

Table 12-4 Groups for component administration

Group: IAS Admins
DN: cn=IASAdmins, cn=groups, <Oracle Context DN>
Required privilege:
  • Complete access to the IAS node under Products in Oracle Context
  • Add access to create Application entity objects under individual products
  • Proxy access to these application entities

Group: Read and modify user passwords
DN: cn=oracleUserSecurityAdmins, cn=groups, <Oracle Context DN>
Required privilege: Read, write, compare, and search access to the following attributes:
  • userpkcs12
  • orclpkcs12hint
  • userpassword
  • orclpassword
  • orclpasswordverifier

Group: Compare user passwords
DN: cn=authenticationServices, cn=groups, <Oracle Context DN>
Required privilege: Compare access to the userpassword attribute of users

Group: Proxy privilege
DN: cn=userProxyPrivilege, cn=groups, <Oracle Context DN>
Required privilege: Proxy access on behalf of the end user

Group: Oracle Context administration
DN: cn=oracleContextAdmins, cn=groups, <Oracle Context DN>
Required privilege: Complete access within Oracle Context

Table 12-5 Groups for user administration

Group: Create user
DN: cn=oracleDASCreateUser, cn=groups, <Oracle Context DN>
Required privilege: Add access to the users container in an enterprise

Group: Edit user attribute
DN: cn=oracleDASEditUser, cn=groups, <Oracle Context DN>
Required privilege: Write access to user entries

Group: Delete user
DN: cn=oracleDASDeleteUser, cn=groups, <Oracle Context DN>
Required privilege: Delete access to the users container in an enterprise

Group: Delegate user administration
DN: cn=oracleDASUserPriv, cn=groups, <Oracle Context DN>
Required privilege:
  • Add access to the users container in an enterprise
  • Delete access to the users container in an enterprise
  • Write access to user entries

Table 12-6 Groups for group administration

Group: Create group
DN: cn=oracleDASCreateGroup, cn=groups, <Oracle Context DN>
Required privilege: Add access to the groups container in an enterprise

Group: Edit group attribute
DN: cn=oracleDASEditGroup, cn=groups, <Oracle Context DN>
Required privilege: Write access to group entries

Group: Delete group
DN: cn=oracleDASDeleteGroup, cn=groups, <Oracle Context DN>
Required privilege: Delete access to the groups container in an enterprise

Group: Delegate group administration
DN: cn=oracleDASGroupPriv, cn=groups, <Oracle Context DN>
Required privilege:
  • Add access to the groups container in an enterprise
  • Delete access to the groups container in an enterprise
  • Write access to group entries

To Determine a Group's Privileges

To determine which privileges a group has, you can use Oracle Directory Manager. See the Oracle Internet Directory Administrator's Guide for details on Oracle Directory Manager.
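Table 12-4 states what each group should be able to do, but the rights actually enforced are the orclaci values on the container entries, and Oracle Directory Manager shows them one entry at a time. The following script is an added example, not code from the Oracle9iAS guide or from any Oracle tool: it parses orclaci values of the common form `access to entry|attr=(...) [filter=(...)] by <subject> (<permissions>) ...` and reports every subject that holds more on the password attributes of Table 12-4 than the model in that table allows. SAMPLE_ACIS is constructed, modeled on the table, and includes one deliberate misconfiguration (a helpdesk account granted direct read and write on userpassword). The subject forms dnattr=, guidattr= and BindMode constraints are not parsed, and whether a wildcard attr=(*) grant reaches the password attributes depends on the server's ACI precedence rules, so such grants are reported for manual review rather than decided here.

```python
"""Audit Oracle Internet Directory ACIs (orclaci values) for grants on password attributes."""
import re

# Attributes Table 12-4 reserves for oracleUserSecurityAdmins / authenticationServices.
SENSITIVE_ATTRS = {"userpassword", "orclpassword", "orclpasswordverifier",
                   "userpkcs12", "orclpkcs12hint"}
# Rights that expose or alter a password value (compare alone only confirms a guess).
RIGHTS = {"read", "search", "write", "selfwrite", "compare"}

# Subjects the chapter's model expects on those attributes, with the rights each may hold.
# Compared case-insensitively; "self" lets a user change only its own password.
EXPECTED = {
    'group="cn=oracleUserSecurityAdmins,cn=groups,cn=OracleContext"': {"read", "search", "write", "compare"},
    'group="cn=authenticationServices,cn=groups,cn=OracleContext"': {"compare"},
    "self": {"write", "selfwrite", "compare"},
}

# Constructed ACIs, shaped like an ldapsearch for orclaci on the users container.
# The last one is a deliberate misconfiguration: a helpdesk account given direct access.
SAMPLE_ACIS = [
    ("cn=Users,o=DEFAULT SUBSCRIBER,dc=COM",
     'access to entry by group="cn=oracleDASCreateUser,cn=groups,cn=OracleContext" (browse,add) '
     'by group="cn=oracleDASDeleteUser,cn=groups,cn=OracleContext" (browse,delete) by * (browse)'),
    ("cn=Users,o=DEFAULT SUBSCRIBER,dc=COM",
     'access to attr=(userpassword,orclpassword,orclpasswordverifier,userpkcs12,orclpkcs12hint) '
     'by group="cn=oracleUserSecurityAdmins,cn=groups,cn=OracleContext" (read,search,write,compare) '
     'by group="cn=authenticationServices,cn=groups,cn=OracleContext" (compare) '
     'by self (write) by * (none)'),
    ("cn=Users,o=DEFAULT SUBSCRIBER,dc=COM",
     'access to attr=(*) by group="cn=oracleDASEditUser,cn=groups,cn=OracleContext" (read,search,write) '
     'by * (read,search)'),
    ("cn=Users,o=DEFAULT SUBSCRIBER,dc=COM",
     'access to attr=(userpassword) '
     'by dn="cn=helpdesk,cn=Users,o=DEFAULT SUBSCRIBER,dc=COM" (read,write)'),
]

_TARGET = re.compile(r'^access\s+to\s+(entry|attr=\(([^)]*)\))(?:\s+filter=\([^)]*\))?\s*(.*)$', re.I | re.S)
_GRANT = re.compile(r'by\s+(\*|self|\w+="[^"]*")\s*\(([^)]*)\)', re.I)


def parse_aci(aci):
    """Split one orclaci value into its target and its list of (subject, permissions) grants."""
    m = _TARGET.match(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI: %r" % aci)
    if m.group(1).lower() == "entry":
        target = "entry"
    else:
        target = {a.strip().lower() for a in m.group(2).split(",")}
    grants = [(subject.lower(), {p.strip().lower() for p in perms.split(",")})
              for subject, perms in _GRANT.findall(m.group(3))]
    return {"target": target, "grants": grants}


def sensitive_attribute_grants(acis):
    """Every grant whose attribute list names a password attribute or is the wildcard attr=(*)."""
    found = []
    for entry_dn, aci in acis:
        parsed = parse_aci(aci)
        if parsed["target"] == "entry":
            continue
        wildcard = "*" in parsed["target"]
        if not wildcard and not (parsed["target"] & SENSITIVE_ATTRS):
            continue
        for subject, perms in parsed["grants"]:
            found.append({"entry": entry_dn, "subject": subject, "perms": perms, "wildcard": wildcard})
    return found


def unexpected_password_grants(acis):
    """Grants on password attributes beyond what EXPECTED allows for that subject.

    Wildcard attr=(*) grants are reported too: whether they reach the password
    attributes depends on the server's ACI precedence rules, so check them by hand."""
    expected = {k.lower(): v for k, v in EXPECTED.items()}
    findings = []
    for grant in sensitive_attribute_grants(acis):
        effective = (grant["perms"] & RIGHTS) - expected.get(grant["subject"], set())
        if effective:
            findings.append(dict(grant, perms=effective))
    return findings


if __name__ == "__main__":
    for f in unexpected_password_grants(SAMPLE_ACIS):
        note = " (via attr=(*), check precedence)" if f["wildcard"] else ""
        print("%s: %s has %s%s" % (f["entry"], f["subject"], sorted(f["perms"]), note))
```

On a live directory the input comes from ldapsearch, for example `ldapsearch -h host -p port -D cn=orcladmin -w password -b "cn=Users,<subscriber DN>" -s base "objectclass=*" orclaci`; with the constructed sample the script reports the helpdesk grant and the two attr=(*) grants, and nothing for the groups Table 12-4 expects.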

Administering Privileges of Oracle9iAS Components

Some components in Oracle9iAS need to authenticate users (verify that a user presented the correct password) or to impersonate their clients. The components need the following privileges to perform these operations.

When you install components in Oracle Internet Directory (regardless of whether the Oracle Internet Directory was newly created or existing), the installer adds them to the proper groups. You do not have to add components to groups manually.

Installing and Configuring Oracle9iAS

When you add or remove components from your Oracle9iAS installation, the installer needs to update the configuration information in Oracle Internet Directory. The user who runs the installer needs privileges in the IAS area in Oracle Internet Directory.

Newly Created Oracle Internet Directory

You must be a member of the IASAdmins group, which has privileges to administer the IAS tree in Oracle Internet Directory.

Existing Oracle Internet Directory

You need to have privileges equivalent to those in the IASAdmins group.

Upgrading Oracle Internet Directory for Oracle9iAS

This section describes the upgrade details for Oracle Internet Directory that are specific to Oracle9iAS. For instructions on how to upgrade Oracle Internet Directory to Release 9.0.2, see the Oracle Internet Directory Administrator's Guide.

When you install Oracle9iAS with a new Oracle Internet Directory, the installer installs a new Oracle Internet Directory Release 9.0.2 and configures it for Oracle9iAS. It creates all the groups and sets them up with the appropriate privileges. It also sets up ACLs in the users and the Oracle Context namespaces.

If you upgrade your Oracle Internet Directory to Release 9.0.2 and plan to use it with Oracle9iAS, the upgrade creates ACLs in the Oracle Context namespace, but not in the users namespace. This is to avoid overriding existing policies in the users namespace. It does, however, create groups mentioned in this chapter.

The following ACL policies are not created during the upgrade:

To follow the administration model described in this chapter, you and the Oracle Internet Directory administrator can create the ACLs described in "Group Details" and associate them with the appropriate groups, or you and the Oracle Internet Directory administrator can associate equivalent existing ACLs with the appropriate groups.

The subscriber administrator is also not created during the upgrade process.

For instructions on how to create ACLs in the users namespace and how to associate groups with ACLs, see the Oracle Internet Directory Administrator's Guide.

Password Policies

Oracle Internet Directory enables you to define password policies that are compliant with the security policy of your enterprise.

About Password Policies

A password policy is a set of rules for setting and managing passwords. These rules include:

Oracle Internet Directory enforces password policies for its users. You should be aware of the Oracle Internet Directory password policy for two reasons:

Viewing the Password Policy

All users can view the password policy using Oracle Directory Manager:

  1. Start Oracle Directory Manager with the following command:

    ORACLE_HOME/bin/oidadmin
    
  2. Log in to Oracle Directory Manager. If you are logging in as orcladmin, enter "cn=orcladmin" in the User field. If you are logging in as another user, enter "cn=username,cn=Users,o=DEFAULT SUBSCRIBER,dc=COM" in the User field. This launches the Oracle Directory Manager.

  3. Expand the user entry in the System Objects frame by clicking the plus sign (+) next to it. The user entry is of the form: username@host:port.

  4. Expand the Password Policy Management entry in the System Objects frame by clicking the plus sign (+) next to it.

  5. Select the "cn=PwdPolicyEntry" entry.

    If there is more than one "cn=PwdPolicyEntry" entry, select each one and examine the contents of the Path to Password Policy Entry field in the General Tab in the pane on the right side. Select the entry that has "o=DEFAULTSUBSCRIBER" as part of the path in the Path to Password Policy Entry field. Be sure to examine the full path by clicking in the Path to Password Policy Entry field and moving your cursor to the end of the path.

  6. View the fields in the General tab, in particular the Number of Numeric Characters in Password field and the Minimum Number of Characters of Password field.

Modifying the Password Policy

Only the orcladmin user can modify the Oracle Internet Directory password policy.

  1. Start Oracle Directory Manager with the following command:

    ORACLE_HOME/bin/oidadmin
    
  2. Log in to Oracle Directory Manager. Enter "cn=orcladmin" in the User field. This launches the Oracle Directory Manager.

  3. Expand the user entry in the System Objects frame by clicking the plus sign (+) next to it. The user entry is of the form: username@host:port.

  4. Expand the Password Policy Management entry in the System Objects frame by clicking the plus sign (+) next to it.

  5. Select the "cn=PwdPolicyEntry" entry.

    If there is more than one "cn=PwdPolicyEntry" entry, select each one and examine the contents of the Path to Password Policy Entry field in the General Tab in the pane on the right side.

    Select the entry that has "o=DEFAULTSUBSCRIBER" as part of the path in the Path to Password Policy Entry field.

  6. Modify the fields in the General tab, in particular the Number of Numeric Characters in Password field and the Minimum Number of Characters of Password field.

  7. Click Apply.

Modifying Oracle Internet Directory Passwords

Individual users can change their own passwords using Delegated Administration Service or Oracle Directory Manager. Oracle Internet Directory superusers and administrators can also change the passwords of other users if they have the appropriate permissions.

Passwords are stored in the userPassword attribute. Oracle Internet Directory keeps the value in hashed form according to the hashing scheme configured for the directory; Table 12-4 lists the groups that hold read, write, or compare access to the attribute, and no other subject should.

See the Oracle Internet Directory Administrator's Guide for details.

Modifying the orcladmin Password

You can change the Oracle Internet Directory superuser password using ldapmodify or Oracle Directory Manager.

To modify the password of the orcladmin user in Oracle Internet Directory:

  1. Start Oracle Directory Manager with the following command:

    (UNIX) ORACLE_HOME/bin/oidadmin
    (Windows) From the Start menu, select Programs -> ORACLE_HOME -> Integrated Management Tools -> Oracle Directory Manager
    
  2. Log in to Oracle Directory Manager as the orcladmin user.

  3. Select the orcladmin user entry in the System Objects frame. The user entry is of the form: username@host:port.

  4. Select the System Passwords tab in the pane on the right side.

  5. Enter the new password in the Super User Password field.

  6. Click Apply.

Modifying a User Password

Users can log into Delegated Administration Service to modify their own passwords. The procedure is:

  1. Log in to Delegated Administration Service as the user.

    In a browser, go to:

    http://host:port/oiddas
    

    host specifies the machine running Oracle HTTP Server.

    port specifies the port that Oracle HTTP Server is listening on.

  2. Select the My Profile tab.

  3. Log in to Oracle Internet Directory.

  4. Click Change My Password.

  5. Change your Oracle9iAS Single Sign-On password:

    1. In the Single Sign-On Password section, in the Old Password field, enter your current password.

    2. In the New Password field, enter your new password, and confirm it in the Confirm New Password field.

    3. Click Submit.

Changing Instance Passwords in Oracle Internet Directory

Each application server instance that uses an infrastructure has an entry in Oracle Internet Directory. The instance uses this entry to manage configuration information in Oracle Internet Directory.

Oracle9iAS generates random passwords for the instances in Oracle Internet Directory. You do not need to know what the passwords are because there are no procedures that you need to run that require the passwords.

However, if your corporate security policy requires that passwords be changed on a regular basis, you can use the resetiASpasswd tool to change the password.


Note:

You cannot use Oracle Directory Manager, Delegated Administration Service, or ldapmodify to change the instance passwords; you can only use resetiASpasswd. The reason for this is that the password needs to be synchronized on the instance host and on Oracle Internet Directory.


To reset the password to a new randomly generated password, execute the following command in the Oracle home of the application server instance whose password you would like to change:

(UNIX) ORACLE_HOME/bin/resetiASpasswd.sh cn=orcladmin password ORACLE_HOME
(Windows) ORACLE_HOME\bin\resetiASpasswd cn=orcladmin password ORACLE_HOME

password is the orcladmin password. Because it is passed as a command-line argument, it is visible to other users on the host in process listings while the command runs and may be recorded in your shell history; run the command from a session whose history is not kept, or remove the line from the history file afterwards.

ORACLE_HOME is the full path of the Oracle home for the application server instance. Note that this is identical to the Oracle home in which you run the command.

Removing an Application Server Instance From Oracle Internet Directory

When you deinstall an application server installation using Oracle Universal Installer, the configuration information for the corresponding application server instance is not automatically removed from Oracle Internet Directory. For example, referring to Figure 12-1, "Oracle9iAS Tree in Oracle Internet Directory", if you deinstall the application server installation IAS2 using Oracle Universal Installer, the node named IAS2 is not automatically removed from under IAS Instance in the tree.

It is not a problem to have unused instances in Oracle Internet Directory unless you would like to reuse the same instance name for a subsequent installation. In this case, you must manually remove the instance from Oracle Internet directory before installing the new instance. For example, if you deinstall the IAS2 application server installation using Oracle Universal Installer and would like to install a new installation called IAS2, you must remove the IAS2 instance node from Oracle Internet Directory before doing the new installation.

To remove an application server instance from Oracle Internet Directory:

  1. Start Oracle Directory Manager:

    (UNIX) ORACLE_HOME/bin/oidadmin
    (Windows) From the Start menu, select Programs -> ORACLE_HOME -> Integrated Management Tools -> Oracle Directory Manager
    
  2. Log in to Oracle Directory Manager as cn=orcladmin or a user that is a member of the IASAdmins group.

  3. Expand the Entry Management entry in the System Objects frame by clicking the plus sign (+) next to it.

  4. Expand cn=OracleContext.

  5. Expand cn=Products.

  6. Expand cn=IAS.

  7. Expand cn=IAS Instances.

  8. Under cn=IAS Instances, select the instance you would like to remove.

  9. In the toolbar, select the Edit menu and select Delete.

  10. In the Systems Object frame, under cn=OracleContext, expand cn=Groups.

  11. Select cn=IASAdmins.

  12. In the Properties tab, remove the instance from the uniquemember field. Do not select Edit/Delete from the toolbar, which would delete the whole group entry; instead, edit the uniquemember field with the cursor to remove the instance. Click Apply.
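Both "Adding a User to a Group" (a user's privileges are the groups that list it in uniquemember, as "Administering Groups" states) and the removal procedure above come down to reading and editing uniquemember values. The following script is an added example, not code from the Oracle9iAS guide or from any Oracle tool: it parses an LDIF export of the kind ldapsearch produces, lists this chapter's privileges for a user from its group memberships, reports members that no longer have an entry (the deinstalled IAS2 case above, which step 12 cleans up), and emits the ldapmodify change that adds or removes a member, the command-line equivalent of step 6 in "Adding a User to a Group" and of step 12 here. The entries, DNs and objectclass values in SAMPLE_EXPORT are constructed; base64-encoded LDIF values and DNs with escaped commas are not handled, and the dangling-member check assumes the export covers every subtree that members live in.

```python
"""Resolve Oracle9iAS privileges from Oracle Internet Directory group membership in an LDIF export."""

# Privileges each group confers, taken from Tables 12-2, 12-3 and 12-4 of this chapter.
GROUP_PRIVILEGES = {
    "oracledascreateuser": "create users",
    "oracledasedituser": "edit user properties",
    "oracledasdeleteuser": "delete users",
    "oracledasuserpriv": "delegate user administration",
    "oracledascreategroup": "create groups",
    "oracledaseditgroup": "edit group properties",
    "oracledasdeletegroup": "delete groups",
    "oracledasgrouppriv": "delegate group administration",
    "iasadmins": "administer the IAS tree under Products",
}

# Constructed export (entries, DNs and objectclasses are illustrative). IAS2 has been
# deinstalled: its entry is gone, but cn=IASAdmins still lists it as a member.
SAMPLE_EXPORT = """\
dn: cn=jdoe,cn=Users,o=DEFAULT SUBSCRIBER,dc=COM
objectclass: orclUserV2
cn: jdoe

dn: cn=IAS1,cn=IAS Instances,cn=IAS,cn=Products,cn=OracleContext
objectclass: orclApplicationEntity
cn: IAS1

dn: cn=IASAdmins,cn=groups,cn=OracleContext
objectclass: groupOfUniqueNames
uniquemember: cn=IAS1,cn=IAS Instances,cn=IAS,cn=Products,cn=OracleContext
uniquemember: cn=IAS2,cn=IAS Instances,cn=IAS,cn=Products,cn=OracleContext

dn: cn=oracleDASCreateUser,cn=groups,cn=OracleContext
objectclass: groupOfUniqueNames
uniquemember: cn=jdoe,cn=Users,o=DEFAULT SUBSCRIBER,dc=COM

dn: cn=oracleDASEditGroup,cn=groups,cn=OracleContext
objectclass: groupOfUniqueNames
uniquemember: cn=jdoe,
 cn=Users,o=DEFAULT SUBSCRIBER,dc=COM
"""


def norm_dn(dn):
    """Case- and whitespace-insensitive DN form for comparison (escaped commas not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse an LDIF export into {normalised dn: {attribute: [values]}}.

    Handles RFC 2849 continuation lines and comments; base64 (::) values are left out."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation line: append without its leading space
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
        elif not line.startswith("#"):
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = norm_dn(value)
            else:
                attrs.setdefault(key, []).append(value)
    return entries


def groups_of(entries, member_dn):
    """DNs of every group whose uniquemember lists member_dn."""
    target = norm_dn(member_dn)
    return sorted(dn for dn, attrs in entries.items()
                  if any(norm_dn(m) == target for m in attrs.get("uniquemember", [])))


def privileges_of(entries, member_dn):
    """Privileges this chapter associates with the groups member_dn belongs to."""
    privs = []
    for group_dn in groups_of(entries, member_dn):
        cn = group_dn.split(",")[0].split("=", 1)[1]
        privs.append(GROUP_PRIVILEGES.get(cn, "no privilege listed in this chapter for " + cn))
    return privs


def dangling_members(entries):
    """(group dn, member dn) pairs whose member has no entry in the export."""
    return sorted((dn, norm_dn(m)) for dn, attrs in entries.items()
                  for m in attrs.get("uniquemember", []) if norm_dn(m) not in entries)


def member_change_ldif(group_dn, member_dn, op="add"):
    """LDIF for ldapmodify that adds or deletes one uniquemember value on a group."""
    if op not in ("add", "delete"):
        raise ValueError("op must be 'add' or 'delete'")
    return "dn: %s\nchangetype: modify\n%s: uniquemember\nuniquemember: %s\n-\n" % (group_dn, op, member_dn)


if __name__ == "__main__":
    export = parse_ldif(SAMPLE_EXPORT)
    print("jdoe may:", privileges_of(export, "cn=jdoe,cn=Users,o=DEFAULT SUBSCRIBER,dc=COM"))
    for group, member in dangling_members(export):
        print("stale member %s in %s; ldapmodify change:\n%s" % (member, group, member_change_ldif(group, member, "delete")))
```

The change file the script prints is applied with `ldapmodify -h host -p port -D cn=orcladmin -w password -f change.ldif`; as with resetiASpasswd, the -w value is visible in process listings and shell history. Note that this applies to group membership only: the instance password itself can be changed only with resetiASpasswd, as the note above states.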


Copyright © 2002 Oracle Corporation.

All Rights Reserved.