Oracle Entitlement Server (OES) Lightweight RMI Client

November 21, 2011


Thanks to posts from Subbu, it is easy to create and configure an RMI client for OES by replacing the jps-config of a normal Java SM on the same host. What I want to show here is how to invoke entitlement requests remotely from an RMI client which sends requests to a non-controlled RMI SM server. This is almost identical to an XACML/Web Service client, except that it uses RMI, which is faster, more convenient and less error prone.

As I said, I will try to keep my RMI SM in non-controlled mode. I found it less problematic this way. Using controlled security modules, you may end up with some GUI issues which prevent proper distribution.

Security Module (SM)


So here is my PRP file for this NC (non-controlled) RMI SM:


You may put this in the [OES-Client-Home]/oessm/SMConfigTool folder and run [OES-Client-Home]/oessm/bin/ to add the SM to OES, like this:

./ -prpFileName ../SMConfigTool/smconfig.Telstra_RMI_NC_SM.prp

Now enter your database Policy Store username and password. Note that policy stores are in APM. If all goes well, you’ll have your SM folder under [OES-Client-Home]/oes_sm_instances.


Before we start the RMI server, it’s better to modify the start-up script to add more logging. Put a simple JUL config file in the config folder and add it to the Java arguments in the start-up script. You’d better create a logs folder too.

handlers= java.util.logging.FileHandler
.level= FINER
java.util.logging.FileHandler.pattern = ./logs/log
java.util.logging.FileHandler.limit = 50000000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter

And this is the line in

${JAVA_HOME}/bin/java -Djava.util.logging.config.file=./config/ ${OES_INSTANCE_HOME}/config/java.policy${OES_INSTANCE_HOME}/config/jps-config.xml


Now make the logs folder and run it.

mkdir logs
nohup ./ &
tail -f nohup.out logs/log


SM Setup

Add a new SM to OES:

Application Binding

Bind this new SM to your application:

Attribute Based Authorization Policy

And finally an authorization policy based on resource, role and a dynamic attribute (key):

All done in OES. There is no need to distribute policy changes to the modules. It will all be done periodically and automatically (see the waitDistributionTime variable).



Here is the client source code. Put it in oes/rmi/client/


I use Maven. Keep things simple. It has a very minimal dependency on only 3 files. Here is the pom.xml file:


If the connection to the RMI server is OK, then run the application and enjoy. Once serverAddress, port, application name and the other settings in the code are correct, it will produce something like:

actions = Granted=true. Responses={}


One Comment
  1. Hi Amin,

    nice blog post. BTW, the controlled mode distribution mode issue has been addressed in OES 11gR1 BP01 (Bundle Patch 1).

