Oracle Entitlement Server (OES) Lightweight RMI Client
Introduction
Thanks to posts from Subbu, it is easy to create and configure an RMI client to OES by replacing the jps-config of a normal Java SM on the same host. What I want to show here is how to invoke entitlement requests remotely from an RMI client that sends requests to a non-controlled RMI SM server. This is almost identical to a XACML/Web Service client, except that it uses RMI, which is faster, more convenient and less error prone.
As I said, I will try to keep my RMI SM in non-controlled mode. I found it less problematic this way. Using controlled security modules, you may end up with GUI issues that prevent proper distribution.
Security Module (SM)
PRP
So here is my PRP file for this NC (non-controlled) RMI SM:
oracle.security.jps.runtime.pd.client.sm_name=Telstra_RMI_NC_SM
# Policy distribution mode. Possible values:
oracle.security.jps.runtime.pd.client.policyDistributionMode=non-controlled
# -------- Policy Distributor connectivity information - required for controlled-push distribution mode
# Only needed for controlled-push policy distribution mode
oracle.security.jps.runtime.pd.client.RegistrationServerHost=[OES-Server]
oracle.security.jps.runtime.pd.client.RegistrationServerPort=[OES-Port]
# -- Policy Store Service Configuration parameters - required only for controlled-pull or non-controlled modes
# Policy store type
oracle.security.jps.policystore.type=DB
# Policy Store URL for DB policy store
jdbc.url=jdbc:oracle:thin:@[DB-Host]:[DB-Port]/[DB-SID]
# Policy Store URL for LDAP policy store
ldap.url=
# For both LDAP and DB Policy Store
oracle.security.jps.farm.name=cn=oes_domain
oracle.security.jps.ldap.root.name=cn=jpsroot
# Communication between SM and Policy Distributor is over SSL by default
oracle.security.jps.pd.client.sslMode=true
bootstrap.security.principal.key=oes_sm_key
bootstrap.security.principal.map=oes_sm_map
jdbc.driver=oracle.jdbc.driver.OracleDriver
# ---------- ONLY for RMI SM -----------------------------
# port number to accept authorization requests
oracle.security.jps.pdp.rmism.RMIRegistryPortNumber=2099
# --- Only for Java SM, WS SM, and RMI SM in controlled-push mode ---
# port to listen for policy distribution. Picked automatically by SM config tool if not specified
oracle.security.jps.runtime.pd.client.DistributionServicePort=
oracle.security.jps.runtime.pd.client.sm_type=rmi
Setup
You may put this in the [OES-Client-Home]/oessm/SMConfigTool folder and run [OES-Client-Home]/oessm/bin/config.sh to add the SM to OES, like this:
./config.sh -prpFileName ../SMConfigTool/smconfig.Telstra_RMI_NC_SM.prp
Now enter your database Policy Store username and password. Note that policy stores are in APM. If all goes well, you'll have your SM folder under [OES-Client-Home]/oes_sm_instances.
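Before handing the PRP file to config.sh, it helps to check that the settings are consistent with the distribution mode you chose, since the config tool only reports store problems after you have typed the credentials. The checker below is an added example, not code from this post or from the OES tooling; it applies the rules stated in the PRP comments above, and the database hostname in its sample file is constructed.

```python
"""OES SM .prp pre-flight check (added example, not from the post or OES tools)."""
import re

P = "oracle.security.jps."
PLACEHOLDER = re.compile(r"\[[^\]]*\]")  # e.g. [OES-Server] left unfilled

# Constructed sample: the post's NC RMI SM settings with the DB host filled in.
SAMPLE_PRP = f"""
{P}runtime.pd.client.policyDistributionMode=non-controlled
{P}runtime.pd.client.RegistrationServerHost=[OES-Server]
{P}policystore.type=DB
jdbc.url=jdbc:oracle:thin:@oesdb.example.internal:1521/OESDB
{P}pdp.rmism.RMIRegistryPortNumber=2099
{P}runtime.pd.client.sm_type=rmi
"""

def parse_properties(text):
    """Minimal .properties parser: '#'/'!' comments, key=value, empty values."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def missing(props, key):
    """True if key is absent, empty, or still a [placeholder]."""
    return not props.get(key) or PLACEHOLDER.search(props[key]) is not None

def check_sm_config(props):
    """Return the problems found; an empty list means the PRP is consistent."""
    problems = []
    mode = props.get(P + "runtime.pd.client.policyDistributionMode", "")
    if mode == "controlled-push":  # SM must reach the Policy Distributor
        for k in ("RegistrationServerHost", "RegistrationServerPort",
                  "DistributionServicePort"):
            if missing(props, P + "runtime.pd.client." + k):
                problems.append(f"controlled-push requires {k}")
    elif mode in ("controlled-pull", "non-controlled"):  # SM reads the store
        store = props.get(P + "policystore.type", "")
        url_key = {"DB": "jdbc.url", "LDAP": "ldap.url"}.get(store, "")
        if not url_key or missing(props, url_key):
            problems.append(f"{store or 'unset'} policy store needs a store URL")
    else:
        problems.append(f"unknown policyDistributionMode {mode!r}")
    if props.get(P + "runtime.pd.client.sm_type") == "rmi" and \
            missing(props, P + "pdp.rmism.RMIRegistryPortNumber"):
        problems.append("RMI SM requires pdp.rmism.RMIRegistryPortNumber")
    return problems
```

The placeholder registration host in the sample is tolerated because it is only required in controlled-push mode; flip the mode and the same file fails the check.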
Logging
Before we start the RMI server, it's better to modify the start-up script to add more logging. Put a simple JUL config file in the config folder and add it to the Java arguments in startRMIServer.sh. You'd better create a logs folder too.
handlers= java.util.logging.FileHandler
.level= FINER
java.util.logging.FileHandler.pattern = ./logs/log
java.util.logging.FileHandler.limit = 50000000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.SimpleFormatter
And this is the line in startRMIServer.sh:
${JAVA_HOME}/bin/java -Djava.util.logging.config.file=./config/logging.properties -Djava.security.policy=file:${OES_INSTANCE_HOME}/config/java.policy -Doracle.security.jps.config=${OES_INSTANCE_HOME}/config/jps-config.xml com.bea.security.ssmrmi.LauncherWrapper
Run
Now make the logs folder and run it.
mkdir logs
nohup ./startRMIServer.sh &
tail -f nohup.out logs/log
OES
SM Setup
Add a new SM to OES:
Application Binding
Bind this new SM to your application:
Attribute-Based Authorization Policy
And finally an authorization policy based on resource, role and a dynamic attribute (key):
All done in OES. There is no need to distribute policy changes to the modules; it all happens periodically and automatically (see the waitDistributionTime variable).
Client
Code
Here is the Client source code. Put it in oes/rmi/client/RmiAuthorizationServiceImpl.java
Maven
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <groupId>oes-demo</groupId>
    <artifactId>authorization-client-rmi</artifactId>
    <version>1.0-SNAPSHOT</version>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <version.oes>11.1.1</version.oes>
        <version.wls>10.3</version.wls>
    </properties>
    <build>
        <defaultGoal>compile</defaultGoal>
    </build>
    <dependencies>
        <!-- wls client for principals and general rmi types -->
        <dependency>
            <!-- see: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/client/jarbuilder.html -->
            <groupId>weblogic</groupId>
            <artifactId>wlfullclient</artifactId>
            <version>${version.wls}</version>
        </dependency>
        <!-- RMI types and stubs -->
        <dependency>
            <groupId>oracle.oes.sm.rmism</groupId>
            <artifactId>rmi-types</artifactId>
            <version>${version.oes}</version>
            <scope>system</scope>
            <systemPath>D:/project/OES/oes_client/oessm/rmism/rmi-types.jar</systemPath>
        </dependency>
        <dependency>
            <groupId>oracle.oes.sm.rmism</groupId>
            <artifactId>rmi-stubs</artifactId>
            <version>${version.oes}</version>
            <scope>system</scope>
            <systemPath>D:/project/OES/oes_client/oessm/rmism/rmi-stubs.jar</systemPath>
        </dependency>
    </dependencies>
</project>
If the connection to the RMI server is OK, run the application and enjoy. Once serverAddress, port, application name and the other settings in the code are correct, the result will be something like:
actions = Granted=true. Responses={oracle.security.oes.authorization.decision_reason=grant_policy_found}
Hi Amin,
nice blog post. BTW, the controlled mode distribution mode issue has been addressed in OES 11gR1 BP01 (Bundle Patch 1).
Thanks,
Subbu