Oracle Entitlement Server (OES) is a fine-grained authorization server from Oracle (acquired from BEA’s AquaLogic Entitlement Server) in which you define a policy for an application that covers all application resources that must be protected. The OES Security Module (OESSM) acts as the Policy Enforcement Point (PEP) and can also act as the Policy Decision Point (PDP).
How do you identify which application resources need to be protected and which policies to define?
To do this, install and configure the OES Security Module and enable Discovery Mode for it. Once the Security Module is running in Discovery Mode, perform actions in the application that reflect its actual use. Based on the actions performed by the user, OES writes a policy set to files that can be imported into the OES Server.
Note: Discovery Mode doesn’t implement policy; it only creates a policy set that can be imported into OES for enforcement.
Note: Discovery Mode doesn’t create a policy set for everything. Use the discovered policy set as a starting point for creating the policies required in OES to protect the application.
How to enable Discovery Mode for OESSM in OES 11g
1. Start the OESSM Config tool
cd $OESCLIENT_ORACLE_HOME/oes_sm_instances/[OESSM_NAME]/bin/ (where OESSM_NAME in my case is )
./oessmconfig.sh -jpsconfig [WEBLOGIC_APPS_DOMAIN]/config/fmwconfig/jps-config.xml (jps-config.xml is from $DOMAIN_HOME/config/fmwconfig of the domain where the application whose policy set you wish to discover is deployed)
3. Save the changes. This adds the following properties to [WEBLOGIC_APPS_DOMAIN]/config/fmwconfig/jps-config.xml
oracle.security.jps.discoveryMode
oracle.security.jps.discoveredPolicyDir
Note: The above step causes the discovered policy to be written to the file discovery-jazn-data.xml under the directory defined by oracle.security.jps.discoveredPolicyDir
More on the discovered policy format and importing discovered policy data into OES in later posts!
Note: During Discovery Mode of OESSM, OES policies for that Security Module are not enforced.
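Because policies are not enforced while Discovery Mode is on, it is worth checking a domain's jps-config.xml for the two properties above before the application serves real users. The following is an added example, not code from the original post or from Oracle; it assumes the properties are stored as <property name="..." value="..."/> elements directly under a serviceInstance element and that "true" is the enabled value, and the sample XML (including its namespace and instance names) is constructed.

```python
import sys
import xml.etree.ElementTree as ET

MODE = "oracle.security.jps.discoveryMode"
POLICY_DIR = "oracle.security.jps.discoveredPolicyDir"

# Constructed sample; namespace, instance and provider names are placeholders.
SAMPLE = """<jpsConfig xmlns="urn:example:jps-config">
  <serviceInstances>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.discoveryMode" value="true"/>
      <property name="oracle.security.jps.discoveredPolicyDir" value="/tmp/discovered"/>
    </serviceInstance>
    <serviceInstance name="other.service" provider="other.provider">
      <property name="some.other.property" value="x"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def discovery_findings(xml_text):
    """Return one finding per serviceInstance that sets a discovery property."""
    findings = []
    for inst in ET.fromstring(xml_text).iter():
        if local(inst.tag) != "serviceInstance":
            continue
        props = {p.get("name"): (p.get("value") or "").strip()
                 for p in inst if local(p.tag) == "property"}
        if MODE in props or POLICY_DIR in props:
            findings.append({
                "instance": inst.get("name"),
                "discovery_on": props.get(MODE, "").lower() == "true",
                "policy_dir": props.get(POLICY_DIR),
            })
    return findings

def main(argv):
    # With no argument the constructed sample is checked instead of a file.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE
    findings = discovery_findings(text)
    for f in findings:
        state = "ON (policies not enforced)" if f["discovery_on"] else "off"
        print(f"{f['instance']}: discovery mode {state}, output dir {f['policy_dir']}")
    return 1 if any(f["discovery_on"] for f in findings) else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to jps-config.xml as the only argument; a non-zero exit status means at least one service instance still has Discovery Mode enabled.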