Delegated Administration
Services: Creating and Managing an Identity Management Realm
Purpose
This lesson provides instructions to create a new
Identity Management Realm by using Delegated Administration Services (DAS).
In addition, you learn to create users in the realm.
Overview
The Delegated Administration Services (DAS) is
a Web-based administration tool used to manage Identity Management infrastructure.
This tool is used for managing users, groups, and realms. An Identity Management
Realm is an entity or organization that subscribes to the services offered
in the Oracle product stack. In simple terms, a realm is the location in OID
where all the user and group contexts reside.
A default realm is created during
the installation of Oracle Identity Management. It is where Oracle components
find users, groups, and associated policies whenever the name of the realm
is not specified. If you accept the defaults while installing Oracle Application
Server 10g Infrastructure, then your default realm is set to the domain
of your machine. Following is an example of such a domain:
dc=acme,dc=com
The default users are located in cn=users,dc=acme,dc=com
and the default groups are located in cn=groups,dc=acme,dc=com.
You can define multiple Identity Management realms within
the same Oracle Identity Management infrastructure. Each realm must have
a unique name. You can create multiple realms if you want to:
Isolate user populations
Have different user communities such as Employees,
Customers, and so on
Enforce different policies to different communities
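The isolation described above rests on each realm owning its own user and group containers under its realm DN. The following added example (not part of the Oracle lesson) derives those default containers from a realm DN and checks whether an entry DN really sits inside a given realm's user subtree; the realm DNs and user entries it uses are constructed, and the cn=users / cn=groups layout is assumed to match the defaults the lesson shows.

```python
# Added example, not code from the Oracle tutorial. Derives a realm's default
# user/group containers (cn=users,<realm DN> and cn=groups,<realm DN>, as the
# lesson describes) and checks realm membership of an entry DN by comparing
# normalized RDN suffixes. Commas inside values are handled via backslash
# escaping (RFC 4514 style), so "cn=Doe\, John" is a single RDN.
from typing import Dict, List


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":             # unescaped comma ends the current RDN
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def normalize_rdn(rdn: str) -> str:
    """Lower-case attribute type and value; drop spaces around '='."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def realm_bases(realm_dn: str) -> Dict[str, str]:
    """Default search/creation bases, e.g. cn=users,dc=acme,dc=com."""
    return {
        "user_search_base": f"cn=users,{realm_dn}",
        "user_creation_base": f"cn=users,{realm_dn}",
        "group_search_base": f"cn=groups,{realm_dn}",
        "group_creation_base": f"cn=groups,{realm_dn}",
    }


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn equals base_dn or is a descendant of it."""
    entry = [normalize_rdn(r) for r in split_dn(entry_dn)]
    base = [normalize_rdn(r) for r in split_dn(base_dn)]
    return len(entry) >= len(base) and entry[-len(base):] == base


def realm_of(entry_dn: str, realm_dns: List[str]) -> str:
    """Return the realm whose user container holds entry_dn, or '' if none."""
    for realm in realm_dns:
        if is_under(entry_dn, realm_bases(realm)["user_search_base"]):
            return realm
    return ""
```

Because the check compares whole RDN suffixes rather than substrings, a user created under a child realm (dc=nasa,dc=acme,dc=com) is correctly reported as outside the parent realm's cn=users container.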
To create a new Identity Management realm, perform the following:
1.
Open your browser, and enter the following URL:
http://<hostname>.<domain>:7777/oiddas
The Oracle Internet Directory Self Service
Console appears.
Click Login.
Log in to DAS with administrative privileges (User orcladmin).
2.
You will again see the Oracle Internet Directory Self
Service Console. The Self Service Console is a ready-to-use application
created by using Oracle Delegated Administration Services. It provides
a single graphical interface for delegated administrators and end users
to manage data in the directory.
3.
Click the Configuration tab.
4.
Click the Realm Management link.
5.
Click Create on the Identity Management Realms
page.
6.
The Create Identity Management Realm page is displayed.
Enter NASA in the Realm Name field. This name is used to create the directory tree realm in Oracle Internet Directory
(OID). Enter a name in the Realm Contact field, and enter a short
description in the Description field. The Realm Contact
and Description fields are optional. Click Submit to create
the realm with the details you specified.
Wait to see a confirmation page for realm creation.
Click OK.
7.
Enter NASA in the Search Identity Management Realm field, and click Go.
8.
Select NASA in the table, and click View.
9.
Make a note of User Search Base, User Creation Base,
Group Search Base, and Group Creation Base values.
10.
Click Home.
11.
Click the Configuration tab.
12.
Enter the values you noted for User Search Base, User
Creation Base, Group Search Base, and Group Creation Base. Scroll down
and click Submit.
13.
Start Oracle Directory Manager
and view the realm that was created. Open a command window. Change directory
to ORACLE_HOME/bin. Execute oidadmin
by issuing the following command:
sh oidadmin
The first time you start Oracle
Directory Manager, an alert message is displayed saying that you must connect to a server.
Click OK.
14.
The Directory Server Name Manager
dialog box is displayed. Click Add.
15.
In the Directory Server Connection dialog box, enter values in the Server
and Port fields. Click OK.
Click OK.
16.
The Oracle Directory Manager Connect dialog box appears.
Log in as orcladmin user.
17.
Expand Entry Management and look for dc=com.
Similarly, expand dc=com and dc=oracle. You see the realm,
NASA, that you created.
18.
Restart OC4J_SECURITY. Switch to the browser window
and enter the URL http://<hostname>.<domain>:1810. Click the link for the application server instance.
19.
The Application Server home page of Oracle Enterprise Manager 10g Application Server Control appears. This page provides an overview of the Oracle Application Server
10g instance: status, performance, and configured components. Scroll down
to see the System Components table.
To create a new user in the realm, perform the following:
1.
In the
browser, change the URL to http://<hostname>.<domain>:7777/oiddas.
Click Login and log in to DAS
as the "orcladmin" user. Click the Directory tab.
2.
Click
Create.
3.
On the Create User page, enter values for the mandatory
fields in the Basic Information section. Observe the parent DN field.
In this field, you can select the realm to which the user should belong.
Select the realm you created.
4.
To assign the Privilege Group role to the user, scroll down
to Roles Assignment and select the Privilege Group check box. Click
Submit.
Click OK.
5.
Click Logout to log out of DAS. Click Return.
Click Login and log in as the new user you just
created.
Configuring SSO for a multirealm environment enables you
to choose a realm when you log in. Configuring the single sign-on
server for multiple realms involves creating an entry for each realm in the
single sign-on schema. Every realm that you create in OID must have a corresponding
entry in the single sign-on schema. This SSO configuration is also known as "Hosting."
After successful configuration, you see an extra field (Company) on the
login page.
1.
Switch to command prompt and change directory to <ORACLE_HOME>/sso/admin/plsql/wwhost.
Execute the enblhstg.csh
script:
The realm nickname.
This is the value that you enter in the Company field on the login
page.
-id
The realm ID. Choose an integer greater
than 1. The value 1 is reserved for the default realm. The single
sign-on server uses realm IDs internally as an index.
-sp
The sys
schema password. The default is CHANGE_ON_INSTALL.
If you see a warning for duplicated subscriber entry,
choose to use the existing entry.
4.
Edit the login.jsp
file that is present in the <ORACLE_HOME>/j2ee/OC4J_SECURITY/applications/sso/web/jsp folder.
Uncomment the lines shown below, and
save the file.
5.
Open a browser window, and enter the URL http://<hostname>.<domain>:1810.
Log in as ias_admin with the ias_admin password. Click the link for the application
server instance in the Standalone Instances table.
6.
Click Restart All.
Click Yes when asked for confirmation.
7.
In the browser window, change the URL to http://<hostname>.<domain>:7777/oiddas.
Click Login and log in as the orcladmin user in the default realm.
8.
Log out and then log in as a user in the new realm you
created.
9.
Log out and log in as the orcladmin user in the new realm. You have
one orcladmin user for each realm. This is required because you may have
different administrators for each realm and each of these administrators
may have different passwords.