
DAS: Realm Creation and Management

What is a "Realm" as it relates to Oracle Identity Management? In a nutshell, a realm is the subtree of the OID directory under which all of your user and group entries reside.

After you install the 10g AS infrastructure you will have a default realm already configured and ready to use. During installation you would have selected a value for your Infrastructure domain. If you accepted the defaults during installation of your infrastructure, your realm will be set to the domain of the machine you are on. Typically this domain will look something like this:

dc=acme,dc=com

This domain is also referred to as the default identity management realm.

Therefore your default users will be located in:

cn=users,dc=acme,dc=com

Your default groups will be located in:

cn=groups,dc=acme,dc=com

For most deployments the default realm is all you will ever need to manage all of your users, groups and applications.

Some people are under the impression that they need to separate all of their users and applications in order to better manage their infrastructure. This is simply not necessary even if you import user and group identities from other LDAP directories. Using DAS you can delegate administration of users and groups without separating them into different realms.

Some reasons why you may want to create a new realm

Separate password policies for member entries

Different User Communities (One for employees and one for customers)

Different naming attributes

Different sets of services provisioned

Different user schema definitions

Aside from these reasons you probably do not need to configure additional realms for your users, groups and applications.

In this lesson you will learn the following:

How to create a new Identity Management Realm using DAS

Create a new user in the new Realm


How to create a new Identity Management Realm using DAS

In a browser, log in to DAS as a user with administrative permission in the default realm. Typically this is the user "orcladmin".

The DAS URL will be the FQDN of the server running your infrastructure plus the port number of the web server followed by /oiddas. If you are not sure of your web server port number you can find out what it is by checking the $ORACLE_HOME/install/portlist.ini file.

Example:

http://aspen.us.oracle.com:7777/oiddas

After you log in, select the "Configuration" tab.

After selecting the "Configuration" tab you should see a link called "Realm Management" appear above the "Configuration" tab. Click on this link.

In the "Identity Management Realm" form, click the "Create" button.

In the "Create Identity Management Realm" form you will need to fill in three fields.

In the "Realm Name" field assign a meaningful name such as a company or organization name. This name will be used to create the directory tree realm in OID.

For instance, if you give your Realm the name "NASA" a new tree will be created in OID called dc=NASA,dc=com.

The "Realm Contact" and "Description" fields are optional.

After you click the "Submit" button there may be a short delay before you get your confirmation that the new Realm has been created.

Once your new realm has been created you can view the entire realm with the Oracle Directory Manager GUI.


After creating the new realm it will be necessary to update the SSO server so that users in our new realm are able to authenticate to their applications. We will be running a sqlplus command to complete this update in the SSO server which will also require you to know the orasso schema password. Do the following to obtain the orasso schema password.

Start the Oracle Directory Manager.

Navigate the DIT as follows:

cn=OracleContext
cn=Products
cn=IAS
cn=IAS Infrastructure Databases
orclReferenceName=iasdb.us.oracle.com
OrclResourceName=ORASSO

The orasso schema password is in the attribute "orclpasswordattribute". Copy this value and use it in the next step.

From the command prompt change directory to:

$ORACLE_HOME/sso/admin/plsql/sso

Type the following command:

sqlplus orasso/orassoschemapassword @ssoreoid.sql

Now it will be necessary to restart OC4J_SECURITY. This can be done either by command or through the GUI.

Command line example:

# opmnctl restartproc type=oc4j instancename=OC4J_SECURITY

Alternately you can restart this process from the Web UI. Go to your enterprise manager console:

Example:

http://aspen.us.oracle.com:1810

Click on your infrastructure link.

Select the "OC4J_SECURITY" check box and then click the "Restart" button.
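The SSO update steps above (read the orasso schema password from OID, run ssoreoid.sql, restart OC4J_SECURITY) collected into one script, as an added example that is not part of the lesson. It assumes Oracle's ldapsearch, sqlplus and opmnctl are on the PATH, that the operator sets OID_HOST, OID_PORT and ORCLADMIN_PW_FILE, and it keeps the lesson's database reference name as the default.

```shell
#!/bin/sh
# Added example, not part of the lesson: the post-realm-creation SSO update
# (read the orasso schema password from OID, run ssoreoid.sql, restart
# OC4J_SECURITY) as one script.  Assumes Oracle's ldapsearch, sqlplus and
# opmnctl are on PATH and that the operator sets OID_HOST, OID_PORT and
# ORCLADMIN_PW_FILE (a mode-600 file holding the orcladmin password).
DB_REF="${DB_REF:-iasdb.us.oracle.com}"   # orclReferenceName from the lesson
# Realm name -> realm DN, following the lesson's "NASA" -> dc=NASA,dc=com rule.
realm_dn() {
  printf 'dc=%s,dc=com\n' "$1"
}

# DN of the ORASSO resource entry, i.e. the DIT path the lesson walks in
# Oracle Directory Manager, written leaf-first as a DN.
orasso_dn() {
  printf 'OrclResourceName=ORASSO,orclReferenceName=%s,' "$1"
  printf 'cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext\n'
}

# Read orclpasswordattribute with a base-scope search, output in LDIF (-L)
# so the value appears as "orclpasswordattribute: <value>".
fetch_orasso_password() {
  ldapsearch -h "$OID_HOST" -p "$OID_PORT" -L \
    -D cn=orcladmin -w "$(cat "$ORCLADMIN_PW_FILE")" \
    -b "$(orasso_dn "$DB_REF")" -s base 'objectclass=*' orclpasswordattribute |
    sed -n 's/^orclpasswordattribute: //p'
}

# Run ssoreoid.sql as orasso.  The credentials go to sqlplus on stdin instead
# of on the command line, so they are not visible to other users via ps.
update_sso_server() {
  pw="$(fetch_orasso_password)"
  [ -n "$pw" ] || { echo "could not read orasso password from OID" >&2; return 1; }
  cd "$ORACLE_HOME/sso/admin/plsql/sso" || return 1
  sqlplus -S /nolog <<EOF
connect orasso/$pw
@ssoreoid.sql
exit
EOF
  # OC4J_SECURITY must be restarted for SSO to pick up the new realm.
  opmnctl restartproc type=oc4j instancename=OC4J_SECURITY
}

# Only touch the servers when invoked as "sh script.sh run"; otherwise the
# functions are merely defined (for sourcing or checking the DNs).
if [ "${1:-}" = run ]; then
  update_sso_server
fi
```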


Create a new user in the new Realm

Now we will demonstrate how to create a new user in the realm we just created using DAS.

Log in to DAS as the "orcladmin" user.

Select the "Directory" tab.

Click on the "Create" button.

In the "Basic Information" section of the form you will see a new field called "parentDN". This field will allow you to select the realm in which the user will be created.

Select your new realm from the "parentDN" field.

Fill in the rest of the mandatory fields and assign the user the "Privileged Group" role.

Click the "Submit" button when you are finished configuring your new user.


Verify the new user can log in to an SSO application such as DAS.

Log out of DAS and then log in to DAS as your new user. Since there are now two user search bases, the SSO server should be able to find the new user in the new realm and check the user's credentials.

In the lesson on the next page we will show you how to configure DAS and SSO in a hosted configuration. A hosted configuration allows you to select which realm you want to log in to.
