oracle-idm

Copyright 2019 © LimePoint Pty Ltd. All rights reserved.

License & Authors

  • Author:: LimePoint (support@limepoint.com)

# MintPress® - Automation and Configuration Management
#
# Copyright © 2019 LimePoint. All rights reserved.
#
# This program and its contents are confidential and owned by LimePoint.
# Only licenced users are permitted to access and use this file.
# This program (or any part of it) may not be disclosed, copied or used
# except as expressly permitted in LimePoint’s End User Licence Agreement.
#
# LimePoint® and MintPress® are Registered Trademarks of LimePoint IP Limited.
# For more information contact LimePoint at http://www.limepoint.com

Deploying OAM Policies

Deploying OAM 11.1.2.3 Policies

You must be on MintPress 3.4.1+ for this to work.

Understanding the Policy Input File

The policy input file is an XML file in the MintOAM format that MintPress reads. The file should have the following structure:

<?xml version="1.0" encoding="UTF-8"?>
<MintOAM version="11.1.2">
	<ApplicationDomains>
		<!-- MintPress only accepts 1 value for applicationDomain -->
		<ApplicationDomain>
			<name>Test Domain</name>
			<description>Description of the Test Domain</description>
			<policy-order>false</policy-order>
			<ResourcePrefixes />
		</ApplicationDomain>
	</ApplicationDomains>
	<HostIdentifiers>
		<!-- MintPress only accepts 1 value for HostIdentifier -->
		<HostIdentifier>
			<name>example.host.com</name>
			<description>This is a host identifier</description>
			<Hosts>
				<host>
					<hostName>example1.com.au</hostName>
					<port>443</port>
				</host>
				<host>
					<hostName>example1.com.au</hostName>
					<port>80</port>
				</host>
				<!-- You can add as many hosts entries here -->
			</Hosts>
		</HostIdentifier>
	</HostIdentifiers>
	<AuthenticationSchemes>
		<!-- You can have as many authentication schemes as you want -->
		<AuthenticationScheme>
			<name>TestAuthenticationScheme</name>
			<description>Just a test auth scheme</description>
			<!-- The authentication module MUST already exist in OAM, putting this value here won't create it -->
			<authnModuleName>LDAP</authnModuleName>
			<authnSchemeLevel>2</authnSchemeLevel>
			<challengeMechanism>FORM</challengeMechanism>
			<ChallengeParameters>
				<challengeParameter>
					<key>contextType</key>
					<value>external</value>
				</challengeParameter>
				<challengeParameter>
					<key>username</key>
					<value>string</value>
				</challengeParameter>
				<challengeParameter>
					<key>challenge_url</key>
					<value>https://example1.host.com/login</value>
				</challengeParameter>
			</ChallengeParameters>
			<challengeRedirectURL>https://example1.host.com/oam/server/</challengeRedirectURL>
		</AuthenticationScheme>
	</AuthenticationSchemes>
	<Resources>
		<!-- You can have as many resources as you want. Remember to use a unique ID for each resource though -->
		<Resource>
			<!-- This ID is important; you can put any valid ASCII value in here. It does not need to be the ID of the resource in OAM: it is used only for internal reference in MintPress, and is the value used to refer to this resource in the Authentication and Authorization policy sections later -->
			<id>1</id>
			<description>this is a resource</description>
			<protectionLevel>PROTECTED</protectionLevel>
			<resourceURL>/testapp1</resourceURL>
			<!-- The QueryParameters section is optional and you don't need to have it. If you do, it must be in the following format -->
			<QueryParameters>
				<queryParameter>
					<key>parameter1_name</key>
					<value>parameter1_value</value>
				</queryParameter>
				<queryParameter>
					<key>parameter2_name</key>
					<value>parameter2_value</value>
				</queryParameter>
			</QueryParameters>
			<resourceTypeName>HTTP</resourceTypeName>
			<!-- Operations section is optional, if it exists, it should have the following format. You should only mention the operations you need. If you don't specify the operations tag, all operations will be added -->
			<Operations>
				<operation>POST</operation>
				<operation>GET</operation>
				<operation>CONNECT</operation>
				<operation>OPTIONS</operation>
				<operation>HEAD</operation>
			</Operations>
		</Resource>
	</Resources>
	<AuthenticationPolicies>
		<!-- You can have as many authentication policies as you like -->
		<AuthenticationPolicy>
			<name>Example-Policy</name>
			<Resources>
				<!-- The value here should be the ID that you defined in the resources section. -->
				<Resource>1</Resource>
			</Resources>
			<failureRedirectURL>https://example.com.au/failed</failureRedirectURL>
			<successResponses>
				<response>
					<name>RES_URL</name>
					<responseType>HEADER</responseType>
					<responseValue>${request.res_type}://${request.res_host}${request.res_complete_url}</responseValue>
				</response>
			</successResponses>
			<!-- This authentication scheme should either (a) exist in OAM or (b) should be defined above in the authenticationscheme section -->
			<authenticationSchemeName>TestAuthenticationScheme</authenticationSchemeName>
			<authnLevel>2</authnLevel>
			<usingDefaultAuthnScheme>false</usingDefaultAuthnScheme>
		</AuthenticationPolicy>
	</AuthenticationPolicies>
	<AuthorizationPolicies>
		<!-- You can have as many authorization policies as you like -->
		<AuthorizationPolicy>
			<name>AuthZ-Policy-1</name>
			<description>Policy description</description>
			<Resources>
				<!-- this should have the unique IDs of resources you defined above -->
				<Resource>1</Resource>
				<Resource>8</Resource>
			</Resources>
			<successResponses>
				<!-- you can have as many responses here -->
				<response>
					<name>oracle:idm:ids:attributes.name</name>
					<responseType>ATTRIBUTE_ASSERTION</responseType>
					<responseValue>$user.attr.displayName</responseValue>
				</response>
				<response>
					<responseType>IDENTITY_ASSERTION</responseType>
				</response>
				<response>
					<name>X-Example-name</name>
					<responseType>HEADER</responseType>
					<responseValue>$user.attr.givenName</responseValue>
				</response>
			</successResponses>
			<!-- Conditions are optional -->
			<Conditions>
				<trueCondition>
					<name>TRUE</name>
					<description>This condition always evaluates to true.</description>
					<conditionType>TRUE</conditionType>
				</trueCondition>
			</Conditions>
			<!-- Rules are optional -->
			<Rules>
				<rule>
					<combinerType>SIMPLE</combinerType>
					<combiner>
						<simpleCombiner>
							<combinerMode>ALL</combinerMode>
							<Conditions>
								<condition>TRUE</condition>
							</Conditions>
						</simpleCombiner>
					</combiner>
					<effect>ALLOW</effect>
				</rule>
			</Rules>
		</AuthorizationPolicy>
	</AuthorizationPolicies>
</MintOAM>
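As an added pre-deploy check (example code, not part of the oracle-idm gem), the following Ruby script parses a MintOAM policy file with the standard-library REXML parser and verifies the constraints noted in the comments above: exactly one ApplicationDomain and one HostIdentifier, unique resource ids, every policy Resource reference resolving to a defined id, and every referenced authentication scheme either defined in the file or passed in via the assumed `known_schemes` list as already existing in OAM. Run against the constructed sample inside it, the script flags the same dangling reference to resource 8 that the example above contains.

```ruby
# Added example, not part of the oracle-idm gem: pre-deploy checks for a MintOAM policy file.
require 'rexml/document'

# Constructed sample (trimmed): AuthZ-Policy-1 references resource 8, which is never defined.
SAMPLE_POLICY_XML = <<~XML
  <MintOAM version="11.1.2">
    <ApplicationDomains><ApplicationDomain><name>Test Domain</name></ApplicationDomain></ApplicationDomains>
    <HostIdentifiers><HostIdentifier><name>example.host.com</name></HostIdentifier></HostIdentifiers>
    <AuthenticationSchemes><AuthenticationScheme><name>TestAuthenticationScheme</name></AuthenticationScheme></AuthenticationSchemes>
    <Resources><Resource><id>1</id><resourceURL>/testapp1</resourceURL></Resource></Resources>
    <AuthenticationPolicies><AuthenticationPolicy><name>Example-Policy</name>
      <Resources><Resource>1</Resource></Resources>
      <authenticationSchemeName>TestAuthenticationScheme</authenticationSchemeName>
    </AuthenticationPolicy></AuthenticationPolicies>
    <AuthorizationPolicies><AuthorizationPolicy><name>AuthZ-Policy-1</name>
      <Resources><Resource>1</Resource><Resource>8</Resource></Resources>
    </AuthorizationPolicy></AuthorizationPolicies>
  </MintOAM>
XML

# Returns a list of problems (empty means the file passes). known_schemes lists scheme
# names that already exist in OAM, since a policy may reference one of those instead.
def validate_policy_xml(xml, known_schemes: [])
  root = REXML::Document.new(xml).root
  problems = []
  # MintPress accepts exactly one ApplicationDomain and one HostIdentifier
  %w[ApplicationDomains/ApplicationDomain HostIdentifiers/HostIdentifier].each do |path|
    n = root.get_elements(path).size
    problems << "#{path}: expected exactly 1, found #{n}" unless n == 1
  end
  # Resource ids are MintPress-internal references and must be unique
  ids = root.get_elements('Resources/Resource/id').map { |e| e.text.to_s.strip }
  problems << "duplicate resource ids: #{ids.uniq.select { |i| ids.count(i) > 1 }.join(', ')}" if ids.uniq.size < ids.size
  # Every <Resource> a policy references must be one of the ids defined above
  %w[AuthenticationPolicies/AuthenticationPolicy AuthorizationPolicies/AuthorizationPolicy].each do |path|
    root.each_element(path) do |pol|
      pol.each_element('Resources/Resource') do |ref|
        next if ids.include?(ref.text.to_s.strip)
        problems << "policy #{pol.elements['name']&.text}: unknown resource id #{ref.text}"
      end
    end
  end
  # A referenced authentication scheme must be defined here or already exist in OAM
  defined = root.get_elements('AuthenticationSchemes/AuthenticationScheme/name').map(&:text)
  root.each_element('AuthenticationPolicies/AuthenticationPolicy') do |pol|
    s = pol.elements['authenticationSchemeName']&.text
    next if defined.include?(s) || known_schemes.include?(s)
    problems << "policy #{pol.elements['name']&.text}: unknown authentication scheme #{s}"
  end
  problems
end
```

Pointing the script at the real file (`File.read('/oracle/app/deploy/example_domain.xml')`) before calling `deploy` turns a failed REST call into an actionable message.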

Importing the Policy File

Create a file with the following content and run it from the MintPress server.


require 'oracle-idm'


opts = {
    oam_url: 'http://oamhost:oamport/oam',
    # User needs to have privileges to create/update/delete policy objects
    oam_user: 'weblogic',
    # You can also get the password from the MintPress Vault
    oam_password: Mint::Secret.new('welcome123'),
    # Path of the policy file. The file should be in the format defined above.
    policy_file: '/oracle/app/deploy/example_domain.xml',
    # If the URL in oam_url is not reachable from where this file is executed, specify a host
    # from which it is reachable. MintPress configures policies through OAM REST calls, so
    # oam_url must be accessible from that host. If you don't pass host, MintPress uses localhost.
    host: MintPress::Infrastructure::Host.new(name: 'oamserver1.mintpress.io', connect_user: 'mintpress', final_user: 'oracle')
}

policy_domain = MintPress::OracleAccessManagement::PolicyModel.new(opts)
policy_domain.deploy


# Harvesting OAM Policies
## Harvesting OAM 11.1.2.3 Policies
You must be on MintPress 3.5.1+ for this to work.

### Harvesting all Policies
Create a file with the following content and run it from the MintPress server.

```ruby
require 'oracle-idm'

opts = {
    oam_url: 'oamhost:oamport/oam',
    oam_user: 'weblogic',
    oam_password: Mint::Secret.new('welcome123'),
    # Folder where the harvested policy files will be written
    output_folder: '/oracle/app/harvest',
    # If the URL in oam_url is not reachable from where this file is executed, specify a host
    # from which it is reachable. MintPress reads policies through OAM REST calls, so
    # oam_url must be accessible from that host. If you don't pass host, MintPress uses localhost.
    host: MintPress::Infrastructure::Host.new(name: 'oamserver1.mintpress.io', connect_user: 'mintpress', final_user: 'oracle')
}

policies = MintPress::OracleAccessManagement::PolicyHarvest.new(opts)
policies.harvest
```


### Harvesting a single application domain

```ruby
require 'oracle-idm'

opts = {
    oam_url: 'oamhost:oamport/oam',
    oam_user: 'weblogic',
    oam_password: Mint::Secret.new('welcome123'),
    # Folder where the harvested policy file will be written
    output_folder: '/oracle/app/harvest',
    # Only the policies of this application domain are harvested
    appdomain_name: 'testdomain'
}

policies = MintPress::OracleAccessManagement::PolicyHarvest.new(opts)
policies.harvest
```