Friday, September 4, 2009

Step by Step Details on Debugging an Oracle Entitlements Server (OES) Security Module Instance

The following details how to troubleshoot authorization failures in an Oracle Entitlements Server Security Module Instance. The OES product is available for download from the following link.


What is OES? From the OES documentation: "Oracle Entitlements Server provides fine-grained entitlement management solution that secures critical applications with performance and reliability. By combining centralized policy management with distributed policy decision-making and enforcement, it allows you to rapidly adapt to changing business requirements. Typical uses include fine-grained entitlements for application functionality, dynamic data redaction and privacy at the source, and controlling access to web service endpoints."


Troubleshooting:

If the issue at hand is understanding, during development, why a particular policy evaluated to GRANT or DENY, the best approach is to enable debugging in the SSM instance’s log4j.properties file, which is located in the “config” directory of the SSM instance. Once that is done, restart the SSM instance, run the application in question to exercise the policy, and then look in the SSM “instance” log directory for the system_console.log file. Open this file in a text editor, scroll to the bottom and look for the policy decision in question to understand why the policy evaluated the way it did.


Step by Step Details on Debugging an SSM Instance:

Enable debugging on the RMI-SSM to see verbose debug logging as the application is run. This is a good place to look in order to determine why something is or is not authorized. To enable debugging in this example, go to the OES_HOME\ales32-ssm\rmi-ssm\instance\\config directory. In the following example there is an RMI-SSM instance called "CoherenceSSM" which is referenced throughout.

  1. Edit the log4j.properties file and uncomment these lines:
     log4j.logger.com.bea.security.providers.authorization = DEBUG
     log4j.logger.com.wles.util.DebugStore=DEBUG
  2. Clear out the log files in BEA_HOME\ales32-ssm\rmi-ssm\instance\CoherenceSSM\log
  3. Restart the SSM instance.
  4. View the “system_console.log” file under BEA_HOME\ales32-ssm\rmi-ssm\instance\CoherenceSSM\log
  5. The following shows an example of a failed authorization: the user “dave” is not part of the Coherence_Group for this resource, so no ATZ policy applies and the result is ABSTAIN:

     2009-02-03 21:18:49,969 [RMI TCP Connection(2)-141.144.104.221] DEBUG com.wles.util.DebugStore - queryAccess: DebugStore:
     ========== Policy Evaluation Info ==========
     RequestResource is: //app/policy/CoherenceSSM/__ASTR_
     UserInfo:
     Name: //user/asi/dave/
     Groups: //sgrp/asi/allusers/
     Resource Present: true
     Roles Granted: NONE
     Role Mapping Policies: NONE
     ATZ Policies: NONE
     ========== Policy Evaluation Info ==========
     2009-02-03 21:18:49,969 [RMI TCP Connection(2)-141.144.104.221] DEBUG com.bea.security.providers.authorization.asi.ARME.engine.ARME - unlock policy lock for read
     2009-02-03 21:18:49,969 [RMI TCP Connection(2)-141.144.104.221] DEBUG com.bea.security.providers.authorization.asi.AuthorizationProviderImpl - result is UNKNOWN
     2009-02-03 21:18:49,969 [RMI TCP Connection(2)-141.144.104.221] INFO com.bea.security.providers.authorization.asi.AccessResultLogger - Subject Subject:
     Principal: asi
     Principal: dave
     privilege join resource //app/policy/CoherenceSSM/__ASTR_ result ABSTAIN

  6. The following shows an example of a successful authorization: the user “steve” IS part of the Coherence_Group for this resource, so the grant policy for that group matches and the result is PERMIT:

     2009-02-03 21:21:57,969 [RMI TCP Connection(4)-141.144.104.221] DEBUG com.wles.util.DebugStore - queryAccess: DebugStore:
     ========== Policy Evaluation Info ==========
     RequestResource is: //app/policy/CoherenceSSM/testCache
     UserInfo:
     Name: //user/asi/steve/
     Groups: //sgrp/asi/Coherence_Group/ //sgrp/asi/allusers/
     Resource Present: true
     Roles Granted: NONE
     Role Mapping Policies: NONE
     ATZ Policies:
     1. Result: true; Policy Type: grant
     Privilege: any
     Resource: //app/policy/CoherenceSSM/testCache
     Subject: //sgrp/asi/Coherence_Group/
     Constraints: NONE
     Delegator: null
     ========== Policy Evaluation Info ==========
     2009-02-03 21:21:57,969 [RMI TCP Connection(4)-141.144.104.221] DEBUG com.bea.security.providers.authorization.asi.ARME.engine.ARME - unlock policy lock for read
     2009-02-03 21:21:57,969 [RMI TCP Connection(4)-141.144.104.221] DEBUG com.bea.security.providers.authorization.asi.AuthorizationProviderImpl - result is GRANT
     2009-02-03 21:21:57,969 [RMI TCP Connection(4)-141.144.104.221] DEBUG com.bea.security.providers.authorization.asi.AccessResultLogger - Subject Subject:
     Principal: asi
     Principal: steve
     Principal: Coherence_Group
     privilege join resource //app/policy/CoherenceSSM/testCache result PERMIT
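As an added example that is not part of the original post, the following Python reads the DebugStore "Policy Evaluation Info" blocks from a constructed, abridged copy of system_console.log and states, for each queryAccess, who requested which resource, the provider result, and why it came out that way (resource not present, no ATZ policy matched the user's groups, or which policy matched). The field layout is taken from the excerpts above; the regular expressions are an assumption about that layout, not an OES tool.

```python
import re

# Constructed, abridged sample of two queryAccess entries as they appear in system_console.log.
SAMPLE_LOG = """\
2009-02-03 21:18:49,969 [RMI TCP Connection(2)] DEBUG com.wles.util.DebugStore - queryAccess: DebugStore:
========== Policy Evaluation Info ==========
RequestResource is: //app/policy/CoherenceSSM/__ASTR_
UserInfo:
Name: //user/asi/dave/
Groups: //sgrp/asi/allusers/
Resource Present: true
ATZ Policies: NONE
========== Policy Evaluation Info ==========
2009-02-03 21:18:49,969 [RMI TCP Connection(2)] DEBUG com.bea.security.providers.authorization.asi.AuthorizationProviderImpl - result is UNKNOWN
2009-02-03 21:21:57,969 [RMI TCP Connection(4)] DEBUG com.wles.util.DebugStore - queryAccess: DebugStore:
========== Policy Evaluation Info ==========
RequestResource is: //app/policy/CoherenceSSM/testCache
UserInfo:
Name: //user/asi/steve/
Groups: //sgrp/asi/Coherence_Group/ //sgrp/asi/allusers/
Resource Present: true
ATZ Policies:
1. Result: true; Policy Type: grant
Resource: //app/policy/CoherenceSSM/testCache
Subject: //sgrp/asi/Coherence_Group/
========== Policy Evaluation Info ==========
2009-02-03 21:21:57,969 [RMI TCP Connection(4)] DEBUG com.bea.security.providers.authorization.asi.AuthorizationProviderImpl - result is GRANT
"""

# One banner-delimited evaluation block plus the provider's "result is ..." line that follows it.
BLOCK_RE = re.compile(r"=+ Policy Evaluation Info =+\n(?P<body>.*?)\n=+ Policy Evaluation Info =+\n"
                      r".*?result is (?P<result>\w+)", re.S)
# Each listed ATZ policy, from its "N. Result: ...; Policy Type: ..." line down to the Subject it matched on.
POLICY_RE = re.compile(r"^\d+\. Result: (\w+); Policy Type: (\w+)\n.*?^Subject: (\S+)", re.M | re.S)

def explain_decisions(log_text):
    """Return (user, resource, result, reason) for each queryAccess block in the log text."""
    findings = []
    for m in BLOCK_RE.finditer(log_text):
        body, result = m.group("body"), m.group("result")
        fields = dict(re.findall(r"^([^:\n]+): ?(.*)$", body, re.M))   # "Key: value" lines
        user, resource = fields["Name"], fields["RequestResource is"]
        policies = POLICY_RE.findall(body)
        if fields["Resource Present"] != "true":
            reason = "resource is not registered in the policy store"
        elif not policies:
            reason = f"no ATZ policy applies to {user} (groups: {fields['Groups']})"
        else:
            reason = "; ".join(f"{ptype} policy matched on subject {subj}" for _, ptype, subj in policies)
        findings.append((user, resource, result, reason))
    return findings
```

Run it over a real system_console.log (with the debug loggers enabled as in step 1) to list every decision and its cause instead of scrolling to the bottom of the file by hand.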

