Page 1 10/15/2012
Oracle Entitlements Server 11gR2 MOSS SM Installation & Configuration
Step 1: Prerequisite Software Installation Check. Verify the pre-requisites:
- Operating System: Microsoft Windows Server 2008 (64 bit)
- Application Server: IIS 7
- Microsoft .NET: Microsoft .NET Framework v4.0
- Microsoft .NET SDK 64-bit: the GAC utility is required by the MOSS configtool
- SharePoint Server: Microsoft Office SharePoint Server 2010
- MOSS Designer: Microsoft Office SharePoint Designer 2010
- Oracle Entitlements Server: OES 11g Admin Server, Client (MOSS & WS SM)
Install Java on the SharePoint Server
Install JRockit on the SharePoint server for the OES SM installation: jrockit-jdk1.6.0_31-R28.2.3-4.1.0-windows-x86.exe
Set JAVA_HOME and the PATH in Windows.
Confirm that Java is available with:
java -version
Ensure the Microsoft Windows SDK is installed
Microsoft Windows SDK for Windows 7 and .NET Framework 4, 64 bit (the new name for the .NET SDK) should be installed on the SharePoint Server. The GAC utility is the component that is required from the SDK. Choose:
- Windows Native Code Development
  - Windows Headers and Libraries
  - Tools
- .NET Development
  - Intellisense
  - Tools
- Common Utilities
  - MS Help
  - App Verifier
  - Win Perf Toolkit
  - Debugging Tools
Step 2: Install the OES 11g MOSS SM binaries
Install the OES SM:
> specify the JDK location
> specify the <ORACLE_HOME> location
Step 3: Configure the OES 11gR2 MOSS SM
For OES 11gR2 the MOSS SM is available in the OES client install at $ORACLE_CLIENT_HOME/oessm/mosssm. The MOSS SM works together with the WS SM to provide a fine grained authorization solution for MOSS. By default we assume the WS SM and MOSS SM are on the same box, but the MOSS SM and WS SM can be on different boxes.
Configuration of MOSS includes:
- DLL deployment
- Execution of scripts to make the required changes in the configuration files
- Execution of the resource discovery agent. This is a simple script that gathers all the existing resources from MOSS and dumps them in files. These files are then imported into OES to create the resource hierarchy in OES. No authorization policies are created in OES; the policies have to be created manually.
The OES MOSS SM Configtool automates both the OES side and the MOSS side configuration. Manual steps to configure the integration are covered in Appendix A of this guide.
Step 3A: Run the SM Configtool and create a WS SM instance to protect the MOSS web application
Go to <ORACLE_CLIENT_HOME>\oessm\bin and run config.cmd to configure the OES-MOSS integration. This can be done in one step (-smType mossws) or split into two steps (configure WS and MOSS with -smType ws and -smType moss respectively). If the OES WS SM and MOSS are installed on the same box (the default), the configuration is done in one step using the following command, supplying a value for each option:
config.cmd -smType mossws -prpFileName xxx -mossprpFileName xxx -smConfigId -WSListeningPort -pdServer -pdPort
The WS and MOSS SM work on the same Windows box together with the MOSS installation. When the WS SM and MOSS are on separate boxes, the WS SM and MOSS SM need to be configured separately. WS SM creation is just like the regular WS SM configuration. Use the following command to configure the MOSS SM:
config.cmd -smType moss -prpFileName xxx -mossprpFileName xxx
The prpFileName refers to the smconfig.prp used to create the WS SM. Make a backup of <ORACLE_CLIENT_HOME>\oessm\SMConfigTool\smconfig.ws.controlled.prp and edit the file to include the OES admin server details:
<ORACLE_CLIENT_HOME>\oessm\SMConfigTool\smconfig.ws.controlled.prp
#<!--
# Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved.
#
# NAME
#   smconfig.ws.controlled.prp
# DESCRIPTION
#   This file specifies parameters used by the SM configuration script (config.sh).
#   This file is for the WS SM in Controlled Policy Distribution Mode.
#-->
# Policy distribution mode. Possible values:
#   controlled-push - if this mode is set, you need to configure the Policy
#   Distribution configuration parameters
oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-push
#-------- Policy Distributor connectivity information - required for controlled-push distribution mode
oracle.security.jps.runtime.pd.client.RegistrationServerHost=<hostname>
oracle.security.jps.runtime.pd.client.RegistrationServerPort=7002
#---------- ONLY for WS SM -----------------------------
# port number to accept authorization requests
oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber=<webservice port>
# Only supply if you do not use -smConfigId at the command line
# SM name
oracle.security.jps.runtime.pd.client.sm_name=
#>>>>>>>>>>>>OPTIONAL PARAMETERS<<<<<<<<<<<<<<<<<
#------------ Only for Java SM, WS SM and RMI SM in controlled-push mode --------------------
# port to listen for policy distribution. Picked automatically by the SM config tool if not specified
oracle.security.jps.runtime.pd.client.DistributionServicePort=
oracle.security.jps.runtime.pd.client.sm_type=ws
mossprpFileName refers to the properties file used to configure the MOSS server. There is a template for mossprpFileName at <ORACLE_CLIENT_HOME>\oessm\mosssm\mosssm\adm\configtool\moss_config.properties. Make a backup of moss_config.properties, rename it to, say, dev_config.properties, and edit the values in the configuration file:
<ORACLE_CLIENT_HOME>\oessm\mosssm\mosssm\adm\configtool\dev_config.properties
There are mandatory and optional properties in the file. Mandatory properties need to be set according to the environment; optional properties use default values if not set.
gacutility =
mosswebextensionlocation = c:\...
mosswebconfig = c:\...
mossSmUrl = http://localhost:<webservice SM port>
mosslog4NetXmlfile = ...
mosssharepointSite = https://<sitename>:port
applicationid = MossApp
mossresourcetype = MossResourceType (default)
mossIgnoredExtensions = (default)
mossIgnoredURLExpression = (default)
Sample configuration file used: <ORACLE_CLIENT_HOME>\oessm\mosssm\mosssm\adm\configtool\dev_config.properties. This file lists the properties for the SMConfigTool to configure the MOSS Server.
# The following section are mandatory properties, make sure the properties
# are set correctly.
# Microsoft .NET Framework Global Assembly Cache Utility location
gacutility=E:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\gacutil.exe
# Location of the Microsoft SharePoint web server extensions, which is the
# Location value of the registry key
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0 (MOSS 2007) or
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0 (MOSS 2010)
mosswebextensionlocation=C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14
# MOSS web.config file
mosswebconfig=C:\inetpub\wwwroot\wss\VirtualDirectories\dev.hsinlab.local443\web.config
# OES webservice URI
mossSmUrl = http://localhost:9400
# log4net configuration file
mosslog4NetXmlfile=E:\apps\oracle\middleware\oessm\mosssm\adm\runtime\log4net.xml
# MOSS site URI that OES is to protect
mosssharepointSite=https://dev.hsinlab.local
# the application ID to represent the protected MOSS web application
applicationid = MOSSApp
# OES resource type name of all the MOSS resources
mossresourcetype = MossResourceType
# resource extensions that are ignored when doing authorization, for
# example the js and css scripts are usually ignored
mossIgnoredExtensions=png,js,css,axd,ico,jpg,gif
# URL expressions that are ignored for OES authorization, for example the
# login pages should usually be ignored.
# The following value gives a sample of which URLs should be ignored for a
# MOSS 2010 FBA site if the default login page is used.
# For a MOSS 2007 FBA site, _layouts/login.aspx should be ignored if the
# default login page is used.
mossIgnoredURLExpression=_layouts/Authenticate.aspx,_login/default.aspx,_forms/default.aspx,_trust/,_trust/default.aspx,_layouts/_login/default.aspx
# The following are the optional properties; the default value will be used if
# not set.
# operation for MOSS configuration: config or remove, default to config
mossoperation = config
# MOSS version, supported versions are 2007 and 2010, default to 2010
mossversion=2010
# enable OES, default is true
mossenableOES=true
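To see what the two ignore lists in this file actually exclude, here is an added Python example (not part of Oracle's OES tooling): it parses a dev_config.properties-style file, reports mandatory keys that are missing, and decides for each request URL whether the MOSS SM would skip OES authorization. The matching semantics (suffix match for extensions, substring match for URL expressions, both case-insensitive) and the comma separator of the two lists are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample in the layout of dev_config.properties; the keys are
# spelled as the guide shows them and the comma separator is an assumption.
SAMPLE_PROPERTIES = """\
# mandatory properties
mosssharepointSite=https://dev.hsinlab.local
applicationid = MOSSApp
mossresourcetype = MossResourceType
mossIgnoredExtensions=png,js,css,axd,ico,jpg,gif
mossIgnoredURLExpression=_layouts/Authenticate.aspx,_login/default.aspx,_forms/default.aspx
# optional properties, defaults apply when unset
mossenableOES=true
"""

MANDATORY_KEYS = ("mosssharepointSite", "applicationid", "mossresourcetype")


def parse_properties(text):
    """Minimal Java-style properties reader: '#' comments, key=value, both trimmed."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def missing_mandatory(props):
    """Mandatory keys that are absent or empty; the configtool needs all of them set."""
    return [k for k in MANDATORY_KEYS if not props.get(k)]


def _csv(value):
    return [v.strip().lower() for v in value.split(",") if v.strip()]


def is_ignored(url, props):
    """True when the SM would skip OES authorization for this request.

    Assumed semantics: OES disabled means nothing is authorized; otherwise the
    request is skipped if its file extension is in mossIgnoredExtensions or any
    mossIgnoredURLExpression entry occurs in the request path.
    """
    if props.get("mossenableOES", "true").strip().lower() == "false":
        return True
    path = urlsplit(url).path.lower()
    filename = path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if ext in _csv(props.get("mossIgnoredExtensions", "")):
        return True
    return any(expr in path for expr in _csv(props.get("mossIgnoredURLExpression", "")))


def classify(urls, props):
    """Label each URL 'ignored' or 'authorize' to review the effect of the two lists."""
    return {u: ("ignored" if is_ignored(u, props) else "authorize") for u in urls}


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    print("missing mandatory keys:", missing_mandatory(cfg))
    verdicts = classify([
        "https://dev.hsinlab.local/_layouts/images/logo.png",
        "https://dev.hsinlab.local/_layouts/Authenticate.aspx?Source=%2F",
        "https://dev.hsinlab.local/TestSite/Lists/Announcements/AllItems.aspx",
    ], cfg)
    for url, verdict in verdicts.items():
        print(f"{verdict:9} {url}")
```

Anything reported as "ignored" reaches SharePoint without an OES decision, so review that list against the login pages only and keep content paths out of it.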
Step 3B: Configure Logging
Edit the log configuration file log4net.xml located at <ORACLE_CLIENT_HOME>\oessm\mosssm\adm\runtime\log4net.xml to set the location for the MOSS SM logs.
Sample file: <ORACLE_CLIENT_HOME>\oessm\mosssm\adm\runtime\log4net.xml
<log4net>
  <appender name="RollingFileAppender" type="log4net.Appender.RollingFileAppender">
    <file value="E:\OES\Sharepoint.log" />
    <rollingStyle value="Size" />
    <appendToFile value="true" />
    <maximumFileSize value="1024KB" />
    <maxSizeRollBackups value="10" />
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%level %d %logger - %message%newline" />
    </layout>
    <lockingModel type="log4net.Appender.FileAppender+MinimalLock" />
  </appender>
  <root>
    <level value="DEBUG" />
    <appender-ref ref="RollingFileAppender" />
  </root>
</log4net>
Copy the JDK logging.properties to the SM logging directory:
> Copy <JAVA_HOME>\lib\logging.properties to <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\config\logging.properties
- enable the file handler
- change the log file location
- set the logging level
Actual file used: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\config\logging.properties
############################################################
# Default Logging Configuration File
#
# You can use a different file by specifying a filename
# with the java.util.logging.config.file system property.
# For example java -Djava.util.logging.config.file=myfile
############################################################

############################################################
# Global properties
############################################################

# "handlers" specifies a comma separated list of log Handler
# classes. These handlers will be installed during VM startup.
# Note that these classes must be on the system classpath.
# By default we only configure a ConsoleHandler, which will only
# show messages at the INFO and above levels.
#handlers= java.util.logging.ConsoleHandler

# To also add the FileHandler, use the following line instead.
handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler

# Default global logging level.
# This specifies which kinds of events are logged across
# all loggers. For any given facility this global level
# can be overriden by a facility specific level.
# Note that the ConsoleHandler also has a separate level
# setting to limit messages printed to the console.
.level= FINE

############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################

# default file output is in user's home directory.
java.util.logging.FileHandler.pattern = E:/Logs/SMLogs/JRockit_%u.log
java.util.logging.FileHandler.limit = 50000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter

# Limit the messages that are printed on the console to INFO and above.
java.util.logging.ConsoleHandler.level = INFO
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter

############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################

# For example, set the com.xyz.foo logger to only log SEVERE
# messages:
com.xyz.foo.level = SEVERE
Step 4: Run the Resource Discovery tool to find the MOSS resources and import them into the OES policy store
Open a command line window on the MOSS Server and run MOSSResourceDiscovery.exe:
<ORACLE_CLIENT_HOME>\oessm\mosssm\lib\MOSSResourceDiscovery.exe
It prompts for the following parameters:
- The path of the folder into which the resource files will be created. Note that the directory used for storing the exported resources needs to be created beforehand.
- Path to the "mosssm\adm\discovery\AdmUrls.txt" file used to extract the admin URLs.
- URL of the top level MOSS sites to be protected by OES.
- Application name of the MOSS application to be protected by OES. This has to be consistent with the property "mossappname" defined in moss_config.properties. It is also the same as the application policy created and bound to the WS SM in step 1.
- The resource type of all the MOSS resources to be protected by OES. In OES 11g MOSS SM we only support a unique resource type for all MOSS resources. This has to be consistent with the property "mossresourcetype" defined in moss_config.properties.
MOSSResourceDiscovery defines all the MOSS resources as OES resources to be protected by OES and stores them in both XML format and plain text format.
Step 4A: Import the MOSS discovered resources into the OES policy store
Edit the jps-config file (under <instances>\config\wsclient): <oracle_client_home>\oes_sm_instances\<instance_name>\config\wsclient\jps-config.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
    <property value="off" name="oracle.security.jps.jaas.mode"/>
    <property value="weblogic.security.principal.WLSUserImpl" name="oracle.security.jps.enterprise.user.class"/>
    <property value="weblogic.security.principal.WLSGroupImpl" name="oracle.security.jps.enterprise.role.class"/>
    <property value="PDP" name="approles.source"/>
    <propertySets>
        <propertySet name="saml.trusted.issuers.1">
            <property value="www.oracle.com" name="name"/>
        </propertySet>
        <propertySet name="props.db.1">
            <property value="cn=oes_domain" name="oracle.security.jps.farm.name" />
            <property value="DB_ORACLE" name="server.type" />
            <property value="cn=jpsroot" name="oracle.security.jps.ldap.root.name" />
            <property name="jdbc.url" value="jdbc:oracle:thin:@192.168.208.181:1521/HSIND.hsinidmdev.local" />
            <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver" />
            <property name="security.principal" value="DEVOES_APM" />
            <property name="security.credential" value="<password>" />
        </propertySet>
    </propertySets>
    <serviceProviders>
        <serviceProvider class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider" name="policystore.provider" type="POLICY_STORE"/>
        <serviceProvider class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider" name="credstoressp" type="CREDENTIAL_STORE">
            <description>SecretStore-based CSF provider</description>
        </serviceProvider>
        <serviceProvider class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider" name="idstore.xml.provider" type="IDENTITY_STORE">
            <description>XML-based IdStore Provider</description>
        </serviceProvider>
        <serviceProvider class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider" name="policystore.xml.provider" type="POLICY_STORE">
            <description>XML-based PolicyStore Provider</description>
        </serviceProvider>
        <serviceProvider class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider" name="jaas.login.provider" type="LOGIN">
            <description>This is Jaas Login Service Provider and is used to configure login module service instances</description>
        </serviceProvider>
        <serviceProvider class="oracle.security.jps.internal.keystore.KeyStoreProvider" name="keystore.provider" type="KEY_STORE">
            <description>PKI Based Keystore Provider</description>
            <property value="owsm" name="provider.property.name"/>
        </serviceProvider>
        <serviceProvider class="oracle.security.jps.internal.audit.AuditProvider" name="audit.provider" type="AUDIT">
            <description>Audit Service</description>
        </serviceProvider>
        <serviceProvider class="oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider" name="pdp.service.provider" type="PDP"/>
        <serviceProvider class="oracle.security.jps.internal.policystore.OPSSPolicyStoreProvider" name="policy.rdbms" type="POLICY_STORE">
            <property value="DB_ORACLE" name="policystore.type"/>
        </serviceProvider>
        <serviceProvider class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider" name="policy.oid" type="POLICY_STORE">
            <property value="OID" name="policystore.type"/>
        </serviceProvider>
    </serviceProviders>
    <serviceInstances>
        <serviceInstance location="./" provider="credstoressp" name="credstore">
            <description>File Based Credential Store Service Instance</description>
        </serviceInstance>
        <serviceInstance location="./system-jazn-data.xml" provider="idstore.xml.provider" name="idstore.xml">
            <description>File Based Identity Store Service Instance</description>
            <property value="jazn.com" name="subscriber.name"/>
        </serviceInstance>
        <serviceInstance location="./system-jazn-data.xml" provider="policystore.xml.provider" name="policystore.xml">
            <description>File Based Policy Store Service Instance</description>
        </serviceInstance>
        <serviceInstance provider="jaas.login.provider" name="idstore.loginmodule">
            <description>Identity Store Login Module</description>
            <property value="oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule" name="loginModuleClassName"/>
            <property value="REQUIRED" name="jaas.login.controlFlag"/>
        </serviceInstance>
        <serviceInstance location="./default-keystore.jks" provider="keystore.provider" name="keystore">
            <description>Default JPS Keystore Service</description>
            <property value="file" name="keystore.provider.type"/>
            <property value="./" name="keystore.file.path"/>
            <property value="JKS" name="keystore.type"/>
            <property value="oracle.wsm.security" name="keystore.csf.map"/>
            <property value="keystore-csf-key" name="keystore.pass.csf.key"/>
            <property value="sign-csf-key" name="keystore.sig.csf.key"/>
            <property value="enc-csf-key" name="keystore.enc.csf.key"/>
        </serviceInstance>
        <serviceInstance provider="audit.provider" name="audit">
            <property value="None" name="audit.filterPreset"/>
            <property value="0" name="audit.maxDirSize"/>
            <property value="104857600" name="audit.maxFileSize"/>
            <property value="jdbc/AuditDB" name="audit.loader.jndi"/>
            <property value="15" name="audit.loader.interval"/>
            <property value="File" name="audit.loader.repositoryType"/>
        </serviceInstance>
        <serviceInstance provider="jaas.login.provider" name="saml.loginmodule">
            <description>SAML Login Module</description>
            <property value="oracle.security.jps.internal.jaas.module.saml.JpsSAMLLoginModule" name="loginModuleClassName"/>
            <property value="REQUIRED" name="jaas.login.controlFlag"/>
            <propertySetRef ref="saml.trusted.issuers.1"/>
        </serviceInstance>
        <serviceInstance provider="jaas.login.provider" name="saml2.loginmodule">
            <description>SAML2 Login Module</description>
            <property value="oracle.security.jps.internal.jaas.module.saml.JpsSAML2LoginModule" name="loginModuleClassName"/>
            <property value="REQUIRED" name="jaas.login.controlFlag"/>
            <propertySetRef ref="saml.trusted.issuers.1"/>
        </serviceInstance>
        <serviceInstance provider="jaas.login.provider" name="krb5.loginmodule">
            <description>Kerberos Login Module</description>
            <property value="com.sun.security.auth.module.Krb5LoginModule" name="loginModuleClassName"/>
            <property value="REQUIRED" name="jaas.login.controlFlag"/>
            <property value="true" name="storeKey"/>
            <property value="true" name="useKeyTab"/>
            <property value="true" name="doNotPrompt"/>
            <property value="./krb5.keytab" name="keyTab"/>
            <property value="HOST/localhost@EXAMPLE.COM" name="principal"/>
        </serviceInstance>
        <serviceInstance provider="jaas.login.provider" name="digest.authenticator.loginmodule">
            <description>Digest Authenticator Login Module</description>
            <property value="oracle.security.jps.internal.jaas.module.digest.DigestLoginModule" name="loginModuleClassName"/>
            <property value="REQUIRED" name="jaas.login.controlFlag"/>
        </serviceInstance>
        <serviceInstance provider="jaas.login.provider" name="certificate.authenticator.loginmodule">
            <description>X509 Certificate Login Module</description>
            <property value="oracle.security.jps.internal.jaas.module.x509.X509LoginModule" name="loginModuleClassName"/>
            <property value="REQUIRED" name="jaas.login.controlFlag"/>
        </serviceInstance>
        <serviceInstance provider="jaas.login.provider" name="wss.digest.loginmodule">
            <description>WSS Digest Login Module</description>
            <property value="oracle.security.jps.internal.jaas.module.digest.WSSDigestLoginModule" name="loginModuleClassName"/>
            <property value="REQUIRED" name="jaas.login.controlFlag"/>
        </serviceInstance>
        <serviceInstance provider="jaas.login.provider" name="user.authentication.loginmodule">
            <description>User Authentication Login Module</description>
            <property value="oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule" name="loginModuleClassName"/>
            <property value="REQUIRED" name="jaas.login.controlFlag"/>
        </serviceInstance>
        <serviceInstance location="./bootstrap" provider="credstoressp" name="bootstrap.credstore">
            <property value="bootstrap" name="location"/>
        </serviceInstance>
        <serviceInstance provider="jaas.login.provider" name="user.assertion.loginmodule">
            <description>User Assertion Login Module</description>
            <property value="oracle.security.jps.internal.jaas.module.assertion.JpsUserAssertionLoginModule" name="loginModuleClassName"/>
            <property value="REQUIRED" name="jaas.login.controlFlag"/>
        </serviceInstance>
        <serviceInstance location="E:\apps\oracle\middleware\oes_sm_instances\SP_SM_D2ISEVDHQ110_APP1_2\config\enroll" provider="credstoressp" name="credstore.enroll"/>
        <serviceInstance provider="pdp.service.provider" name="pdp.service">
            <property value="WS" name="oracle.security.jps.pdp.PDPTransport"/>
            <property value="http://localhost:<webserviceport>" name="oracle.security.jps.pdp.proxy.PDPAddress"/>
            <property value="10000" name="oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs"/>
            <property value="3" name="oracle.security.jps.pdp.proxy.FailureRetryCount"/>
            <property value="180000" name="oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs"/>
            <property value="60000" name="oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs"/>
        </serviceInstance>
        <serviceInstance provider="policystore.provider" name="policystore.db">
            <property value="DB_ORACLE" name="policystore.type" />
            <propertySetRef ref="props.db.1" />
        </serviceInstance>
    </serviceInstances>
    <jpsContexts default="default">
        <jpsContext name="default">
            <serviceInstanceRef ref="pdp.service"/>
            <serviceInstanceRef ref="policystore.db"/>
        </jpsContext>
        <jpsContext name="bootstrap_credstore_context">
            <serviceInstanceRef ref="bootstrap.credstore"/>
        </jpsContext>
        <jpsContext name="oracle.security.jps.fmw.authenticator.DigestAuthenticator">
            <serviceInstanceRef ref="digest.authenticator.loginmodule"/>
        </jpsContext>
        <jpsContext name="oracle.security.jps.fmw.authenticator.BasicAuthenticator">
            <serviceInstanceRef ref="idstore.loginmodule"/>
        </jpsContext>
        <jpsContext name="X509CertificateAuthentication">
            <serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
        </jpsContext>
        <jpsContext name="SAML">
            <serviceInstanceRef ref="saml.loginmodule"/>
        </jpsContext>
        <jpsContext name="smsec">
            <serviceInstanceRef ref="credstore.enroll"/>
        </jpsContext>
    </jpsContexts>
</jpsConfig>
Run $ORACLE_CLIENT_HOME/oessm/bin/manage-policy.cmd|sh to migrate the resource policies into the OES policy store:
<oracle_client_home>\oessm\bin> manage-policy.cmd
Ensure that the correct values are set for:
OES_CLIENT_HOME = "<oracle_client_home>"
OES_INSTANCE_NAME = "<instance_name>"
The policy-management tool migrates the MOSS resources to the OES policy store using append mode; the existing MOSS application and related policies will not be wiped off. The input for running this script (application name, resource type and MOSS resource file) should be consistent with the input of the MOSSResourceDiscovery tool.
Start the WS SM: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\bin\startWSServer.cmd
Restart IIS on the SharePoint server:
> iisreset /noforce
Appendix A: OES SM Manual Resource Creation
In case resources (like web sites, lists, etc.) are created in MOSS after resource discovery is done, the newly created resources need to be replicated in OES. This can be done by running resource discovery and loading the policy files again, or through a manual process. The following section describes the manual creation of resources in OES corresponding to web sites, lists, web parts, etc. As the resource model is based on URLs, the URLs of the MOSS resources are used to create resources in OES.
Web Sites
On creation of new web sites in MOSS, the URL of the web site defines the resource to be created in OES. Say for the web URL http://<Sharepoint_Server_Name>/TestSite, the corresponding resource will be created by trimming off the initial part of the URL and creating "TestSite" as a resource under the MOSS Application (MossApp) from the OES administration server console.
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content. A web part is one of the easiest and best ways in which content is published in MOSS. For authorization on web parts via OES, these web parts may be created as resources in OES. Web Parts are created as sub resources of the page resource, and the name of the resource is the display name of the web part.
Lists & Items
The web site creation also creates a set of lists depending upon the template used for creating the web. These lists are incorporated into the resource tree based on whether they are document lists or non-document lists, in the following manner:
Document List
Go to the List view page, e.g. http://<Sharepoint_Server_Name>/TestSite/Shared Documents/Forms/AllItems.aspx
It can be represented as "TestSite/Shared Documents/Forms/AllItems.aspx" in the OES resource tree.
Create the individual items within the list as sub resources of "Shared Documents", e.g. a document named Scott.sql present in the list may be represented as "TestSite/Shared Documents/Scott.sql".
Non Document List
Go to the List view page, e.g. http://<Sharepoint_Server_Name>/TestSite/Lists/Announcements/AllItems.aspx
It can be represented as "TestSite/Lists/Announcements/AllItems.aspx" in the resource tree.
Create the following resources at the same level as "AllItems.aspx":
- EditForm.aspx
- DispForm.aspx
Click on any item in the list and notice that the URL appears as the following:
http://<Sharepoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx
Notice the ID as a URL parameter in the URL. This ID is used as the name of the non-document item and is created as a sub resource of both EditForm.aspx and DispForm.aspx. This has to be done for all items within a non-document list.
Note: An easier way of finding the IDs of the individual items is to hover the mouse over the link of the item and note the ID from the URL displayed on the status bar of the browser.
Pages
Pages in MOSS exist either in document libraries or in the web base. The page may be modeled by creating resources breaking up the URL.
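The URL-to-resource rules of this appendix, as an added Python example (not Oracle's MOSSResourceDiscovery tool): it derives the OES resource path(s) for a site, a document library item and a non-document list item, and lists every node, parents first, that has to exist in the console before its children can be created. The "/" separator between resource levels and the sample host sharepoint01 are assumptions.

```python
from urllib.parse import parse_qs, unquote, urlsplit

LIST_FORMS = ("dispform.aspx", "editform.aspx")


def moss_url_to_resources(url, site_root):
    """Map one MOSS URL to the OES resource path(s) Appendix A prescribes.

    site_root is the scheme and host that gets trimmed off, e.g. "http://sharepoint01".
    Sites, pages, document library items and list views map to a single path made of
    the URL's path segments. A non-document list item (DispForm.aspx or EditForm.aspx
    with an ID query parameter) maps to two paths, because the ID is a sub resource
    of both forms. Levels are joined with "/" (an assumption about the OES naming).
    """
    parts = urlsplit(url)
    root = urlsplit(site_root)
    if (parts.scheme.lower(), parts.netloc.lower()) != (root.scheme.lower(), root.netloc.lower()):
        raise ValueError(f"{url} is not under the protected site {site_root}")
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if not segments:
        return []
    item_id = parse_qs(parts.query).get("ID", [None])[0]
    if segments[-1].lower() in LIST_FORMS and item_id is not None:
        base = "/".join(segments[:-1])
        return [f"{base}/EditForm.aspx/{item_id}", f"{base}/DispForm.aspx/{item_id}"]
    return ["/".join(segments)]


def resources_to_create(urls, site_root):
    """Every OES resource node needed for the given URLs, ancestors included.

    A sub resource can only be created under an existing parent in the OES
    console, so the result is ordered shallowest first.
    """
    nodes = set()
    for url in urls:
        for res in moss_url_to_resources(url, site_root):
            segs = res.split("/")
            nodes.update("/".join(segs[:i]) for i in range(1, len(segs) + 1))
    return sorted(nodes, key=lambda r: (r.count("/"), r))


if __name__ == "__main__":
    # Constructed URLs following the patterns shown in Appendix A.
    sample = [
        "http://sharepoint01/TestSite",
        "http://sharepoint01/TestSite/Shared%20Documents/Forms/AllItems.aspx",
        "http://sharepoint01/TestSite/Shared%20Documents/Scott.sql",
        "http://sharepoint01/TestSite/Lists/Announcements/DispForm.aspx?ID=2"
        "&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx",
    ]
    for node in resources_to_create(sample, "http://sharepoint01"):
        print(node)
```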
Appendix B: OES LDAP Integration
OES LDAP (OPTIONAL)
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a supported LDAP directory must be used in production. The following procedure reconfigures the default identity store settings. More specific information on configuring LDAP authentication providers can be found in Oracle Fusion Middleware Securing Oracle WebLogic Server.
- Launch the WebLogic Server console.
- Click Security Realms.
- Click the settings for myrealm.
- Click the Providers tab.
- Click the Authentication tab, as displayed in Figure 3-1.
Figure 3-1: The Authentication Provider Tab
- Click the New button to create a new provider.
- Enter a name and select the type of LDAP-based directory, for example OracleInternetDirectoryAuthenticator.
- Configure the provider-specific attributes of the LDAP-based directory. This might include the host name and port, credentials, group search base, user search base and the like.
- Save the provider information.
- Change the order of the providers so that the LDAP-based directory is first; DefaultAuthenticator and DefaultIdentityAsserter will follow.
- Click the new provider name to configure it.
- Click the Configuration tab.
- Click the Common tab.
- Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-2.
Figure 3-2: SUFFICIENT Control Flag
- Click the Provider Specific tab.
- Enter the LDAP configuration information for your identity store and click Save.
- Return to the Providers tab.
- Click DefaultAuthenticator to change its configuration.
- Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-3.
Figure 3-3: DefaultAuthenticator Tab in WebLogic Server Console
- Restart WebLogic Server.
Appendix C: Creating and protecting a sample MOSS website with the OES 11gR2 MOSS SM
This section provides a step by step demonstration of the creation of a sample MOSS website with pages, web parts and list items, and subsequently demonstrates how the OES MOSS 11gR2 SM can be used to protect the sample MOSS website. Since this is a demonstration sample, it uses Microsoft FBA for providing authentication to the sample website. It should be noted that this authentication can be easily swapped with any other authentication mechanism without affecting the capabilities offered by the OES 11gR2 MOSS SM.
Step 1: Configure Form Based Authentication (MOSS 2010)
Define the custom OESMembershipProvider and OESRoleProvider in the MOSS Central Admin Site. In the web.config file of the Central Admin Site, add the OESMembershipProvider and OESRoleProvider into <membership> and <roleManager> under the <system.web> section:
<system.web>
  ...
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Step 2: Configure the OES custom providers in the Security Token Service web.config file
In MOSS 2010 authentication is handled by the Security Token Service, so we need to configure the custom providers in this service. Modify the configuration of the Security Token Service (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config). Add a <system.web> section in <configuration> to configure the providers:
<system.web>
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="OESRoleProvider" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
We can also add a debug configuration into the SecurityTokenServiceBehavior <behavior> tag, so that when there are errors in the Security Token Service the detailed error log can be found in the event log: <serviceDebug includeExceptionDetailInFaults="true" />. After this step, do an IIS restart and the OES custom providers will be available.
Step 3: Create a MOSS Web Application to use Form Based Authentication
From the MOSS 2010 Central Admin Site, click Manage web applications under the Application Management section, then click New in the top pane to create a new web application. In the Create New Web Application window use the following settings to create an FBA web application:
- Authentication: select Claims Based Authentication instead of Classic Mode Authentication.
- IIS Web Site: create a new IIS web site (use the default values for Name, Port, Host Header and Path).
- Security Configuration: Allow Anonymous: Yes; Use Secure Sockets Layer (SSL): No.
- Claims Authentication Types: keep Enable Windows Authentication and Integrated Windows Authentication selected; use NTLM instead of Negotiate. Select Enable Forms Based Authentication (FBA) and type in OESMembershipProvider and OESRoleProvider as the membership provider and role manager name.
- Sign In Page URL: use the Default Sign In Page.
- Public URL: use the default settings.
- Application Pool: select Create new application pool; use the default Application pool name; use Predefined instead of Configurable as the security account.
- Database Name and Authentication: use the default settings.
- Failover Server, Search Server, Service Application Connections & Customer Experience Improvement Program: use the default settings.
Please see the following figure for sample configurations.
Click OK to create this web application.
Still from the Central Admin Site, click "Manage web applications" under "Application Management" and select User Policy from the ribbon. Click Add Users, select the default zone and hit Next, click the Address Book button, type mossadmin in Find and hit the Search icon; this username can be resolved as a Forms Auth user. Add this user, grant "Full Control" under Permissions and hit the Finish button.
Step 4 Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider to the <membership> and <roleManager> elements under the <system.web> section. DO NOT delete the default providers that are already there.
<system.web>
  ...
  <membership defaultProvider="i">
    <providers>
      <clear />
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESMembershipProvider" type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESRoleProvider" type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Please note: whenever you modify web.config files, always back up the original file first and edit with Notepad.
Do an IIS restart; the FBA configuration will be activated. Create Site Collections for this web application, using mossadmin as the Primary Site Collection Administrator.
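An added check (example code written for this page, not part of the guide or the OES product) that parses a web.config after the Step 4 edit and reports whether both OES providers are registered and whether the SharePoint claims providers the guide says not to delete are still present and still the defaults. The provider names "i" and "c" are taken from the guide's sample; a real web.config may use other generated names, and the constructed fragments shorten the assembly-qualified type strings.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment: a correct Step 4 edit (type strings shortened).
GOOD_WEB_CONFIG = """<configuration><system.web>
  <membership defaultProvider="i"><providers><clear />
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" />
    <add name="OESMembershipProvider" type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint" />
  </providers></membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"><providers><clear />
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
    <add name="OESRoleProvider" type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint" />
  </providers></roleManager>
</system.web></configuration>"""

# Constructed bad edit: the claims membership provider was deleted, the OES provider
# was made the default, and the OES role provider was never added.
BAD_WEB_CONFIG = """<configuration><system.web>
  <membership defaultProvider="OESMembershipProvider"><providers><clear />
    <add name="OESMembershipProvider" type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint" />
  </providers></membership>
  <roleManager defaultProvider="c" enabled="true"><providers><clear />
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
  </providers></roleManager>
</system.web></configuration>"""

# Per section: default provider name, SharePoint claims provider type, OES provider name.
EXPECTED = {
    "membership": ("i", "Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider", "OESMembershipProvider"),
    "roleManager": ("c", "Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider", "OESRoleProvider"),
}


def check_fba_providers(web_config_xml):
    """Return the list of problems found; an empty list means the edit matches Step 4."""
    problems = []
    root = ET.fromstring(web_config_xml)
    for section, (default_name, sp_type, oes_name) in EXPECTED.items():
        node = root.find("./system.web/" + section)
        if node is None:
            problems.append("%s: section missing under <system.web>" % section)
            continue
        # name -> assembly-qualified type of every <add> under <providers>
        adds = {a.get("name"): a.get("type", "") for a in node.findall("./providers/add")}
        if node.get("defaultProvider") != default_name:
            problems.append("%s: defaultProvider must stay %r" % (section, default_name))
        if not adds.get(default_name, "").startswith(sp_type):
            problems.append("%s: SharePoint claims provider %r was removed" % (section, default_name))
        if oes_name not in adds:
            problems.append("%s: %s is not registered" % (section, oes_name))
        if section == "roleManager" and node.get("enabled") != "true":
            problems.append("roleManager: enabled must be true")
    return problems


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_WEB_CONFIG), ("bad", BAD_WEB_CONFIG)):
        print(label, check_fba_providers(cfg) or "OK")
```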
Step 5 Log in to the FBA site as site admin and grant users access to this site
Add Groups
Log in to the site (e.g. http://alesw2k8:11589) as the site admin (mossadmin). Click Site Actions > Site Permissions. In the following window click Create Group in the top ribbon, type in group1 as the group name, change "Allow requests to join/leave this group" and "Auto-accept requests" to Yes, give Read permission, take all the other default settings and hit Create. group1 is created. Please see the following figure as an example.
In the group1 view click New > Add Users. In the following window click the Address Book icon, type in mossuser1 and click the search icon; this user resolves as a Forms Auth user. Add mossuser1 to group1. Click Settings > Group Settings, change the Group Owner to "mossuser1" and remove "mossadmin" from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as group owner; also grant Read access to these two groups.
Steps 6-9 below demonstrate creating MOSS sub sites, web pages, list items and custom content pages.
Step 6 Create Sub Site
Still logged in as the site admin (mossadmin), select Site Actions > New Site, input "OES Example" as the title and http://alesw2k8:11589/example as the URL name, take the other default settings and hit Create to create the sub site.
Step 7 Create Document Libraries & List Items
In the "example" sub site click Site Actions > New Document Library. In the following window use "OES Document" as the name, take the other default settings and hit Create. OES Document is created under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder; type in "test" as the name and click Save. The test folder is created in OES Document. Click into the test folder and Add Document. In the Upload Document window browse to the dummy document doc1.rtf, put it under the test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.
Step 8 Create Non-Document Libraries & List Items
Click Site Actions > More Options; when the new window appears, click Announcements under Communications. In the following window, to create the announcement list, type in "OES Announcement" as the name and take the other default settings. Hit Create; OES Announcement is created and appears in the left panel.
Save the settings and click Add new announcement. Give "Announcement 2" as the title (the existing MOSS announcement has ID "1"), input any content in the announcement body and save the announcement. Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.
Step 9 Create Web Pages
Regular Pages: select Site Actions > New Page, enter page1 as the name and hit Create. Input any content in the edit pane of this page and Save & Close; page1.aspx is created under Site Pages.
Web Part Pages: select Site Actions > More Options; in the following window click Web Part Page under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template, select Site Pages as the save location and hit Create to create page2. When the edit web part page window appears, click Add a Web Part and add OES Document and OES Announcement to this web part page. Click Stop Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: open Microsoft SharePoint Designer 2010, click Open Site and type in the site name (e.g. http://alesw2k8:11589/example). Log in to the site as mossadmin. Select Site Pages and click Page > HTML from the top ribbon; a new untitled page is created under Site Pages. Change the name to page3.aspx. With page3.aspx selected, click Edit File With > SharePoint Designer (Open As HTML); in the popup window click OK and page3 will be edited in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OES.Sharepoint.Controls" TagPrefix="OES" Assembly="OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
  account owner: Joe Doe
  account type: primary saving
  account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10 Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11 Configure the MOSS Web Application to be protected by OES
Step 11.1 From APM, define the following authorization policies:
- Grant role authenticatedUser "view" and "ANY" access to all the resources.
- Deny mossuser1 "view" access to resource doc4.rtf.
- Deny mossuser3 "view" access to the "OES Announcement" folder.
- Deny mossuser3 "view" access to page1.aspx.
- Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
- Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2 Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login is prompted.
mossuser1: log in as "mossuser1".
- Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" appear but not "doc4", since mossuser1 is denied access to it.
- Non-Document List Items: click "OES Announcement"; all items are accessible.
- Regular Web Page: mossuser1 can access page1.aspx.
- Web Parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1", "doc2" and "doc3" appear, not "doc4". All items under "OES Announcement" are accessible.
- Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, log in as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by the policies in Step 11.1.
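As an added illustration (mine, not from the guide or OES) of the Step 11.1 policy set and the Step 11.2 outcomes: a small evaluator over constructed resource paths in the URL-based style of Appendix A. It assumes deny-overrides semantics, which the expected results in Step 11.2 require, and that the four example users are the members of authenticatedUser.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    effect: str    # "grant" or "deny"
    subject: str   # a user name, or "role:<role name>"
    action: str    # "view" or "ANY"
    resource: str  # resource path; "" means every resource; applies to the subtree below it


# Constructed role membership: every example user is an authenticated user.
ROLE_MEMBERS = {"authenticatedUser": {"mossuser1", "mossuser2", "mossuser3", "mossuser4"}}

# The six policies of Step 11.1, on constructed resource paths in the Appendix A style
# (sub site URL name "example", document library "OES Document", list "OES Announcement").
STEP_11_1_POLICIES = [
    Policy("grant", "role:authenticatedUser", "ANY", ""),
    Policy("deny", "mossuser1", "view", "example/OES Document/test/doc4.rtf"),
    Policy("deny", "mossuser3", "view", "example/Lists/OES Announcement"),
    Policy("deny", "mossuser3", "view", "example/SitePages/page1.aspx"),
    Policy("deny", "mossuser3", "view", "example/SitePages/page3.aspx/Resource1"),
    Policy("deny", "mossuser4", "view", "example"),
]


def covers(policy_resource, requested):
    """A policy on a resource applies to that resource and everything beneath it."""
    return policy_resource == "" or requested == policy_resource \
        or requested.startswith(policy_resource + "/")


def applies_to(policy, user):
    """Match a policy subject against a user directly or through role membership."""
    if policy.subject.startswith("role:"):
        return user in ROLE_MEMBERS.get(policy.subject[len("role:"):], set())
    return policy.subject == user


def is_permitted(user, action, resource, policies=STEP_11_1_POLICIES):
    """Deny-overrides evaluation (assumed): any matching deny wins; otherwise a matching
    grant is needed; a subject with no matching policy at all, or no user, gets nothing."""
    if user is None:
        return False
    granted = False
    for p in policies:
        if not (applies_to(p, user) and covers(p.resource, resource)):
            continue
        if p.action != "ANY" and p.action != action:
            continue
        if p.effect == "deny":
            return False
        granted = True
    return granted


def visible_items(user, items):
    """What a list view shows the user, as walked through in Step 11.2."""
    return [r for r in items if is_permitted(user, "view", r)]


if __name__ == "__main__":
    docs = ["example/OES Document/test/doc%d.rtf" % i for i in (1, 2, 3, 4)]
    for u in ("mossuser1", "mossuser3", "mossuser4"):
        print(u, visible_items(u, docs))
```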
The OES MOSS SM Configtool automates both the OES-side and the MOSS-side configuration. Manual steps to configure the integration are covered in Appendix A of this guide.
Step 3A Run SM Configtool and create a WS SM instance to protect the MOSS web application
Go to <ORACLE_CLIENT_HOME>\oessm\bin and run config.cmd to configure the OES-MOSS integration. This can be done in one step (-smType mossws) or split in two steps (configure WS and MOSS with -smType ws and -smType moss respectively). If the OES WS SM and MOSS are installed on the same box (the default), the configuration is done in one step using the following command:
config.cmd -smType mossws -prpFileName xxx -mossprpFileName xxx -smConfigId <sm_config_id> -WSListeningPort <port> -pdServer <pd_host> -pdPort <pd_port>
The WS and MOSS SM work on the same Windows box together with the MOSS installation. When the WS SM and MOSS are on separate boxes, the WS SM and MOSS SM need to be configured separately. WS SM creation is just like the regular WS SM configuration. Use the following command to configure the MOSS SM:
config.cmd -smType moss -prpFileName xxx -mossprpFileName xxx
The prpFileName refers to the smconfig.prp used to create the WS SM. Make a backup of <ORACLE_CLIENT_HOME>\oessm\SMConfigTool\smconfig.ws.controlled.prp and edit the file to include the OES admin server details.
<ORACLE_CLIENT_HOME>\oessm\SMConfigTool\smconfig.ws.controlled.prp:
#<!--
# Copyright (c) 2010, 2011 Oracle and/or its affiliates. All rights reserved.
#
# NAME
#   smconfig.ws.controlled.prp
# DESCRIPTION
#   This file specifies parameters used by SM configuration script (config.sh).
#   This file is for WS SM in Controlled Policy Distribution Mode.
#-->

# Policy distribution mode. Possible values:
# controlled-push - if this mode is set you need to configure Policy
# Distribution configuration parameters
oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-push

# -------- Policy Distributor connectivity information - required for
# controlled-push distribution mode
oracle.security.jps.runtime.pd.client.RegistrationServerHost=<hostname>
oracle.security.jps.runtime.pd.client.RegistrationServerPort=7002

# ---------- ONLY for WS SM -----------------------------
# port number to accept authorization requests
oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber=<webservice port>

# Only supply if you do not use -smConfigId at the command line
# SM name
oracle.security.jps.runtime.pd.client.sm_name=

# >>>>>>>>>>>> OPTIONAL PARAMETERS <<<<<<<<<<<<
# ------------ Only for Java SM, WS SM and RMI SM in controlled-push mode --------------------
# port to listen for policy distribution. Picked automatically by SM
# config tool if not specified
oracle.security.jps.runtime.pd.client.DistributionServicePort=
oracle.security.jps.runtime.pd.client.sm_type=ws
mossprpFileName refers to the properties file used to configure the MOSS server. There is a template for it at <ORACLE_CLIENT_HOME>\oessm\mosssm\mosssm\adm\configtool\moss_config.properties. Make a backup of moss_config.properties, rename it (say, to dev_config.properties) and edit the values in the configuration file <ORACLE_CLIENT_HOME>\oessm\mosssm\mosssm\adm\configtool\dev_config.properties.
There are mandatory and optional properties in the file. Mandatory properties need to be set according to the environment; optional properties use default values if not set.
gac.utility=
moss.webextensionlocation=c:\
moss.webconfig=c:\
moss.SmUrl=http://localhost:<webservice SM port>
moss.log4NetXmlfile=...
moss.sharepointSite=https://<sitename>:<port>
application.id=MossApp
moss.resourcetype=MossResourceType (default)
moss.IgnoredExtensions=(default)
moss.IgnoredURLExpression=(default)
Sample configuration file used: <ORACLE_CLIENT_HOME>\oessm\mosssm\mosssm\adm\configtool\dev_config.properties. This file lists the properties for SMConfigTool to configure the MOSS server.
# The following section contains the mandatory properties; make sure the
# properties are set correctly
# Microsoft .NET Framework Global Assembly Cache Utility location
gac.utility=E:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\gacutil.exe
# Location of the Microsoft SharePoint web server extensions, which is the
# location value of the registry key
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0 (MOSS 2007) or
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0 (MOSS 2010)
moss.webextensionlocation=C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14
# moss web config file
moss.webconfig=C:\inetpub\wwwroot\wss\VirtualDirectories\dev.hsinlab.local443\web.config
# OES webservice uri
moss.SmUrl=http://localhost:9400
# log4net configuration file
moss.log4NetXmlfile=E:\apps\oracle\middleware\oessm\mosssm\adm\runtime\log4net.xml
# moss site uri that OES is to protect
moss.sharepointSite=https://dev.hsinlab.local
# the application ID to represent the protected MOSS web application
application.id=MOSSApp
# OES resourcetype name of all the MOSS resources
moss.resourcetype=MossResourceType
# resource extensions that are ignored when doing authorization, for
# example the js and css scripts are usually ignored
moss.IgnoredExtensions=png,js,css,axd,ico,jpg,gif
# URL expressions that are ignored by OES authorization, for example the
# login pages should usually be ignored.
# The following value gives a sample of which URLs should be ignored for a
# MOSS 2010 FBA site if the default login page is used.
# For a MOSS 2007 FBA site, /_layouts/login.aspx should be ignored if the
# default login page is used.
moss.IgnoredURLExpression=/_layouts/Authenticate.aspx,/_login/default.aspx,/_forms/default.aspx,/_trust/,/_trust/default.aspx,/_layouts/_login/default.aspx
# The following are the optional properties; the default value will be used
# if not set
# operation for MOSS configuration, config or remove, default to config
moss.operation=config
# MOSS version, supported versions are 2007 and 2010, default to 2010
moss.version=2010
# enable OES, default is true
moss.enableOES=true
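An added example, not from the guide or the OES product, of how the two ignore properties decide which requests the MOSS SM never asks OES about, with a check for entries that would also exempt protected content. Assumptions of mine: the dotted key spelling, comma-separated values, extensions matched case-insensitively on the path suffix, and URL expressions matched as case-insensitive substrings of the path (the guide does not state the matching rule); the host name and URLs are constructed.

```python
from urllib.parse import urlsplit

# Constructed excerpt of a dev_config.properties file (the two ignore properties).
SAMPLE_PROPERTIES = """
# resource extensions that are ignored when doing authorization
moss.IgnoredExtensions=png,js,css,axd,ico,jpg,gif
# URL expressions ignored by OES authorization (the FBA login pages)
moss.IgnoredURLExpression=/_layouts/Authenticate.aspx,/_login/default.aspx,/_forms/default.aspx,/_trust/
"""

# Constructed sample of URLs that Step 11 expects OES to protect; used to catch
# ignore entries that are too broad.
PROTECTED_SAMPLES = [
    "http://alesw2k8:11589/example/OES%20Document/test/doc4.rtf",
    "http://alesw2k8:11589/example/SitePages/page1.aspx",
    "http://alesw2k8:11589/example/Lists/OES%20Announcement/DispForm.aspx?ID=2",
]


def parse_properties(text):
    """Minimal key=value reader: '#' lines are comments, keys and values are trimmed."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def ignore_rules(props):
    """Split the two properties into normalised lists (lower-case, no leading dot)."""
    exts = [e.strip().lower().lstrip(".") for e in props.get("moss.IgnoredExtensions", "").split(",")]
    exprs = [x.strip().lower() for x in props.get("moss.IgnoredURLExpression", "").split(",")]
    return [e for e in exts if e], [x for x in exprs if x]


def is_ignored(url, exts, exprs):
    """True if the request would be passed through without an OES authorization call."""
    path = urlsplit(url).path.lower()          # the query string is not part of the match
    last = path.rsplit("/", 1)[-1]
    ext = last.rsplit(".", 1)[-1] if "." in last else ""
    return ext in exts or any(x in path for x in exprs)


def overbroad_rules(exts, exprs, protected=PROTECTED_SAMPLES):
    """Return each ignore entry that, on its own, would exempt a protected URL."""
    bad = []
    for e in exts:
        if any(is_ignored(u, [e], []) for u in protected):
            bad.append("extension:" + e)
    for x in exprs:
        if any(is_ignored(u, [], [x]) for u in protected):
            bad.append("expression:" + x)
    return bad


if __name__ == "__main__":
    exts, exprs = ignore_rules(parse_properties(SAMPL_PROPERTIES if False else SAMPLE_PROPERTIES))
    for u in ["http://alesw2k8:11589/_layouts/images/blank.gif",
              "http://alesw2k8:11589/_layouts/Authenticate.aspx?Source=%2Fexample"] + PROTECTED_SAMPLES:
        print("ignored" if is_ignored(u, exts, exprs) else "authorized", u)
    # an "aspx" extension or a "/example/" expression would switch authorization off
    print("overbroad:", overbroad_rules(exts + ["aspx"], exprs + ["/example/"]))
```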
Step 3B Configure Logging
Edit the log configuration file log4net.xml, located at <ORACLE_CLIENT_HOME>\oessm\mosssm\adm\runtime\log4net.xml, to set the location for the MOSS SM logs.
Sample file <ORACLE_CLIENT_HOME>\oessm\mosssm\adm\runtime\log4net.xml:
<log4net>
  <appender name="RollingFileAppender" type="log4net.Appender.RollingFileAppender">
    <file value="E:\OESSharepoint.log" />
    <rollingStyle value="Size" />
    <appendToFile value="true" />
    <maximumFileSize value="1024KB" />
    <maxSizeRollBackups value="10" />
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%level %d %logger - %message%newline" />
    </layout>
    <lockingModel type="log4net.Appender.FileAppender+MinimalLock" />
  </appender>
  <root>
    <level value="DEBUG" />
    <appender-ref ref="RollingFileAppender" />
  </root>
</log4net>
Copy logging.properties from the JDK to the SM logging directory:
> copy <JAVA_HOME>\lib\logging.properties to <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\config\logging.properties
- enable the file handler
- change the log file location
- set the logging level
Actual file used: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\config\logging.properties:
# Default Logging Configuration File
#
# You can use a different file by specifying a filename
# with the java.util.logging.config.file system property.
# For example: java -Djava.util.logging.config.file=myfile

# Global properties
# "handlers" specifies a comma separated list of log Handler
# classes. These handlers will be installed during VM startup.
# Note that these classes must be on the system classpath.
# By default we only configure a ConsoleHandler, which will only
# show messages at the INFO and above levels.
#handlers= java.util.logging.ConsoleHandler
# To also add the FileHandler, use the following line instead.
handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler

# Default global logging level.
# This specifies which kinds of events are logged across
# all loggers. For any given facility this global level
# can be overridden by a facility specific level.
# Note that the ConsoleHandler also has a separate level
# setting to limit messages printed to the console.
.level= FINE

# Handler specific properties.
# Describes specific configuration info for Handlers.
# default file output is in the user's home directory.
java.util.logging.FileHandler.pattern = E:/Logs/SMLogs/JRockit_%u.log
java.util.logging.FileHandler.limit = 50000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
# Limit the messages that are printed on the console to INFO and above.
java.util.logging.ConsoleHandler.level = INFO
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter

# Facility specific properties.
# Provides extra control for each logger.
# For example, set the com.xyz.foo logger to only log SEVERE
# messages:
com.xyz.foo.level = SEVERE
Step 4 Run the Resource Discovery tool to find the MOSS resources and import them into the OES policy store
Open a command line window on the MOSS server and run MOSSResourceDiscovery.exe:
<ORACLE_CLIENT_HOME>\oessm\mosssm\lib\MOSSResourceDiscovery.exe
It prompts for the following parameters:
- The path of the folder into which the resource files will be created. Note that the directory used for storing the exported resources needs to be created beforehand.
- The path to the "mosssm\adm\discovery\AdmUrls.txt" file used to extract the admin URLs.
- The URL of the top level MOSS site to be protected by OES.
- The application name of the MOSS application to be protected by OES. This has to be consistent with the property "moss.appname" defined in moss_config.properties. It is also the same as the application policy created and bound to the WS SSM in Step 1.
- The resource type of all the MOSS resources to be protected by OES. In OES 11g MOSS SM we only support a single resource type for all MOSS resources. This has to be consistent with the property "moss.resourcetype" defined in moss_config.properties.
MOSSResourceDiscovery defines all the MOSS resources as OES resources to be protected by OES and stores them in both XML format and plain text format.
Step 4A Import the discovered MOSS resources into the OES policy store
Edit the jps-config.xml file (under <instance>\config\wsclient): <oracle_client_home>\oes_sm_instances\<instance_name>\config\wsclient\jps-config.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <property value="off" name="oracle.security.jps.jaas.mode"/>
  <property value="weblogic.security.principal.WLSUserImpl" name="oracle.security.jps.enterprise.user.class"/>
  <property value="weblogic.security.principal.WLSGroupImpl" name="oracle.security.jps.enterprise.role.class"/>
  <property value="PDP" name="approles.source"/>
  <propertySets>
    <propertySet name="saml.trusted.issuers.1">
      <property value="www.oracle.com" name="name"/>
    </propertySet>
    <propertySet name="props.db.1">
      <property value="cn=oes_domain" name="oracle.security.jps.farm.name"/>
      <property value="DB_ORACLE" name="server.type"/>
      <property value="cn=jpsroot" name="oracle.security.jps.ldap.root.name"/>
      <property name="jdbc.url" value="jdbc:oracle:thin:@192.168.208.181:1521/HSIND.hsinidmdev.local"/>
      <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
      <property name="security.principal" value="DEVOES_APM"/>
      <property name="security.credential" value="<password>"/>
    </propertySet>
  </propertySets>
  <serviceProviders>
    <serviceProvider class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider" name="policystore.provider" type="POLICY_STORE"/>
    <serviceProvider class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider" name="credstoressp" type="CREDENTIAL_STORE">
      <description>SecretStore-based CSF provider</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider" name="idstore.xml.provider" type="IDENTITY_STORE">
      <description>XML-based IdStore Provider</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider" name="policystore.xml.provider" type="POLICY_STORE">
      <description>XML-based PolicyStore Provider</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider" name="jaas.login.provider" type="LOGIN">
      <description>This is Jaas Login Service Provider and is used to configure login module service instances</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.keystore.KeyStoreProvider" name="keystore.provider" type="KEY_STORE">
      <description>PKI Based Keystore Provider</description>
      <property value="owsm" name="provider.property.name"/>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.audit.AuditProvider" name="audit.provider" type="AUDIT">
      <description>Audit Service</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider" name="pdp.service.provider" type="PDP"/>
    <serviceProvider class="oracle.security.jps.internal.policystore.OPSSPolicyStoreProvider" name="policy.rdbms" type="POLICY_STORE">
      <property value="DB_ORACLE" name="policystore.type"/>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider" name="policy.oid" type="POLICY_STORE">
      <property value="OID" name="policystore.type"/>
    </serviceProvider>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance location="./" provider="credstoressp" name="credstore">
      <description>File Based Credential Store Service Instance</description>
    </serviceInstance>
    <serviceInstance location="./system-jazn-data.xml" provider="idstore.xml.provider" name="idstore.xml">
      <description>File Based Identity Store Service Instance</description>
      <property value="jazn.com" name="subscriber.name"/>
    </serviceInstance>
    <serviceInstance location="./system-jazn-data.xml" provider="policystore.xml.provider" name="policystore.xml">
      <description>File Based Policy Store Service Instance</description>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="idstore.loginmodule">
      <description>Identity Store Login Module</description>
      <property value="oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule" name="loginModuleClassName"/>
      <property value="REQUIRED" name="jaas.login.controlFlag"/>
    </serviceInstance>
    <serviceInstance location="./default-keystore.jks" provider="keystore.provider" name="keystore">
      <description>Default JPS Keystore Service</description>
      <property value="file" name="keystore.provider.type"/>
      <property value="./" name="keystore.file.path"/>
      <property value="JKS" name="keystore.type"/>
      <property value="oracle.wsm.security" name="keystore.csf.map"/>
      <property value="keystore-csf-key" name="keystore.pass.csf.key"/>
      <property value="sign-csf-key" name="keystore.sig.csf.key"/>
      <property value="enc-csf-key" name="keystore.enc.csf.key"/>
    </serviceInstance>
    <serviceInstance provider="audit.provider" name="audit">
      <property value="None" name="audit.filterPreset"/>
      <property value="0" name="audit.maxDirSize"/>
      <property value="104857600" name="audit.maxFileSize"/>
      <property value="jdbc/AuditDB" name="audit.loader.jndi"/>
      <property value="15" name="audit.loader.interval"/>
      <property value="File" name="audit.loader.repositoryType"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="saml.loginmodule">
      <description>SAML Login Module</description>
      <property value="oracle.security.jps.internal.jaas.module.saml.JpsSAMLLoginModule" name="loginModuleClassName"/>
      <property value="REQUIRED" name="jaas.login.controlFlag"/>
      <propertySetRef ref="saml.trusted.issuers.1"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="saml2.loginmodule">
      <description>SAML2 Login Module</description>
      <property value="oracle.security.jps.internal.jaas.module.saml.JpsSAML2LoginModule" name="loginModuleClassName"/>
      <property value="REQUIRED" name="jaas.login.controlFlag"/>
      <propertySetRef ref="saml.trusted.issuers.1"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="krb5.loginmodule">
      <description>Kerberos Login Module</description>
      <property value="com.sun.security.auth.module.Krb5LoginModule" name="loginModuleClassName"/>
      <property value="REQUIRED" name="jaas.login.controlFlag"/>
      <property value="true" name="storeKey"/>
      <property value="true" name="useKeyTab"/>
      <property value="true" name="doNotPrompt"/>
      <property value="./krb5.keytab" name="keyTab"/>
      <property value="HOST/localhost@EXAMPLE.COM" name="principal"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="digest.authenticator.loginmodule">
      <description>Digest Authenticator Login Module</description>
      <property value="oracle.security.jps.internal.jaas.module.digest.DigestLoginModule" name="loginModuleClassName"/>
      <property value="REQUIRED" name="jaas.login.controlFlag"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="certificate.authenticator.loginmodule">
      <description>X509 Certificate Login Module</description>
      <property value="oracle.security.jps.internal.jaas.module.x509.X509LoginModule" name="loginModuleClassName"/>
      <property value="REQUIRED" name="jaas.login.controlFlag"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="wss.digest.loginmodule">
      <description>WSS Digest Login Module</description>
      <property value="oracle.security.jps.internal.jaas.module.digest.WSSDigestLoginModule" name="loginModuleClassName"/>
      <property value="REQUIRED" name="jaas.login.controlFlag"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="user.authentication.loginmodule">
      <description>User Authentication Login Module</description>
      <property value="oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule" name="loginModuleClassName"/>
      <property value="REQUIRED" name="jaas.login.controlFlag"/>
    </serviceInstance>
    <serviceInstance location="./bootstrap" provider="credstoressp" name="bootstrap.credstore">
      <property value="./bootstrap" name="location"/>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="user.assertion.loginmodule">
      <description>User Assertion Login Module</description>
      <property value="oracle.security.jps.internal.jaas.module.assertion.JpsUserAssertionLoginModule" name="loginModuleClassName"/>
      <property value="REQUIRED" name="jaas.login.controlFlag"/>
    </serviceInstance>
    <serviceInstance location="E:\apps\oracle\middleware\oes_sm_instances\SP_SM_D2ISEVDHQ110_APP1_2\config\enroll" provider="credstoressp" name="credstore.enroll"/>
    <serviceInstance provider="pdp.service.provider" name="pdp.service">
      <property value="WS" name="oracle.security.jps.pdp.PDPTransport"/>
      <property value="http://localhost:<webservice port>" name="oracle.security.jps.pdp.proxy.PDPAddress"/>
      <property value="10000" name="oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs"/>
      <property value="3" name="oracle.security.jps.pdp.proxy.FailureRetryCount"/>
      <property value="180000" name="oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs"/>
      <property value="60000" name="oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs"/>
    </serviceInstance>
    <serviceInstance provider="policystore.provider" name="policystore.db">
      <property value="DB_ORACLE" name="policystore.type"/>
      <propertySetRef ref="props.db.1"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="pdp.service"/>
      <serviceInstanceRef ref="policystore.db"/>
    </jpsContext>
    <jpsContext name="bootstrap_credstore_context">
      <serviceInstanceRef ref="bootstrap.credstore"/>
    </jpsContext>
    <jpsContext name="oracle.security.jps.fmw.authenticator.DigestAuthenticator">
      <serviceInstanceRef ref="digest.authenticator.loginmodule"/>
    </jpsContext>
    <jpsContext name="oracle.security.jps.fmw.authenticator.BasicAuthenticator">
      <serviceInstanceRef ref="idstore.loginmodule"/>
    </jpsContext>
    <jpsContext name="X509CertificateAuthentication">
      <serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
    </jpsContext>
    <jpsContext name="SAML">
      <serviceInstanceRef ref="saml.loginmodule"/>
    </jpsContext>
    <jpsContext name="smsec">
      <serviceInstanceRef ref="credstore.enroll"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
Run $ORACLE_CLIENT_HOME\oessm\bin\manage-policy.cmd (or .sh) to migrate the resource policies into the OES policy store:
<oracle_client_home>\oessm\bin> manage-policy.cmd
Ensure that correct values are set for:
OES_CLIENT_HOME = "<oracle_client_home>"
OES_INSTANCE_NAME = "<instance_name>"
The policy management tool migrates the MOSS resources to the OES policy store in append mode; the existing MOSS application and its related policies will not be wiped off. The inputs for running this script (application name, resource type and MOSS resource file) should be consistent with the inputs given to the MOSSResourceDiscovery tool.
Start the WS SM: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\bin\startWSServer.cmd
Restart IIS/SharePoint:
> iisreset /noforce
Appendix A OES SM Manual Resource Creation
In case resources (like web sites lists etc) are created in MOSS after resource discovery is done the newly
created resources need to be replicated at OES This can be done by running resource discovery and loading
policy files again or through manual process The following section describes the manual creation of resources
in OES corresponding to web sites lists and web parts etc As the resource model is based on URL the URLs
of the MOSS resources are used to create resources in OES
Web Sites
On creation of new web sites in MOSS the URL of the web sites defines the resource to be created in
OES Say for web URL httpltSharepoint_Server_NamegtTestSite the corresponding resource will be created
by trimming off the initial part of the URL and creating "TestSite" as a resource under the MOSS application
(MossApp) from the OES Administration Server console.
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content. A web part is
one of the easiest ways in which content is published in MOSS. For authorization on web parts via
OES, these web parts may be created as resources in OES. Web parts are created as sub-resources of the page
resource, and the name of the resource is the display name of the web part.
Lists & Items
The web site creation also creates a set of lists, depending upon the template used for creating the
web. These lists are incorporated into the resource tree based on whether they are document lists or non-document
lists, in the following manner.
Document List
Go to the List view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/SharedDocuments/Forms/AllItems.aspx
It can be represented as "TestSite/SharedDocuments/Forms/AllItems.aspx" in the OES resource tree.
Create the individual items within the list as sub-resources of "SharedDocuments", e.g. a
document named Scott.sql present in the list may be represented as
"TestSite/SharedDocuments/Scott.sql"
Non-Document List
Go to the List view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Lists/Announcements/AllItems.aspx
It can be represented as "TestSite/Lists/Announcements/AllItems.aspx" in the resource tree.
Create the following resources at the same level as "AllItems.aspx":
EditForm.aspx
DispForm.aspx
Click on any item in the list and notice that the URL appears as the following:
http://<Sharepoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F
%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx
Notice the ID passed as a URL parameter. This ID is used as the name of the non-document item
and is created as a sub-resource of both EditForm.aspx and DispForm.aspx. This has to be done for all items
within a non-document list.
Note: An easier way of finding the IDs of the individual items is to hover the mouse over the link of
the item and note the ID from the URL displayed in the status bar of the browser.
Pages
Pages in MOSS exist either in document libraries or directly in the web. A page is modeled by
creating resources from the segments of its URL, in the same way as above.
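The following Python script is an added example (not code from the OES MOSS SM or from this guide) that applies the Appendix A naming rules, from the web-site rule that opens the appendix through the list, item, web part and page rules above, to MOSS URLs and lists the resources to create in OES. The sample URLs are constructed for the example; writing "/" between the levels of an OES resource name is an assumption of the example, not something the guide states.

```python
"""Map MOSS URLs to OES resource names following the Appendix A rules.

Added example; not part of the OES MOSS SM. Assumptions: the OES resource
hierarchy is written with "/" between levels, and the web site is the
first path segment below the server name. Sample URLs are constructed.
"""
from urllib.parse import parse_qs, unquote, urlsplit

FORM_PAGES = ("dispform.aspx", "editform.aspx")


def url_to_resources(url):
    """Return the resource name(s) one MOSS URL maps to.

    Scheme and host are trimmed; the path segments form the hierarchy.
    A DispForm/EditForm URL with an ID query parameter is a non-document
    list item: the ID becomes a sub-resource of BOTH form pages, as the
    appendix requires, so neither the view nor the edit form is left open.
    """
    parts = urlsplit(url)
    segments = [s for s in unquote(parts.path).split("/") if s]
    if not segments:
        raise ValueError("URL has no path below the server: %r" % url)
    item_id = parse_qs(parts.query).get("ID", [None])[0]
    if segments[-1].lower() in FORM_PAGES and item_id is not None:
        if not item_id.isdigit():
            raise ValueError("list item ID is not numeric: %r" % item_id)
        parent = "/".join(segments[:-1])
        return ["%s/DispForm.aspx/%s" % (parent, item_id),
                "%s/EditForm.aspx/%s" % (parent, item_id)]
    return ["/".join(segments)]


def web_part_resource(page_resource, display_name):
    """Web parts are sub-resources of their page, named by display name."""
    return "%s/%s" % (page_resource, display_name)


def resource_tree(resources):
    """Expand resource names into the full sorted set to create in OES,
    including every ancestor, so the tree can be created top-down."""
    tree = set()
    for res in resources:
        segs = res.split("/")
        for depth in range(1, len(segs) + 1):
            tree.add("/".join(segs[:depth]))
    return sorted(tree)


if __name__ == "__main__":
    # Constructed sample URLs matching the Appendix A examples.
    sample_urls = [
        "http://sharepoint01/TestSite",
        "http://sharepoint01/TestSite/SharedDocuments/Forms/AllItems.aspx",
        "http://sharepoint01/TestSite/SharedDocuments/Scott.sql",
        "http://sharepoint01/TestSite/Lists/Announcements/AllItems.aspx",
        "http://sharepoint01/TestSite/Lists/Announcements/DispForm.aspx?ID=2"
        "&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx",
    ]
    found = [r for u in sample_urls for r in url_to_resources(u)]
    found.append(web_part_resource("TestSite/SitePages/page2.aspx", "OES Document"))
    for res in resource_tree(found):
        print(res)
```

Running it prints the whole tree, ancestors included, in the order the resources can be created top-down in the console. The non-document item rule is the one most easily missed by hand: the script registers the ID under both DispForm.aspx and EditForm.aspx, because a resource under only one form page leaves the other route to the same item without a matching resource.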
Appendix B OES LDAP Integration
OES LDAP (OPTIONAL)
After installation the Oracle Entitlements Server identity store is associated with the WebLogic Server
embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a
supported LDAP directory must be used in production. The following procedure reconfigures the default
identity store settings. More specific information on configuring LDAP authentication providers can be found
in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Launch the WebLogic Server console.
Click Security Realms.
Click the settings for myrealm.
Click the Providers tab.
Click the Authentication tab as displayed in Figure 3-1.
Figure 3-1 The Authentication Provider Tab
Click the New button to create a new provider.
Enter a name and select the type of LDAP-based directory, for example OracleInternetDirectoryAuthenticator.
Configure the provider-specific attributes of the LDAP-based directory.
This might include the host name and port, credentials, group search base, user search base and the like.
Save the provider information.
Change the order of the providers so that the LDAP-based directory is first;
DefaultAuthenticator and DefaultIdentityAsserter will follow.
Click the new provider name to configure it.
Click the Configuration tab.
Click the Common tab.
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 3-2.
Figure 3-2 SUFFICIENT Control Flag
Click the Provider Specific tab.
Enter the LDAP configuration information for your identity store and click Save.
Return to the Providers tab.
Click DefaultAuthenticator to change its configuration.
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 3-3.
Figure 3-3 DefaultAuthenticator Tab in WebLogic Server Console
Restart WebLogic Server.
Note that with both providers set to SUFFICIENT a login succeeds as soon as either provider accepts it, so
accounts that remain in the embedded LDAP (such as the WebLogic administrator) stay valid alongside the
directory accounts.
Appendix C Creating and protecting a sample MOSS website with the OES 11gR2 MOSS SM
This section provides a step-by-step demonstration of the creation of a sample MOSS website with pages, web
parts and list items, and subsequently demonstrates how the OES MOSS 11gR2 SM can be used to protect the
sample MOSS website. Since this is a demonstration sample it uses Microsoft FBA (forms-based authentication) for
providing authentication to the sample website. This authentication can be swapped with any
other authentication mechanism without affecting the capabilities offered by the OES 11gR2 MOSS SM.
Step 1 Configure Form Based Authentication for MOSS 2010
Define the custom OESMembershipProvider and OESRoleProvider in the MOSS Central Admin site. In the
web.config file of the Central Admin site, add the OESMembershipProvider and OESRoleProvider
into <membership> and <roleManager> under the <system.web> section:
<system.web>
...
<membership defaultProvider="OESMembershipProvider">
<providers>
<clear />
<add name="OESMembershipProvider"
type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
</providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"
cacheRolesInCookie="false">
<providers>
<clear />
<add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider,
OESS harepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
</providers>
</roleManager>
</system.web>
Note that <clear /> removes every provider inherited from machine.config, so a provider named in
defaultProvider must be registered again below it.
Step 2 Configure the OES custom providers in the Security Token Service web.config file
In MOSS 2010 authentication is handled by the Security Token Service, so we need to configure the custom
providers in this service. Modify the configuration of the Security Token Service (C:\Program Files\Common
Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config). Add a
<system.web> section in <configuration> to configure the providers:
<system.web>
<membership defaultProvider="OESMembershipProvider">
<providers>
<clear />
<add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider,
OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
</providers>
</membership>
<roleManager defaultProvider="OESRoleProvider" enabled="true" cacheRolesInCookie="false">
<providers>
<clear />
<add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider,
OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
</providers>
</roleManager>
</system.web>
We can also add a debug setting to the SecurityTokenServiceBehavior <behavior> element so that, when
there are errors in the Security Token Service, detailed error information is available for troubleshooting:
<serviceDebug includeExceptionDetailInFaults="true" />
This setting returns exception details to the caller in SOAP faults, so keep it for troubleshooting only and
remove it before the server is exposed to users. After this step do an IIS restart and the OES custom providers
will be available.
Step 3 Create a MOSS Web Application to use Form Based Authentication
From the MOSS 2010 Central Admin site click Manage web applications under the Application Management
section, then click New in the top pane to create a new web application. In the Create New Web Application window
use the following settings to create an FBA web application:
Authentication: select Claims Based Authentication instead of Classic Mode
Authentication.
IIS Web Site: create a new IIS web site (use default values for Name, Port, Host Header and Path).
Security Configuration: Allow Anonymous: Yes; Use Secure Sockets Layer (SSL): No. (Demonstration
settings only: FBA sends the user's password in the login request, so a production site must use SSL.)
Claims Authentication Types: keep Enable Windows Authentication and Integrated Windows
Authentication selected; use NTLM instead of Negotiate; select Enable Forms Based
Authentication (FBA) and type in OESMembershipProvider and OESRoleProvider as the
membership provider and role manager name.
Sign In Page URL: Use Default Sign In Page.
Public URL: use the default settings.
Application Pool: select Create new application pool; use the default Application pool name; use
Predefined instead of Configurable as the security account.
Database Name and Authentication: use default settings.
Failover Server, Search Server, Service Application Connections & Customer Experience
Improvement Program: use default settings.
Please see the following figure for sample configurations.
Click OK to create this web application.
Still from the Central Admin site, click "Manage web applications" under "Application Management" and select User
Policy from the ribbon. Click Add Users, select the default zone and hit Next, click the Address Book button, type
mossadmin in Find and hit the Search icon; this username is resolved as a Forms Auth user. Add this
user, grant "Full Control" under Permissions and hit the Finish button.
Step 4 Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider in the
<membership> and <roleManager> sections under <system.web>. DO NOT delete the default providers that are
already there:
<system.web>
...
<membership defaultProvider="i">
<providers>
<clear />
<add name="i"
type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider,
Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider,
OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
</providers>
</membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
<providers>
<clear />
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider,
Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider,
OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
</providers>
</roleManager>
</system.web>
Please note: when modifying web.config files, always back up the original file and use Notepad.
Do an IIS restart and the FBA configuration will be activated. Create site collections for this web application, using
mossadmin as the Primary Site Collection Administrator.
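The web.config edits in Steps 1, 2 and 4 differ in one detail that is easy to get wrong: the web application keeps SharePoint's own claims providers "i" and "c" as defaults, while the Central Admin and Security Token Service files clear them. The Python script below is an added example, not part of the OES MOSS SM, that checks a web.config for the provider registration the guide describes before the IIS restart. The two web.config samples inside it are constructed to mirror the Step 4 snippet and the mistake the guide warns about.

```python
"""Check a SharePoint web.config against the provider registration
Steps 1 to 4 describe. Added example; not part of the OES MOSS SM.
The two web.config samples below are constructed for the check.
"""
import xml.etree.ElementTree as ET

OES_TOKEN = "68b08a2fa869dfdc"   # OESSharepoint assembly, from the guide
SP_TOKEN = "71e9bce111e9429c"    # Microsoft.SharePoint assembly

# (system.web section, OES provider name, SharePoint claims provider name)
SECTIONS = (("membership", "OESMembershipProvider", "i"),
            ("roleManager", "OESRoleProvider", "c"))


def check_web_config(xml_text, claims_web_application):
    """Return a list of problems; an empty list means the file matches the guide.

    claims_web_application=True for the web application of Step 4, where the
    SPClaimsAuth providers "i" and "c" must survive the <clear /> and stay the
    defaults; False for the Central Admin and Security Token Service files."""
    root = ET.fromstring(xml_text)
    problems = []
    for section, oes_name, sp_name in SECTIONS:
        node = root.find("./system.web/%s" % section)
        if node is None:
            problems.append("missing <%s> under <system.web>" % section)
            continue
        adds = {a.get("name"): a.get("type", "") for a in node.findall("./providers/add")}
        if oes_name not in adds:
            problems.append("%s: %s is not registered" % (section, oes_name))
        elif "PublicKeyToken=%s" % OES_TOKEN not in adds[oes_name]:
            problems.append("%s: %s has an unexpected assembly identity" % (section, oes_name))
        if section == "roleManager" and node.get("enabled", "false").lower() != "true":
            problems.append("roleManager is not enabled")
        if claims_web_application:
            if sp_name not in adds or SP_TOKEN not in adds[sp_name]:
                problems.append("%s: SharePoint claims provider '%s' is missing "
                                "(it must be re-added after <clear />)" % (section, sp_name))
            if node.get("defaultProvider") != sp_name:
                problems.append("%s: defaultProvider must stay '%s'" % (section, sp_name))
    return problems


# Constructed sample: the Step 4 web application file, as the guide shows it.
GOOD_WEB_APP = """<configuration><system.web>
<membership defaultProvider="i"><providers><clear />
<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
</providers></membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false"><providers><clear />
<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
<add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
</providers></roleManager>
</system.web></configuration>"""

# Constructed sample of the mistake the guide warns about: the <clear /> was
# left in but the SharePoint membership provider "i" was not re-added.
BROKEN_WEB_APP = GOOD_WEB_APP.replace(
    '<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, '
    'Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />\n', "")

if __name__ == "__main__":
    for label, text in (("good", GOOD_WEB_APP), ("broken", BROKEN_WEB_APP)):
        print(label, check_web_config(text, claims_web_application=True) or "OK")
```

Run it against the real file with `check_web_config(open(path).read(), claims_web_application=True)` for the web application and `False` for the Central Admin and STS files; the check deliberately does not enforce a defaultProvider for the latter two because the guide's Central Admin snippet keeps AspNetWindowsTokenRoleProvider as the default.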
Step 5 Log in to the FBA site as site admin and grant users access to this site
Add Groups
Log in to the site (e.g. http://alesw2k8:11589) as site admin (mossadmin). Click Site Actions > Site
Permissions. In the following window click Create Group in the top ribbon, type in group1 as the group
name, change "Allow requests to join/leave this group" and "Auto-accept requests" to Yes, give Read
permission and take all the other default settings, then hit Create. group1 is created. (Auto-accept lets any
authenticated user add themselves to the group; it is a demonstration setting.) Please see the following
figure as an example.
In the group1 view click New > Add Users. In the following window click the Address Book icon, type in
mossuser1 and click the search icon; this user is resolved as a Forms Auth user. Add mossuser1 to
group1. Click Settings > Group Settings, change Group Owner to "mossuser1" and remove "mossadmin"
from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as
group owner; also grant Read access to these two groups.
Steps 6-9 below demonstrate creating a MOSS sub site, web pages, list items and custom content pages.
Step 6 Create Sub Site
Still logged in as site admin (mossadmin), select Site Actions > New Site, input the title OES Example and
the URL Name http://alesw2k8:11589/example, take the other default settings and hit Create to create the sub
site.
Step 7 Create Document Libraries & List Items
In the "example" sub site click Site Actions > New Document Library. In the following window use
OES Document as the name and take the other default settings, then hit Create. OES Document is created
under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder, type in test as the
name and click Save; the test folder is created in OES Document. Click into the test folder and Add
Document. In the Upload Document window browse to the dummy document doc1.rtf, put it under the
test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to
upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.
Step 8 Create Non-Document Libraries & List Items
Click Site Actions > More Options. When the new window appears, click Announcements under
Communications. In the following window, to create the announcement list, type in OES Announcement as the
name and take the other default settings. Hit Create; OES Announcement is created and appears in
the left panel.
Save the settings and click Add new announcement. Give the title Announcement 2 (the existing
MOSS announcement has ID "1"), input any content in the announcement body and save the announcement.
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.
Step 9 Create Web Pages
Regular Pages: select Site Actions > New Page, enter page1 as the name and hit Create. Input any content
in the edit pane of this page, then Save & Close. page1.aspx is created under Site Pages.
Web Part Pages: select Site Actions > More Options. In the following window click Web Part Page
under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template,
select Site Pages as the save location and hit Create to create page2. When the edit web part page window appears,
click Add a Web Part and add OES Document and OES Announcement to this web part page. Click Stop
Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: open Microsoft SharePoint Designer 2010, click Open Site and type in the site name (e.g.
http://alesw2k8:11589/example). Log in to the site as mossadmin. Select Site Pages, then click Page > HTML
from the top ribbon; a new untitled page is created under Site Pages. Change the name to page3.aspx. With
page3.aspx selected, click Edit File With > SharePoint Designer (Open as HTML); in the popup
window click OK and page3 is opened for editing in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OESSharepoint.Controls" TagPrefix="OES" Assembly="OESSharepoint,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
account owner: Joe Doe
account type: primary saving
account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10 Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11 Define authorization policies and run the example
Step 11.1 From APM define the following authorization policies:
Grant role authenticatedUser "view" and "ANY" access to all the resources
Deny mossuser1 "view" access to resource doc4.rtf
Deny mossuser3 "view" access to the "OES Announcement" folder
Deny mossuser3 "view" access to page1.aspx
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx
Deny mossuser4 "view" access to the sub site "OES Example"
Step 11.2 Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login page is shown.
mossuser1: log in as "mossuser1".
Document list items: click "OES Document" and the "test" folder. "doc1", "doc2" and "doc3" appear but not
"doc4", since mossuser1 is denied access to it.
Non-document list items: click "OES Announcement"; all items are accessible.
Regular web page: mossuser1 can access page1.aspx.
Web parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1",
"doc2" and "doc3", but not "doc4", appear. All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly log in as the other users (mossuser2, mossuser3 etc.) and validate their individual access as defined by
the policies in Step 11.1.
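To make the expected outcomes of Step 11.2 explicit, here is an added Python model of how the Step 11.1 policies combine. It is not OES code; it assumes deny-overrides combining (a matching deny beats any grant), that a policy on a resource also covers its sub-resources, and that "ANY" matches every action. The resource names and the authenticatedUser membership are constructed from the Appendix C site layout.

```python
"""Evaluate the Step 11.1 policies the way the Step 11.2 walkthrough expects.

Added example; not OES code. Assumptions: deny-overrides combining, a policy
on a resource also covers its sub-resources, and "ANY" matches every action.
Resource names and role membership are constructed from the Appendix C layout.
"""

# Role membership used by the grant on authenticatedUser (constructed).
ROLES = {"authenticatedUser": {"mossuser1", "mossuser2", "mossuser3", "mossuser4"}}

# (effect, principal, action, resource); "" is the root, i.e. all resources.
POLICIES = [
    ("grant", "authenticatedUser", "ANY", ""),
    ("deny", "mossuser1", "view", "example/OES Document/test/doc4.rtf"),
    ("deny", "mossuser3", "view", "example/Lists/OES Announcement"),
    ("deny", "mossuser3", "view", "example/SitePages/page1.aspx"),
    ("deny", "mossuser3", "view", "example/SitePages/page3.aspx/Resource1"),
    ("deny", "mossuser4", "view", "example"),
]


def covers(policy_resource, resource):
    """True when the policy resource is the resource itself or an ancestor of it."""
    return (policy_resource == "" or resource == policy_resource
            or resource.startswith(policy_resource + "/"))


def principal_matches(principal, user):
    return principal == user or user in ROLES.get(principal, ())


def is_permitted(user, action, resource, policies=POLICIES):
    """Deny-overrides: any matching deny wins, else any matching grant, else deny."""
    granted = False
    for effect, principal, pol_action, pol_resource in policies:
        if not principal_matches(principal, user):
            continue
        if pol_action not in ("ANY", action) or not covers(pol_resource, resource):
            continue
        if effect == "deny":
            return False
        granted = True
    return granted


def visible(user, resources, action="view"):
    """Filter a list view down to the items the user is permitted to view."""
    return [r for r in resources if is_permitted(user, action, r)]


if __name__ == "__main__":
    docs = ["example/OES Document/test/doc%d.rtf" % n for n in range(1, 5)]
    for user in ("mossuser1", "mossuser2", "mossuser3", "mossuser4"):
        print(user, visible(user, docs))
```

The model reproduces the walkthrough: mossuser1 sees doc1 to doc3 but not doc4, mossuser3 is denied every item under the OES Announcement list because the deny sits on the list resource, and mossuser4 is denied everything below the sub site by the single deny on "example". Note that the final `return granted` is a default deny: a user outside the authenticatedUser role, or a resource never granted, gets no access.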
# NAME
# smconfig.ws.controlled.prp
# DESCRIPTION
# This file specifies parameters used by the SM configuration script
# (config.sh).
# This file is for the WS SM in Controlled Policy Distribution Mode.
# -->
# Policy distribution mode. Possible values:
# controlled-push - if this mode is set you need to configure the Policy
# Distribution configuration parameters
oracle.security.jps.runtime.pd.client.policyDistributionMode=controlled-push
# -------- Policy Distributor connectivity information - required for
# controlled-push distribution mode
oracle.security.jps.runtime.pd.client.RegistrationServerHost=<hostname>
oracle.security.jps.runtime.pd.client.RegistrationServerPort=7002
# ---------- ONLY for WS SM -----------------------------
# port number to accept authorization requests
oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber=<webservice port>
# Only supply if you do not use -smConfigId at the command line
# SM name
oracle.security.jps.runtime.pd.client.sm_name=
# >>>>>>>>>>>> OPTIONAL PARAMETERS <<<<<<<<<<<<<<<<<<
# ------------ Only for Java SM, WS SM and RMI SM in controlled-push mode
# --------------------
# port to listen for policy distribution. Picked automatically by the SM
# config tool if not specified
oracle.security.jps.runtime.pd.client.DistributionServicePort=
oracle.security.jps.runtime.pd.client.sm_type=ws
mossprpFileName refers to the properties file used to configure the MOSS server.
There is a template for mossprpFileName at
<ORACLE_CLIENT_HOME>\oessm\mosssm\adm\configtool\moss_config.properties
Make a backup of moss_config.properties, rename it to say dev_config.properties, and edit the values in the
configuration file
<ORACLE_CLIENT_HOME>\oessm\mosssm\adm\configtool\dev_config.properties
There are mandatory and optional properties in the file. Mandatory properties need to be set according to
the environment. Optional properties use default values if not set.
gacutility = ...
moss.webextensionlocation = C:\...
moss.webconfig = C:\...
moss.SmUrl = http://localhost:<webservice SM port>
moss.log4NetXmlfile = ...
moss.sharepointSite = https://<sitename>:<port>
application.id = MossApp
moss.resourcetype = MossResourceType (default)
moss.IgnoredExtensions = (default)
moss.IgnoredURLExpression = (default)
Sample configuration file used: <ORACLE_CLIENT_HOME>\oessm\mosssm\adm\configtool\dev_config.properties
# This file lists properties for SMConfigTool to configure the MOSS server.
# The following section contains the mandatory properties; make sure the properties
# are set correctly.
# Microsoft .NET Framework Global Assembly Cache utility location
gacutility=E:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\gacutil.exe
# Location of the Microsoft SharePoint web server extensions, which is the
# Location value of the registry key
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0 (MOSS 2007) or
# HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\14.0 (MOSS 2010)
moss.webextensionlocation=C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14
# MOSS web.config file
moss.webconfig=C:\inetpub\wwwroot\wss\VirtualDirectories\dev.hsinlab.local443\web.config
# OES web service URI
moss.SmUrl = http://localhost:9400
# log4net configuration file
moss.log4NetXmlfile=E:\apps\oracle\middleware\oessm\mosssm\adm\runtime\log4net.xml
# MOSS site URI that OES is to protect
moss.sharepointSite=https://dev.hsinlab.local
# the application ID representing the protected MOSS web application
application.id = MOSSApp
# OES resource type name of all the MOSS resources
moss.resourcetype = MossResourceType
# resource extensions that are ignored when doing authorization; for
# example the js and css scripts are usually ignored
moss.IgnoredExtensions=png,js,css,axd,ico,jpg,gif
# URL expressions that are ignored by OES authorization; for example the
# login pages should usually be ignored.
# The following value gives a sample of which URLs should be ignored for a
# MOSS 2010 FBA site if the default login page is used.
# For a MOSS 2007 FBA site, _layouts/login.aspx should be ignored if the
# default login page is used.
moss.IgnoredURLExpression=_layouts/Authenticate.aspx,_login/default.aspx,_forms/default.aspx,_trust/,_trust/default.aspx,_layouts/_login/default.aspx
# The following are the optional properties; the default value will be used if
# not set.
# operation for MOSS configuration: config or remove; defaults to config
moss.operation = config
# MOSS version; supported versions are 2007 and 2010; defaults to 2010
moss.version=2010
# enable OES; default is true
moss.enableOES=true
Every request whose extension or URL matches these ignore lists is served without an OES decision, so keep the
lists to the login pages and static content; a broad expression such as an entire _layouts directory would also
exempt the administrative pages under it.
Step 3B Configure Logging
Edit the log configuration file log4net.xml located at
<ORACLE_CLIENT_HOME>\oessm\mosssm\adm\runtime\log4net.xml to set the location for the MOSS SM
logs.
Sample file <ORACLE_CLIENT_HOME>\oessm\mosssm\adm\runtime\log4net.xml:
<log4net>
<appender name="RollingFileAppender"
type="log4net.Appender.RollingFileAppender">
<file value="E:\OESSharepoint.log" />
<rollingStyle value="Size" />
<appendToFile value="true" />
<maximumFileSize value="1024KB" />
<maxSizeRollBackups value="10" />
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%level %d %logger - %message%newline" />
</layout>
<lockingModel type="log4net.Appender.FileAppender+MinimalLock" />
</appender>
<root>
<level value="DEBUG" />
<appender-ref ref="RollingFileAppender" />
</root>
</log4net>
The DEBUG root level is useful while verifying the installation; lower it afterwards, and restrict read access to
the log file, since it records the SM's authorization activity.
Copy the JDK logging.properties to the SM logging directory:
> Copy <JAVA_HOME>\lib\logging.properties to
<ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\config\logging.properties
- enable the file handler
- change the log file location
- set the logging level
Actual file used:
<ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\config\logging.properties
# Default Logging Configuration File
# You can use a different file by specifying a filename
# with the java.util.logging.config.file system property.
# For example: java -Djava.util.logging.config.file=myfile
# Global properties
# "handlers" specifies a comma separated list of log Handler
# classes. These handlers will be installed during VM startup.
# Note that these classes must be on the system classpath.
# By default we only configure a ConsoleHandler, which will only
# show messages at the INFO and above levels.
#handlers= java.util.logging.ConsoleHandler
# To also add the FileHandler, use the following line instead.
handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler
# Default global logging level.
# This specifies which kinds of events are logged across
# all loggers. For any given facility this global level
# can be overridden by a facility specific level.
# Note that the ConsoleHandler also has a separate level
# setting to limit messages printed to the console.
.level= FINE
# Handler specific properties.
# Describes specific configuration info for Handlers.
# Default file output is in the user's home directory; it is changed here to the SM log
# directory. Use forward slashes or doubled backslashes, since a single backslash is an
# escape character in a Java properties file.
java.util.logging.FileHandler.pattern = E:/Logs/SMLogs/JRockit_%u.log
java.util.logging.FileHandler.limit = 50000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
# Limit the messages that are printed on the console to INFO and above.
java.util.logging.ConsoleHandler.level = INFO
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
# Facility specific properties.
# Provides extra control for each logger.
# For example, set the com.xyz.foo logger to only log SEVERE
# messages:
# com.xyz.foo.level = SEVERE
Step 4 Run the Resource Discovery tool to find the MOSS resources and import them into the OES
policy store
Open a command line window on the MOSS server and run MOSSResourceDiscovery.exe:
<ORACLE_CLIENT_HOME>\oessm\mosssm\lib\MOSSResourceDiscovery.exe
It prompts for the following parameters:
The path of the folder into which the resource files will be created. Note that the directory used
for storing the exported resources needs to be created beforehand.
Path to the "mosssm\adm\discovery\AdmUrls.txt" file used to extract the admin URLs.
URL of the top level MOSS site to be protected by OES.
Application name of the MOSS application to be protected by OES. This has to be consistent
with the application ID (application.id) defined in moss_config.properties. It is also the same as the
application policy created and bound to the WS SSM in step 1.
The resource type of all the MOSS resources to be protected by OES. The OES 11g MOSS SM
supports only a single resource type for all MOSS resources. This has to be consistent with the
property moss.resourcetype defined in moss_config.properties.
MOSSResourceDiscovery defines all the MOSS resources as OES resources to be protected by OES and stores
them in both XML format and plain text format.
Step 4A Import MOSS discovered resources to the OES policy store
Edit the jps-config.xml file under <instance_name>\config\wsclient:
<oracle_client_home>\oes_sm_instances\<instance_name>\config\wsclient\jps-config.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
<property value="off" name="oracle.security.jps.jaas.mode"/>
<property value="weblogic.security.principal.WLSUserImpl"
name="oracle.security.jps.enterprise.user.class"/>
<property value="weblogic.security.principal.WLSGroupImpl"
name="oracle.security.jps.enterprise.role.class"/>
<property value="PDP" name="approles.source"/>
<propertySets>
<propertySet name="saml.trusted.issuers.1">
<property value="www.oracle.com" name="name"/>
</propertySet>
<propertySet name="props.db.1">
<property value="cn=oes_domain" name="oracle.security.jps.farm.name"/>
<property value="DB_ORACLE" name="server.type"/>
<property value="cn=jpsroot" name="oracle.security.jps.ldap.root.name"/>
<property name="jdbc.url" value="jdbc:oracle:thin:@192.168.208.181:1521/HSIND.hsinidmdev.local"/>
<property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
<property name="security.principal" value="DEVOES_APM"/>
<property name="security.credential" value="<password>"/>
</propertySet>
</propertySets>
<serviceProviders>
<serviceProvider class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider"
name="policystore.provider" type="POLICY_STORE"/>
<serviceProvider class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider"
name="credstoressp" type="CREDENTIAL_STORE">
<description>SecretStore-based CSF provider</description>
</serviceProvider>
<serviceProvider class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider"
name="idstore.xml.provider" type="IDENTITY_STORE">
<description>XML-based IdStore Provider</description>
</serviceProvider>
<serviceProvider class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider"
name="policystore.xml.provider" type="POLICY_STORE">
<description>XML-based PolicyStore Provider</description>
</serviceProvider>
<serviceProvider class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider"
name="jaas.login.provider" type="LOGIN">
<description>This is Jaas Login Service Provider and is used
to configure login module service instances</description>
</serviceProvider>
<serviceProvider class="oracle.security.jps.internal.keystore.KeyStoreProvider"
name="keystore.provider" type="KEY_STORE">
<description>PKI Based Keystore Provider</description>
<property value="owsm" name="provider.property.name"/>
</serviceProvider>
<serviceProvider class="oracle.security.jps.internal.audit.AuditProvider"
name="audit.provider" type="AUDIT">
<description>Audit Service</description>
</serviceProvider>
<serviceProvider class="oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider"
name="pdp.service.provider" type="PDP"/>
<serviceProvider class="oracle.security.jps.internal.policystore.OPSSPolicyStoreProvider"
name="policy.rdbms" type="POLICY_STORE">
<property value="DB_ORACLE" name="policystore.type"/>
</serviceProvider>
<serviceProvider class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider"
name="policy.oid" type="POLICY_STORE">
<property value="OID" name="policystore.type"/>
</serviceProvider>
</serviceProviders>
<serviceInstances>
<serviceInstance location="./" provider="credstoressp" name="credstore">
<description>File Based Credential Store Service Instance</description>
</serviceInstance>
<serviceInstance location="./system-jazn-data.xml" provider="idstore.xml.provider" name="idstore.xml">
<description>File Based Identity Store Service Instance</description>
<property value="jazn.com" name="subscriber.name"/>
</serviceInstance>
<serviceInstance location="./system-jazn-data.xml" provider="policystore.xml.provider" name="policystore.xml">
<description>File Based Policy Store Service Instance</description>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="idstore.loginmodule">
<description>Identity Store Login Module</description>
<property value="oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule"
name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
</serviceInstance>
<serviceInstance location="./default-keystore.jks" provider="keystore.provider" name="keystore">
<description>Default JPS Keystore Service</description>
<property value="file" name="keystore.provider.type"/>
<property value="" name="keystore.file.path"/>
<property value="JKS" name="keystore.type"/>
<property value="oracle.wsm.security" name="keystore.csf.map"/>
<property value="keystore-csf-key" name="keystore.pass.csf.key"/>
<property value="sign-csf-key" name="keystore.sig.csf.key"/>
<property value="enc-csf-key" name="keystore.enc.csf.key"/>
</serviceInstance>
<serviceInstance provider="audit.provider" name="audit">
<property value="None" name="audit.filterPreset"/>
<property value="0" name="audit.maxDirSize"/>
<property value="104857600" name="audit.maxFileSize"/>
<property value="jdbc/AuditDB" name="audit.loader.jndi"/>
<property value="15" name="audit.loader.interval"/>
<property value="File" name="audit.loader.repositoryType"/>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="saml.loginmodule">
<description>SAML Login Module</description>
<property value="oracle.security.jps.internal.jaas.module.saml.JpsSAMLLoginModule"
name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
<propertySetRef ref="saml.trusted.issuers.1"/>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="saml2.loginmodule">
<description>SAML2 Login Module</description>
<property value="oracle.security.jps.internal.jaas.module.saml.JpsSAML2LoginModule"
name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
<propertySetRef ref="saml.trusted.issuers.1"/>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="krb5.loginmodule">
<description>Kerberos Login Module</description>
<property value="com.sun.security.auth.module.Krb5LoginModule" name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
<property value="true" name="storeKey"/>
<property value="true" name="useKeyTab"/>
<property value="true" name="doNotPrompt"/>
<property value="./krb5.keytab" name="keyTab"/>
<property value="HOST/localhost@EXAMPLE.COM" name="principal"/>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="digest.authenticator.loginmodule">
<description>Digest Authenticator Login Module</description>
<property value="oracle.security.jps.internal.jaas.module.digest.DigestLoginModule"
name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="certificate.authenticator.loginmodule">
<description>X509 Certificate Login Module</description>
<property value="oracle.security.jps.internal.jaas.module.x509.X509LoginModule"
name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="wss.digest.loginmodule">
<description>WSS Digest Login Module</description>
<property value="oracle.security.jps.internal.jaas.module.digest.WSSDigestLoginModule"
name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="user.authentication.loginmodule">
<description>User Authentication Login Module</description>
<property value="oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule"
name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
</serviceInstance>
<serviceInstance location="./bootstrap" provider="credstoressp" name="bootstrap.credstore">
<property value="bootstrap" name="location"/>
</serviceInstance>
<serviceInstance provider="jaas.login.provider" name="user.assertion.loginmodule">
<description>User Assertion Login Module</description>
<property value="oracle.security.jps.internal.jaas.module.assertion.JpsUserAssertionLoginModule"
name="loginModuleClassName"/>
<property value="REQUIRED" name="jaas.login.controlFlag"/>
</serviceInstance>
<serviceInstance location="E:\apps\oracle\middleware\oes_sm_instances\SP_SM_D2ISEVDHQ110_APP1_2\config\enroll"
provider="credstoressp" name="credstore.enroll"/>
<serviceInstance provider="pdp.service.provider" name="pdp.service">
<property value="WS" name="oracle.security.jps.pdp.PDPTransport"/>
<property value="http://localhost:<webservice port>" name="oracle.security.jps.pdp.proxy.PDPAddress"/>
<property value="10000" name="oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs"/>
<property value="3" name="oracle.security.jps.pdp.proxy.FailureRetryCount"/>
<property value="180000" name="oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs"/>
<property value="60000" name="oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs"/>
</serviceInstance>
<serviceInstance provider="policystore.provider" name="policystore.db">
<property value="DB_ORACLE" name="policystore.type"/>
<propertySetRef ref="props.db.1"/>
</serviceInstance>
</serviceInstances>
<jpsContexts default="default">
<jpsContext name="default">
<serviceInstanceRef ref="pdp.service"/>
<serviceInstanceRef ref="policystore.db"/>
</jpsContext>
<jpsContext name="bootstrap_credstore_context">
<serviceInstanceRef ref="bootstrap.credstore"/>
</jpsContext>
<jpsContext name="oracle.security.jps.fmw.authenticator.DigestAuthenticator">
<serviceInstanceRef ref="digest.authenticator.loginmodule"/>
</jpsContext>
<jpsContext name="oracle.security.jps.fmw.authenticator.BasicAuthenticator">
<serviceInstanceRef ref="idstore.loginmodule"/>
</jpsContext>
<jpsContext name="X509CertificateAuthentication">
<serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
</jpsContext>
<jpsContext name="SAML">
<serviceInstanceRef ref="saml.loginmodule"/>
</jpsContext>
<jpsContext name="smsec">
<serviceInstanceRef ref="credstore.enroll"/>
</jpsContext>
</jpsContexts>
</jpsConfig>
The props.db.1 property set carries the policy store database user and password in clear text, so restrict
read access to this file to the account that runs the SM tools.
Run $ORACLE_CLIENT_HOME\oessm\bin\manage-policy.cmd (or manage-policy.sh) to migrate the resource policies into the OES policy store:

<oracle_client_home>\oessm\bin> manage-policy.cmd

Ensure that the correct values are set for:
OES_CLIENT_HOME = "<oracle_client_home>"
OES_INSTANCE_NAME = "<instance_name>"

The policy-management tool migrates the MOSS resources to the OES policy store in append mode: the existing MOSS application and its related policies will not be wiped off. The input for running this script (application name, resource type and MOSS resource file) should be consistent with the input given to the MOSSResourceDiscovery tool.

Start the WS SM: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\bin\startWSServer.cmd

Restart IIS/SharePoint:
> iisreset /noforce
Appendix A: OES SM Manual Resource Creation

In case resources (like web sites, lists, etc.) are created in MOSS after resource discovery is done, the newly created resources need to be replicated in OES. This can be done by running resource discovery and loading the policy files again, or through a manual process. The following section describes the manual creation of resources in OES corresponding to web sites, lists, web parts, etc. As the resource model is based on URLs, the URLs of the MOSS resources are used to create resources in OES.

Web Sites
On creation of a new web site in MOSS, the URL of the web site defines the resource to be created in OES. Say for the web URL http://<Sharepoint_Server_Name>/TestSite, the corresponding resource is created by trimming off the initial part of the URL and creating "TestSite" as a resource under the MOSS application (MossApp) from the OES administration server console.

Web Parts
Corresponding to a web site there may be a set of pages created for publishing content. A web part is one of the easiest and best ways in which content is published in MOSS. For authorization on web parts via OES, these web parts may be created as resources in OES. Web parts are created as sub resources of the page resource, and the name of the resource is the display name of the web part.

Lists & Items
The web site creation also creates a set of lists, depending upon the template used for creating the web. These lists are incorporated into the resource tree based on whether they are document lists or non-document lists, in the following manner.

Document List
Go to the List view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Shared Documents/Forms/AllItems.aspx
It can be represented as "TestSite/Shared Documents/Forms/AllItems.aspx" in the OES resource tree.
Create the individual items within the list as sub resources of "Shared Documents"; e.g. a document named Scott.sql present in the list may be represented as "TestSite/Shared Documents/Scott.sql".

Non-Document List
Go to the List view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Lists/Announcements/AllItems.aspx
It can be represented as "TestSite/Lists/Announcements/AllItems.aspx" in the resource tree.
Create the following resources at the same level as "AllItems.aspx":
EditForm.aspx
DispForm.aspx
Click on any item in the list and notice that the URL appears as the following:
http://<Sharepoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx
Notice the ID parameter in the URL. This ID is used as the name of the non-document item and is created as a sub resource of both EditForm.aspx and DispForm.aspx. This has to be done for all items within a non-document list.
Note: An easier way of finding the IDs of the individual items is to hover the mouse over the link of the item and note the ID from the URL displayed in the status bar of the browser.

Pages
Pages in MOSS exist either in document libraries or in the web base. A page may be modeled by creating resources that break up its URL.
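The mapping rules above, implemented as an added example for this page (it is not code from the OES MOSS SM or the MOSSResourceDiscovery tool). The function names, the placeholder server name sp01 and the sample URLs are constructed here; the logic follows Appendix A: trim scheme and host, URL-decode the path, and for an item form page of a non-document list create the ID as a sub resource of both DispForm.aspx and EditForm.aspx.

```python
"""Map MOSS URLs to OES resource names following the Appendix A model.
Added example for this page, not code from the OES MOSS SM: the function
names and the sample URLs are constructed here, and the server name sp01
is a placeholder."""
from urllib.parse import parse_qs, unquote, urlsplit

# Item form pages of a non-document list. Appendix A creates an item's ID as
# a sub resource of both of these, at the same level as AllItems.aspx.
ITEM_FORMS = ("DispForm.aspx", "EditForm.aspx")


def url_to_resource(url):
    """Trim the scheme and host and URL-decode the path, giving the resource
    name relative to the MOSS application (e.g. 'TestSite')."""
    return unquote(urlsplit(url).path).strip("/")


def resources_for_url(url):
    """Return every OES resource implied by one MOSS URL.

    A site, page, document or list view URL maps to its decoded path. An item
    URL of a non-document list (DispForm.aspx or EditForm.aspx with ?ID=n)
    maps to the ID as a sub resource of both form pages; the Source
    parameter carried by SharePoint is ignored.
    """
    base = url_to_resource(url)
    ids = parse_qs(urlsplit(url).query).get("ID", [])
    parent, _, leaf = base.rpartition("/")
    if leaf in ITEM_FORMS and ids:
        prefix = parent + "/" if parent else ""
        return [f"{prefix}{form}/{ids[0]}" for form in ITEM_FORMS]
    return [base]


def web_part_resource(page_url, display_name):
    """A web part is a sub resource of its page, named by its display name."""
    return f"{url_to_resource(page_url)}/{display_name}"


if __name__ == "__main__":
    # Constructed sample URLs; sp01 stands in for <Sharepoint_Server_Name>.
    for url in (
        "http://sp01/TestSite",
        "http://sp01/TestSite/Shared%20Documents/Forms/AllItems.aspx",
        "http://sp01/TestSite/Shared%20Documents/Scott.sql",
        "http://sp01/web1/Lists/Announcements/DispForm.aspx?ID=2"
        "&Source=http%3A%2F%2Fsp01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx",
    ):
        print(url, "->", resources_for_url(url))
    print(web_part_resource("http://sp01/TestSite/SitePages/page2.aspx", "OES Document"))
```

Because the SM matches on the decoded URL path, the resource name must use the decoded form ("Shared Documents", not "Shared%20Documents"); a resource created with the encoded name would never match a request and the item would fall through to the default decision.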
Appendix B: OES LDAP Integration

OES LDAP (OPTIONAL)
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a supported LDAP directory must be used in production. The following procedure reconfigures the default identity store settings. More specific information on configuring LDAP authentication providers can be found in Oracle Fusion Middleware Securing Oracle WebLogic Server.

Launch the WebLogic Server console.
Click Security Realms.
Click the settings for myrealm.
Click the Providers tab.
Click the Authentication tab, as displayed in Figure 3-1.
Figure 3-1: The Authentication Provider Tab
Click the New button to create a new provider.
Enter a name and select the type of LDAP-based directory, for example OracleInternetDirectoryAuthenticator.
Configure the provider-specific attributes of the LDAP-based directory. This might include the host name and port, credentials, group search base, user search base and the like.
Save the provider information.
Change the order of the providers so that the LDAP-based directory is first; DefaultAuthenticator and DefaultIdentityAsserter will follow.
Click the new provider name to configure it.
Click the Configuration tab.
Click the Common tab.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-2.
Figure 3-2: SUFFICIENT Control Flag
Click the Provider Specific tab.
Enter the LDAP configuration information for your identity store and click Save.
Return to the Providers tab.
Click DefaultAuthenticator to change its configuration.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-3.
Figure 3-3: DefaultAuthenticator Tab in WebLogic Server Console
Restart WebLogic Server.
Appendix C: Creating and protecting a sample MOSS website with the OES 11gR2 MOSS SM

This section provides a step-by-step demonstration of the creation of a sample MOSS website with pages, web parts and list items, and subsequently demonstrates how the OES MOSS 11gR2 SM can be used to protect the sample MOSS website. Since this is a demonstration sample, it uses Microsoft FBA for providing authentication to the sample website. It should be noted that this authentication can be easily swapped with any other authentication mechanism without affecting the capabilities offered by the OES 11gR2 MOSS SM.

Step 1: Configure Form Based Authentication in MOSS 2010
Define the custom OESMembershipProvider and OESRoleProvider in the MOSS Central Admin Site. In the web.config file of the Central Admin Site, add the OESMembershipProvider and OESRoleProvider into <membership> and <roleManager> under the <system.web> section:
<system.web>
  ...
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider"
           type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Step 2: Configure the OES custom providers in the Security Token Service web.config file
In MOSS 2010, authentication is handled by the Security Token Service, so the custom providers must be configured in this service as well. Modify the configuration of the Security Token Service (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config): add a <system.web> section in <configuration> to configure the providers:
<system.web>
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="OESRoleProvider" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider"
           type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
A debug setting can also be added to the SecurityTokenServiceBehavior <behavior> tag, so that when there are errors in the Security Token Service the detailed error is written to the event log: <serviceDebug includeExceptionDetailInFaults="true" />. After this step, do an IIS restart and the OES custom providers will be available.
Step 3: Create a MOSS Web Application to use Form Based Authentication
From the MOSS 2010 Central Admin Site, click Manage web applications under the Application Management section, then click New in the top pane to create a new web application. In the Create New Web Application window, use the following settings to create an FBA web application:
Authentication: Select Claims Based Authentication instead of Classic Mode Authentication.
IIS Web Site: Create a new IIS web site (use the default values for Name, Port, Host Header and Path).
Security Configuration: Allow Anonymous: Yes; Use Secure Sockets Layer (SSL): No.
Claims Authentication Types: Keep Enable Windows Authentication and Integrated Windows Authentication selected; use NTLM instead of Negotiate. Select Enable Forms Based Authentication (FBA) and type in OESMembershipProvider and OESRoleProvider as the membership provider and role manager name.
Sign In Page URL: Use Default Sign In Page.
Public URL: Use the default settings.
Application Pool: Select Create new application pool; use the default application pool name; use Predefined instead of Configurable as the security account.
Database Name and Authentication: Use the default settings.
Failover Server, Search Server, Service Application Connections & Customer Experience Improvement Program: Use the default settings.
Please see the following figure for sample configurations.
Click OK to create this web application.
Still from the Central Admin Site, click "Manage web applications" under "Application Management" and select User Policy from the ribbon. Click Add Users, select the default zone and hit Next. Click the Address Book button, type mossadmin in Find and hit the Search icon; this username can be resolved as a Forms Auth user. Add this user, grant "Full Control" under Permissions and hit the Finish button.
Step 4: Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider in the <membership> and <roleManager> under the <system.web> section. DO NOT delete the default providers that are already there.
<system.web>
  ...
  <membership defaultProvider="i">
    <providers>
      <clear />
      <add name="i"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="c"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESRoleProvider"
           type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Please note: when modifying web.config files, always back up the original file first and edit with Notepad.
Do an IIS restart and the FBA configuration will be activated. Create Site Collections for this web application, using mossadmin as the Primary Site Collection Administrator.

Step 5: Log in to the FBA site as site admin and grant users access to this site
Add Groups
Log in to the site (e.g. http://alesw2k8:11589) as site admin (mossadmin). Click Site Actions > Site Permissions. In the following window, click Create Group in the top ribbon, type in group1 as the group name, change "Allow requests to join/leave this group" and "Auto-accept requests" to Yes, give Read permission, take all the other default settings and hit Create; group1 is created. Please see the following figure as an example.
In the group1 view, click New > Add Users. In the following window, click the Address Book icon, type in mossuser1 and click the search icon; this user will be resolved as a Forms Auth user. Add mossuser1 to group1. Click Settings > Group Settings, change Group Owner to "mossuser1" and remove "mossadmin" from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as group owner; also grant Read access to these two groups.

Steps 6-9 below demonstrate creating a MOSS sub site, web pages, list items and custom content pages.
Step 6: Create Sub Site
Still logged in as site admin (mossadmin), select Site Actions > New Site, input the title as OES Example and the URL name as http://alesw2k8:11589/example, take the other default settings and hit Create to create the sub site.

Step 7: Create Document Libraries & List Items
In the "example" sub site, click Site Actions > New Document Library. In the following window, use OES Document as the name, take the other default settings and hit Create. OES Document is created under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder; type in test as the name and click Save. The test folder is created in OES Document. Click into the test folder and choose Add document. In the Upload Document window, browse to the dummy document doc1.rtf, put it under the test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.

Step 8: Create Non-Document Libraries & List Items
Click Site Actions > More Options; when the new window appears, click Announcements under Communications. In the following window, to create the announcement list, type in OES Announcement as the name and take the other default settings. Hit Create; OES Announcement is created and appears in the left panel.
Save the settings and click Add new announcement. Give the title as Announcement 2 (the existing MOSS announcement will have ID "1"), input any content in the announcement body and save the announcement. Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.

Step 9: Create Web Pages
Regular Pages: Select Site Actions > New Page, enter page1 as the name and hit Create. Input any content in the edit pane of this page and Save & Close; page1.aspx is created under Site Pages.
Web Part Pages: Select Site Actions > More Options; in the following window click Web Part Page under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template, select Site Pages as the save location and hit Create to create page2. When the edit web part page window appears, click Add a Web Part and add OES Document and OES Announcement to this web part page. Click Stop Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: Open Microsoft SharePoint Designer 2010, click Open Site, type in the site name (e.g. http://alesw2k8:11589/example) and log in to the site as mossadmin. Select Site Pages and click Page > HTML from the top ribbon; a new untitled page is created under Site Pages. Change its name to page3.aspx. With page3.aspx selected, click Edit File With > SharePoint Designer (Open As HTML); in the popup window click OK and page3 will be edited in advanced mode in Code view.
Add the following in the <head> section of this page:

<%@ Register Namespace="OES.Sharepoint.Controls" TagPrefix="OES" Assembly="OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>

Add the following in the <body> section; only the content wrapped by the tag library control is subject to the OES decision for resource "Resource1", while the introductory line renders for everyone:

The following sensitive information is protected by OES:
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
  account owner: Joe Doe
  account type: primary saving
  account balance: 1000000
</OES:AuthorizationTagLib>

Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10: Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.

Step 11: Configure the MOSS Web Application to be protected by OES
Step 11.1: From APM, define the following authorization policies:
Grant role authenticatedUser "view" and "ANY" access to all the resources.
Deny mossuser1 "view" access to resource doc4.rtf.
Deny mossuser3 "view" access to the "OES Announcement" folder.
Deny mossuser3 "view" access to page1.aspx.
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
Deny mossuser4 "view" access to sub site "OES Example".

Step 11.2: Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login is prompted.
mossuser1: log in as "mossuser1".
Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" will appear but not "doc4", since mossuser1 is denied access to it.
Non-Document List Items: click "OES Announcement"; all items are accessible.
Regular Web Page: mossuser1 can access page1.aspx.
Web Parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1", "doc2" and "doc3", but not "doc4", appear. All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, log in as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by the policies in Step 11.1.
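The Step 11.1 policies and the Step 11.2 expectations, run through a small evaluator so the expected outcome for every sample user can be checked before logging in. This is an added example written for this page; it is not the OES PDP and not code shipped with the MOSS SM. It assumes that an explicit DENY takes precedence over a GRANT (the OES combining behaviour), that a policy on a resource also covers everything beneath it in the resource tree, and that only authenticated users hold the authenticatedUser role. The resource names (example/OES Document/test/doc4.rtf and so on) are constructed to follow the Appendix A URL model rather than taken from resource discovery.

```python
"""Deny-overrides evaluation of the Step 11.1 policies against the Step 11.2
checks. Added example for this page, not the OES PDP. Assumptions: DENY wins
over GRANT, a policy on a resource also covers its sub resources, and only
authenticated users hold the authenticatedUser role. Resource names are
constructed to follow the Appendix A model."""

ROLE_AUTHENTICATED = "role:authenticatedUser"

# (effect, principal, actions, resource); "" is the root of the MossApp tree.
POLICIES = [
    ("GRANT", ROLE_AUTHENTICATED, {"view", "ANY"}, ""),
    ("DENY", "user:mossuser1", {"view"}, "example/OES Document/test/doc4.rtf"),
    ("DENY", "user:mossuser3", {"view"}, "example/Lists/OES Announcement"),
    ("DENY", "user:mossuser3", {"view"}, "example/SitePages/page1.aspx"),
    ("DENY", "user:mossuser3", {"view"}, "example/SitePages/page3.aspx/Resource1"),
    ("DENY", "user:mossuser4", {"view"}, "example"),
]


def covers(policy_resource, resource):
    """True when the policy's resource is the requested resource or an ancestor."""
    if policy_resource == "":
        return True
    return resource == policy_resource or resource.startswith(policy_resource + "/")


def is_permitted(user, action, resource, authenticated=True, policies=POLICIES):
    """Deny-overrides: any matching DENY refuses; otherwise a matching GRANT
    permits; with no matching policy at all the answer is a refusal."""
    principals = {f"user:{user}"}
    if authenticated:
        principals.add(ROLE_AUTHENTICATED)
    granted = False
    for effect, principal, actions, policy_resource in policies:
        if principal not in principals or not covers(policy_resource, resource):
            continue
        if action not in actions and "ANY" not in actions:
            continue
        if effect == "DENY":
            return False
        granted = True
    return granted


def visible(user, resources, action="view"):
    """The subset of list items the user sees once the SM filters the list."""
    return [r for r in resources if is_permitted(user, action, r)]


# Constructed sample resources for the "test" folder and the announcement list.
TEST_FOLDER = [f"example/OES Document/test/doc{i}.rtf" for i in range(1, 5)]
ANNOUNCEMENTS = [f"example/Lists/OES Announcement/DispForm.aspx/{i}" for i in (1, 2, 3, 4)]


def run_step_11_2():
    """Reproduce the Step 11.2 walkthrough for each sample user."""
    return {
        "mossuser1_test_folder": visible("mossuser1", TEST_FOLDER),
        "mossuser1_announcements": visible("mossuser1", ANNOUNCEMENTS),
        "mossuser1_page1": is_permitted("mossuser1", "view", "example/SitePages/page1.aspx"),
        "mossuser1_resource1": is_permitted("mossuser1", "view", "example/SitePages/page3.aspx/Resource1"),
        "mossuser3_announcements": visible("mossuser3", ANNOUNCEMENTS),
        "mossuser3_page1": is_permitted("mossuser3", "view", "example/SitePages/page1.aspx"),
        "mossuser3_page3": is_permitted("mossuser3", "view", "example/SitePages/page3.aspx"),
        "mossuser3_resource1": is_permitted("mossuser3", "view", "example/SitePages/page3.aspx/Resource1"),
        "mossuser4_subsite": is_permitted("mossuser4", "view", "example"),
        "mossuser4_page1": is_permitted("mossuser4", "view", "example/SitePages/page1.aspx"),
        "anonymous_page1": is_permitted("guest", "view", "example/SitePages/page1.aspx", authenticated=False),
    }


if __name__ == "__main__":
    for check, result in run_step_11_2().items():
        print(f"{check}: {result}")
```

Two points the walkthrough relies on are visible in the results: mossuser3 can still open page3.aspx itself while the "Resource1" block inside it is withheld, because the deny sits on the sub resource and not on the page; and the deny on the "example" sub site for mossuser4 covers every page and item beneath it without a per-resource policy.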
ltproperty value=DB_ORACLE name=policystoretype gt
ltpropertySetRef ref=propsdb1 gt
ltserviceInstancegt
ltserviceInstancesgt
ltjpsContexts default=defaultgt
ltjpsContext name=defaultgt
ltserviceInstanceRef ref=pdpservicegt
ltserviceInstanceRef ref=policystoredbgt
ltjpsContextgt
ltjpsContext name=bootstrap_credstore_contextgt
ltserviceInstanceRef ref=bootstrapcredstoregt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorDigestAuthenticatorgt
ltserviceInstanceRef ref=digestauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorBasicAuthenticatorgt
ltserviceInstanceRef ref=idstoreloginmodulegt
ltjpsContextgt
ltjpsContext name=X509CertificateAuthenticationgt
ltserviceInstanceRef
ref=certificateauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext name=SAMLgt
ltserviceInstanceRef ref=samlloginmodulegt
Page 12 10152012
ltjpsContextgt
ltjpsContext name=smsecgt
ltserviceInstanceRef ref=credstoreenrollgt
ltjpsContextgt
ltjpsContextsgt
ltjpsConfiggt
Run $ORACLE_CLIENT_HOME/oessm/bin/manage-policy.cmd|sh to migrate the resource policies into the OES policy store:
<oracle_client_home>\oessm\bin> manage-policy.cmd
Ensure that the correct values are set for:
OES_CLIENT_HOME = "<oracle_client_home>"
OES_INSTANCE_NAME = "<instance_name>"
The policy-management tool migrates the MOSS resources to the OES policy store in append mode, so the existing MOSS application and its related policies are not wiped out. The inputs for running this script (application name, resource type and MOSS resource file) must be consistent with the inputs given to the MOSSResourceDiscovery tool.
Start the WS SM: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\bin\startWSServer.cmd
Restart IIS/SharePoint:
> iisreset /noforce
Appendix A: OES SM Manual Resource Creation
In case resources (such as web sites, lists, etc.) are created in MOSS after resource discovery has been done, the newly created resources need to be replicated in OES. This can be done by running resource discovery and loading the policy files again, or through a manual process. The following section describes the manual creation of resources in OES corresponding to web sites, lists, web parts, etc. As the resource model is based on URLs, the URLs of the MOSS resources are used to create the resources in OES.
Web Sites
On creation of a new web site in MOSS, the URL of the web site defines the resource to be created in OES. For the web URL http://<Sharepoint_Server_Name>/TestSite, the corresponding resource is created by trimming off the initial part of the URL and creating "TestSite" as a resource under the MOSS application (MossApp) from the OES administration server console.
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content. A web part is one of the easiest and best ways in which content is published in MOSS. For authorization on web parts via OES, these web parts may be created as resources in OES. Web parts are created as sub resources of the page resource, and the name of the resource is the display name of the web part.
Lists & Items
The web site creation also creates a set of lists depending upon the template used for creating the web. These lists are incorporated into the resource tree based on whether they are document lists or non-document lists, in the following manner.
Document List
Go to the list view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Shared Documents/Forms/AllItems.aspx
It is represented as "TestSite/Shared Documents/Forms/AllItems.aspx" in the OES resource tree.
Create the individual items within the list as sub resources of "Shared Documents"; e.g. a document named Scott.sql present in the list is represented as "TestSite/Shared Documents/Scott.sql".
Non-Document List
Go to the list view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Lists/Announcements/AllItems.aspx
It is represented as "TestSite/Lists/Announcements/AllItems.aspx" in the resource tree.
Create the following resources at the same level as "AllItems.aspx":
EditForm.aspx
DispForm.aspx
Click on any item in the list and notice that the URL appears as follows:
http://<Sharepoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx
Notice the ID passed as a URL parameter. This ID is used as the name of the non-document item and is created as a sub resource of both EditForm.aspx and DispForm.aspx. This has to be done for all items within a non-document list.
Note: An easier way of finding the IDs of the individual items is to hover the mouse over the link of the item and note the ID from the URL displayed in the status bar of the browser.
Pages
Pages in MOSS exist either in document libraries or in the web base. A page may be modeled by creating resources that break up its URL in the same way.
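The URL-to-resource rules of this appendix, as an added Python example that is not part of the Oracle document. Treating any path with a "Lists" segment as a non-document list is an assumption drawn from the examples above, and the sample URLs are constructed.

```python
# Added example (not Oracle code): derive OES resource names from MOSS URLs using
# the Appendix A rules. The host prefix is trimmed; a document library view or a
# document maps one to one; a non-document list view gets EditForm.aspx and
# DispForm.aspx siblings; a list item's ID becomes a sub resource of both forms.
# Assumption: a path containing a "Lists" segment is a non-document list.
from urllib.parse import parse_qs, unquote, urlsplit

LIST_FORMS = ("EditForm.aspx", "DispForm.aspx")
FORM_NAMES = {f.lower() for f in LIST_FORMS}


def moss_url_to_oes_resources(url):
    """Return the OES resource path(s) Appendix A derives from one MOSS URL."""
    parts = urlsplit(url)
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if not segments:
        return []
    parent = "/".join(segments[:-1])
    last = segments[-1]
    query = parse_qs(parts.query)
    in_list = any(s.lower() == "lists" for s in segments[:-1])

    # Item of a non-document list: the ID query parameter names the item,
    # and it hangs under both EditForm.aspx and DispForm.aspx.
    if in_list and last.lower() in FORM_NAMES and "ID" in query:
        item_id = query["ID"][0]
        return [f"{parent}/{form}/{item_id}" for form in LIST_FORMS]

    # Non-document list view: AllItems.aspx plus the two form pages beside it.
    if in_list and last.lower() == "allitems.aspx":
        return ["/".join(segments)] + [f"{parent}/{form}" for form in LIST_FORMS]

    # Web site, document library view or document: the URL path minus the host.
    return ["/".join(segments)]


def with_ancestors(resources):
    """Expand resource paths with every parent path, since each OES resource has
    to be created under an existing parent in the tree. Sorted, no duplicates."""
    tree = set()
    for res in resources:
        segments = res.split("/")
        for i in range(1, len(segments) + 1):
            tree.add("/".join(segments[:i]))
    return sorted(tree)


if __name__ == "__main__":
    # Constructed sample URLs modelled on the Appendix A examples.
    sample = [
        "http://sharepoint01/TestSite",
        "http://sharepoint01/TestSite/Shared%20Documents/Forms/AllItems.aspx",
        "http://sharepoint01/TestSite/Shared%20Documents/Scott.sql",
        "http://sharepoint01/TestSite/Lists/Announcements/AllItems.aspx",
        "http://sharepoint01/web1/Lists/Announcements/DispForm.aspx?ID=2"
        "&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx",
    ]
    found = [r for url in sample for r in moss_url_to_oes_resources(url)]
    for res in with_ancestors(found):
        print(res)
```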
Appendix B: OES LDAP Integration
OES LDAP (OPTIONAL)
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a supported LDAP directory must be used in production. The following procedure reconfigures the default identity store settings. More specific information on configuring LDAP authentication providers can be found in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Launch the WebLogic Server console.
Click Security Realms.
Click the settings for myrealm.
Click the Providers tab.
Click the Authentication tab, as displayed in Figure 3-1.
Figure 3-1: The Authentication Provider Tab
Click the New button to create a new provider.
Enter a name and select the type of LDAP-based directory, for example OracleInternetDirectoryAuthenticator.
Configure the provider-specific attributes of the LDAP-based directory. This might include the host name and port, credentials, group search base, user search base and the like.
Save the provider information.
Change the order of the providers so that the LDAP-based directory is first; DefaultAuthenticator and DefaultIdentityAsserter will follow.
Click the new provider name to configure it.
Click the Configuration tab.
Click the Common tab.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-2.
Figure 3-2: SUFFICIENT Control Flag
Click the Provider Specific tab.
Enter the LDAP configuration information for your identity store and click Save.
Return to the Providers tab.
Click DefaultAuthenticator to change its configuration.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-3.
Figure 3-3: DefaultAuthenticator Tab in WebLogic Server Console
Restart WebLogic Server.
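How WebLogic evaluates the provider chain this appendix sets up (LDAP directory first, DefaultAuthenticator second, both SUFFICIENT), as an added illustration that is neither Oracle nor WebLogic code. The control-flag semantics are the standard JAAS rules; the user and password tables are constructed.

```python
# Added illustration (not Oracle/WebLogic code) of JAAS control-flag evaluation
# over the Appendix B provider order. Credentials below are constructed.
def authenticate(chain, user, password):
    """chain: list of (provider_name, control_flag, credentials), credentials
    mapping user -> password. Returns (overall_success, providers_that_succeeded)."""
    required_failed = False
    succeeded = []
    for name, flag, creds in chain:
        ok = creds.get(user) == password
        if ok:
            succeeded.append(name)
        if flag == "REQUISITE" and not ok:
            return False, succeeded          # stop immediately
        if flag == "REQUIRED" and not ok:
            required_failed = True           # keep going, but the result is a failure
        if flag == "SUFFICIENT" and ok and not required_failed:
            return True, succeeded           # later providers are not consulted
        # OPTIONAL: the outcome never depends on this provider alone
    if required_failed:
        return False, succeeded
    return bool(succeeded), succeeded


LDAP_USERS = {"alice": "ldap-secret"}        # constructed: account only in the LDAP directory
EMBEDDED_USERS = {"weblogic": "wls-secret"}  # constructed: account only in embedded LDAP

# The Appendix B configuration: LDAP provider first, both providers SUFFICIENT.
APPENDIX_B_CHAIN = [
    ("OracleInternetDirectoryAuthenticator", "SUFFICIENT", LDAP_USERS),
    ("DefaultAuthenticator", "SUFFICIENT", EMBEDDED_USERS),
]

# Same providers with the LDAP provider REQUIRED instead: accounts that exist
# only in the embedded LDAP (such as the WebLogic administrator) can no longer log in.
LDAP_REQUIRED_CHAIN = [
    ("OracleInternetDirectoryAuthenticator", "REQUIRED", LDAP_USERS),
    ("DefaultAuthenticator", "SUFFICIENT", EMBEDDED_USERS),
]

if __name__ == "__main__":
    for who, pw in (("alice", "ldap-secret"), ("weblogic", "wls-secret"), ("unknown", "x")):
        print(who, authenticate(APPENDIX_B_CHAIN, who, pw), authenticate(LDAP_REQUIRED_CHAIN, who, pw))
```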
Appendix C: Creating and protecting a sample MOSS website with the OES 11gR2 MOSS SM
This section provides a step-by-step demonstration of the creation of a sample MOSS website with pages, web parts and list items, and subsequently demonstrates how the OES 11gR2 MOSS SM can be used to protect the sample MOSS website. Since this is a demonstration sample, it uses Microsoft Forms Based Authentication (FBA) to provide authentication to the sample website. Note that this authentication can easily be swapped with any other authentication mechanism without affecting the capabilities offered by the OES 11gR2 MOSS SM.
Step 1: Configure Forms Based Authentication in MOSS 2010
Define the custom OESMembershipProvider and OESRoleProvider in the MOSS Central Admin Site. In the web.config file of the Central Admin Site, add the OESMembershipProvider and OESRoleProvider to <membership> and <roleManager> under the <system.web> section:
<system.web>
  ...
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider"
           type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Step 2: Configure the OES custom providers in the Security Token Service web.config file
In MOSS 2010 authentication is handled by the Security Token Service, so the custom providers must be configured in this service as well. Modify the configuration of the Security Token Service (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config): add a <system.web> section in <configuration> to configure the providers:
<system.web>
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="OESRoleProvider" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider"
           type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
A debug setting can also be added to the SecurityTokenServiceBehavior <behavior> tag, so that when there are errors in the Security Token Service the detailed error log can be found in the event log:
<serviceDebug includeExceptionDetailInFaults="true" />
After this step, do an IIS restart; the OES custom providers will then be available.
Step 3: Create a MOSS Web Application that uses Forms Based Authentication
From the MOSS 2010 Central Admin Site, click Manage web applications under the Application Management section, then click New in the top pane to create a new web application. In the Create New Web Application window, use the following settings to create an FBA web application:
Authentication: select Claims Based Authentication instead of Classic Mode Authentication.
IIS Web Site: create a new IIS web site (use the default values for Name, Port, Host Header and Path).
Security Configuration: Allow Anonymous: Yes; Use Secure Sockets Layer (SSL): No.
Claims Authentication Types: keep Enable Windows Authentication and Integrated Windows Authentication selected; use NTLM instead of Negotiate. Select Enable Forms Based Authentication (FBA) and type in OESMembershipProvider and OESRoleProvider as the membership provider and role manager names.
Sign In Page URL: use the default sign in page.
Public URL: use the default settings.
Application Pool: select Create new application pool; use the default application pool name; use Predefined instead of Configurable as the security account.
Database Name and Authentication: use the default settings.
Failover Server, Search Server, Service Application Connections & Customer Experience Improvement Program: use the default settings.
Please see the following figure for sample configurations.
Click OK to create this web application.
Still in the Central Admin Site, click "Manage web applications" under "Application Management" and select User Policy from the ribbon. Click Add Users, select the default zone and hit Next; click the Address Book button, type mossadmin in Find and hit the Search icon. This username is resolved as a Forms Auth user; add this user, grant "Full Control" under Permissions and hit Finish.
Step 4: Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider to <membership> and <roleManager> under the <system.web> section. DO NOT delete the default providers that are already there:
<system.web>
  ...
  <membership defaultProvider="i">
    <providers>
      <clear />
      <add name="i"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESMembershipProvider"
           type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="c"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESRoleProvider"
           type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Please note: when modifying web.config files, always back up the original file and use Notepad.
Do an IIS restart and the FBA configuration will be activated. Create Site Collections for this web application, using mossadmin as the Primary Site Collection Administrator.
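A check for the web.config edits in Steps 1, 2 and 4, added here and not part of the Oracle document: it confirms that the OES providers are registered, that the SharePoint claims providers "i" and "c" survived the Step 4 edit, and flags the Step 2 serviceDebug setting, which returns exception details to callers and is only meant for troubleshooting. The sample web.config is constructed from the Step 4 fragment.

```python
# Added check (not Oracle code) for the web.config edits in Steps 1, 2 and 4.
# The sample configuration below is constructed from the Step 4 fragment.
import xml.etree.ElementTree as ET

OES_MEMBERSHIP = "OESMembershipProvider"
OES_ROLE = "OESRoleProvider"
SP_CLAIMS_DEFAULTS = {"membership": "i", "roleManager": "c"}  # SharePoint's own claims providers


def provider_names(root, section):
    """Names of the <add> providers under <system.web>/<section>/<providers>."""
    return [add.get("name") for add in root.findall(f"./system.web/{section}/providers/add")]


def check_web_config(xml_text, keep_sharepoint_defaults=False):
    """Return {'ok': bool, 'findings': [...]}; 'ok' is True when nothing needs attention.
    keep_sharepoint_defaults=True applies the Step 4 rule that 'i' and 'c' must stay."""
    root = ET.fromstring(xml_text)
    findings = []
    for section, oes_name in (("membership", OES_MEMBERSHIP), ("roleManager", OES_ROLE)):
        names = provider_names(root, section)
        if oes_name not in names:
            findings.append(f"{section}: {oes_name} is not registered")
        default = SP_CLAIMS_DEFAULTS[section]
        if keep_sharepoint_defaults and default not in names:
            findings.append(f"{section}: SharePoint default provider '{default}' was removed")
    role_manager = root.find("./system.web/roleManager")
    if role_manager is not None and role_manager.get("enabled", "false").lower() != "true":
        findings.append("roleManager is not enabled")
    # The Step 2 debug switch sends exception details in SOAP faults; keep it off in normal operation.
    for debug in root.iter("serviceDebug"):
        if debug.get("includeExceptionDetailInFaults", "false").lower() == "true":
            findings.append("serviceDebug includeExceptionDetailInFaults=true exposes "
                            "exception details to callers; disable it once troubleshooting is done")
    return {"ok": not findings, "findings": findings}


# Constructed sample: the Step 4 providers plus the Step 2 debug behavior, so
# that the check has something to flag.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="i">
      <providers>
        <clear />
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
      </providers>
    </membership>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
      </providers>
    </roleManager>
  </system.web>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SecurityTokenServiceBehavior">
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
"""

if __name__ == "__main__":
    print(check_web_config(SAMPLE_WEB_CONFIG, keep_sharepoint_defaults=True))
```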
Step 5: Log in to the FBA site as site admin and grant users access to this site
Add Groups
Log in to the site (e.g. http://alesw2k8:11589) as site admin (mossadmin). Click Site Actions > Site Permissions. In the following window click Create Group in the top ribbon, type in group1 as the group name, change "Allow requests to join/leave this group" and "Auto-accept requests" to Yes, give Read permission, take all the other default settings and hit Create; group1 is created. Please see the following figure as an example.
In the group1 view, click New > Add Users. In the following window click the Address Book icon, type in mossuser1 and click the search icon; this user is resolved as a Forms Auth user. Add mossuser1 to group1. Click Settings > Group Settings, change Group Owner to "mossuser1" and remove "mossadmin" from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as group owner; also grant Read access to these two groups.
Steps 6-9 below demonstrate creating a MOSS sub site, web pages, list items and custom content pages.
Step 6: Create a Sub Site
Still logged in as site admin (mossadmin), select Site Actions > New Site, input the title OES Example and the URL name http://alesw2k8:11589/example, take the other default settings and hit Create to create the sub site.
Step 7: Create Document Libraries & List Items
In the "example" sub site, click Site Actions > New Document Library. In the following window use OES Document as the name, take the other default settings and hit Create. OES Document is created under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder; type in test as the name and click Save. The test folder is created in OES Document. Click into the test folder and choose Add document. In the Upload Document window, browse to the dummy document doc1.rtf, put it under the test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.
Step 8: Create Non-Document Libraries & List Items
Click Site Actions > More Options; when the new window appears, click Announcements under Communications. In the following window, to create the announcement list, type in OES Announcement as the name and take the other default settings. Hit Create; OES Announcement is created and appears in the left panel.
Save the settings and click Add new announcement. Give the title Announcement 2 (the existing MOSS announcement has ID "1"), input any content in the announcement body and save the announcement. Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.
Step 9: Create Web Pages
Regular Pages: select Site Actions > New Page, enter page1 as the name and hit Create. Input any content in the edit pane of this page and Save & Close; page1.aspx is created under Site Pages.
Web Part Pages: select Site Actions > More Options; in the following window click Web Part Page under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template, select Site Pages as the save location and hit Create to create page2. When the edit web part page window appears, click Add a Web Part and add OES Document and OES Announcement to this web part page. Click Stop Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: open Microsoft SharePoint Designer 2010, click Open Site and type in the site name (e.g. http://alesw2k8:11589/example). Log in to the site as mossadmin. Select Site Pages and click Page > HTML from the top ribbon; a new untitled page is created under Site Pages. Change its name to page3.aspx. With page3.aspx selected, click Edit File With > SharePoint Designer (Open As HTML); in the popup window click OK and page3 is opened for editing in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OESSharepoint.Controls" TagPrefix="OES" Assembly="OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES:
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
account owner: Joe Doe
account type: primary saving
account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10: Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11: Configure the MOSS Web Application to be protected by OES
Step 11.1: From APM, define the following authorization policies:
Grant the role authenticatedUser "view" and "ANY" access to all the resources.
Deny mossuser1 "view" access to the resource doc4.rtf.
Deny mossuser3 "view" access to the "OES Announcement" folder.
Deny mossuser3 "view" access to page1.aspx.
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2: Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login is prompted.
mossuser1: log in as "mossuser1".
Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" appear but not "doc4", since mossuser1 is denied access to it.
Non-Document List Items: click "OES Announcement"; all items are accessible.
Regular Web Page: mossuser1 can access page1.aspx.
Web Parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1", "doc2" and "doc3" appear, not "doc4". All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, log in as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by the policies in Step 11.1.
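A model of the Step 11.1 policy set checked against the outcomes Step 11.2 describes, added here as an illustration and not OES code. It assumes resource names follow the Appendix A URL-trimming convention, that a policy on a resource also covers its sub resources, that every mossuser holds the authenticatedUser role, and that a matching Deny overrides a matching Grant.

```python
# Added model (not OES code) of the Appendix C policies. Assumptions: resource
# paths per Appendix A, subtree inheritance, deny overrides grant, and all
# FBA users carry the authenticatedUser role.
from dataclasses import dataclass

ANY = "ANY"
AUTHENTICATED = "authenticatedUser"


@dataclass(frozen=True)
class Policy:
    effect: str         # "grant" or "deny"
    subject: str        # user name or role name
    actions: frozenset  # action names; ANY matches every action
    resource: str       # "/"-separated path under the MOSS application; "" is the root


# Step 11.1, with assumed resource paths for the objects built in Steps 6-9.
POLICIES = [
    Policy("grant", AUTHENTICATED, frozenset({"view", ANY}), ""),
    Policy("deny", "mossuser1", frozenset({"view"}), "example/OES Document/test/doc4.rtf"),
    Policy("deny", "mossuser3", frozenset({"view"}), "example/Lists/OES Announcement"),
    Policy("deny", "mossuser3", frozenset({"view"}), "example/Site Pages/page1.aspx"),
    Policy("deny", "mossuser3", frozenset({"view"}), "example/Site Pages/page3.aspx/Resource1"),
    Policy("deny", "mossuser4", frozenset({"view"}), "example"),
]


def covers(policy_resource, resource):
    """A policy on a resource applies to that resource and everything under it."""
    return (policy_resource == "" or resource == policy_resource
            or resource.startswith(policy_resource + "/"))


def is_authorized(user, action, resource, policies=POLICIES):
    """Deny-overrides: any matching deny wins, otherwise a matching grant is needed."""
    subjects = {user, AUTHENTICATED}
    matched = [p for p in policies
               if p.subject in subjects
               and (action in p.actions or ANY in p.actions)
               and covers(p.resource, resource)]
    if any(p.effect == "deny" for p in matched):
        return False
    return any(p.effect == "grant" for p in matched)


def visible_items(user, items):
    """The subset of items a user would see in a list view (the "view" action)."""
    return [item for item in items if is_authorized(user, "view", item)]


# Constructed resources matching Steps 7 and 8.
TEST_FOLDER = [f"example/OES Document/test/doc{i}.rtf" for i in (1, 2, 3, 4)]
ANNOUNCEMENTS = [f"example/Lists/OES Announcement/DispForm.aspx/{i}" for i in (1, 2, 3, 4)]

if __name__ == "__main__":
    for user in ("mossuser1", "mossuser2", "mossuser3", "mossuser4"):
        print(user, "documents:", [d.rsplit("/", 1)[1] for d in visible_items(user, TEST_FOLDER)],
              "announcements:", len(visible_items(user, ANNOUNCEMENTS)),
              "Resource1:", is_authorized(user, "view", "example/Site Pages/page3.aspx/Resource1"))
```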
name=pdpservicegt
ltproperty value=WS
name=oraclesecurityjpspdpPDPTransportgt
ltproperty value=lthttplocalhostwebserviceportgt
name=oraclesecurityjpspdpproxyPDPAddressgt
ltproperty value=10000
name=oraclesecurityjpspdpproxyRequestTimeoutMilliSecsgt
ltproperty value=3
name=oraclesecurityjpspdpproxyFailureRetryCountgt
ltproperty value=180000
name=oraclesecurityjpspdpproxyFailbackTimeoutMilliSecsgt
ltproperty value=60000
name=oraclesecurityjpspdpproxySynchronizationIntervalMilliSecsgt
ltserviceInstancegt
ltserviceInstance provider=policystoreprovider
name=policystoredbgt
ltproperty value=DB_ORACLE name=policystoretype gt
ltpropertySetRef ref=propsdb1 gt
ltserviceInstancegt
ltserviceInstancesgt
ltjpsContexts default=defaultgt
ltjpsContext name=defaultgt
ltserviceInstanceRef ref=pdpservicegt
ltserviceInstanceRef ref=policystoredbgt
ltjpsContextgt
ltjpsContext name=bootstrap_credstore_contextgt
ltserviceInstanceRef ref=bootstrapcredstoregt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorDigestAuthenticatorgt
ltserviceInstanceRef ref=digestauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorBasicAuthenticatorgt
ltserviceInstanceRef ref=idstoreloginmodulegt
ltjpsContextgt
ltjpsContext name=X509CertificateAuthenticationgt
ltserviceInstanceRef
ref=certificateauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext name=SAMLgt
ltserviceInstanceRef ref=samlloginmodulegt
Page 12 10152012
ltjpsContextgt
ltjpsContext name=smsecgt
ltserviceInstanceRef ref=credstoreenrollgt
ltjpsContextgt
ltjpsContextsgt
ltjpsConfiggt
Run $ORACLE_CLIENT_HOME/oessm/bin/manage-policy.cmd|sh to migrate the resource policies into the OES policy store:
<oracle_client_home>\oessm\bin> manage-policy.cmd
Ensure that correct values are set for:
OES_CLIENT_HOME = "<oracle_client_home>"
OES_INSTANCE_NAME = "<instance_name>"
The policy-management tool migrates the MOSS resources to the OES policy store in append mode; the existing MOSS application and its related policies are not wiped out. The input for running this script (application name, resource type and MOSS resource file) must be consistent with the input given to the MOSSResourceDiscovery tool.
Start the WS SM: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\bin\startWSServer.cmd
Restart IIS / SharePoint:
> iisreset /noforce
Appendix A: OES SM Manual Resource Creation
In case resources (web sites, lists, etc.) are created in MOSS after resource discovery has been done, the newly created resources need to be replicated in OES. This can be done by running resource discovery and loading the policy files again, or through a manual process. The following section describes the manual creation of resources in OES corresponding to web sites, lists, web parts, etc. As the resource model is based on URLs, the URLs of the MOSS resources are used to create the resources in OES.
Web Sites
On creation of a new web site in MOSS, the URL of the web site defines the resource to be created in OES. For the web URL http://<Sharepoint_Server_Name>/TestSite, the corresponding resource is created by trimming off the initial part of the URL and creating "TestSite" as a resource under the MOSS application (MossApp) from the OES administration server console.
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content. A web part is one of the easiest and best ways in which content is published in MOSS. For authorization on web parts via OES, these web parts may be created as resources in OES. Web parts are created as sub resources of the page resource, and the name of the resource is the display name of the web part.
Lists & Items
The web site creation also creates a set of lists, depending upon the template used for creating the web. These lists are incorporated into the resource tree based on whether they are document lists or non-document lists, in the following manner.
Document List
Go to the list view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/SharedDocuments/Forms/AllItems.aspx
It can be represented as "TestSite/SharedDocuments/Forms/AllItems.aspx" in the OES resource tree.
Create the individual items within the list as sub resources of "SharedDocuments", e.g. a document named Scott.sql present in the list may be represented as "TestSite/SharedDocuments/Scott.sql".
Non-Document List
Go to the list view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Lists/Announcements/AllItems.aspx
It can be represented as "TestSite/Lists/Announcements/AllItems.aspx" in the resource tree.
Create the following resources at the same level as "AllItems.aspx":
EditForm.aspx
DispForm.aspx
Click on any item in the list and notice that the URL appears as the following:
http://<Sharepoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx
Notice the ID parameter in the URL. This ID is used as the name of the non-document item and is created as a sub resource of both EditForm.aspx and DispForm.aspx. This has to be done for all items within a non-document list.
Note: An easier way of finding the IDs of the individual items is to hover the mouse over the link of the item and note the ID from the URL displayed in the status bar of the browser.
Pages
Pages in MOSS exist either in document libraries or in the web base. A page may be modeled by creating resources that break up its URL.
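The URL-to-resource rules above can be applied mechanically. The following Python script is an added example, not code shipped with the OES MOSS SM: it trims the server part of a MOSS URL, treats a "Lists" path segment as the mark of a non-document list (an assumption drawn from the URL shapes in this appendix), creates the DispForm.aspx / EditForm.aspx siblings for such a list, and turns the ID= query parameter of an item URL into a sub resource of both form pages. The function names and the sample URLs are constructed for the demonstration.

```python
"""Map MOSS (SharePoint) URLs onto the OES resource names used in Appendix A.

Added example, not code shipped with the OES MOSS SM. The function names and
the URL-shape heuristics (a 'Lists' path segment marks a non-document list;
DispForm.aspx / EditForm.aspx carry the item ID in the ID= query parameter)
are assumptions drawn from the appendix text.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Form pages that Appendix A says to create beside AllItems.aspx of a
# non-document list, and under which each item ID becomes a sub resource.
FORM_PAGES = ("DispForm.aspx", "EditForm.aspx")


def path_segments(url):
    """Trim scheme and server ('the initial part of the URL'); return decoded path segments."""
    segments = [unquote(s) for s in urlsplit(url).path.split("/") if s]
    if not segments:
        raise ValueError(f"no path after the server name in {url!r}")
    return segments


def item_id(url):
    """Return the ID= query parameter of a list item URL, or None if absent."""
    ids = parse_qs(urlsplit(url).query).get("ID")
    return ids[0] if ids else None


def oes_resources_for(url):
    """Return every OES resource path Appendix A says to create for this MOSS URL.

    - a web site, page or document maps to its trimmed path,
      e.g. TestSite/SharedDocuments/Scott.sql;
    - the AllItems.aspx view of a non-document list also yields the two
      form pages at the same level;
    - a DispForm/EditForm URL carrying an ID yields that ID as a sub
      resource of BOTH form pages, as the appendix asks.
    """
    segments = path_segments(url)
    parent, leaf = segments[:-1], segments[-1]
    lower_parent = [s.lower() for s in parent]
    if leaf.lower() in (p.lower() for p in FORM_PAGES):
        ident = item_id(url)
        if ident is None:
            return ["/".join(segments)]
        return ["/".join(parent + [page, ident]) for page in FORM_PAGES]
    if leaf.lower() == "allitems.aspx" and "lists" in lower_parent:
        return ["/".join(segments)] + ["/".join(parent + [page]) for page in FORM_PAGES]
    return ["/".join(segments)]


def resource_tree(urls):
    """Fold the resource paths of many URLs into a nested dict (one node per segment)."""
    tree = {}
    for url in urls:
        for path in oes_resources_for(url):
            node = tree
            for segment in path.split("/"):
                node = node.setdefault(segment, {})
    return tree


# Constructed sample URLs following the shapes shown in Appendix A.
SAMPLE_URLS = [
    "http://sharepoint01/TestSite",
    "http://sharepoint01/TestSite/SharedDocuments/Forms/AllItems.aspx",
    "http://sharepoint01/TestSite/SharedDocuments/Scott.sql",
    "http://sharepoint01/TestSite/Lists/Announcements/AllItems.aspx",
    "http://sharepoint01/TestSite/Lists/Announcements/DispForm.aspx?ID=2"
    "&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx",
]

if __name__ == "__main__":
    import json
    print(json.dumps(resource_tree(SAMPLE_URLS), indent=2))
```

Feeding the script the URLs collected while browsing the site (the same ones you would read off the browser status bar) yields the tree of resource names to create under the MOSS application in the OES console; the Source= parameter is ignored because only the ID names the item.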
Appendix B: OES LDAP Integration
OES LDAP (OPTIONAL)
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a supported LDAP directory must be used in production. The following procedure reconfigures the default identity store settings. More specific information on configuring LDAP authentication providers can be found in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Launch the WebLogic Server console.
Click Security Realms.
Click the settings for myrealm.
Click the Providers tab.
Click the Authentication tab, as displayed in Figure 3-1.
Figure 3-1: The Authentication Provider Tab
Click the New button to create a new provider.
Enter a name and select the type of LDAP-based directory, for example OracleInternetDirectoryAuthenticator.
Configure the provider-specific attributes of the LDAP-based directory. This might include the host name and port, credentials, group search base, user search base and the like.
Save the provider information.
Change the order of the providers so that the LDAP-based directory is first; DefaultAuthenticator and DefaultIdentityAsserter will follow.
Click the new provider name to configure it.
Click the Configuration tab.
Click the Common tab.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-2.
Figure 3-2: SUFFICIENT Control Flag
Click the Provider Specific tab.
Enter the LDAP configuration information for your identity store and click Save.
Return to the Providers tab.
Click DefaultAuthenticator to change its configuration.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-3.
Figure 3-3: DefaultAuthenticator Tab in WebLogic Server Console
Restart WebLogic Server.
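Why both providers are set to SUFFICIENT rather than left REQUIRED is easiest to see by evaluating the provider stack. The following Python script is an added example, not Oracle code: it models the JAAS control-flag semantics WebLogic applies to its authentication providers (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) and runs the Appendix B stack next to a stack where the LDAP provider was set to REQUIRED. The provider names and the in-memory user tables are constructed for the demonstration.

```python
"""Simulate how WebLogic evaluates a stack of authentication providers.

Added example, not Oracle code. It models the JAAS control-flag rules that
the Appendix B procedure relies on when it sets both the LDAP provider and
DefaultAuthenticator to SUFFICIENT. Provider names and the in-memory user
tables are constructed for the demonstration.
"""
from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"      # must succeed; evaluation still continues down the stack
    REQUISITE = "REQUISITE"    # must succeed; on failure evaluation stops at once
    SUFFICIENT = "SUFFICIENT"  # on success, stop (unless an earlier REQUIRED/REQUISITE failed)
    OPTIONAL = "OPTIONAL"      # only counts when nothing REQUIRED/REQUISITE is configured


def authenticate(stack, user, password):
    """Walk the provider stack in order and return (success, trace).

    stack: list of (provider_name, Flag, {user: password}) tuples in the
    order shown on the console's Authentication tab. trace lists which
    providers were consulted and what each one returned.
    """
    trace = []
    has_required = False
    required_failed = False
    optional_ok = False
    for name, flag, users in stack:
        ok = users.get(user) == password
        trace.append((name, "success" if ok else "failure"))
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            has_required = True
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break
        elif ok:
            optional_ok = True
            if flag is Flag.SUFFICIENT and not required_failed:
                break
    if has_required:
        return (not required_failed), trace
    return optional_ok, trace


# Constructed identity data: one user exists only in the corporate LDAP
# directory, the other only in the WebLogic embedded LDAP directory.
LDAP_USERS = {"alice": "ldap-secret"}
EMBEDDED_USERS = {"weblogic": "welcome1"}

# The stack Appendix B ends with: LDAP first, both providers SUFFICIENT.
APPENDIX_B_STACK = [
    ("OracleInternetDirectoryAuthenticator", Flag.SUFFICIENT, LDAP_USERS),
    ("DefaultAuthenticator", Flag.SUFFICIENT, EMBEDDED_USERS),
]

# The lockout mistake: the new LDAP provider set to REQUIRED, so an account
# that only exists in the embedded LDAP (the domain's own admin user) can no
# longer log in.
LDAP_REQUIRED_STACK = [
    ("OracleInternetDirectoryAuthenticator", Flag.REQUIRED, LDAP_USERS),
    ("DefaultAuthenticator", Flag.SUFFICIENT, EMBEDDED_USERS),
]

if __name__ == "__main__":
    for label, stack in (("Appendix B", APPENDIX_B_STACK), ("LDAP REQUIRED", LDAP_REQUIRED_STACK)):
        for user, pw in (("alice", "ldap-secret"), ("weblogic", "welcome1"), ("mallory", "x")):
            ok, trace = authenticate(stack, user, pw)
            print(f"{label:14} {user:9} -> {'ALLOW' if ok else 'DENY '} {trace}")
```

With the Appendix B stack, a corporate user is authenticated by the LDAP provider alone and the embedded-LDAP admin user falls through to DefaultAuthenticator; with the LDAP provider REQUIRED, the admin user is denied even though DefaultAuthenticator accepted the password, which is the lockout the SUFFICIENT setting avoids.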
Appendix C: Creating and protecting a sample MOSS website with the OES 11gR2 MOSS SM
This section provides a step-by-step demonstration of the creation of a sample MOSS website with pages, web parts and list items, and subsequently demonstrates how the OES 11gR2 MOSS SM can be used to protect the sample website. Since this is a demonstration sample, it uses Microsoft FBA (Forms Based Authentication) for authentication to the sample website. This authentication can be swapped for any other authentication mechanism without affecting the capabilities offered by the OES 11gR2 MOSS SM.
Step 1: Configure Form Based Authentication in MOSS 2010
Define the custom OESMembershipProvider and OESRoleProvider in the MOSS Central Admin Site. In the web.config file of the Central Admin Site, add the OESMembershipProvider and OESRoleProvider into <membership> and <roleManager> under the <system.web> section:
<system.web>
  ...
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Step 2: Configure the OES custom providers in the Security Token Service web.config file
In MOSS 2010 authentication is handled by the Security Token Service, so the custom providers must also be configured in this service. Modify the configuration of the Security Token Service (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config): add a <system.web> section under <configuration> to configure the providers:
<system.web>
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="OESRoleProvider" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
A debug setting can also be added to the SecurityTokenServiceBehavior <behavior> tag, so that when errors occur in the Security Token Service the detailed error is written to the event log: <serviceDebug includeExceptionDetailInFaults="true" />. After this step, do an IIS restart; the OES custom providers will then be available.
Step 3: Create a MOSS Web Application that uses Form Based Authentication
From the MOSS 2010 Central Admin Site, click Manage web applications under the Application Management section, then click New in the top pane to create a new web application. In the Create New Web Application window, use the following settings to create an FBA web application:
Authentication: Select Claims Based Authentication instead of Classic Mode Authentication.
IIS Web Site: Create a new IIS web site (use the default values for Name, Port, Host Header and Path).
Security Configuration: Allow Anonymous: Yes; Use Secure Sockets Layer (SSL): No.
Claims Authentication Types: Keep Enable Windows Authentication and Integrated Windows Authentication selected; use NTLM instead of Negotiate. Select Enable Forms Based Authentication (FBA) and type in OESMembershipProvider and OESRoleProvider as the membership provider name and role manager name.
Sign In Page URL: Use Default Sign In Page.
Public URL: Use the default settings.
Application Pool: Select Create new application pool; use the default application pool name; use Predefined instead of Configurable as the security account.
Database Name and Authentication: Use the default settings.
Failover Server, Search Server, Service Application Connections & Customer Experience Improvement Program: Use the default settings.
Please see the following figure for sample configurations.
Click OK to create this web application.
Still from the Central Admin Site, click "Manage web applications" under "Application Management" and select User Policy from the ribbon. Click Add Users, select the default zone and hit Next; click the Address Book button, type mossadmin in Find and hit the Search icon. This username is resolved as a Forms Auth user; add this user, grant "Full Control" under Permissions and hit the Finish button.
Step 4: Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider to <membership> and <roleManager> under the <system.web> section. DO NOT delete the default providers that are already there.
<system.web>
  ...
  <membership defaultProvider="i">
    <providers>
      <clear />
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Please note: when modifying web.config files, always back up the original file first and edit with Notepad.
Do an IIS restart; the FBA configuration is then active. Create Site Collections for this web application, using mossadmin as the Primary Site Collection Administrator.
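Since three web.config files are edited by hand across Steps 1, 2 and 4, a quick consistency check before the IIS restart saves a round of troubleshooting. The following Python script is an added example, not part of the OES MOSS SM: it parses the <system.web> section, confirms the OES providers are registered with the expected PublicKeyToken, confirms SharePoint's own claims providers "i" and "c" are still present where Step 4 requires them, and checks the defaultProvider attributes. The sample documents are constructed from the snippets in this appendix; the strong name OESSharepoint.Providers.* / OESSharepoint used in them is as reconstructed in those snippets, and the function names are assumptions.

```python
"""Check that a SharePoint web.config carries the OES providers as Steps 1, 2 and 4 describe.

Added example, not part of the OES MOSS SM. It parses the <system.web>
section and reports deviations: an OES provider missing, a wrong strong
name, SharePoint's own claims providers ('i' and 'c') deleted from a web
application's config, or an unexpected defaultProvider. The sample configs
below are constructed from the snippets in this appendix.
"""
import xml.etree.ElementTree as ET

OES_PUBLIC_KEY_TOKEN = "68b08a2fa869dfdc"
OES_PROVIDERS = {"membership": "OESMembershipProvider", "roleManager": "OESRoleProvider"}
# Step 4: the SharePoint claims providers must stay in a web application's config.
SHAREPOINT_CLAIMS_PROVIDERS = {"membership": "i", "roleManager": "c"}


def child(node, tag):
    """Direct child lookup by tag (sidesteps ElementPath parsing of names like 'system.web')."""
    return next((c for c in node if c.tag == tag), None)


def check_web_config(xml_text, expected_defaults, keep_sharepoint_providers):
    """Return a list of problem strings; an empty list means the file matches the expected layout.

    expected_defaults: {"membership": name, "roleManager": name} that the
    defaultProvider attributes should carry (Step 4 keeps 'i'/'c'; the STS
    config of Step 2 switches both to the OES providers).
    """
    problems = []
    system_web = child(ET.fromstring(xml_text), "system.web")
    if system_web is None:
        return ["<system.web> section missing"]
    for section, oes_name in OES_PROVIDERS.items():
        node = child(system_web, section)
        if node is None:
            problems.append(f"<{section}> missing")
            continue
        providers = child(node, "providers")
        adds = {} if providers is None else {a.get("name"): a for a in providers.findall("add")}
        if oes_name not in adds:
            problems.append(f"{section}: {oes_name} not registered")
        elif f"PublicKeyToken={OES_PUBLIC_KEY_TOKEN}" not in adds[oes_name].get("type", ""):
            problems.append(f"{section}: {oes_name} type lacks PublicKeyToken={OES_PUBLIC_KEY_TOKEN}")
        sp_name = SHAREPOINT_CLAIMS_PROVIDERS[section]
        if keep_sharepoint_providers and sp_name not in adds:
            problems.append(f"{section}: SharePoint claims provider '{sp_name}' was removed")
        if node.get("defaultProvider") != expected_defaults[section]:
            problems.append(f"{section}: defaultProvider={node.get('defaultProvider')!r}, "
                            f"expected {expected_defaults[section]!r}")
    role_manager = child(system_web, "roleManager")
    if role_manager is not None and role_manager.get("enabled") != "true":
        problems.append("roleManager is not enabled")
    return problems


# Provider entries as they appear in the appendix snippets.
OES_MEMBERSHIP = ('<add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, '
                  'OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />')
OES_ROLE = ('<add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, '
            'OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />')
SP_MEMBERSHIP = ('<add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, '
                 'Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />')
SP_ROLE = ('<add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, '
           'Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />')


def web_config(membership_default, role_default, membership_adds, role_adds):
    """Build a constructed web.config document around the given provider entries."""
    return f"""<configuration>
  <system.web>
    <membership defaultProvider="{membership_default}">
      <providers><clear />{''.join(membership_adds)}</providers>
    </membership>
    <roleManager defaultProvider="{role_default}" enabled="true" cacheRolesInCookie="false">
      <providers><clear />{''.join(role_adds)}</providers>
    </roleManager>
  </system.web>
</configuration>"""


# Step 4 layout: SharePoint providers stay, OES providers are added beside them.
WEB_APP_OK = web_config("i", "c", [SP_MEMBERSHIP, OES_MEMBERSHIP], [SP_ROLE, OES_ROLE])
# The mistake Step 4 warns about: the default providers were deleted.
WEB_APP_BROKEN = web_config("i", "c", [OES_MEMBERSHIP], [OES_ROLE])
# Step 2 layout for the Security Token Service: the OES providers are the defaults.
STS_OK = web_config("OESMembershipProvider", "OESRoleProvider", [OES_MEMBERSHIP], [OES_ROLE])

STEP4_DEFAULTS = {"membership": "i", "roleManager": "c"}
STS_DEFAULTS = {"membership": "OESMembershipProvider", "roleManager": "OESRoleProvider"}

if __name__ == "__main__":
    for label, cfg, defaults, keep in (("web app", WEB_APP_OK, STEP4_DEFAULTS, True),
                                       ("web app, defaults deleted", WEB_APP_BROKEN, STEP4_DEFAULTS, True),
                                       ("STS", STS_OK, STS_DEFAULTS, False)):
        print(label, "->", check_web_config(cfg, defaults, keep) or "OK")
```

To check a real file, read it with open(path).read() and pass the text to check_web_config with the defaults expected for that file; a non-empty list is what to fix before the IIS restart.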
Step 5: Log in to the FBA site as site admin and grant users access to the site
Add Groups
Log in to the site (e.g. http://alesw2k8:11589) as site admin (mossadmin). Click Site Actions > Site Permissions. In the following window, click Create Group in the top ribbon, type in group1 as the group name, change Allow requests to join/leave this group and Auto-accept requests to Yes, give Read permission, take all the other default settings and hit Create; group1 is created. Please see the following figure as an example.
In the group1 view, click New > Add Users. In the following window, click the Address Book icon, type in mossuser1 and click the search icon; this user is resolved as a Forms Auth user. Add mossuser1 to group1. Click Settings > Group Settings, change the Group Owner to "mossuser1" and remove "mossadmin" from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as group owner, and also grant Read access to these two groups.
Steps 6-9 below demonstrate creating a MOSS sub site, web pages, list items and custom content pages.
Step 6: Create Sub Site
Still logged in as site admin (mossadmin), select Site Actions > New Site, input the title OES Example and the URL Name http://alesw2k8:11589/example, take the other default settings and hit Create to create the sub site.
Step 7: Create Document Libraries & List Items
In the "example" sub site, click Site Actions > New Document Library. In the following window, use OES Document as the name, take the other default settings and hit Create. The OES Document library is created under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder; type in test as the name and click Save. The test folder is created in OES Document. Click into the test folder and then Add document. In the Upload Document window, browse to the dummy document doc1.rtf, put it under the test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.
Step 8: Create Non-Document Libraries & List Items
Click Site Actions > More Options; when the new window appears, click Announcements under Communications. In the following window, to create the announcement list, type in OES Announcement as the name and take the other default settings. Hit Create; the OES Announcement list is created and appears in the left panel.
Save the settings and click Add new announcement. Give the Title as Announcement 2 (the existing MOSS announcement has ID "1"), input any content in the announcement body and save the announcement. Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.
Step 9: Create Web Pages
Regular Pages: Select Site Actions > New Page, enter page1 as the name and hit Create. Input any content in the edit pane of this page and Save & Close; page1.aspx is created under Site Pages.
Web Part Pages: Select Site Actions > More Options; in the following window click Web Part Page under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template, select Site Pages as the save location and hit Create to create page2. When the edit web part page window appears, click Add a Web Part and add OES Document and OES Announcement to this web part page. Click Stop Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: Open Microsoft SharePoint Designer 2010, click Open Site, type in the site name (e.g. http://alesw2k8:11589/example) and log in to the site as mossadmin. Select Site Pages and click Page > HTML from the top ribbon; a new untitled page is created under Site Pages. Change the name to page3.aspx. With page3.aspx selected, click Edit File With > SharePoint Designer (Open As HTML); in the popup window click OK and page3 is opened in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OESSharepoint.Controls" TagPrefix="OES" Assembly="OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES:
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
account owner: Joe Doe
account type: primary saving
account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10: Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11: Configure the MOSS Web Application to be protected by OES
Step 11.1: From APM, define the following authorization policies:
- Grant role authenticatedUser "view" and "ANY" access to all the resources
- Deny mossuser1 "view" access to resource doc4.rtf
- Deny mossuser3 "view" access to the "OES Announcement" folder
- Deny mossuser3 "view" access to page1.aspx
- Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx
- Deny mossuser4 "view" access to the sub site "OES Example"
Step 11.2: Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login is prompted.
mossuser1: log in as "mossuser1".
Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" appear but not "doc4", since mossuser1 is denied access to it.
Non-Document List Items: click "OES Announcement"; all items are accessible.
Regular Web Page: mossuser1 can access page1.aspx.
Web Parts: open the web part page "page2.aspx" and the "test" folder under "OES Document"; only "doc1", "doc2" and "doc3" appear, not "doc4". All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, log in as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by the policies in Step 11.1.
> Copy <JAVA_HOME>\lib\logging.properties to <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\config\logging.properties and:
- enable the file handler
- change the log file location
- set the logging level
Actual file used: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\config\logging.properties
############################################################
#  Default Logging Configuration File
#
# You can use a different file by specifying a filename
# with the java.util.logging.config.file system property.
# For example java -Djava.util.logging.config.file=myfile
############################################################

############################################################
#  Global properties
############################################################

# "handlers" specifies a comma separated list of log Handler
# classes.  These handlers will be installed during VM startup.
# Note that these classes must be on the system classpath.
# By default we only configure a ConsoleHandler, which will only
# show messages at the INFO and above levels.
#handlers= java.util.logging.ConsoleHandler

# To also add the FileHandler, use the following line instead.
handlers= java.util.logging.FileHandler, java.util.logging.ConsoleHandler

# Default global logging level.
# This specifies which kinds of events are logged across
# all loggers.  For any given facility this global level
# can be overriden by a facility specific level.
# Note that the ConsoleHandler also has a separate level
# setting to limit messages printed to the console.
.level= FINE

############################################################
# Handler specific properties.
# Describes specific configuration info for Handlers.
############################################################

# default file output is in user's home directory.
java.util.logging.FileHandler.pattern = E:/Logs/SMLogs/JRockit_%u.log
java.util.logging.FileHandler.limit = 50000
java.util.logging.FileHandler.count = 1
java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter

# Limit the messages that are printed on the console to INFO and above.
java.util.logging.ConsoleHandler.level = INFO
java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter

############################################################
# Facility specific properties.
# Provides extra control for each logger.
############################################################

# For example, set the com.xyz.foo logger to only log SEVERE
# messages:
com.xyz.foo.level = SEVERE
Step 4: Run the Resource Discovery tool to find the MOSS resources and import them into the OES policy store
Open a command line window on the MOSS Server and run MOSSResourceDiscovery.exe:
<ORACLE_CLIENT_HOME>\oessm\mosssm\lib\MOSSResourceDiscovery.exe
It prompts for the following parameters:
- The path of the folder into which the resource files will be created. Note that the directory used for storing the exported resources needs to be created beforehand.
- The path to the "mosssm\adm\discovery\AdmUrls.txt" file, used to extract the admin URLs.
- The URL of the top level MOSS site to be protected by OES.
- The application name of the MOSS application to be protected by OES. This has to be consistent with the property "moss.app.name" defined in moss_config.properties. It is also the same as the application policy created and bound to the WS SSM in Step 1.
- The resource type of all the MOSS resources to be protected by OES. The OES 11g MOSS SM supports only a single resource type for all MOSS resources. This has to be consistent with the property "moss.resource.type" defined in moss_config.properties.
MOSSResourceDiscovery defines all the MOSS resources as OES resources to be protected by OES and stores them in both XML format and plain text format.
Step 4A: Import the discovered MOSS resources into the OES policy store
Edit the jps-config file (under <instance>\config\wsclient): <oracle_client_home>\oes_sm_instances\<instance_name>\config\wsclient\jps-config.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <property value="off" name="oracle.security.jps.jaas.mode"/>
  <property value="weblogic.security.principal.WLSUserImpl" name="oracle.security.jps.enterprise.user.class"/>
  <property value="weblogic.security.principal.WLSGroupImpl" name="oracle.security.jps.enterprise.role.class"/>
  <property value="PDP" name="approles.source"/>
  <propertySets>
    <propertySet name="saml.trusted.issuers.1">
      <property value="www.oracle.com" name="name"/>
    </propertySet>
    <propertySet name="props.db.1">
      <property value="cn=oes_domain" name="oracle.security.jps.farm.name"/>
      <property value="DB_ORACLE" name="server.type"/>
      <property value="cn=jpsroot" name="oracle.security.jps.ldap.root.name"/>
      <property name="jdbc.url" value="jdbc:oracle:thin:@192.168.208.181:1521/HSIND.hsinidm.dev.local"/>
      <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
      <property name="security.principal" value="DEVOES_APM"/>
      <property name="security.credential" value="<password>"/>
    </propertySet>
  </propertySets>
  <serviceProviders>
    <serviceProvider class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider" name="policystore.provider" type="POLICY_STORE"/>
    <serviceProvider class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider" name="credstoressp" type="CREDENTIAL_STORE">
      <description>SecretStore-based CSF provider</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider" name="idstore.xml.provider" type="IDENTITY_STORE">
      <description>XML-based IdStore Provider</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider" name="policystore.xml.provider" type="POLICY_STORE">
      <description>XML-based PolicyStore Provider</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider" name="jaas.login.provider" type="LOGIN">
      <description>This is Jaas Login Service Provider and is used to configure login module service instances</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.keystore.KeyStoreProvider" name="keystore.provider" type="KEY_STORE">
      <description>PKI Based Keystore Provider</description>
      <property value="owsm" name="provider.property.name"/>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.audit.AuditProvider" name="audit.provider" type="AUDIT">
      <description>Audit Service</description>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider" name="pdp.service.provider" type="PDP"/>
    <serviceProvider class="oracle.security.jps.internal.policystore.OPSSPolicyStoreProvider" name="policy.rdbms" type="POLICY_STORE">
      <property value="DB_ORACLE" name="policystore.type"/>
    </serviceProvider>
    <serviceProvider class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider" name="policy.oid" type="POLICY_STORE">
      <property value="OID" name="policystore.type"/>
    </serviceProvider>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance location="./" provider="credstoressp" name="credstore">
      <description>File Based Credential Store Service Instance</description>
    </serviceInstance>
    <serviceInstance location="./system-jazn-data.xml" provider="idstore.xml.provider" name="idstore.xml">
      <description>File Based Identity Store Service Instance</description>
      <property value="jazn.com" name="subscriber.name"/>
    </serviceInstance>
    <serviceInstance location="./system-jazn-data.xml" provider="policystore.xml.provider" name="policystore.xml">
      <description>File Based Policy Store Service Instance</description>
    </serviceInstance>
    <serviceInstance provider="jaas.login.provider" name="idstore.loginmodule">
      <description>Identity Store Login Module</description>
      <property value="oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule" name="loginModuleClassName"/>
      <property value="REQUIRED" name="jaas.login.controlFlag"/>
    </serviceInstance>
ltserviceInstanceRef ref=bootstrapcredstoregt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorDigestAuthenticatorgt
ltserviceInstanceRef ref=digestauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorBasicAuthenticatorgt
ltserviceInstanceRef ref=idstoreloginmodulegt
ltjpsContextgt
ltjpsContext name=X509CertificateAuthenticationgt
ltserviceInstanceRef
ref=certificateauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext name=SAMLgt
ltserviceInstanceRef ref=samlloginmodulegt
Page 12 10152012
ltjpsContextgt
ltjpsContext name=smsecgt
ltserviceInstanceRef ref=credstoreenrollgt
ltjpsContextgt
ltjpsContextsgt
ltjpsConfiggt
Run $ORACLE_CLIENT_HOME/oessm/bin/manage-policy.cmd|sh to migrate the resource policies into the OES
policy store:
<oracle_client_home>\oessm\bin> manage-policy.cmd
Ensure that correct values are set for:
OES_CLIENT_HOME = "<oracle_client_home>"
OES_INSTANCE_NAME = "<instance_name>"
The policy-management tool migrates the MOSS resources to the OES policy store in append mode, so the
existing MOSS application and its related policies are not wiped out. The inputs given to this script
(application name, resource type and MOSS resource file) must be consistent with the inputs given to the
MOSSResourceDiscovery tool.
Start the WS SM: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\bin\startWSServer.cmd
Restart IIS / SharePoint:
> iisreset /noforce
Appendix A: OES SM Manual Resource Creation
In case resources (web sites, lists, etc.) are created in MOSS after resource discovery has been run, the newly
created resources need to be replicated in OES. This can be done either by running resource discovery and loading
the policy files again, or through a manual process. The following section describes the manual creation of resources
in OES corresponding to web sites, lists, web parts, etc. As the resource model is based on URLs, the URLs
of the MOSS resources are used to create resources in OES.
Web Sites
On creation of a new web site in MOSS, the URL of the web site defines the resource to be created in
OES. For the web URL http://<Sharepoint_Server_Name>/TestSite, the corresponding resource is created
by trimming off the initial part of the URL and creating "TestSite" as a resource under the MOSS application
(MossApp) from the OES administration server console.
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content. A web part is
one of the easiest and best ways in which content is published in MOSS. For authorization on web parts via
OES, these web parts may be created as resources in OES. Web parts are created as sub-resources of the page
resource, and the name of the resource is the display name of the web part.
Lists & Items
The web site creation also creates a set of lists, depending upon the template used for creating the
web. These lists are incorporated into the resource tree based on whether they are document lists or
non-document lists, in the following manner.
Document List
Go to the list view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Shared Documents/Forms/AllItems.aspx
It is represented as "TestSite/Shared Documents/Forms/AllItems.aspx" in the OES resource tree.
Create the individual items within the list as sub-resources of "Shared Documents"; e.g. a
document named Scott.sql present in the list is represented as
"TestSite/Shared Documents/Scott.sql".
Non-Document List
Go to the list view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Lists/Announcements/AllItems.aspx
It is represented as "TestSite/Lists/Announcements/AllItems.aspx" in the resource tree.
Create the following resources at the same level as "AllItems.aspx":
EditForm.aspx
DispForm.aspx
Click on any item in the list and notice that the URL appears as the following:
http://<Sharepoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx
Notice the ID parameter in the URL. This ID is used as the name of the non-document item
and is created as a sub-resource of both EditForm.aspx and DispForm.aspx. This has to be done for all items
within a non-document list.
Note: An easier way of finding the IDs of the individual items is to hover the mouse over the link of
the item and note the ID from the URL displayed in the status bar of the browser.
Pages
Pages in MOSS exist either in document libraries or in the web base. A page may be modeled by
creating resources by breaking up its URL.
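The URL-to-resource rules of this appendix, worked as an added Python example (not part of the original document or of the MOSS resource discovery tool); the "/" separator in resource names, the sharepoint01 host and the sample URLs are constructed assumptions:

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Form pages that every non-document list exposes next to AllItems.aspx (Appendix A).
LIST_FORM_PAGES = ("EditForm.aspx", "DispForm.aspx")


def oes_resources_from_url(url):
    """Return the OES resource names implied by one MOSS URL.

    Appendix A rules: scheme and host are trimmed and the remaining path
    segments become the resource path under the MOSS application; a
    non-document list view also implies EditForm.aspx and DispForm.aspx at
    the same level; an item opened through DispForm.aspx?ID=n is named by
    its ID under both form pages. "/" as separator is an assumption here.
    """
    parts = urlsplit(url)
    segments = [unquote(s) for s in parts.path.split("/") if s]
    if not segments:
        return []                           # site collection root: nothing to add
    base = "/".join(segments)
    leaf = segments[-1]
    parent = "/".join(segments[:-1])

    if leaf in LIST_FORM_PAGES:
        item_id = parse_qs(parts.query).get("ID", [""])[0]
        if item_id.isdigit():
            # The ID query parameter names the non-document item; it becomes a
            # sub-resource of both EditForm.aspx and DispForm.aspx.
            return ["%s/%s/%s" % (parent, form, item_id) for form in LIST_FORM_PAGES]
        return [base]                       # form page opened without an item

    if leaf.lower() == "allitems.aspx" and len(segments) >= 3 and segments[-3] == "Lists":
        # Non-document list view (.../Lists/<name>/AllItems.aspx): the two form
        # pages are created at the same level as AllItems.aspx.
        return [base] + ["%s/%s" % (parent, form) for form in LIST_FORM_PAGES]

    # Web site, page, document-library view (.../Forms/AllItems.aspx) or a
    # document inside a library: the trimmed URL path is the resource name.
    return [base]


def with_ancestors(resources):
    """Expand resource names into the full tree: every parent has to exist in
    OES before its sub-resource can be created under it."""
    tree = set()
    for res in resources:
        segs = res.split("/")
        for depth in range(1, len(segs) + 1):
            tree.add("/".join(segs[:depth]))
    return sorted(tree)


if __name__ == "__main__":
    # Constructed sample URLs following the Appendix A examples.
    sample_urls = [
        "http://sharepoint01/TestSite",
        "http://sharepoint01/TestSite/Shared%20Documents/Forms/AllItems.aspx",
        "http://sharepoint01/TestSite/Shared%20Documents/Scott.sql",
        "http://sharepoint01/TestSite/Lists/Announcements/AllItems.aspx",
        "http://sharepoint01/web1/Lists/Announcements/DispForm.aspx?ID=2"
        "&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx",
    ]
    found = []
    for url in sample_urls:
        found.extend(oes_resources_from_url(url))
    for name in with_ancestors(found):
        print(name)
```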
Appendix B: OES LDAP Integration
OES LDAP (OPTIONAL)
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server
embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a
supported LDAP directory must be used in production. The following procedure reconfigures the default
identity store settings. More specific information on configuring LDAP authentication providers can be found
in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Launch the WebLogic Server console.
Click Security Realms.
Click the settings for myrealm.
Click the Providers tab.
Click the Authentication tab, as displayed in Figure 3-1.
Figure 3-1 The Authentication Provider Tab
Click the New button to create a new provider.
Enter a name and select the type of LDAP-based directory,
for example OracleInternetDirectoryAuthenticator.
Configure the provider-specific attributes of the LDAP-based directory.
This might include the host name and port, credentials, group search base, user search base and the like.
Save the provider information.
Change the order of the providers so that the LDAP-based directory is first;
DefaultAuthenticator and DefaultIdentityAsserter will follow.
Click the new provider name to configure it.
Click the Configuration tab.
Click the Common tab.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-2.
Figure 3-2 SUFFICIENT Control Flag
Click the Provider Specific tab.
Enter the LDAP configuration information for your identity store and click Save.
Return to the Providers tab.
Click DefaultAuthenticator to change its configuration.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-3.
Figure 3-3 DefaultAuthenticator Tab in WebLogic Server Console
Restart WebLogic Server.
Appendix C: Creating and protecting a sample MOSS website with the OES 11gR2
MOSS SM
This section provides a step-by-step demonstration of the creation of a sample MOSS website with pages, web
parts and list items, and subsequently demonstrates how the OES 11gR2 MOSS SM can be used to protect the
sample MOSS website. Since this is a demonstration sample, it uses Microsoft FBA (forms-based authentication)
to provide authentication to the sample website. It should be noted that this authentication can easily be swapped
with any other authentication mechanism without affecting the capabilities offered by the OES 11gR2 MOSS SM.
Step 1: Configure Forms Based Authentication in MOSS 2010
Define the custom OESMembershipProvider and OESRoleProvider in the MOSS Central Admin site. In the
web.config file of the Central Admin site, add the OESMembershipProvider and OESRoleProvider
into <membership> and <roleManager> under the <system.web> section:
<system.web>
  ...
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0,
           Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"
               cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider" type="OES.Sharepoint.Providers.OESRoleProvider,
           OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Step 2: Configure the OES custom providers in the Security Token Service web.config file
In MOSS 2010, authentication is handled by the Security Token Service, so we need to configure the custom
providers in this service. Modify the configuration of the Security Token Service (C:\Program Files\Common
Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config). Add a
<system.web> section in <configuration> to configure the providers:
<system.web>
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider" type="OES.Sharepoint.Providers.OESMembershipProvider,
           OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="OESRoleProvider" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider" type="OES.Sharepoint.Providers.OESRoleProvider,
           OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
We can also add a debug setting to the SecurityTokenServiceBehavior <behavior> tag, so that when
there are errors in the Security Token Service the detailed error can be found in the event log:
<serviceDebug includeExceptionDetailInFaults="true" />
Because this setting returns exception details to callers, treat it as a debugging aid and remove it once the
providers are working. After this step, do an IIS restart and the OES custom providers will be available.
Step 3: Create a MOSS Web Application that uses Forms Based Authentication
From the MOSS 2010 Central Admin site, click Manage web applications under the Application Management
section, then click New in the top pane to create a new web application. In the Create New Web Application window,
use the following settings to create an FBA web application:
Authentication: select Claims Based Authentication instead of Classic Mode Authentication.
IIS Web Site: create a new IIS web site (use the default values for Name, Port, Host Header and Path).
Security Configuration: Allow Anonymous: Yes; Use Secure Sockets Layer (SSL): No.
Claims Authentication Types: keep Enable Windows Authentication and Integrated Windows
Authentication selected; use NTLM instead of Negotiate; select Enable Forms Based
Authentication (FBA) and type in OESMembershipProvider and OESRoleProvider as the
membership provider and role manager name.
Sign In Page URL: use the default sign-in page.
Public URL: use the default settings.
Application Pool: select Create new application pool; use the default application pool name; use
Predefined instead of Configurable as the security account.
Database Name and Authentication: use the default settings.
Failover Server, Search Server, Service Application Connections and Customer Experience
Improvement Program: use the default settings.
Please see the following figure for sample configurations.
Click OK to create this web application.
Still from the Central Admin site, click "Manage web applications" under "Application Management" and select User
Policy from the ribbon. Click Add Users, select the default zone and hit Next, click the Address Book button, type
mossadmin in Find and hit the Search icon; this username is resolved as a Forms Auth user. Add this
user, grant "Full Control" under Permissions and hit the Finish button.
Step 4: Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider in the
<membership> and <roleManager> sections under <system.web>. DO NOT delete the default providers that are
already there.
<system.web>
  ...
  <membership defaultProvider="i">
    <providers>
      <clear />
      <add name="i"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider,
           Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESMembershipProvider" type="OES.Sharepoint.Providers.OESMembershipProvider,
           OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider,
           Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESRoleProvider" type="OES.Sharepoint.Providers.OESRoleProvider,
           OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Please note: when modifying web.config files, always back up the original file first and edit with Notepad.
Do an IIS restart and the FBA configuration will be activated. Create a site collection for this web application, using
mossadmin as the Primary Site Collection Administrator.
Step 5: Log in to the FBA site as site admin and grant users access to this site
Add Groups
Log in to the site (e.g. http://alesw2k8:11589) as site admin (mossadmin). Click Site Actions > Site
Permissions. In the following window, click Create Group in the top ribbon, type in group1 as the group
name, change "Allow requests to join/leave this group" and "Auto-accept requests" to Yes, give Read
permission, take all the other default settings and hit Create; group1 is created. Please see the following
figure as an example.
In the group1 view, click New > Add Users. In the following window, click the Address Book icon, type in
mossuser1 and click the search icon; this user is resolved as a Forms Auth user. Add mossuser1 to
group1. Click Settings > Group Settings, change Group Owner to "mossuser1" and remove "mossadmin"
from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as
group owner; also grant Read access to these two groups.
Steps 6-9 below demonstrate creating a MOSS sub site, web pages, list items and custom content pages.
Step 6: Create Sub Site
Still logged in as site admin (mossadmin), select Site Actions > New Site, input the title as OES Example and
the URL name as http://alesw2k8:11589/example, take the other default settings and hit Create to create the sub
site.
Step 7: Create Document Libraries & List Items
In the "example" sub site, click Site Actions > New Document Library. In the following window, use
OES Document as the name and take the other default settings, then hit Create. The OES Document library is created
under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder, type in test as the
name and click Save; the test folder is created in OES Document. Click into the test folder and Add
Document. In the Upload Document window, browse to the dummy document doc1.rtf, put it under the
test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to
upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.
Step 8: Create Non-Document Libraries & List Items
Click Site Actions > More Options; when the new window appears, click Announcements under
Communications. In the following window, to create the announcement list, type in OES Announcement as the
name and take the other default settings. Hit Create; the OES Announcement list is created and appears in
the left panel.
Save the settings and click Add new announcement. Give the title as Announcement 2 (the existing
MOSS announcement has ID "1") and input any content in the announcement body, then save the announcement.
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.
Step 9: Create Web Pages
Regular Pages: select Site Actions > New Page, enter page1 as the name and hit Create. Input any content
in the edit pane of this page, then save & close; page1.aspx is created under Site Pages.
Web Part Pages: select Site Actions > More Options; in the following window click Web Part Page
under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template,
select Site Pages as the save location and hit Create to create page2. As the edit web part page window appears,
click Add a Web Part and add OES Document and OES Announcement to this web part page. Click Stop
Editing in the top ribbon. Go back to the home page and click Site Pages; page2 is created under Site Pages.
Custom Content Page: open Microsoft SharePoint Designer 2010, click Open Site and type in the site name (e.g.
http://alesw2k8:11589/example). Log in to the site as mossadmin. Select Site Pages and click Page > HTML
from the top ribbon; a new untitled page is created under Site Pages. Change the name to page3.aspx. With
page3.aspx selected, click Edit File With > SharePoint Designer (Open As HTML); in the popup
window click OK and page3 is opened for editing in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OES.Sharepoint.Controls" TagPrefix="OES" Assembly="OES.Sharepoint,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES:
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
  account owner: Joe Doe
  account type: primary saving
  account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10: Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11: Define the authorization policies and run the example
Step 11.1: From APM, define the following authorization policies:
Grant role authenticatedUser "view" and "ANY" access to all the resources.
Deny mossuser1 "view" access to resource doc4.rtf.
Deny mossuser3 "view" access to the "OES Announcement" folder.
Deny mossuser3 "view" access to page1.aspx.
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2: Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login is prompted.
mossuser1: log in as "mossuser1".
Document list items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" appear but not
"doc4", since mossuser1 is denied access to it.
Non-document list items: click "OES Announcement"; all items are accessible.
Regular web page: mossuser1 can access page1.aspx.
Web parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1",
"doc2" and "doc3", but not "doc4", appear. All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, log in as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by
the policies in Step 11.1.
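As an added illustration that is not part of the original document or of the OES product, the following Python script models the Step 11.1 policies as a deny-overrides evaluation over a URL-style resource tree and reproduces the visibility described in Step 11.2 for each user; the resource paths under the "example" sub site, the "/" separator and the inheritance of a rule down the tree are assumptions made for the demonstration.

```python
from collections import namedtuple

# One policy rule: effect is "grant" or "deny"; subject is a user name or
# "role:<name>"; action is "view" or "ANY"; resource is an OES resource path,
# with "" meaning the whole MOSS application.
Rule = namedtuple("Rule", "effect subject action resource")

# Constructed policy set mirroring Step 11.1. The resource paths are assumed
# URL-style names for the "example" sub site, not values from a real policy store.
POLICIES = [
    Rule("grant", "role:authenticatedUser", "ANY", ""),
    Rule("deny", "mossuser1", "view", "example/OES Document/test/doc4.rtf"),
    Rule("deny", "mossuser3", "view", "example/Lists/OES Announcement"),
    Rule("deny", "mossuser3", "view", "example/SitePages/page1.aspx"),
    Rule("deny", "mossuser3", "view", "example/SitePages/page3.aspx/Resource1"),
    Rule("deny", "mossuser4", "view", "example"),
]

# Constructed resources from Steps 6-9: doc1-4, announcements 1-4, the pages
# and the protected content block on page3.
SAMPLE_RESOURCES = (
    ["example/OES Document/test/doc%d.rtf" % i for i in range(1, 5)]
    + ["example/Lists/OES Announcement/DispForm.aspx/%d" % i for i in range(1, 5)]
    + ["example/SitePages/page1.aspx", "example/SitePages/page2.aspx",
       "example/SitePages/page3.aspx", "example/SitePages/page3.aspx/Resource1"]
)


def covers(policy_resource, resource):
    """A rule on a resource applies to that resource and everything below it
    (assumed inheritance down the resource tree)."""
    return (policy_resource == "" or resource == policy_resource
            or resource.startswith(policy_resource + "/"))


def is_allowed(user, roles, action, resource, policies=POLICIES):
    """Deny-overrides evaluation: any applicable deny wins; otherwise an
    applicable grant is required, and no matching rule at all means denied."""
    subjects = {user} | {"role:" + r for r in roles}
    applicable = [p for p in policies
                  if p.subject in subjects
                  and p.action in (action, "ANY")
                  and covers(p.resource, resource)]
    if any(p.effect == "deny" for p in applicable):
        return False
    return any(p.effect == "grant" for p in applicable)


def visible_to(user, resources=SAMPLE_RESOURCES, roles=("authenticatedUser",)):
    """Resources the user still sees once the SM has filtered the listing."""
    return [r for r in resources if is_allowed(user, roles, "view", r)]


if __name__ == "__main__":
    for user in ("mossuser1", "mossuser2", "mossuser3", "mossuser4"):
        print(user)
        for r in visible_to(user):
            print("   ", r)
```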
Page 7 10152012
Provides extra control for each logger
For example set the comxyzfoo logger to only log SEVERE
messages
comxyzfoolevel = SEVERE
Step 4 Run Resource Discovery tool to find the MOSS resources and import to OES
policystore
Open a command line window on the MOSS Server Run MOSSResourceDiscoveryexerdquo
ltORACLE_CLIENT_HOMEgtoessmmosssmlibMOSSResourceDiscoveryexe
It prompts for following parameters
The path of the folder into which the resource files will be created Note that the directory used
for storing the exported resources needs to be created beforehand
Path to ldquomosssmadmdiscoveryAdmUrlstxtrdquo file used to extract the admin URLs
URL of the top level MOSS sites to be protected by OES
Application name of the MOSS application to be protected by OES This has to be consistent
with the property ldquomossappnamerdquo defined in moss_configproperties It is also the same as the
application policy created and bound to WS SSM in step 1
The resource type of all the MOSS resources to be protected by OES In OES 11g MOSS SM we
only support unique resource type for all MOSS resources This has to be consistent with the
property ldquomossresourcetyperdquo defined in moss_configproperties
MOSSResourceDiscovery defines all the MOSS resources as OES resources to be protected by OES and store
them in both XML format and plain text format
Step 4A Import MOSS discovered resources to OES policystore
Edit the jpsconfig file (under ltinstancesgtconfigwsclient) ltoracle_client_homegtoes_sm_instancesltinstance_namegtconfigwsclientjps-configxml ltxml version=10 encoding=UTF-8 standalone=yesgt
ltjpsConfig xmlns=httpxmlnsoraclecomoracleasschema11jps-config-
11_1xsdgt
ltproperty value=off name=oraclesecurityjpsjaasmodegt
ltproperty value=weblogicsecurityprincipalWLSUserImpl
name=oraclesecurityjpsenterpriseuserclassgt
ltproperty value=weblogicsecurityprincipalWLSGroupImpl
name=oraclesecurityjpsenterpriseroleclassgt
ltproperty value=PDP name=approlessourcegt
ltpropertySetsgt
ltpropertySet name=samltrustedissuers1gt
ltproperty value=wwworaclecom name=namegt
ltpropertySetgt
ltpropertySet name=propsdb1gt
ltproperty value=cn=oes_domain
name=oraclesecurityjpsfarmname gt
ltproperty value=DB_ORACLE name=servertype gt
ltproperty value=cn=jpsroot
Page 8 10152012
name=oraclesecurityjpsldaprootname gt
ltproperty name=jdbcurl
value=jdbcoraclethin1921682081811521HSINDhsinidmdevlocal gt
ltproperty name=jdbcdriver
value=oraclejdbcdriverOracleDriver gt
ltproperty name=securityprincipal value=DEVOES_APM
gt
ltproperty name=securitycredential value=ltpasswordgt
gt
ltpropertySetgt
ltpropertySetsgt
ltserviceProvidersgt
ltserviceProvider
class=oraclesecurityjpsinternalpolicystoreldapLdapPolicyStoreProvid
er name=policystoreprovider type=POLICY_STOREgt
ltserviceProvider
class=oraclesecurityjpsinternalcredstoresspSspCredentialStoreProvid
er name=credstoressp type=CREDENTIAL_STOREgt
ltdescriptiongtSecretStore-based CSF providerltdescriptiongt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalidstorexmlXmlIdentityStoreProvider
name=idstorexmlprovider type=IDENTITY_STOREgt
ltdescriptiongtXML-based IdStore Providerltdescriptiongt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalpolicystorexmlXmlPolicyStoreProvider
name=policystorexmlprovider type=POLICY_STOREgt
ltdescriptiongtXML-based PolicyStore Providerltdescriptiongt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalloginjaasJaasLoginServiceProvider
name=jaasloginprovider type=LOGINgt
ltdescriptiongtThis is Jaas Login Service Provider and is used
to configure login module service instancesltdescriptiongt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalkeystoreKeyStoreProvider
name=keystoreprovider type=KEY_STOREgt
ltdescriptiongtPKI Based Keystore Providerltdescriptiongt
ltproperty value=owsm name=providerpropertynamegt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalauditAuditProvider
name=auditprovider type=AUDITgt
ltdescriptiongtAudit Serviceltdescriptiongt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsazinternalruntimeproviderPDPServiceProvider
name=pdpserviceprovider type=PDPgt
ltserviceProvider
class=oraclesecurityjpsinternalpolicystoreOPSSPolicyStoreProvider
name=policyrdbms type=POLICY_STOREgt
ltproperty value=DB_ORACLE name=policystoretypegt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalpolicystoreldapLdapPolicyStoreProvid
Page 9 10152012
er name=policyoid type=POLICY_STOREgt
ltproperty value=OID name=policystoretypegt
ltserviceProvidergt
ltserviceProvidersgt
ltserviceInstancesgt
ltserviceInstance location= provider=credstoressp
name=credstoregt
ltdescriptiongtFile Based Credential Store Service
Instanceltdescriptiongt
ltserviceInstancegt
ltserviceInstance location=system-jazn-dataxml
provider=idstorexmlprovider name=idstorexmlgt
ltdescriptiongtFile Based Identity Store Service
Instanceltdescriptiongt
ltproperty value=jazncom name=subscribernamegt
ltserviceInstancegt
ltserviceInstance location=system-jazn-dataxml
provider=policystorexmlprovider name=policystorexmlgt
ltdescriptiongtFile Based Policy Store Service
Instanceltdescriptiongt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=idstoreloginmodulegt
ltdescriptiongtIdentity Store Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduleidstoreIdStoreLoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance location=default-keystorejks
provider=keystoreprovider name=keystoregt
ltdescriptiongtDefault JPS Keystore Serviceltdescriptiongt
ltproperty value=file name=keystoreprovidertypegt
ltproperty value= name=keystorefilepathgt
ltproperty value=JKS name=keystoretypegt
ltproperty value=oraclewsmsecurity
name=keystorecsfmapgt
ltproperty value=keystore-csf-key
name=keystorepasscsfkeygt
ltproperty value=sign-csf-key name=keystoresigcsfkeygt
ltproperty value=enc-csf-key name=keystoreenccsfkeygt
ltserviceInstancegt
ltserviceInstance provider=auditprovider name=auditgt
ltproperty value=None name=auditfilterPresetgt
ltproperty value=0 name=auditmaxDirSizegt
ltproperty value=104857600 name=auditmaxFileSizegt
ltproperty value=jdbcAuditDB name=auditloaderjndigt
ltproperty value=15 name=auditloaderintervalgt
ltproperty value=File name=auditloaderrepositoryTypegt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=samlloginmodulegt
ltdescriptiongtSAML Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmodulesamlJpsSAMLLoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
Page 10 10152012
ltpropertySetRef ref=samltrustedissuers1gt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=saml2loginmodulegt
ltdescriptiongtSAML2 Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmodulesamlJpsSAML2LoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltpropertySetRef ref=samltrustedissuers1gt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=krb5loginmodulegt
ltdescriptiongtKerberos Login Moduleltdescriptiongt
ltproperty value=comsunsecurityauthmoduleKrb5LoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltproperty value=true name=storeKeygt
ltproperty value=true name=useKeyTabgt
ltproperty value=true name=doNotPromptgt
ltproperty value=krb5keytab name=keyTabgt
ltproperty value=HOSTlocalhostEXAMPLECOM
name=principalgt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=digestauthenticatorloginmodulegt
ltdescriptiongtDigest Authenticator Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduledigestDigestLoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=certificateauthenticatorloginmodulegt
ltdescriptiongtX509 Certificate Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmodulex509X509LoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=wssdigestloginmodulegt
ltdescriptiongtWSS Digest Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduledigestWSSDigestLoginModul
e name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=userauthenticationloginmodulegt
ltdescriptiongtUser Authentication Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduleauthenticationJpsUserAuth
enticationLoginModule name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance location=bootstrap provider=credstoressp
Page 11 10152012
name=bootstrapcredstoregt
ltproperty value=bootstrap name=locationgt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
                         name="user.assertion.loginmodule">
            <description>User Assertion Login Module</description>
            <property value="oracle.security.jps.internal.jaas.module.assertion.JpsUserAssertionLoginModule"
                      name="loginModuleClassName"/>
            <property value="REQUIRED" name="jaas.login.controlFlag"/>
        </serviceInstance>
        <serviceInstance location="E:\apps\oracle\middleware\oes_sm_instances\SP_SM_D2ISEVDHQ110_APP1_2\config\enroll"
                         provider="credstoressp" name="credstore.enroll"/>
        <serviceInstance provider="pdp.service.provider" name="pdp.service">
            <property value="WS" name="oracle.security.jps.pdp.PDPTransport"/>
            <property value="http://localhost:<webservice port>" name="oracle.security.jps.pdp.proxy.PDPAddress"/>
            <property value="10000" name="oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs"/>
            <property value="3" name="oracle.security.jps.pdp.proxy.FailureRetryCount"/>
            <property value="180000" name="oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs"/>
            <property value="60000" name="oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs"/>
        </serviceInstance>
        <serviceInstance provider="policystore.provider" name="policystore.db">
            <property value="DB_ORACLE" name="policystore.type"/>
            <propertySetRef ref="props.db.1"/>
        </serviceInstance>
    </serviceInstances>
    <jpsContexts default="default">
        <jpsContext name="default">
            <serviceInstanceRef ref="pdp.service"/>
            <serviceInstanceRef ref="policystore.db"/>
        </jpsContext>
        <jpsContext name="bootstrap_credstore_context">
            <serviceInstanceRef ref="bootstrap.credstore"/>
        </jpsContext>
        <jpsContext name="oracle.security.jps.fmw.authenticator.DigestAuthenticator">
            <serviceInstanceRef ref="digest.authenticator.loginmodule"/>
        </jpsContext>
        <jpsContext name="oracle.security.jps.fmw.authenticator.BasicAuthenticator">
            <serviceInstanceRef ref="idstore.loginmodule"/>
        </jpsContext>
        <jpsContext name="X509CertificateAuthentication">
            <serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
        </jpsContext>
        <jpsContext name="SAML">
            <serviceInstanceRef ref="saml.loginmodule"/>
        </jpsContext>
        <jpsContext name="smsec">
            <serviceInstanceRef ref="credstore.enroll"/>
        </jpsContext>
    </jpsContexts>
</jpsConfig>
Run $ORACLE_CLIENT_HOME/oessm/bin/manage-policy.cmd (or manage-policy.sh) to migrate the resource policies into the OES
policy store:
<oracle_client_home>\oessm\bin> manage-policy.cmd
Ensure that correct values are set for:
OES_CLIENT_HOME = "<oracle_client_home>"
OES_INSTANCE_NAME = "<instance_name>"
The policy-management tool migrates the MOSS resources into the OES policy store in append mode: the
existing MOSS application and its related policies are not wiped. The inputs to this script
(application name, resource type and MOSS resource file) must be consistent with the inputs given to the
MOSSResourceDiscovery tool.
Start the WS SM: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\bin\startWSServer.cmd
Restart IIS/SharePoint:
> iisreset /noforce
Appendix A: OES SM Manual Resource Creation
In case resources (web sites, lists, etc.) are created in MOSS after resource discovery has been done, the newly
created resources need to be replicated in OES. This can be done by running resource discovery and loading the
policy files again, or through a manual process. The following section describes the manual creation of resources
in OES corresponding to web sites, lists, web parts, etc. As the resource model is based on URLs, the URLs
of the MOSS resources are used to create the resources in OES.
Web Sites
On creation of a new web site in MOSS, the URL of the web site defines the resource to be created in
OES. For the web URL http://<Sharepoint_Server_Name>/TestSite, the corresponding resource is created
by trimming off the initial part of the URL and creating "TestSite" as a resource under the MOSS application
(MossApp) from the OES administration server console.
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content. A web part is
one of the easiest and best ways in which content is published in MOSS. For authorization on web parts via
OES, these web parts may be created as resources in OES. Web parts are created as sub resources of the page
resource, and the name of the resource is the display name of the web part.
Lists & Items
Web site creation also creates a set of lists, depending upon the template used for creating the
web. These lists are incorporated into the resource tree based on whether they are document lists or
non-document lists, in the following manner:
Document List
Go to the list view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/SharedDocuments/Forms/AllItems.aspx
It is represented as "TestSite/SharedDocuments/Forms/AllItems.aspx" in the OES resource tree.
Create the individual items within the list as sub resources of "SharedDocuments"; e.g. a
document named Scott.sql present in the list is represented as
"TestSite/SharedDocuments/Scott.sql".
Non-Document List
Go to the list view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Lists/Announcements/AllItems.aspx
It is represented as "TestSite/Lists/Announcements/AllItems.aspx" in the resource tree.
Create the following resources at the same level as "AllItems.aspx":
EditForm.aspx
DispForm.aspx
Click on any item in the list and notice that the URL appears as follows:
http://<Sharepoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx
Notice the ID passed as a URL parameter. This ID is used as the name of the non-document item
and is created as a sub resource of both EditForm.aspx and DispForm.aspx. This has to be done for all items
within a non-document list.
Note: An easier way of finding the IDs of the individual items is to hover the mouse over the link of
the item and note the ID from the URL displayed in the status bar of the browser.
Pages
Pages in MOSS exist either in document libraries or in the web base. A page is modeled by
creating resources that break up its URL.
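As an added example that is not part of the original guide, the following Python script derives OES resource names from MOSS URLs by the rules of this appendix (site, document list, non-document list with its item IDs); the function names are my own and the sp01 host in the sample URLs is constructed.

```python
"""Derive OES resource names from MOSS URLs using the Appendix A rules.

Added example, not part of the original guide: function names are mine and
the host names in the sample URLs are constructed. The layout follows the
appendix: a site is its trimmed URL path, a document library's view page and
documents sit under the library, and a non-document list gets AllItems.aspx,
EditForm.aspx and DispForm.aspx with each item's ID under both form pages.
"""
from __future__ import annotations

from urllib.parse import parse_qs, unquote, urlsplit

FORM_PAGES = ("EditForm.aspx", "DispForm.aspx")


def path_segments(url: str) -> list[str]:
    """Trim scheme and server ('http://<Sharepoint_Server_Name>/') and split
    the remaining path, decoding %20 and similar escapes."""
    return [unquote(seg) for seg in urlsplit(url).path.split("/") if seg]


def site_resource(site_url: str) -> str:
    """http://server/TestSite -> 'TestSite' (a resource under MossApp)."""
    return "/".join(path_segments(site_url))


def document_list_resources(view_url: str, documents: list[str]) -> list[str]:
    """Document list: the view page is one resource and every document is a
    sub resource of the library itself, not of its Forms folder."""
    segs = path_segments(view_url)
    if len(segs) < 3 or segs[-2] != "Forms" or not segs[-1].endswith(".aspx"):
        raise ValueError("expected .../<Library>/Forms/<View>.aspx, got " + view_url)
    library = segs[:-2]
    resources = ["/".join(segs)]
    resources.extend("/".join(library + [doc]) for doc in documents)
    return resources


def item_id(item_url: str) -> str:
    """Read the ID query parameter from a DispForm/EditForm link; the Source
    parameter that SharePoint appends is ignored."""
    ids = parse_qs(urlsplit(item_url).query).get("ID", [])
    if len(ids) != 1 or not ids[0].isdigit():
        raise ValueError("no single numeric ID parameter in " + item_url)
    return ids[0]


def non_document_list_resources(view_url: str, item_urls: list[str]) -> list[str]:
    """Non-document list: AllItems.aspx plus EditForm.aspx and DispForm.aspx at
    the same level, and each item's ID as a sub resource of both form pages."""
    segs = path_segments(view_url)
    if len(segs) < 2 or not segs[-1].endswith(".aspx"):
        raise ValueError("expected .../<List>/AllItems.aspx, got " + view_url)
    level = segs[:-1]
    resources = ["/".join(segs)]
    resources.extend("/".join(level + [page]) for page in FORM_PAGES)
    for url in item_urls:
        ident = item_id(url)
        resources.extend("/".join(level + [page, ident]) for page in FORM_PAGES)
    return resources


if __name__ == "__main__":
    # Constructed sample URLs following the appendix.
    print(site_resource("http://sp01/TestSite"))
    for r in document_list_resources(
            "http://sp01/TestSite/SharedDocuments/Forms/AllItems.aspx", ["Scott.sql"]):
        print(r)
    for r in non_document_list_resources(
            "http://sp01/TestSite/Lists/Announcements/AllItems.aspx",
            ["http://sp01/TestSite/Lists/Announcements/DispForm.aspx?ID=2&Source=x"]):
        print(r)
```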
Appendix B: OES LDAP Integration
OES LDAP (OPTIONAL)
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server
embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a
supported LDAP directory must be used in production. The following procedure reconfigures the default
identity store settings. More specific information on configuring LDAP authentication providers can be found
in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Launch the WebLogic Server console.
Click Security Realms.
Click the settings for myrealm.
Click the Providers tab.
Click the Authentication tab, as displayed in Figure 3-1.
Figure 3-1: The Authentication Provider Tab
Click the New button to create a new provider.
Enter a name and select the type of LDAP-based directory,
for example OracleInternetDirectoryAuthenticator.
Configure the provider-specific attributes of the LDAP-based directory.
This might include the host name and port, credentials, group search base, user search base and the like.
Save the provider information.
Change the order of the providers so that the LDAP-based directory is first;
DefaultAuthenticator and DefaultIdentityAsserter will follow.
Click the new provider name to configure it.
Click the Configuration tab.
Click the Common tab.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-2.
Figure 3-2: SUFFICIENT Control Flag
Click the Provider Specific tab.
Enter the LDAP configuration information for your identity store and click Save.
Return to the Providers tab.
Click DefaultAuthenticator to change its configuration.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-3.
Figure 3-3: DefaultAuthenticator Tab in WebLogic Server Console
Restart WebLogic Server.
Appendix C: Creating and protecting a sample MOSS website with the OES 11gR2
MOSS SM
This section provides a step-by-step demonstration of the creation of a sample MOSS website with pages, web
parts and list items, and subsequently demonstrates how the OES MOSS 11gR2 SM can be used to protect the
sample MOSS website. Since this is a demonstration sample, it uses Microsoft Forms Based Authentication (FBA) for providing
authentication to the sample website. It should be noted that this authentication can easily be swapped for any
other authentication mechanism without affecting the capabilities offered by the OES 11gR2 MOSS SM.
Step 1: Configure Form Based Authentication in MOSS 2010
Define the custom OESMembershipProvider and OESRoleProvider in the MOSS Central Admin site. In the
web.config file of the Central Admin site, add the OESMembershipProvider and OESRoleProvider
to <membership> and <roleManager> under the <system.web> section:
<system.web>
  ...
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"
               cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider"
           type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Step 2: Configure the OES custom providers in the Security Token Service web.config file
In MOSS 2010, authentication is handled by the Security Token Service, so we need to configure the custom
providers in this service. Modify the configuration of the Security Token Service (C:\Program Files\Common
Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config). Add a
<system.web> section in <configuration> to configure the providers:
<system.web>
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="OESRoleProvider" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider"
           type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
We can also add a debug setting to the SecurityTokenServiceBehavior <behavior> tag so that, when
there are errors in the Security Token Service, the detailed error can be found in the event log:
<serviceDebug includeExceptionDetailInFaults="true"/>
After this step, do an IIS restart and the OES custom providers will be available.
Step 3: Create a MOSS Web Application to use Form Based Authentication
From the MOSS 2010 Central Admin site, click Manage web applications under the Application Management
section, then click New in the top pane to create a new web application. In the Create New Web Application window,
use the following settings to create an FBA web application:
Authentication: select Claims Based Authentication instead of Classic Mode Authentication.
IIS Web Site: create a new IIS web site (use default values for Name, Port, Host Header and Path).
Security Configuration: Allow Anonymous: Yes; Use Secure Sockets Layer (SSL): No.
Claims Authentication Types: keep Enable Windows Authentication and Integrated Windows
Authentication selected; use NTLM instead of Negotiate. Select Enable Forms Based
Authentication (FBA) and type in OESMembershipProvider and OESRoleProvider as the
membership provider and role manager name.
Sign In Page URL: Use Default Sign In Page.
Public URL: use the default settings.
Application Pool: select Create new application pool; use the default application pool name; use
Predefined instead of Configurable as the security account.
Database Name and Authentication: use default settings.
Failover Server, Search Server, Service Application Connections & Customer Experience
Improvement Program: use default settings.
Please see the following figure for sample configurations.
Click OK to create this web application.
Still from the Central Admin site, click "Manage web applications" under "Application Management", then select User
Policy from the ribbon. Click Add Users, select the default zone and hit Next; click the Address Book button, type
mossadmin in Find and hit the Search icon. This username is resolved as a Forms Auth user; add this
user, grant "Full Control" under Permissions and hit the Finish button.
Step 4: Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider to
<membership> and <roleManager> under the <system.web> section. DO NOT delete the default providers that are
already there.
<system.web>
  ...
  <membership defaultProvider="i">
    <providers>
      <clear />
      <add name="i"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESMembershipProvider"
           type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="c"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESRoleProvider"
           type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Please note: when modifying web.config files, always back up the original file and use Notepad.
Do an IIS restart and the FBA configuration will be activated. Create site collections for this web application, using
mossadmin as the Primary Site Collection Administrator.
Step 5: Log in to the FBA site as site admin and grant users access to this site
Add Groups
Log in to the site (e.g. http://alesw2k8:11589) as site admin (mossadmin). Click Site Actions > Site
Permissions. In the following window click Create Group in the top ribbon; type in group1 as the group
name, change "Allow requests to join/leave this group" and "Auto-accept requests" to Yes, give Read
permission and take all the other default settings, and hit Create. group1 is created. Please see the following
figure as an example.
In the group1 view click New > Add Users. In the following window click the Address Book icon, type in
mossuser1 and click the search icon; this user is resolved as a Forms Auth user. Add mossuser1 to
group1. Click Settings > Group Settings, change Group Owner to "mossuser1" and remove "mossadmin"
from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as
group owner; also grant Read access to these two groups.
Steps 6-9 below demonstrate creating a MOSS sub site, web pages, list items and custom content pages.
Step 6: Create a Sub Site
Still logged in as site admin (mossadmin), select Site Actions > New Site; input the title as OES Example and the
URL name as http://alesw2k8:11589/example, take the other default settings and hit Create to create the sub
site.
Step 7: Create Document Libraries & List Items
In the "example" sub site click Site Actions > New Document Library. In the following window use
OES Document as the name, take the other default settings and hit Create. OES Document is created
under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder; type in test as the
name and click Save. The test folder is created in OES Document. Click into the test folder and Add
Document. In the Upload Document window browse to the dummy document doc1.rtf, put it under the
test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to
upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.
Step 8: Create Non-Document Libraries & List Items
Click Site Actions > More Options; when the new window appears click Announcements under
Communications. In the following window, to create the announcement list, type in OES Announcement as the
name and take the other default settings. Hit Create; OES Announcement is created and appears in
the left panel.
Save the settings and click Add new announcement. Give the title as Announcement 2 (the existing
MOSS announcement will have ID "1"), input any content in the announcement body and save the announcement.
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.
Step 9: Create Web Pages
Regular Pages: select Site Actions > New Page, enter page1 as the name and hit Create. Input any content
in the edit pane of this page and Save & Close. page1.aspx is created under Site Pages.
Web Part Pages: select Site Actions > More Options; in the following window click Web Part Page
under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template,
select Site Pages as the save location and hit Create to create page2. As the edit web part page window appears,
click Add a Web Part and add OES Document and OES Announcement to this web part page. Click Stop
Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: open Microsoft SharePoint Designer 2010, click Open Site and type in the site name (e.g.
http://alesw2k8:11589/example). Log in to the site as mossadmin. Select Site Pages, then click Page > HTML
from the top ribbon; a new untitled page is created under Site Pages. Change its name to page3.aspx. With
page3.aspx selected, click Edit File With > SharePoint Designer (Open As HTML); in the popup
window click OK and page3 will be edited in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OESSharepoint.Controls" TagPrefix="OES" Assembly="OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES:
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
  account owner: Joe Doe
  account type: primary saving
  account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10: Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11: Configure the MOSS Web Application to be protected by OES
Step 11.1: From APM, define the following authorization policies:
Grant role authenticatedUser "view" and "ANY" access to all the resources.
Deny mossuser1 "view" access to resource doc4.rtf.
Deny mossuser3 "view" access to the "OES Announcement" folder.
Deny mossuser3 "view" access to page1.aspx.
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2: Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login is prompted.
mossuser1: log in as "mossuser1".
Document list items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" appear but not
"doc4", since mossuser1 is denied access to it.
Non-document list items: click "OES Announcement"; all items are accessible.
Regular web page: mossuser1 can access page1.aspx.
Web parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1",
"doc2" and "doc3", but not "doc4", appear. All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, log in as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by
the policies in Step 11.1.
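As an added example, not the OES decision engine or any code from this guide, the following Python model evaluates the six Step 11.1 policies over a resource tree laid out as in Appendix A and reproduces the Step 11.2 outcomes for each user; the resource paths, the authenticatedUser role membership and the deny-overrides combining rule are my assumptions.

```python
"""Evaluate the Step 11.1 policies over the sample site's resource tree.

Added example, not the OES decision engine. Assumptions: resource names are
'/'-separated paths under the MossApp application laid out as Appendix A
describes (the exact paths below are constructed), a decision on a resource
covers everything beneath it, and deny overrides grant, which is the
behaviour the walkthrough in Step 11.2 relies on.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    effect: str      # "grant" or "deny"
    principal: str   # user name or role name
    action: str      # "view" or "ANY"
    resource: str    # "" means every resource in the application


# Assumed role membership: every FBA user that logged in is authenticatedUser.
ROLES = {"authenticatedUser": {"mossuser1", "mossuser2", "mossuser3", "mossuser4"}}

# The six policies of Step 11.1 (constructed resource paths for the sample site).
POLICIES = [
    Policy("grant", "authenticatedUser", "ANY", ""),
    Policy("deny", "mossuser1", "view", "example/OES Document/test/doc4.rtf"),
    Policy("deny", "mossuser3", "view", "example/Lists/OES Announcement"),
    Policy("deny", "mossuser3", "view", "example/SitePages/page1.aspx"),
    Policy("deny", "mossuser3", "view", "example/SitePages/page3.aspx/Resource1"),
    Policy("deny", "mossuser4", "view", "example"),
]


def covers(policy_resource: str, resource: str) -> bool:
    """A policy on a node applies to that node and its whole subtree."""
    return (policy_resource == "" or resource == policy_resource
            or resource.startswith(policy_resource + "/"))


def applicable(policy: Policy, user: str, action: str, resource: str) -> bool:
    """Principal (user or role), action ("ANY" matches all) and resource must match."""
    in_role = user in ROLES.get(policy.principal, set())
    return ((policy.principal == user or in_role)
            and policy.action in ("ANY", action)
            and covers(policy.resource, resource))


def is_permitted(user: str, action: str, resource: str, policies=POLICIES) -> bool:
    """Deny overrides: one applicable deny loses; otherwise a grant is needed.
    A user who matches nothing (not authenticated) gets no access."""
    matched = [p for p in policies if applicable(p, user, action, resource)]
    if any(p.effect == "deny" for p in matched):
        return False
    return any(p.effect == "grant" for p in matched)


def visible(user: str, resources: list[str]) -> list[str]:
    """What a list view shows the user: only items with a 'view' decision of permit."""
    return [r for r in resources if is_permitted(user, "view", r)]


# Constructed item paths for the "test" folder and the announcement list.
TEST_FOLDER = [f"example/OES Document/test/doc{i}.rtf" for i in range(1, 5)]
ANNOUNCEMENTS = [f"example/Lists/OES Announcement/DispForm.aspx/{i}" for i in range(1, 5)]


if __name__ == "__main__":
    for user in ("mossuser1", "mossuser2", "mossuser3", "mossuser4"):
        print(user, "documents:", [r.rsplit("/", 1)[1] for r in visible(user, TEST_FOLDER)])
        print(user, "announcements:", [r.rsplit("/", 1)[1] for r in visible(user, ANNOUNCEMENTS)])
        print(user, "Resource1:", is_permitted(user, "view", "example/SitePages/page3.aspx/Resource1"))
```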
Page 8 10152012
name=oraclesecurityjpsldaprootname gt
ltproperty name=jdbcurl
value=jdbcoraclethin1921682081811521HSINDhsinidmdevlocal gt
ltproperty name=jdbcdriver
value=oraclejdbcdriverOracleDriver gt
ltproperty name=securityprincipal value=DEVOES_APM
gt
ltproperty name=securitycredential value=ltpasswordgt
gt
ltpropertySetgt
ltpropertySetsgt
ltserviceProvidersgt
ltserviceProvider
class=oraclesecurityjpsinternalpolicystoreldapLdapPolicyStoreProvid
er name=policystoreprovider type=POLICY_STOREgt
ltserviceProvider
class=oraclesecurityjpsinternalcredstoresspSspCredentialStoreProvid
er name=credstoressp type=CREDENTIAL_STOREgt
ltdescriptiongtSecretStore-based CSF providerltdescriptiongt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalidstorexmlXmlIdentityStoreProvider
name=idstorexmlprovider type=IDENTITY_STOREgt
ltdescriptiongtXML-based IdStore Providerltdescriptiongt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalpolicystorexmlXmlPolicyStoreProvider
name=policystorexmlprovider type=POLICY_STOREgt
ltdescriptiongtXML-based PolicyStore Providerltdescriptiongt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalloginjaasJaasLoginServiceProvider
name=jaasloginprovider type=LOGINgt
ltdescriptiongtThis is Jaas Login Service Provider and is used
to configure login module service instancesltdescriptiongt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalkeystoreKeyStoreProvider
name=keystoreprovider type=KEY_STOREgt
ltdescriptiongtPKI Based Keystore Providerltdescriptiongt
ltproperty value=owsm name=providerpropertynamegt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalauditAuditProvider
name=auditprovider type=AUDITgt
ltdescriptiongtAudit Serviceltdescriptiongt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsazinternalruntimeproviderPDPServiceProvider
name=pdpserviceprovider type=PDPgt
ltserviceProvider
class=oraclesecurityjpsinternalpolicystoreOPSSPolicyStoreProvider
name=policyrdbms type=POLICY_STOREgt
ltproperty value=DB_ORACLE name=policystoretypegt
ltserviceProvidergt
ltserviceProvider
class=oraclesecurityjpsinternalpolicystoreldapLdapPolicyStoreProvid
Page 9 10152012
er name=policyoid type=POLICY_STOREgt
ltproperty value=OID name=policystoretypegt
ltserviceProvidergt
ltserviceProvidersgt
ltserviceInstancesgt
ltserviceInstance location= provider=credstoressp
name=credstoregt
ltdescriptiongtFile Based Credential Store Service
Instanceltdescriptiongt
ltserviceInstancegt
ltserviceInstance location=system-jazn-dataxml
provider=idstorexmlprovider name=idstorexmlgt
ltdescriptiongtFile Based Identity Store Service
Instanceltdescriptiongt
ltproperty value=jazncom name=subscribernamegt
ltserviceInstancegt
ltserviceInstance location=system-jazn-dataxml
provider=policystorexmlprovider name=policystorexmlgt
ltdescriptiongtFile Based Policy Store Service
Instanceltdescriptiongt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=idstoreloginmodulegt
ltdescriptiongtIdentity Store Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduleidstoreIdStoreLoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance location=default-keystorejks
provider=keystoreprovider name=keystoregt
ltdescriptiongtDefault JPS Keystore Serviceltdescriptiongt
ltproperty value=file name=keystoreprovidertypegt
ltproperty value= name=keystorefilepathgt
ltproperty value=JKS name=keystoretypegt
ltproperty value=oraclewsmsecurity
name=keystorecsfmapgt
ltproperty value=keystore-csf-key
name=keystorepasscsfkeygt
ltproperty value=sign-csf-key name=keystoresigcsfkeygt
ltproperty value=enc-csf-key name=keystoreenccsfkeygt
ltserviceInstancegt
ltserviceInstance provider=auditprovider name=auditgt
ltproperty value=None name=auditfilterPresetgt
ltproperty value=0 name=auditmaxDirSizegt
ltproperty value=104857600 name=auditmaxFileSizegt
ltproperty value=jdbcAuditDB name=auditloaderjndigt
ltproperty value=15 name=auditloaderintervalgt
ltproperty value=File name=auditloaderrepositoryTypegt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=samlloginmodulegt
ltdescriptiongtSAML Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmodulesamlJpsSAMLLoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
Page 10 10152012
ltpropertySetRef ref=samltrustedissuers1gt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=saml2loginmodulegt
ltdescriptiongtSAML2 Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmodulesamlJpsSAML2LoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltpropertySetRef ref=samltrustedissuers1gt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=krb5loginmodulegt
ltdescriptiongtKerberos Login Moduleltdescriptiongt
ltproperty value=comsunsecurityauthmoduleKrb5LoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltproperty value=true name=storeKeygt
ltproperty value=true name=useKeyTabgt
ltproperty value=true name=doNotPromptgt
ltproperty value=krb5keytab name=keyTabgt
ltproperty value=HOSTlocalhostEXAMPLECOM
name=principalgt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=digestauthenticatorloginmodulegt
ltdescriptiongtDigest Authenticator Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduledigestDigestLoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=certificateauthenticatorloginmodulegt
ltdescriptiongtX509 Certificate Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmodulex509X509LoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=wssdigestloginmodulegt
ltdescriptiongtWSS Digest Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduledigestWSSDigestLoginModul
e name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=userauthenticationloginmodulegt
ltdescriptiongtUser Authentication Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduleauthenticationJpsUserAuth
enticationLoginModule name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance location=bootstrap provider=credstoressp
Page 11 10152012
name=bootstrapcredstoregt
ltproperty value=bootstrap name=locationgt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=userassertionloginmodulegt
ltdescriptiongtUser Assertion Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduleassertionJpsUserAssertion
LoginModule name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance
location=Eappsoraclemiddlewareoes_sm_instancesSP_SM_D2ISEVDHQ110_AP
P1_2configenroll provider=credstoressp name=credstoreenrollgt
ltserviceInstance provider=pdpserviceprovider
name=pdpservicegt
ltproperty value=WS
name=oraclesecurityjpspdpPDPTransportgt
ltproperty value=lthttplocalhostwebserviceportgt
name=oraclesecurityjpspdpproxyPDPAddressgt
ltproperty value=10000
name=oraclesecurityjpspdpproxyRequestTimeoutMilliSecsgt
ltproperty value=3
name=oraclesecurityjpspdpproxyFailureRetryCountgt
ltproperty value=180000
name=oraclesecurityjpspdpproxyFailbackTimeoutMilliSecsgt
ltproperty value=60000
name=oraclesecurityjpspdpproxySynchronizationIntervalMilliSecsgt
ltserviceInstancegt
ltserviceInstance provider=policystoreprovider
name=policystoredbgt
ltproperty value=DB_ORACLE name=policystoretype gt
ltpropertySetRef ref=propsdb1 gt
ltserviceInstancegt
ltserviceInstancesgt
ltjpsContexts default=defaultgt
ltjpsContext name=defaultgt
ltserviceInstanceRef ref=pdpservicegt
ltserviceInstanceRef ref=policystoredbgt
ltjpsContextgt
ltjpsContext name=bootstrap_credstore_contextgt
ltserviceInstanceRef ref=bootstrapcredstoregt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorDigestAuthenticatorgt
ltserviceInstanceRef ref=digestauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorBasicAuthenticatorgt
ltserviceInstanceRef ref=idstoreloginmodulegt
ltjpsContextgt
ltjpsContext name=X509CertificateAuthenticationgt
ltserviceInstanceRef
ref=certificateauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext name=SAMLgt
ltserviceInstanceRef ref=samlloginmodulegt
Page 12 10152012
ltjpsContextgt
ltjpsContext name=smsecgt
ltserviceInstanceRef ref=credstoreenrollgt
ltjpsContextgt
ltjpsContextsgt
ltjpsConfiggt
Run $ORACLE_CLIENT_HOMEoessmbinmanage-policycmd|sh to migrate the resource policies into OES
policy store
ltoracle_client_homegtoessmbingtmanage-policycmd
Ensure that correct values are set for
OES_CLIENT_HOME = ldquoltoracle_client_homegtrdquo
OES_INSTANCE_NAME = ldquoltinstance_namegtrdquo
The policy-management tool migrates the MOSS resources to OES policy store using append mode the
existing moss application and related policies will not be wiped off The input for running this script
application name resource type and MOSS resource file should be consistent with the input of
MOSSResourceDiscovery tool
Start the WS SM ltORACLE_CLIENT_HOMEgtoes_sm_instancesltinstance_namegtbinstartWSServercmd
Restart IIS Sharepoint
gt iisrestart noforce
Page 13 10152012
Appendix A OES SM Manual Resource Creation
In case resources (like web sites lists etc) are created in MOSS after resource discovery is done the newly
created resources need to be replicated at OES This can be done by running resource discovery and loading
policy files again or through manual process The following section describes the manual creation of resources
in OES corresponding to web sites lists and web parts etc As the resource model is based on URL the URLs
of the MOSS resources are used to create resources in OES
Web Sites
On creation of new web sites in MOSS the URL of the web sites defines the resource to be created in
OES Say for web URL httpltSharepoint_Server_NamegtTestSite the corresponding resource will be created
by trimming off the initial part of the URL and creating ldquoTestSiterdquo as a resource under the Moss Application
(MossApp) from OES administration server console
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content A web part is
one of the easiest and best way in which content is published in MOSS For authorization on web parts via
OES these web parts may be created as resources in OES Web Parts are created as sub resources of the page
resource and the name of the resource is the display name of the web part
Lists amp Items
The web site creation also creates a set of lists depending upon the template used for creating the
web These lists are incorporated into the resource tree based on whether they are document lists or non-
document lists in the following manner
Document List
Go to the List view page Eg
httpltSharepoint_Server_NamegtTestSiteSharedDocumentsFormsAllItemsaspx
It can be represented ldquoTestSiteSharedDocumentsFormsAllItemsaspxrdquo in OES resource tree
Create the individual items within the list as sub resources to the ldquoSharedDocumentsrdquo eg a
document named Scottsql present in the list may be represented as
ldquoTestSiteSharedDocuments Scottsqlrdquo
Non Document List
Go to the List view page eg
httpltSharepoint_Server_NamegtTestSiteListsAnnouncementsAllItemsaspx
It can be represented as ldquoTestSiteListsAnnouncementsAllItemsaspxrdquo in resource tree
Create the following resources at the same level as ldquoAllItemsaspxrdquo
EditFormaspx
DispFormaspx
Click on any item in the list and notice that the URL appears as the following
httpltSharepoint_Server_Namegtweb1ListsAnnouncementsDispFormaspxID=2ampSource=http3A2F
2Fsharepoint012FTestSite2FLists2FAnnouncements2FAllItems2Easpx
Notice the ID as a URL parameter in the URL This ID is used as a name of the non-document item
and is created as a sub resource of both EditFormaspx and DispFormaspx This has to be done for all items
within a non-document list
Note An easier way of finding the IDrsquos of the individual items is to hover the mouse over the link of
the item and note the ID form the URL displayed on the status bar of the browser
Pages
Pages in MOSS exist either in document libraries or in the web base The page may be modeled by
creating resources breaking up the URL
Appendix B OES LDAP Integration
OES LDAP (OPTIONAL)
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a supported LDAP directory must be used in production. The following procedure reconfigures the default identity store settings. More specific information on configuring LDAP authentication providers can be found in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Launch the WebLogic Server console.
Click Security Realms.
Click the settings for myrealm.
Click the Providers tab.
Click the Authentication tab, as displayed in Figure 3-1.
Figure 3-1 The Authentication Provider Tab
Click the New button to create a new provider.
Enter a name and select the type of LDAP-based directory, for example OracleInternetDirectoryAuthenticator.
Configure the provider-specific attributes of the LDAP-based directory. This might include the host name and port, credentials, group search base, user search base and the like.
Save the provider information.
Change the order of the providers so that the LDAP-based directory is first; DefaultAuthenticator and DefaultIdentityAsserter will follow.
Click the new provider name to configure it.
Click the Configuration tab.
Click the Common tab.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-2.
Figure 3-2 SUFFICIENT Control Flag
Click the Provider Specific tab.
Enter the LDAP configuration information for your identity store and click Save.
Return to the Providers tab.
Click DefaultAuthenticator to change its configuration.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-3.
Figure 3-3 DefaultAuthenticator Tab in WebLogic Server Console
Restart WebLogic Server.
Appendix C Creating and protecting a sample MOSS website with the OES 11gr2 MOSS SM
This section provides a step by step demonstration of the creation of a sample MOSS website with pages, web parts and list items, and subsequently demonstrates how the OES 11gr2 MOSS SM can be used to protect the sample MOSS website. Since this is a demonstration sample, it uses Microsoft FBA (Forms Based Authentication) for providing authentication to the sample website. It should be noted that this authentication can be easily swapped with any other authentication mechanism without affecting the capabilities offered by the OES 11gr2 MOSS SM.
Step 1 Configure Forms Based Authentication in MOSS 2010
Define the custom OESMembershipProvider and OESRoleProvider in the MOSS Central Admin Site. In the web.config file of the Central Admin Site, add the OESMembershipProvider and OESRoleProvider into <membership> and <roleManager> under the <system.web> section:
<system.web>
  ...
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider"
           type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Step 2 Configure the OES custom providers in the Security Token Service web.config file
In MOSS 2010 authentication is handled by the Security Token Service, so we need to configure the custom providers in this service. Modify the configuration of the Security Token Service (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\Security Token\web.config). Add a <system.web> section in <configuration> to configure the providers:
<system.web>
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="OESRoleProvider" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider"
           type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
We can also add a debug configuration into the SecurityTokenServiceBehavior <behavior> tag, so that when there are errors in the Security Token Service the detailed error can be found in the event log: <serviceDebug includeExceptionDetailInFaults="true" />. After this step, do an IIS restart; the OES custom providers will then be available.
Step 3 Create a MOSS Web Application to use Forms Based Authentication
From the MOSS 2010 Central Admin Site, click Manage web applications under the Application Management section, then click New in the top pane to create a new web application. In the Create New Web Application window, use the following settings to create an FBA web application:
Authentication: select Claims Based Authentication instead of Classic Mode Authentication.
IIS Web Site: create a new IIS web site (use the default values for Name, Port, Host Header and Path).
Security Configuration: Allow Anonymous: Yes; Use Secure Sockets Layer (SSL): No.
Claims Authentication Types: keep Enable Windows Authentication and Integrated Windows Authentication selected, using NTLM instead of Negotiate. Select Enable Forms Based Authentication (FBA) and type in OESMembershipProvider and OESRoleProvider as the membership provider and role manager name.
Sign In Page URL: use the default sign in page.
Public URL: use the default settings.
Application Pool: select Create new application pool, use the default application pool name, and use Predefined instead of Configurable as the security account.
Database Name and Authentication: use the default settings.
Failover Server, Search Server, Service Application Connections and Customer Experience Improvement Program: use the default settings.
Please see the following figure for sample configurations.
Click OK to create this web application.
Still from the Central Admin Site, click "Manage web applications" under "Application Management", select User Policy from the ribbon, click Add Users, select the default zone and hit Next. Click the Address Book button, type mossadmin in Find and hit the Search icon; this username will be resolved as a Forms Auth user. Add this user, grant "Full Control" under Permissions and hit the Finish button.
Step 4 Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider in the <membership> and <roleManager> under the <system.web> section. DO NOT delete the default providers that are already there:
<system.web>
  ...
  <membership defaultProvider="i">
    <providers>
      <clear />
      <add name="i"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="c"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESRoleProvider"
           type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Please note: when modifying web.config files, always back up the original file and use Notepad.
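The web.config edits of Steps 1, 2 and 4 done programmatically, as an added Python example that is not part of the OES MOSS SM distribution: it keeps the providers already present, creates <system.web> when the file lacks one, and writes a .bak copy before rewriting a file. The sample web.config texts are constructed; the provider type strings are those of the snippets above.

```python
"""Add the OES membership and role providers to a SharePoint web.config.

Added example serving Steps 1, 2 and 4 above; it is not part of the OES MOSS SM
distribution. It keeps every provider already present (Step 4 says not to
delete them), adds an OES <add> only when missing, creates <system.web> when
the file has none (the Security Token Service case in Step 2), and writes a
.bak copy before touching a file. The type strings are those of the snippets
above; the sample web.config texts below are constructed.
"""
from __future__ import annotations
import shutil
import xml.etree.ElementTree as ET

OES_TYPES = {
    "membership": ("OESMembershipProvider",
                   "OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, "
                   "Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc"),
    "roleManager": ("OESRoleProvider",
                    "OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, "
                    "Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc"),
}


def _child(parent: ET.Element, tag: str) -> ET.Element | None:
    """Direct child lookup by tag (avoids ElementPath, where '.' is special)."""
    return next((c for c in parent if c.tag == tag), None)


def _ensure(parent: ET.Element, tag: str) -> ET.Element:
    node = _child(parent, tag)
    return node if node is not None else ET.SubElement(parent, tag)


def ensure_oes_providers(config_xml: str, membership_default: str | None = None,
                         role_default: str | None = None) -> str:
    """Return config_xml with the OES providers registered under <system.web>."""
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError(f"not a web.config: root element is <{root.tag}>")
    system_web = _ensure(root, "system.web")
    for section, (name, type_name) in OES_TYPES.items():
        sec = _ensure(system_web, section)
        if section == "roleManager":          # attributes every snippet above carries
            sec.set("enabled", "true")
            sec.attrib.setdefault("cacheRolesInCookie", "false")
        providers = _ensure(sec, "providers")
        if _child(providers, "clear") is None:
            providers.insert(0, ET.Element("clear"))   # <clear /> must come first
        if not any(a.get("name") == name for a in providers.findall("add")):
            ET.SubElement(providers, "add", {"name": name, "type": type_name})
    if membership_default:
        _child(system_web, "membership").set("defaultProvider", membership_default)
    if role_default:
        _child(system_web, "roleManager").set("defaultProvider", role_default)
    return ET.tostring(root, encoding="unicode")


def provider_names(config_xml: str, section: str) -> list[str]:
    """Names registered under <system.web>/<section>/<providers>, in file order."""
    sec = _child(_child(ET.fromstring(config_xml), "system.web"), section)
    return [a.get("name") for a in _child(sec, "providers").findall("add")]


def default_provider(config_xml: str, section: str) -> str | None:
    sec = _child(_child(ET.fromstring(config_xml), "system.web"), section)
    return sec.get("defaultProvider")


def apply_to_file(path: str, **kwargs) -> str:
    """Back up web.config to web.config.bak, then rewrite it in place."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        updated = ensure_oes_providers(fh.read(), **kwargs)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return updated


# Constructed sample modelled on the Step 4 web.config: claims providers "i" and "c" present.
SAMPLE_WEB_APP_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="i">
      <providers>
        <clear />
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </membership>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

# Constructed stand-in for the Security Token Service web.config, which has no <system.web>.
SAMPLE_STS_CONFIG = "<configuration><system.serviceModel /></configuration>"
```

ElementTree drops XML comments on the round trip, so keep the .bak copy when running this against a real web.config.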
Do an IIS restart; the FBA configuration will then be activated. Create Site Collections for this web application, using mossadmin as the Primary Site Collection Administrator.
Step 5 Login to the FBA site as site admin and grant users access to this site
Add Groups
Login to the site (e.g. http://alesw2k8:11589) as site admin (mossadmin). Click Site Actions > Site Permissions. In the following window click Create Group in the top ribbon, type in group1 as the group name, change Allow requests to join/leave this group and Auto-accept requests to Yes, give Read permission, take all the other default settings and hit Create. group1 is created. Please see the following figure as an example.
In the group1 view click New > Add Users. In the following window click the Address Book icon, type in mossuser1 and click the search icon; this user will be resolved as a Forms Auth user. Add mossuser1 to group1. Click Settings > Group Settings, change Group Owner to "mossuser1" and remove "mossadmin" from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as group owner; also grant Read access to these two groups.
Steps 6-9 below demonstrate creating a MOSS Sub Site, Web Pages, List Items and Custom Content pages.
Step 6 Create Sub Site
Still logged in as site admin (mossadmin), select Site Actions > New Site, input the title as OES Example and the URL Name as http://alesw2k8:11589/example, take the other default settings and hit Create to create the sub site.
Step 7 Create Document Libraries & List Items
In the "example" Sub Site click Site Actions > New Document Library. In the following window use OES Document as the name, take the other default settings and hit Create. The OES Document library is created under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder, type in test as the name and click Save; the test folder is created in OES Document. Click into the test folder and Add document. In the Upload Document window browse to the dummy document doc1.rtf, put it under the test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.
Step 8 Create Non-Document Libraries & List Items
Click Site Actions > More Options; when the new window appears click Announcements under Communications. In the following window, to create the announcement list, type in OES Announcement as the name and take the other default settings. Hit Create; the OES Announcement list will be created and appear in the left panel.
Save the settings and click Add new announcement. Give the Title as Announcement 2 (the existing MOSS announcement will have ID "1"), input any content in the announcement body and save the announcement. Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.
Step 9 Create Web Pages
Regular Pages: select Site Actions > New Page, enter page1 as the name and hit Create. Input any content in the edit pane of this page and Save & Close; page1.aspx is created under Site Pages.
Web Part Pages: select Site Actions > More Options; in the following window click Web Part Page under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template, select Site Pages as the save location and hit Create to create page2. When the edit web part page window appears, click Add a Web Part and add OES Document and OES Announcement into this web part page. Click Stop Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: open Microsoft SharePoint Designer 2010, click Open Site and type in the site name (e.g. http://alesw2k8:11589/example). Login to the site as mossadmin. Select Site Pages and click Page > HTML from the top ribbon; a new untitled page is created under Site Pages. Change the name to page3.aspx. With page3.aspx selected click Edit File With > SharePoint Designer (Open As HTML); in the popup window click OK and page3 will be edited in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OES.Sharepoint.Controls" TagPrefix="OES" Assembly="OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES:
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
  account owner: Joe Doe
  account type: primary saving
  account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10 Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11 Configure the MOSS Web Application to be protected by OES
Step 11.1 From APM define the following authorization policies
Grant role authenticatedUser "view" and "ANY" access to all the resources.
Deny mossuser1 "view" access to resource doc4.rtf.
Deny mossuser3 "view" access to the "OES Announcement" folder.
Deny mossuser3 "view" access to page1.aspx.
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2 Run the example
Navigate to http://<computer_name>:<port>/example; FBA is prompted.
mossuser1: login as "mossuser1".
Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" will appear, but not "doc4", since mossuser1 is denied access to it.
Non-Document List Items: click "OES Announcement"; all items are accessible.
Regular Web Page: mossuser1 can access page1.aspx.
Web Parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1", "doc2" and "doc3", but not "doc4", appear. All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, login as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by the policy in Step 11.1.
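The Step 11.1 policies and the Step 11.2 expectations as a deny-overrides model, an added Python example that is not the OES policy engine: it assumes a Deny on a resource also covers everything beneath it and beats the authenticatedUser Grant, and its resource names are constructed from the Appendix A naming rules for the sample site of Steps 6-9.

```python
"""Model of the Step 11.1 policies with a deny-overrides check for Step 11.2.

Added example; it is not the OES policy engine and does not talk to OES. It
assumes (as the walkthrough implies) that a Deny on a resource also covers the
resources beneath it and beats the authenticatedUser Grant, and it uses
constructed resource names built from the Appendix A naming rules.
"""
from __future__ import annotations
from dataclasses import dataclass

# Role membership assumed for the demo users created in Step 5.
ROLE_MEMBERS = {
    "authenticatedUser": {"mossadmin", "mossuser1", "mossuser2", "mossuser3", "mossuser4"},
}


@dataclass(frozen=True)
class Policy:
    effect: str            # "grant" or "deny"
    principal: str         # a user name or a role name
    actions: frozenset     # e.g. {"view"}; "ANY" matches every action
    resource: str          # "" means every resource under the MOSS application


# Step 11.1 policies, one per line of the text above.
POLICIES = [
    Policy("grant", "authenticatedUser", frozenset({"view", "ANY"}), ""),
    Policy("deny", "mossuser1", frozenset({"view"}), "example/OES Document/test/doc4.rtf"),
    Policy("deny", "mossuser3", frozenset({"view"}), "example/Lists/OES Announcement"),
    Policy("deny", "mossuser3", frozenset({"view"}), "example/SitePages/page1.aspx"),
    Policy("deny", "mossuser3", frozenset({"view"}), "example/SitePages/page3.aspx/Resource1"),
    Policy("deny", "mossuser4", frozenset({"view"}), "example"),
]


def covers(policy_resource: str, resource: str) -> bool:
    """A policy on a resource applies to it and to everything beneath it."""
    return (policy_resource == "" or resource == policy_resource
            or resource.startswith(policy_resource + "/"))


def principal_matches(policy: Policy, user: str) -> bool:
    return policy.principal == user or user in ROLE_MEMBERS.get(policy.principal, set())


def is_permitted(user: str, action: str, resource: str, policies=POLICIES) -> bool:
    """Deny overrides: any applicable Deny wins; otherwise an applicable Grant is needed."""
    applicable = [p for p in policies
                  if principal_matches(p, user) and covers(p.resource, resource)
                  and (action in p.actions or "ANY" in p.actions)]
    if any(p.effect == "deny" for p in applicable):
        return False
    return any(p.effect == "grant" for p in applicable)


def visible(user: str, resources: list[str]) -> list[str]:
    """The subset of resources the user may view, i.e. a list view after filtering."""
    return [r for r in resources if is_permitted(user, "view", r)]


# Constructed resource names for the sample site built in Steps 6-9.
TEST_DOCS = [f"example/OES Document/test/doc{n}.rtf" for n in (1, 2, 3, 4)]
ANNOUNCEMENTS = [f"example/Lists/OES Announcement/DispForm.aspx/{n}" for n in (1, 2, 3, 4)]
PAGE1 = "example/SitePages/page1.aspx"
PAGE2 = "example/SitePages/page2.aspx"
RESOURCE1 = "example/SitePages/page3.aspx/Resource1"
```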
Page 9 10152012
er name=policyoid type=POLICY_STOREgt
ltproperty value=OID name=policystoretypegt
ltserviceProvidergt
ltserviceProvidersgt
ltserviceInstancesgt
ltserviceInstance location= provider=credstoressp
name=credstoregt
ltdescriptiongtFile Based Credential Store Service
Instanceltdescriptiongt
ltserviceInstancegt
ltserviceInstance location=system-jazn-dataxml
provider=idstorexmlprovider name=idstorexmlgt
ltdescriptiongtFile Based Identity Store Service
Instanceltdescriptiongt
ltproperty value=jazncom name=subscribernamegt
ltserviceInstancegt
ltserviceInstance location=system-jazn-dataxml
provider=policystorexmlprovider name=policystorexmlgt
ltdescriptiongtFile Based Policy Store Service
Instanceltdescriptiongt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=idstoreloginmodulegt
ltdescriptiongtIdentity Store Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduleidstoreIdStoreLoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance location=default-keystorejks
provider=keystoreprovider name=keystoregt
ltdescriptiongtDefault JPS Keystore Serviceltdescriptiongt
ltproperty value=file name=keystoreprovidertypegt
ltproperty value= name=keystorefilepathgt
ltproperty value=JKS name=keystoretypegt
ltproperty value=oraclewsmsecurity
name=keystorecsfmapgt
ltproperty value=keystore-csf-key
name=keystorepasscsfkeygt
ltproperty value=sign-csf-key name=keystoresigcsfkeygt
ltproperty value=enc-csf-key name=keystoreenccsfkeygt
ltserviceInstancegt
ltserviceInstance provider=auditprovider name=auditgt
ltproperty value=None name=auditfilterPresetgt
ltproperty value=0 name=auditmaxDirSizegt
ltproperty value=104857600 name=auditmaxFileSizegt
ltproperty value=jdbcAuditDB name=auditloaderjndigt
ltproperty value=15 name=auditloaderintervalgt
ltproperty value=File name=auditloaderrepositoryTypegt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=samlloginmodulegt
ltdescriptiongtSAML Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmodulesamlJpsSAMLLoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
Page 10 10152012
ltpropertySetRef ref=samltrustedissuers1gt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=saml2loginmodulegt
ltdescriptiongtSAML2 Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmodulesamlJpsSAML2LoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltpropertySetRef ref=samltrustedissuers1gt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=krb5loginmodulegt
ltdescriptiongtKerberos Login Moduleltdescriptiongt
ltproperty value=comsunsecurityauthmoduleKrb5LoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltproperty value=true name=storeKeygt
ltproperty value=true name=useKeyTabgt
ltproperty value=true name=doNotPromptgt
ltproperty value=krb5keytab name=keyTabgt
ltproperty value=HOSTlocalhostEXAMPLECOM
name=principalgt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=digestauthenticatorloginmodulegt
ltdescriptiongtDigest Authenticator Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduledigestDigestLoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=certificateauthenticatorloginmodulegt
ltdescriptiongtX509 Certificate Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmodulex509X509LoginModule
name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=wssdigestloginmodulegt
ltdescriptiongtWSS Digest Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduledigestWSSDigestLoginModul
e name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=userauthenticationloginmodulegt
ltdescriptiongtUser Authentication Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduleauthenticationJpsUserAuth
enticationLoginModule name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance location=bootstrap provider=credstoressp
Page 11 10152012
name=bootstrapcredstoregt
ltproperty value=bootstrap name=locationgt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=userassertionloginmodulegt
ltdescriptiongtUser Assertion Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduleassertionJpsUserAssertion
LoginModule name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance
location=Eappsoraclemiddlewareoes_sm_instancesSP_SM_D2ISEVDHQ110_AP
P1_2configenroll provider=credstoressp name=credstoreenrollgt
ltserviceInstance provider=pdpserviceprovider
name=pdpservicegt
ltproperty value=WS
name=oraclesecurityjpspdpPDPTransportgt
ltproperty value=lthttplocalhostwebserviceportgt
name=oraclesecurityjpspdpproxyPDPAddressgt
ltproperty value=10000
name=oraclesecurityjpspdpproxyRequestTimeoutMilliSecsgt
ltproperty value=3
name=oraclesecurityjpspdpproxyFailureRetryCountgt
ltproperty value=180000
name=oraclesecurityjpspdpproxyFailbackTimeoutMilliSecsgt
ltproperty value=60000
name=oraclesecurityjpspdpproxySynchronizationIntervalMilliSecsgt
ltserviceInstancegt
ltserviceInstance provider=policystoreprovider
name=policystoredbgt
ltproperty value=DB_ORACLE name=policystoretype gt
ltpropertySetRef ref=propsdb1 gt
ltserviceInstancegt
ltserviceInstancesgt
ltjpsContexts default=defaultgt
ltjpsContext name=defaultgt
ltserviceInstanceRef ref=pdpservicegt
ltserviceInstanceRef ref=policystoredbgt
ltjpsContextgt
ltjpsContext name=bootstrap_credstore_contextgt
ltserviceInstanceRef ref=bootstrapcredstoregt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorDigestAuthenticatorgt
ltserviceInstanceRef ref=digestauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorBasicAuthenticatorgt
ltserviceInstanceRef ref=idstoreloginmodulegt
ltjpsContextgt
ltjpsContext name=X509CertificateAuthenticationgt
ltserviceInstanceRef
ref=certificateauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext name=SAMLgt
ltserviceInstanceRef ref=samlloginmodulegt
Page 12 10152012
ltjpsContextgt
ltjpsContext name=smsecgt
ltserviceInstanceRef ref=credstoreenrollgt
ltjpsContextgt
ltjpsContextsgt
ltjpsConfiggt
Run $ORACLE_CLIENT_HOMEoessmbinmanage-policycmd|sh to migrate the resource policies into OES
policy store
ltoracle_client_homegtoessmbingtmanage-policycmd
Ensure that correct values are set for
OES_CLIENT_HOME = ldquoltoracle_client_homegtrdquo
OES_INSTANCE_NAME = ldquoltinstance_namegtrdquo
The policy-management tool migrates the MOSS resources to OES policy store using append mode the
existing moss application and related policies will not be wiped off The input for running this script
application name resource type and MOSS resource file should be consistent with the input of
MOSSResourceDiscovery tool
Start the WS SM ltORACLE_CLIENT_HOMEgtoes_sm_instancesltinstance_namegtbinstartWSServercmd
Restart IIS Sharepoint
gt iisrestart noforce
Page 13 10152012
Appendix A OES SM Manual Resource Creation
In case resources (like web sites lists etc) are created in MOSS after resource discovery is done the newly
created resources need to be replicated at OES This can be done by running resource discovery and loading
policy files again or through manual process The following section describes the manual creation of resources
in OES corresponding to web sites lists and web parts etc As the resource model is based on URL the URLs
of the MOSS resources are used to create resources in OES
Web Sites
On creation of new web sites in MOSS the URL of the web sites defines the resource to be created in
OES Say for web URL httpltSharepoint_Server_NamegtTestSite the corresponding resource will be created
by trimming off the initial part of the URL and creating ldquoTestSiterdquo as a resource under the Moss Application
(MossApp) from OES administration server console
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content A web part is
one of the easiest and best way in which content is published in MOSS For authorization on web parts via
OES these web parts may be created as resources in OES Web Parts are created as sub resources of the page
resource and the name of the resource is the display name of the web part
Lists amp Items
The web site creation also creates a set of lists depending upon the template used for creating the
web These lists are incorporated into the resource tree based on whether they are document lists or non-
document lists in the following manner
Document List
Go to the List view page Eg
httpltSharepoint_Server_NamegtTestSiteSharedDocumentsFormsAllItemsaspx
It can be represented ldquoTestSiteSharedDocumentsFormsAllItemsaspxrdquo in OES resource tree
Create the individual items within the list as sub resources to the ldquoSharedDocumentsrdquo eg a
document named Scottsql present in the list may be represented as
ldquoTestSiteSharedDocuments Scottsqlrdquo
Non Document List
Go to the List view page eg
httpltSharepoint_Server_NamegtTestSiteListsAnnouncementsAllItemsaspx
It can be represented as ldquoTestSiteListsAnnouncementsAllItemsaspxrdquo in resource tree
Create the following resources at the same level as ldquoAllItemsaspxrdquo
EditFormaspx
DispFormaspx
Click on any item in the list and notice that the URL appears as the following
httpltSharepoint_Server_Namegtweb1ListsAnnouncementsDispFormaspxID=2ampSource=http3A2F
2Fsharepoint012FTestSite2FLists2FAnnouncements2FAllItems2Easpx
Notice the ID as a URL parameter in the URL This ID is used as a name of the non-document item
and is created as a sub resource of both EditFormaspx and DispFormaspx This has to be done for all items
within a non-document list
Note An easier way of finding the IDrsquos of the individual items is to hover the mouse over the link of
the item and note the ID form the URL displayed on the status bar of the browser
Pages
Pages in MOSS exist either in document libraries or in the web base The page may be modeled by
creating resources breaking up the URL
Page 14 10152012
Appendix B OES LDAP Integration
OES LDAP (OPTIONAL)
After installation the Oracle Entitlements Server identity store is associated with the WebLogic Server
embedded LDAP directory While this embedded LDAP directory is fine for development purposes a
supported LDAP directory must be used in production The following procedure reconfigures the default
identity store settings More specific information on configuring LDAP authentication providers can be found
in the Oracle Fusion Middleware Securing Oracle WebLogic Server
Launch the WebLogic Server console
Click Security Realms
Click the settings for myrealm
Click the Provider tab
Click the Authentication tab as displayed in Figure 3-1
Figure 3-1 The Authentication Provider Tab
Description of Figure 3-1 The Authentication Provider Tab Click the New button to create a new
provider
Enter a name and select the type of LDAP-based directory
For example OracleInternetDirectoryAuthenticator
Configure the provider-specific attributes of the LDAP-based directory
This might include the host name and port credentials group search base user search base and the like
Save the provider information
Change the order of the providers so that the LDAP-based directory is first
DefaultAuthenticator and DefaultIdentityAsserter will follow
Click the new provider name to configure it
Click the Configuration tab
Click the Common tab
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 3-2
Figure 3-2 SUFFICIENT Control Flag
Description of Figure 3-2 SUFFICIENT Control Flag Click the Provider Specific tab
Enter the LDAP configuration information for your identity store and click Save
Return to the Providers tab
Click DefaultAuthenticator to change its configuration
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 3-3
Figure 3-3 DefaultAuthentciator Tab in WebLogic Server Console
Description of Figure 3-3 DefaultAuthentciator Tab in WebLogic Server Console Restart WebLogic
Server
Page 15 10152012
Appendix C Creating and protecting a sample MOSS website with the OES 11gr2
MOSS SM
This section provides a step by step demonstration of the creation of a sample MOSS website with pages web
parts and list items and subsequently demonstrates how the OES MOSS 11gr2 SM can be used to protect the
sample MOSS website Since this is a demonstration sample it uses Microsoft FBA for providing
authentication to the sample website It should be noted that this authentication can be easily swapped with any
other authentication mechanism without affecting the capabilities offered by the OES 11gr2 MOSS SM
Step1 Configure Form Based Authentication MOSS 2010 Define the custom OESMembershipProvider and OESRoleProvider in MOSS Central Admin Site In the
webconfig file of the Central Admin Site add the OESMembershipProvider and OESRoleProvider
intoltmembershipgt and ltroleManagergt under ltsystemwebgt section
ltsystemwebgt
hellip
ltmembership defaultProvider=OESMembershipProvidergt
ltprovidersgt
ltclear gt
ltadd name=OESMembershipProvider
type=OESSharepointProvidersOESMembershipProvider OESSharepoint Version=1000
Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager enabled=true defaultProvider=AspNetWindowsTokenRoleProvider
cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
Step2 Configure the OES custom providers in the Security Token Service webconfig file
In MOSS 2010 authentication is handled by Security Token Service so we need to configure the custom
providers in this service Modify the configuration of Security Token Service (CProgram FilesCommon
Page 16 10152012
FilesMicrosoft SharedWeb Server Extensions14WebServicesSecurity Tokenwebconfig) Add a
ltsystemwebgt section in ltconfigurationgt to configure the providers
ltsystemwebgt
ltmembership defaultProvider=OESMembershipProvidergt
ltprovidersgt
ltclear gt
ltadd name=OESMembershipProvider type=OESSharepointProvidersOESMembershipProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager defaultProvider=OESRoleProvider enabled=true cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
We can also add a debug configuration in to the SecurityTokenServiceBehavior ltbehaviorgt tag so when
there are errors in the Security Token Service the detailed error log can be found in event logltserviceDebug
includeExceptionDetailInFaults=truegt After this step do an IIS restart the OES custom providers will be
available
Step3 Create a MOSS Web Application to use Form Based Authentication
From MOSS 2010 Central Admin Site Click Manage web applications under Application Management
section click New in the top pane to new a web application In the Create New Web Application window
use the following settings to create a FBA web application
Authentication Select the Claims Based Authentication instead of the Classic Mode
Authentication
IIS Web Site Create a new IIS web site (Use default values for Name Port Host Header and Path)
Security Configuration Allow Anonymous Yes Use Security Sockets Layer (SSL) No
Claims Authentication Types Keep Enable Windows Authentication and Integrated Windows
Authentication selected Use NTLM instead of Negotiate Select Enable Forms Based
Authentication (FBA) type in OESMembershipProvider and OESRoleProvider as the
membership provider and role manager name
Sign In Page URL Use Default Sign In Page
Public URL Use the default settings
Application Pool Select Create new application pool Use default Application pool name Use
Predefined instead of Configurable as the security account
Database Name and Authentication Use default settings
Failover Server Search Server Service Application Connections amp Customer Experience
Improvement Program Use default settings
Page 17 10152012
Please see the following figure for sample configurations
Page 18 10152012
Click OK to create this web application
Still from Central Admin Site click ldquoManage web applicationsrdquo under ldquoApplication Managementrdquo select User
Policy from the ribbon Click Add Users select default zone and hit Next click the Address Book button type
mossadmin in Find and hit the Search icon this username can be resolved as a Forms Auth user add this
user and grant ldquoFull Controlrdquo under Permissions and hit Finish button
Step4 Configure the web application created in step3 to use FBA
Page 19 10152012
Modify the webconfig of this web application add the OESMembershipProvider and OESRoleProvider in the
ltmembershipgt and ltroleManagergt under ltsystemwebgt section DONOT delete the default providers thats
already there
ltsystemwebgt
hellip
ltmembership defaultProvider=igt
ltprovidersgt
ltclear gt
ltadd name=i
type=MicrosoftSharePointAdministrationClaimsSPClaimsAuthMembershipProvider
MicrosoftSharePoint Version=14000 Culture=neutral PublicKeyToken=71e9bce111e9429c gt
ltadd name=OESMembershipProvider type=OESSharepointProvidersOESMembershipProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager defaultProvider=c enabled=true cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=c type=MicrosoftSharePointAdministrationClaimsSPClaimsAuthRoleProvider
MicrosoftSharePoint Version=14000 Culture=neutral PublicKeyToken=71e9bce111e9429c gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
Please note when we modify webconfig files always back up the original file and use notepad
Do an IIS restart the FBA configuration will be activated Create Site Collections for this web application use
mossadmin as the Primary Site Collection Administrator
Step5 Login to the FBA site as site admin and grant users access to this site
Add Groups
Login to the site (eg httpalesw2k811589) as site admin (mossadmin) Click Site ActionsgtSite
Permissions In the following window click Create Group in the top ribbon type in group1 as group
name change the Allow requests to joinleave this group and Auto-accept request to Yes give Read
permission and take all the other default settings and hit Create group1 is created Please see the following
figure as example
Page 20 10152012
In group1 view click NewgtAdd Users In the following window click the Address Book icon type in
mossuser1 and click the search icon this user will be resolved as a Form Auth user add mossuser1 to
group1 Click SettingsgtGroup Settings change Group Owner to be ldquomossuser1rdquo and remove ldquomossadminrdquo
from group1
Follow the same process to create ldquogroup2rdquo with ldquomossuser2rdquo as group owner ldquogroup3rdquo with ldquomossuser3rdquo as
group owner also grant Read access to these two groups
Steps 6-9 below demonstrate Creating MOSS Sub Site Web Pages List Items and Custom Content pages
Page 21 10152012
Step 6 Create Sub Site
Still login as site admin (mossadmin) Select Site Actions gt New Site input title as OES Example and
URL Name as httpalesw2k811589example and take other default settings hit create to create the sub
site
Step 7 Create Document Libraries amp List Items
In the ldquoexamplerdquo Sub Site click Site Actions gt New Document Library In the following window use
OES Document as the name and take the other default settings hit Create The OES Document is created
under the Shared Document in the left panel
Click Documents under Library Tools on the top ribbon and then click New Folder type in test as the
name and click Save the test folder is created in OES Document Click into the test folder and Add
document In the Upload Document window browse to the dummy document doc1rtf put it under
test folder and hit OK doc1rtf is uploaded to test folder of OES Document Follow the same process to
upload or create doc2rtf doc3rtf doc4rtf to test folder
Page 22 10152012
Step 8 Create Non-Document Libraries amp List Items
Click Site Actions gt More Options when the new window appears click Announcements under
Communications In the following window to create announcement list type in OES Announcement as the
name and take the other default settings Hit Create the OES Announcement will be created and appear in
the left panel
Save the settings and click Add new announcement Give the Title as Announcement 2 (The existing
MOSS announcement will have ID ldquo1rdquo) and input any content in announcement body save the announcement
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement
Step 9 Create Web Pages
Regular Pages Select Site Actions gt New Page enter page1 as name and hit create Input any content
in the edit pane of this page saveampclose page1aspx is created under Site Pages
Page 23 10152012
Web Part Pages Select Site Actions gt More options in the following window click Web Part Page
under Pages and Sites Type in page2 as page name choose Full Page Vertical as Layout template
select Site Pages as save location and hit create to create page2 As the edit web part page window appears
click Add a Web Part add OES Document and OES Announcement into this web part page Click Stop
Editing in the top ribbon Go back to homepage and click Site Pages page2 is created under Site Pages
Custom Content Page Open Microsoft Sharepoint Designer 2010 click Open Site type in site name (eg
httpalesw2k811589example) Login the site as mossadmin Select Site Pages click Page gt Html
from the top ribbon a new untitled page is created under Site Pages change the name as page3aspx With
page3aspx selected click Edit File With gt Sharepoint Designer (Open As HTML) in the popup
window click ok and page3 will be edited in advanced mode in Code view
Add the following in the ltheadgt section of this page
lt Register Namespace=OESSharepointControls TagPrefix=OES Assembly=OESSharepoint
Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdcgt
Add the following in the ltbodygt section
Page 24 10152012
The following sensitive information is protected by OES
ltOESAuthorizationTagLib Resource=Resource1 runat=servergt
account owner Joe Doe
account type primary saving
account balance 1000000
ltOESAuthorizationTagLibgt
Click Site Pages to save and exit the edit window Exit Sharepoint Designer
Step 10 Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM
Step 11 Configure the MOSS Web Application to be protected by OES
Step 111 From APM define the following authorization policies
Grant role authenticatedUser ldquoviewrdquo and ldquoANYrdquo access to all the resources
Deny mossuser1 ldquoviewrdquo access to resource doc4rtf
Deny mossuser3 ldquoviewrdquo access to ldquoOES Announcementrdquo folder
Deny mossuser3 ldquoviewrdquo access to page1aspx
Deny mossuser3 ldquoviewrdquo access to protected page content ldquoResource1rdquo on page3aspx
Deny mossuser4 ldquoviewrdquo access to sub site ldquoOES Examplerdquo
Step 112 Run the example
Navigate to httpltcomputer_namegtltportgtexample FBA is prompted
mossuser1 login as ldquomossuser1rdquo
Document List Items click ldquoOES Documentrdquo and ldquotestrdquo folder ldquodoc1rdquo ldquodoc2rdquo and ldquodoc3rdquo will appear but not
ldquodoc4rdquo since mossuser1 is denied access to it
Non-Document List Items click ldquoOES Announcementrdquo all items are accessible
Regular Web Page mossuser1 can access the page1aspx
Web Parts click web part page ldquopage2aspxrdquo open ldquotestrdquo folder under ldquoOES Documentrdquo only ldquodoc1rdquo
ldquodoc2rdquo ldquodoc3rdquo but not ldquodoc4rdquo appear All items under ldquoOES Announcementrdquo are accessible
Custom content page navigate to ldquopage3aspxrdquo mossuser1 is able to see the protected sensitive content
Similarly login as the other users (mossuser2 mossuser3 etc) and validate their individual access as defined by
policy in step 111
        <propertySetRef ref="saml.trusted.issuers.1"/>
      </serviceInstance>
      <serviceInstance provider="jaas.login.provider" name="saml2.loginmodule">
        <description>SAML2 Login Module</description>
        <property value="oracle.security.jps.internal.jaas.module.saml.JpsSAML2LoginModule" name="loginModuleClassName"/>
        <property value="REQUIRED" name="jaas.login.controlFlag"/>
        <propertySetRef ref="saml.trusted.issuers.1"/>
      </serviceInstance>
      <serviceInstance provider="jaas.login.provider" name="krb5.loginmodule">
        <description>Kerberos Login Module</description>
        <property value="com.sun.security.auth.module.Krb5LoginModule" name="loginModuleClassName"/>
        <property value="REQUIRED" name="jaas.login.controlFlag"/>
        <property value="true" name="storeKey"/>
        <property value="true" name="useKeyTab"/>
        <property value="true" name="doNotPrompt"/>
        <property value="krb5.keytab" name="keyTab"/>
        <property value="HOST/localhost@EXAMPLE.COM" name="principal"/>
      </serviceInstance>
      <serviceInstance provider="jaas.login.provider" name="digest.authenticator.loginmodule">
        <description>Digest Authenticator Login Module</description>
        <property value="oracle.security.jps.internal.jaas.module.digest.DigestLoginModule" name="loginModuleClassName"/>
        <property value="REQUIRED" name="jaas.login.controlFlag"/>
      </serviceInstance>
      <serviceInstance provider="jaas.login.provider" name="certificate.authenticator.loginmodule">
        <description>X509 Certificate Login Module</description>
        <property value="oracle.security.jps.internal.jaas.module.x509.X509LoginModule" name="loginModuleClassName"/>
        <property value="REQUIRED" name="jaas.login.controlFlag"/>
      </serviceInstance>
      <serviceInstance provider="jaas.login.provider" name="wss.digest.loginmodule">
        <description>WSS Digest Login Module</description>
        <property value="oracle.security.jps.internal.jaas.module.digest.WSSDigestLoginModule" name="loginModuleClassName"/>
        <property value="REQUIRED" name="jaas.login.controlFlag"/>
      </serviceInstance>
      <serviceInstance provider="jaas.login.provider" name="user.authentication.loginmodule">
        <description>User Authentication Login Module</description>
        <property value="oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule" name="loginModuleClassName"/>
        <property value="REQUIRED" name="jaas.login.controlFlag"/>
      </serviceInstance>
      <serviceInstance location="./bootstrap" provider="credstoressp" name="bootstrap.credstore">
        <property value="./bootstrap" name="location"/>
      </serviceInstance>
      <serviceInstance provider="jaas.login.provider" name="user.assertion.loginmodule">
        <description>User Assertion Login Module</description>
        <property value="oracle.security.jps.internal.jaas.module.assertion.JpsUserAssertionLoginModule" name="loginModuleClassName"/>
        <property value="REQUIRED" name="jaas.login.controlFlag"/>
      </serviceInstance>
      <serviceInstance location="E:\apps\oracle\middleware\oes_sm_instances\SP_SM_D2ISEVDHQ110_APP1_2\config\enroll" provider="credstoressp" name="credstore.enroll"/>
      <serviceInstance provider="pdp.service.provider" name="pdp.service">
        <property value="WS" name="oracle.security.jps.pdp.PDPTransport"/>
        <property value="http://localhost:<webservice port>" name="oracle.security.jps.pdp.proxy.PDPAddress"/>
        <property value="10000" name="oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs"/>
        <property value="3" name="oracle.security.jps.pdp.proxy.FailureRetryCount"/>
        <property value="180000" name="oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs"/>
        <property value="60000" name="oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs"/>
      </serviceInstance>
      <serviceInstance provider="policystore.provider" name="policystore.db">
        <property value="DB_ORACLE" name="policystore.type"/>
        <propertySetRef ref="props.db.1"/>
      </serviceInstance>
    </serviceInstances>
    <jpsContexts default="default">
      <jpsContext name="default">
        <serviceInstanceRef ref="pdp.service"/>
        <serviceInstanceRef ref="policystore.db"/>
      </jpsContext>
      <jpsContext name="bootstrap_credstore_context">
        <serviceInstanceRef ref="bootstrap.credstore"/>
      </jpsContext>
      <jpsContext name="oracle.security.jps.fmw.authenticator.DigestAuthenticator">
        <serviceInstanceRef ref="digest.authenticator.loginmodule"/>
      </jpsContext>
      <jpsContext name="oracle.security.jps.fmw.authenticator.BasicAuthenticator">
        <serviceInstanceRef ref="idstore.loginmodule"/>
      </jpsContext>
      <jpsContext name="X509CertificateAuthentication">
        <serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
      </jpsContext>
      <jpsContext name="SAML">
        <serviceInstanceRef ref="saml.loginmodule"/>
      </jpsContext>
      <jpsContext name="smsec">
        <serviceInstanceRef ref="credstore.enroll"/>
      </jpsContext>
    </jpsContexts>
  </jpsConfig>
Run $ORACLE_CLIENT_HOME/oessm/bin/manage-policy.cmd|sh to migrate the resource policies into the OES policy store:
<oracle_client_home>\oessm\bin> manage-policy.cmd
Ensure that correct values are set for:
OES_CLIENT_HOME = "<oracle_client_home>"
OES_INSTANCE_NAME = "<instance_name>"
The policy-management tool migrates the MOSS resources to the OES policy store in append mode, so the existing MOSS application and its related policies are not wiped out. The input for running this script (application name, resource type and MOSS resource file) must be consistent with the input given to the MOSSResourceDiscovery tool.
Start the WS SM: <ORACLE_CLIENT_HOME>\oes_sm_instances\<instance_name>\bin\startWSServer.cmd
Restart IIS (SharePoint):
> iisreset /noforce
Appendix A: OES SM Manual Resource Creation
In case resources (like web sites, lists, etc.) are created in MOSS after resource discovery is done, the newly created resources need to be replicated in OES. This can be done by running resource discovery and loading the policy files again, or through a manual process. The following section describes the manual creation of resources in OES corresponding to web sites, lists, web parts, etc. As the resource model is based on URLs, the URLs of the MOSS resources are used to create resources in OES.
Web Sites
On creation of a new web site in MOSS, the URL of the web site defines the resource to be created in OES. For example, for the web URL http://<Sharepoint_Server_Name>/TestSite the corresponding resource is created by trimming off the initial part of the URL and creating "TestSite" as a resource under the MOSS application (MossApp) from the OES administration server console.
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content. A web part is one of the easiest and best ways in which content is published in MOSS. For authorization on web parts via OES, these web parts may be created as resources in OES. Web parts are created as sub-resources of the page resource, and the name of the resource is the display name of the web part.
Lists & Items
The web site creation also creates a set of lists, depending upon the template used for creating the web. These lists are incorporated into the resource tree based on whether they are document lists or non-document lists, in the following manner.
Document List
Go to the List view page, e.g. http://<Sharepoint_Server_Name>/TestSite/SharedDocuments/Forms/AllItems.aspx
It can be represented as "TestSite/SharedDocuments/Forms/AllItems.aspx" in the OES resource tree.
Create the individual items within the list as sub-resources of "SharedDocuments"; e.g. a document named Scott.sql present in the list may be represented as "TestSite/SharedDocuments/Scott.sql".
Non-Document List
Go to the List view page, e.g. http://<Sharepoint_Server_Name>/TestSite/Lists/Announcements/AllItems.aspx
It can be represented as "TestSite/Lists/Announcements/AllItems.aspx" in the resource tree.
Create the following resources at the same level as "AllItems.aspx":
EditForm.aspx
DispForm.aspx
Click on any item in the list and notice that the URL appears as the following:
http://<Sharepoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx
Notice the ID as a URL parameter in the URL. This ID is used as the name of the non-document item and is created as a sub-resource of both EditForm.aspx and DispForm.aspx. This has to be done for all items within a non-document list.
Note: An easier way of finding the IDs of the individual items is to hover the mouse over the link of the item and note the ID from the URL displayed on the status bar of the browser.
Pages
Pages in MOSS exist either in document libraries or in the web base. The page may be modeled by creating resources breaking up the URL.
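The URL-to-resource rules of this appendix, applied by a set of Python helpers. This is an added example, not code from the document or from the OES product; it assumes "/" as the separator in OES resource names and uses constructed host names (sharepoint01) in its sample URLs.

```python
"""Map MOSS URLs to OES resource names as Appendix A describes.

Added example, not from the document or the OES product.  Assumptions: the
OES resource tree uses "/" as its separator, and a non-document list item is
identified by the ID query parameter of its DispForm.aspx / EditForm.aspx URL.
"""
from urllib.parse import parse_qs, urlsplit

# Form pages that are created beside AllItems.aspx for a non-document list.
FORM_PAGES = ("EditForm.aspx", "DispForm.aspx")


def site_relative_path(url):
    """Trim scheme and host: 'http://sharepoint01/TestSite' -> 'TestSite'."""
    return urlsplit(url).path.strip("/")


def web_site_resource(url):
    """A new web site becomes a resource named by its site-relative URL."""
    return site_relative_path(url)


def document_list_resources(list_view_url, document_names):
    """Document list: the AllItems.aspx view, plus each document as a
    sub-resource of the library (the path before /Forms/)."""
    view = site_relative_path(list_view_url)   # TestSite/SharedDocuments/Forms/AllItems.aspx
    library = view.split("/Forms/")[0]         # TestSite/SharedDocuments
    return [view] + [f"{library}/{name}" for name in document_names]


def non_document_list_resources(list_view_url):
    """Non-document list: AllItems.aspx plus EditForm.aspx and DispForm.aspx
    at the same level."""
    view = site_relative_path(list_view_url)
    folder = view.rsplit("/", 1)[0]
    return [view] + [f"{folder}/{page}" for page in FORM_PAGES]


def non_document_item_resources(item_url):
    """Read the ID parameter from an item's form-page URL and return the item
    as a sub-resource of both EditForm.aspx and DispForm.aspx."""
    parts = urlsplit(item_url)
    folder, page = parts.path.strip("/").rsplit("/", 1)
    if page not in FORM_PAGES:
        raise ValueError(f"not a list item form URL: {item_url}")
    ids = parse_qs(parts.query).get("ID")
    if not ids:
        raise ValueError(f"no ID parameter in: {item_url}")
    return [f"{folder}/{form}/{ids[0]}" for form in FORM_PAGES]


def web_part_resource(page_url, display_name):
    """Web parts are sub-resources of the page, named by their display name."""
    return f"{site_relative_path(page_url)}/{display_name}"


if __name__ == "__main__":
    # Constructed sample URLs following the appendix.
    print(web_site_resource("http://sharepoint01/TestSite"))
    print(document_list_resources(
        "http://sharepoint01/TestSite/SharedDocuments/Forms/AllItems.aspx", ["Scott.sql"]))
    print(non_document_item_resources(
        "http://sharepoint01/web1/Lists/Announcements/DispForm.aspx?ID=2"
        "&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx"))
```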
Appendix B: OES LDAP Integration
OES LDAP (OPTIONAL)
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a supported LDAP directory must be used in production. The following procedure reconfigures the default identity store settings. More specific information on configuring LDAP authentication providers can be found in Oracle Fusion Middleware Securing Oracle WebLogic Server.
1. Launch the WebLogic Server console.
2. Click Security Realms.
3. Click the settings for myrealm.
4. Click the Providers tab.
5. Click the Authentication tab, as displayed in Figure 3-1.
Figure 3-1: The Authentication Provider Tab
6. Click the New button to create a new provider.
7. Enter a name and select the type of LDAP-based directory, for example OracleInternetDirectoryAuthenticator.
8. Configure the provider-specific attributes of the LDAP-based directory. This might include the host name and port, credentials, group search base, user search base and the like.
9. Save the provider information.
10. Change the order of the providers so that the LDAP-based directory is first; DefaultAuthenticator and DefaultIdentityAsserter will follow.
11. Click the new provider name to configure it.
12. Click the Configuration tab.
13. Click the Common tab.
14. Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-2.
Figure 3-2: SUFFICIENT Control Flag
15. Click the Provider Specific tab.
16. Enter the LDAP configuration information for your identity store and click Save.
17. Return to the Providers tab.
18. Click DefaultAuthenticator to change its configuration.
19. Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-3.
Figure 3-3: DefaultAuthenticator Tab in WebLogic Server Console
20. Restart WebLogic Server.
Appendix C: Creating and protecting a sample MOSS website with the OES 11gR2 MOSS SM
This section provides a step-by-step demonstration of the creation of a sample MOSS website with pages, web parts and list items, and subsequently demonstrates how the OES 11gR2 MOSS SM can be used to protect the sample MOSS website. Since this is a demonstration sample, it uses Microsoft FBA (Forms Based Authentication) for providing authentication to the sample website. It should be noted that this authentication can be easily swapped with any other authentication mechanism without affecting the capabilities offered by the OES 11gR2 MOSS SM.
Step 1: Configure Form Based Authentication in MOSS 2010
Define the custom OESMembershipProvider and OESRoleProvider in the MOSS Central Admin Site. In the web.config file of the Central Admin Site, add the OESMembershipProvider and OESRoleProvider into <membership> and <roleManager> under the <system.web> section:
<system.web>
  ...
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider"
           type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Step 2: Configure the OES custom providers in the Security Token Service web.config file
In MOSS 2010 authentication is handled by the Security Token Service, so the custom providers must also be configured in this service. Modify the configuration of the Security Token Service (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config): add a <system.web> section in <configuration> to configure the providers:
<system.web>
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="OESRoleProvider" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider"
           type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
We can also add a debug configuration to the SecurityTokenServiceBehavior <behavior> tag, so that when there are errors in the Security Token Service the detailed error log can be found in the event log: <serviceDebug includeExceptionDetailInFaults="true"/>. After this step, do an IIS restart and the OES custom providers will be available.
Step 3: Create a MOSS Web Application to use Form Based Authentication
From the MOSS 2010 Central Admin Site, click Manage web applications under the Application Management section, then click New in the top pane to create a new web application. In the Create New Web Application window, use the following settings to create an FBA web application:
Authentication: select Claims Based Authentication instead of Classic Mode Authentication.
IIS Web Site: create a new IIS web site (use the default values for Name, Port, Host Header and Path).
Security Configuration: Allow Anonymous: Yes; Use Secure Sockets Layer (SSL): No (a demonstration setting; a production site would enable SSL).
Claims Authentication Types: keep Enable Windows Authentication and Integrated Windows Authentication selected, using NTLM instead of Negotiate. Select Enable Forms Based Authentication (FBA) and type in OESMembershipProvider and OESRoleProvider as the membership provider and role manager name.
Sign In Page URL: use the default sign-in page.
Public URL: use the default settings.
Application Pool: select Create new application pool, use the default application pool name, and use Predefined instead of Configurable as the security account.
Database Name and Authentication: use the default settings.
Failover Server, Search Server, Service Application Connections and Customer Experience Improvement Program: use the default settings.
Please see the following figure for sample configurations.
Click OK to create this web application.
Still from the Central Admin Site, click "Manage web applications" under "Application Management", select User Policy from the ribbon and click Add Users. Select the default zone and hit Next, click the Address Book button, type mossadmin in Find and hit the Search icon; this username can be resolved as a Forms Auth user. Add this user, grant "Full Control" under Permissions and hit the Finish button.
Step 4: Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider to the <membership> and <roleManager> elements under the <system.web> section. DO NOT delete the default providers that are already there:
<system.web>
  ...
  <membership defaultProvider="i">
    <providers>
      <clear />
      <add name="i"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="c"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESRoleProvider"
           type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Please note: whenever you modify web.config files, always back up the original file first and edit it with Notepad.
Do an IIS restart and the FBA configuration will be activated. Create Site Collections for this web application, using mossadmin as the Primary Site Collection Administrator.
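A check worth running on the edited web.config before the IIS restart: it confirms that the SharePoint claims providers "i" and "c" survived the edit, that the OES providers were added, and that defaultProvider still names the SharePoint providers. This is an added example (Python, xml.etree), not code from the document or the OES product; the sample config embedded in it is constructed for the check.

```python
"""Verify the Step 4 web.config edit before restarting IIS.

Added example; not code from the document or from the OES product.  It parses
the web application's web.config and reports anything that departs from the
fragment the document shows.  SAMPLE_OK and SAMPLE_BROKEN are constructed here.
"""
import xml.etree.ElementTree as ET

# What the document requires after the edit, per section.
REQUIRED = {
    "membership": {"default": "i", "oes": "OESMembershipProvider"},
    "roleManager": {"default": "c", "oes": "OESRoleProvider"},
}


def provider_names(section):
    """Ordered provider names declared under <section><providers>."""
    providers = section.find("providers")
    if providers is None:
        return []
    return [add.get("name") for add in providers.findall("add")]


def check_fba_providers(web_config_xml):
    """Return a list of problems; an empty list means the edit looks right."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        return ["<system.web> section missing"]
    problems = []
    for tag, want in REQUIRED.items():
        section = system_web.find(tag)
        if section is None:
            problems.append(f"<{tag}> section missing")
            continue
        names = provider_names(section)
        if want["default"] not in names:
            problems.append(f"<{tag}>: SharePoint claims provider '{want['default']}' was removed")
        if want["oes"] not in names:
            problems.append(f"<{tag}>: '{want['oes']}' is not registered")
        if section.get("defaultProvider") != want["default"]:
            problems.append(f"<{tag}>: defaultProvider must stay '{want['default']}'")
        if section.find("providers/clear") is None:
            problems.append(f"<{tag}>: <clear /> missing, inherited providers would remain")
        if tag == "roleManager" and section.get("enabled") != "true":
            problems.append("<roleManager> is not enabled")
    return problems


# Constructed sample: the fragment as the document shows it after the edit.
SAMPLE_OK = """<configuration>
  <system.web>
    <membership defaultProvider="i">
      <providers>
        <clear />
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="OESMembershipProvider" type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
      </providers>
    </membership>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="OESRoleProvider" type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"""

# Constructed mistake: the claims membership provider "i" deleted and the OES
# provider made the default, which is exactly what the document warns against.
SAMPLE_BROKEN = "\n".join(
    line.replace('defaultProvider="i"', 'defaultProvider="OESMembershipProvider"')
    for line in SAMPLE_OK.splitlines()
    if 'name="i"' not in line
)

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(label, check_fba_providers(cfg) or "no problems")
```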
Step 5: Login to the FBA site as site admin and grant users access to this site
Add Groups
Login to the site (e.g. http://alesw2k8:11589) as site admin (mossadmin). Click Site Actions > Site Permissions. In the following window click Create Group in the top ribbon, type in group1 as the group name, change "Allow requests to join/leave this group" and "Auto-accept requests" to Yes, give Read permission, take all the other default settings and hit Create. group1 is created. Please see the following figure as an example.
In the group1 view click New > Add Users. In the following window click the Address Book icon, type in mossuser1 and click the search icon; this user will be resolved as a Forms Auth user. Add mossuser1 to group1. Click Settings > Group Settings, change the Group Owner to "mossuser1" and remove "mossadmin" from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as group owner; also grant Read access to these two groups.
Steps 6-9 below demonstrate creating a MOSS sub site, web pages, list items and custom content pages.
Step 6: Create Sub Site
Still logged in as site admin (mossadmin), select Site Actions > New Site, input the title as OES Example and the URL Name as http://alesw2k8:11589/example, take the other default settings and hit Create to create the sub site.
Step 7: Create Document Libraries & List Items
In the "example" sub site click Site Actions > New Document Library. In the following window use OES Document as the name, take the other default settings and hit Create. The OES Document library is created under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder; type in test as the name and click Save. The test folder is created in OES Document. Click into the test folder and choose Add document. In the Upload Document window browse to the dummy document doc1.rtf, put it under the test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.
Step 8: Create Non-Document Libraries & List Items
Click Site Actions > More Options; when the new window appears click Announcements under Communications. In the following window, to create the announcement list, type in OES Announcement as the name and take the other default settings. Hit Create; the OES Announcement list will be created and appear in the left panel.
Save the settings and click Add new announcement. Give the Title as Announcement 2 (the existing MOSS announcement will have ID "1"), input any content in the announcement body and save the announcement. Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.
Step 9: Create Web Pages
Regular Pages: select Site Actions > New Page, enter page1 as the name and hit Create. Input any content in the edit pane of this page and Save & Close; page1.aspx is created under Site Pages.
Web Part Pages: select Site Actions > More Options; in the following window click Web Part Page under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template, select Site Pages as the save location and hit Create to create page2. When the edit web part page window appears, click Add a Web Part and add OES Document and OES Announcement into this web part page. Click Stop Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: open Microsoft SharePoint Designer 2010, click Open Site and type in the site name (e.g. http://alesw2k8:11589/example). Login to the site as mossadmin. Select Site Pages and click Page > HTML from the top ribbon; a new untitled page is created under Site Pages. Change its name to page3.aspx. With page3.aspx selected, click Edit File With > SharePoint Designer (Open As HTML); in the popup window click OK and page3 will be edited in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OES.Sharepoint.Controls" TagPrefix="OES" Assembly="OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
  account owner: Joe Doe
  account type: primary saving
  account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10: Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11: Configure the MOSS Web Application to be protected by OES
Step 11.1: From APM, define the following authorization policies:
Grant role authenticatedUser "view" and "ANY" access to all the resources.
Deny mossuser1 "view" access to resource doc4.rtf.
Deny mossuser3 "view" access to the "OES Announcement" folder.
Deny mossuser3 "view" access to page1.aspx.
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2: Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login is prompted.
mossuser1: login as "mossuser1".
Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" will appear but not "doc4", since mossuser1 is denied access to it.
Non-Document List Items: click "OES Announcement"; all items are accessible.
Regular Web Page: mossuser1 can access page1.aspx.
Web Parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1", "doc2" and "doc3" appear, not "doc4". All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, login as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by the policies in Step 11.1.
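To predict what each test user should see in Step 11.2 before logging in as them, the Step 11.1 policies can be modelled over the sample site's resource tree. This is an added example, not code from the document or the OES product; it assumes that a policy on a resource also covers everything beneath it, that an explicit deny overrides a grant, that "ANY" matches every action, that every logged-in user holds the role authenticatedUser, and it uses constructed "/"-separated resource names for the site built in Steps 6-9.

```python
"""Model of the Step 11.1 policies used to predict the Step 11.2 outcomes.

Added example, not from the document or the OES product.  Assumptions: policies
apply to the named resource and its descendants, deny overrides grant, "ANY"
matches every action, and all logged-in users hold the authenticatedUser role.
"""
from dataclasses import dataclass

ROLE_AUTHENTICATED = "authenticatedUser"


@dataclass(frozen=True)
class Policy:
    effect: str      # "grant" or "deny"
    principal: str   # user name or role name
    action: str      # "view" or "ANY"
    resource: str    # "" means all resources


def covers(policy_resource, resource):
    """True if resource is policy_resource itself or lies beneath it."""
    if policy_resource == "":
        return True
    return resource == policy_resource or resource.startswith(policy_resource + "/")


def principals_of(user):
    return {user, ROLE_AUTHENTICATED}


def is_permitted(policies, user, action, resource):
    """Deny-overrides evaluation: any applicable deny wins, else any grant permits."""
    applicable = [p for p in policies
                  if p.principal in principals_of(user)
                  and p.action in (action, "ANY")
                  and covers(p.resource, resource)]
    if any(p.effect == "deny" for p in applicable):
        return False
    return any(p.effect == "grant" for p in applicable)


# The six policies of Step 11.1, over constructed resource names.
STEP_11_1_POLICIES = [
    Policy("grant", ROLE_AUTHENTICATED, "view", ""),
    Policy("grant", ROLE_AUTHENTICATED, "ANY", ""),
    Policy("deny", "mossuser1", "view", "example/OES Document/test/doc4.rtf"),
    Policy("deny", "mossuser3", "view", "example/OES Announcement"),
    Policy("deny", "mossuser3", "view", "example/SitePages/page1.aspx"),
    Policy("deny", "mossuser3", "view", "example/SitePages/page3.aspx/Resource1"),
    Policy("deny", "mossuser4", "view", "example"),
]

# Constructed resource tree matching the sample site built in Steps 6-9.
SAMPLE_RESOURCES = [
    "example",
    *[f"example/OES Document/test/doc{i}.rtf" for i in range(1, 5)],
    *[f"example/OES Announcement/{i}" for i in range(1, 5)],
    "example/SitePages/page1.aspx",
    "example/SitePages/page2.aspx",
    "example/SitePages/page3.aspx/Resource1",
]


def visible_resources(user, policies=STEP_11_1_POLICIES, resources=SAMPLE_RESOURCES):
    """Everything the user may 'view', in tree order."""
    return [r for r in resources if is_permitted(policies, user, "view", r)]


if __name__ == "__main__":
    for user in ("mossuser1", "mossuser2", "mossuser3", "mossuser4"):
        print(user, visible_resources(user))
```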
Page 11 10152012
name=bootstrapcredstoregt
ltproperty value=bootstrap name=locationgt
ltserviceInstancegt
ltserviceInstance provider=jaasloginprovider
name=userassertionloginmodulegt
ltdescriptiongtUser Assertion Login Moduleltdescriptiongt
ltproperty
value=oraclesecurityjpsinternaljaasmoduleassertionJpsUserAssertion
LoginModule name=loginModuleClassNamegt
ltproperty value=REQUIRED name=jaaslogincontrolFlaggt
ltserviceInstancegt
ltserviceInstance
location=Eappsoraclemiddlewareoes_sm_instancesSP_SM_D2ISEVDHQ110_AP
P1_2configenroll provider=credstoressp name=credstoreenrollgt
ltserviceInstance provider=pdpserviceprovider
name=pdpservicegt
ltproperty value=WS
name=oraclesecurityjpspdpPDPTransportgt
ltproperty value=lthttplocalhostwebserviceportgt
name=oraclesecurityjpspdpproxyPDPAddressgt
ltproperty value=10000
name=oraclesecurityjpspdpproxyRequestTimeoutMilliSecsgt
ltproperty value=3
name=oraclesecurityjpspdpproxyFailureRetryCountgt
ltproperty value=180000
name=oraclesecurityjpspdpproxyFailbackTimeoutMilliSecsgt
ltproperty value=60000
name=oraclesecurityjpspdpproxySynchronizationIntervalMilliSecsgt
ltserviceInstancegt
ltserviceInstance provider=policystoreprovider
name=policystoredbgt
ltproperty value=DB_ORACLE name=policystoretype gt
ltpropertySetRef ref=propsdb1 gt
ltserviceInstancegt
ltserviceInstancesgt
ltjpsContexts default=defaultgt
ltjpsContext name=defaultgt
ltserviceInstanceRef ref=pdpservicegt
ltserviceInstanceRef ref=policystoredbgt
ltjpsContextgt
ltjpsContext name=bootstrap_credstore_contextgt
ltserviceInstanceRef ref=bootstrapcredstoregt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorDigestAuthenticatorgt
ltserviceInstanceRef ref=digestauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext
name=oraclesecurityjpsfmwauthenticatorBasicAuthenticatorgt
ltserviceInstanceRef ref=idstoreloginmodulegt
ltjpsContextgt
ltjpsContext name=X509CertificateAuthenticationgt
ltserviceInstanceRef
ref=certificateauthenticatorloginmodulegt
ltjpsContextgt
ltjpsContext name=SAMLgt
ltserviceInstanceRef ref=samlloginmodulegt
Page 12 10152012
ltjpsContextgt
ltjpsContext name=smsecgt
ltserviceInstanceRef ref=credstoreenrollgt
ltjpsContextgt
ltjpsContextsgt
ltjpsConfiggt
Run $ORACLE_CLIENT_HOMEoessmbinmanage-policycmd|sh to migrate the resource policies into OES
policy store
ltoracle_client_homegtoessmbingtmanage-policycmd
Ensure that correct values are set for
OES_CLIENT_HOME = ldquoltoracle_client_homegtrdquo
OES_INSTANCE_NAME = ldquoltinstance_namegtrdquo
The policy-management tool migrates the MOSS resources to OES policy store using append mode the
existing moss application and related policies will not be wiped off The input for running this script
application name resource type and MOSS resource file should be consistent with the input of
MOSSResourceDiscovery tool
Start the WS SM ltORACLE_CLIENT_HOMEgtoes_sm_instancesltinstance_namegtbinstartWSServercmd
Restart IIS Sharepoint
gt iisrestart noforce
Page 13 10152012
Appendix A: OES SM Manual Resource Creation
In case resources (such as web sites, lists, etc.) are created in MOSS after resource discovery has been done, the newly
created resources need to be replicated in OES. This can be done either by running resource discovery and loading the
policy files again, or through a manual process. The following section describes the manual creation of resources
in OES corresponding to web sites, lists, web parts, etc. As the resource model is based on URLs, the URLs
of the MOSS resources are used to create the resources in OES.
Web Sites
On creation of a new web site in MOSS, the URL of the web site defines the resource to be created in
OES. For example, for the web URL http://<Sharepoint_Server_Name>/TestSite the corresponding resource is created
by trimming off the initial part of the URL and creating "TestSite" as a resource under the MOSS Application
(MossApp) from the OES administration server console.
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content. A web part is
one of the easiest and best ways in which content is published in MOSS. For authorization on web parts via
OES, these web parts may be created as resources in OES. Web parts are created as sub-resources of the page
resource, and the name of the resource is the display name of the web part.
Lists & Items
The web site creation also creates a set of lists, depending upon the template used for creating the
web. These lists are incorporated into the resource tree based on whether they are document lists or non-document
lists, in the following manner.
Document List
Go to the List view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/SharedDocuments/Forms/AllItems.aspx
It can be represented as "TestSite/SharedDocuments/Forms/AllItems.aspx" in the OES resource tree.
Create the individual items within the list as sub-resources of "SharedDocuments"; e.g. a
document named Scott.sql present in the list may be represented as
"TestSite/SharedDocuments/Scott.sql".
Non-Document List
Go to the List view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Lists/Announcements/AllItems.aspx
It can be represented as "TestSite/Lists/Announcements/AllItems.aspx" in the resource tree.
Create the following resources at the same level as "AllItems.aspx":
EditForm.aspx
DispForm.aspx
Click on any item in the list and notice that the URL appears as follows:
http://<Sharepoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx
Notice the ID as a parameter in the URL. This ID is used as the name of the non-document item
and is created as a sub-resource of both EditForm.aspx and DispForm.aspx. This has to be done for all items
within a non-document list.
Note: An easier way of finding the IDs of the individual items is to hover the mouse over the link of
the item and note the ID from the URL displayed in the status bar of the browser.
Pages
Pages in MOSS exist either in document libraries or in the web base. The page may be modeled by
creating resources by breaking up the URL.
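The URL-to-resource mapping that Appendix A describes by hand, as an added worked example (this code is not part of the Oracle document or the OES SM tooling). It assumes only the rules stated above: drop the scheme and server name, keep the site-relative path as the resource name, and, for a non-document list item, take the ID query parameter as the item name under both DispForm.aspx and EditForm.aspx. The sample URLs are constructed; the server name sharepoint01 is taken from the Source parameter shown above.

```python
"""Map MOSS URLs to OES resource paths the way Appendix A describes.

Added example; not part of the Oracle document or the OES SM tooling.
It assumes the documented resource model: strip scheme and host, keep
the site-relative path, and name a non-document list item by the ID
query parameter, placed under both DispForm.aspx and EditForm.aspx.
"""
from urllib.parse import urlsplit, parse_qs, unquote


def moss_url_to_resources(url):
    """Return the OES resource path(s) for one MOSS URL.

    Document list items, sites and pages map to exactly one resource; a
    non-document list item (DispForm.aspx?ID=n or EditForm.aspx?ID=n)
    maps to two, one under each form page, as the appendix requires.
    """
    parts = urlsplit(url)
    # Trim the scheme and server name; keep the site-relative path.
    path = unquote(parts.path).strip("/")
    if not path:
        raise ValueError("URL has no site-relative path: %r" % url)
    segments = path.split("/")
    leaf = segments[-1]
    query = parse_qs(parts.query)

    if leaf.lower() in ("dispform.aspx", "editform.aspx") and "ID" in query:
        item_id = query["ID"][0]
        if not item_id.isdigit():
            raise ValueError("non-numeric list item ID: %r" % item_id)
        base = "/".join(segments[:-1])
        # The same item is reachable from both forms, so both need a resource.
        return [base + "/DispForm.aspx/" + item_id,
                base + "/EditForm.aspx/" + item_id]
    return [path]


def resource_tree(urls):
    """Build the sorted set of OES resources, including every ancestor node,
    so the tree can be created top-down in the OES admin console."""
    nodes = set()
    for url in urls:
        for res in moss_url_to_resources(url):
            segs = res.split("/")
            for i in range(1, len(segs) + 1):
                nodes.add("/".join(segs[:i]))
    return sorted(nodes)


if __name__ == "__main__":
    # Constructed sample URLs modelled on the appendix.
    sample = [
        "http://sharepoint01/TestSite",
        "http://sharepoint01/TestSite/SharedDocuments/Forms/AllItems.aspx",
        "http://sharepoint01/TestSite/SharedDocuments/Scott.sql",
        "http://sharepoint01/TestSite/Lists/Announcements/DispForm.aspx"
        "?ID=2&Source=http%3A%2F%2Fsharepoint01%2FTestSite",
    ]
    for node in resource_tree(sample):
        print(node)
```

Feeding the script the URLs gathered while browsing a site gives the full list of nodes to create, parents first, which is the order the console needs them in.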
Appendix B: OES LDAP Integration
OES LDAP (OPTIONAL)
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server
embedded LDAP directory. While this embedded LDAP directory is fine for development purposes, a
supported LDAP directory must be used in production. The following procedure reconfigures the default
identity store settings. More specific information on configuring LDAP authentication providers can be found
in Oracle Fusion Middleware Securing Oracle WebLogic Server.
Launch the WebLogic Server console.
Click Security Realms.
Click the settings for myrealm.
Click the Providers tab.
Click the Authentication tab, as displayed in Figure 3-1.
Figure 3-1: The Authentication Provider Tab
Click the New button to create a new provider.
Enter a name and select the type of LDAP-based directory, for example OracleInternetDirectoryAuthenticator.
Configure the provider-specific attributes of the LDAP-based directory. This might include the host name and port,
credentials, group search base, user search base and the like.
Save the provider information.
Change the order of the providers so that the LDAP-based directory is first; DefaultAuthenticator and
DefaultIdentityAsserter will follow.
Click the new provider name to configure it.
Click the Configuration tab.
Click the Common tab.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-2.
Figure 3-2: SUFFICIENT Control Flag
Click the Provider Specific tab.
Enter the LDAP configuration information for your identity store and click Save.
Return to the Providers tab.
Click DefaultAuthenticator to change its configuration.
Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-3.
Figure 3-3: DefaultAuthenticator Tab in WebLogic Server Console
Restart WebLogic Server.
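Why the procedure sets both providers to SUFFICIENT and puts the LDAP directory first, as an added example (not part of the Oracle document and not WebLogic code). The script models the JAAS control-flag semantics WebLogic applies to its ordered authentication providers (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) against two constructed user stores: a user known only to the corporate LDAP directory authenticates without the embedded LDAP being consulted, the console administrator held only in the embedded LDAP still authenticates, and the same chain with REQUIRED on both providers would reject a user present in only one store. The provider names are the ones used in the procedure; the users and passwords are constructed.

```python
"""Simulate the WebLogic authentication-provider chain of Appendix B.

Added example, not from the Oracle document or WebLogic itself. It
models the JAAS control-flag semantics that WebLogic applies to its
ordered providers so the effect of the two SUFFICIENT flags in the
procedure can be checked against constructed user stores.
"""

SUFFICIENT, REQUIRED, REQUISITE, OPTIONAL = "SUFFICIENT", "REQUIRED", "REQUISITE", "OPTIONAL"


class Provider:
    """One authentication provider: a name, a control flag and a
    constructed user store (username -> password)."""

    def __init__(self, name, flag, users):
        self.name, self.flag, self.users = name, flag, users

    def login(self, user, password):
        return self.users.get(user) == password


def authenticate(chain, user, password):
    """Run the providers in order; return (success, providers_consulted).

    JAAS rules: a SUFFICIENT success stops the chain immediately unless an
    earlier REQUIRED/REQUISITE module failed; a REQUISITE failure stops
    immediately; a REQUIRED failure is remembered but the chain continues;
    overall success needs no REQUIRED/REQUISITE failure and one success.
    """
    consulted = []
    required_failed = False
    any_success = False
    for p in chain:
        consulted.append(p.name)
        ok = p.login(user, password)
        if p.flag == SUFFICIENT:
            if ok and not required_failed:
                return True, consulted
            # a failed SUFFICIENT module is simply skipped
        elif p.flag == REQUISITE:
            if not ok:
                return False, consulted
            any_success = True
        elif p.flag == REQUIRED:
            if ok:
                any_success = True
            else:
                required_failed = True
        elif p.flag == OPTIONAL:
            any_success = any_success or ok
    return (any_success and not required_failed), consulted


def build_chain(ldap_flag=SUFFICIENT, default_flag=SUFFICIENT):
    """The chain the appendix ends with: corporate LDAP first, then the
    embedded-LDAP DefaultAuthenticator. Both user stores are constructed."""
    corporate = Provider("OracleInternetDirectoryAuthenticator", ldap_flag,
                         {"alice": "ldap-pw"})
    embedded = Provider("DefaultAuthenticator", default_flag,
                        {"weblogic": "admin-pw"})
    return [corporate, embedded]


if __name__ == "__main__":
    chain = build_chain()
    print(authenticate(chain, "alice", "ldap-pw"))      # LDAP user: stops at provider 1
    print(authenticate(chain, "weblogic", "admin-pw"))  # console admin still works
    print(authenticate(chain, "alice", "wrong"))        # no provider accepts
```

The ordering matters as much as the flags: with the corporate directory first, the embedded LDAP is only consulted for accounts the directory does not know, which is the behaviour you want once the production identity store is in place.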
Appendix C: Creating and protecting a sample MOSS website with the OES 11gr2 MOSS SM
This section provides a step-by-step demonstration of the creation of a sample MOSS website with pages, web
parts and list items, and subsequently demonstrates how the OES MOSS 11gr2 SM can be used to protect the
sample MOSS website. Since this is a demonstration sample, it uses Microsoft FBA (Forms Based Authentication) for providing
authentication to the sample website. It should be noted that this authentication can easily be swapped with any
other authentication mechanism without affecting the capabilities offered by the OES 11gr2 MOSS SM.
Step 1: Configure Form Based Authentication for MOSS 2010
Define the custom OESMembershipProvider and OESRoleProvider in the MOSS Central Admin Site. In the
web.config file of the Central Admin Site, add the OESMembershipProvider and OESRoleProvider
into <membership> and <roleManager> under the <system.web> section:
<system.web>
  ...
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Step 2: Configure the OES custom providers in the Security Token Service web.config file
In MOSS 2010, authentication is handled by the Security Token Service, so we need to configure the custom
providers in this service. Modify the configuration of the Security Token Service (C:\Program Files\Common
Files\Microsoft Shared\Web Server Extensions\14\WebServices\SecurityToken\web.config). Add a
<system.web> section in <configuration> to configure the providers:
<system.web>
  <membership defaultProvider="OESMembershipProvider">
    <providers>
      <clear />
      <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="OESRoleProvider" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
We can also add a debug setting to the SecurityTokenServiceBehavior <behavior> tag, so that when
there are errors in the Security Token Service the detailed error can be found in the event log:
<serviceDebug includeExceptionDetailInFaults="true"/>
After this step, do an IIS restart and the OES custom providers will be available.
Step 3: Create a MOSS Web Application to use Form Based Authentication
From the MOSS 2010 Central Admin Site, click Manage web applications under the Application Management
section, then click New in the top pane to create a new web application. In the Create New Web Application window,
use the following settings to create an FBA web application:
Authentication: Select Claims Based Authentication instead of Classic Mode Authentication.
IIS Web Site: Create a new IIS web site (use the default values for Name, Port, Host Header and Path).
Security Configuration: Allow Anonymous: Yes; Use Secure Sockets Layer (SSL): No.
Claims Authentication Types: Keep Enable Windows Authentication and Integrated Windows
Authentication selected; use NTLM instead of Negotiate. Select Enable Forms Based
Authentication (FBA) and type in OESMembershipProvider and OESRoleProvider as the
membership provider and role manager name.
Sign In Page URL: Use Default Sign In Page.
Public URL: Use the default settings.
Application Pool: Select Create new application pool; use the default application pool name; use
Predefined instead of Configurable as the security account.
Database Name and Authentication: Use default settings.
Failover Server, Search Server, Service Application Connections & Customer Experience
Improvement Program: Use default settings.
Please see the following figure for sample configurations.
Click OK to create this web application.
Still from the Central Admin Site, click "Manage web applications" under "Application Management" and select User
Policy from the ribbon. Click Add Users, select the default zone and hit Next; click the Address Book button, type
mossadmin in Find and hit the Search icon; this username can be resolved as a Forms Auth user. Add this
user, grant "Full Control" under Permissions and hit the Finish button.
Step 4: Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider in the
<membership> and <roleManager> under the <system.web> section. DO NOT delete the default providers that are
already there:
<system.web>
  ...
  <membership defaultProvider="i">
    <providers>
      <clear />
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Please note: whenever you modify web.config files, always back up the original file first and use Notepad to edit it.
Do an IIS restart and the FBA configuration will be activated. Create a Site Collection for this web application, using
mossadmin as the Primary Site Collection Administrator.
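A check for the web.config edits of Steps 1 to 4, as an added example (not part of the Oracle document or the OES SM tooling). It parses a web.config and reports whether the OES providers are registered under <membership> and <roleManager>, whether a web application's config still carries the SharePoint claims providers "i" and "c" that Step 4 says must not be deleted, and whether the <serviceDebug includeExceptionDetailInFaults="true"/> setting from Step 2 is present, since that is a debugging aid rather than a setting to leave on. The two embedded configs are constructed samples: one laid out as Step 4 shows, one reproducing the mistake of clearing the default providers.

```python
"""Sanity-check a SharePoint web.config for the provider changes in Steps 1-4.

Added example; not part of the Oracle document or the OES SM tooling.
It assumes nothing beyond the XML shown in the document.
"""
import xml.etree.ElementTree as ET

OES_PROVIDERS = {"membership": "OESMembershipProvider", "roleManager": "OESRoleProvider"}
SP_CLAIMS_PROVIDERS = {"membership": "i", "roleManager": "c"}


def _provider_names(root, section):
    """Names registered under <system.web>/<section>/<providers>, or None if absent."""
    for system_web in root.iter("system.web"):  # iter() avoids XPath parsing of the dotted tag
        node = system_web.find(section)
        if node is not None:
            return [add.get("name") for add in node.findall("providers/add")]
    return None


def check_web_config(xml_text, web_application=True):
    """Return a list of findings; an empty list means the config passes.

    web_application=False relaxes the "i"/"c" check for the Security Token
    Service config of Step 2, which legitimately lists only the OES providers.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for section, oes_name in OES_PROVIDERS.items():
        names = _provider_names(root, section)
        if names is None:
            findings.append("missing <%s> under <system.web>" % section)
            continue
        if oes_name not in names:
            findings.append("%s not registered in <%s>" % (oes_name, section))
        if web_application and SP_CLAIMS_PROVIDERS[section] not in names:
            findings.append('default SharePoint claims provider "%s" removed from <%s>'
                            % (SP_CLAIMS_PROVIDERS[section], section))
    for dbg in root.iter("serviceDebug"):
        if dbg.get("includeExceptionDetailInFaults", "false").lower() == "true":
            findings.append("serviceDebug includeExceptionDetailInFaults=true (debug-only setting)")
    return findings


# Constructed sample following the Step 4 layout (type attributes shortened).
SAMPLE_GOOD = """<configuration>
  <system.web>
    <membership defaultProvider="i"><providers><clear />
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" />
      <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint" />
    </providers></membership>
    <roleManager defaultProvider="c" enabled="true"><providers><clear />
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
      <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint" />
    </providers></roleManager>
  </system.web>
</configuration>"""

# Constructed sample of the mistake the document warns about: "i" and "c" were
# cleared away, and the Step 2 debug flag was left switched on.
SAMPLE_BAD = """<configuration>
  <system.web>
    <membership defaultProvider="OESMembershipProvider"><providers><clear />
      <add name="OESMembershipProvider" type="OESSharepoint.Providers.OESMembershipProvider, OESSharepoint" />
    </providers></membership>
    <roleManager defaultProvider="OESRoleProvider" enabled="true"><providers><clear />
      <add name="OESRoleProvider" type="OESSharepoint.Providers.OESRoleProvider, OESSharepoint" />
    </providers></roleManager>
  </system.web>
  <system.serviceModel><behaviors><serviceBehaviors>
    <behavior name="SecurityTokenServiceBehavior">
      <serviceDebug includeExceptionDetailInFaults="true" />
    </behavior>
  </serviceBehaviors></behaviors></system.serviceModel>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_web_config(cfg) or "OK")
```

Run it against each of the three web.config files touched above (Central Admin, Security Token Service with web_application=False, and the FBA web application) before the IIS restart; a finding about "i" or "c" means the claims authentication of the web application itself has been broken, which is the failure Step 4's warning is about.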
Step 5: Log in to the FBA site as site admin and grant users access to this site
Add Groups
Log in to the site (e.g. http://alesw2k8:11589) as the site admin (mossadmin). Click Site Actions > Site
Permissions. In the following window, click Create Group in the top ribbon, type in group1 as the group
name, change "Allow requests to join/leave this group" and "Auto-accept requests" to Yes, give Read
permission, take all the other default settings and hit Create; group1 is created. Please see the following
figure as an example.
In the group1 view, click New > Add Users. In the following window, click the Address Book icon, type in
mossuser1 and click the search icon; this user will be resolved as a Forms Auth user. Add mossuser1 to
group1. Click Settings > Group Settings, change Group Owner to "mossuser1" and remove "mossadmin"
from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as
group owner; also grant Read access to these two groups.
Steps 6-9 below demonstrate creating a MOSS sub site, web pages, list items and custom content pages.
Step 6: Create Sub Site
Still logged in as site admin (mossadmin), select Site Actions > New Site, input the title as OES Example and
the URL Name as http://alesw2k8:11589/example, take the other default settings and hit Create to create the sub
site.
Step 7: Create Document Libraries & List Items
In the "example" sub site, click Site Actions > New Document Library. In the following window, use
OES Document as the name, take the other default settings and hit Create. The OES Document library is created
under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder; type in test as the
name and click Save. The test folder is created in OES Document. Click into the test folder and click Add
document. In the Upload Document window, browse to the dummy document doc1.rtf, put it under the
test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to
upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.
Step 8: Create Non-Document Libraries & List Items
Click Site Actions > More Options; when the new window appears, click Announcements under
Communications. In the following window, to create the announcement list, type in OES Announcement as the
name and take the other default settings. Hit Create; the OES Announcement list will be created and appear in
the left panel.
Save the settings and click Add new announcement. Give the Title as Announcement 2 (the existing
MOSS announcement will have ID "1"), input any content in the announcement body and save the announcement.
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.
Step 9: Create Web Pages
Regular Pages: Select Site Actions > New Page, enter page1 as the name and hit Create. Input any content
in the edit pane of this page and Save & Close; page1.aspx is created under Site Pages.
Web Part Pages: Select Site Actions > More Options; in the following window, click Web Part Page
under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template,
select Site Pages as the save location and hit Create to create page2. When the edit web part page window appears,
click Add a Web Part and add OES Document and OES Announcement to this web part page. Click Stop
Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: Open Microsoft SharePoint Designer 2010, click Open Site and type in the site name (e.g.
http://alesw2k8:11589/example). Log in to the site as mossadmin. Select Site Pages, then click Page > HTML
from the top ribbon; a new untitled page is created under Site Pages. Change the name to page3.aspx. With
page3.aspx selected, click Edit File With > SharePoint Designer (Open As HTML); in the popup
window click OK, and page3 will be edited in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OESSharepoint.Controls" TagPrefix="OES" Assembly="OESSharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES:
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
  account owner: Joe Doe
  account type: primary saving
  account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10: Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11: Configure the MOSS Web Application to be protected by OES
Step 11.1: From APM, define the following authorization policies:
Grant role authenticatedUser "view" and "ANY" access to all the resources.
Deny mossuser1 "view" access to resource doc4.rtf.
Deny mossuser3 "view" access to the "OES Announcement" folder.
Deny mossuser3 "view" access to page1.aspx.
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2: Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login is prompted.
mossuser1: log in as "mossuser1".
Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" will appear, but not
"doc4", since mossuser1 is denied access to it.
Non-Document List Items: click "OES Announcement"; all items are accessible.
Regular Web Page: mossuser1 can access page1.aspx.
Web Parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1",
"doc2" and "doc3", but not "doc4", appear. All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, log in as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by the
policy in Step 11.1.
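The Step 11.1 policies evaluated against the sample site of Steps 6 to 9, as an added example (not part of the Oracle document, and not the OES policy decision point). It assumes a simplified model of what the steps describe: resources are slash-separated paths under the MOSS application following the Appendix A naming, a policy attached to a node applies to everything beneath it, every logged-in user holds the authenticatedUser role, and a matching deny overrides any grant. The resource paths are constructed from the names the steps use; the results it produces are the ones Step 11.2 tells you to expect (mossuser1 sees doc1 to doc3 but not doc4, mossuser3 loses the announcement list, page1.aspx and Resource1, mossuser4 sees nothing under the sub site).

```python
"""Evaluate the Step 11.1 policies against the sample resource tree.

Added example; not part of the Oracle document, and not the OES PDP.
Resources are paths, a policy on a node covers its whole subtree,
every user holds authenticatedUser, and DENY overrides GRANT.
"""

GRANT, DENY = "GRANT", "DENY"

# Constructed resource paths for the sample site built in Steps 6-9.
RESOURCES = [
    "example",
    "example/OES Document/test/doc1.rtf",
    "example/OES Document/test/doc2.rtf",
    "example/OES Document/test/doc3.rtf",
    "example/OES Document/test/doc4.rtf",
    "example/OES Announcement/DispForm.aspx/2",
    "example/OES Announcement/DispForm.aspx/3",
    "example/SitePages/page1.aspx",
    "example/SitePages/page2.aspx",
    "example/SitePages/page3.aspx/Resource1",
]

# The Step 11.1 policies: (effect, principal, action, resource).
# "role:" marks a role principal; anything else is a user name.
# An empty resource means the whole MOSS application.
POLICIES = [
    (GRANT, "role:authenticatedUser", "view", ""),
    (GRANT, "role:authenticatedUser", "ANY", ""),
    (DENY, "mossuser1", "view", "example/OES Document/test/doc4.rtf"),
    (DENY, "mossuser3", "view", "example/OES Announcement"),
    (DENY, "mossuser3", "view", "example/SitePages/page1.aspx"),
    (DENY, "mossuser3", "view", "example/SitePages/page3.aspx/Resource1"),
    (DENY, "mossuser4", "view", "example"),
]


def _covers(policy_resource, resource):
    """True when the policy node is the resource itself or an ancestor of it."""
    return (policy_resource == "" or resource == policy_resource
            or resource.startswith(policy_resource + "/"))


def is_authorized(user, action, resource, roles=("authenticatedUser",), policies=POLICIES):
    """Deny-overrides evaluation: any applicable DENY wins, else any applicable GRANT."""
    principals = {user} | {"role:" + r for r in roles}
    granted = False
    for effect, principal, pol_action, pol_resource in policies:
        if principal not in principals or not _covers(pol_resource, resource):
            continue
        if pol_action not in (action, "ANY"):
            continue
        if effect == DENY:
            return False
        granted = True
    return granted


def visible_resources(user, action="view"):
    """What a user would see when browsing the sample site (Step 11.2)."""
    return [r for r in RESOURCES if is_authorized(user, action, r)]


if __name__ == "__main__":
    for u in ("mossuser1", "mossuser2", "mossuser3", "mossuser4"):
        print(u, visible_resources(u))
```

Two things the table of visible resources makes explicit that the prose leaves implicit: the single deny on the "OES Announcement" node removes every announcement item beneath it for mossuser3, and the deny on the sub site removes everything for mossuser4 even though the authenticatedUser grant still applies to that user at the application level.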
Page 12 10152012
ltjpsContextgt
ltjpsContext name=smsecgt
ltserviceInstanceRef ref=credstoreenrollgt
ltjpsContextgt
ltjpsContextsgt
ltjpsConfiggt
Run $ORACLE_CLIENT_HOMEoessmbinmanage-policycmd|sh to migrate the resource policies into OES
policy store
ltoracle_client_homegtoessmbingtmanage-policycmd
Ensure that correct values are set for
OES_CLIENT_HOME = ldquoltoracle_client_homegtrdquo
OES_INSTANCE_NAME = ldquoltinstance_namegtrdquo
The policy-management tool migrates the MOSS resources to OES policy store using append mode the
existing moss application and related policies will not be wiped off The input for running this script
application name resource type and MOSS resource file should be consistent with the input of
MOSSResourceDiscovery tool
Start the WS SM ltORACLE_CLIENT_HOMEgtoes_sm_instancesltinstance_namegtbinstartWSServercmd
Restart IIS Sharepoint
gt iisrestart noforce
Page 13 10152012
Appendix A OES SM Manual Resource Creation
In case resources (like web sites lists etc) are created in MOSS after resource discovery is done the newly
created resources need to be replicated at OES This can be done by running resource discovery and loading
policy files again or through manual process The following section describes the manual creation of resources
in OES corresponding to web sites lists and web parts etc As the resource model is based on URL the URLs
of the MOSS resources are used to create resources in OES
Web Sites
On creation of new web sites in MOSS the URL of the web sites defines the resource to be created in
OES Say for web URL httpltSharepoint_Server_NamegtTestSite the corresponding resource will be created
by trimming off the initial part of the URL and creating ldquoTestSiterdquo as a resource under the Moss Application
(MossApp) from OES administration server console
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content A web part is
one of the easiest and best way in which content is published in MOSS For authorization on web parts via
OES these web parts may be created as resources in OES Web Parts are created as sub resources of the page
resource and the name of the resource is the display name of the web part
Lists amp Items
The web site creation also creates a set of lists depending upon the template used for creating the
web These lists are incorporated into the resource tree based on whether they are document lists or non-
document lists in the following manner
Document List
Go to the List view page Eg
httpltSharepoint_Server_NamegtTestSiteSharedDocumentsFormsAllItemsaspx
It can be represented ldquoTestSiteSharedDocumentsFormsAllItemsaspxrdquo in OES resource tree
Create the individual items within the list as sub resources to the ldquoSharedDocumentsrdquo eg a
document named Scottsql present in the list may be represented as
ldquoTestSiteSharedDocuments Scottsqlrdquo
Non Document List
Go to the List view page eg
httpltSharepoint_Server_NamegtTestSiteListsAnnouncementsAllItemsaspx
It can be represented as ldquoTestSiteListsAnnouncementsAllItemsaspxrdquo in resource tree
Create the following resources at the same level as ldquoAllItemsaspxrdquo
EditFormaspx
DispFormaspx
Click on any item in the list and notice that the URL appears as the following
httpltSharepoint_Server_Namegtweb1ListsAnnouncementsDispFormaspxID=2ampSource=http3A2F
2Fsharepoint012FTestSite2FLists2FAnnouncements2FAllItems2Easpx
Notice the ID as a URL parameter in the URL This ID is used as a name of the non-document item
and is created as a sub resource of both EditFormaspx and DispFormaspx This has to be done for all items
within a non-document list
Note An easier way of finding the IDrsquos of the individual items is to hover the mouse over the link of
the item and note the ID form the URL displayed on the status bar of the browser
Pages
Pages in MOSS exist either in document libraries or in the web base The page may be modeled by
creating resources breaking up the URL
Page 14 10152012
Appendix B OES LDAP Integration
OES LDAP (OPTIONAL)
After installation the Oracle Entitlements Server identity store is associated with the WebLogic Server
embedded LDAP directory While this embedded LDAP directory is fine for development purposes a
supported LDAP directory must be used in production The following procedure reconfigures the default
identity store settings More specific information on configuring LDAP authentication providers can be found
in the Oracle Fusion Middleware Securing Oracle WebLogic Server
Launch the WebLogic Server console
Click Security Realms
Click the settings for myrealm
Click the Provider tab
Click the Authentication tab as displayed in Figure 3-1
Figure 3-1 The Authentication Provider Tab
Description of Figure 3-1 The Authentication Provider Tab Click the New button to create a new
provider
Enter a name and select the type of LDAP-based directory
For example OracleInternetDirectoryAuthenticator
Configure the provider-specific attributes of the LDAP-based directory
This might include the host name and port credentials group search base user search base and the like
Save the provider information
Change the order of the providers so that the LDAP-based directory is first
DefaultAuthenticator and DefaultIdentityAsserter will follow
Click the new provider name to configure it
Click the Configuration tab
Click the Common tab
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 3-2
Figure 3-2 SUFFICIENT Control Flag
Description of Figure 3-2 SUFFICIENT Control Flag Click the Provider Specific tab
Enter the LDAP configuration information for your identity store and click Save
Return to the Providers tab
Click DefaultAuthenticator to change its configuration
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 3-3
Figure 3-3 DefaultAuthentciator Tab in WebLogic Server Console
Description of Figure 3-3 DefaultAuthentciator Tab in WebLogic Server Console Restart WebLogic
Server
Page 15 10152012
Appendix C Creating and protecting a sample MOSS website with the OES 11gr2
MOSS SM
This section provides a step by step demonstration of the creation of a sample MOSS website with pages web
parts and list items and subsequently demonstrates how the OES MOSS 11gr2 SM can be used to protect the
sample MOSS website Since this is a demonstration sample it uses Microsoft FBA for providing
authentication to the sample website It should be noted that this authentication can be easily swapped with any
other authentication mechanism without affecting the capabilities offered by the OES 11gr2 MOSS SM
Step1 Configure Form Based Authentication MOSS 2010 Define the custom OESMembershipProvider and OESRoleProvider in MOSS Central Admin Site In the
webconfig file of the Central Admin Site add the OESMembershipProvider and OESRoleProvider
intoltmembershipgt and ltroleManagergt under ltsystemwebgt section
ltsystemwebgt
hellip
ltmembership defaultProvider=OESMembershipProvidergt
ltprovidersgt
ltclear gt
ltadd name=OESMembershipProvider
type=OESSharepointProvidersOESMembershipProvider OESSharepoint Version=1000
Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager enabled=true defaultProvider=AspNetWindowsTokenRoleProvider
cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
Step2 Configure the OES custom providers in the Security Token Service webconfig file
In MOSS 2010 authentication is handled by Security Token Service so we need to configure the custom
providers in this service Modify the configuration of Security Token Service (CProgram FilesCommon
Page 16 10152012
FilesMicrosoft SharedWeb Server Extensions14WebServicesSecurity Tokenwebconfig) Add a
ltsystemwebgt section in ltconfigurationgt to configure the providers
ltsystemwebgt
ltmembership defaultProvider=OESMembershipProvidergt
ltprovidersgt
ltclear gt
ltadd name=OESMembershipProvider type=OESSharepointProvidersOESMembershipProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager defaultProvider=OESRoleProvider enabled=true cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
We can also add a debug configuration in to the SecurityTokenServiceBehavior ltbehaviorgt tag so when
there are errors in the Security Token Service the detailed error log can be found in event logltserviceDebug
includeExceptionDetailInFaults=truegt After this step do an IIS restart the OES custom providers will be
available
Step3 Create a MOSS Web Application to use Form Based Authentication
From MOSS 2010 Central Admin Site Click Manage web applications under Application Management
section click New in the top pane to new a web application In the Create New Web Application window
use the following settings to create a FBA web application
Authentication Select the Claims Based Authentication instead of the Classic Mode
Authentication
IIS Web Site Create a new IIS web site (Use default values for Name Port Host Header and Path)
Security Configuration Allow Anonymous Yes Use Security Sockets Layer (SSL) No
Claims Authentication Types Keep Enable Windows Authentication and Integrated Windows
Authentication selected Use NTLM instead of Negotiate Select Enable Forms Based
Authentication (FBA) type in OESMembershipProvider and OESRoleProvider as the
membership provider and role manager name
Sign In Page URL Use Default Sign In Page
Public URL Use the default settings
Application Pool Select Create new application pool Use default Application pool name Use
Predefined instead of Configurable as the security account
Database Name and Authentication Use default settings
Failover Server Search Server Service Application Connections amp Customer Experience
Improvement Program Use default settings
Page 17 10152012
Please see the following figure for sample configurations
Page 18 10152012
Click OK to create this web application
Still from Central Admin Site click ldquoManage web applicationsrdquo under ldquoApplication Managementrdquo select User
Policy from the ribbon Click Add Users select default zone and hit Next click the Address Book button type
mossadmin in Find and hit the Search icon this username can be resolved as a Forms Auth user add this
user and grant ldquoFull Controlrdquo under Permissions and hit Finish button
Step4 Configure the web application created in step3 to use FBA
Page 19 10152012
Modify the webconfig of this web application add the OESMembershipProvider and OESRoleProvider in the
ltmembershipgt and ltroleManagergt under ltsystemwebgt section DONOT delete the default providers thats
already there
ltsystemwebgt
hellip
ltmembership defaultProvider=igt
ltprovidersgt
ltclear gt
ltadd name=i
type=MicrosoftSharePointAdministrationClaimsSPClaimsAuthMembershipProvider
MicrosoftSharePoint Version=14000 Culture=neutral PublicKeyToken=71e9bce111e9429c gt
ltadd name=OESMembershipProvider type=OESSharepointProvidersOESMembershipProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager defaultProvider=c enabled=true cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=c type=MicrosoftSharePointAdministrationClaimsSPClaimsAuthRoleProvider
MicrosoftSharePoint Version=14000 Culture=neutral PublicKeyToken=71e9bce111e9429c gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
Please note when we modify webconfig files always back up the original file and use notepad
Do an IIS restart the FBA configuration will be activated Create Site Collections for this web application use
mossadmin as the Primary Site Collection Administrator
Step5 Login to the FBA site as site admin and grant users access to this site
Add Groups
Login to the site (eg httpalesw2k811589) as site admin (mossadmin) Click Site ActionsgtSite
Permissions In the following window click Create Group in the top ribbon type in group1 as group
name change the Allow requests to joinleave this group and Auto-accept request to Yes give Read
permission and take all the other default settings and hit Create group1 is created Please see the following
figure as example
Page 20 10152012
In group1 view click NewgtAdd Users In the following window click the Address Book icon type in
mossuser1 and click the search icon this user will be resolved as a Form Auth user add mossuser1 to
group1 Click SettingsgtGroup Settings change Group Owner to be ldquomossuser1rdquo and remove ldquomossadminrdquo
from group1
Follow the same process to create ldquogroup2rdquo with ldquomossuser2rdquo as group owner ldquogroup3rdquo with ldquomossuser3rdquo as
group owner also grant Read access to these two groups
Steps 6-9 below demonstrate Creating MOSS Sub Site Web Pages List Items and Custom Content pages
Page 21 10152012
Step 6 Create Sub Site
Still login as site admin (mossadmin) Select Site Actions gt New Site input title as OES Example and
URL Name as httpalesw2k811589example and take other default settings hit create to create the sub
site
Step 7 Create Document Libraries amp List Items
In the ldquoexamplerdquo Sub Site click Site Actions gt New Document Library In the following window use
OES Document as the name and take the other default settings hit Create The OES Document is created
under the Shared Document in the left panel
Click Documents under Library Tools on the top ribbon and then click New Folder type in test as the
name and click Save the test folder is created in OES Document Click into the test folder and Add
document In the Upload Document window browse to the dummy document doc1rtf put it under
test folder and hit OK doc1rtf is uploaded to test folder of OES Document Follow the same process to
upload or create doc2rtf doc3rtf doc4rtf to test folder
Page 22 10152012
Step 8 Create Non-Document Libraries amp List Items
Click Site Actions gt More Options when the new window appears click Announcements under
Communications In the following window to create announcement list type in OES Announcement as the
name and take the other default settings Hit Create the OES Announcement will be created and appear in
the left panel
Save the settings and click Add new announcement Give the Title as Announcement 2 (The existing
MOSS announcement will have ID ldquo1rdquo) and input any content in announcement body save the announcement
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement
Step 9 Create Web Pages
Regular Pages Select Site Actions gt New Page enter page1 as name and hit create Input any content
in the edit pane of this page saveampclose page1aspx is created under Site Pages
Web Part Pages: Select Site Actions > More Options; in the following window click Web Part Page under Pages and
Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template, select Site Pages as the
save location and hit Create to create page2. When the edit web part page window appears, click Add a Web Part and
add OES Document and OES Announcement to this web part page. Click Stop Editing in the top ribbon. Go back to the
home page and click Site Pages; page2 is created under Site Pages.
Custom Content Page: Open Microsoft SharePoint Designer 2010, click Open Site and type in the site name (e.g.
http://alesw2k8:11589/example). Log in to the site as mossadmin. Select Site Pages and click Page > HTML from the
top ribbon; a new untitled page is created under Site Pages. Change its name to page3.aspx. With page3.aspx
selected, click Edit File With > SharePoint Designer (Open As HTML); in the popup window click OK and page3 is
opened for editing in advanced mode in Code view.
Add the following in the <head> section of this page:
    <%@ Register Namespace="OES.Sharepoint.Controls" TagPrefix="OES"
        Assembly="OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
    The following sensitive information is protected by OES
    <OES:AuthorizationTagLib Resource="Resource1" runat="server">
    account owner Joe Doe
    account type primary saving
    account balance 1000000
    </OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10: Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11: Configure the MOSS Web Application to be protected by OES
Step 11.1: From APM, define the following authorization policies:
- Grant role authenticatedUser "view" and "ANY" access to all the resources.
- Deny mossuser1 "view" access to resource doc4.rtf.
- Deny mossuser3 "view" access to the "OES Announcement" folder.
- Deny mossuser3 "view" access to page1.aspx.
- Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
- Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2: Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login is prompted.
mossuser1: log in as "mossuser1".
- Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" appear but not "doc4",
  since mossuser1 is denied access to it.
- Non-Document List Items: click "OES Announcement"; all items are accessible.
- Regular Web Page: mossuser1 can access page1.aspx.
- Web Parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1",
  "doc2" and "doc3" appear, but not "doc4". All items under "OES Announcement" are accessible.
- Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, log in as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by
the policy in Step 11.1.
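The following is an added example, not code from this guide and not the OES policy engine: a small model of the Step 11.1 policy set that reproduces the Step 11.2 expectations, so the expected visibility for each user can be checked before anyone logs in to the site. It assumes OES resource paths of the form shown (the exact names the resource discovery agent produces are assumptions), that a deny on a resource also covers every resource beneath it, and that deny overrides grant, which is the combining behaviour the Step 11.2 walkthrough implies.

```python
"""Model of the Step 11.1 policy set, used to check the Step 11.2 expectations.

Added example; this is not OES code and does not reproduce OES's policy engine.
Assumed: resources are '/'-separated paths under the sub site (the resource
names below are assumptions), a deny on a resource also covers everything
beneath it, and deny overrides grant. Every caller is treated as already
authenticated, since the FBA login happens before any of these checks.
"""
from dataclasses import dataclass

ROLE_AUTHENTICATED = "role:authenticatedUser"


@dataclass(frozen=True)
class Rule:
    effect: str     # "grant" or "deny"
    principal: str  # a user name, or ROLE_AUTHENTICATED for every logged-in user
    action: str     # "view", or "ANY" for every action
    resource: str   # resource path; "" matches every resource


# Constructed from the Step 11.1 list; the resource paths are assumptions.
POLICIES = (
    Rule("grant", ROLE_AUTHENTICATED, "ANY", ""),
    Rule("deny", "mossuser1", "view", "example/OES Document/test/doc4.rtf"),
    Rule("deny", "mossuser3", "view", "example/Lists/OES Announcement"),
    Rule("deny", "mossuser3", "view", "example/SitePages/page1.aspx"),
    Rule("deny", "mossuser3", "view", "example/SitePages/page3.aspx/Resource1"),
    Rule("deny", "mossuser4", "view", "example"),
)


def covers(rule_resource: str, resource: str) -> bool:
    """True if the rule's resource is the resource itself or an ancestor of it."""
    return (rule_resource == "" or resource == rule_resource
            or resource.startswith(rule_resource + "/"))


def applies(rule: Rule, user: str, action: str, resource: str) -> bool:
    """True if the rule's principal, action and resource all match the request."""
    principal_ok = rule.principal in (user, ROLE_AUTHENTICATED)
    action_ok = rule.action in (action, "ANY")
    return principal_ok and action_ok and covers(rule.resource, resource)


def is_allowed(user: str, action: str, resource: str, policies=POLICIES) -> bool:
    """Deny-overrides: any applicable deny wins; otherwise an applicable grant is needed."""
    effects = {r.effect for r in policies if applies(r, user, action, resource)}
    if "deny" in effects:
        return False
    return "grant" in effects


def visible(user: str, resources, policies=POLICIES):
    """The subset of resources the user may view, in the original order."""
    return [r for r in resources if is_allowed(user, "view", r, policies)]


# Constructed resource list for the sub site built in Steps 6-9 (paths assumed).
EXAMPLE_RESOURCES = (
    "example/OES Document/test/doc1.rtf",
    "example/OES Document/test/doc2.rtf",
    "example/OES Document/test/doc3.rtf",
    "example/OES Document/test/doc4.rtf",
    "example/Lists/OES Announcement/DispForm.aspx/1",
    "example/Lists/OES Announcement/DispForm.aspx/2",
    "example/SitePages/page1.aspx",
    "example/SitePages/page2.aspx",
    "example/SitePages/page3.aspx",
    "example/SitePages/page3.aspx/Resource1",
)

if __name__ == "__main__":
    for user in ("mossuser1", "mossuser2", "mossuser3", "mossuser4"):
        print(user, visible(user, EXAMPLE_RESOURCES))
```

Two points the model makes visible: the deny on mossuser3 is scoped to "view", so a request for another action on page1.aspx still falls through to the authenticatedUser grant, and the deny on "Resource1" hides only the tag-library content while page3.aspx itself stays viewable, matching the distinction between page and protected page content in Step 11.1.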
Appendix A: OES SM Manual Resource Creation
In case resources (like web sites, lists, etc.) are created in MOSS after resource discovery is done, the newly
created resources need to be replicated in OES. This can be done by running resource discovery and loading the
policy files again, or through a manual process. The following section describes the manual creation of resources
in OES corresponding to web sites, lists, web parts, etc. As the resource model is based on URLs, the URLs of the
MOSS resources are used to create the resources in OES.
Web Sites
On creation of a new web site in MOSS, the URL of the web site defines the resource to be created in OES. For the
web URL http://<Sharepoint_Server_Name>/TestSite, the corresponding resource is created by trimming off the initial
part of the URL and creating "TestSite" as a resource under the MOSS application (MossApp) from the OES
administration server console.
Web Parts
Corresponding to a web site there may be a set of pages created for publishing content. A web part is one of the
easiest and best ways to publish content in MOSS. For authorization on web parts via OES, these web parts may be
created as resources in OES. Web parts are created as sub-resources of the page resource, and the name of the
resource is the display name of the web part.
Lists & Items
The web site creation also creates a set of lists, depending upon the template used for creating the web. These
lists are incorporated into the resource tree based on whether they are document lists or non-document lists, in
the following manner.
Document List
Go to the list view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/SharedDocuments/Forms/AllItems.aspx
It can be represented as "TestSite/SharedDocuments/Forms/AllItems.aspx" in the OES resource tree.
Create the individual items within the list as sub-resources of "SharedDocuments"; e.g. a document named Scott.sql
present in the list may be represented as "TestSite/SharedDocuments/Scott.sql".
Non-Document List
Go to the list view page, e.g.
http://<Sharepoint_Server_Name>/TestSite/Lists/Announcements/AllItems.aspx
It can be represented as "TestSite/Lists/Announcements/AllItems.aspx" in the resource tree.
Create the following resources at the same level as "AllItems.aspx":
EditForm.aspx
DispForm.aspx
Click on any item in the list and notice that the URL appears as the following:
http://<Sharepoint_Server_Name>/web1/Lists/Announcements/DispForm.aspx?ID=2&Source=http%3A%2F%2Fsharepoint01%2FTestSite%2FLists%2FAnnouncements%2FAllItems%2Easpx
Notice the ID as a parameter in the URL. This ID is used as the name of the non-document item and is created as a
sub-resource of both EditForm.aspx and DispForm.aspx. This has to be done for all items within a non-document list.
Note: An easier way of finding the IDs of the individual items is to hover the mouse over the link of the item and
note the ID from the URL displayed on the status bar of the browser.
Pages
Pages in MOSS exist either in document libraries or in the web base. A page may be modeled by creating resources
by breaking up the URL.
Appendix B: OES LDAP Integration
OES LDAP (OPTIONAL)
After installation, the Oracle Entitlements Server identity store is associated with the WebLogic Server embedded
LDAP directory. While this embedded LDAP directory is fine for development purposes, a supported LDAP directory must
be used in production. The following procedure reconfigures the default identity store settings. More specific
information on configuring LDAP authentication providers can be found in Oracle Fusion Middleware Securing Oracle
WebLogic Server.
1. Launch the WebLogic Server console.
2. Click Security Realms.
3. Click the settings for myrealm.
4. Click the Providers tab.
5. Click the Authentication tab, as displayed in Figure 3-1.
   Figure 3-1: The Authentication Provider Tab
6. Click the New button to create a new provider.
7. Enter a name and select the type of LDAP-based directory, for example OracleInternetDirectoryAuthenticator.
8. Configure the provider-specific attributes of the LDAP-based directory. This might include the host name and
   port, credentials, group search base, user search base and the like.
9. Save the provider information.
10. Change the order of the providers so that the LDAP-based directory is first; DefaultAuthenticator and
    DefaultIdentityAsserter will follow.
11. Click the new provider name to configure it.
12. Click the Configuration tab.
13. Click the Common tab.
14. Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-2.
    Figure 3-2: SUFFICIENT Control Flag
15. Click the Provider Specific tab.
16. Enter the LDAP configuration information for your identity store and click Save.
17. Return to the Providers tab.
18. Click DefaultAuthenticator to change its configuration.
19. Set the Control Flag to SUFFICIENT and click Save, as displayed in Figure 3-3.
    Figure 3-3: DefaultAuthenticator Tab in WebLogic Server Console
20. Restart WebLogic Server.
Page 15 10152012
Appendix C Creating and protecting a sample MOSS website with the OES 11gr2
MOSS SM
This section provides a step by step demonstration of the creation of a sample MOSS website with pages web
parts and list items and subsequently demonstrates how the OES MOSS 11gr2 SM can be used to protect the
sample MOSS website Since this is a demonstration sample it uses Microsoft FBA for providing
authentication to the sample website It should be noted that this authentication can be easily swapped with any
other authentication mechanism without affecting the capabilities offered by the OES 11gr2 MOSS SM
Step1 Configure Form Based Authentication MOSS 2010 Define the custom OESMembershipProvider and OESRoleProvider in MOSS Central Admin Site In the
webconfig file of the Central Admin Site add the OESMembershipProvider and OESRoleProvider
intoltmembershipgt and ltroleManagergt under ltsystemwebgt section
ltsystemwebgt
hellip
ltmembership defaultProvider=OESMembershipProvidergt
ltprovidersgt
ltclear gt
ltadd name=OESMembershipProvider
type=OESSharepointProvidersOESMembershipProvider OESSharepoint Version=1000
Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager enabled=true defaultProvider=AspNetWindowsTokenRoleProvider
cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
Step2 Configure the OES custom providers in the Security Token Service webconfig file
In MOSS 2010 authentication is handled by Security Token Service so we need to configure the custom
providers in this service Modify the configuration of Security Token Service (CProgram FilesCommon
Page 16 10152012
FilesMicrosoft SharedWeb Server Extensions14WebServicesSecurity Tokenwebconfig) Add a
ltsystemwebgt section in ltconfigurationgt to configure the providers
ltsystemwebgt
ltmembership defaultProvider=OESMembershipProvidergt
ltprovidersgt
ltclear gt
ltadd name=OESMembershipProvider type=OESSharepointProvidersOESMembershipProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager defaultProvider=OESRoleProvider enabled=true cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
We can also add a debug configuration in to the SecurityTokenServiceBehavior ltbehaviorgt tag so when
there are errors in the Security Token Service the detailed error log can be found in event logltserviceDebug
includeExceptionDetailInFaults=truegt After this step do an IIS restart the OES custom providers will be
available
Step3 Create a MOSS Web Application to use Form Based Authentication
From MOSS 2010 Central Admin Site Click Manage web applications under Application Management
section click New in the top pane to new a web application In the Create New Web Application window
use the following settings to create a FBA web application
Authentication Select the Claims Based Authentication instead of the Classic Mode
Authentication
IIS Web Site Create a new IIS web site (Use default values for Name Port Host Header and Path)
Security Configuration Allow Anonymous Yes Use Security Sockets Layer (SSL) No
Claims Authentication Types Keep Enable Windows Authentication and Integrated Windows
Authentication selected Use NTLM instead of Negotiate Select Enable Forms Based
Authentication (FBA) type in OESMembershipProvider and OESRoleProvider as the
membership provider and role manager name
Sign In Page URL Use Default Sign In Page
Public URL Use the default settings
Application Pool Select Create new application pool Use default Application pool name Use
Predefined instead of Configurable as the security account
Database Name and Authentication Use default settings
Failover Server Search Server Service Application Connections amp Customer Experience
Improvement Program Use default settings
Page 17 10152012
Please see the following figure for sample configurations
Page 18 10152012
Click OK to create this web application
Still from Central Admin Site click ldquoManage web applicationsrdquo under ldquoApplication Managementrdquo select User
Policy from the ribbon Click Add Users select default zone and hit Next click the Address Book button type
mossadmin in Find and hit the Search icon this username can be resolved as a Forms Auth user add this
user and grant ldquoFull Controlrdquo under Permissions and hit Finish button
Step4 Configure the web application created in step3 to use FBA
Page 19 10152012
Modify the webconfig of this web application add the OESMembershipProvider and OESRoleProvider in the
ltmembershipgt and ltroleManagergt under ltsystemwebgt section DONOT delete the default providers thats
already there
ltsystemwebgt
hellip
ltmembership defaultProvider=igt
ltprovidersgt
ltclear gt
ltadd name=i
type=MicrosoftSharePointAdministrationClaimsSPClaimsAuthMembershipProvider
MicrosoftSharePoint Version=14000 Culture=neutral PublicKeyToken=71e9bce111e9429c gt
ltadd name=OESMembershipProvider type=OESSharepointProvidersOESMembershipProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager defaultProvider=c enabled=true cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=c type=MicrosoftSharePointAdministrationClaimsSPClaimsAuthRoleProvider
MicrosoftSharePoint Version=14000 Culture=neutral PublicKeyToken=71e9bce111e9429c gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
Please note when we modify webconfig files always back up the original file and use notepad
Do an IIS restart the FBA configuration will be activated Create Site Collections for this web application use
mossadmin as the Primary Site Collection Administrator
Step5 Login to the FBA site as site admin and grant users access to this site
Add Groups
Login to the site (eg httpalesw2k811589) as site admin (mossadmin) Click Site ActionsgtSite
Permissions In the following window click Create Group in the top ribbon type in group1 as group
name change the Allow requests to joinleave this group and Auto-accept request to Yes give Read
permission and take all the other default settings and hit Create group1 is created Please see the following
figure as example
Page 20 10152012
In group1 view click NewgtAdd Users In the following window click the Address Book icon type in
mossuser1 and click the search icon this user will be resolved as a Form Auth user add mossuser1 to
group1 Click SettingsgtGroup Settings change Group Owner to be ldquomossuser1rdquo and remove ldquomossadminrdquo
from group1
Follow the same process to create ldquogroup2rdquo with ldquomossuser2rdquo as group owner ldquogroup3rdquo with ldquomossuser3rdquo as
group owner also grant Read access to these two groups
Steps 6-9 below demonstrate Creating MOSS Sub Site Web Pages List Items and Custom Content pages
Page 21 10152012
Step 6 Create Sub Site
Still login as site admin (mossadmin) Select Site Actions gt New Site input title as OES Example and
URL Name as httpalesw2k811589example and take other default settings hit create to create the sub
site
Step 7 Create Document Libraries amp List Items
In the ldquoexamplerdquo Sub Site click Site Actions gt New Document Library In the following window use
OES Document as the name and take the other default settings hit Create The OES Document is created
under the Shared Document in the left panel
Click Documents under Library Tools on the top ribbon and then click New Folder type in test as the
name and click Save the test folder is created in OES Document Click into the test folder and Add
document In the Upload Document window browse to the dummy document doc1rtf put it under
test folder and hit OK doc1rtf is uploaded to test folder of OES Document Follow the same process to
upload or create doc2rtf doc3rtf doc4rtf to test folder
Page 22 10152012
Step 8 Create Non-Document Libraries amp List Items
Click Site Actions gt More Options when the new window appears click Announcements under
Communications In the following window to create announcement list type in OES Announcement as the
name and take the other default settings Hit Create the OES Announcement will be created and appear in
the left panel
Save the settings and click Add new announcement Give the Title as Announcement 2 (The existing
MOSS announcement will have ID ldquo1rdquo) and input any content in announcement body save the announcement
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement
Step 9 Create Web Pages
Regular Pages Select Site Actions gt New Page enter page1 as name and hit create Input any content
in the edit pane of this page saveampclose page1aspx is created under Site Pages
Page 23 10152012
Web Part Pages Select Site Actions gt More options in the following window click Web Part Page
under Pages and Sites Type in page2 as page name choose Full Page Vertical as Layout template
select Site Pages as save location and hit create to create page2 As the edit web part page window appears
click Add a Web Part add OES Document and OES Announcement into this web part page Click Stop
Editing in the top ribbon Go back to homepage and click Site Pages page2 is created under Site Pages
Custom Content Page Open Microsoft Sharepoint Designer 2010 click Open Site type in site name (eg
httpalesw2k811589example) Login the site as mossadmin Select Site Pages click Page gt Html
from the top ribbon a new untitled page is created under Site Pages change the name as page3aspx With
page3aspx selected click Edit File With gt Sharepoint Designer (Open As HTML) in the popup
window click ok and page3 will be edited in advanced mode in Code view
Add the following in the ltheadgt section of this page
lt Register Namespace=OESSharepointControls TagPrefix=OES Assembly=OESSharepoint
Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdcgt
Add the following in the ltbodygt section
Page 24 10152012
The following sensitive information is protected by OES
ltOESAuthorizationTagLib Resource=Resource1 runat=servergt
account owner Joe Doe
account type primary saving
account balance 1000000
ltOESAuthorizationTagLibgt
Click Site Pages to save and exit the edit window Exit Sharepoint Designer
Step 10 Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM
Step 11 Configure the MOSS Web Application to be protected by OES
Step 111 From APM define the following authorization policies
Grant role authenticatedUser ldquoviewrdquo and ldquoANYrdquo access to all the resources
Deny mossuser1 ldquoviewrdquo access to resource doc4rtf
Deny mossuser3 ldquoviewrdquo access to ldquoOES Announcementrdquo folder
Deny mossuser3 ldquoviewrdquo access to page1aspx
Deny mossuser3 ldquoviewrdquo access to protected page content ldquoResource1rdquo on page3aspx
Deny mossuser4 ldquoviewrdquo access to sub site ldquoOES Examplerdquo
Step 112 Run the example
Navigate to httpltcomputer_namegtltportgtexample FBA is prompted
mossuser1 login as ldquomossuser1rdquo
Document List Items click ldquoOES Documentrdquo and ldquotestrdquo folder ldquodoc1rdquo ldquodoc2rdquo and ldquodoc3rdquo will appear but not
ldquodoc4rdquo since mossuser1 is denied access to it
Non-Document List Items click ldquoOES Announcementrdquo all items are accessible
Regular Web Page mossuser1 can access the page1aspx
Web Parts click web part page ldquopage2aspxrdquo open ldquotestrdquo folder under ldquoOES Documentrdquo only ldquodoc1rdquo
ldquodoc2rdquo ldquodoc3rdquo but not ldquodoc4rdquo appear All items under ldquoOES Announcementrdquo are accessible
Custom content page navigate to ldquopage3aspxrdquo mossuser1 is able to see the protected sensitive content
Similarly login as the other users (mossuser2 mossuser3 etc) and validate their individual access as defined by
policy in step 111
Page 14 10152012
Appendix B OES LDAP Integration
OES LDAP (OPTIONAL)
After installation the Oracle Entitlements Server identity store is associated with the WebLogic Server
embedded LDAP directory While this embedded LDAP directory is fine for development purposes a
supported LDAP directory must be used in production The following procedure reconfigures the default
identity store settings More specific information on configuring LDAP authentication providers can be found
in the Oracle Fusion Middleware Securing Oracle WebLogic Server
Launch the WebLogic Server console
Click Security Realms
Click the settings for myrealm
Click the Provider tab
Click the Authentication tab as displayed in Figure 3-1
Figure 3-1 The Authentication Provider Tab
Description of Figure 3-1 The Authentication Provider Tab Click the New button to create a new
provider
Enter a name and select the type of LDAP-based directory
For example OracleInternetDirectoryAuthenticator
Configure the provider-specific attributes of the LDAP-based directory
This might include the host name and port credentials group search base user search base and the like
Save the provider information
Change the order of the providers so that the LDAP-based directory is first
DefaultAuthenticator and DefaultIdentityAsserter will follow
Click the new provider name to configure it
Click the Configuration tab
Click the Common tab
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 3-2
Figure 3-2 SUFFICIENT Control Flag
Description of Figure 3-2 SUFFICIENT Control Flag Click the Provider Specific tab
Enter the LDAP configuration information for your identity store and click Save
Return to the Providers tab
Click DefaultAuthenticator to change its configuration
Set the Control Flag to SUFFICIENT and click Save as displayed in Figure 3-3
Figure 3-3 DefaultAuthentciator Tab in WebLogic Server Console
Description of Figure 3-3 DefaultAuthentciator Tab in WebLogic Server Console Restart WebLogic
Server
Page 15 10152012
Appendix C Creating and protecting a sample MOSS website with the OES 11gr2
MOSS SM
This section provides a step by step demonstration of the creation of a sample MOSS website with pages web
parts and list items and subsequently demonstrates how the OES MOSS 11gr2 SM can be used to protect the
sample MOSS website Since this is a demonstration sample it uses Microsoft FBA for providing
authentication to the sample website It should be noted that this authentication can be easily swapped with any
other authentication mechanism without affecting the capabilities offered by the OES 11gr2 MOSS SM
Step1 Configure Form Based Authentication MOSS 2010 Define the custom OESMembershipProvider and OESRoleProvider in MOSS Central Admin Site In the
webconfig file of the Central Admin Site add the OESMembershipProvider and OESRoleProvider
intoltmembershipgt and ltroleManagergt under ltsystemwebgt section
ltsystemwebgt
hellip
ltmembership defaultProvider=OESMembershipProvidergt
ltprovidersgt
ltclear gt
ltadd name=OESMembershipProvider
type=OESSharepointProvidersOESMembershipProvider OESSharepoint Version=1000
Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager enabled=true defaultProvider=AspNetWindowsTokenRoleProvider
cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
Step2 Configure the OES custom providers in the Security Token Service webconfig file
In MOSS 2010 authentication is handled by Security Token Service so we need to configure the custom
providers in this service Modify the configuration of Security Token Service (CProgram FilesCommon
Page 16 10152012
FilesMicrosoft SharedWeb Server Extensions14WebServicesSecurity Tokenwebconfig) Add a
ltsystemwebgt section in ltconfigurationgt to configure the providers
ltsystemwebgt
ltmembership defaultProvider=OESMembershipProvidergt
ltprovidersgt
ltclear gt
ltadd name=OESMembershipProvider type=OESSharepointProvidersOESMembershipProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager defaultProvider=OESRoleProvider enabled=true cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
We can also add a debug configuration in to the SecurityTokenServiceBehavior ltbehaviorgt tag so when
there are errors in the Security Token Service the detailed error log can be found in event logltserviceDebug
includeExceptionDetailInFaults=truegt After this step do an IIS restart the OES custom providers will be
available
Step3 Create a MOSS Web Application to use Form Based Authentication
From MOSS 2010 Central Admin Site Click Manage web applications under Application Management
section click New in the top pane to new a web application In the Create New Web Application window
use the following settings to create a FBA web application
Authentication Select the Claims Based Authentication instead of the Classic Mode
Authentication
IIS Web Site Create a new IIS web site (Use default values for Name Port Host Header and Path)
Security Configuration Allow Anonymous Yes Use Security Sockets Layer (SSL) No
Claims Authentication Types Keep Enable Windows Authentication and Integrated Windows
Authentication selected Use NTLM instead of Negotiate Select Enable Forms Based
Authentication (FBA) type in OESMembershipProvider and OESRoleProvider as the
membership provider and role manager name
Sign In Page URL Use Default Sign In Page
Public URL Use the default settings
Application Pool Select Create new application pool Use default Application pool name Use
Predefined instead of Configurable as the security account
Database Name and Authentication Use default settings
Failover Server Search Server Service Application Connections amp Customer Experience
Improvement Program Use default settings
Page 17 10152012
Please see the following figure for sample configurations
Page 18 10152012
Click OK to create this web application
Still from Central Admin Site click ldquoManage web applicationsrdquo under ldquoApplication Managementrdquo select User
Policy from the ribbon Click Add Users select default zone and hit Next click the Address Book button type
mossadmin in Find and hit the Search icon this username can be resolved as a Forms Auth user add this
user and grant ldquoFull Controlrdquo under Permissions and hit Finish button
Step4 Configure the web application created in step3 to use FBA
Page 19 10152012
Modify the webconfig of this web application add the OESMembershipProvider and OESRoleProvider in the
ltmembershipgt and ltroleManagergt under ltsystemwebgt section DONOT delete the default providers thats
already there
ltsystemwebgt
hellip
ltmembership defaultProvider=igt
ltprovidersgt
ltclear gt
ltadd name=i
type=MicrosoftSharePointAdministrationClaimsSPClaimsAuthMembershipProvider
MicrosoftSharePoint Version=14000 Culture=neutral PublicKeyToken=71e9bce111e9429c gt
ltadd name=OESMembershipProvider type=OESSharepointProvidersOESMembershipProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager defaultProvider=c enabled=true cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=c type=MicrosoftSharePointAdministrationClaimsSPClaimsAuthRoleProvider
MicrosoftSharePoint Version=14000 Culture=neutral PublicKeyToken=71e9bce111e9429c gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
Please note when we modify webconfig files always back up the original file and use notepad
Do an IIS restart the FBA configuration will be activated Create Site Collections for this web application use
mossadmin as the Primary Site Collection Administrator
Step5 Login to the FBA site as site admin and grant users access to this site
Add Groups
Login to the site (eg httpalesw2k811589) as site admin (mossadmin) Click Site ActionsgtSite
Permissions In the following window click Create Group in the top ribbon type in group1 as group
name change the Allow requests to joinleave this group and Auto-accept request to Yes give Read
permission and take all the other default settings and hit Create group1 is created Please see the following
figure as example
Page 20 10152012
In group1 view click NewgtAdd Users In the following window click the Address Book icon type in
mossuser1 and click the search icon this user will be resolved as a Form Auth user add mossuser1 to
group1 Click SettingsgtGroup Settings change Group Owner to be ldquomossuser1rdquo and remove ldquomossadminrdquo
from group1
Follow the same process to create ldquogroup2rdquo with ldquomossuser2rdquo as group owner ldquogroup3rdquo with ldquomossuser3rdquo as
group owner also grant Read access to these two groups
Steps 6-9 below demonstrate Creating MOSS Sub Site Web Pages List Items and Custom Content pages
Page 21 10152012
Step 6 Create Sub Site
Still login as site admin (mossadmin) Select Site Actions gt New Site input title as OES Example and
URL Name as httpalesw2k811589example and take other default settings hit create to create the sub
site
Step 7 Create Document Libraries amp List Items
In the ldquoexamplerdquo Sub Site click Site Actions gt New Document Library In the following window use
OES Document as the name and take the other default settings hit Create The OES Document is created
under the Shared Document in the left panel
Click Documents under Library Tools on the top ribbon and then click New Folder type in test as the
name and click Save the test folder is created in OES Document Click into the test folder and Add
document In the Upload Document window browse to the dummy document doc1rtf put it under
test folder and hit OK doc1rtf is uploaded to test folder of OES Document Follow the same process to
upload or create doc2rtf doc3rtf doc4rtf to test folder
Page 22 10152012
Step 8 Create Non-Document Libraries amp List Items
Click Site Actions gt More Options when the new window appears click Announcements under
Communications In the following window to create announcement list type in OES Announcement as the
name and take the other default settings Hit Create the OES Announcement will be created and appear in
the left panel
Save the settings and click Add new announcement Give the Title as Announcement 2 (The existing
MOSS announcement will have ID ldquo1rdquo) and input any content in announcement body save the announcement
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement
Step 9 Create Web Pages
Regular Pages Select Site Actions gt New Page enter page1 as name and hit create Input any content
in the edit pane of this page saveampclose page1aspx is created under Site Pages
Page 23 10152012
Web Part Pages: Select Site Actions > More Options. In the following window, click Web Part Page under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template, select Site Pages as the save location and hit Create to create page2. When the edit web part page window appears, click Add a Web Part and add OES Document and OES Announcement to this web part page. Click Stop Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: Open Microsoft SharePoint Designer 2010, click Open Site and type in the site name (e.g. http://alesw2k8:11589/example). Log in to the site as mossadmin. Select Site Pages and click Page > HTML from the top ribbon; a new untitled page is created under Site Pages. Change its name to page3.aspx. With page3.aspx selected, click Edit File With > SharePoint Designer (Open As HTML); in the popup window click OK, and page3 is opened for editing in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OES.Sharepoint.Controls" TagPrefix="OES" Assembly="OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
account owner: Joe Doe
account type: primary saving
account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10: Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11: Configure the MOSS Web Application to be protected by OES
Step 11.1: From APM, define the following authorization policies:
Grant role authenticatedUser "view" and "ANY" access to all the resources.
Deny mossuser1 "view" access to resource doc4.rtf.
Deny mossuser3 "view" access to the "OES Announcement" folder.
Deny mossuser3 "view" access to page1.aspx.
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2: Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login is prompted.
mossuser1: log in as "mossuser1".
Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" will appear but not "doc4", since mossuser1 is denied access to it.
Non-Document List Items: click "OES Announcement"; all items are accessible.
Regular Web Page: mossuser1 can access page1.aspx.
Web Parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1", "doc2" and "doc3" appear, not "doc4". All items under "OES Announcement" are accessible.
Custom Content Page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, log in as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by the policy in Step 11.1.
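To know what Step 11.2 should show for every user before clicking through the site, the following added Python model (not part of this document and not the OES policy engine) evaluates the seven Step 11.1 rules with deny-overrides semantics over a constructed resource tree for the sub site and produces the expected access matrix for all four users. The path layout, the item names and the assumption that a deny on a folder or sub site applies to everything beneath it are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed resource tree for the "OES Example" sub site built in Steps 6-9
# (assumed path layout; a parent path covers everything beneath it).
RESOURCES = [
    "/example",
    "/example/OES Document",
    "/example/OES Document/test",
    "/example/OES Document/test/doc1.rtf",
    "/example/OES Document/test/doc2.rtf",
    "/example/OES Document/test/doc3.rtf",
    "/example/OES Document/test/doc4.rtf",
    "/example/OES Announcement",
    "/example/OES Announcement/1",  # announcement list items by ID
    "/example/OES Announcement/2",
    "/example/OES Announcement/3",
    "/example/OES Announcement/4",
    "/example/SitePages/page1.aspx",
    "/example/SitePages/page2.aspx",
    "/example/SitePages/page3.aspx",
    "/example/SitePages/page3.aspx/Resource1",  # content inside the OES tag
]


@dataclass(frozen=True)
class Rule:
    effect: str     # "grant" or "deny"
    principal: str  # a user name, or "role:<name>" for a role
    action: str     # "view", or "ANY" for every action
    resource: str   # a resource path, or "*" for every resource


# The seven policies of Step 11.1, in the order the document lists them.
POLICY = [
    Rule("grant", "role:authenticatedUser", "view", "*"),
    Rule("grant", "role:authenticatedUser", "ANY", "*"),
    Rule("deny", "mossuser1", "view", "/example/OES Document/test/doc4.rtf"),
    Rule("deny", "mossuser3", "view", "/example/OES Announcement"),
    Rule("deny", "mossuser3", "view", "/example/SitePages/page1.aspx"),
    Rule("deny", "mossuser3", "view", "/example/SitePages/page3.aspx/Resource1"),
    Rule("deny", "mossuser4", "view", "/example"),
]


def _covers(rule_resource, resource):
    """A rule on a folder or sub site applies to every resource beneath it (assumed)."""
    if rule_resource == "*":
        return True
    return resource == rule_resource or resource.startswith(rule_resource + "/")


def _applies_to(rule, user, roles):
    if rule.principal.startswith("role:"):
        return rule.principal[len("role:"):] in roles
    return rule.principal == user


def is_permitted(user, action, resource, roles=("authenticatedUser",), policy=POLICY):
    """Deny-overrides evaluation: any applicable deny wins, otherwise a grant is required.

    A caller with no roles (for example a request made before the FBA login)
    matches no grant and is therefore refused.
    """
    applicable = [
        r for r in policy
        if _applies_to(r, user, roles)
        and r.action in (action, "ANY")
        and _covers(r.resource, resource)
    ]
    if any(r.effect == "deny" for r in applicable):
        return False
    return any(r.effect == "grant" for r in applicable)


def visible_items(user, folder, roles=("authenticatedUser",)):
    """Names of a folder's direct children the user may view, as a list view shows them."""
    children = [r for r in RESOURCES if r.rsplit("/", 1)[0] == folder]
    return [c.rsplit("/", 1)[1] for c in children if is_permitted(user, "view", c, roles)]


def access_matrix(users=("mossuser1", "mossuser2", "mossuser3", "mossuser4")):
    """Expected Step 11.2 outcome for every user and resource, to compare with the UI."""
    return {u: {r: is_permitted(u, "view", r) for r in RESOURCES} for u in users}


if __name__ == "__main__":
    for user, outcome in access_matrix().items():
        denied = sorted(r for r, ok in outcome.items() if not ok)
        print(f"{user}: denied view on {denied or 'nothing'}")
```

Run it once before walking through Step 11.2; any difference between what the site shows a user and what the matrix predicts points at a policy that was entered differently from Step 11.1.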
Page 18 10152012
Click OK to create this web application.
Still from the Central Admin site, click "Manage web applications" under "Application Management" and select User Policy from the ribbon. Click Add Users, select the default zone and hit Next. Click the Address Book button, type mossadmin in Find and hit the Search icon; this user name is resolved as a Forms Auth user. Add this user, grant "Full Control" under Permissions and hit the Finish button.
Step 4 Configure the web application created in Step 3 to use FBA
Modify the web.config of this web application: add the OESMembershipProvider and OESRoleProvider in the <membership> and <roleManager> elements under the <system.web> section. DO NOT delete the default providers that are already there.
<system.web>
  …
  <membership defaultProvider="i">
    <providers>
      <clear />
      <add name="i"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESMembershipProvider"
           type="OES.Sharepoint.Providers.OESMembershipProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
    <providers>
      <clear />
      <add name="c"
           type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="OESRoleProvider"
           type="OES.Sharepoint.Providers.OESRoleProvider, OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" />
    </providers>
  </roleManager>
</system.web>
Please note: whenever you modify web.config files, back up the original file first and edit it with Notepad. The "i" and "c" entries are SharePoint's own claims providers and must remain the defaultProvider of their sections; removing them, or pointing defaultProvider at the OES providers, breaks claims authentication for the whole web application.
Do an IIS restart (iisreset) and the FBA configuration will be activated. Create a Site Collection for this web application, using mossadmin as the Primary Site Collection Administrator.
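The web.config edit above is easy to get wrong by hand (a deleted <clear />, a dropped "i" entry, or defaultProvider pointed at the OES provider). The following is an added example for this guide, not part of Oracle's MOSS SM tooling or of SharePoint: it appends the two OES provider entries to a web.config without touching the existing providers, and then checks that the SharePoint claims providers are still the defaults and that the OES providers are registered from the expected strongly-named assembly. The provider type strings are the ones listed in Step 4 above; the sample web.config embedded in the block is constructed for the example and is not copied from a farm.

```python
"""Add the OES providers to a SharePoint 2010 web.config and verify the edit.

Added example for this guide (not Oracle or Microsoft code). It assumes the
provider type strings shown in Step 4; SAMPLE_WEB_CONFIG is a constructed
fragment of a claims-mode web application's web.config before the edit.
"""
import xml.etree.ElementTree as ET

SP_TOKEN = "71e9bce111e9429c"   # Microsoft.SharePoint strong-name token
OES_TOKEN = "68b08a2fa869dfdc"  # OES.Sharepoint strong-name token (Step 4)
OES_ASM = "OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=" + OES_TOKEN

# provider name -> (section under <system.web>, fully qualified type string)
OES_PROVIDERS = {
    "OESMembershipProvider": ("membership", "OES.Sharepoint.Providers.OESMembershipProvider, " + OES_ASM),
    "OESRoleProvider": ("roleManager", "OES.Sharepoint.Providers.OESRoleProvider, " + OES_ASM),
}

# Constructed sample: the state SharePoint leaves web.config in before Step 4.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="i">
      <providers>
        <clear />
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </membership>
    <roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
      <providers>
        <clear />
        <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      </providers>
    </roleManager>
  </system.web>
</configuration>
"""


def add_oes_providers(web_config_xml: str) -> str:
    """Return web.config text with the OES providers appended after the existing
    <add> entries. Nothing is removed and defaultProvider is left alone, which is
    the rule Step 4 states. Running it twice does not duplicate entries."""
    root = ET.fromstring(web_config_xml)
    for name, (section, type_attr) in OES_PROVIDERS.items():
        providers = root.find(f"./system.web/{section}/providers")
        if providers is None:
            raise ValueError(f"<{section}><providers> not found under <system.web>")
        if any(a.get("name") == name for a in providers.findall("add")):
            continue  # already registered
        ET.SubElement(providers, "add", {"name": name, "type": type_attr})
    return ET.tostring(root, encoding="unicode")


def check_fba_providers(web_config_xml: str) -> list:
    """Return a list of findings (empty means OK): the SharePoint claims providers
    'i' and 'c' must still be the defaults, and both OES providers must be
    registered with exactly the expected type and PublicKeyToken."""
    root = ET.fromstring(web_config_xml)
    findings = []
    expected_default = {"membership": ("i", "SPClaimsAuthMembershipProvider"),
                        "roleManager": ("c", "SPClaimsAuthRoleProvider")}
    for section, (default_name, sp_type) in expected_default.items():
        node = root.find(f"./system.web/{section}")
        if node is None:
            findings.append(f"{section}: element missing")
            continue
        adds = {a.get("name"): a.get("type", "") for a in node.findall("./providers/add")}
        if node.get("defaultProvider") != default_name:
            findings.append(f"{section}: defaultProvider must stay '{default_name}' (claims auth)")
        sp_entry = adds.get(default_name, "")
        if sp_type not in sp_entry or SP_TOKEN not in sp_entry:
            findings.append(f"{section}: SharePoint provider '{default_name}' missing or wrong type")
        for name, (sec, type_attr) in OES_PROVIDERS.items():
            if sec != section:
                continue
            if name not in adds:
                findings.append(f"{section}: {name} not registered")
            elif adds[name] != type_attr:
                findings.append(f"{section}: {name} has unexpected type or PublicKeyToken")
    return findings


if __name__ == "__main__":
    patched = add_oes_providers(SAMPLE_WEB_CONFIG)
    print("before:", check_fba_providers(SAMPLE_WEB_CONFIG))
    print("after: ", check_fba_providers(patched))
```

Run the check against the real file (the path is under the IIS virtual directory of the web application) after editing and again after iisreset; a non-empty findings list means the login page will either fail or silently stop consulting OES for membership and roles.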
Step 5 Login to the FBA site as site admin and grant users access to this site
Add Groups
Login to the site (e.g. http://alesw2k8:11589) as site admin (mossadmin). Click Site Actions > Site Permissions. In the following window click Create Group in the top ribbon, type in group1 as the group name, change "Allow requests to join/leave this group" and "Auto-accept requests" to Yes, give Read permission, take all the other default settings and hit Create. group1 is created. Please see the following figure as an example.
In the group1 view click New > Add Users. In the following window click the Address Book icon, type in mossuser1 and click the search icon; this user is resolved as a Forms Auth user. Add mossuser1 to group1. Click Settings > Group Settings, change the Group Owner to "mossuser1" and remove "mossadmin" from group1.
Follow the same process to create "group2" with "mossuser2" as group owner and "group3" with "mossuser3" as group owner; also grant Read access to these two groups.
Steps 6-9 below demonstrate creating a MOSS Sub Site, Web Pages, List Items and Custom Content pages.
Step 6 Create Sub Site
Still logged in as site admin (mossadmin), select Site Actions > New Site, input the title as OES Example and the URL Name as http://alesw2k8:11589/example, take the other default settings and hit Create to create the sub site.
Step 7 Create Document Libraries & List Items
In the "example" Sub Site click Site Actions > New Document Library. In the following window use OES Document as the name, take the other default settings and hit Create. OES Document is created under Shared Documents in the left panel.
Click Documents under Library Tools on the top ribbon and then click New Folder, type in test as the name and click Save; the test folder is created in OES Document. Click into the test folder and choose Add document. In the Upload Document window browse to the dummy document doc1.rtf, put it under the test folder and hit OK; doc1.rtf is uploaded to the test folder of OES Document. Follow the same process to upload or create doc2.rtf, doc3.rtf and doc4.rtf in the test folder.
Step 8 Create Non-Document Libraries & List Items
Click Site Actions > More Options. When the new window appears click Announcements under Communications. In the following window, to create the announcement list, type in OES Announcement as the name and take the other default settings. Hit Create; OES Announcement is created and appears in the left panel.
Save the settings and click Add new announcement. Give the Title as Announcement 2 (the existing MOSS announcement has ID "1"), input any content in the announcement body and save the announcement. Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement.
Step 9 Create Web Pages
Regular Pages: Select Site Actions > New Page, enter page1 as the name and hit Create. Input any content in the edit pane of this page, then Save & Close. page1.aspx is created under Site Pages.
Web Part Pages: Select Site Actions > More Options; in the following window click Web Part Page under Pages and Sites. Type in page2 as the page name, choose Full Page, Vertical as the layout template, select Site Pages as the save location and hit Create to create page2. When the edit web part page window appears, click Add a Web Part and add OES Document and OES Announcement to this web part page. Click Stop Editing in the top ribbon. Go back to the homepage and click Site Pages; page2 is created under Site Pages.
Custom Content Page: Open Microsoft SharePoint Designer 2010, click Open Site, type in the site name (e.g. http://alesw2k8:11589/example) and log in to the site as mossadmin. Select Site Pages and click Page > HTML from the top ribbon; a new untitled page is created under Site Pages. Change its name to page3.aspx. With page3.aspx selected click Edit File With > SharePoint Designer (Open As HTML); in the popup window click OK and page3 is opened for editing in advanced mode in Code view.
Add the following in the <head> section of this page:
<%@ Register Namespace="OES.Sharepoint.Controls" TagPrefix="OES"
    Assembly="OES.Sharepoint, Version=1.0.0.0, Culture=neutral, PublicKeyToken=68b08a2fa869dfdc" %>
Add the following in the <body> section:
The following sensitive information is protected by OES:
<OES:AuthorizationTagLib Resource="Resource1" runat="server">
  account owner: Joe Doe
  account type: primary saving
  account balance: 1000000
</OES:AuthorizationTagLib>
Click Site Pages to save and exit the edit window. Exit SharePoint Designer.
Step 10 Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11 Define OES authorization policies and run the example
Step 11.1 From APM define the following authorization policies:
Grant role authenticatedUser "view" and "ANY" access to all the resources.
Deny mossuser1 "view" access to resource doc4.rtf.
Deny mossuser3 "view" access to the "OES Announcement" folder.
Deny mossuser3 "view" access to page1.aspx.
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2 Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login page is shown.
mossuser1: login as "mossuser1".
Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" appear but not "doc4", since mossuser1 is denied access to it.
Non-Document List Items: click "OES Announcement"; all items are accessible.
Regular Web Page: mossuser1 can access page1.aspx.
Web Parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1", "doc2" and "doc3" appear, not "doc4". All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, login as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by the policy in Step 11.1.
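Before checking each user in the browser it helps to know exactly what the Step 11.1 policy set should produce. The block below is an added example for this guide, not OES code and not the output of the resource discovery agent: it models the sub site created in Steps 6-9 as a small resource tree, encodes the six policies, and evaluates them the way OES does by default (an explicit DENY overrides a GRANT, and a policy on a container applies to everything below it; both are assumptions of the model, as are the path-style resource names). The results reproduce the Step 11.2 expectations for mossuser1 and extend them to mossuser2, mossuser3 and mossuser4, so the same table can be used to verify the live site.

```python
"""Model the Step 11.1 policy set and derive the Step 11.2 expectations.

Added example for this guide, not Oracle code. Assumptions: deny-overrides
combining, container policies inherited by descendants, and constructed
path-style resource names that mirror what Steps 6-9 created.
"""
from dataclasses import dataclass

# Constructed resource tree: parent path -> children, rooted at the sub site.
RESOURCES = {
    "OES Example": ["OES Document", "OES Announcement", "page1.aspx", "page2.aspx", "page3.aspx"],
    "OES Example/OES Document": ["test"],
    "OES Example/OES Document/test": ["doc1.rtf", "doc2.rtf", "doc3.rtf", "doc4.rtf"],
    "OES Example/OES Announcement": ["1", "2", "3", "4"],
    "OES Example/page3.aspx": ["Resource1"],   # the AuthorizationTagLib content
}


@dataclass(frozen=True)
class Policy:
    effect: str         # "GRANT" or "DENY"
    principal: str      # a user name, or "role:authenticatedUser"
    actions: frozenset  # action names; "ANY" matches every action
    resource: str       # path; applies to this node and all descendants


# The six policies from Step 11.1, in the order the guide lists them.
POLICIES = [
    Policy("GRANT", "role:authenticatedUser", frozenset({"view", "ANY"}), "OES Example"),
    Policy("DENY", "mossuser1", frozenset({"view"}), "OES Example/OES Document/test/doc4.rtf"),
    Policy("DENY", "mossuser3", frozenset({"view"}), "OES Example/OES Announcement"),
    Policy("DENY", "mossuser3", frozenset({"view"}), "OES Example/page1.aspx"),
    Policy("DENY", "mossuser3", frozenset({"view"}), "OES Example/page3.aspx/Resource1"),
    Policy("DENY", "mossuser4", frozenset({"view"}), "OES Example"),
]


def _covers(policy_resource: str, resource: str) -> bool:
    """A policy resource covers itself and everything beneath it."""
    return resource == policy_resource or resource.startswith(policy_resource + "/")


def is_authorized(user: str, action: str, resource: str,
                  policies=POLICIES, authenticated: bool = True) -> bool:
    """Deny-overrides evaluation with default deny: the first applicable DENY
    wins; otherwise the result is True only if some GRANT applied."""
    principals = {user} | ({"role:authenticatedUser"} if authenticated else set())
    granted = False
    for p in policies:
        if p.principal not in principals or not _covers(p.resource, resource):
            continue
        if action not in p.actions and "ANY" not in p.actions:
            continue
        if p.effect == "DENY":
            return False
        granted = True
    return granted


def visible_children(user: str, parent: str) -> list:
    """What a list or library view shows the user: children they may 'view'."""
    return [c for c in RESOURCES.get(parent, [])
            if is_authorized(user, "view", f"{parent}/{c}")]


if __name__ == "__main__":
    for u in ("mossuser1", "mossuser2", "mossuser3", "mossuser4"):
        print(u, "test folder:", visible_children(u, "OES Example/OES Document/test"),
              "| page1:", is_authorized(u, "view", "OES Example/page1.aspx"),
              "| Resource1:", is_authorized(u, "view", "OES Example/page3.aspx/Resource1"))
```

One thing the model makes visible that the browser walk-through does not: every DENY in Step 11.1 is limited to the "view" action, while the GRANT covers "ANY", so under deny-overrides mossuser1 is still permitted other actions (for example "edit") on doc4.rtf. If the intent is to block a user from a resource entirely, the DENY policy should cover "ANY" as well.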
Page 19 10152012
Modify the webconfig of this web application add the OESMembershipProvider and OESRoleProvider in the
ltmembershipgt and ltroleManagergt under ltsystemwebgt section DONOT delete the default providers thats
already there
ltsystemwebgt
hellip
ltmembership defaultProvider=igt
ltprovidersgt
ltclear gt
ltadd name=i
type=MicrosoftSharePointAdministrationClaimsSPClaimsAuthMembershipProvider
MicrosoftSharePoint Version=14000 Culture=neutral PublicKeyToken=71e9bce111e9429c gt
ltadd name=OESMembershipProvider type=OESSharepointProvidersOESMembershipProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltmembershipgt
ltroleManager defaultProvider=c enabled=true cacheRolesInCookie=falsegt
ltprovidersgt
ltclear gt
ltadd name=c type=MicrosoftSharePointAdministrationClaimsSPClaimsAuthRoleProvider
MicrosoftSharePoint Version=14000 Culture=neutral PublicKeyToken=71e9bce111e9429c gt
ltadd name=OESRoleProvider type=OESSharepointProvidersOESRoleProvider
OESSharepoint Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdc gt
ltprovidersgt
ltroleManagergt
ltsystemwebgt
Please note when we modify webconfig files always back up the original file and use notepad
Do an IIS restart the FBA configuration will be activated Create Site Collections for this web application use
mossadmin as the Primary Site Collection Administrator
Step5 Login to the FBA site as site admin and grant users access to this site
Add Groups
Login to the site (eg httpalesw2k811589) as site admin (mossadmin) Click Site ActionsgtSite
Permissions In the following window click Create Group in the top ribbon type in group1 as group
name change the Allow requests to joinleave this group and Auto-accept request to Yes give Read
permission and take all the other default settings and hit Create group1 is created Please see the following
figure as example
Page 20 10152012
In group1 view click NewgtAdd Users In the following window click the Address Book icon type in
mossuser1 and click the search icon this user will be resolved as a Form Auth user add mossuser1 to
group1 Click SettingsgtGroup Settings change Group Owner to be ldquomossuser1rdquo and remove ldquomossadminrdquo
from group1
Follow the same process to create ldquogroup2rdquo with ldquomossuser2rdquo as group owner ldquogroup3rdquo with ldquomossuser3rdquo as
group owner also grant Read access to these two groups
Steps 6-9 below demonstrate Creating MOSS Sub Site Web Pages List Items and Custom Content pages
Page 21 10152012
Step 6 Create Sub Site
Still login as site admin (mossadmin) Select Site Actions gt New Site input title as OES Example and
URL Name as httpalesw2k811589example and take other default settings hit create to create the sub
site
Step 7 Create Document Libraries amp List Items
In the ldquoexamplerdquo Sub Site click Site Actions gt New Document Library In the following window use
OES Document as the name and take the other default settings hit Create The OES Document is created
under the Shared Document in the left panel
Click Documents under Library Tools on the top ribbon and then click New Folder type in test as the
name and click Save the test folder is created in OES Document Click into the test folder and Add
document In the Upload Document window browse to the dummy document doc1rtf put it under
test folder and hit OK doc1rtf is uploaded to test folder of OES Document Follow the same process to
upload or create doc2rtf doc3rtf doc4rtf to test folder
Page 22 10152012
Step 8 Create Non-Document Libraries amp List Items
Click Site Actions gt More Options when the new window appears click Announcements under
Communications In the following window to create announcement list type in OES Announcement as the
name and take the other default settings Hit Create the OES Announcement will be created and appear in
the left panel
Save the settings and click Add new announcement Give the Title as Announcement 2 (The existing
MOSS announcement will have ID ldquo1rdquo) and input any content in announcement body save the announcement
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement
Step 9 Create Web Pages
Regular Pages Select Site Actions gt New Page enter page1 as name and hit create Input any content
in the edit pane of this page saveampclose page1aspx is created under Site Pages
Page 23 10152012
Web Part Pages Select Site Actions gt More options in the following window click Web Part Page
under Pages and Sites Type in page2 as page name choose Full Page Vertical as Layout template
select Site Pages as save location and hit create to create page2 As the edit web part page window appears
click Add a Web Part add OES Document and OES Announcement into this web part page Click Stop
Editing in the top ribbon Go back to homepage and click Site Pages page2 is created under Site Pages
Custom Content Page Open Microsoft Sharepoint Designer 2010 click Open Site type in site name (eg
httpalesw2k811589example) Login the site as mossadmin Select Site Pages click Page gt Html
from the top ribbon a new untitled page is created under Site Pages change the name as page3aspx With
page3aspx selected click Edit File With gt Sharepoint Designer (Open As HTML) in the popup
window click ok and page3 will be edited in advanced mode in Code view
Add the following in the ltheadgt section of this page
lt Register Namespace=OESSharepointControls TagPrefix=OES Assembly=OESSharepoint
Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdcgt
Add the following in the ltbodygt section
Page 24 10152012
The following sensitive information is protected by OES
ltOESAuthorizationTagLib Resource=Resource1 runat=servergt
account owner Joe Doe
account type primary saving
account balance 1000000
ltOESAuthorizationTagLibgt
Click Site Pages to save and exit the edit window Exit Sharepoint Designer
Step 10 Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM
Step 11 Configure the MOSS Web Application to be protected by OES
Step 111 From APM define the following authorization policies
Grant role authenticatedUser ldquoviewrdquo and ldquoANYrdquo access to all the resources
Deny mossuser1 ldquoviewrdquo access to resource doc4rtf
Deny mossuser3 ldquoviewrdquo access to ldquoOES Announcementrdquo folder
Deny mossuser3 ldquoviewrdquo access to page1aspx
Deny mossuser3 ldquoviewrdquo access to protected page content ldquoResource1rdquo on page3aspx
Deny mossuser4 ldquoviewrdquo access to sub site ldquoOES Examplerdquo
Step 112 Run the example
Navigate to httpltcomputer_namegtltportgtexample FBA is prompted
mossuser1 login as ldquomossuser1rdquo
Document List Items click ldquoOES Documentrdquo and ldquotestrdquo folder ldquodoc1rdquo ldquodoc2rdquo and ldquodoc3rdquo will appear but not
ldquodoc4rdquo since mossuser1 is denied access to it
Non-Document List Items click ldquoOES Announcementrdquo all items are accessible
Regular Web Page mossuser1 can access the page1aspx
Web Parts click web part page ldquopage2aspxrdquo open ldquotestrdquo folder under ldquoOES Documentrdquo only ldquodoc1rdquo
ldquodoc2rdquo ldquodoc3rdquo but not ldquodoc4rdquo appear All items under ldquoOES Announcementrdquo are accessible
Custom content page navigate to ldquopage3aspxrdquo mossuser1 is able to see the protected sensitive content
Similarly login as the other users (mossuser2 mossuser3 etc) and validate their individual access as defined by
policy in step 111
Page 20 10152012
In group1 view click NewgtAdd Users In the following window click the Address Book icon type in
mossuser1 and click the search icon this user will be resolved as a Form Auth user add mossuser1 to
group1 Click SettingsgtGroup Settings change Group Owner to be ldquomossuser1rdquo and remove ldquomossadminrdquo
from group1
Follow the same process to create ldquogroup2rdquo with ldquomossuser2rdquo as group owner ldquogroup3rdquo with ldquomossuser3rdquo as
group owner also grant Read access to these two groups
Steps 6-9 below demonstrate Creating MOSS Sub Site Web Pages List Items and Custom Content pages
Page 21 10152012
Step 6 Create Sub Site
Still login as site admin (mossadmin) Select Site Actions gt New Site input title as OES Example and
URL Name as httpalesw2k811589example and take other default settings hit create to create the sub
site
Step 7 Create Document Libraries amp List Items
In the ldquoexamplerdquo Sub Site click Site Actions gt New Document Library In the following window use
OES Document as the name and take the other default settings hit Create The OES Document is created
under the Shared Document in the left panel
Click Documents under Library Tools on the top ribbon and then click New Folder type in test as the
name and click Save the test folder is created in OES Document Click into the test folder and Add
document In the Upload Document window browse to the dummy document doc1rtf put it under
test folder and hit OK doc1rtf is uploaded to test folder of OES Document Follow the same process to
upload or create doc2rtf doc3rtf doc4rtf to test folder
Page 22 10152012
Step 8 Create Non-Document Libraries amp List Items
Click Site Actions gt More Options when the new window appears click Announcements under
Communications In the following window to create announcement list type in OES Announcement as the
name and take the other default settings Hit Create the OES Announcement will be created and appear in
the left panel
Save the settings and click Add new announcement Give the Title as Announcement 2 (The existing
MOSS announcement will have ID ldquo1rdquo) and input any content in announcement body save the announcement
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement
Step 9 Create Web Pages
Regular Pages Select Site Actions gt New Page enter page1 as name and hit create Input any content
in the edit pane of this page saveampclose page1aspx is created under Site Pages
Page 23 10152012
Web Part Pages Select Site Actions gt More options in the following window click Web Part Page
under Pages and Sites Type in page2 as page name choose Full Page Vertical as Layout template
select Site Pages as save location and hit create to create page2 As the edit web part page window appears
click Add a Web Part add OES Document and OES Announcement into this web part page Click Stop
Editing in the top ribbon Go back to homepage and click Site Pages page2 is created under Site Pages
Custom Content Page Open Microsoft Sharepoint Designer 2010 click Open Site type in site name (eg
httpalesw2k811589example) Login the site as mossadmin Select Site Pages click Page gt Html
from the top ribbon a new untitled page is created under Site Pages change the name as page3aspx With
page3aspx selected click Edit File With gt Sharepoint Designer (Open As HTML) in the popup
window click ok and page3 will be edited in advanced mode in Code view
Add the following in the ltheadgt section of this page
lt Register Namespace=OESSharepointControls TagPrefix=OES Assembly=OESSharepoint
Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdcgt
Add the following in the ltbodygt section
Page 24 10152012
The following sensitive information is protected by OES
ltOESAuthorizationTagLib Resource=Resource1 runat=servergt
account owner Joe Doe
account type primary saving
account balance 1000000
ltOESAuthorizationTagLibgt
Click Site Pages to save and exit the edit window Exit Sharepoint Designer
Step 10 Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM
Step 11 Configure the MOSS Web Application to be protected by OES
Step 111 From APM define the following authorization policies
Grant role authenticatedUser ldquoviewrdquo and ldquoANYrdquo access to all the resources
Deny mossuser1 ldquoviewrdquo access to resource doc4rtf
Deny mossuser3 ldquoviewrdquo access to ldquoOES Announcementrdquo folder
Deny mossuser3 ldquoviewrdquo access to page1aspx
Deny mossuser3 ldquoviewrdquo access to protected page content ldquoResource1rdquo on page3aspx
Deny mossuser4 ldquoviewrdquo access to sub site ldquoOES Examplerdquo
Step 112 Run the example
Navigate to httpltcomputer_namegtltportgtexample FBA is prompted
mossuser1 login as ldquomossuser1rdquo
Document List Items click ldquoOES Documentrdquo and ldquotestrdquo folder ldquodoc1rdquo ldquodoc2rdquo and ldquodoc3rdquo will appear but not
ldquodoc4rdquo since mossuser1 is denied access to it
Non-Document List Items click ldquoOES Announcementrdquo all items are accessible
Regular Web Page mossuser1 can access the page1aspx
Web Parts click web part page ldquopage2aspxrdquo open ldquotestrdquo folder under ldquoOES Documentrdquo only ldquodoc1rdquo
ldquodoc2rdquo ldquodoc3rdquo but not ldquodoc4rdquo appear All items under ldquoOES Announcementrdquo are accessible
Custom content page navigate to ldquopage3aspxrdquo mossuser1 is able to see the protected sensitive content
Similarly login as the other users (mossuser2 mossuser3 etc) and validate their individual access as defined by
policy in step 111
Page 21 10152012
Step 6 Create Sub Site
Still login as site admin (mossadmin) Select Site Actions gt New Site input title as OES Example and
URL Name as httpalesw2k811589example and take other default settings hit create to create the sub
site
Step 7 Create Document Libraries amp List Items
In the ldquoexamplerdquo Sub Site click Site Actions gt New Document Library In the following window use
OES Document as the name and take the other default settings hit Create The OES Document is created
under the Shared Document in the left panel
Click Documents under Library Tools on the top ribbon and then click New Folder type in test as the
name and click Save the test folder is created in OES Document Click into the test folder and Add
document In the Upload Document window browse to the dummy document doc1rtf put it under
test folder and hit OK doc1rtf is uploaded to test folder of OES Document Follow the same process to
upload or create doc2rtf doc3rtf doc4rtf to test folder
Page 22 10152012
Step 8 Create Non-Document Libraries amp List Items
Click Site Actions gt More Options when the new window appears click Announcements under
Communications In the following window to create announcement list type in OES Announcement as the
name and take the other default settings Hit Create the OES Announcement will be created and appear in
the left panel
Save the settings and click Add new announcement Give the Title as Announcement 2 (The existing
MOSS announcement will have ID ldquo1rdquo) and input any content in announcement body save the announcement
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement
Step 9 Create Web Pages
Regular Pages Select Site Actions gt New Page enter page1 as name and hit create Input any content
in the edit pane of this page saveampclose page1aspx is created under Site Pages
Page 23 10152012
Web Part Pages Select Site Actions gt More options in the following window click Web Part Page
under Pages and Sites Type in page2 as page name choose Full Page Vertical as Layout template
select Site Pages as save location and hit create to create page2 As the edit web part page window appears
click Add a Web Part add OES Document and OES Announcement into this web part page Click Stop
Editing in the top ribbon Go back to homepage and click Site Pages page2 is created under Site Pages
Custom Content Page Open Microsoft Sharepoint Designer 2010 click Open Site type in site name (eg
httpalesw2k811589example) Login the site as mossadmin Select Site Pages click Page gt Html
from the top ribbon a new untitled page is created under Site Pages change the name as page3aspx With
page3aspx selected click Edit File With gt Sharepoint Designer (Open As HTML) in the popup
window click ok and page3 will be edited in advanced mode in Code view
Add the following in the ltheadgt section of this page
lt Register Namespace=OESSharepointControls TagPrefix=OES Assembly=OESSharepoint
Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdcgt
Add the following in the ltbodygt section
Page 24 10152012
The following sensitive information is protected by OES
ltOESAuthorizationTagLib Resource=Resource1 runat=servergt
account owner Joe Doe
account type primary saving
account balance 1000000
ltOESAuthorizationTagLibgt
Click Site Pages to save and exit the edit window Exit Sharepoint Designer
Step 10 Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM
Step 11 Configure the MOSS Web Application to be protected by OES
Step 111 From APM define the following authorization policies
Grant role authenticatedUser ldquoviewrdquo and ldquoANYrdquo access to all the resources
Deny mossuser1 ldquoviewrdquo access to resource doc4rtf
Deny mossuser3 ldquoviewrdquo access to ldquoOES Announcementrdquo folder
Deny mossuser3 ldquoviewrdquo access to page1aspx
Deny mossuser3 ldquoviewrdquo access to protected page content ldquoResource1rdquo on page3aspx
Deny mossuser4 ldquoviewrdquo access to sub site ldquoOES Examplerdquo
Step 112 Run the example
Navigate to httpltcomputer_namegtltportgtexample FBA is prompted
mossuser1 login as ldquomossuser1rdquo
Document List Items click ldquoOES Documentrdquo and ldquotestrdquo folder ldquodoc1rdquo ldquodoc2rdquo and ldquodoc3rdquo will appear but not
ldquodoc4rdquo since mossuser1 is denied access to it
Non-Document List Items click ldquoOES Announcementrdquo all items are accessible
Regular Web Page mossuser1 can access the page1aspx
Web Parts click web part page ldquopage2aspxrdquo open ldquotestrdquo folder under ldquoOES Documentrdquo only ldquodoc1rdquo
ldquodoc2rdquo ldquodoc3rdquo but not ldquodoc4rdquo appear All items under ldquoOES Announcementrdquo are accessible
Custom content page navigate to ldquopage3aspxrdquo mossuser1 is able to see the protected sensitive content
Similarly login as the other users (mossuser2 mossuser3 etc) and validate their individual access as defined by
policy in step 111
Page 22 10152012
Step 8 Create Non-Document Libraries amp List Items
Click Site Actions gt More Options when the new window appears click Announcements under
Communications In the following window to create announcement list type in OES Announcement as the
name and take the other default settings Hit Create the OES Announcement will be created and appear in
the left panel
Save the settings and click Add new announcement Give the Title as Announcement 2 (The existing
MOSS announcement will have ID ldquo1rdquo) and input any content in announcement body save the announcement
Follow the same process to create Announcement 3 and Announcement 4 in OES Announcement
Step 9 Create Web Pages
Regular Pages Select Site Actions gt New Page enter page1 as name and hit create Input any content
in the edit pane of this page saveampclose page1aspx is created under Site Pages
Page 23 10152012
Web Part Pages Select Site Actions gt More options in the following window click Web Part Page
under Pages and Sites Type in page2 as page name choose Full Page Vertical as Layout template
select Site Pages as save location and hit create to create page2 As the edit web part page window appears
click Add a Web Part add OES Document and OES Announcement into this web part page Click Stop
Editing in the top ribbon Go back to homepage and click Site Pages page2 is created under Site Pages
Custom Content Page Open Microsoft Sharepoint Designer 2010 click Open Site type in site name (eg
httpalesw2k811589example) Login the site as mossadmin Select Site Pages click Page gt Html
from the top ribbon a new untitled page is created under Site Pages change the name as page3aspx With
page3aspx selected click Edit File With gt Sharepoint Designer (Open As HTML) in the popup
window click ok and page3 will be edited in advanced mode in Code view
Add the following in the ltheadgt section of this page
lt Register Namespace=OESSharepointControls TagPrefix=OES Assembly=OESSharepoint
Version=1000 Culture=neutral PublicKeyToken=68b08a2fa869dfdcgt
Add the following in the ltbodygt section
Page 24 10152012
The following sensitive information is protected by OES
ltOESAuthorizationTagLib Resource=Resource1 runat=servergt
account owner Joe Doe
account type primary saving
account balance 1000000
ltOESAuthorizationTagLibgt
Click Site Pages to save and exit the edit window Exit Sharepoint Designer
Step 10 Configure the MOSS Web Application to be protected by OES
Follow Steps 1-4 in the main section of this document to configure the MOSS SM.
Step 11 Configure the MOSS Web Application to be protected by OES
Step 11.1 From APM, define the following authorization policies:
Grant role authenticatedUser "view" and "ANY" access to all the resources.
Deny mossuser1 "view" access to resource doc4.rtf.
Deny mossuser3 "view" access to the "OES Announcement" folder.
Deny mossuser3 "view" access to page1.aspx.
Deny mossuser3 "view" access to the protected page content "Resource1" on page3.aspx.
Deny mossuser4 "view" access to the sub site "OES Example".
Step 11.2 Run the example
Navigate to http://<computer_name>:<port>/example; the FBA login prompt appears.
mossuser1: log in as "mossuser1".
Document List Items: click "OES Document" and the "test" folder; "doc1", "doc2" and "doc3" will appear, but not "doc4", since mossuser1 is denied access to it.
Non-Document List Items: click "OES Announcement"; all items are accessible.
Regular Web Page: mossuser1 can access page1.aspx.
Web Parts: click the web part page "page2.aspx" and open the "test" folder under "OES Document"; only "doc1", "doc2" and "doc3" appear, not "doc4". All items under "OES Announcement" are accessible.
Custom content page: navigate to "page3.aspx"; mossuser1 is able to see the protected sensitive content.
Similarly, log in as the other users (mossuser2, mossuser3, etc.) and validate their individual access as defined by the policy in Step 11.1.
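The Step 11.1 policies and the Step 11.2 outcomes can be checked against a small model before touching the live site. This is an added example, not OES or MOSS SM code: the resource paths, the deny-overrides combining, the automatic authenticatedUser role for FBA-authenticated users and the treatment of "ANY" as a wildcard are modelling assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    effect: str          # "grant" or "deny"
    principal: str       # user name, or "role:<name>" for a role
    actions: frozenset   # e.g. {"view", "ANY"}
    resource: str        # path in the constructed resource tree; "/" = everything

# Constructed resource paths modelling the example site: the "example" web
# application with its lists, pages, tag-lib content and the "OES Example" sub site.
POLICIES = [
    Policy("grant", "role:authenticatedUser", frozenset({"view", "ANY"}), "/"),
    Policy("deny", "mossuser1", frozenset({"view"}), "/example/OES Document/test/doc4.rtf"),
    Policy("deny", "mossuser3", frozenset({"view"}), "/example/OES Announcement"),
    Policy("deny", "mossuser3", frozenset({"view"}), "/example/Site Pages/page1.aspx"),
    Policy("deny", "mossuser3", frozenset({"view"}), "/example/Site Pages/page3.aspx/Resource1"),
    Policy("deny", "mossuser4", frozenset({"view"}), "/example/OES Example"),
]

def covers(policy_resource: str, resource: str) -> bool:
    """A policy on a folder, page or sub site also covers everything beneath it."""
    if policy_resource == "/":
        return True
    return resource == policy_resource or resource.startswith(policy_resource + "/")

def applies(p: Policy, user: str, roles: tuple, action: str, resource: str) -> bool:
    """Principal, action and resource must all match; "ANY" is a wildcard here (assumption)."""
    if p.principal.startswith("role:"):
        principal_ok = p.principal[len("role:"):] in roles
    else:
        principal_ok = p.principal == user
    action_ok = action in p.actions or "ANY" in p.actions
    return principal_ok and action_ok and covers(p.resource, resource)

def is_permitted(user, action, resource, roles=("authenticatedUser",), policies=POLICIES):
    """Deny-overrides combining (modelling assumption): any matching deny wins,
    otherwise at least one matching grant is required. Every user who passed the
    FBA login is given the authenticatedUser role by default here."""
    matched = [p for p in policies if applies(p, user, roles, action, resource)]
    if any(p.effect == "deny" for p in matched):
        return False
    return any(p.effect == "grant" for p in matched)

def visible_docs(user: str) -> list:
    """Documents in the "test" folder of "OES Document" the user sees in Step 11.2."""
    docs = ["doc1", "doc2", "doc3", "doc4.rtf"]
    return [d for d in docs if is_permitted(user, "view", f"/example/OES Document/test/{d}")]
```

Run `visible_docs("mossuser1")` and the `is_permitted` checks for mossuser3 and mossuser4 to confirm the folder and sub site denies propagate to their contents while page3.aspx itself stays readable with only "Resource1" hidden.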