
Monday, September 19, 2011

Entitlement Server - Architecture/Components

Hi Friends,

Following the first post, "Entitlement Servers- OverView - In Brief", here we will walk through the architecture of Oracle Entitlement Server.

The following points are covered under this topic:

OES Administration Server, Security Service Module (SSM), Service Control Manager (SCM), Policy Distributor (PD), Policy Loader, and a little about the Policy Administration Point (PAP), Policy Decision Point (PDP), Policy Enforcement Point (PEP) and Policy Information Point (PIP).

OES Administration Server: The administration server is used for operations like creation, update and deletion of users, groups, roles and resources. To facilitate these operations, a UI called the ASI is provided. The administration console can also delegate administration functions to other users. The OES Administration Server acts as the PAP, the Policy Administration Point. It manages the storage of policy data in the Policy Database and the distribution of policies to the SSMs. We will talk about SSMs later in this post.

Following are the components of an Administration Server:

The Business Logic Manager (BLM): the standard API used to perform administration operations (creation, deletion and update of users, groups and roles) from code. The BLM also interacts with the Policy Database to control the persistence of policy data.

The Policy Distributor (PD): distributes the policy data to the SSMs, where the policies are enforced at runtime.

The Policy Loader: saves and retrieves the policy data from the database.

Security Service Module (SSM): the SSM acts as the Policy Decision Point (PDP). It resides in the container that hosts the application to be secured. An SSM can be distributed, living alongside each distributed application, or it can be deployed as a central entitlement server.

In the distributed case, the application invokes the SSM's security service through the Java APIs or through web service calls.

When the SSM is deployed as a central server, the application sends its authorization request to the centralized SSM through a web service call or through the XACML request/response protocol.

Service Control Manager (SCM): stores the SSM configuration data and channels that data to each SSM registered with it (you can think of it as an updater that pushes the new configurations and the changes made at the admin server out to all the SSMs).

Policy Information Point (PIP): the storage points from which policy data is saved and retrieved, for example an LDAP server or an external database server.

So friends, these were the various components of an entitlement server.

We will discuss the architecture/components and the flow of control in an OES server in the next post.

Please comment with your doubts, suggestions and feedback.

Team: Turning Technology

Thursday, September 15, 2011

Entitlement Servers- OverView - In Brief

Hello Friends,

For all you beginners with Oracle Entitlement Server, this post gives a brief and very basic overview of the topic, excluding the installation part. Reading it once should give you a concise and concrete idea of what an entitlement server does and how it achieves the goal of authorization.

This will help get you started. To keep this first discussion simple, we won't discuss topics like PAP, PDP, PEP, PIP, fine-grained authorization and ASI here.

As I said, this is the basic overview, so let's get started!

With the advent and progress of web technology, the demand for securing web resources has grown over time. This includes the basic processes of authentication and authorization for a web application.

While the authentication process authenticates a particular user and determines whether the user is who he claims to be, the need for authorization arises when you must determine which authenticated user is authorized to access which resource in an application.
Take a bank website's 'view account balance' link: users with different roles (customer, executive, manager, senior manager, etc.) and in different groups (accounts, loans) would have restricted access, so that only some of them are able to view or use the link.

This process of protecting a resource (the 'view account balance' link) and restricting a particular subject's (the authenticated user's) access to that resource is called the authorization process.

To achieve this, complex business logic implementing the company's policies, based on the roles and groups of subjects (users), is traditionally coded into the application itself. This makes the application bulky and leads to slow, painful response times.

So the idea is to separate this complex security logic from the application itself, in order to optimize the application's performance.

This task of entitlement (entitlement: which user is entitled to which resource in an application) is achieved through entitlement servers. An entitlement server intercepts an incoming request and authorizes it by mapping the user to her roles and to the groups she is assigned to, matching these against the organization's policy, and finally granting or denying access to the particular resource of the application (in our case the banking website).

The entitlement server is available as a plug-in for different platforms and for a range of application containers like WebLogic and Tomcat. It can be put as a wrapper around the application to be secured, intercepting incoming requests and allowing access to particular resources of the application.

For this authorization process, the entitlement server queries various external resources such as an LDAP server (where information about subjects/users is stored) and the Policy Database (where the organizational policies are stored). The results of these queries are stored in caches (separate ones for the different modules of the entitlement server, such as the Entitlement Administration Server and the Security Service Modules/SSMs). This benefits performance, as the Administration Server and the SSMs read the policy decisions they made earlier from the cache, reducing external reads. Thanks to this caching mechanism, the SSMs can also function independently of the external resources and of the Administration Server.

Another advantage of this approach is that whenever the organization's security policy or security configuration changes, the change is made in one central location rather than disturbing the whole application.

In simple words, think of it this way: the user sends data in a request, the application applies the business logic to the request data, processes it, and responds to the user with a permission decision.

This is the basic concept that we achieve through Entitlement Servers.
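To make the PAP/PDP/PEP/PIP split from the architecture post and the bank scenario above concrete, here is an added toy model (not OES code and not from the original posts). The names DecisionPoint, enforce, DIRECTORY and POLICIES are assumptions; the directory and policy store are constructed samples standing in for the LDAP server and the Policy Database, and the decision cache mirrors the SSM's caching of earlier decisions.

```python
from dataclasses import dataclass, field

# Constructed sample directory standing in for the LDAP server (the PIP):
# user -> roles and groups, using the roles/groups named in the post.
DIRECTORY = {
    "alice": {"roles": {"customer"}, "groups": {"accounts"}},
    "bob":   {"roles": {"manager"}, "groups": {"loans"}},
    "carol": {"roles": {"senior manager"}, "groups": {"accounts", "loans"}},
    "dave":  {"roles": {"customer"}, "groups": {"accounts", "loans"}},
}

# Constructed policy store standing in for the Policy Database.
# Each rule: (effect, resource, roles it applies to, groups it applies to).
POLICIES = [
    ("grant", "/account/balance", {"customer", "manager", "senior manager"}, {"accounts"}),
    ("deny",  "/account/balance", {"customer"}, {"loans"}),
    ("grant", "/loan/approve", {"manager", "senior manager"}, {"loans"}),
]


@dataclass
class DecisionPoint:
    """Toy PDP (the SSM's role): evaluates policies, consults the PIP, caches decisions."""
    cache: dict = field(default_factory=dict)
    pip_reads: int = 0  # counts external lookups, to show the cache's effect

    def lookup_subject(self, user):
        """PIP lookup: fetch the subject's roles and groups from the directory."""
        self.pip_reads += 1
        return DIRECTORY.get(user, {"roles": set(), "groups": set()})

    def decide(self, user, resource):
        """Return 'grant' or 'deny' for (user, resource), reusing cached decisions."""
        key = (user, resource)
        if key in self.cache:
            return self.cache[key]
        subj = self.lookup_subject(user)
        matching = [effect for effect, res, roles, groups in POLICIES
                    if res == resource and subj["roles"] & roles and subj["groups"] & groups]
        # Deny-overrides combining: any matching deny wins; no matching rule means no access.
        decision = "deny" if not matching or "deny" in matching else "grant"
        self.cache[key] = decision
        return decision


def enforce(pdp, user, resource):
    """Toy PEP: intercepts a request for a resource and returns True only on 'grant'."""
    return pdp.decide(user, resource) == "grant"
```

Note that an unknown user and a user matched by a deny rule both end up blocked, and a repeated request for the same (user, resource) pair is answered from the cache without another directory read.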

Replies, comments and queries are most welcome, and I will try to help you to the best of my knowledge.