Oracle Entitlements Server Policy Distribution Modes
"Ganesh Kamble" in "OES" on 2014-06-14
Oracle Entitlements Server uses different Policy Distribution Modes to distribute policies to the Policy Decision Points (PDP) running in Security Modules. Policy Management and Policy Distribution are two distinct operations in Oracle Entitlements Server. The Policy Administration Point (PAP) is responsible for creating and managing application policies. These policies are stored in the Policy Information Point (PIP), which can be an LDAP directory or a database. After evaluating the policies, the PDP sends its grant or deny decision to the Policy Enforcement Point (PEP), which enforces the result in the application.
In this post, I will talk about Policy Distribution and the three supported Policy Distribution Modes. The Policy Administration component of Oracle Entitlements Server lets you define, delete and manage policies in the policy store. The Policy Distribution component makes these policies available to the PDP services of the configured Security Modules. The PDP services evaluate these policies and return a grant or deny result when a protected resource is accessed.
The Policy distribution may include one or all of the following actions:
- Reading policies from a policy store
- Caching policies in a cache maintained by Security Module
- Preserving policies in a file-based persistent cache which is independent of the policy store
Policy Distribution Modes
The distribution mode is configured in the jps-config.xml file of the Security Module. Oracle Entitlements Server is responsible for distributing the policies to the configured Security Modules. The policy data can be distributed in one of the following ways:
- Controlled-push: In this distribution mode, the policy distribution is initiated by the Policy Distribution component of Oracle Entitlements Server. It ensures that the PDP client receives the policy data that has been stored in the policy store. The Security Module cannot request the policy distribution. The “Distribute” button in the OES APM Console marks the policies as “Ready For Distribution”. In this mode, the policies are pushed to the PDP client as soon as they are marked as “Ready For Distribution”. This mode is supported only on database policy stores.
- Controlled-pull: The PDP client of the Security Module periodically pulls the policies from the policy store and stores them in a local cache. The default fetch interval is 10 minutes. The policies need to be marked as “Ready For Distribution” in the OES Console. Like Controlled-push, Controlled-pull is supported only on database policy stores.
- Non-Controlled: The PDP client of the Security Module periodically connects to the policy store to retrieve the policy data. This distribution is initiated by the Security Module. The policy store has to be online and available to the PDP service at all times. This mode is supported on both LDAP and database policy stores.
The choice of the policy distribution mode depends on the following factors:
- The type of policy store you are using – database or LDAP
- How the application policies are actually distributed
- Availability of the OES Administration Server
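The compatibility rules above (Controlled-push and Controlled-pull need a database policy store; Non-Controlled works with either) are easy to get wrong when jps-config.xml is edited by hand, and a Security Module with an incompatible mode simply never receives policies. The following is an added example, not code from the original post or from Oracle: a small pre-deployment check that reads a Security Module's jps-config.xml and reports whether the configured distribution mode matches the policy store type. The property name `oracle.security.jps.runtime.pd.client.policyDistributionMode`, the `policystore.type` property and the value spellings (`controlled-push`, `controlled-pull`, `non-controlled`, `DB_ORACLE`, `OID`) are assumptions about the OES 11g configuration format and should be checked against your own file and the documentation before relying on the script; the sample XML is constructed for the example.

```python
import xml.etree.ElementTree as ET

# ASSUMPTION: property names and value spellings as used in an OES 11g
# Security Module jps-config.xml. Verify against your own file.
MODE_PROPERTY = "oracle.security.jps.runtime.pd.client.policyDistributionMode"
STORE_TYPE_PROPERTY = "policystore.type"

# Which policy store kinds each distribution mode supports, per the post above.
SUPPORTED_STORES = {
    "controlled-push": {"db"},
    "controlled-pull": {"db"},
    "non-controlled": {"db", "ldap"},
}

# Map of policystore.type values to a store kind (assumed value spellings).
STORE_KINDS = {
    "DB_ORACLE": "db",
    "OID": "ldap",
}

# Constructed sample jps-config.xml fragment, not a real OES file. It pairs an
# LDAP (OID) policy store with controlled-push, which the post says is invalid.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="policystore.ldap" provider="policystore.provider">
      <property name="policystore.type" value="OID"/>
      <property name="ldap.url" value="ldap://oid.example.com:3060"/>
    </serviceInstance>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode"
                value="controlled-push"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local_name(tag):
    """Strip a namespace prefix such as '{http://...}property' from a tag."""
    return tag.rsplit("}", 1)[-1]


def load_properties(xml_text):
    """Collect every <property name="..." value="..."/> in the file into a dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for elem in root.iter():
        if _local_name(elem.tag) == "property" and "name" in elem.attrib:
            props[elem.attrib["name"]] = elem.attrib.get("value", "")
    return props


def store_kind(props):
    """Classify the policy store as 'db', 'ldap' or 'unknown'."""
    return STORE_KINDS.get(props.get(STORE_TYPE_PROPERTY, ""), "unknown")


def check_distribution(props):
    """Return a list of findings; an empty list means the mode fits the store."""
    mode = props.get(MODE_PROPERTY)
    if mode is None:
        return [f"{MODE_PROPERTY} is not set; the Security Module has no distribution mode"]
    mode = mode.lower()
    if mode not in SUPPORTED_STORES:
        return [f"unknown distribution mode '{mode}'; expected one of {sorted(SUPPORTED_STORES)}"]
    kind = store_kind(props)
    if kind == "unknown":
        return [f"cannot determine policy store type from {STORE_TYPE_PROPERTY}; verify manually"]
    if kind not in SUPPORTED_STORES[mode]:
        return [f"{mode} supports {sorted(SUPPORTED_STORES[mode])} policy stores, "
                f"but the configured store is {kind}"]
    return []


def check_config_text(xml_text):
    """Convenience wrapper: parse the file text and run the compatibility check."""
    return check_distribution(load_properties(xml_text))


if __name__ == "__main__":
    findings = check_config_text(SAMPLE_JPS_CONFIG)
    for line in findings or ["OK: distribution mode is compatible with the policy store"]:
        print(line)
```

Run against the constructed sample the script reports that controlled-push is paired with an LDAP store; switching the mode to non-controlled, or the store to a database type, clears the finding. Only `<property>` elements are read, so the check works on a full jps-config.xml regardless of which service instance the properties live in.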
- Oracle® Fusion Middleware Developer’s Guide for Oracle Entitlements Server: http://docs.oracle.com/cd/E21764_01/security.1111/e14097/distpolicies.htm