Thursday Sep 17, 2009

Complete guide to Oracle IRM (Part 4): Using Windows authentication

Due to an increase in customer activity I have been unable to get this guide completed as quickly as I would like, sorry! However, a whole load of people have been configuring IRM servers to take advantage of Windows authentication, and as such I realized I should add another section to the proposed guide.

Currently the guide comprises:

Advantages of using Windows authentication


When using sealed content, several things are needed for authorized users to gain access successfully. The aim of any IRM deployment should always be to make the use of sealed content as transparent as possible for authorized users. The security of IRM should only become evident when someone attempts to do something they are not allowed to, such as copying and pasting information from the document or trying to take a screenshot. The following are required to allow a user to open sealed content.

  • The Oracle IRM Desktop software must be installed
  • The rendering application for the content being opened must be installed, e.g. Acrobat Reader for sealed PDF content
  • The user must successfully authenticate to the IRM server using either standard or Windows authentication
  • The user must have been given rights to the classification the content is sealed to

 

In a corporate environment you typically have access to the end user desktop and are therefore able to deploy the IRM Desktop without the users' knowledge. The Oracle IRM Desktop can be deployed silently (page 5 of the install guide), and rendering applications such as Acrobat Reader and Microsoft Office are also commonly installed already.

Corporations commonly use Windows authentication as part of an Active Directory deployment. Users authenticate to the workstation/laptop using an account from the Active Directory repository, and the workstation/laptop must be a member of either the domain/forest the user account is in, or at least a member of a trusted domain. Using this authentication mechanism with Oracle IRM means that a user doesn't need to re-authenticate when accessing sealed documents, because IRM can use their already authenticated Windows credentials.

Ultimately you are trying to achieve the following experience:

  • The Oracle IRM Desktop is installed on end users' machines without their interaction
  • Users are automatically set up on the IRM server to use Windows authentication and have rights to the relevant classifications
  • Sealed documents are automatically protected in the repository or network file shares
  • An authorized user then logs into their Windows machine, double clicks on a sealed document and it opens

The only initial difference for the end user is that they may see the Oracle IRM toolbar at the top of the document.

Oracle IRM and the user identity


This article will go into the details of configuring the IRM server to be able to authenticate users using Windows authentication and also how to use the Oracle IRM Directory Gateway to import users from your Active Directory into the IRM server. For deploying the IRM Desktop automatically, please refer to the installation guide on page 5.

 

The way in which Oracle has implemented Windows authentication in IRM isn't immediately obvious and there are some sound reasons why it works as it does. First we must look at how the IRM Desktop handles controlling access to sealed content.

  • User double clicks on a sealed document
  • Windows looks up the extension of the document (.sdoc, .spdf etc) and loads the Oracle IRM Desktop, passing it the reference to the file
  • IRM Desktop authenticates end user
  • If authentication is successful IRM Desktop validates if user has rights to the document
  • If rights exist, document is securely opened for the user

 

Before looking at the authentication, let's look at how the IRM Desktop determines rights to content. Each sealed document contains information about its classification and which server it was sealed against. When the user opens sealed content the IRM Desktop, after user authentication, performs a rights lookup to determine whether the user has access to the content. If the IRM Desktop had to contact the IRM server for this lookup, the rights returned are cached in the local encrypted offline store. On subsequent openings of content the IRM Desktop uses the offline cached rights for as long as their offline period is valid. Remember that each right given to a user in a classification can have a different offline period. This allows very sensitive information to have a short offline lease, so that rights changes on the server take effect for users within a short time, e.g. hours. Other rights may have offline periods of days or sometimes weeks.

When rights are cached offline, so is the user's identity. The identity describes the user and which server they belong to. For the above rights lookup, the IRM Desktop must obtain a valid identity.
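To make the offline-lease behaviour concrete, here is an added illustration (not Oracle's code; the server, cache and "alice" rights are constructed stand-ins) of why a per-right offline period bounds how long a revocation on the server can remain invisible to an offline user:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Hypothetical model of the behaviour described above: every right the IRM
# Desktop caches carries the offline period set for it on the server, and the
# cached copy is trusted only until that lease runs out.


@dataclass
class ServerRight:
    role: str
    offline_period: timedelta


@dataclass
class CachedRight:
    role: str
    synced_at: datetime
    offline_period: timedelta


class IrmServer:
    """Stand-in for the rights service: (user, context) -> right."""

    def __init__(self) -> None:
        self.rights: Dict[Tuple[str, str], ServerRight] = {}

    def grant(self, user: str, context: str, role: str, offline_period: timedelta) -> None:
        self.rights[(user, context)] = ServerRight(role, offline_period)

    def revoke(self, user: str, context: str) -> None:
        self.rights.pop((user, context), None)

    def lookup(self, user: str, context: str) -> Optional[ServerRight]:
        return self.rights.get((user, context))


class IrmDesktopCache:
    """Local encrypted offline store of rights for one authenticated user."""

    def __init__(self, user: str, server: IrmServer) -> None:
        self.user = user
        self.server = server
        self.cache: Dict[str, CachedRight] = {}

    def open_document(self, context: str, now: datetime, online: bool) -> Tuple[str, Optional[str]]:
        """Decide access for a document sealed to `context`.

        Returns (source, role): 'cache' when an unexpired offline lease was
        used, 'server' when a live lookup (re)populated the cache, 'denied'
        when no usable right exists."""
        cached = self.cache.get(context)
        if cached is not None and now - cached.synced_at <= cached.offline_period:
            return "cache", cached.role
        if not online:
            # Lease expired (or nothing cached) and no server reachable: fail closed.
            return "denied", None
        right = self.server.lookup(self.user, context)
        if right is None:
            self.cache.pop(context, None)  # right withdrawn on the server
            return "denied", None
        self.cache[context] = CachedRight(right.role, now, right.offline_period)
        return "server", right.role


def revocation_demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed scenario: a sensitive context with a 2-hour lease and an
    ordinary one with a 7-day lease, both revoked one day after syncing."""
    server = IrmServer()
    server.grant("alice", "BoardPapers", "Reader (No Print)", timedelta(hours=2))
    server.grant("alice", "Marketing", "Contributor", timedelta(days=7))
    desktop = IrmDesktopCache("alice", server)

    t0 = datetime(2009, 9, 17, 9, 0)
    desktop.open_document("BoardPapers", t0, online=True)  # populates the cache
    desktop.open_document("Marketing", t0, online=True)

    server.revoke("alice", "BoardPapers")
    server.revoke("alice", "Marketing")

    t1 = t0 + timedelta(days=1)
    return {
        # short lease already expired: offline user is denied until back online
        "board_offline": desktop.open_document("BoardPapers", t1, online=False),
        # long lease still valid: the revocation is not yet visible offline
        "marketing_offline": desktop.open_document("Marketing", t1, online=False),
        # online, the expired lease forces a live lookup that sees the revocation
        "board_online": desktop.open_document("BoardPapers", t1, online=True),
    }


if __name__ == "__main__":
    for name, result in revocation_demo().items():
        print(name, result)
```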

 

Technical detail of how Oracle IRM authenticates Windows users


So this is where the Windows authentication piece comes in. To obtain a valid identity for a user who is configured to use Windows authentication, we need to authenticate them. When the workstation is offline we use the same mechanism that allows a user to log into their Windows desktop without a direct connection to the domain. When the user is online, we must authenticate the user's Windows credentials. When successful, the user's identity is then combined with any rights to determine access to content.

 

For successful Windows authentication the following must be true:

  • User is logged on to a Windows machine using their Windows account
  • User account on the IRM server is mapped to their Windows account
  • Windows machine must be part of the corporate domain
  • Oracle IRM server must have a valid authentication path to the corporate domain

 

 

Network communication for Windows authentication


The IRM Desktop uses Windows APIs to get details of the logged-in user, in the form of an NTLM package. This information is then sent from the IRM Desktop to the IRM server using our own communications protocol. This is a very important point.

IRM Desktop communication to the IRM server for Windows authentication does not use traditional Windows protocols; instead we simply pass the Windows user credentials inside our own encrypted protocol to the IRM server.

This has the great advantage that the same protocol used for standard IRM authentication is also used for Windows authentication, simplifying the deployment model whilst maintaining security. It also increases the chances of successful communication, because the IRM protocol will already have been enabled irrespective of which authentication model you use. This protocol is designed for effective communication no matter where the client is coming from. The encrypted protocol is tunneled inside HTTP packets marked with the MIME type "application/octet-stream"; the IRM encrypted protocol is the binary payload of those HTTP packets.

IRM and Windows authentication details

Once the IRM server receives the data, a classic negotiate, challenge and response exchange occurs, with both the client and server using the Windows authentication API but tunneling the results in our protocol. The IRM server is therefore using Windows authentication local to the server the IRM service is running on. This means the IRM server must have a valid path to the domain controllers for the domain the user is a member of. More on ensuring this setup later, but at the end of this communication process the IRM server discovers the user's Windows SID.

Windows user lookup in IRM server


Now that the IRM server has verified the Windows identity of the user opening content, it has the unique identifier from Windows, the SID. This SID is what the IRM server uses to map IRM accounts to Windows accounts for authentication. The IRM server then performs a local lookup in the database and, if it finds that this Windows user has been mapped to an account, returns the identity to the IRM Desktop. At this point the Windows user has been fully authenticated, an IRM identity has been established and the IRM Desktop can continue to look up rights for the user.

Setting up an IRM server to authenticate Windows domain users


So how do you ensure the IRM server is able to complete the above steps for authenticating Windows accounts accessing sealed content? The IRM server runs on a Windows server, and this Windows server must therefore be able to authenticate users against the domains in which their accounts exist.

Now this presents a problem, because nearly every IRM server is deployed in the DMZ, and any connection from a publicly accessible server back to the corporate user directories presents a security risk. However, because the IRM server is just calling standard Windows APIs to authenticate users, there are several best practice approaches to reducing this risk and deploying an effective solution.

The following are the main methods I have seen customers use to ensure the IRM server can authenticate against the corporate domain.

  • Promote the IRM Windows server to a domain controller with its own forest/domain

    This is the most common scenario I have seen with our customers. Before installing any of the IRM services, the Windows server is promoted to create an Active Directory domain. Then the IRM services (IRM Server, Management Website) are installed. Then a one-way trust relationship needs to be created from this domain to the corporate domain; this lets the IRM domain authenticate and trust users from the corporate domain, yet the IRM domain itself is untrusted. This trust creation involves communication from the DMZ to the corporate network where the corporate domain controllers reside, and therefore firewalls need to be configured correctly.

    The pros of this approach are that you have an entirely self-contained environment which, if compromised, only affects the IRM service. The trust relationship ensures a compromised domain controller has no rights to the corporate network.

    The downside of this approach is that you need to open firewall access from the DMZ to domain controllers on the corporate network, and sometimes this isn't possible due to network design or security policy.

    Also note that if you promote a Windows server to a domain controller after you've installed the Oracle IRM Management Website, I've seen problems with IIS and permissions when it runs on the newly configured domain controller. A re-installation of IIS and the Management Website does resolve the issues, but if it can be avoided it is wise to do so.

  • Host another server as the IRM domain and make the IRM server a member of this domain

    This solution is very similar to the above, but some customers have already had to create a DMZ domain which trusts the corporate network for other DMZ services requiring Windows authentication. In this instance making the IRM server a member of the existing domain is adequate.

    The pros of this approach are that you use an existing and proven setup, if one already exists. Also, just changing the server's domain membership doesn't have the same impact on the existing IRM installation and can therefore be done after the IRM service has been fully configured.

    The problems with this solution are that you increase the infrastructure required, and if the IRM server is compromised it has a wider impact if that compromise affects the DMZ domain in any way.

  • Host the IRM server on the corporate network and proxy all requests

    Finally, another option, and this is a rare choice but sometimes the only choice. The IRM server is hosted on the corporate domain and all public requests are proxied from the DMZ-facing firewall/routers to the IRM server. To proxy these requests you set up a reverse proxy server to take traffic from the internet to the IRM server. Note that this only requires proxying the HTTP packets in which the IRM encrypted protocol is tunneled.

    The pro of this is that you don't need any exposure of your corporate domain in the DMZ, because the IRM service can be a member server directly in the corporate domain. Also, the traffic you are forwarding to the IRM server is simple to manage and control. The IRM server has been through Oracle security validation and is heavily tested, such that we have never had any compromise or security issue (buffer overruns, SQL injection, etc.) reported as a result of communication with the IRM server.

    The downside is that if the IRM server is somehow compromised, that server sits on your corporate network.

Summary

With all of the options above it is best practice to ensure that the Windows server is regularly updated with security patches from Microsoft, that it is monitored for availability and security purposes, and that proper backups of the system are taken so that in the event of a disaster, whether due to physical or software failure or security compromise, the system can be returned to operation in a timely manner.

This implementation of enabling Windows authentication for access to sealed content works very nicely with the requirement of having the service accessed from the public internet.

This article only covers how to understand and enable the IRM service to authenticate Windows users. The next article in this guide actually walks through the steps of mapping IRM accounts to Windows accounts, testing the setup works and then how to configure the Oracle IRM Directory Gateway to manage the automation of synchronizing these accounts from Active Directory with the IRM server.

Thursday Aug 13, 2009

Complete guide to Oracle IRM (Part 3): Client configuration and basic system tests

Now that the IRM Server and Management Website have been installed, it's time to install the IRM Desktop, create a classification and protect some documents to check the system works.

Currently the guide comprises:

This article assumes you have followed parts 1 & 2 of this guide and that the Oracle IRM server is running and configured correctly. One good tip for checking whether the server is alive is its ping HTML page. This is a simple interface on the server which you can access using a web browser. Point your browser at http://irmserver.hostname:port/ping and you should get a response like the one below.

IRMServerPing.jpg

Install the Oracle IRM Desktop

The Oracle IRM Desktop is a small piece of software which provides support for all the IRM formats, such as Microsoft Office documents, Adobe PDFs, email etc. The single install not only allows the opening and editing of sealed documents but also provides functionality to create new documents and search inside them. For only an 8MB download it sure packs a lot of features. You can get the IRM Desktop from Oracle's OTN download pages.

Once downloaded just double click on the .exe to start the installation. It is wise to close any programs such as Microsoft Word, Outlook, Adobe Reader so that any files the installation wishes to update do not require a reboot.

10gDesktopInstall01.gif

Choose an installation folder, or leave the default.

10gDesktopInstall02.gif

Then hit install! Very easy...

10gDesktopInstall03.gif

At the end of the installation you will see a new icon in your task tray, like the following... DesktopTrayIcon.gif

 

Create test classification


Now that we have all the software installed we need to create a classification to secure a document against. Oracle IRM calls classifications contexts and the best way to create them is using the Management Website. This way new contexts follow the standard rights model, the benefits of which will become obvious.



Fire up a browser and head to the home page of the Management Website, this is going to be http://yourirm.server.name/manage. Then hit the login button, top right of the web page.


10gManagementWebsiteLogin.gif

 

During the Management Website installation we created two new accounts, one of which is the System Manager. It is this account we will use to create our first context. Now, if when you installed the Management Website you set the default password creation to "specified" and passed in a value, then this will be the password for your System Manager. However, if you left the default as "random" you have two options.

Getting the user password from email


When creating the system manager you gave the installer an email address. If this was a valid account and the Windows SMTP server is able to lookup the MX record for the domain of that user account and successfully deliver the email, then go check the inbox for that account and you should have an email like the following.


10gManagementWebsiteNewUserEmail.gif

Manually resetting a user's password from the Management Console


When the Oracle IRM server was installed it also installed the Oracle IRM Management Console which was used to initially login to the server.

  • Start the Management Console from the Windows program group Oracle -> Information Rights Management.
  • Then login to the server using the administrator password you created at initial IRM server install.
  • Click on Users & Groups and you should see your system owner account. Right click and select Authentication from the menu.


    10gManagementConsoleChangeAuthentication.jpg

  • Leave the authentication type selected as Standard


    10gManagementConsoleAuthentication01.gif

  • Select reset and supply the new password for the user, de-select User must change password on next login and hit finish.


    10gManagementConsoleAuthentication02.gif


Login to Management Website and create context


Now that the system owner password is known, let's log in to the Management Website. If you got the password from email you are going to be asked to change it on login. You should then see the homepage for the system owner.

10gManagementWebsiteSystemOwnerHome.jpg

Now switch to the Contexts tab and hit the Add Context button. Here you have a simple dialog asking for a name, description and a user to be the context manager. Note that we only have one person in the system right now that could be a classification manager.

10gManagementWebsiteAddContext.gif
This creates a context in the server based on a template using the standard rights model. It also sends an email to the new context manager which is going to be the same user you've logged in as. The email gives important information for new context managers to be able to work with the context.

10gManagementWebsiteContextManagerEmail.gif

By default the context manager is also given a role, Contributor, which allows them to create, open, edit and print sealed content.

Add a user to the IRM server

To make this test a little more complete it would be wise to add another user to the server and give that account a slightly lower set of rights than the context manager, so we can see the IRM technology working correctly. Whilst still logged into the Management Website, click on the Users tab.

10gManagementWebsiteAddNewUser.gif
Notice that when business users add new accounts, they can also give the new account a role in an existing context. So select Initial Role Assignment, choose the context and, for this test, choose the Reader (No Print) role.

Again, to get this user's password, if you've set it to random you need to access their email inbox or reset it using the Management Console.

Sealing the first piece of content

Finally the time has come to protect a document! The server is running, we've got a context ready and a few users in the system, but there is one simple and obvious hoop left to jump through.

To seal a document we need to have the user's rights cached on the local machine. For this to take place, the IRM Desktop needs to know where the Oracle IRM server is on the network so it can synchronize these rights and then be able to seal a document. The usual way for the IRM Desktop to learn about the IRM server is to open an existing piece of content that someone has sent you... ack. Bit of a chicken-and-egg dilemma. The simple solution is to manually tell the IRM Desktop the location of the IRM server and then force a synchronization of rights.


  • Right click on the Oracle IRM Desktop icon in the system tray and select Options...

    DesktopTrayIconOptions.gif

  • The options dialog will default nicely to the Synchronization tab; hit Add and enter the hostname of your server.

    DesktopAddServer.gif

  • Hit OK and then OK the IRM Desktop Options dialog.
  • Right click once more on the IRM Desktop tray icon and this time select Synchronize.
  • The IRM Desktop will then present you with the login dialog and you'll need to enter the username and password for the context manager, the same account you logged into the Management Website as. It is worth also checking the Login Automatically option.

    DesktopLogin.gif

Now we are ready to seal a piece of content. In my guide I'm going to protect a Microsoft Word document. This means I have to have a copy of Office installed, and I'm using Microsoft Office 2003. You could also seal a PDF document, for which you'll need to download and install Adobe Acrobat Reader. A very simple test could be to seal a GIF/JPG/PNG or a piece of HTML, because this is rendered using Internet Explorer. But as I say, I'm going to protect a Word document.

  • Open a copy of Windows Explorer and locate the file you wish to seal.
  • Right click on the document and select Seal To -> Context
  • You are now presented with the Select Context dialog.

    10gContextSelectionDialog.gif
  • You can now select the context you created and hit OK

You'll now have a sealed copy of the document sitting in the same location. Double click on this document and it will open using the system manager account credentials you asked the IRM Desktop to cache when selecting the Login Automatically option.

SealedWordDocument.jpg
As the context manager you have full access to the content. You can copy, edit, print and, as we've seen, create sealed content against the context.

Finally, let's log in as the second user created. Double click on the Oracle IRM bar or the icon in the toolbar. This will display the IRM Desktop control panel, which defaults to File Properties. Switch to the Login tab and enter the details of the other user you added to the server. The document will now open, yet this time, because you only gave the user the role Reader (No Print), they cannot edit or print the content.

This completes a full installation and test of an Oracle IRM service. The next guide will walk through in a bit more detail the decisions around how to now use this system to start protecting real content in accordance with information protection policies.

Wednesday Aug 12, 2009

Complete guide to Oracle IRM (Part 2): Management Website installation

First part of this guide covered installing the Oracle IRM server. The server is core to an IRM deployment providing the centralized management of users, classifications, roles and rights. It provides the service for authorizing users and issuing rights/decryption keys allowing access to protected content. However after installing the server you still need to go through the process of configuring the classifications and roles, adding new users and then assigning roles to their accounts giving them rights to content protected against the classifications.

Currently the guide comprises:

In the early days of IRM deployments we would sit down with a customer and ask questions like, "How do your users need to access content? Do they need print rights? Do they need change tracking enabled when they edit?". This helped us define a classification and rights model which reflected their needs. After we had been through this loop several times we realized the same roles kept being created. There was also a use case which was constantly being addressed where business users who owned classifications and wanted to share sensitive documents outside the company, required a simple mechanism for adding external users to the system and giving them rights to the business users classifications.

This led to the development of the Oracle IRM Management Website and the Standard Rights Model. This is an out of the box, predefined set of roles that are based on our 10 years of best practice and feedback from customers. It includes a set of document roles, (Contributor, Reviewer, Reader, Reader (No Print) and Item Reader) and a set of administrative roles, (Service Owner, System Manager, Context Manager and Inspector) which facilitate appropriate segregation of business and technical duties. The Management Website then delivers some simple logic in the form of a web application to implement common use cases, such as adding users and creating contexts. The next part of this guide will go through the installation of this software. Part 3 of the guide will involve creating a classification and testing that everything works and the final part 4 will discuss further the decision making around applying your IRM service to your company's classification policies.

Preparation

As described in part one, it is best practice to run the Oracle IRM server on TCP port 80. Obviously the Management Website should also run on TCP port 80. When both are running on the same machine, as in this guided installation, you therefore need to stop IIS from listening on all available interfaces on port 80, a behaviour called socket pooling.

Disabling socket pooling in IIS

I'm going to run the IRM server on port 80 and also will be running the website on port 80. Therefore I have bound two IP addresses to the Ethernet interface which will handle my public server requests. However IIS has also been installed and this is currently listening on all available addresses on port 80. To disable this behavior you need to use a tool from Microsoft called httpcfg. It is found in the Windows Server Support Tools.

After installing these tools, run the link to the command prompt and type the following commands replacing the IP address with the one you want the IIS server to listen on. Don't put in the IP address you wish to use for the IRM server, the command below is telling IIS which addresses to listen on.

net stop http /y
httpcfg set iplisten -I 172.22.0.171
net start w3svc

To confirm that IIS is now listening on only the IP address specified above and that the IRM server is running and listening on another port, you can start a command prompt and run the command netstat -nao | find "80". This will return something akin to the following.

TCP 0.0.0.0:1801 0.0.0.0:0 LISTENING 2148
TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING 1700
TCP 172.22.0.172:80 0.0.0.0:0 LISTENING 3640
TCP 172.22.0.171:80 0.0.0.0:0 LISTENING 4

Note that IIS, running under process ID 4, is listening on port 80 on address 172.22.0.171. The previously installed IRM Server, running with process ID 3640, is also listening on TCP port 80 but bound to the address 172.22.0.172.
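Because a forgotten httpcfg step leaves IIS pooled on 0.0.0.0:80 and silently stealing the IRM server's address, it is worth scripting the check. The following is an added example (not from the article or Oracle) that parses netstat -nao output and verifies the port-80 layout; the sample lines and PID-to-address expectations are the constructed values from this article.

```python
import re
from typing import Dict, List, NamedTuple

# Added check: confirm each TCP port-80 listener is bound to the address
# intended for it, and that nothing holds 0.0.0.0:80 (socket pooling).
# PID 4 is the System process that hosts http.sys on behalf of IIS.


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int
    pid: int


# Matches the LISTENING rows of `netstat -nao`; header and non-listening rows
# are skipped. The address group also copes with bracketed IPv6 forms.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_netstat(output: str) -> List[Listener]:
    """Parse listening sockets out of raw netstat output."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return listeners


def check_port80_bindings(listeners: List[Listener], expected: Dict[int, str]) -> List[str]:
    """Return a list of problems; empty means the layout matches `expected`,
    which maps a PID to the single address it should hold port 80 on."""
    problems: List[str] = []
    seen: Dict[int, str] = {}
    for l in listeners:
        if l.proto != "TCP" or l.port != 80:
            continue
        if l.addr == "0.0.0.0":
            problems.append(f"pid {l.pid} listens on all interfaces (0.0.0.0:80): socket pooling still enabled")
            continue
        want = expected.get(l.pid)
        if want is None:
            problems.append(f"unexpected process pid {l.pid} listening on {l.addr}:80")
        elif want != l.addr:
            problems.append(f"pid {l.pid} bound to {l.addr}:80, expected {want}:80")
        seen[l.pid] = l.addr
    for pid, addr in expected.items():
        if pid not in seen:
            problems.append(f"pid {pid} is not listening on {addr}:80")
    return problems


# Constructed sample: the article's post-httpcfg output (IIS on .171, IRM on .172).
SAMPLE_OK = """\
TCP 0.0.0.0:1801 0.0.0.0:0 LISTENING 2148
TCP 127.0.0.1:8080 0.0.0.0:0 LISTENING 1700
TCP 172.22.0.172:80 0.0.0.0:0 LISTENING 3640
TCP 172.22.0.171:80 0.0.0.0:0 LISTENING 4
"""

# Constructed sample of the same host before httpcfg: IIS still pooled on every address.
SAMPLE_POOLED = """\
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 172.22.0.172:80 0.0.0.0:0 LISTENING 3640
"""

EXPECTED = {4: "172.22.0.171", 3640: "172.22.0.172"}

if __name__ == "__main__":
    for label, sample in (("after httpcfg", SAMPLE_OK), ("before httpcfg", SAMPLE_POOLED)):
        problems = check_port80_bindings(parse_netstat(sample), EXPECTED)
        print(label, "OK" if not problems else problems)
```

On a live box, feed it the output of netstat -nao instead of the samples; a non-empty list means the Management Website or IRM server will fail to bind or will answer on the wrong address.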

Ensuring the local Microsoft SMTP service is installed

Another aspect of the Management Website is that it sends out emails when user accounts are added, classifications created, etc. These emails are a way to simplify communication to users, introducing them to using Oracle IRM. The Management Website comes with a set of template emails which can be customized for your deployment. The website sends these emails out using the Microsoft SMTP service which is bundled as part of the IIS installation.

  • Go to the Control Panel and start the "Add or Remove Programs" applet
  • Select "Add/Remove Windows Components"
  • In the resulting wizard select "Application Server" and hit Details
  • Select "Internet Information Services (IIS)" and hit Details again
  • Make sure that the SMTP Service is selected
  • Click OK back through the wizard to install the service

You will now have in your C:\Inetpub folder a mailroot folder which we will reference during the website installation.

Setting up the local IRM user

The Management Website uses a Windows NT account when communicating from the website to the IRM server. This account must be pre-created, and in my case I'm doing it on an Active Directory Domain Controller.

10gIRMManagementWebsiteInstallADUser01.gif
So create a user and make it a member of the group IIS_WPG. Remember the password, it gets used during the installation. Also make sure you know what domain this user is a part of.

10gIRMManagementWebsiteInstallADUser02.gif

Getting the install files

Download the following zip file and extract it to disk: http://www.oracle.com/technology/software/htdocs/devlic.html?url=http://download.oracle.com/otn/content_management/IRM%2010gR3%2020090326%20LicenseServer%20and%20Standard%20Rights%20Model.zip. All Oracle IRM software can be downloaded from OTN.

10gIRMManagementWebsiteInstall01.gif
Run the installer and hit next, now we can start installing the Management Website.

Installing the Oracle IRM Management Website

10gIRMManagementWebsiteInstall02.gif
The installer is split into two main activities. First the installation of the files to the local machine and the configuration of the website in IIS, then it launches a web browser connecting to the Management Website to complete configuration and setup.

10gIRMManagementWebsiteInstall03.gif
This dialog is a checklist; it doesn't actually check that you've done any of these, so make sure you've read the install guide and followed the preparation tasks described at the start of this article. Check all the items and continue.

10gIRMManagementWebsiteInstall04.gif
Next the installer asks for where to place the web files. I changed this location to remove the reference to SealedMedia, the company which originally developed the IRM technology.

10gIRMManagementWebsiteInstall05.gif
Choose a language to install. Note this will set the default language for the entire Management Website.

10gIRMManagementWebsiteInstall06.gif
Enter the hostname and port of the IRM server. Note that these must be the private interface hostname and port, but these are usually the same as the public interface settings.

10gIRMManagementWebsiteInstall07.gif
Specify details of the NT user you created, which will be used to run the Management Website in IIS and connect to the IRM server.

10gIRMManagementWebsiteInstall08.gif
Confirm the location of the SMTP service pickup folder.

10gIRMManagementWebsiteInstall09.gif
Hit install to complete the first part of installation.

10gIRMManagementWebsiteInstall10.gif
Hitting next will then launch an instance of the browser to continue to the next phase of installation. But before you do this, it's wise to ensure the web site it is about to browse to is correctly configured. The first part of the installation will have created an IIS website called "SealedMedia Management Website". To ensure the website is configured correctly, do the following.
  • Go to Start\Programs\Administrative Tools and start Internet Information Services (IIS) Manager
  • Open the Web Sites folder and you should see the "SealedMedia Management Website" instance. Right click and select Properties.
  • Change the IP address that the web site listens on to the one which your hostname for the web site resolves to; in my example, irmweb.us.oracle.com resolves to 172.22.0.171, so I set the IP address for this website to that value.
  • Also check in the Application Pools folder that the "SealedMedia MWA AppPool" instance is started. Sometimes I've found this application pool stopped, and the next step won't work.


10gIRMManagementWebsiteInstall11.gif
After hitting next your browser will start and access the installation page of the Management Website. Provide the administration account that was created during the initial IRM server installation.

10gIRMManagementWebsiteInstall12.gif
Once the Management Website authenticates with the IRM server you are asked for the settings for this web application.
  • The system email address will be copied on every email sent out from the server, so I would use a mailbox dedicated to these emails.
  • The default password applies when users are added to the system using the website. The business user doesn't set a password; instead the system either creates a secure random one or uses the same password every time. This password ends up in the new-user email and is only used the first time the end user accesses the system; they will be prompted to change the password on first login.
  • Don't set the export contexts check box; this can be changed later and is rarely used out of the box.
  • Organization name is used only on the web site and is displayed on all pages.
  • The check boxes for email notifications allow you to configure what emails get sent automatically. These can also be changed later.


10gIRMManagementWebsiteInstall13.gif
You are now asked to create the first service owner account. This is typically a named service account, e.g. "serviceowner", in the same vein as root or administrator accounts. A service owner basically makes changes to the Management Website settings. The account is authorized for routine management tasks, such as user account creation, but these tasks are typically performed by the business users themselves. An important note is that the role of Service Owner does not include the assignment of rights to access sealed documents. The assignment of document rights is a Context Manager task. This is a good example of the separation of duties that is possible with Oracle IRM.

10gIRMManagementWebsiteInstall14.gif
Next comes the last account to be created, the first System Manager account. This, in contrast to the Service Owner, is typically a real user account and hence the requested information is slightly different. System Managers are primarily responsible for managing user accounts and user groups, and for creating classifications. The typical workflow is that a System Manager, as part of the classification creation process, creates a classification and in doing so adds the first manager. This generates an automated email to that new manager, who then in turn logs into the Management Website and removes the account of the System Manager that created it. This is a nice example of the hand-off of classifications from IT to the business, and again of how well separation of duties is played out.

Again the role of System Manager does not include the assignment of rights to access sealed documents. The assignment of document rights is a Context Manager task. It is possible for a System Manager to be a Context Manager for one or more contexts, but there is no requirement.

10gIRMManagementWebsiteInstall15.gif
And finally everything is installed and configured. You can now hit finish and be taken to the login page of the Management Website. The next steps are in guide 3, where I'll walk through the creation of a test classification, do some more configuration and check that the system can successfully create a sealed document and that a user can open it.

Friday Aug 07, 2009

Complete guide to Oracle IRM (Part 1): Server installation

This is the first of many articles I will be writing which walk you through downloading, installing, configuring and using Oracle IRM. From its very creation this technology has been designed to be simple to use from both the end user's and the administrator's perspective. In these articles I will go step by step over every detail so that, by following my instructions, you can have a fully working IRM system. When well prepared, you should be able to complete this within a few hours. If you have any problems following these steps please leave either a comment or contact me and I'll make an update.

Currently the guide comprises:

This first article will describe obtaining the software, preparing the installation environment and installing the server. The installation will be basic, with no integration with user repositories, and will use basic authentication instead of Windows authentication. The Oracle IRM Server installation document is very detailed and you may wish to have it available.

Windows and database server preparation


Oracle IRM uses a classic client-server architecture. The current 10g release requires that the server is installed on a Windows 2003 server. The 11g release will move the server into the Oracle Fusion Middleware platform, allowing it to run on a much wider variety of platforms. But for now, you will need a Windows 2003 server. It is highly advisable to ensure all the latest service packs and patches are also installed. In this article I will be installing the IRM server against an Oracle 11g database, but Microsoft SQL Server is also supported.

Setting up server hostnames


All content protected by an IRM server contains a URL back to the service, so that when content is accessed the client software knows where to authenticate the user and then validate rights. Therefore it is worth having a reliable hostname set up even if you are building a test/development server; if you can create a record in a DNS server it will be worth it in the long run. In my installation guide I have two hostnames set up, one for the IRM server itself and one for the Management Website I'll be installing later.

irm.us.oracle.com 172.22.0.172
irmweb.us.oracle.com 172.22.0.171

These addresses have then been assigned to the local Ethernet interface.

Disabling socket pooling in IIS

I'm going to run the IRM server on port 80 and will also be running the Oracle IRM Management Website on port 80. Therefore I have bound two IP addresses to the Ethernet interface which will handle my public server requests. However IIS has also been installed and is currently listening on all available addresses on port 80. To disable this behavior you need to use a tool from Microsoft called httpcfg. It is found in the Windows Server Support Tools.

After installing these tools, run the link to the command prompt and type the following commands, replacing the IP address with the one you want the IIS server to listen on. Don't put in the IP address you wish to use for the IRM server; the command below tells IIS which addresses to listen on.

net stop http /y
httpcfg set iplisten -I 172.22.0.171
net start w3svc

Preparing an Oracle database

My installation is going to be done against an Oracle 11g 11.1.0.7 database. I therefore created a tablespace and then a user who defaults to this tablespace.

10gIRMServerInstallDBTableSpace.gif

The installation document specifies the rights required by the IRM database user.

Using Oracle, the rights required by the license server during installation are:
CREATE, UPDATE, ALTER and DROP TABLE and create and modify CONSTRAINTs
CREATE and DROP SEQUENCE
CREATE and DROP INDEX
CREATE and DROP PROCEDURE
CREATE and DROP FUNCTION
CREATE and DROP PACKAGE

In the 11g database it is sufficient for the install to give the user the RESOURCE role.

10gIRMServerInstallDBUser.gif

The schema itself will be created as part of the IRM server install.
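As an added example (not part of the original post), this is the SQL I would run as a DBA to prepare the tablespace and user before the installer runs. It shows the RESOURCE shortcut used above beside a least-privilege grant that matches the install document's list; the tablespace name, datafile path, sizes and user name are assumptions.

```sql
-- Added example, not from the original post. Run as a DBA (e.g. SYS AS SYSDBA).
-- Tablespace name, datafile path, sizes and the user name are assumptions.

-- 1. A dedicated tablespace so the IRM schema is kept apart from other data.
CREATE TABLESPACE irm_data
  DATAFILE 'C:\oracle\oradata\orcl\irm_data01.dbf' SIZE 500M
  AUTOEXTEND ON NEXT 50M MAXSIZE 4G;

-- 2. The IRM database user, defaulting to that tablespace. The explicit quota
--    is what lets the installer create objects without UNLIMITED TABLESPACE.
CREATE USER irm IDENTIFIED BY "<choose-a-strong-password>"
  DEFAULT TABLESPACE irm_data
  TEMPORARY TABLESPACE temp
  QUOTA UNLIMITED ON irm_data;

-- 3a. Shortcut used in the post: RESOURCE covers everything the installer
--     needs (tables, sequences, procedures and more).
-- GRANT CREATE SESSION, RESOURCE TO irm;

-- 3b. Least-privilege equivalent of the install document's list. CREATE TABLE
--     lets the owner alter/drop its own tables, constraints and indexes;
--     CREATE PROCEDURE also covers functions and packages. Nothing here grants
--     access to any other schema.
GRANT CREATE SESSION   TO irm;
GRANT CREATE TABLE     TO irm;
GRANT CREATE SEQUENCE  TO irm;
GRANT CREATE PROCEDURE TO irm;

-- 4. Check what the user actually holds before running the IRM installer.
SELECT privilege AS granted FROM dba_sys_privs WHERE grantee = 'IRM'
UNION ALL
SELECT 'ROLE: ' || granted_role FROM dba_role_privs WHERE grantee = 'IRM';
```

If the installer later fails creating an object, compare its error against this list rather than widening to DBA-level privileges.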

 

Getting the install files


Download the following zip file and extract to disk.

http://www.oracle.com/technology/software/htdocs/devlic.html?url=http://download.oracle.com/otn/content_management/IRM%2010gR3%2020090326%20LicenseServer%20and%20Standard%20Rights%20Model.zip

All the IRM software can be obtained via the Oracle Technology Network.

Oracle IRM server install files

Installing a 10g Oracle IRM server


Now that we have the OS and database ready, the final step is the IRM server itself. Double-click on the MSI installer and you are presented with the following dialog.

Oracle IRM server install welcome dialog

Choose Custom for the setup type; this will allow you to change the installation folder if you wish.

Oracle IRM server install setup type

By default Custom will select all components; you can leave this in place. I switched my install location to C:\Oracle\IRMServer but the default is fine.

Oracle IRM server install custom setup

Choose Advanced for the wizard type. I rarely choose Standalone because I like to use Oracle for my database; the Standalone option will create a database in either SQL Server or it will install the small MSDE components.

Oracle IRM server install database wizard type

Next we need to create the ODBC connection on the server. I've already installed the Oracle 11g client software and set up a TNS name pointing to my 11.1.0.7 Oracle database instance. I'm going to create the new ODBC connection from within the installer.

Oracle IRM server install data source selection

Clicking next will launch the relevant ODBC driver configuration dialog. In my case this is the Oracle ODBC Driver Configuration.

Oracle IRM server install ODBC configuration

I selected the TNS Service Name for my database and entered the IRM user. Clicking OK took me back to the installation process, which asked for the following.

Oracle IRM server install database authentication

Here enter the database username and password and hit next.

Oracle IRM server install database setup

The database name field isn't used with an Oracle database install. The prefix allows you to specify three letters that will be prepended to all new objects in the database. This is useful if you have to install against an existing schema.

Oracle IRM server install server details

The next dialog asks for a server name, sometimes this is referred to as the server's friendly name. It is a free text string for you to name the server whatever you wish. It gets used in the user interface so the user has a nice and easy to read name for the server. Instead of them being told they can't connect to irmsrv01.domain.com which doesn't mean anything to an end user, they get told they can't connect to the "ABC Corporation Information Rights Server" which is more understandable.

The other section of this dialog asks for a user name and password which will constitute the initial and only account in the server. It is the account that has total control over the server and must be managed appropriately.

Oracle IRM server install public interface

Now we get into the network settings of the server. First we need to enter in the fully qualified hostname to the IRM service for the public interface. This is a VERY important hostname, every single piece of content secured using Oracle IRM is going to have this hostname inserted into the content. It is how the content knows where to communicate when a user is attempting to gain access.

NEVER use an IP address; even if building a test server, make changes to your hosts file rather than enter an IP here. Because we prepared the IIS server to listen on a specific IP for port 80, we can now set up the IRM server to listen on a different IP with the same port. Port 80 is a very good choice and the default.

Most production IRM servers sit in the datacenter DMZ and are therefore accessible from the public internet. People are going to be accessing secured content from a wide variety of networks such as hotels, corporate networks, home systems, free WiFi connections etc. Using port 80 drastically reduces problems for client to server communication from this array of networks over which you will have no control. Clicking next takes us to the configuration for the private port.

Oracle IRM server install private interface

In my installation I am going to leave the default and let it use the same settings as my public port. It can however be very useful to have this interface listen on a different address. The difference between the public and private port is that all requests for authentication and access to content go via the public port, whereas all traffic for administering the server goes via the private port.

This allows you to increase security by allowing the server to accept requests to open content from the public internet but only allowing requests to add users, assign rights etc. from people connected either to the physical corporate network or via a VPN into it. This dialog allows the server to listen on a different IP address and therefore be available to a different network segment. But I'm leaving this alone and just clicking on next.

Oracle IRM server install API interface

This is the final network setting, for the API port. I won't go into any detail on this now, but it refers to the low level API and object model that is available in the server. Some low level configuration uses it. If you are building a production system I would advise disabling this port; you can easily enable it if needed at a later date. For a development environment I would leave this on.

Oracle IRM server install as service

Nearing the end of the installation tasks you can choose to install the server as a service. I would advise this; I've only needed to change the account the server runs as when it is communicating with a SQL Server database using NT authentication, or when it is writing log files to a location that the local service account has no rights to. Which brings us to the next two dialogs.

Oracle IRM server install log location
Oracle IRM server install audit location

There are two types of output, server logs and audit logs. Server logs contain information about clients connecting and server operations. Audit logs contain detailed information about people accessing content and making changes to rights on the server. Both of these logs are rolled every 24 hours by default. The defaults of storing server logs in text format, so you can easily read them, and storing the audit logs in binary format, so you can programmatically manipulate them, make sense, so leave them alone for now.

Oracle IRM server install ready to start...

And at last, hit install to run through the installation process. The installer then copies over files, creates registry keys, runs the SQL to create the database schema and then installs the server (if you asked it to) as a service and attempts to start it. It finishes with the following confirmation.

Oracle IRM server install complete

Hitting finish will launch an instance of the Oracle IRM Management Console which is a good way to test the validity of the installation.

Oracle IRM Management Console - add new server

Once the console has started, select "New Server" and enter the hostname for your server. If it is running on port 80 you don't need to specify the port; if you have it running on another port use the notation "server.domain.com:portnumber", for example irm.us.oracle.com:8001. Hit next and enter the account details you specified during the installation.

Oracle IRM Management Console - server connection credentials

Once connected you should then be able to see the following aspects of the server. So that's it! A fully working Oracle IRM server; the next step is to install the Management Website and the Standard Rights Model, which will be covered in another article.

If you installed the server as a service it will start automatically on boot, note that the database server must be available at this time. If you didn't install as a service you can run the IRM server in a visible console by following the program group in the Start Menu.

Oracle IRM Management Console - Connected to server