6 Configuring Security

Oracle Fusion Middleware provides many security features, including accounts specifically for administrative purposes. This chapter describes how to create additional administrative accounts, create application roles, change passwords for those accounts, and how to configure SSL.

This chapter contains the following topics:

6.1 Creating Additional Administrative Users

During the Oracle Fusion Middleware installation and configuration, you must specify an administrative user and a password for the user. By default, the user name is weblogic. You can use this administrative account to log in to Fusion Middleware Control and the Oracle WebLogic Server Administration Console.

You can create additional administrative users using the Oracle WebLogic Server Administration Console.

To create a new administrative user with full privileges:

  1. Navigate to the Oracle WebLogic Server Administration Console. (For example, from the home page of the domain in Fusion Middleware Control, select To configure and managed this WebLogic Domain, use the Oracle WebLogic Server Administration Console.)

  2. From the navigation pane, select Security Realms.

    The Summary of Security Realms page is displayed.

  3. Select a realm, such as myrealm.

    The Settings for the realm page is displayed.

  4. Select the Users and Groups tab, then the Users tab. Click New.

    The Create a New User page is displayed.

  5. For Name, enter the new user name. In this case, enter admin2.

  6. Optionally, add a description for the account.

  7. For Password, enter a password for the account. Then, for Confirm Password, reenter the password.

    Any passwords you assign to Oracle Fusion Middleware users:

    • Must contain at least five characters, but not more than 30 characters.

    • Must begin with an alphabetic character. It cannot begin with a number, the underscore (_), the dollar sign ($), or the number sign (#).

    • At least one of the characters must be a number.

    • Can contain only numbers, letters, and the following special characters: US dollar sign ($), number sign (#), or underscore (_).

    • Cannot contain any Oracle reserved words, such as VARCHAR.

  8. Click OK.

  9. Select the newly created user in the Users table.

    The Setting for user page is displayed.

  10. Select the Groups tab.

  11. From the Available groups, select the group. In this case, to give the new user full privileges, select Administrator and move it to the Chosen list, as shown in the following figure:

    Description of create_user.gif follows
    Description of the illustration create_user.gif

  12. Click Save.

You now have a user named admin2 that has the Administrator role for the Oracle WebLogic Server domain.

You may want to give only minimal privileges to another user, allowing the user to only monitor Oracle Fusion Middleware, not to change any of the configuration.

6.2 Creating Additional Users with Specific Roles

You can create additional users and give them limited access. For example, you can create a user with privileges to deploy applications.

To create an additional user who can deploy applications:

  1. Navigate to the Oracle WebLogic Server Administration Console. (For example, from the home page of the domain in Fusion Middleware Control, select To configure and managed this WebLogic Domain, use the Oracle WebLogic Server Administration Console.)

  2. From the navigation pane, select Security Realms.

    The Summary of Security Realms page is displayed.

  3. Select a realm, such as myrealm.

    The Settings for the realm page is displayed.

  4. Select the Users and Groups tab, then the Users tab. Click New.

    The Create a New User page is displayed.

  5. For Name, enter the new user name. In this case, enter app_deployer.

  6. Optionally, add a description for the account.

  7. For Password, enter a password for the account. Then, for Confirm Password, reenter the password.

    Any passwords you assign to Oracle Fusion Middleware users:

    • Must contain at least five characters, but not more than 30 characters.

    • Must begin with an alphabetic character. It cannot begin with a number, the underscore (_), the dollar sign ($), or the number sign (#).

    • At least one of the characters must be a number.

    • Can contain only numbers, letters, and the following special characters: US dollar sign ($), number sign (#), or underscore (_).

    • Cannot contain any Oracle reserved words, such as VARCHAR.

  8. Click OK.

  9. Select the newly created user in the Users table.

    The Setting for user page is displayed.

  10. Select the Groups tab.

  11. From the Available groups, select the group. In this case, to give the new user privileges only to deploy applications, select Deployers and move it to the Chosen list.

  12. Click Save.

6.3 Changing the Administrative User Password

You can change the password of users using the Oracle WebLogic Server Administration Console.

To change the password of an administrative user:

  1. Navigate to the Oracle WebLogic Server Administration Console. (For example, from the home page of the domain in Fusion Middleware Control, select To configure and managed this WebLogic Domain, use the Oracle WebLogic Server Administration Console.)

  2. From the navigation pane, select Security Realms.

    The Summary of Security Realms page is displayed.

  3. Select a realm, such as myrealm.

    The Settings for the realm page is displayed.

  4. Select the Users and Groups tab, then the Users tab. Select the user.

    The Settings for user page is displayed.

  5. Select the Passwords tab.

  6. Enter the new password, then enter it again to confirm it.

  7. Click Save.

6.4 Configuring SSL

Secure Sockets Layer (SSL) is the most widely used protocol for securing the Internet. It uses public key cryptography to enable authentication, encryption, and data integrity. Using these tools, SSL also enables secure session key management by encrypting a unique one-time session password for use by both server and client. After this password is securely sent and received, it is used to encrypt all subsequent communications between server and client, making it infeasible for others to decipher those messages.

You can configure components, such as Oracle Web Cache, Oracle HTTP Server, Oracle WebLogic Server, Oracle Internet Directory, Oracle Virtual Directory and the Oracle Database to enable secure communications over SSL.

This section describes the following topics:

6.4.1 Understanding Keystores and Wallets

In Oracle Fusion Middleware, all Java components and applications use the JKS keystore. Thus all Java components and applications running on Oracle WebLogic Server use the JKS-based KeyStore and TrustStore.

The Oracle Virtual Directory system component uses a JKS keystore to store keys and certificates. Configuring SSL for Oracle Virtual Directory thus requires setting up and using JKS keystores.

Other components use the Oracle wallet as their storage mechanism. An Oracle wallet is a container that stores your credentials, such as certificates, trusted certificates, certificate requests, and private keys. You can store Oracle wallets on the file system or in LDAP directories such as Oracle Internet Directory. Oracle wallets can be auto-login or password-protected wallets.

  • Oracle HTTP Server

  • Oracle Web Cache

  • Oracle Internet Directory

6.4.2 Enabling SSL Between a Browser and Oracle HTTP Server

You can enable SSL on the communication path between a client browser and a Web server. In this case, you configure the virtual host for Oracle HTTP Server to listen in SSL mode, as described in the following topics:

6.4.2.1 Enabling SSL for Inbound Traffic to Oracle HTTP Server Virtual Hosts

To enable SSL for inbound traffic to Oracle HTTP Server virtual hosts:

  1. Create an Oracle wallet:

    1. In the navigation pane, expand the farm, then Web Tier. Select an Oracle HTTP Server instance.

    2. From the Oracle HTTP Server menu, choose Security, then Wallets.

    3. Click Create.

      The Create Wallet page is displayed, as shown in the following figure:

      Description of create_wallet.gif follows
      Description of the illustration create_wallet.gif

    4. For Wallet Name, enter a descriptive wallet name.

    5. Check or uncheck Autologin, depending on whether your wallet is an auto-login wallet. The default is an auto-login wallet. If you do not check Autologin, for Wallet Password, enter a password, then enter the same password in Confirm Password.

    6. Click OK to create the wallet.

      A confirmation box is displayed.

    7. The confirmation box asks if you want to create a certificate request. Click Yes.

      The Create Wallet: Add Certificate Request page is displayed.

    8. For Common Name, enter a name for the certificate request.

    9. Enter information about your organization.

    10. For Key Size, select a size.

    11. Click OK.

    12. To get the certificate signed by a certificate authority (CA), you must export the certificate request out of the wallet and send it to your CA. After the issued certificate is returned, you must import it back into your wallet. Now your wallet is ready to use.

  2. From the HTTP Server menu, choose Administration, then Virtual Hosts.

  3. Select a virtual host and choose Configure, then SSL Configuration.

    The SSL Configuration page is displayed, as shown in the following figure:

    Description of ohsssl3.gif follows
    Description of the illustration ohsssl3.gif

  4. Select Enable SSL.

  5. For Server Wallet Name, select the wallet.

  6. From the Server SSL properties, select the SSL Authentication type, Cipher Suites to use, and the SSL protocol version.

  7. Click OK.

  8. Restart Oracle HTTP Server. (From the Oracle HTTP Server menu, choose Control, then Restart.)

  9. Now, you can test this by visiting the OHS page over SSL in a browser. Use a URL of the form https://host:port/, where you replace the host and port with values relevant to your own environment.

6.4.2.2 Enabling SSL for Outbound Traffic from Oracle HTTP Server Virtual Hosts

Outbound requests from Oracle HTTP Server are handled by configuring mod_wl_ohs.

To configure outbound requests for SSL:

  1. Generate a custom keystore for Oracle WebLogic Server containing a certificate, using the Oracle WebLogic Server Administration Console:

    1. In the left pane of the Console, expand Environment and select Servers.

    2. Select Configuration, then Keystores.

    3. Define the keystore. See the online help for information about each field.

  2. Import the certificate used by Oracle WebLogic Server into the Oracle HTTP Server wallet as a trusted certificate. You can use any available utility such as WLST or Fusion Middleware Control for this task.

  3. Edit the Oracle HTTP Server configuration file ORACLE_INSTANCE/config/OHS/ohs1/ssl.conf and add the following line to the SSL configuration under mod_weblogic:

    WlSSLWallet  "ORACLE_INSTANCE}/config/COMPONENT_TYPE/COMPONENT_NAME/default"
    

    In the line, default is the name of the Oracle HTTP Server wallet in Step 2.

    Here is how the configuration should look:

    <IfModule mod_weblogic.c>
          WebLogicHost myhost.example.com
          WebLogicPort 7002
          Debug ALL
          WLLogFile /tmp/weblogic.log
          MatchExpression *.jsp
          SecureProxy On
          WlSSLWallet "$(ORACLE_INSTANCE)/config/OHS/ohs1/keystores/default"
    </IfModule>
    

    Save the file and exit.

  4. Restart Oracle HTTP Server to activate the changes.

  5. Ensure that your Oracle WebLogic Server instance is configured to use the custom keystore generated in Step 1, and that the alias points to the alias value used in generating the certificate. Restart the Oracle WebLogic Server instance.

6.5 Learn More

For more information about the topics covered in this chapter and other security topics, see:

  • Oracle Fusion Middleware Administrator's Guide for information about the following topics:

  • Oracle Fusion Middleware Security Guide for information about the following topics:

    • Oracle Platform Security, which is a security framework that runs on Oracle WebLogic Server. It provides application developers, system integrators, security administrators, and independent software vendors with a portable, integrated, and comprehensive security platform framework for Java SE and Java EE applications.

    • Common Audit Framework, which provides a uniform system for administering audits across a range of components, flexible audit policies, and prebuilt compliance-reporting features.

    • Identity, Policy, and Credential stores, which provide secure storage and management of user and role information, policies, and credentials.