The following sections describe how to set up and manage security for Oracle WebLogic Integration solution deployments:
Before you proceed with the remainder of this topic, be sure to read.
The foundation of every secure deployment of an Oracle WebLogic Integration solution is the set of security features provided by Oracle WebLogic Server. After you configure security for the underlying Oracle WebLogic Server layer of your environment, you need to configure and manage security for those Oracle WebLogic Server entities that are specific to Oracle WebLogic Integration:
As the security administrator for your environment, you need to focus your efforts on a set of predefined principals and resources that are created along with an Oracle WebLogic Integration domain.
This introduction presents the following topics to give you a high-level view of Oracle WebLogic Integration security:
|Note:||For a secure deployment, avoid running Oracle WebLogic Integration in the same Oracle WebLogic Server instance as any applications for which security is not provided. Internal Oracle WebLogic Integration API calls are not protected from such collocated applications.|
When you create an Oracle WebLogic Integration domain using the Domain Configuration Wizard, the domain is configured to include:
For information about using the Configuration Wizard, see.
All passwords are kept in encrypted form in the PasswordStore. Oracle WebLogic Integration does not require clear-text passwords. The PasswordStore uses the Sun JCE provider for password-based encryption. Access to passwords is controlled through an MBean API, and passwords are accessed using password aliases.
You use the Oracle WebLogic Integration Administration Console to manage passwords in the PasswordStore. For more information, see the following topics in Using the WebLogic Integration Administration Console:
Oracle WebLogic Integration requires that you use keystores to store all private keys and certificates. A keystore is a protected database that holds keys and certificates. If you have keys and certificates and use message encryption, digital signatures, or SSL, you must use a keystore for storing those keys and certificates and make the keystore available to applications that might need it for authentication or signing purposes.
When you set up an Oracle WebLogic Integration domain for trading partner integration collaborations, the following keystores are configured.
Stores private keys for local trading partners and certificates for both the local trading partner and remote trading partners. Certificates are of the following types:
Oracle WebLogic Integration retrieves private keys and certificates from this keystore to use for SSL, message encryption, and digital signatures. For more information about certificates, see About Digital Certificates.
When you create a new domain using the Oracle WebLogic Configuration Wizard and the Oracle WebLogic Integration template, the new domain contains Demo keystores of type JKS. The Demo keystores perform the following actions:
You can use the Demo keystores in a development or testing environment, but you must either create or use existing identity and trust keystores suitable for a production environment. To create a keystore and make it available for trading partner integration:
For information about refreshing the keystore using the Oracle WebLogic Integration Administration Console, see “Refreshing the Keystore” in Using the WebLogic Integration Administration Console.
In a clustered domain, you need to create and configure a separate keystore for each Oracle WebLogic Server.
Oracle WebLogic Integration supports role-based authorization. Although the specific users (principals) that require access to the components that make up your Oracle WebLogic Integration application may change depending on the deployment environment, the roles that require access are typically more stable. Authorization involves granting an entity permissions and rights to perform certain actions on a resource.
In role-based authorization, security policies define the roles that are authorized to access the resource. In addition to the built-in roles that are associated with certain administrative and monitoring privileges, security policies that control access to the following resources can be configured from the Oracle WebLogic Integration Administration Console:
Policies define the role required to invoke the process operations. For more information on the policies you can set, see “Process Security Policies” under “About Process Configuration” in Using the WebLogic Integration Administration Console.
Once the roles required for access are set, the administrator can map users or groups to the roles as required.
Unlike membership in a group, which is directly assigned, membership in a security role is dynamically calculated based on the set of conditions that define the role statement. Each condition specifies user names, group names, or time of day. When a principal (user) is “in” a role based on the evaluation of the role statement, the access permissions of the role are conferred on the principal.
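A simplified model of the role evaluation described above, added here as an illustration; it is not Oracle WebLogic Server code or its API. The `Role` class, the condition builders, the sample users and role names, and the rule for combining conditions are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample data: group membership is assigned directly.
GROUPS = {"alice": {"Operators"}, "bob": {"Operators", "Admins"}, "carol": set()}

@dataclass(frozen=True)
class Request:
    user: str
    at: time  # time of day of the access attempt

# Condition builders (hypothetical names); each returns a predicate on a Request.
def user_is(name):
    return lambda r: r.user == name

def in_group(group):
    return lambda r: group in GROUPS.get(r.user, set())

def between(start, end):
    """Half-open window [start, end); also handles windows that wrap past midnight."""
    def check(r):
        if start <= end:
            return start <= r.at < end
        return r.at >= start or r.at < end
    return check

@dataclass
class Role:
    name: str
    # Role statement as a list of clauses. Assumption of this example: all
    # conditions in a clause must hold, and one satisfied clause is enough.
    clauses: list

    def includes(self, request):
        return any(all(cond(request) for cond in clause) for clause in self.clauses)

def roles_for(request, roles):
    """Evaluate every role statement for this request; no per-user role list is stored."""
    return sorted(role.name for role in roles if role.includes(request))

# Constructed role names and statements.
ROLES = [
    Role("DayOperator", [[in_group("Operators"), between(time(8), time(18))]]),
    Role("NightOperator", [[user_is("carol"), between(time(22), time(6))]]),
    Role("Admin", [[in_group("Admins")]]),
]

if __name__ == "__main__":
    for user, at in [("alice", time(10)), ("alice", time(20)), ("carol", time(23, 30))]:
        print(user, at, roles_for(Request(user, at), ROLES))
```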
Before you configure the security for your Oracle WebLogic Integration domain, consider the following:
The following sections present a high-level discussion of these considerations and describe how they affect your Oracle WebLogic Integration security configuration.
Digital certificates are electronic documents used to identify principals and objects as unique entities over networks such as the internet. A digital certificate securely binds the identity of a user or object, as verified by a trusted third party known as a certificate authority, to a particular public key. The combination of the public key and the private key provides a unique identity for the owner of the digital certificate.
When you set up an Oracle WebLogic Integration environment as the foundation of your inter-enterprise commerce, using Trading Partner Integration capabilities, you need to obtain and configure a specific set of digital certificates and keys. This set includes the following:
Make sure that the formats and packaging standards of your digital certificates are compatible with Oracle WebLogic Server. Digital certificates have various encoding schemes, including the following:
The public key infrastructure (PKI) in Oracle WebLogic Server recognizes digital certificates that comply with either version 1 or version 3 of X.509 (X.509v1 and X.509v3). We recommend obtaining digital certificates from a certificate authority, such as Verisign or Entrust.
|Note:||If a trading partner in a conversation uses Microsoft IIS as a proxy server, all the certificates used in the conversation must be trusted by a well-known Certificate Authority, such as Verisign or Entrust. The use of self-signed certificates will cause a request passed through the IIS proxy server to fail. This is a restriction in IIS, not Oracle WebLogic Integration.|
For more details, see “Transport-Level Security” in Introducing Trading Partner Integration.
The SSL protocol provides secure connections by supporting two functions:
An SSL connection begins with a handshake during which the applications exchange digital certificates, agree on the encryption algorithms to be used, and generate encryption keys that are then used for the remainder of the session.
If you are using SSL for trading partner authentication and authorization, which we strongly recommend for Trading Partner Integration collaborations, you need to configure the following:
Not required by SSL, but strongly recommended, is the creation and use of identity and trust keystores for storing all the certificates and keys used in your Oracle WebLogic Integration domain. For more information about SSL, certificates, and keystores, see Securing WebLogic Server.
This section discusses the implications of using either an outbound proxy server or the Oracle WebLogic proxy plug-in.
A proxy server allows trading partners to communicate across intranets or the Internet without compromising security. If you are using Oracle WebLogic Integration in a security-sensitive environment, you may want to use Oracle WebLogic Integration behind a proxy server. Specifically, a proxy server is used to:
When proxy servers are configured on the local network, network traffic (sent with the SSL and HTTP protocols) is tunneled through the proxy server to the external network.
If an outbound proxy server is used in your environment, be careful when specifying the transport URI endpoints for the local trading partner. If you are using an HTTPS proxy, then you need to specify the ssl.ProxyPort Java system properties. For details, see “Configuring Trading Partner Integration to Use an Outbound HTTP Proxy Server” in Introducing Trading Partner Integration.
As an alternative to using an outbound proxy server, you may want to configure Oracle WebLogic Integration with a Web server, such as an Apache server, that is programmed to handle business messages from a remote trading partner. The Web server can provide the following services:
The Web server then uses the WebLogic proxy plug-in, which you can configure to provide the following services:
To configure the WebLogic proxy plug-in, perform the following actions:
If your Oracle WebLogic Integration environment is configured with a firewall, make sure your firewall is configured properly so that business messages can flow freely to and from local trading partners via the HTTP or HTTPS protocols.
The following sections provide instructions for the tasks you must complete to set up a secure deployment:
Create the Oracle WebLogic Integration domain using the Domain Configuration Wizard, as described in Configuring a Single-Server Deployment or Configuring a Clustered Deployment.
|Note:||We recommend that you configure your domain with SSL enabled.|
The Oracle WebLogic Server Administration Console enables you to make additional customizations to your Oracle WebLogic Integration domain and default security realm.
For information about customizing security features using the Oracle WebLogic Server Administration Console, see “Customizing the Default Security Configuration” in.
For a description of how to add firewall information to your domain configuration file, see Adding Proxy Server or Firewall Information to Domain Configuration.
When configuring Oracle WebLogic Server security, be sure to do the following:
If the two names are not the same, then the local Oracle WebLogic Server instance must be configured with hostname verification disabled. This requirement applies to the server certificate for any trading partner in any Trading Partner Integration. You can disable hostname verification in the Oracle WebLogic Server Administration Console by checking the Hostname Verification Ignored attribute on the SSL tab for the Server node.
|Note:||We do not recommend configurations that require you to disable hostname verification. Hostname verification prevents some types of security attacks.|
About Digital Certificates lists the supported certificate formats. For server certificates, PEM encoded X.509 V1 or V3 is the most commonly accepted format by SSL servers.
You may specify one file containing all the intermediate and root CA certificates. (Note that if the file contains more than one CA certificate, Oracle WebLogic Server requires a PEM encoded file.) If you use the trust keystore to store trusted CA certificates, be sure to import the whole chain into the trust keystore.
|Note:||Note the following considerations for using keystores:|
Using Oracle Workshop for WebLogic, a developer can edit Web application settings and Web service security-related deployment descriptors in the following three XML files before building and packaging the EAR file that contains your Oracle WebLogic Integration application:
A system administrator at deployment time may have more information regarding the production environment and security requirements. Under these circumstances, you can reconfigure the Web application settings and Web service security-related deployment descriptors in your EAR file as necessary by performing the following procedure.
|Note:||A developer typically adds any Service Broker control, Process control or callback selector annotations that are necessary for security to
weblogic.xml, security-related deployment descriptors for Web applications that contain JPDs should be set to appropriate user credentials, method of authentication, and location of resources.
|WARNING:||Redeploying an application from Oracle Workshop for WebLogic causes a loss of security authorizations. Deploy the EAR file using the Oracle WebLogic Server Administration Console to preserve your security authorizations.|
For information about packaging and deploying EAR files, see.
Once the Oracle WebLogic Integration application has been deployed on your production hardware, you can use the Oracle WebLogic Integration Administration Console to configure security policies and manage users.
For the procedure to start the Oracle WebLogic Server Administration Console, see Managing WebLogic Integration Solutions.
The following sections provide instructions for the tasks you must complete to configure security policies and manage users:
On these pages, you can configure the client certificate or username/password settings used in outbound calls by the selected service broker or process control. For descriptions of these settings and the procedures to configure them, see “Adding or Changing Dynamic Control Selectors” in Using the WebLogic Integration Administration Console.
The View and Edit Users page displays a list of all users within Oracle WebLogic Integration. From this page you can create new users, delete users, or access details—including group membership—for a selected user.
The View and Edit Groups page displays a list of all groups within Oracle WebLogic Integration. From this page you can create new groups, delete groups, or access details—including group membership—for a selected group.
The View and Edit Roles page displays a list of all roles within Oracle WebLogic Integration. From this page you can create new roles, delete roles, or access details—including role conditions—for a selected role.
Oracle WebLogic Integration domains include the following default Oracle WebLogic Integration groups and roles that have access to worklist functionality:
The process of configuring worklist security is basically one of assigning users to groups, groups to roles, and ensuring that those roles have appropriate permission levels by defining policies. (For information on how to make these assignments, see Managing Production Users.) Once you have configured worklist security, you can manage owners for tasks in a worklist.
The Oracle WebLogic Integration Administration Console provides tools that allow you to manage users, groups, roles, and policies, along with worklist task ownership.
Oracle WebLogic Integration solutions that involve the exchange of messages between trading partners across firewalls have special security requirements, including trading partner authentication and authorization, as well as nonrepudiation.
To configure Trading Partner Integration security, you must perform the following tasks:
For detailed information and procedures regarding configuration of Trading Partner Integration, see Introducing Trading Partner Integration.