6 Security Administration

This chapter introduces the tools available to an administrator and the typical tasks to manage application security; it is divided into the following sections:

For advanced administrator tasks, see Appendix E, "Administration with WLST Scripting and MBean Programming."

6.1 Choosing the Administration Tool According to Technology

The three basic tools available to a security administrator are Oracle Enterprise Manager Fusion Middleware Control, the Oracle WebLogic Administration Console, and the Oracle WebLogic Scripting Tool (WLST). For further details on these and other tools, see chapter 3, Getting Started Managing Oracle Fusion Middleware in Oracle Fusion Middleware Administrator's Guide.

The main criterion for choosing the tool to administer an application is whether the application uses only container-managed security (a JavaEE application) or also includes Oracle ADF security (an Oracle ADF application).

Oracle-specific applications, such as Oracle Application Development Framework (Oracle ADF) applications, Oracle Service-Oriented Architecture (SOA) applications, and WebCenter applications, are deployed, secured, and maintained with Fusion Middleware Control.

Other applications, such as those developed by third parties, JavaSE, and JavaEE applications, are typically deployed, secured, and administered with Oracle WebLogic Administration Console or with WLST.

The recommended tool to develop applications is Oracle JDeveloper 11g. This tool helps the developer configure file-based identity, policy, and credential stores through specialized editors and UI gadgets. In particular, when developing Oracle ADF applications, the developer can run a wizard to configure security for web pages associated with Oracle ADF resources (such as Oracle ADF task flows and page definitions), and define security artifacts using a specialized, visual editor for the file jazn-data.xml.

For details about procedures and related topics, see the following sections in the Oracle JDeveloper online help documentation:

  • Securing a Web Application Using Oracle ADF Security

  • Securing a Web Application Using Java EE Security

  • About Oracle ADF Security as an Alternative to Security Constraints

  • About Securing Web Applications

For further details about Oracle ADF Security and its integration with Oracle JDeveloper, see Accessing the Oracle ADF Security Design Time Tools, in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.

6.2 Basic Security Administration Tasks

Table 6-1 lists some basic security tasks and the tool(s) used to execute them. Recall that the tool chosen to configure and manage application security depends on the type of the application: for JavaEE applications, which use just container-managed security, use the Oracle WebLogic Administration Console; for Oracle ADF applications, which use fine-grained authorization, use Fusion Middleware Control.

Manual settings without the aid of the tools listed below are not recommended. For information about using the Oracle WebLogic Administration Console to perform the tasks marked with an X, see the list of links following the table.

Table 6-1 Basic Administrative Security Tasks

| Task | Use Fusion Middleware Control Security Menu | Use Oracle WebLogic Administration Console |
|---|---|---|
| Configure WebLogic Domains | | |
| Configure WebLogic Security Realms | | |
| Manage WebLogic Domain Authenticators | | |
| Enable SSO for MS clients, Web Browsers, and HTTP clients | | |
| Manage Domain Administrative Accounts | | |
| Manage Credentials for Oracle ADF Application | | |
| Enable anonymous role in Oracle ADF Application | Security Provider Configuration | |
| Enable authenticated role in Oracle ADF Application | Security Provider Configuration | |
| Enable JAAS in Oracle ADF Application | Security Provider Configuration | |
| Map application to enterprise groups for Oracle ADF Application | Application Roles or Application Policies | |
| Manage systemwide policies for Oracle ADF Applications | System Policies | |
| Configure OPSS Properties | Security Provider Configuration | |
| Reassociate Domain Policy and Credential Stores | Security Provider Configuration | |

Details about using the Oracle WebLogic Administration Console for the tasks above are found in the following documents:


OPSS does not support automatic backup or cloning of server files. It is recommended that the server administrator periodically back up all server configuration files, as appropriate, using third-party tools.

6.2.1 Setting Up a Brand New Production Environment

A new production environment based on an existing environment can be set up in either of the following ways:

  • Replicating an established environment using Oracle Cloning utilities. For details, see section 17.5, Cloning a Middleware Home or an Oracle Home, in Oracle Fusion Middleware Administrator's Guide.

  • Reinstalling software and configuring the environment, as it was done to set up the established environment.

6.3 Typical Security Practices with Fusion Middleware Control

Fusion Middleware Control is a Web-based tool that allows the administration of a network of applications from a single point. Fusion Middleware Control is used to deploy, configure, monitor, diagnose, and audit Oracle SOA applications, Oracle ADF applications, Oracle WebCenter, and other Oracle applications using OPSS. Note that this section mentions only security-related operations.

With regard to security, it supports several administration tasks; using this tool, an administrator can:

For a summary of security administrative tasks and the tools used to execute them, see Basic Security Administration Tasks.

For further details about other functions, see the Fusion Middleware Control online help documentation.

6.4 Typical Security Practices with the Administration Console

This section addresses security-related operations and some basic administrative operations.

The Oracle WebLogic Administration Console is a Web-based tool that allows, among other functions, application deployment and redeployment, domain configuration, and monitoring of application status. Note that this section mentions only security-related operations.

Typical operations tasks performed with the Oracle WebLogic Administration Console include the following:

For details about Oracle WebLogic Administration Console, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

6.5 Typical Security Practices with WLST Commands

WLST is a command-line interface that allows the scripting and automation of administration tasks, including domain configuration and application deployment.

The following is the complete list of security-related WLST commands documented in this guide. For a complete list of all WLST commands, see Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

Policy-Related Commands

For details on the following commands, see Section 8.4.2, "Managing Policies with WLST Commands."

  • createAppRole

  • deleteAppRole

  • grantAppRole

  • revokeAppRole

  • listAppRoles

  • listAppRoleMembers

  • grantPermission

  • revokePermission

  • listPermissions

  • deleteAppPolicies

Credential-Related Commands

For details on the following commands, see Section 9.5.2, "Managing Credentials with WLST Commands."

  • listCred

  • updateCred

  • createCred

  • deleteCred

  • modifyBootStrapCredential

Other Commands