|Oracle® Fusion Middleware Security Overview
11g Release 1 (11.1.1)
Part Number E12889-04
This chapter provides a survey of security capabilities in Oracle Fusion Middleware and a road map for system administrators and application developers. It contains these topics:
We start by defining some common terms that are used in this document and throughout the related documents listed in the preface.
Some industry standards, such as SAML, are included for their relevance to later discussion. The list is not intended to be comprehensive.
An application can be provided by Oracle or by a third-party vendor, or it can be developed in-house. In all cases, applications are designed to run in an application server environment and to take advantage of Oracle Fusion Middleware features and capabilities.
The typical life cycle of an application includes these phases:
Migration (Test to Production)
Upgrade (for example, from Release 10.1.x to Release 11g)
ongoing maintenance tasks (for example, patching) in a production environment.
Security is an integral part of the application life cycle, although the scope and implementation details may vary.
For example, at development time user credentials can simply be stored in a file, whereas a deployed application is generally secured with an identity management solution using an LDAP directory at the back-end.
something one has, for example, credentials issued by a trusted authority such as a passport (real world) or a smart card (IT world),
something one knows, for example a shared secret such as a password,
something one is, for example, biometric information
Also known as access control, authorization is designed to grant access to specific resources based on an authenticated user's entitlements. Entitlements are defined by one or several attributes. An attribute is the property, characteristic, or role of a user; for example, if "Raj" is the user, "software engineer" is the attribute (or role).
In Oracle Fusion Middleware 11g Release 1 (11.1.1), the credential store is either file-based (Oracle wallet) or an LDAP-based repository for storing credentials such as passwords.
For details, see:
Enabling ADF Security in a Fusion Web Application in the Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework
The deployment phase is the second stage in the life cycle of an application. During this phase, administrators package the application and deploy it to the target environment (for example, an application server) to enable end user access.
In the deployment phase, administrators typically perform application role-to-enterprise group mappings. For more information, see
In Oracle Fusion Middleware 11g Release 1 (11.1.1), the default identity store is an embedded LDAP store maintained in the Oracle WebLogic Server process suitable for testing and small-scale deployments only. Enterprise LDAP servers (Oracle Internet Directory and third-party LDAP directories) are also supported.
See Section 2.3.1, "Authentication" for related information.
The infrastructure refers to the full range of system software required to deploy an application. Infrastructure hardening is the process of applying security to each component of the infrastructure, including web servers, application servers, identity and access management solutions, and database systems. Infrastructure hardening is the basis for end-to-end security across the multiple infrastructure components involved in a transaction.
Note:In the context of securing Oracle WebLogic Server, this task is referred to as "lockdown." However, in the broader context of Oracle Fusion Middleware, it is referred to as infrastructure hardening.
See Also:The WebLogic Security Service provides a powerful and flexible set of software tools for securing the subsystems and applications that run on a server instance. For details, see Oracle Fusion Middleware Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server
Java Authentication and Authorization Service (JAAS)
for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an application, an applet, a bean, or a servlet; and
for authorization of users to ensure they have the access control rights (permissions) required to do the actions performed.
For details, see the Java Authentication and Authorization Service (JAAS) Reference Guide at:
Oracle Fusion Middleware provides two types of keystores for keys and certificates:
JKS-based keystore and truststore, the default JDK implementation of Java keystores provided by Sun Microsystems. JKS keystores are used for Oracle Virtual Directory and other products.
Oracle wallet, a container for PKCS#12-based credentials. Oracle wallets are used for Oracle Internet Directory and other products.
For more information, see Section 4.2, "Keystores".
Oracle Application Development Framework (ADF)
Oracle Application Development Framework (Oracle ADF) is an innovative, comprehensive Java EE development framework that is directly supported and enabled by the Oracle JDeveloper 11g development environment.
Oracle ADF simplifies Java EE development by minimizing the code that implements the application's infrastructure, allowing the users to focus on the features of the actual application. Oracle ADF provides these infrastructure implementations as part of the framework. To recognize a set of run-time services is not enough, Oracle ADF is also focused on the development experience to provide a visual and declarative approach to Java EE development through the Oracle JDeveloper 11g development tool.
Oracle ADF is based upon Oracle Platform Security Services.
Oracle Access Manager is available for both 10g and 11g releases:
Oracle Access Manager 10g provides a full range of identity administration and security functions that include Web single sign-on; user self-service and self-registration; sophisticated workflow functionality; auditing and access reporting; policy management; dynamic group management; and delegated administration.
Oracle Access Manager 11g provides a full range of web perimeter security functions that include Web single sign-on; authentication and authorization; identity assertion; policy administration; and auditing.
Oracle Access Manager 11g differs from Oracle Access Manager 10g in that the identity administration features, including user self-service and self registration, sophisticated workflow functionality, dynamic group management, and delegated identity administration have been transferred to Oracle Identity Manager 11g. At the same time, Oracle Access Manager 11g provides access control to Oracle Identity Manager 11g.
See Also:"Oracle Identity Manager".
Rapid growth in online applications and services has brought increasing sophistication of internet fraud. Threats from Phishing, Pharming, Trojans, Key Logging, and Proxy Attacks, combined with regulations and mandates (such as FFIEC, HIPAA, PCI) governing online data privacy, place online security at a premium.
Oracle Adaptive Access Manager provides superior protection for businesses and their customers through strong yet easy-to-deploy authentication strengthening, multifactor authentication and proactive, real-time fraud prevention.
Formerly SUN Directory Server Enterprise Edition, Oracle Directory Server Enterprise Edition is the best known directory server with proven large deployments in carrier and enterprise environments. It is also the most supported directory by ISVs, so it is ideal for heterogeneous environments. ODSEE provides a core directory service with embedded database, directory proxy, Active Directory (AD) synchronization and a Web administration console.
See Also:"Oracle Internet Directory"
Oracle Enterprise Manager Fusion Middleware Control
Fusion Middleware Control is a JMX-based GUI management tool provided as part of Oracle Enterprise Manager.
Oracle Entitlements Server
Oracle Entitlements Server is a fine-grained entitlements management solution that externalizes and centralizes administration of enterprise entitlements, simplifies authorization policies, and enforces security decisions in distributed, heterogeneous applications.
Oracle Entitlements Server secures access to application resources and software components (such as URLs, EJBs, and JSPs) and to arbitrary business objects (such as customer accounts or patient records). Oracle Entitlements Server policies specify which users, groups, and roles can access application resources, allowing those roles to be dynamically resolved at run-time.
Oracle Entitlements Server can also evaluate specialized attributes to make more granular access control decisions through a unique, flexible architecture called Security Modules. The server's standalone administration service manages and distributes complex entitlements policies to policy decision and enforcement points. Security modules may run in a centralized mode or they can be embedded within an application, ensuring maximum flexibility and high performance authorizations for business critical applications.
Oracle Identity Analytics (formerly Sun Role Manager) enables enterprises to engineer and manage roles and automate critical identity-based controls. Its key features include a central repository of identity, access and audit data, optimized for complex analytical queries; automated attestation processes providing a 360-degree view of users' access; segregation of duties (SoD) enforcement; role lifecycle management; and various compliance and operational dashboards.
Oracle Identity Federation
Oracle Identity Federation is an industry-leading federation solution providing a self-contained and flexible multi-protocol federation server that can be rapidly deployed with your existing identity and access management systems. Support for leading standards-based protocols ensures interoperability to share identities across vendors, customers, and business partners without the increased costs of managing, maintaining, and administering additional identities and credentials.
Oracle Identity Manager
Oracle Identity Manager is a best-in-class user provisioning and administration solution that automates the process of adding, updating, and deleting user accounts from applications and directories; and improves regulatory compliance by providing granular reports and attestation support to report and certify user access.
Oracle Internet Directory is an LDAP v3 compliant directory with meta-directory capabilities. It is built on the industry leading Oracle database and is fully integrated into Oracle Fusion Middleware and Oracle Applications. Thus, it is ideally suited for Oracle environments or enterprises with Oracle database expertise.
Oracle Internet Directory provides security at every level from data in transit to storage and backups. In addition to LDAP security, it leverages Oracle database security features like Database Vault and Transparent Data Encryption. Database Vault enables separation of duty (SOD) while Transparent Data Encryption secures data in storage and backup.
Oracle Platform Security Services (OPSS)
Oracle Platform Security Services (OPSS) provides enterprise product development teams, systems integrators (SIs), and independent software vendors (ISVs) with a standards-based, portable, integrated, enterprise-grade security framework for Java Standard Edition (Java SE) and Java Enterprise Edition (Java EE) applications.
OPSS provides an abstraction layer in the form of standards-based application programming interfaces (APIs) that insulate developers from security and identity management implementation details. In-house developed applications, third-party applications, and integrated applications all benefit from the same uniform security, identity management, and audit services across the enterprise.
When they leverage OPSS, developers do not have to know the details of cryptographic key management or interfaces with user repositories and other identity management infrastructures.
Oracle Security Token Service brokers trust between a Web Service Consumer (WSC) and a Web Service Provider (WSP) and provides security token lifecycle management services to providers and consumers.
Oracle Security Token Service is compliant and co-exists with Oracle Access Manager (using Oracle Access Manager as the primary authenticator for Web clients requesting tokens).
Oracle Virtual Directory provides identity aggregation and virtualization without synchronization. It is not LDAP storage, but rather, a virtualization service. Key features include a single interface for identity, an LDAP interface for non-LDAP data including databases and Web services, data transformation features, and application-specific views of data.
For customers who also need directory storage, Oracle Virtual Directory shares a unified administration and management system with Oracle Internet Directory.
Oracle Web Services Manager
Oracle Web Services Manager is a comprehensive solution for adding policy-driven best practices to all your existing or new Web services and provides the key security and management capabilities necessary to deploy Service-Oriented Architectures across your line-of-business applications.
Oracle Web Services Manager is Oracle Fusion Middleware's policy model, based on WS-Policy. Oracle Web Services Manager provides security to many Oracle Fusion Middleware components such as Oracle WebCenter, Oracle ADF, and OSB.
Oracle Web Services Manager allows IT management to centrally define policies that govern Web services operations (such as access policy, logging policy, and load balancing), then wrap these policies around Web services without needing to modify those services.
Oracle Web Services Manager collects monitoring statistics to ensure quality of service, uptime, and security threats and displays them in a Web dashboard.
An Oracle wallet is a container that stores credentials such as certificates, trusted certificates, certificate requests, and private keys. You can store Oracle wallets on the file system or in LDAP directories such as Oracle Internet Directory. Oracle wallets can be auto-login or password-protected wallets.
You use an Oracle wallet for the following components:
Oracle HTTP Server
Oracle Web Cache
Oracle Internet Directory
A partner application is an Oracle Application Server-based application or a non-Oracle application that delegates the authentication function to the OracleAS SSO (OSSO) server. A partner application is responsible for determining whether a user authenticated by OSSO is authorized to use the application. Examples of partner applications include Oracle Portal, Oracle Discoverer, and Oracle Delegated Administration Services.
Note:Oracle recommends using Oracle Access Manager 11g. For details, see Introduction to Oracle Access Manager 11g SSO in the Oracle Fusion Middleware Application Security Guide.
Security Assertions Markup Language (SAML) is an XML-based framework for exchanging security information over the Internet. SAML enables the exchange of authentication and authorization information between various security services systems that otherwise would not be able to interoperate.
Web Services Security
Web services security includes authentication and authorization (described above), confidentiality and privacy (keeping information secret), and integrity / non repudiation (making sure that a message remains unaltered during transit by having an authority digitally sign that message; a digital signature also validates the sender and provides a time stamp ensuring that a transaction cannot be later repudiated by either the sender or the receiver). Web services security requirements are supported by industry standards both at the transport level (Secure Socket Layer) and at the application level relying on XML frameworks, for example XML encryption, XML signature, and Security Assertion Markup Language (SAML).
eXtensible Access Control Markup Language (XACML)
By Oracle Fusion Middleware security, we mean the full range of security options available to applications throughout their life cycle in 11g Release 1 (11.1.1). At the outset it is important to note that, beginning with this release, Oracle WebLogic Server is the application server for Oracle Fusion Middleware. Existing users can continue to use the security facilities provided by Oracle WebLogic Server, using the same configuration tools as before.
Oracle WebLogic Server security is unchanged in 11g Release 1 (11.1.1) and customers can use existing Oracle WebLogic Server tools for managing base container/JavaEE security.
See Also:Chapter 5, "Common Security Scenarios and Tasks" for more information about the different security options in Oracle Fusion Middleware.
Oracle Fusion Middleware supports a range of authentication and single sign-on options, including:
See "Identity Store" for information.
Support for 10g Oracle Single Sign-On and 10g Oracle Access Manager.
Note:Oracle Access Manager is the preferred solution. For more information, see Section 5.1, "Single Sign-On".
Oracle WebLogic Server contains authentication providers for both of these products.
As noted earlier (see Section 1.1, "Terminology"), Oracle Platform Security Services (OPSS) provides a standards-based, portable, integrated, enterprise-grade security framework for Java Standard Edition (Java SE) and Java Enterprise Edition (Java EE) applications.
OPSS provides security services to both Oracle WebLogic Server and such Oracle components as:
Oracle SOA Suite
Oracle Entitlement Server
Oracle Web Services Manager
For details, see Chapter 2, "About Oracle Platform Security Services".
At the transport level, Oracle SOA Suite relies primarily on the security features of Oracle WebLogic Server and Oracle Fusion Middleware. For example, you enable Secure Socket Layer (SSL) on Oracle SOA Suite connections into Oracle WebLogic Server by using the Oracle WebLogic Server Administration Console to configure listeners. At the message level, Oracle SOA Suite relies on Oracle Web Services Manager.
In addition, here are some suite-specific aspects of security:
SSL between Oracle SOA Suite and Oracle HTTP Server
automatic authentication when accessing a second Oracle BPM Worklist from a first Oracle BPM Worklist in Security Assertion Markup Language (SAML) single sign-on environments
automatic authentication of Oracle BPM Worklist users in Windows native authentication environment through Kerberos
Oracle BAM User Permissions
Oracle Internet Directory with Oracle BAM
Secure storage of sensitive driver properties like passwords in the credential store
transport-level security using SSL
At the message level, Oracle WebCenter relies on Oracle Web Services Manager for security.
The WebCenter Spaces application supports:
Application role management and privilege mapping
Group Space security management
Account and password management
The WebCenter Security Framework supports:
Service Security Extension Framework
Permission- and Role-mapping-based authorization
External applications and credential mapping
ADF Security supports:
Page and task flow authorization
Secure connection management
Credential mapping APIs
Oracle Platform Security Services (OPSS) supports:
Anonymous-role and Authenticated-role support
Identity store, policy store, and credential store
Identity Management Services
Oracle Web Services Manager Security
For details, see Managing Security in the Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter.
Security can be defined as controlled access to the Oracle Fusion Middleware infrastructure and to enterprise applications built upon that infrastructure.
Figure 1-1 shows how Oracle Fusion Middleware supports the classic three-tier enterprise environment:
In this model:
The Web tier consists of components like WebCache and Oracle HTTP Server, which protect resources and control access to applications.
The Middle tier runs Oracle WebLogic Server, which hosts the security Service Provider Interfaces (SPIs) and APIs. Oracle Fusion Middleware components such as Oracle SOA Suite, Oracle WebCenter, and Oracle Web Services Manager operate in the middle tier.
See Also :Section 2.1.2, "How Applications Can Use Oracle Platform Security Services" for a description of the SPI model.
The data tier is the repository for LDAP directories and databases, such as Oracle Internet Directory, Oracle Virtual Directory, and Oracle Database.
The following diagram is a high-level overview of the major elements of security in Oracle Fusion Middleware:
This figure shows the elements of security in Oracle Fusion Middleware: the Web tier on the left contains load balancers and other components outside the firewall; the middle tier hosts Oracle WebLogic Server and its applications; and on the right, the Data tier contains databases and directories. Different administration tools are shown at the top of the figure.
Key elements of this architecture are as follows:
Fusion Middleware Control, GUI-based administration tool for Oracle Fusion Middleware. You use Fusion Middleware Control to configure, manage and monitor components and applications, and to implement security for these components:
Oracle HTTP Server
Oracle Web Cache
Oracle Internet Directory
Oracle Virtual Directory
Oracle WebLogic Server is the application server for Oracle Fusion Middleware components such as Oracle SOA Suite, Oracle Identity Management, Oracle WebCenter, and applications developed by customers, system integrators, and third-party vendors.
The vertical broken lines represent firewalls
The circles represents listeners that can be SSL-enabled for secure communication
For details, see Chapter 4, "Infrastructure Hardening".
Oracle Fusion Middleware contains these graphical and command-line run-time tools:
Fusion Middleware Control enables you to configure Oracle applications running on the server, and to leverage security features that rely on the OPSS APIs.
The Oracle WebLogic Scripting Tool (
WLST) is a command-line scripting environment that you can use to create, manage, and monitor WebLogic Server domains, and administer Oracle Fusion Middleware security features