Skip Headers
Oracle® Fusion Middleware Security Overview
11g Release 1 (11.1.1)

Part Number E12889-04
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
View PDF

5 Common Security Scenarios and Tasks

This chapter lists the most common security scenarios and tasks of interest to security administrators and developers. Links provide drill-down details on the concepts and how to implement security features in Oracle Fusion Middleware.

Topics include:

5.1 Single Sign-On

This section explains the products and deployment options for single sign-on in 11g Release 1 (11.1.1). Topics include:

5.1.1 Single Sign-On Options

Oracle Fusion Middleware supports many single sign-on options in 11g Release 1 (11.1.1). Oracle WebLogic Server provides single sign-on support through Security Assertion Markup Language (SAML) and Windows Native Authentication. In addition, identity assertion providers are also available for Oracle WebLogic Server to integrate with Oracle Access Manager which is the recommended enterprise-grade single sign-on solution from Oracle Identity Management. This offers a variety of choices for customers to choose from, depending on their needs.

See Also:

5.1.2 Deployment Scenarios

This section describes some common single sign-on scenarios in 11g Release 1 (11.1.1):

5.1.2.1 Setting up Oracle SOA or Oracle WebCenter 11g for the First Time

This scenario involves setting up Oracle SOA or Oracle WebCenter 11g Release 1 (11.1.1) for the first time with no previous Release 10g Application Server deployments.

In this scenario the customer has no previous Oracle Application Server deployment. The recommended single sign-on solution is Oracle Access Manager which allows customer to use Oracle Internet Directory or other LDAP servers of choice as the user and group repository.

5.1.2.2 Setting up Oracle SOA or Oracle WebCenter 11g with existing Oracle Application Server

This scenario involves setting up Oracle SOA or Oracle WebCenter 11g Release 1 (11.1.1) with existing Oracle Application Server Release 10g deployment where Oracle Internet Directory and Oracle Single Sign-On are used.

The customer is currently using Oracle Internet Directory as the user and group repository and Oracle Single Sign-On as the single sign-on solution in the 10g deployment. The 11g Release 1 (11.1.1) Oracle SOA or Oracle WebCenter deployment continues to rely on this Oracle Internet Directory and Oracle Single Sign-On infrastructure for single sign-on and user repository.

5.1.2.3 Setting up 11g Portal, Forms, Reports or Discover

Whether or not the customer has an existing 10g Oracle Application Server deployment, the 11g Release 1 (11.1.1) Portal, Forms, Reports and Discover only work with Oracle Internet Directory and Oracle Single Sign-On.

5.1.2.4 Setting up Oracle SOA or Oracle WebCenter 11g with 11g Portal, Forms, Reports or Discover

Because of the requirement in Section 5.1.2.3, "Setting up 11g Portal, Forms, Reports or Discover", this scenario also defaults to having Oracle Internet Directory and Oracle Single Sign-On as the recommended solution.

5.1.2.5 Setting up 11g Oracle Fusion Middleware with Oracle E-Business Suite

Oracle E-Business Suite 11/12 can integrate with Oracle Internet Directory and Oracle Single Sign-On. Where Oracle Internet Directory and Oracle Single Sign-On are used as an enterprise solution, they can continue to be used with 11g Release 1 (11.1.1) Oracle Fusion Middleware.

5.1.2.6 Delegating Authentication from Oracle Single Sign-On to Oracle Access Manager

While many of the scenarios mandate Oracle Single Sign-On to be the single sign-on solution, it is possible to delegate the authentication to an Oracle Access Manager instance. The scenario positions Oracle Access Manager as the enterprise solution while supporting components that only integrate with Oracle Single Sign-On - by having Oracle Single Sign-On delegating all authentication requests to Oracle Access Manager. This is also known as the "bridge" solution and is applicable to all scenarios where Oracle Single Sign-On is mandatory. Please note that Oracle Internet Directory is required to be the user and group repository in all cases.

5.2 Summary of Common Security Tasks

Table 5-1 lists the most common security tasks for the Oracle Fusion Middleware administrator, and the tool(s) used for each task.

Table 5-1 Common Security Tasks

Frequency Task Description Tools Notes

One-time

SSL enable Oracle HTTP Server, Oracle WebCache, Oracle Internet Directory, Oracle Virtual Directory and Oracle WebLogic Server

Fusion Middleware Control for:

  • Oracle HTTP Server

  • Oracle WebCache

  • Oracle Internet Directory

  • Oracle Virtual Directory

Keytool and WebLogic Server Administration Console for Oracle WebLogic Server

 
 

Change Policy Store and Credential Store to Oracle Internet Directory

Fusion Middleware Control, and Oracle Internet Directory commands

 
 

Configure Oracle Access Manager as Single Sign-On for Oracle Fusion Middleware

Fusion Middleware Control

 
 

Configure Authenticators

WebLogic Server Administration Console

 
 

Set up keystore for Oracle Web Services Manager

Java keytool utility

 
 

Configure OPSS login modules (like Kerberos) for Oracle Web Services Manager

Fusion Middleware Control

 
       

Frequent

Configure application security when deploying applications

When deploying Oracle ADF or OPSS-based applications, use Fusion Middleware Control

When deploying JavaEE applications, use WebLogic Server Administration Console

 
 

Manage application role-to-enterprise group mapping after deploying application

Fusion Middleware Control or WLST

Applicable to Oracle ADF or OPSS-based applications. Can be scripted using WLST for frequent operations.

 

Manage credentials used by the application

Fusion Middleware Control or WLST

Applicable to Oracle ADF or OPSS-based applications. Can be scripted using WLST for frequent operations.

 

Configure Oracle Web Services Manager policies for web services and clients

Fusion Middleware Control

 
 

Configure Oracle Web Services Manager client user credentials in OPSS Credential store

Fusion Middleware Control or WLST

 
 

Attach/Detach Oracle Web Services Manager policies to web services and clients

   
 

Configure Audit Store

   
 

Configure Audit Policies

Fusion Middleware Control or WLST for most components

 
 

View audit reports for Fusion Middleware components

Oracle Business Intelligence Publisher

 
       

5.3 Task-Based References

This section provides links to Oracle Fusion Middleware security documentation, including conceptual, administration, and development topics. Based on a develop-deploy-administer flow, it is organized in these sub-sections:

5.3.1 References for Security Tasks During Development

Developing with Oracle ADF

In the Oracle Fusion Middleware Documentation Library, see these items under Popular Tasks:

  • ADF Tasks

  • Security Tasks

Developing with Oracle Platform Security Services

Portlet Security

Securing Your WebCenter Application in the Oracle Fusion Middleware Developer's Guide for Oracle WebCenter

Programming Oracle WebLogic Server Security

Developing Security Providers for Oracle WebLogic Server

Developing applications for Oracle Internet Directory, Oracle Directory Integration Platform, and Oracle Single Sign-On

Developing Applications for Oracle Identity Management in the Oracle Fusion Middleware Application Developer's Guide for Oracle Identity Management

5.3.2 References for Security Tasks During Deployment

Deploying JavaEE Applications

Deploying Oracle Application Development Framework Applications

Securing Oracle WebLogic Server Web Services

Securing SOA Web Services

Directory Administration

Directory Integration and Provisioning

High Availability

Configuring High Availability for Identity Management Components in the Oracle Fusion Middleware High Availability Guide

5.3.3 References for Authentication

Java Applications

Oracle Identity Federation

5.3.4 References for Authorization

Coarse-Grained Authorization

OPSS Authorization and the Policy Store in the Oracle Fusion Middleware Application Security Guide

Fine-Grained Authorization

Creating an Entitlement Set in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server

Creating an Application Role in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server

Managing Delegated Applications in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server

Delegating With Administrator Roles in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server

Managing Application Resource Types in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server

Finding Objects with a Simple Search in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server

Mapping an External User to an Application Role in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server

Mapping External Roles to an Application Role in the Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server

5.3.5 References for SSL

SSL communication is available for Oracle Fusion Middleware components and applications in each tier:

5.3.6 References for Auditing

Concepts and Administration

Audit Reporting

For enterprise deployments, especially those taking advantage of the extensive auditing capabilities of Oracle Identity Management, it is highly recommended that you deploy a dedicated enterprise-class reporting solution. Oracle Business Intelligence Publisher provides such a solution with the flexibility, automation, and performance required for large-scale operations.

Several Oracle Identity Management components provide reports to enable you to keep track of audited events. See the following documents for details:

See Also:

Oracle Business Intelligence Publisher Administrator's and Developer's Guide for details about about using and managing Oracle Business Intelligence Publisher.

5.3.7 References for Logging and Diagnostics