Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Service Bus
11g Release 1 (11.1.1.7)

Part Number E15867-07
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

17 Service Accounts

This chapter describes Service Accounts and provides steps on how to create, locate, edit, and delete Service Account resources using the Oracle Service Bus Administration Console.

A service account provides a user name and password that proxy services and business services use for outbound authentication or authentication to a local or remote resource, such as an FTP server or a JMS server. For example, if a business service is required to supply a user name and password for transport-level authentication with a Web Service, you create a service account that specifies the user name and password, then you configure the business service to include the service-account credentials in its outbound requests.

The user names and passwords that you enter in service accounts are used for outbound authentication or for providing credentials to local or remote resources. The user names and passwords that you enter in the Security Configuration module of the Oracle Service Bus Administration Console are used for inbound authentication and for authenticating administrative requests. See Section 17.1, "Specifying Service Accounts."

17.1 Specifying Service Accounts

You can use the same service account for multiple business services and proxy services. To specify the user name and password that a service account provides, you can use any of the following techniques:

Related Topics

17.1.1 Using Service Accounts Data and Sessions

Service accounts and their data participate fully in Oracle Service Bus sessions: you must be in a session to create or modify a service account, and if you discard the session, the service account and its data is also discarded. When you activate a session, Oracle Service Bus saves the user name, password, and other service account data in the user name/password credential mapping provider that is configured for the domain.

17.2 Locating Service Accounts

To locate Service Accounts:

  1. Do either of the following:

    • Select Project Explorer to display the Projects View page or the Project/Folder View page. Then navigate through projects and folders to find the service account.

    • Select Resource Browser > Service Accounts. The Summary of Service Accounts displays the information shown in Table 17-1.

  2. To search for a service account, enter part or all of the account name in the Name field. You can also enter part or all of the account project name and folder in the Path fields. Click Search.

    Click View All to remove the search filters and display all service accounts.

Table 17-1 Service Account Information

Property Description

Service Account Name

A unique name for the service account. Click the name to see the View Service Account Details page. See Section 17.4, "Editing Service Accounts."

Path

The project name and the name of the folder in which the service account resides. Click the name to see the project or folder that contains this resource. See Section 4.1.1, "Qualifying Resource Names Using Projects and Folders."

Options

Contains a Delete icon. If a business service or proxy service has been configured to use a service account, a Deletion Warning icon indicates that you can delete the service account with a warning confirmation. This might result in conflicts due to unresolved references from the service to the deleted service account. See Section 17.5, "Deleting Service Accounts."


17.3 Adding Service Accounts

To add a Service Account:

  1. If you have not already done so, click Create to create a new session or click Edit to enter an existing session. See Section 3.1, "Using the Change Center."

  2. Select Project Explorer, then select a project or folder in which to add the service account. The Project/Folder View page is displayed.

  3. From the Create Resource list, select Service Account to display the Create a New Service Account page.

  4. In the Resource Name field, enter a unique name for this service account.

    Follow the Section 2.3, "Resource Naming Restrictions" for naming guidance.

  5. In the Resource Description field, enter a description for the service account.

  6. Under Resource Type, do one of the following:

    • To create a service account that provides the user names and passwords that it receives from incoming client requests, select Pass Through.

    • To create a service account that provides a user name and password that you save with the service account configuration, select Static.

    • To create a service account that maps the user name from one or more authenticated clients to user names and passwords that you specify, select Mapping.

  7. Depending on the resource type you selected in the previous step, do one of the following steps described in Table 17-2.

    Table 17-2 Resource Type Options

    Selected Resource Type Complete These Steps

    Pass Through

    Click Last.

    Static

    1. Click Next.

    2. Enter the user name and password in the User Name field, Password, and Confirm Password fields.

    3. Click Last.

    Mapping

    To create a service account that maps the user name from one or more clients to user names and passwords that you specify, do the following:

    1. Click Next.

    2. In the Enter Authorized Remote User table, do the following:

      In the Remote User Name, Password, and Confirm Password fields, enter the user name and password that you want to send in outbound requests.

      Click Add. The user mapping is added to the Remote Users table.

      (Optional) Add additional remote users in the Enter Authorized Remote User table.

    3. Click Next.

    4. To map authorized clients to remote user names and passwords, do the following in the Enter Authorized Local User table:

      In the Local User Name field, enter the name that identifies a client that has been authenticated on its inbound request.

      If you have not already added this user in the Security Configuration module of the Oracle Service Bus Administration Console, do so before you use this mapping in a runtime environment. See Section 25.3, "Adding Users." Oracle Service Bus lets you create a mapping for a non-existent local user, but the mapping will never match an authenticated user and will never be used.

      From the Remote User Name list, select the user name that you want to send in outbound requests for the authenticated user you specified in the Local User Name field.

      Click Add.

    5. Click Last.


  8. Click Save. The service account is created and saved in the current session.

  9. To end the session and deploy the configuration to the runtime, click Activate under Change Center.

17.4 Editing Service Accounts

To edit a Service Account:

  1. If you have not already done so, click Create to create a new session or click Edit to enter an existing session. See Section 3.1, "Using the Change Center."

  2. Locate the service account, as described in Section 17.2, "Locating Service Accounts."

  3. Click the service account name. The View Service Account Details page displays the information shown in Table 17-3.

    Table 17-3 Service Account Details

    Property Description

    Last Modified By

    The user who created this service account or imported it into the configuration.

    Last Modified On

    The date and time that the user created this service account or imported it into the configuration. Click the date and time link to view the change history of this resource. See Section 4.23, "View Change History Page."

    References

    The number of objects that this service account references. If such references exist, click the numeric link to view a list of the objects. See Section 4.22, "Viewing References to Resources."

    Referenced by

    The number of objects that reference this service account. If such references exist, click the numeric link to view a list of the objects. For example, if you selected this service account as the JMS service account in a proxy service with a JMS transport protocol, the proxy service is listed as a reference when you click the link. See Section 4.22, "Viewing References to Resources."

    Description

    A description of this service account, if one exists.


  4. To make a change to the fields, click Edit. See Section 17.3, "Adding Service Accounts" for descriptions of the fields.

    You cannot change the Resource Name field.

  5. Click Save to commit the updates in the current session.

  6. To end the session and deploy the configuration to the runtime, click Activate under Change Center.

    Note:

    If the service account that you modified is used to authenticate with a WebLogic JMS server, the JMS server might not recognize your modification for up to 60 seconds. By default, WebLogic Server JMS checks permissions for each destination every 60 seconds. To change this behavior, modify the WebLogic Server startup command so that it sets the following system property to the frequency (in seconds) that you want WebLogic Server JMS to check permissions: weblogic.jms.securityCheckInterval.

    A value of 0 (zero) for this property ensures that a permissions check is performed for every send, receive, and getEnumeration action on a JMS resource.

Related Topics

See "Ensuring the Security of Your Production Environment" in Securing a Production Environment.

17.5 Deleting Service Accounts

When you delete a service account, the user name, password, or local-user to remote-user mapping data that the service account contains is also deleted.

  1. If you have not already done so, click Create to create a new session or click Edit to enter an existing session. See Section 3.1, "Using the Change Center."

  2. If any business service or proxy service is configured to use the service account, remove the service account from the business service or proxy service.

    See Section 19.5, "Editing Business Service Configurations" or Section 20.5, "Editing Proxy Service Configurations."

  3. Select Resource Browser > Service Accounts to display the Summary of Service Accounts page.

  4. Click the Delete icon in the Options field of the service account you want to delete.

    The service account is deleted in the current session. If a business service or proxy service has been configured to use a service account, a Deletion Warning icon indicates that you can delete the service account with a warning confirmation. This might result in conflicts due to unresolved references from the service to the deleted service account.

  5. To end the session and deploy the configuration to the runtime, click Activate under Change Center.