Oracle® Fusion Middleware Application Security Guide
11g Release 1 (11.1.1)

Part Number E10043-11

5 Security Administration

This chapter introduces the tools available to an administrator and the typical tasks to manage application security. It is divided into the following sections:

For advanced administrator tasks, see Appendix E, "Administration with Scripting and MBean Programming."

5.1 Choosing the Administration Tool According to Technology

The four basic tools available to a security administrator are Oracle Enterprise Manager Fusion Middleware Control, Oracle WebLogic Administration Console, Oracle Entitlements Server, and the Oracle WebLogic Scripting Tool (WLST). For further details on these and other tools, see chapter 3, Getting Started Managing Oracle Fusion Middleware in Oracle Fusion Middleware Administrator's Guide.

The main criterion that determines which tool to use to administer application security is whether the application uses just container-managed security (Java EE application) or also includes Oracle ADF security (Oracle ADF application).

Oracle-specific applications, such as Oracle Application Development Framework (Oracle ADF) applications, Oracle Service-Oriented Architecture (SOA) applications, and Oracle WebCenter applications, are deployed, secured, and maintained with Fusion Middleware Control and Oracle Entitlements Server.

Other applications, such as those developed by third parties, Java SE, and Java EE applications, are typically deployed, secured, and administered with Oracle WebLogic Administration Console or with WLST.

The recommended tool to develop Java applications is Oracle JDeveloper 11g. This tool helps the developer configure file-based identity, policy, and credential stores through specialized graphical editors. In particular, when developing Oracle ADF applications, the developer can run a wizard to configure security for web pages associated with Oracle ADF resources (such as Oracle ADF task flows and page definitions), and define security artifacts using a specialized, visual editor for the file jazn-data.xml.

For details about procedures and related topics, see the following sections in the Oracle JDeveloper online help documentation:

For further details about Oracle ADF Security and its integration with Oracle JDeveloper, see Accessing the Oracle ADF Security Design Time Tools, in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.

For further details about Oracle Entitlements Server, see Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

5.2 Basic Security Administration Tasks

Table 5-1 lists some basic security tasks and the tools used to execute them. Recall that the tool chosen to configure and manage application security depends on the type of the application: for Java EE applications, which use just container-managed security, use the Oracle WebLogic Administration Console; for Oracle ADF applications, which use OPSS authorization, use Fusion Middleware Control and Oracle Entitlements Server.

Manual settings without the aid of the tools listed below are not recommended. For information about using the Oracle WebLogic Administration Console, see the list of links following the table below. For details about Oracle Entitlements Server, see Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

Table 5-1 Basic Administrative Security Tasks and Tools

| Task | Use Fusion Middleware Control Security Menu | Use Other Tool |
|---|---|---|
| Configure WebLogic Domains | | WebLogic Admin Console |
| Configure WebLogic Security Realms | | WebLogic Admin Console |
| Manage WebLogic Domain Authenticators | | WebLogic Admin Console |
| Enable SSO for MS clients, Web Browsers, and HTTP clients. | | WebLogic Admin Console |
| Manage Domain Administrative Accounts | | WebLogic Admin Console |
| Configuring the identity store service | | WebLogic Admin Console or the WebSphere command configureIdentityStore |
| Manage Credentials for Oracle ADF Application | Credentials | |
| Enable anonymous role in Oracle ADF Application | Security Provider Configuration | |
| Enable authenticated role in Oracle ADF Application | Security Provider Configuration | |
| Enable JAAS in Oracle ADF Application | Security Provider Configuration | |
| Map application to enterprise groups for Oracle ADF Application | Application Roles or Application Policies | Oracle Entitlements Server |
| Manage system-wide policies for Oracle ADF Applications | System Policies | |
| Configure OPSS Properties | Security Provider Configuration | |
| Reassociate Policy and Credential Stores | Security Provider Configuration | |

Details about using the Oracle WebLogic Administration Console for the tasks above are found in the following documents:

Note:

OPSS does not support automatic backup or recovery of server files. It is recommended that the server administrator periodically back up all server configuration files, as appropriate.

For details about backing up and recovering Oracle Fusion Middleware, see chapter 15, Introducing Backup and Recovery, in Oracle Fusion Middleware Administrator's Guide.

5.2.1 Setting Up a Brand New Production Environment

A new production environment based on an existing environment can be set up in either of the following ways:

  • Replicating an established environment using Oracle Cloning utilities. For details, see section 9.5, Cloning Oracle Fusion Middleware Entities, in Oracle Fusion Middleware Administrator's Guide.

  • Reinstalling software and configuring the environment, as was done to set up the established environment.

5.3 Typical Security Practices with Fusion Middleware Control

Fusion Middleware Control is a Web-based tool that allows the administration of a network of applications from a single point. Fusion Middleware Control is used to deploy, configure, monitor, diagnose, and audit Oracle SOA applications, Oracle ADF applications, Oracle WebCenter, and other Oracle applications using OPSS. Note that this section mentions only security-related operations.

Fusion Middleware Control provides several security-related administration tasks; using this tool, an administrator can:

For a summary of security administrative tasks and the tools used to execute them, see Basic Security Administration Tasks.

For further details about other functions, see the Fusion Middleware Control online help documentation.

For details about managing Oracle Fusion Middleware on WebSphere Application Server, see Oracle Fusion Middleware Third-Party Application Server Guide.

5.4 Typical Security Practices with the Administration Console

The Oracle WebLogic Administration Console is a Web-based tool that allows, among other functions, application deployment and redeployment, domain configuration, and monitoring of application status. Note that this section mentions only security-related operations.

Typical tasks performed with the Oracle WebLogic Administration Console include the following:

For details about Oracle WebLogic Administration Console, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.

5.5 Typical Security Practices with Oracle Entitlements Server

Typical security tasks performed with Oracle Entitlements Server include the following:

For a list of some of the most frequent security tasks to administer application security with Oracle Entitlements Server, see Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.

5.6 Typical Security Practices with OPSS Scripts

Most of the security-related operations available in the Oracle WebLogic Administration Console can be carried out with OPSS scripts, a set of command-line interfaces that allow the scripting and automation of administration tasks, including domain configuration and application deployment.

Note:

A WLST shell session has associated with it a unique configuration file; more generally, a JVM instance can point to at most one configuration file.

This requirement of a unique jps-config.xml file per JVM instance has the following consequence: suppose that within a WLST shell you invoke an OPSS script, such as migrateSecurityStore, that takes a configuration file; then all subsequent commands invoked within that same WLST shell use the same configuration file regardless of the configuration location passed to a command.
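The following check is an added example, not part of the Oracle guide or of OPSS: it scans a WLST script before it is run and reports every call whose configFile argument differs from the first one used, since per the note above such calls would silently use the first file. The paths, context names, and helper function names are constructed, and the script is assumed to contain only syntax that also parses as Python 3.

```python
import ast
import posixpath

# Constructed WLST script: three OPSS script calls naming two different jps-config.xml files.
SAMPLE_WLST = '''
migrateSecurityStore(type="appPolicies",
                     configFile="/u01/stage/jps-config.xml",
                     src="stageCtx", dst="ldapCtx",
                     srcApp="app1")
migrateSecurityStore(type="credStore",
                     configFile="/u01/stage/./jps-config.xml",
                     src="stageCtx", dst="ldapCtx")
migrateSecurityStore(type="credStore",
                     configFile="/u01/test/jps-config.xml",
                     src="testCtx", dst="ldapCtx")
'''

def config_file_calls(script_text):
    """Return sorted (line, command, configFile) for calls passing a literal configFile."""
    found = []
    for node in ast.walk(ast.parse(script_text)):
        if not isinstance(node, ast.Call) or not isinstance(node.func, ast.Name):
            continue
        for kw in node.keywords:
            value = kw.value
            if kw.arg == "configFile" and isinstance(value, ast.Constant) and isinstance(value.value, str):
                found.append((node.lineno, node.func.id, posixpath.normpath(value.value)))
    return sorted(found)

def ignored_config_files(script_text):
    """Calls whose configFile differs from the first one the session is bound to."""
    calls = config_file_calls(script_text)
    if not calls:
        return []
    effective = calls[0][2]  # per the note, the first file stays in effect for the shell
    return [(line, cmd, path, effective) for line, cmd, path in calls if path != effective]

def split_by_config_file(script_text):
    """Group call line numbers by configFile: run each group in its own WLST shell."""
    groups = {}
    for line, _cmd, path in config_file_calls(script_text):
        groups.setdefault(path, []).append(line)
    return groups

if __name__ == "__main__":
    for line, cmd, path, effective in ignored_config_files(SAMPLE_WLST):
        print("line %d: %s names %s but the session is bound to %s" % (line, cmd, path, effective))
```

Each group returned by split_by_config_file corresponds to one separate WLST shell invocation, which keeps every command on the configuration file it names.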

For the list of security-related OPSS scripts, see Appendix I, "OPSS Scripts." For the complete list of WLST scripts, see Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

For details about managing Oracle Fusion Middleware on WebSphere Application Server, see Oracle Fusion Middleware Third-Party Application Server Guide.