|Oracle® Fusion Middleware Application Security Guide
11g Release 1 (11.1.1)
Part Number E10043-11
|PDF · Mobi · ePub|
This chapter describes the most important changes introduced in this and previous releases.
The features and documentation changes introduced in release 126.96.36.199.0 include the following:
Migration of keystore data within and across domains. For details, see Section 6.6.4.
An introduction to deploying applications with audit. For details, see Section 6.5.
Additional OPSS scripts for audit management. For details, see Section C.4.
The WSLT script
listCred has been decommissioned and is no longer available. An alternative to this OPSS script is explained at the end of Section 10.5.
New code examples have been added to describe how applications can access the Keystore Service. For details, see Section 27.6.2.
System components can now specify the audit log location in a flexible manner. For details, see Section L.1.1.7.
A detailed explanation of the procedure to create an audit schema. For details, see Section 13.2.1.
Updated procedure for audit policy configuration using Fusion Middleware Control. For details, see Section 13.3.
Audit records are written with UTC time-stamps by default. For details, see Section 13.4.
Data purge scripts are introduced. For details, see Section 188.8.131.52.
Bulk authorization for file-based stores with the method
Introduction of the audit administration service APIs. For details, see Section 28.5.
Requirement for audit clients to have certain system grants to invoke the audit APIs. For details, see Section 28.6.2.
New properties audit.timezone and audit.change.scanning.interval have been added for audit service configuration. For details, see Table F-9.
Compatibility Matrix for 11g Versions. For details, see Section 3.1.
The features introduced in release 184.108.40.206.0 include the following:
Trusted Header Assertion with the Oracle Access Manager Identity Assertion Provider.
Integrating application security with OPSS.
Developing applications using the Audit Service.
Using the Identity Directory API in your applications.
Administering the Keystore Service.
Developing applications using the Keystore Service.
Documentation updates include the following:
Updates to the discussion of the Common Audit Framework.
Procedures to enable SSL for the Identity Store Service.
The features introduced in release 220.127.116.11.0 include the following:
Support for DB-based stores.
Support for the IBM WebSphere Application Server.
Support for identity virtualization, which allows querying multiple identity stores.
Support for security administrative scripts on IBM WebSphere Application Server.
The OPSS script
Additional OPSS scripts.
Improved Fusion Middleware Control security pages.
Enhanced OAMCfgTool for OAM 10g SSO, with additional parameters.
User and Role API support for IBM Tivoli and Microsoft ADAM directories.
The features introduced in release 18.104.22.168.0 include the following:
The Resource Catalog, a way of specifying resource types, resources, actions, and entitlements in an application policy grant. Starting with this release, OPSS supports resource-based policies with the introduction of the resource catalog.
Instructions for developing custom User and Role providers.
Use of the class ResourcePermission in permissions.
New OPSS scripts to manage resource types.
The system property
jps.deployment.handler.disabled of the Oracle WebLogic Server has been introduced.
A new use of the OPSS script
A new argument to the OPSS script
migrateSecurityStore to control the migration behavior upon encountering duplicate items. It applies only when migrating application policies.
The features introduced in release 22.214.171.124.0 include the following:
The class Resource Permission.
Principal name comparison has been enhanced.
Manual settings for policy migration have been simplified. In particular, versioning the application is no longer required.
The OPSS script
migrateSecurityStore supports the embedded LDAP store as a target.
The configuration of the identity store has been simplified. For example, previously required properties such as username.attr and login.name.attr are no longer needed when configuring an LDAP identity store.
The OPSS script
reassociateSecurityStore supports an existing LDAP node as a target.
New and improved Oracle Fusion Middleware Control pages. In particular, using these pages, one can specify the SSO service to use in a domain.
The single most important new feature in this release is the Oracle WebLogic Server as the environment where applications run and where security is provisioned.
The features introduced in release 11gR1 include the following:
Support for application policies and roles, and the authenticated and anonymous users and roles
Credential Store Framework
Auditing framework for Oracle Platform Security Services (OPSS) events for credential and policy management, and authorization checks
Support for application lifecycle security integrated with JDeveloper
Enhanced authorization framework
Consolidation of code-based and subject-based policies in system-jazn-data.xml
Management of security with Oracle Fusion Middleware and OPSS scripts
New security-related OPSS scripts
The features de-supported in release 11gR1 include the following:
Jazn is replaced with OPSS.
Jazn Realm API is replaced by the User and Role API.
Migration of OSDT toolkit from proprietary objects to JCE is desupported.
The identity store, as previously configured in system-jazn-data.xml, is replaced by the use of WebLogic authenticators.
The functions of Oracle Jazn Administration Tool are replaced as follows:
User and Role CRUD operations are replaced by the use of the Embedded LDAP configured and operated with the Oracle WebLogic Administration Console
The configuration of login modules is replaced with the use of the Oracle WebLogic Administration Console to configure authenticators
JavaSSO is no longer supported. On a Oracle WebLogic Server domain, Single Sign-On (SSO) is automatic within clusters only when session replication is turned on.