Skip Headers
Oracle® Fusion Middleware 2 Day Administration Guide
11g Release 1 (11.1.1)

Part Number E10064-04
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

6 Configuring Security

Oracle Fusion Middleware provides many security features, including accounts specifically for administrative purposes. This chapter describes how to create additional administrative accounts, create application roles, change passwords for those accounts, and configure SSL.

This chapter contains the following topics:

6.1 Creating Additional Administrative Users

During the Oracle Fusion Middleware installation and configuration, you must specify an administrative user and a password for the user. You can use the default administrative account to log in to Fusion Middleware Control and the Oracle WebLogic Server Administration Console.

You can create additional administrative users using the Oracle WebLogic Server Administration Console.

To create a new administrative user with full privileges:

  1. Navigate to the Oracle WebLogic Server Administration Console. (For example, from the home page of the domain in Fusion Middleware Control, select To configure and managed this WebLogic Domain, use the Oracle WebLogic Server Administration Console.)

  2. From the navigation pane, select Security Realms.

    The Summary of Security Realms page is displayed.

  3. Select a realm, such as myrealm.

    The Settings for the realm page is displayed.

  4. Select the Users and Groups tab, then the Users tab. Click New.

    The Create a New User page is displayed.

  5. For Name, enter the new user name. In this case, enter admin2.

  6. Optionally, add a description for the account.

  7. For Provider Authenticator, use the default, DefaultAuthenticator.

  8. For Password, enter a password for the account. Then, for Confirm Password, reenter the password.

    If you selected DefaultAuthenticator, any passwords you assign to Oracle Fusion Middleware users:

    • Must contain at least eight characters.

    • At least one of the characters must be a number or special character, such as US dollar sign ($), number sign (#), or underscore (_).

  9. Click OK.

  10. Select the newly created user in the Users table.

    The Settings for user page is displayed.

  11. Select the Groups tab.

  12. From the Available groups, select the group. In this case, to give the new user full privileges, select Administrators and move it to the Chosen list, as shown in the following figure:

    Description of create_user.gif follows
    Description of the illustration create_user.gif

  13. Click Save.

You now have a user named admin2 that has the Administrator role for the Oracle WebLogic Server domain.

6.2 Creating Additional Users with Specific Roles

You may want to give only minimal privileges to another user, allowing the user to only monitor Oracle Fusion Middleware, not to change any of the configuration. You can create additional users and give them limited access. For example, you can create a user with privileges to deploy applications.

To create an additional user who can deploy applications:

  1. Navigate to the Oracle WebLogic Server Administration Console. (For example, from the home page of the domain in Fusion Middleware Control, select To configure and managed this WebLogic Domain, use the Oracle WebLogic Server Administration Console.)

  2. From the navigation pane, select Security Realms.

    The Summary of Security Realms page is displayed.

  3. Select a realm, such as myrealm.

    The Settings for the realm page is displayed.

  4. Select the Users and Groups tab, then the Users tab. Click New.

    The Create a New User page is displayed.

  5. For Name, enter the new user name. In this case, enter app_deployer.

  6. Optionally, add a description for the account.

  7. For Password, enter a password for the account. Then, for Confirm Password, reenter the password.

    If you selected DefaultAuthenticator, any passwords you assign to Oracle Fusion Middleware users:

    • Must contain at least eight characters.

    • At least one of the characters must be a number or special character, such as US dollar sign ($), number sign (#), or underscore (_).

  8. Click OK.

  9. Select the newly created user in the Users table.

    The Settings for user page is displayed.

  10. Select the Groups tab.

  11. From the Available groups, select the group. In this case, to give the new user privileges only to deploy applications, select Deployers and move it to the Chosen list.

  12. Click Save.

6.3 Changing the Administrative User Password

You can change the password of users using the Oracle WebLogic Server Administration Console.

To change the password of an administrative user:

  1. Navigate to the Oracle WebLogic Server Administration Console. (For example, from the home page of the domain in Fusion Middleware Control, select To configure and managed this WebLogic Domain, use the Oracle WebLogic Server Administration Console.)

  2. From the navigation pane, select Security Realms.

    The Summary of Security Realms page is displayed.

  3. Select a realm, such as myrealm.

    The Settings for the realm page is displayed.

  4. Select the Users and Groups tab, then the Users tab. Select the user.

    The Settings for user page is displayed.

  5. Select the Passwords tab.

  6. Enter the new password, then enter it again to confirm it.

  7. Click Save.

6.4 Configuring SSL

SSL secures communication by providing message encryption, integrity, and authentication. The SSL standard allows the involved components (such as browsers and HTTP servers) to negotiate which encryption, authentication, and integrity mechanisms to use.

This section describes the following topics:

6.4.1 Understanding Keystores and Wallets

In Oracle Fusion Middleware, all Java components and applications use the JKS keystore. Thus all Java components and applications running on Oracle WebLogic Server use the JKS-based KeyStore and TrustStore.

The Oracle Virtual Directory system component uses a JKS keystore to store keys and certificates. Configuring SSL for Oracle Virtual Directory thus requires setting up and using JKS keystores.

Other components use the Oracle wallet as their storage mechanism. An Oracle wallet is a container that stores your credentials, such as certificates, trusted certificates, certificate requests, and private keys. You can store Oracle wallets on the file system or in LDAP directories such as Oracle Internet Directory. Oracle wallets can be auto-login or password-protected wallets.

The following components use Oracle wallet:

  • Oracle HTTP Server

  • Oracle Web Cache

  • Oracle Internet Directory

6.4.2 Enabling SSL Between a Browser and Oracle HTTP Server

You can enable SSL on the communication path between a client browser and a Web server. In this case, you configure the virtual host for Oracle HTTP Server to listen in SSL mode, as described in the following topics:

6.4.2.1 Enabling SSL for Inbound Traffic to Oracle HTTP Server Virtual Hosts

To enable SSL for inbound traffic to Oracle HTTP Server virtual hosts:

  1. Create an Oracle wallet:

    1. In the navigation pane, expand the farm, then Web Tier. Select an Oracle HTTP Server instance.

    2. From the Oracle HTTP Server menu, choose Security, then Wallets.

      The Wallets page is displayed.

    3. Click Create.

      The Create Wallet page is displayed, as shown in the following figure:

      Description of create_wallet.gif follows
      Description of the illustration create_wallet.gif

    4. For Wallet Name, enter a descriptive wallet name.

    5. Check or uncheck Autologin, depending on whether your wallet is an auto-login wallet. The default is an auto-login wallet. If you do not check Autologin, for Wallet Password, enter a password, then enter the same password in Confirm Password.

    6. Click OK to create the wallet.

      A confirmation box is displayed.

    7. The confirmation box asks if you want to create a certificate request. Click Yes.

      The Create Wallet: Add Certificate Request page is displayed.

    8. For Common Name, enter a name for the certificate request.

    9. Enter information about your organization.

    10. For Key Size, select a size.

    11. Click OK.

    12. To get the certificate signed by a certificate authority (CA), you must export the certificate request out of the wallet and send it to your CA. After the issued certificate is returned, you must import it back into your wallet. Now your wallet is ready to use.

  2. From the HTTP Server menu, choose Administration, then Virtual Hosts.

    The Virtual Hosts page is displayed.

  3. Select a virtual host and choose Configure, then SSL Configuration.

    The SSL Configuration page is displayed, as shown in the following figure:

    Description of ohsssl3.gif follows
    Description of the illustration ohsssl3.gif

  4. Select Enable SSL.

  5. For Server Wallet Name, select the wallet.

  6. From the Server SSL properties, select the SSL Authentication type, Cipher Suites to use, and the SSL protocol version.

  7. Click OK.

  8. Restart Oracle HTTP Server. (From the Oracle HTTP Server menu, choose Control, then Restart.)

  9. Now, you can test this by visiting the Oracle HTTP Server page over SSL in a browser. Use a URL of the form https://host:port/, where you replace the host and port with values relevant to your own environment.

6.4.2.2 Enabling SSL for Outbound Traffic from Oracle HTTP Server Virtual Hosts

Outbound requests from Oracle HTTP Server are handled by configuring mod_wl_ohs.

To configure outbound requests for SSL:

  1. Generate a custom keystore for Oracle WebLogic Server containing a certificate, using the Oracle WebLogic Server Administration Console:

    1. In the left pane of the Console, expand Environment and select Servers.

    2. Select Configuration, then Keystores.

    3. Define the keystore. See the online help for information about each field.

  2. Import the certificate used by Oracle WebLogic Server into the Oracle HTTP Server wallet as a trusted certificate. You can use any available utility such as WLST or Fusion Middleware Control for this task.

  3. Edit the Oracle HTTP Server configuration file ORACLE_INSTANCE/config/OHS/ohs1/ssl.conf and add the following line to the SSL configuration under mod_weblogic:

    WlSSLWallet  "$(ORACLE_INSTANCE}/config/COMPONENT_TYPE/COMPONENT_NAME/default"
    

    In the line, default is the name of the Oracle HTTP Server wallet in Step 2.

    Here is an example of the configuration:

    <IfModule mod_weblogic.c>
          WebLogicHost myhost.example.com
          WebLogicPort 7002
          Debug ALL
          WLLogFile /tmp/weblogic.log
          MatchExpression *.jsp
          SecureProxy On
          WlSSLWallet "$(ORACLE_INSTANCE)/config/OHS/ohs1/keystores/default"
    </IfModule>
    

    Save the file and exit.

  4. Restart Oracle HTTP Server to activate the changes.

  5. Ensure that your Oracle WebLogic Server instance is configured to use the custom keystore generated in Step 1, and that the alias points to the alias value used in generating the certificate. Restart the Oracle WebLogic Server instance.

6.5 Learn More

For more information about the topics covered in this chapter and other security topics, see: