25 Oracle Platform Security Services

This chapter contains notes on topics associated with Oracle Platform Security Services (OPSS), in the following sections:

The following documents are relevant to topics included in this chapter:

25.1 Configuration Issues and Workarounds

This section describes configuration issues and their workarounds. It includes the following topics:

25.1.1 Oracle Fusion Middleware Audit Framework

This section describes configuration issues for the Oracle Fusion Middleware Audit Framework. It contains these topics:

25.1.1.1 Configuring Auditing for Oracle Access Manager

Although Oracle Access Manager appears as a component in Oracle Enterprise Manager Fusion Middleware Control, you cannot configure auditing for Oracle Access Manager using Fusion Middleware Control.

25.1.1.2 Audit Reports do not Display Translated Text in Certain Locales

The standard audit reports packaged with Oracle Business Intelligence Publisher support a number of languages for administrators. Oracle Business Intelligence Publisher can start in different locales; at start-up, the administrator can specify the language of choice by setting the preferred locale in Preferences.

Due to this bug, if Oracle Business Intelligence Publisher is started in any of these three locales:

  • zh_CN (Simplified Chinese)

  • zh_TW (Traditional Chinese)

  • pt_BR (Brazilian Portuguese)

then users cannot see the report in that locale (the entire report, including labels, headers, titles, and so on, appears in English), while the other locales display the translated text as expected. For example, when Oracle Business Intelligence Publisher is started in zh_CN, the text is not displayed in zh_CN even though the preferred locale is set to zh_CN; information is displayed in English.

This issue will be fixed in a future release of Oracle Business Intelligence Publisher.

25.1.1.3 Audit Reports Always Display in English

The standard audit reports packaged with Oracle Business Intelligence Publisher support a number of languages.

Due to this bug, report titles and descriptions are displayed in English even when they have been translated.

This issue will be fixed in a future release of Oracle Business Intelligence Publisher.

25.1.1.4 Audit Store Does not Support Reassociation through EM

In Release 11gR1 (11.1.1.6.0), if you reassociated security stores through the Fusion Middleware Control Enterprise Manager (EM) console, most stores (policy store, credential store and so on) moved except for the audit store. This is because the audit store did not support reassociation through the console, only through the WLST command reassociateSecurityStore.

In a situation where the original migration from Release 11gR1 (11.1.1.6.0) to Release 11gR1 (11.1.1.7.0) was done through EM, this leaves the audit repository file-based. Use the following workaround to move all security store data to LDAP or DB so that auditing can be enabled:

In the PS5 environment, run the WLST command reassociateSecurityStore with a different jpsroot node. This effects an OID-to-OID directory reassociation, and any existing data is also migrated to the new node. After you take this action, audit data is no longer file-based and jps-config.xml refers to the new node.

25.1.1.5 OWSM Audit Events not Audited

In Release 11.1.1.7, due to a bug, audit events are not logged for Web Services Manager (OWSM) after auditing is configured for the component.

To resolve this issue, proceed as follows:

  1. Register the OWSM components AGENT, PM-EJB with the audit service using the registerAudit WLST command:

    1. registerAudit(xmlFile="$ORACLE_COMMON/modules/oracle.iau_11.1.1/components/OWSM-AGENT/component_events.xml", componentType="AGENT")

    2. registerAudit(xmlFile="$ORACLE_COMMON/modules/oracle.iau_11.1.1/components/OWSM-PM-EJB/component_events.xml", componentType="PM-EJB")

  2. Get the list of components using the listAuditComponents WLST command; for example, this command writes the list of components to a file named complist.txt:

    listAuditComponents(fileName = "/tmp/complist.txt")
    
  3. For each component in the list, execute the WLST command setAuditPolicy as follows:

    setAuditPolicy(componentType="<component name from complist.txt>",  filterPreset="None") 
    

For details about syntax and usage of these commands, see Oracle Fusion Middleware Application Security Guide, part number E10043-11, Appendix C Oracle Fusion Middleware Audit Framework Reference.

25.1.2 Trailing '\n' Character in Bootstrap Key

In 11gR1, the process that reassociates XML to LDAP stores creates a bootstrap key with a trailing newline character '\n', or its equivalent code '&#xA'. This key value is written in the file jps-config.xml and stored in the wallet; in both places the key value contains the trailing '\n' character.

When that same wallet is reused in 11gR1 PS1, the system trims the trailing '\n' character when it retrieves the bootstrap key, but the key value in the wallet still contains the trailing character. This leads to errors because the requested and stored key values no longer match.

To resolve this issue, proceed as follows:

  1. Use the WLST command modifyBootStrapCredential to reprovision wallet credentials without trailing '\n'. For details on the command usage, see section 9.5.2.5 in the Oracle Fusion Middleware Security Guide.

  2. Manually edit the file jps-config.xml and remove the trailing characters '&#xA' from any bootstrap key.

This problem arises only in the scenario above, namely, when an 11gR1 wallet is reused in 11gR1 PS1; in particular, when reassociating in an 11gR1 PS1 environment, the above trailing character is not an issue.
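The check below is an added example and not part of these release notes: it scans a jps-config.xml for bootstrap keys that still end in the newline described above (stored in the file as the character reference &#xA;) and applies step 2 as a targeted text edit that leaves the rest of the file untouched. It assumes the key is held in a property named bootstrap.security.principal.key inside a serviceInstance element; the sample file is constructed, and the wallet side (step 1) is not touched.

```python
import re
import xml.etree.ElementTree as ET

BOOTSTRAP_KEY_PROP = "bootstrap.security.principal.key"  # assumed property name

# Constructed sample: the first instance still carries the '&#xA;' the note describes.
SAMPLE_JPS_CONFIG = '''<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="policystore.ldap" provider="ldap.policystore.provider">
      <property name="bootstrap.security.principal.key" value="bootstrap_EXAMPLEKEY&#xA;"/>
    </serviceInstance>
    <serviceInstance name="credstore.ldap" provider="ldap.credentialstore.provider">
      <property name="bootstrap.security.principal.key" value="bootstrap_EXAMPLEKEY"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
'''

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # tag name without the default-namespace prefix

def find_trailing_newline_keys(xml_text):
    """Return [(serviceInstance name, key value)] for each bootstrap key whose
    parsed value ends in '\\n' (the XML parser turns '&#xA;' back into a newline)."""
    hits = []
    for inst in ET.fromstring(xml_text).iter():
        if _local(inst.tag) != "serviceInstance":
            continue
        for prop in inst.iter():
            if _local(prop.tag) == "property" and prop.get("name") == BOOTSTRAP_KEY_PROP:
                value = prop.get("value", "")
                if value.endswith("\n"):
                    hits.append((inst.get("name"), value))
    return hits

_PROPERTY_ELEM = re.compile(r"<property\b[^>]*?/>")
_TRAILING_NEWLINE_REF = re.compile(r'(?:&#xA;|&#xa;|&#10;)+(?=")')

def strip_trailing_newline_refs(xml_text):
    """Step 2 above as a text edit: drop trailing newline references from bootstrap
    key values only, leaving the rest of the file untouched. Returns (text, keys changed)."""
    changed = [0]
    def repair(match):
        elem = match.group(0)
        if 'name="%s"' % BOOTSTRAP_KEY_PROP not in elem:
            return elem
        new_elem, n = _TRAILING_NEWLINE_REF.subn("", elem)
        changed[0] += 1 if n else 0
        return new_elem
    return _PROPERTY_ELEM.sub(repair, xml_text), changed[0]
```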

25.1.3 Users with Same Name in Multiple Identity Stores

If a user name is present in more than one LDAP repository and the property virtualize is set to use LibOVD, then the User and Role API returns the data from only one of those repositories when that name is queried.

25.1.4 Script listAppRoles Outputs Wrong Characters

On Linux and Windows platforms, when the locale is set to non-UTF8 locales, such as fr_FR_iso88591, the OPSS script listAppRoles may wrongly output the character '?' instead of the expected character.

25.1.5 Propagating Identities over the HTTP Protocol

This section contains the following additions, corrections, and new information:

25.1.5.1 Addition to Section Propagating Identities over the HTTP Protocol

The following new information belongs in section 19.3.1.2:

The out-of-the-box configuration assumes that the token issuer name and the key alias are based on the WebLogic server name. Note that on WebSphere the server name used for the key alias is set based on the WebSphere server root. For example, if the server root is $T_WORK/middleware/was_profiles/DefaultTopology/was_as/JrfServer, then the server name is set to JrfServer. To change the default value, use the procedures explained in section 19.3.12.

25.1.5.2 Correction to Section Client Application Code Sample

The following sample illustrates a client application. Note that the file jps-api.jar and the OSDT jars osdt_ws_sx.jar, osdt_core.jar, osdt_xmlsec.jar, and osdt_saml2.jar must be included in the class path for the code sample to compile.

25.1.5.3 Correction to Section Keystore Service Configuration

Assuming that the WebLogic server name is jrfServer_admin, the following command illustrates the creation of the keystore, represented by the generated file default-keystore.jks.

25.1.5.4 Updating the Trust Service Configuration Parameters

This section is new; it explains how to modify the trust service configuration parameters in the file jps-config.xml with a script.

Out of the box, the values of the parameters trust.aliasName and trust.issuerName are set to the WebLogic server name. To change them to deployment-specific values, use a script like the following:

import sys
from java.util import HashMap
from javax.management import ObjectName
# The package of PortableMap is assumed from the OPSS JMX utilities; verify it
# against the OPSS jars in your installation.
from oracle.security.jps.mas.mgmt.jmx.util import PortableMap

# Connection details and the deployment-specific values to set. Do not leave the
# real password in the script; read it from a protected file or prompt for it.
wlsAdmin = 'weblogic'
wlsPwd = 'password_value'
wlUrl = 't3://localhost:7001'
issuer = 'issuer'
alias = 'alias'

print "OPSS Trust Service provider configuration management script.\n"

# Trust service instance and provider names as they appear in jps-config.xml.
instance = 'trust.provider'
name = 'trust.provider.embedded'
cfgProps = HashMap()
cfgProps.put("trust.issuerName", issuer)
cfgProps.put("trust.aliasName", alias)
pm = PortableMap(cfgProps)

connect(wlsAdmin, wlsPwd, wlUrl)
domainRuntime()

# Invoke updateTrustServiceConfig on the JpsConfig MBean (mbs is the WLST
# MBean server connection), then persist the change to jps-config.xml.
params = [instance, name, pm.toCompositeData(None)]
sign = ["java.lang.String", "java.lang.String", "javax.management.openmbean.CompositeData"]
on = ObjectName("com.oracle.jps:type=JpsConfig")
mbs.invoke(on, "updateTrustServiceConfig", params, sign)
mbs.invoke(on, "persist", None, None)

print "Done.\n"

25.1.6 Pool Configuration Missing in Identity Store

On the WebSphere Application Server, the out-of-the-box configuration file jps-config.xml is missing an entry for a property of the identity store. When the identity store, added at post-installation, is an LDAP-based identity store, the following property must be manually inserted in the jps-config.xml file within the identity store service instance element:

<property name="CONNECTION_POOL_CLASS" 
          value="oracle.security.idm.providers.stdldap.JNDIPool"/> 

To work around this issue, proceed as follows:

  1. Shut down the server.

  2. Open the file was_profile_dir/config/cells/cell_name/fmwconfig/jps-config.xml for edit, where was_profile_dir and cell_name stand for the profile directory name and cell name on your system.

  3. Insert the missing property CONNECTION_POOL_CLASS into the configuration of the identity store service instance.

  4. Save the file and restart the server.

25.2 Documentation Errata

This section contains corrections to documentation errors. It includes the following topics:

25.2.1 Updated Configuration for Role Category

This note contains the correct configuration of a role category as described in Section 2.8 "The Role Category" in the Oracle Fusion Middleware Application Security Guide, part number E10043-10.

The configuration of the element <role-category> in the file jazn-data.xml illustrated in Section 2.8 should be replaced with the following:

<app-roles>
  <app-role>
    <name>AppRole_READONLY</name>
    <display-name>display name</display-name>
    <description>description</description>
    <class>oracle.security.jps.service.policystore.ApplicationRole</class>
    <extended-attributes>
      <attribute>
        <name>ROLE_CATEGORY</name>
        <values>
          <value>RC_READONLY</value>
        </values>
      </attribute>
    </extended-attributes>
  </app-role>
</app-roles>
<role-categories>
  <role-category>
    <name>RC_READONLY</name>
    <display-name>RC_READONLY display name</display-name>
    <description>RC_READONLY description</description>
  </role-category>
</role-categories>

The important point about this correction is the following:

  • The members of a role category are not configured within the <role-category> element but within the element <extended-attributes> of the corresponding application role.
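As an added example that is not from the guide, the script below checks a jazn-data.xml against the corrected layout: it collects the members of each role category from the ROLE_CATEGORY extended attribute of every application role, and reports categories that roles reference but <role-categories> never declares. The sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the corrected layout above; AppRole_ADMIN names a category
# that <role-categories> never declares.
SAMPLE_JAZN_DATA = '''<jazn-data>
  <policy-store><applications><application><name>MyApp</name>
    <app-roles>
      <app-role><name>AppRole_READONLY</name>
        <extended-attributes><attribute><name>ROLE_CATEGORY</name>
          <values><value>RC_READONLY</value></values></attribute></extended-attributes>
      </app-role>
      <app-role><name>AppRole_ADMIN</name>
        <extended-attributes><attribute><name>ROLE_CATEGORY</name>
          <values><value>RC_ADMIN</value></values></attribute></extended-attributes>
      </app-role>
    </app-roles>
    <role-categories>
      <role-category><name>RC_READONLY</name></role-category>
    </role-categories>
  </application></applications></policy-store>
</jazn-data>
'''

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # tag name without a default-namespace prefix

def _child_text(elem, name):
    """Text of the first direct child element called name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def role_category_members(xml_text):
    """Map each ROLE_CATEGORY value to the app roles carrying it; membership is
    read from <extended-attributes> of <app-role>, never from <role-category>."""
    members = {}
    for role in ET.fromstring(xml_text).iter():
        if _local(role.tag) != "app-role":
            continue
        for attr in role.iter():
            if _local(attr.tag) == "attribute" and _child_text(attr, "name") == "ROLE_CATEGORY":
                for value in attr.iter():
                    if _local(value.tag) == "value":
                        members.setdefault(value.text.strip(), []).append(_child_text(role, "name"))
    return members

def undeclared_categories(xml_text):
    """Categories that roles reference but <role-categories> does not declare."""
    declared = set(_child_text(c, "name") for c in ET.fromstring(xml_text).iter()
                   if _local(c.tag) == "role-category")
    return sorted(set(role_category_members(xml_text)) - declared)
```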

25.2.2 Correct setAuditRepository Command Reference Example

This note corrects a typo in Section C.4.5 "setAuditRepository" in the Oracle Fusion Middleware Application Security Guide, part number E10043-11.

In the example line:

setAuditRepository(switchToDB='true',dataSourceName='jdbcAuditDB',interval='14')

change 'jdbcAuditDB' to read 'jdbc/AuditDB'.

25.2.3 Demo CA Certificate not for Production Use

In the Oracle Fusion Middleware Application Security Guide, Part Number E10043-11, 11.1.3 Domain Trust Store, insert the following caution note at the top of the section:

Caution:

The Demo CA has a well-known, hard-coded private key. Care should be taken not to trust certificates signed by the Demo CA. As such, the Demo CA certificate in the trust store should not be used in production; it should be removed from the domain trust store in production.

25.2.4 Incorrect Link to ILM Content

In the Oracle Fusion Middleware Application Security Guide, part number E10043-12, in the chapter Configuring and Managing Auditing, the section titled "Tiered Archival" contains an incorrect link for Oracle Information Lifecycle Management (ILM).

Change the link to read:

http://www.oracle.com/technetwork/database/enterprise-edition/index-090321.html

25.2.5 Incorrect Table Title in Appendix C

In the Oracle Fusion Middleware Application Security Guide, part number E10043-11, in Appendix C Oracle Fusion Middleware Audit Framework Reference, Table C-4 is incorrectly titled. The correct title should be "Oracle Internet Directory Events."

25.2.6 Clarification of Note in Appendix C

In the Oracle Fusion Middleware Application Security Guide, part number E10043-11, in Appendix C Oracle Fusion Middleware Audit Framework Reference, the note at the beginning of section 12.3.3 is incomplete. The note should read:

Note:

The metadata store is separate from the audit data store which contains the actual audit data.

25.2.7 Notes Regarding Need for Server Restarts

In the Oracle Fusion Middleware Application Security Guide, part number E10043-11, Chapter 13 Configuring and Managing Auditing refers to the need to restart the server after audit policy changes. These references are in the following sections:

  • Section 13.3 Managing Audit Policies, under the heading 'How Policies are Configured', second sentence.

  • Section 13.3.1 Manage Audit Policies for Java Components with Fusion Middleware Control, second bulleted note under Notes.

  • Section 13.3.2 Manage Audit Policies for System Components with Fusion Middleware Control, second bulleted note under Notes.

However, a restart is not necessary; the changes take effect on the managed server after a few minutes.