Skip Headers
Oracle® Fusion Applications Developer's Guide
11g Release 5 (11.1.5)

Part Number E15524-10
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

28 Configuring ECSF Security

This chapter describes how to configure security for ECSF.

This chapter includes the following sections:

28.1 Introduction to Configuring ECSF Security

ECSF secures credentials and searchable application data. The credentials are required for the ECSF engine to communicate with Oracle Secure Enterprise Search (Oracle SES) administration service, Oracle SES query service, and ECSF Security Service. ECSF also uses Secure Socket Layer (SSL) to secure the connections through which the credentials are transmitted. ECSF stores the credentials in the Credential Store Framework (CSF) of the Oracle WebLogic Server domain.

Configure the HTTP protocol to restrict the maximum post and message size in order to prevent denial-of-service (DoS) attacks, which makes the servlets unavailable. For information, see Oracle Fusion Middleware Configuring Server Environments for Oracle WebLogic Server.

28.2 Securing ECSF Credentials

Passwords are stored in the Credential Store Framework (CSF) of the Oracle WebLogic Server domain. These passwords are used to perform secure interaction between the ECSF engine and the Oracle SES server. For more information about CSF in Oracle WebLogic Server, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

28.2.1 How to Add the Permission Policy

When the ECSF Runtime Server or the ECSF Client library is added to the projects in Oracle JDeveloper, the permission policy, shown in Example 28-1, is automatically added within the <jazn-policy> tag of the application's jazn-data.xml file located in src/META-INF.

Example 28-1 Permission Policy

<grant>
    <grantee>
         <codesource>
               <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/oracle.ecsf/-</url>
         </codesource>
    </grantee>
    <permissions>
         <permission>
               <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
               <name>context=SYSTEM,mapName=oracle.ecsf,keyName=*</name>
               <actions>*</actions>
         </permission>
         <permission>
               <class>oracle.security.jps.JpsPermission</class>
               <name>IdentityAssertion</name>
               <actions>execute</actions>
         </permission>
    </permissions>
</grant>

Credentials are stored under mapName oracle.ecsf, oracle.apps.security, and oracle.wsm.security with a key in the format: username#engineInstanceId (for example, scott#1, where scott is the user on engine instance 1).

When the application is deployed, the policies in jazn-data.xml are merged into the system-jazn-data.xml file in WebLogic_domain/config/fmwconfig on Oracle WebLogic Server.

Note:

The following security deployment options for the application must be configured in JDeveloper for the policies to merge: policies, credentials, and users/groups.

Make sure that the policy migrates to the target Oracle WebLogic Server domain. For more information, see Oracle Fusion Middleware Application Security Guide.

28.2.2 How to Configure Application Identities for Search

Oracle Fusion Applications include six search-related application identities that are seeded and are stored in the identity store:

  • FUSION_APPS_CRM_SES_CRAWL_APPID

  • FUSION_APPS_FSCM_SES_CRAWL_APPID

  • FUSION_APPS_HCM_SES_CRAWL_APPID

  • FUSION_APPS_CRM_ECSF_SEARCH_APPID

  • FUSION_APPS_FSCM_ECSF_SEARCH_APPID

  • FUSION_APPS_HCM_ECSF_SEARCH_APPID

  • FUSION_APPS_ECSF_SES_ADMIN_APPID

Each pair of application identities, one pair for each product family, are used to integrate ECSF with Oracle Fusion Applications. The Credential Store Framework (CSF) stores the credentials to access the identities.

However, if you are developing applications on the Integrated WebLogic Server instance, then you must manually configure the application identities to integrate ECSF for the crawl users: SES_ADMIN_USERNAME, SES_QUERY_PROXY_USERNAME, and ECSF_SECURITY_USERNAME.

Note:

To prevent duplication of crawls, crawling and indexing of searchable object data into Oracle SES must be performed by one crawler user. The single crawler user, specified in the search engine instance parameter ECSF_SECURITY_USERNAME, must have access to all searchable object data to be indexed.

The required setup of a user depends on the application setup and is not controlled by ECSF. For example, Oracle Fusion Applications includes three application IDs that are created for crawling data: FUSION_APPS_CRM_SES_CRAWL_APPID, FUSION_APPS_FSCM_SES_CRAWL_APPID, and FUSION_APPS_HCM_SES_CRAWL_APPID. You must make sure that the proper roles, permissions, privileges, and so on are granted to the three application IDs so they have access to the data to be crawled.

To configure the application identities, you must complete the following tasks:

  1. Make sure the SearchContext is set to FusionSearchContextImpl.

  2. Create the application identities.

  3. Make sure the permission policies for the identity store and the JPS IdentityAssertion API are added to the jazn-data.xml file.

28.2.2.1 Setting the SearchContext to FusionSearchContextImpl

In order for ECSF to handle the application identities of Oracle Fusion applications, the SearchContext must be set to FusionSearchContextImpl. The SearchContext is automatically set at runtime based on the runtime environment. If the SearchContext is not set properly, then set the context using the oracle.ecsf.context system property, for example:

-Doracle.ecsf.context='oracle.ecsf.fusion.FusionSearchContextImpl'

For more information, see Section 30.2.4, "How to Modify the Run Configuration of the View-Controller Project."

28.2.2.2 Creating the Application Identities

Each of the crawl users (SES_ADMIN_USERNAME, SES_QUERY_PROXY_USERNAME, and ECSF_SECURITY_USERNAME) must correspond to an application identity. Use Oracle Enterprise Manager Fusion Applications Control for ECSF to set the crawl user names and their corresponding passwords. For information, see the "Managing Search with Oracle Enterprise Crawl and Search Framework" chapter in the Oracle Fusion Applications Administrator's Guide.

For example, set the user names for Oracle Fusion Customer Relationship Management to:

SES_ADMIN_USERNAME=eqsys

SES_QUERY_PROXY_USERNAME=FUSION_APPS_CRM_ECSF_SEARCH_APPID

ECSF_SECURITY_USERNAME=FUSION_APPS_CRM_SES_CRAWL_APPID

Once the user names are set, you can update the corresponding password parameters for those users to the key names for the application identities. The format of the key name is fullAPPID-KEY.

This creates entries in the cwallet with the correct map/key pairs for the users.

28.2.2.3 Adding the Permission Policy for the Application Identities

In order for ECSF to read and write to the application identity maps in the keystore and access the JPS IdentityAssertion API, permissions must be granted to the three crawl users. The permission policies, shown in Example 28-2, are seeded in the jazn-data.xml file for Oracle Fusion applications and can be managed in Fusion Applications Control.

Example 28-2 Permission Policies for Application Identities

<grant>
        <grantee>
            <codesource>
                <url>file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/oracle.ecsf/-</url>
            </codesource>
        </grantee>
        <permissions>
            <permission>
                 <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                 <name>context=SYSTEM,mapName=oracle.ecsf,keyName=*</name>
                 <actions>*</actions>
            </permission>
            <permission>
                 <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                 <name>context=SYSTEM,mapName=oracle.wsm.security,keyName=FUSION_APPS_FSCM_ECSF_SEARCH_APPID-KEY</name>
                 <actions>*</actions>
            </permission>
            <permission>
                 <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                 <name>context=SYSTEM,mapName=oracle.wsm.security,keyName=FUSION_APPS_HCM_ECSF_SEARCH_APPID-KEY</name>
                 <actions>*</actions>
            </permission>
            <permission>
                 <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                 <name>context=SYSTEM,mapName=oracle.wsm.security,keyName=FUSION_APPS_CRM_ECSF_SEARCH_APPID-KEY</name>
                 <actions>*</actions>
            </permission>
            <permission>
                 <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                 <name>context=SYSTEM,mapName=oracle.apps.security,keyName=FUSION_APPS_CRM_SES_CRAWL_APPID-KEY</name>
                 <actions>*</actions>
            </permission>
            <permission>
                 <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                 <name>context=SYSTEM,mapName=oracle.apps.security,keyName=FUSION_APPS_HCM_SES_CRAWL_APPID-KEY</name>
                 <actions>*</actions>
            </permission>
            <permission>
                 <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                 <name>context=SYSTEM,mapName=oracle.apps.security,keyName=FUSION_APPS_FSCM_SES_CRAWL_APPID-KEY</name>
                 <actions>*</actions>
            </permission>
            <permission>
                 <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
                 <name>context=SYSTEM,mapName=oracle.apps.security,keyName=FUSION_APPS_ECSF_SES_ADMIN_APPID-KEY</name>
                 <actions>*</actions>
            </permission>
            <permission>
                <class>oracle.security.jps.JpsPermission</class>
                <name>IdentityAssertion</name>
                <actions>execute</actions>
            </permission>
        </permissions>
    </grant>

The permissions allow ECSF to read and write credential store entries that are not part of the oracle.ecsf map.

28.3 Authorizing Users for Search Feeds

New grants are needed in order to authorize users for the search feeds. You must manually update the application's jazn-data.xml file located in src/META-INF to enable authorization for users. Add the grant, shown in Example 28-3, inside the <application> section in the <jazn-policy> section.

Example 28-3 Grant for Search Feeds User Authorization

<permission>
      <class>oracle.adf.share.security.authorization.MethodPermission</class>
      <name>ECSF_All_Services</name>
      <actions>execute</actions>
</permission>

The grantee should be the users or roles that you want to authorize to use the search feeds, as shown in Example 28-4.

Example 28-4 Granting Permission to a Role

<grant>
      <grantee>
            <principals>
                  <principal>
                        <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                        <name>AuthorizedUserRole</name>
                  </principal>
            </principals>
     </grantee>
     <permissions>
           <permission>
                 <class>oracle.adf.share.security.authorization.MethodPermission</class>
                 <name>ECSF_All_Services</name>
                 <actions>execute</actions>
           </permission>
     </permissions>
</grant>

The example shows how jazn-data.xml is modified to grant the permission to a role.

28.4 Securing the Searchable Application Data

ECSF secures the searchable application data by authenticating and authorizing users who use ECSF to perform searches.

28.4.1 How to Secure the Searchable Application Data

Secure the searchable application data by enabling the use of the security model for authenticating and authorizing users.

To enable the use of the security model:

  1. Create users in Oracle WebLogic Server. The user credentials are stored in Oracle WebLogic Server and can be used for authentication and authorization to query Oracle SES. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

  2. Create a separate user and add it to the Operators group in order to assign that user the Oracle WebLogic Server security role of Operator to obtain execute privileges on ECSF MBean operations. For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

  3. Create an ECSF query proxy user. For more information, see the "Managing Search with Oracle Enterprise Crawl and Search Framework" chapter in the Oracle Fusion Applications Administrator's Guide.

  4. Set the search engine instance parameters SES_QUERY_PROXY_USERNAME and SES_QUERY_PROXY_PASSWORD. For more information, see the "Managing Search with Oracle Enterprise Crawl and Search Framework" chapter in the Oracle Fusion Applications Administrator's Guide.

Note:

ECSF also supports allowing authenticated users to search business objects with no security policies attached to them.