Oracle Platform Security Services
Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
What's New in This Guide
Updates in the June 2015 Document Refresh for 12.1.2.0.0
New Features in Release 12.1.2.0.0
Part I Understanding Security Concepts
1
Introduction to Oracle Platform Security Services
1.1
What is Oracle Platform Security Services?
1.1.1
OPSS Main Features
1.1.2
Supported Server Platforms
1.2
OPSS Architecture Overview
1.2.1
Benefits of Using OPSS
1.3
Oracle ADF Security Overview
1.4
OPSS for Administrators
1.5
OPSS for Developers
1.5.1
Scenario 1: Enhancing Security in a Java EE Application
1.5.2
Scenario 2: Securing an Oracle ADF Application
1.5.3
Scenario 3: Securing a Java SE Application
2
Understanding Users and Roles
2.1
Terminology
2.2
Role Mapping
2.2.1
Permission Inheritance and the Role Hierarchy
2.3
The Authenticated Role
2.4
The Anonymous User and Role
2.4.1
Anonymous Support and Subject
2.5
Administrative Users and Roles
2.6
Managing User Accounts
2.7
Principal Name Comparison Logic
2.7.1
How Does Principal Comparison Affect Authorization?
2.7.2
System Parameters Controlling Principal Name Comparison
2.8
The Role Category
3
Understanding Identities, Policies, Credentials, Keys, Certificates, and Auditing
3.1
Compatibility Matrix for 11g and 12c Versions
3.2
Authentication Basics
3.2.1
Identity Store Types and WebLogic Authenticators
3.2.2
WebLogic Authenticators
3.2.2.1
Multiple Authenticators
3.2.2.2
Additional Authentication Methods
3.3
Policy Store Basics
3.4
Credential Store Basics
3.5
Keystore Service Basics
3.5.1
Keystore Repository Types
3.5.2
Keystore Repository Scope and Reassociation
3.6
Audit Service Basics
4
About Oracle Platform Security Services Scenarios
4.1
Supported File-, LDAP-, and DB-Based Services
4.2
Management Tools
4.3
Packaging Requirements
4.4
Example Scenarios
4.5
Other Scenarios
Part II Basic OPSS Administration
5
Security Administration
5.1
Choosing the Administration Tool According to Technology
5.2
Basic Security Administration Tasks
5.2.1
Setting Up a Brand New Production Environment
5.3
Typical Security Practices with Fusion Middleware Control
5.4
Typical Security Practices with the Administration Console
5.5
Typical Security Practices with Oracle Entitlements Server
5.6
Typical Security Practices with WLST Commands
6
Deploying Secure Applications
6.1
Overview
6.2
Selecting the Tool for Deployment
6.2.1
Deploying Java EE and Oracle ADF Applications with Fusion Middleware Control
6.3
Deploying Oracle ADF Applications to a Test Environment
6.3.1
Deploying to a Test Environment
6.3.1.1
Typical Administrative Tasks after Deployment in a Test Environment
6.4
Deploying Standard Java EE Applications
6.5
Deploying Applications with Auditing
6.5.1
Packaging Requirements for Auditing
6.5.2
Registration with the Audit Service
6.5.3
Migrating Audit Data
6.6
Migrating from a Test to a Production Environment
6.6.1
Migrating Identities
6.6.1.1
Migrating Identities with migrateSecurityStore
6.6.2
Migrating Policies and Credentials
6.6.2.1
Migrating Policies with migrateSecurityStore
6.6.2.2
Migrating Credentials with migrateSecurityStore
6.6.2.3
Migrating Large Volume Policy and Credential Stores
6.6.3
Migrating Audit Information
6.6.4
Migrating Keystore Service Artifacts
6.6.4.1
Background for Keystore Migration
6.6.4.2
Migrating Keystore Service Artifacts Within a Domain
6.6.4.3
Migrating Keystore Service Artifacts Across Domains
Part III OPSS Services
7
Lifecycle of Security Artifacts
7.1
Introduction
7.2
FMW Domains
7.3
Creating an FMW Domain
7.3.1
Using a New Database Instance
7.3.2
Sharing a Database Instance
7.4
Layered Component Security Artifacts
7.5
Upgrading to 12.1.2
7.5.1
Before Upgrading
7.5.2
Upgrading Procedure
7.6
Backing Up and Recovering the OPSS Security Store
7.6.1
Backing Up and Recovering a DB-Based Security Store
7.6.2
Backing Up and Recovering an OID-Based Security Store
7.6.3
Recommendations
8
Configuring the Identity Store Service
8.1
Introduction to the Identity Store Service
8.1.1
About the Identity Store Service
8.1.2
Service Architecture
8.1.3
Application Server Support
8.1.4
Java SE Support
8.2
Configuring the Identity Store Provider
8.3
Configuring the Identity Store Service
8.3.1
What is Configured?
8.3.1.1
Configuring Multi-LDAP Lookup
8.3.1.2
Global/Connection Parameters
8.3.1.3
Back-End/Connection Parameters
8.3.2
Configuration in WebLogic Server
8.3.2.1
Configuring the Service for Single LDAP
8.3.2.2
Configuring the Service for Multiple LDAP Without virtualize Property
8.3.2.3
Configuring the Service for Multiple LDAP using Fusion Middleware Control
8.3.2.4
Configuring the Service for Multiple LDAP using WLST
8.3.2.5
Configuring the Timeout Setting Using WLST
8.3.2.6
Configuring Other Parameters
8.3.2.7
Restarting Servers
8.3.2.8
Examples of the Configuration File
8.3.3
Configuring Split Profiles
8.3.4
Configuring Custom Authenticators
8.3.5
Configuration in Other Application Servers
8.3.5.1
Configuring the Service for Single LDAP
8.3.5.2
Configuring the Service for Multiple LDAP
8.3.6
Java SE Environments
8.4
Querying the Identity Store Programmatically
8.5
SSL for the Identity Store Service
8.5.1
Connections from Oracle WebLogic Server to Identity Store
8.5.2
Configuring SSL with Keystore Service
8.5.2.1
One-way SSL in a Multi-LDAP Scenario with Keystore Service
8.5.2.2
Two-way SSL in a Multi-LDAP Scenario with Keystore Service
8.5.3
Configuring SSL with JKS-Based Key Stores
8.5.3.1
One-way SSL in a Multi-LDAP Scenario with JKS-Based Keystore
8.5.3.2
Two-way SSL in a Multi-LDAP Scenario with JKS-Based Keystore
9
Configuring the OPSS Security Store
9.1
Introduction to the OPSS Security Store
9.1.1
Multi-Server Environments
9.2
Using an LDAP-Based OPSS Security Store
9.2.1
Prerequisites to Using an LDAP-Based Security Store
9.2.2
Setting Up a One-Way SSL Connection to the LDAP
9.3
Using a DB-Based OPSS Security Store
9.3.1
Prerequisites to Using a DB-Based Security Store
9.3.2
Maintaining a DB-Based Security Store
9.3.3
Setting Up an SSL Connection to the DB
9.4
Configuring the OPSS Security Store
9.5
Reassociating the OPSS Security Store
9.5.1
Reassociating with Fusion Middleware Control
9.5.1.1
Securing Access to Oracle Internet Directory Nodes
9.5.2
Reassociating with the Script reassociateSecurityStore
9.6
Migrating the OPSS Security Store
9.6.1
Migrating with Fusion Middleware Control
9.6.2
Migrating with the Script migrateSecurityStore
9.6.2.1
Migrating Audit Metadata
9.6.2.2
Examples of Use
9.7
Configuring Services Providers with Fusion Middleware Control
9.7.1
Configuring the Identity Store Provider
9.7.2
Configuring the Single Sign-On Provider
9.7.3
Configuring the Trust Service Provider
9.7.4
Configuring Properties and Property Sets
10
Managing the Policy Store
10.1
Managing the Policy Store
10.2
Managing Policies with Fusion Middleware Control
10.2.1
Managing Application Policies
10.2.2
Managing Application Roles
10.2.3
Managing System Policies
10.3
Managing Application Policies with WLST commands
10.3.1
reassociateSecurityStore
10.4
Caching and Refreshing the Cache
10.4.1
An Example
10.5
Granting Policies to Anonymous and Authenticated Roles with WLST commands
10.6
Application Stripe for Versioned Applications in WLST commands
10.7
Managing Application Policies with Oracle Entitlements Server
11
Managing the Credential Store
11.1
Credential Types
11.2
Encrypting Credentials
11.3
Managing Credentials with Fusion Middleware Control
11.4
Managing Credentials with WLST commands
12
Managing Keys and Certificates with the Keystore Service
12.1
About the Keystore Service
12.1.1
Structure of the Keystore Service
12.1.2
Types of Keystores
12.1.3
Domain Trust Store
12.1.4
Keystores for Domains with Multiple Servers
12.1.5
Troubleshooting Keystore Service
12.2
Keystore Management with the Keystore Service
12.2.1
About the Keystore Lifecycle
12.2.2
Common Keystore Operations
12.2.2.1
Creating a Keystore with Fusion Middleware Control
12.2.2.2
Creating a Keystore at the Command Line
12.2.2.3
Deleting a Keystore with Fusion Middleware Control
12.2.2.4
Deleting a Keystore at the Command Line
12.2.2.5
Changing Keystore Password with Fusion Middleware Control
12.2.2.6
Changing Keystore Password at the Command Line
12.2.2.7
Exporting a Keystore at the Command Line
12.2.2.8
Importing a Keystore at the Command Line
12.3
Certificate Management with the Keystore Service
12.3.1
About the Certificate Lifecycle
12.3.2
Common Certificate Operations
12.3.2.1
Generating a Keypair with Fusion Middleware Control
12.3.2.2
Generating a Keypair at the Command Line
12.3.2.3
Generating CSR for a Certificate with Fusion Middleware Control
12.3.2.4
Generating CSR for a Keypair at the Command Line
12.3.2.5
Importing a Certificate or Trusted Certificate with Fusion Middleware Control
12.3.2.6
Importing a Certificate at the Command Line
12.3.2.7
Exporting a Certificate or Trusted Certificate with Fusion Middleware Control
12.3.2.8
Exporting a Certificate or Trusted Certificate at the Command Line
12.3.2.9
Deleting a Certificate with Fusion Middleware Control
12.3.2.10
Deleting a Certificate at the Command Line
12.3.2.11
Changing Certificate Password with Fusion Middleware Control
12.3.2.12
Changing Certificate Password at the Command Line
12.4
How Oracle Fusion Middleware Components Use the Keystore Service
12.4.1
Using the syncKeyStores Command
12.4.1.1
syncKeyStores Command Usage
12.4.1.2
When to Use the syncKeyStores Command
12.4.2
Integrating with Oracle WebLogic Server
12.4.3
Integrating with Node Manager
12.4.4
Integrating with the Identity Store Service
12.5
About Keystore Service Commands
12.6
Getting Help for Keystore Service Commands
12.7
Keystore Service Command Reference
13
Introduction to Oracle Fusion Middleware Audit Service
13.1
Benefits and Features of the Oracle Fusion Middleware Audit Framework
13.1.1
Objectives of Auditing
13.1.2
Today's Audit Challenges
13.1.3
About the Oracle Fusion Middleware Audit Framework
13.2
Overview of Audit Features
13.3
Oracle Fusion Middleware Audit Framework Concepts
13.3.1
The Audit Architecture
13.3.1.1
The Audit Service Model
13.3.1.2
Audit APIs
13.3.1.3
Run-time Support and Audit Event Flow
13.3.2
Key Technical Concepts
13.3.3
The Audit Metadata Store
13.3.4
Audit Data Storage
13.3.5
Analytics
13.3.6
Understanding the Audit Lifecycle
13.4
The Audit Metadata Model
13.4.1
Naming Conventions for Audit Artifacts
13.4.2
Attribute Groups
13.4.2.1
Audit Attribute Data Types
13.4.2.2
Common Attribute Groups
13.4.2.3
Generic Attribute Groups
13.4.2.4
Custom Attribute Groups
13.4.3
Event Categories and Events
13.4.3.1
System Categories and Events
13.4.3.2
Component/Application Categories
13.5
About Audit Definition Files
13.5.1
The component_events.xml File
13.5.2
Translation Files
13.5.3
Understand Mapping and Versioning Rules
13.5.3.1
Version Numbers
13.5.3.2
Custom Attribute to Database Column Mappings
14
Configuring and Managing Auditing
14.1
Audit Administration Tasks
14.2
Managing the Audit Data Store
14.2.1
Create the Audit Schema using RCU
14.2.2
Set Up Audit Data Sources
14.2.2.1
Multiple Data Sources
14.2.3
Configure a Database Audit Data Store for Java Components
14.2.3.1
View Audit Data Store Configuration
14.2.3.2
Configure the Audit Data Store and Bus-Stop Storage
14.2.3.3
Deconfigure the Audit Data Store
14.2.4
Configure a Database Audit Data Store for System Components
14.2.4.1
Deconfigure the Audit Data Store
14.2.5
Tune the Bus-stop Files
14.2.6
Configure the Stand-alone Audit Loader
14.2.6.1
Configuring the Environment
14.2.6.2
Running the Stand-Alone Audit Loader
14.3
Managing Audit Policies
14.3.1
Manage Audit Policies for Java Components with Fusion Middleware Control
14.3.2
Manage Audit Policies for System Components with Fusion Middleware Control
14.3.3
Manage Audit Policies with WLST
14.3.3.1
View Audit Policies with WLST
14.3.3.2
Update Audit Policies with WLST
14.3.3.3
Example 1: Configuring an Audit Policy for Users with WLST
14.3.3.4
Example 2: Configuring an Audit Policy for Events with WLST
14.3.3.5
Custom Configuration is Retained when the Audit Level Changes
14.3.4
Manage Audit Policies Manually
14.3.4.1
Location of Configuration Files for Java Components
14.3.4.2
Audit Service Configuration Properties in jps-config.xml for Java Components
14.3.4.3
Switching from Database to File for Java Components
14.3.4.4
Audit Configuration File for System Components
14.4
Audit Timestamps
14.5
Audit Logs and Bus-stop Files
14.5.1
Location of Audit Logs
14.5.2
Audit Timestamps in Bus-stop Files
14.6
Advanced Management of Database Store
14.6.1
Schema Overview
14.6.2
Base and Component Table Attributes
14.6.3
Indexing Scheme
14.6.4
Backup and Recovery
14.6.5
Importing and Exporting Data
14.6.6
Partitioning
14.6.6.1
Partition Tables
14.6.6.2
Backup and Recovery of Partitioned Tables
14.6.6.3
Import and Export
14.6.6.4
Data Purge
14.6.6.5
Tiered Archival
15
Using Audit Analysis and Reporting
15.1
About Audit Reporting
15.2
Generate Reports of Audit Data
15.2.1
Configuring for Audit Reports
15.2.2
Using Oracle Business Intelligence Publisher
Part IV Developing with Oracle Platform Security Services APIs
16
Integrating Application Security with OPSS
16.1
Introduction
16.2
Security Integration Use Cases
16.2.1
Authentication
16.2.1.1
Java EE Application Requiring Authenticated Users
16.2.1.2
Java EE Application Requiring Programmatic Authentication
16.2.1.3
Java SE Application Requiring Authentication
16.2.2
Identities
16.2.2.1
Application Running in Two Environments
16.2.2.2
Application Accessing User Profiles in Multiple Stores
16.2.3
Authorization
16.2.3.1
Java EE Application Accessible by Specific Roles
16.2.3.2
ADF Application Requiring Fine-Grained Authorization
16.2.3.3
Web Application Securing Web Services
16.2.3.4
Java EE Application Requiring Codebase Permissions
16.2.3.5
Non-ADF Application Requiring Fine-Grained Authorization
16.2.4
Credentials
16.2.4.1
Application Requiring Credentials to Access System
16.2.5
Audit
16.2.5.1
Auditing Security-Related Activity
16.2.5.2
Auditing Business-Related Activity
16.2.6
Identity Propagation
16.2.6.1
Propagating the Executing User Identity
16.2.6.2
Propagating a User Identity
16.2.6.3
Propagating Identities Across Domains
16.2.6.4
Propagating Identities over HTTP
16.2.7
Administration and Management
16.2.7.1
Application Requiring a Central Store
16.2.7.2
Application Requiring Custom Management Tool
16.2.7.3
Application Running in a Multiple Server Environment
16.2.8
Integration
16.2.8.1
Application Running in Multiple Domains
16.3
The OPSS Trust Service
16.4
Propagating Identities over the HTTP Protocol
16.5
Propagating Identities with the OPSS Trust Service
16.5.1
Across Multiple WebLogic Domains
16.5.1.1
Token Generation on the Client-Side Domain
16.5.1.2
Server Side or Token Validation Domain
16.5.2
Across Containers in a Single WebLogic Domain
16.5.3
Embedded Trust Service Provider Properties
16.6
A Custom Graphical User Interface
16.6.1
Imports Assumed
16.6.2
Code Sample 1
16.6.3
Code Sample 2
16.6.4
Code Sample 3
16.6.5
Code Sample 4
16.6.6
Code Sample 5
16.6.7
Code Sample 6
16.7
Appendix - Security Lifecycle of an ADF Application
16.7.1
Development Phase
16.7.2
Deployment Phase
16.7.3
Management Phase
16.7.4
Summary of Tasks per Participant per Phase
16.8
Appendix - Code and Configuration Examples
16.8.1
Code Examples
16.8.2
Configuration Examples
16.8.3
Full Code Example of a Java EE Application with Integrated Security
16.9
Appendix - Propagating Identities with JKS-Based Key Stores
16.9.1
Single Domain Scenario
16.9.1.1
Client Application Code Sample
16.9.1.2
Configuring the Keystore Service
16.9.1.3
Configuring CSF
16.9.1.4
Configuring a Grant
16.9.1.5
Servlet Code Sample
16.9.1.6
Configuring web.xml
16.9.1.7
Configuring the WebLogic Asserter and the Trust Service
16.9.1.8
Updating the Trust Service Configuration Parameters
16.9.2
Multiple Domain Scenario
16.9.3
Domains Using Both Protocols
16.9.3.1
Single Domain Scenario
16.9.3.2
Multiple Domain Scenario
17
The OPSS Policy Model
17.1
The Security Policy Model
17.2
Authorization Overview
17.2.1
Introduction to Authorization
17.2.2
The Java EE Authorization Model
17.2.2.1
Declarative Authorization
17.2.2.2
Programmatic Authorization
17.2.2.3
Java EE Code Example
17.2.3
The JAAS Authorization Model
17.3
The JAAS/OPSS Authorization Model
17.3.1
The Resource Catalog
17.3.2
Managing Policies
17.3.3
Checking Policies
17.3.3.1
Using the Method checkPermission
17.3.3.2
Using the Methods doAs and doAsPrivileged
17.3.3.3
Using the Method checkBulkAuthorization
17.3.3.4
Using the Method getGrantedResources
17.3.4
The Class ResourcePermission
18
Configuring Java EE Applications to Use OPSS
18.1
Links to Authentication Topics for Java EE Applications
18.2
Configuring the Servlet Filter and the EJB Interceptor
18.2.1
Interceptor Configuration Syntax
18.2.2
Summary of Filter and Interceptor Parameters
18.2.3
Configuring the Application Stripe for Application MBeans
18.3
Choosing the Appropriate Class for Enterprise Groups and Users
18.4
Packaging a Java EE Application Manually
18.4.1
Packaging Policies with Application
18.4.2
Packaging Credentials with Application
18.5
Configuring Applications to Use OPSS
18.5.1
Parameters Controlling Policy Migration
18.5.2
Policy Parameter Configuration According to Behavior
18.5.2.1
To Skip Migrating Policies
18.5.2.2
To Migrate Merging Policies
18.5.2.3
To Migrate Overwriting Policies
18.5.2.4
To Remove (or to Prevent Removing) Policies
18.5.2.5
To Migrate Policies in a Static Deployment
18.5.2.6
Recommendations
18.5.3
Using a Wallet-Based Credential Store
18.5.4
Parameters Controlling Credential Migration
18.5.5
Credential Parameter Configuration According to Behavior
18.5.5.1
To Skip Migrating Credentials
18.5.5.2
To Migrate Merging Credentials
18.5.5.3
To Migrate Overwriting Credentials
18.5.6
Supported Permission Classes
18.5.6.1
Policy Store Permission
18.5.6.2
Credential Store Permission
18.5.6.3
Generic Permission
18.5.7
Specifying Bootstrap Credentials Manually
18.5.8
Migrating Identities with migrateSecurityStore
18.5.9
Example of Configuration File jps-config.xml
18.6
Executing As an Asserted User
18.6.1
Use Cases
18.6.2
Programming Guidelines and Recommendations
18.6.3
A Code Example
19
Configuring Java SE Applications to Use OPSS
19.1
Using OPSS in Java SE Applications
19.2
Security Services in Java SE Applications
19.3
Authentication in Java SE Applications
19.3.1
The Identity Store
19.3.2
Configuring an LDAP Identity Store in Java SE Applications
19.3.3
Login Modules
19.3.3.1
The Identity Store Login Module
19.3.3.2
The User Authentication Login Module
19.3.3.3
The User Assertion Login Module
19.3.4
Using the OPSS API LoginService in Java SE Applications
19.4
Configuration Examples
20
Developing with the Authorization Service
20.1
Policy and Credential Stores in Java SE Applications
20.1.1
Configuring File-Based Policy and Credential Stores
20.1.2
Configuring LDAP-Based Policy and Credential Stores
20.1.3
Configuring DB-Based OPSS Security Stores
20.2
Unsupported Methods for File-Based Policy Stores
21
Developing with the Credential Store Framework
21.1
About the Credential Store Framework API
21.2
Overview of Application Development with CSF
21.3
Setting the Java Security Policy Permissions
21.3.1
Guidelines for Granting Permissions
21.3.2
Permissions Grant Example 1
21.3.3
Permissions Grant Example 2
21.4
Guidelines for the Map Name
21.5
Configuring the Credential Store
21.6
Using the CSF API
21.6.1
Using the CSF API in Java SE Applications
21.6.2
Using the CSF API in Java EE Applications
21.7
Examples
21.7.1
Common Code for CSF Operations
21.7.2
Example 1: Java SE Application with Wallet Store
21.7.3
Example 2: Java EE Application with Wallet Store
21.7.4
Example 3: Java EE Application with OID LDAP Store
21.7.5
Example 4: Java EE Application with Oracle DB Store
21.8
Best Practices
22
Developing with the User and Role API
22.1
Introduction to the User and Role API Framework
22.1.1
User and Role API and the Oracle WebLogic Server Authenticators
22.2
Summary of Roles and Classes
22.3
Working with Service Providers
22.3.1
Understanding Service Providers
22.3.2
Setting Up the Environment
22.3.2.1
Jar Configuration
22.3.2.2
User Classes in jps-config.xml (Oracle Virtual Directory only)
22.3.2.3
Read Privileges for Provider User (Oracle Internet Directory Only)
22.3.3
Selecting the Provider
22.3.4
Creating the Provider Instance
22.3.5
Properties for Provider Configuration
22.3.5.1
Start-time and Run-time Configuration
22.3.5.2
ECID Propagation
22.3.5.3
When to Pass Configuration Values
22.3.6
Configuring the Provider when Creating a Factory Instance
22.3.6.1
Oracle Internet Directory Provider
22.3.6.2
Using Existing Logger Objects
22.3.6.3
Supplying Constant Values
22.3.6.4
Configuring Connection Parameters
22.3.6.5
Configuring a Custom Connection Pool Class
22.3.7
Configuring the Provider when Creating a Store Instance
22.3.8
Runtime Configuration
22.3.9
Programming Considerations
22.3.9.1
Provider Portability Considerations
22.3.9.2
Considerations when Using IdentityStore Objects
22.3.10
Provider Lifecycle
22.4
Searching the Repository
22.4.1
Searching for a Specific Identity
22.4.2
Searching for Multiple Identities
22.4.3
Specifying Search Parameters
22.4.4
Using Search Filters
22.4.4.1
Operators in Search Filters
22.4.4.2
Handling Special Characters when Using Search Filters
22.4.4.3
Search Filter for Logged-In User
22.4.4.4
Examples of Using Search Filters
22.4.5
Searching by GUID
22.5
User Authentication
22.6
Creating and Modifying Entries in the Identity Store
22.6.1
Handling Special Characters when Creating Identities
22.6.2
Creating an Identity
22.6.3
Modifying an Identity
22.6.4
Deleting an Identity
22.7
Examples of User and Role API Usage
22.7.1
Example 1: Searching for Users
22.7.2
Example 2: User Management in an Oracle Internet Directory Store
22.7.3
Example 3: User Management in a Microsoft Active Directory Store
22.8
SSL Configuration for LDAP-based User and Role API Providers
22.8.1
Out-of-the-box Support for SSL
22.8.1.1
System Properties
22.8.1.2
SSL configuration
22.8.2
Customizing SSL Support for the User and Role API
22.8.2.1
SSL configuration
22.9
The User and Role API Reference
22.10
Developing Custom User and Role Providers
22.10.1
SPI Overview
22.10.2
Types of User and Role Providers
22.10.3
Developing a Read-Only Provider
22.10.3.1
SPI Classes Requiring Extension
22.10.3.2
oracle.security.idm.spi.AbstractIdentityStoreFactory
22.10.3.3
oracle.security.idm.spi.AbstractIdentityStore
22.10.3.4
oracle.security.idm.spi.AbstractRoleManager
22.10.3.5
oracle.security.idm.spi.AbstractUserManager
22.10.3.6
oracle.security.idm.spi.AbstractRoleProfile
22.10.3.7
oracle.security.idm.spi.AbstractUserProfile
22.10.3.8
oracle.security.idm.spi.AbstractSimpleSearchFilter
22.10.3.9
oracle.security.idm.spi.AbstractComplexSearchFilter
22.10.3.10
oracle.security.idm.spi.AbstractSearchResponse
22.10.4
Developing a Full-Featured Provider
22.10.5
Development Guidelines
22.10.6
Testing and Verification
22.10.7
Example: Implementing an Identity Provider
22.10.7.1
About the Sample Provider
22.10.7.2
Overview of Implementation
22.10.7.3
Configure jps-config.xml to use the Sample Identity Provider
22.10.7.4
Configure Oracle WebLogic Server
The User and Role SPI Reference
oracle.security.idm.spi.AbstractUserProfile
oracle.security.idm.spi.AbstractUserManager
oracle.security.idm.spi.AbstractUser
oracle.security.idm.spi.AbstractSubjectParser
oracle.security.idm.spi.AbstractStoreConfiguration
oracle.security.idm.spi.AbstractSimpleSearchFilter
oracle.security.idm.spi.AbstractSearchResponse
oracle.security.idm.spi.AbstractRoleProfile
oracle.security.idm.spi.AbstractRoleManager
oracle.security.idm.spi.AbstractRole
oracle.security.idm.spi.AbstractIdentityStoreFactory
oracle.security.idm.spi.AbstractIdentityStore
oracle.security.idm.spi.AbstractComplexSearchFilter
23
Developing with the Identity Directory API
23.1
About the Identity Directory API
23.1.1
Feature Overview
23.2
Summary of Classes
23.3
Identity Directory Configuration
23.4
Working with the Identity Directory API
23.4.1
Getting an Identity Directory API Instance
23.4.2
Performing CRUD Operations on Users and Groups
23.4.2.1
User Operations
23.4.2.2
Group Operations
23.5
Examples of Identity Directory API
23.5.1
Initialize and Obtain Identity Directory Handle
23.5.2
Create a User
23.5.3
Get a User
23.5.4
Modify a User
23.5.5
Simple Search for a User
23.5.6
Complex Search for Users
23.5.7
Create a Group
23.5.8
Get a Group
23.5.9
Get Group Using a Search Filter
23.5.10
Delete a Group
23.5.11
Add a Member to a Group
23.5.12
Delete a Member from a Group
23.6
SSL Configuration
24
Developing with the Keystore Service
24.1
About the Keystore Service API
24.2
Overview of Application Development with the Keystore Service
24.3
Setting the Java Security Policy Permission
24.3.1
Guidelines for Granting Permissions
24.3.2
Permissions Grant Example 1
24.3.3
Permissions Grant Example 2
24.3.4
Permissions Grant Example 3
24.4
Configuring the Keystore Service
24.5
Using the Keystore Service API
24.5.1
Using the Keystore Service API in Java SE Applications
24.5.2
Using the Keystore Service API in Java EE Applications
24.6
Example of Keystore Service API Usage
24.6.1
Java Program for Keystore Service Management Operations
24.6.2
Reading Keys at Runtime
24.6.2.1
Getting the Keystore Handle
24.6.2.2
Accessing Keystore Artifacts - Method 1
24.6.2.3
Accessing Keystore Artifacts - Method 2
24.6.3
Policy Store Setup
24.6.4
Configuration File
24.6.5
About Using the Keystore Service in the Java SE Environment
24.7
Best Practices
25
Developing with the Audit Service
25.1
Application Integration with Audit Flow
25.2
Integrating the Application with the Audit Framework
25.3
Create Audit Definition Files
25.4
Register Application with the Registration Service
25.4.1
Default Application Audit Registration
25.4.2
Custom Application Audit Registration
25.4.3
Programmatic Registration
25.5
Use the Administration Service APIs
25.5.1
Query Audit Metadata
25.5.2
View and Set Audit Run-time Policy
25.6
Add Application Code to Log Audit Events
25.6.1
Audit Client API
25.6.2
Set System Grants
25.6.3
Obtain Auditor Instance
25.7
Update and Maintain Audit Definitions
Part V Appendices
A
OPSS Configuration File Reference
A.1
Top- and Second-Level Element Hierarchy
A.2
Lower-Level Elements
<description>
<extendedProperty>
<extendedPropertySet>
<extendedPropertySetRef>
<extendedPropertySets>
<jpsConfig>
<jpsContext>
<jpsContexts>
<name>
<property>
<propertySet>
<propertySetRef>
<propertySets>
<serviceInstance>
<serviceInstanceRef>
<serviceInstances>
<serviceProvider>
<serviceProviders>
<value>
<values>
B
File-Based Identity and Policy Store Reference
B.1
Hierarchy of Elements in system-jazn-data.xml
B.2
Elements and Attributes of system-jazn-data.xml
<actions>
<actions-delimiter>
<app-role>
<app-roles>
<application>
<applications>
<attribute>
<class>
<codesource>
<credentials>
<description>
<display-name>
<extended-attributes>
<grant>
<grantee>
<guid>
<jazn-data>
<jazn-policy>
<jazn-realm>
<matcher-class>
<member>
<member-resource>
<member-resources>
<members>
<name>
<owner>
<owners>
<permission>
<permissions>
<permission-set>
<permission-sets>
<policy-store>
<principal>
<principals>
<provider-name>
<realm>
<resource>
<resources>
<resource-name>
<resource-type>
<resource-types>
<role>
<role-categories>
<role-category>
<role-name-ref>
<roles>
<type>
<type-name-ref>
<uniquename>
<url>
<user>
<users>
<value>
<values>
C
Oracle Fusion Middleware Audit Framework Reference
C.1
Audit Events
C.1.1
What Components Can be Audited?
C.1.2
What Events can be Audited?
C.1.2.1
Oracle Platform Security Services Events and their Attributes
C.1.3
OPSS Event Attribute Descriptions
C.2
Pre-built Audit Reports
C.2.1
Setting up Oracle Business Intelligence Publisher for Audit Reports
C.2.1.1
About Oracle Business Intelligence Publisher
C.2.1.2
Install Oracle Business Intelligence Publisher
C.2.1.3
Set Up Oracle Reports in Oracle Business Intelligence Publisher
C.2.1.4
Set Up Audit Report Templates
C.2.1.5
Set Up Audit Report Filters
C.2.1.6
Configure Scheduler in Oracle Business Intelligence Publisher
C.2.2
Organization of Audit Reports
C.2.3
View Audit Reports
C.2.4
Example of Oracle Business Intelligence Publisher Reports
C.2.5
Audit Report Details
C.2.5.1
List of Audit Reports in Oracle Business Intelligence Publisher
C.2.5.2
Attributes of Audit Reports in Oracle Business Intelligence Publisher
C.3
Customizing Audit Reports
C.3.1
Using Advanced Filters on Pre-built Reports
C.3.2
Creating Custom Reports
C.4
The Audit Schema
C.5
WLST Commands for Auditing
C.6
Audit Filter Expression Syntax
C.7
Naming and Logging Format of Audit Files
D
User and Role API Reference
D.1
Mapping User Attributes to LDAP Directories
D.2
Mapping Role Attributes to LDAP Directories
D.3
Default Configuration Parameters
D.4
Secure Connections for Microsoft Active Directory
E
Administration with Scripting and MBean Programming
E.1
Configuring OPSS Service Provider Instances with a Script
E.2
Configuring OPSS Services with MBeans
E.2.1
List of Supported OPSS MBeans
E.2.2
Invoking an OPSS MBean
E.2.3
Programming with OPSS MBeans
E.3
Access Restrictions
E.3.1
Annotation Examples
E.3.2
Mapping of Logical Roles to WebLogic Roles
E.3.3
Particular Access Restrictions
F
OPSS System and Configuration Properties
F.1
OPSS System Properties
F.2
OPSS Configuration Properties
F.2.1
Policy Store Properties
F.2.1.1
Policy Store Configuration
F.2.1.2
Runtime Policy Store Configuration
F.2.2
Credential Store Properties
F.2.3
LDAP Identity Store Properties
F.2.4
Properties Common to All LDAP-Based Instances
F.2.5
Anonymous and Authenticated Roles Properties
F.2.6
Trust Service Properties
F.2.7
Audit Service Properties
F.2.8
Keystore Service Properties
G
OPSS API References
G.1
OPSS API References
H
Using an OpenLDAP Identity Store
H.1
Using an OpenLDAP Identity Store
I
Adapter Configuration for Identity Virtualization
I.1
About Split Profiles
I.2
Configuring a Split Profile
I.3
Deleting a Join Rule
I.4
Deleting a Join Adapter
I.5
Changing Adapter Visibility
I.6
Enabling Access Logging for Identity Virtualization Library
J
Troubleshooting OPSS
J.1
Diagnosing Security Errors
J.1.1
Log Files and OPSS Loggers
J.1.1.1
Diagnostic Log Files
J.1.1.2
Generic Log Files
J.1.1.3
Authorization Loggers
J.1.1.4
Offline WLST Commands Loggers
J.1.1.5
Other OPSS Loggers
J.1.1.6
User and Role API Logger
J.1.1.7
Audit Loggers
J.1.1.8
Managing Loggers with Fusion Middleware Control
J.1.1.9
Managing Loggers with a Script
J.1.2
System Properties
J.1.2.1
jps.auth.debug
J.1.2.2
jps.auth.debug.verbose
J.1.2.3
Debugging the Authorization Process
J.1.3
Solving Security Errors
J.1.3.1
Understanding Sample Log Entries
J.1.3.2
Searching Logs with Fusion Middleware Control
J.1.3.3
Identifying a Message Context with Fusion Middleware Control
J.1.3.4
Generating Error Listing Files with Fusion Middleware Control
J.2
Troubleshooting Reassociation and Migration
J.2.1
Reassociation Failure
J.2.2
Unsupported Schema
J.2.3
Missing Policies in Reassociated Policy Store
J.2.4
Migration Failure
J.3
Troubleshooting Server Starting
J.3.1
Missing Required LDAP Authenticator
J.3.2
Missing Administrator Account
J.3.3
Missing Permission
J.3.4
Server Fails to Start
J.3.5
Other Server Start Issues
J.3.6
Permission Failure Before Server Starts
J.4
Troubleshooting Permissions
J.4.1
Troubleshooting Codesource Grants
J.4.2
Failure to Grant or Revoke Permissions - Case Mismatch
J.4.3
Authorization Check Failure
J.4.4
User Gets Unexpected Permissions
J.4.5
Granting Permissions in Java SE Applications
J.4.6
Application Policies Not Seen in 12c HA Environment
J.5
Troubleshooting Connections and Access
J.5.1
Failure to Connect to the Embedded LDAP Authenticator
J.5.2
Failure to Connect to an LDAP Server
J.5.3
Failure to Access Data in the Credential Store
J.5.4
Security Access Control Exception
J.5.5
Failure to Establish an Anonymous SSL Connection
J.6
Troubleshooting Oracle Business Intelligence Reporting
J.6.1
Audit Templates for Oracle Business Intelligence Publisher
J.6.2
Oracle Business Intelligence Publisher Time Zone
J.7
Troubleshooting Searching
J.7.1
Search Failure when Matching Attribute in Policy Store
J.7.2
Search Failure with an Unknown Host Exception
J.8
Troubleshooting Versioning
J.8.1
Incompatible Versions of Binaries and Policy Store
J.8.2
Incompatible Versions of Policy Stores
J.9
Troubleshooting Other Errors
J.9.1
Runtime Permission Check Failure
J.9.2
Tablespace Needs Resizing
J.9.3
Oracle Internet Directory Exception
J.9.4
User and Role API Failure
J.9.5
Characters in Policies
J.9.5.1
Use of Special Characters in Oracle Internet Directory 10.1.4.3
J.9.5.2
XML Policy Store that Contains Certain Characters
J.9.5.3
Characters in Application Role Names
J.9.5.4
Missing Newline Characters in XML Policy Store
J.9.6
Invalid Key Size
J.10
Need Further Help?