This chapter introduces the tools available to a security administrator and the typical tasks required to manage application security.
These topics are presented in the following sections:
For advanced administrator tasks, see Appendix E, "Administration with Scripting and MBean Programming."
The four basic tools available to a security administrator are Oracle Enterprise Manager Fusion Middleware Control, Oracle WebLogic Administration Console, Oracle Entitlements Server, and the Oracle WebLogic Scripting Tool (WLST). For further details on these and other tools, see chapter 3, Getting Started Managing Oracle Fusion Middleware in Administering Oracle Fusion Middleware.
The main criterion that determines the tool to use to administer application security is whether the application uses just container-managed security (Java EE application) or it includes Oracle ADF security (Oracle ADF application).
Oracle-specific applications, such as Oracle Application Development Framework (Oracle ADF) applications, Oracle Server-Oriented Architecture (SOA) applications, and Web Center applications, are deployed, secured, and maintained with Fusion Middleware Control and Oracle Entitlements Server.
Other applications, such as those developed by third parties, Java SE, and Java EE applications, are typically deployed, secured, and administered with Oracle WebLogic Administration Console or with WLST.
The recommended tool to develop Java applications is Oracle JDeveloper 11g. This tool helps the developer configure file-based identity, policy, and credential stores through specialized graphical editors. In particular, when developing Oracle ADF applications, the developer can run a wizard to configure security for web pages associated with Oracle ADF resources (such as Oracle ADF task flows and page definitions), and define security artifacts using a specialized, visual editor for the file jazn-data.xml.
For details about procedures and related topics, see the following sections in the Oracle JDeveloper online help documentation:
Securing a Web Application Using Oracle ADF Security
Securing a Web Application Using Java EE Security
About Oracle ADF Security as an Alternative to Security Constraints
About Securing Web Applications
For further details about Oracle ADF Security and its integration with Oracle JDeveloper, see Accessing the Oracle ADF Security Design Time Tools, in Developing Fusion Web Applications with Oracle Application Development Framework.
For further details about Oracle Entitlements Server, see Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.
Table 5-1 lists some basic security tasks and the tools used to execute them. Recall that the tool chosen to configure and manage application security depends on the type of the application: for Java EE applications, which use just container-managed security, use the Oracle WebLogic Administration Console; for Oracle ADF applications, which use OPSS authorization, use Fusion Middleware Control and Oracle Entitlements Server.
Manual settings without the aid of the tools listed below are not recommended. For information about using the Oracle WebLogic Administration Console, see the list of links following the table below. For details about Oracle Entitlements Server, see Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.
Table 5-1 Basic Administrative Security Tasks and Tools
| Task | Use Fusion Middleware Control Security Menu | Use Other Tool |
|---|---|---|
|
Configure WebLogic Domains |
WebLogic Admin Console |
|
|
Configure WebLogic Security Realms |
WebLogic Admin Console |
|
|
Manage WebLogic Domain Authenticators |
WebLogic Admin Console |
|
|
Enable SSO for MS clients, Web Browsers, and HTTP clients. |
WebLogic Admin Console |
|
|
Manage Domain Administrative Accounts |
WebLogic Admin Console |
|
|
Configuring the identity store service |
WebLogic Admin Console |
|
|
Manage application users and groups |
Users and Groups |
|
|
Manage Credentials for Oracle ADF Application |
Credentials |
|
|
Enable anonymous role in Oracle ADF Application |
Security Provider Configuration |
|
|
Enable authenticated role in Oracle ADF Application |
Security Provider Configuration |
|
|
Enable JAAS in Oracle ADF Application |
Security Provider Configuration |
|
|
Map application to enterprise groups for Oracle ADF Application |
Application Roles or |
Oracle Entitlements Server |
|
Manage systemwide policies for Oracle ADF Applications |
System Policies |
|
|
Configure OPSS Properties |
Security Provider Configuration |
|
|
Reassociate Policy and Credential Stores |
Security Provider Configuration |
Details about using the Oracle WebLogic Administration Console for the tasks above are found in the following documents:
For general use of the Administration Console, see Oracle WebLogic Server Administration Console Online Help.
To configure WebLogic domains, see Oracle Fusion Middleware Understanding Domain Configuration for Oracle WebLogic Server.
To configure WebLogic security realms, see section Creating and Configuring a New Security Realm: Main Steps in Oracle Fusion Middleware Securing Oracle WebLogic Server.
To manage WebLogic domain authenticators, see chapter 5 in Oracle Fusion Middleware Securing Oracle WebLogic Server.
To configure Oracle Application Server Single Sign-On with MS clients, see chapter 6 in Administering Security for Oracle WebLogic Server.
To manage domain administrative accounts, see chapter 6 in Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server.
For details about configuring an LDAP identity store, see Section 3.2.2, "WebLogic Authenticators."
Note:
OPSS does not support automatic backup or recovery of server files. It is recommended that the server administrator periodically back up all server configuration files, as appropriate.For details about backing up and recovering Oracle Fusion Middleware, see chapter 15, Introducing Backup and Recovery, in Administering Oracle Fusion Middleware.
A new production environment based on an existing environment can be set up in either of the following ways:
Replicating an established environment using Oracle Cloning utilities. For details, see section 9.5, Cloning Oracle Fusion Middleware Entities, in Administering Oracle Fusion Middleware.
Reinstalling software and configuring the environment, as it was done to set up the established environment.
Fusion Middleware Control is a Web-based tool that allows the administration of a network of applications from a single point. Fusion Middleware Control is used to deploy, configure, monitor, diagnose, and audit Oracle SOA applications, Oracle ADF applications, Oracle WebCenter, and other Oracle applications using OPSS. This section mentions only security-related operations.
Fusion Middleware Control provides several security-related administration tasks; using this tool, an administrator can:
Post-installation and before deploying applications, reassociate the policy and credential stores. For details, see Section 9.5.1, "Reassociating with Fusion Middleware Control."
Post-installation and before deploying applications, define OPSS properties. For details, see Section 9.7, "Configuring Services Providers with Fusion Middleware Control."
At deploy time, configure the automatic migration of file-based application policies and credentials to LDAP-based domain policies and credentials.
For details see:
For each application after it is deployed:
Manage application policies. For details, see Section 10.2, "Managing the Policy Store."
Manage credentials. For details, see Chapter 11, "Managing the Credential Store."
Manage users and groups. For details, see Oracle Fusion Middleware Administering Oracle WebLogic Server with Fusion Middleware Control.
Specify the mapping from application roles to users, groups, and application roles. For details, see Section 10.3.2, "Managing Application Roles."
For the domain, manage system policies. For details see Section 10.3.3, "Managing System Policies."
For the domain, manage OPSS properties. For details see Section 9.7, "Configuring Services Providers with Fusion Middleware Control."
For a summary of security administrative tasks and the tools used to execute them, see Basic Security Administration Tasks.
For further details about other functions, see the Fusion Middleware Control online help documentation.
The Oracle WebLogic Administration Console is a Web-based tool that allows, among other functions, application deployment and redeployment, domain configuration, and monitoring of application status. This section mentions only security-related operations.
Typical tasks performed with the Oracle WebLogic Administration Console include the following:
Starting and stopping Oracle WebLogic Servers. For details see section Starting and Stopping Servers in Administering Server Startup and Shutdown for Oracle WebLogic Server.
Configuring Oracle WebLogic Servers and Domains. For details see section Configuring Existing Domains in Understanding the WebLogic Scripting Tool.
Deploying applications. For details, see Deploying Applications to Oracle WebLogic Server.
Configuring fail over support. For details see section Failover and Replication in a Cluster in Administering Clusters for Oracle WebLogic Server.
Configuring WebLogic domains and WebLogic realms.
Managing users and groups in domain authenticators.
Enabling the use of Single Sign-On for MS clients, Web browsers, and HTTP clients.
Managing administrative users and administrative policies.
For details about Oracle WebLogic Administration Console, see Oracle WebLogic Server Administration Console Online Help.
Typical security tasks performed with Oracle Entitlements Server include the following:
Searching application security artifacts.
Managing application security artifacts, including policies.
Viewing the external role hierarchy.
Managing the application role hierarchy.
For a list of some of the most frequent security tasks to administer application security with Oracle Entitlements Server, see Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.
Most of the security-related operations available in the Oracle WebLogic Administration Console can be carried out with WLST commands, a set of command-line interface that allows the scripting and automation of administration tasks, including domain configuration and application deployment.
Note:
A WLST shell session is associated with a unique configuration file; more generally, a JVM instance can point to at most one configuration file.This requirement of a unique jps-config.xml file per JVM instance has the following consequence: suppose that within a WLST shell you invoke a WLST command, such as migrateSecurityStore, that takes a configuration file; then all subsequent commands invoked within that same WLST shell use the same configuration file regardless of the configuration location passed to a command.