Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

What's New in This Guide

• Updates in the June 2015 Document Refresh for 12.1.3.0.0
• Updates in the January 2015 Document Refresh for 12.1.3.0.0
• Updates in the October 2014 Document Refresh for 12.1.3.0.0
• New Features in Release 12.1.3.0.0
• New Features in Release 12.1.2.0.0

Part I Understanding Security Concepts

1 Introduction to Oracle Platform Security Services

• 1.1 What is Oracle Platform Security Services?
  • 1.1.1 OPSS Main Features
  • 1.1.2 Supported Server Platforms
• 1.2 OPSS Architecture Overview
  • 1.2.1 Benefits of Using OPSS
• 1.3 Oracle ADF Security Overview
• 1.4 OPSS for Administrators
• 1.5 OPSS for Developers
  • 1.5.1 Scenario 1: Enhancing Security in a Java EE Application
  • 1.5.2 Scenario 2: Securing an Oracle ADF Application
  • 1.5.3 Scenario 3: Securing a Java SE Application

2 Understanding Users and Roles

• 2.1 Terminology
• 2.2 Mapping Roles
  • 2.2.1 Permission Inheritance and the Role Hierarchy
• 2.3 About the Authenticated Role
• 2.4 About the Anonymous User and Role
  • 2.4.1 Anonymous Support and Subject
• 2.5 About Administrative Users and Roles
• 2.6 Managing User Accounts
• 2.7 About Principal Name Comparison Logic
  • 2.7.1 How Does Principal Comparison Affect Authorization?
  • 2.7.2 System Parameters Controlling Principal Name Comparison
• 2.8 About the Role Category

3 Understanding Identities, Policies, Credentials, Keys, Certificates, and Auditing

• 3.1 Compatibility Matrix for 11g and 12c Versions
• 3.2 Authentication Basics
  • 3.2.1 Identity Store Types and WebLogic Authenticators
  • 3.2.2 WebLogic Authenticators
    • 3.2.2.1 Multiple Authenticators
    • 3.2.2.2 Additional Authentication Methods
• 3.3 Policy Store Basics
• 3.4 Credential Store Basics
• 3.5 Keystore Service Basics
  • 3.5.1 Keystore Repository Types
  • 3.5.2 Keystore Repository Scope and Reassociation
• 3.6 Audit Service Basics

4 About Oracle Platform Security Services Scenarios

• 4.1 Supported File-, LDAP-, and DB-Based Services
• 4.2 Management Tools
• 4.3 Packaging Requirements
• 4.4 Example Scenarios
• 4.5 Other Scenarios
• 4.6 FIPS Support in Oracle Platform Security Services

Part II Basic OPSS Administration

5 Security Administration

• 5.1 Choosing the Administration Tool According to Technology
• 5.2 Basic Security Administration Tasks
  • 5.2.1 Setting Up a Brand New Production Environment
• 5.3 Typical Security Practices with Fusion Middleware Control
• 5.4 Typical Security Practices with the Administration Console
• 5.5 Typical Security Practices with Oracle Entitlements Server
• 5.6 Typical Security Practices with WLST Commands

6 Deploying Secure Applications

• 6.1 Overview
• 6.2 Selecting the Tool for Deployment
  • 6.2.1 Deploying Java EE and Oracle ADF Applications with Fusion Middleware Control
• 6.3 Deploying Oracle ADF Applications to a Test Environment
  • 6.3.1 Deploying to a Test Environment
    • 6.3.1.1 Typical Administrative Tasks after Deployment in a Test Environment
• 6.4 Deploying Standard Java EE Applications
• 6.5 Deploying Applications with Auditing
  • 6.5.1 Packaging Requirements for Auditing
  • 6.5.2 Registration with the Audit Service
  • 6.5.3 Migrating Audit Data
• 6.6 Migrating from a Test to a Production Environment
  • 6.6.1 Migrating Identities
    • 6.6.1.1 Migrating Identities with migrateSecurityStore
  • 6.6.2 Migrating Policies and Credentials
    • 6.6.2.1 Migrating Policies with migrateSecurityStore
    • 6.6.2.2 Migrating Credentials with migrateSecurityStore
  • 6.6.3 Migrating Audit Information
  • 6.6.4 Migrating Keystore Service Artifacts
    • 6.6.4.1 About Keystore Migration
    • 6.6.4.2 Migrating Keystore Service Artifacts Within a Domain
    • 6.6.4.3 Migrating Keystore Service Artifacts Across Domains

Part III OPSS Services

7 Lifecycle of Security Artifacts

• 7.1 Introduction
• 7.2 FMW Domains
• 7.3 Creating an FMW Domain
  • 7.3.1 Using a New Database Instance
  • 7.3.2 Sharing a Database Instance
• 7.4 Layered Component Security Artifacts
• 7.5 Upgrading Security to 12.1.3
  • 7.5.1 Before Upgrading
  • 7.5.2 Upgrading a DB-Based Security Store
  • 7.5.3 Upgrading an OID-Based Security Store
  • 7.5.4 Upgrading a Shared Security Store
    • 7.5.4.1 Upgrading a Shared 12.1.2 Security Store
    • 7.5.4.2 Upgrading a Shared 11g Security Store
  • 7.5.5 Upgrading a File-Based Security Store
• 7.6 Backing Up and Recovering the OPSS Security Store
  • 7.6.1 Backing Up and Recovering a DB-Based Security Store
  • 7.6.2 Backing Up and Recovering an OID-Based Security Store
  • 7.6.3 Recommendations
• 7.7 Upgrading Component Audit Definitions to 12c

8 Configuring the Identity Store Service

• 8.1 Introduction to the Identity Store Service
  • 8.1.1 About the Identity Store Service
  • 8.1.2 Service Architecture
  • 8.1.3 Application Server Support
  • 8.1.4 Java SE Support
• 8.2 Configuring the Identity Store Provider
• 8.3 Configuring the Identity Store Service
  • 8.3.1 What is Configured?
    • 8.3.1.1 Configuring Multi-LDAP Lookup
    • 8.3.1.2 Global/Connection Parameters
    • 8.3.1.3 Back-End/Connection Parameters
  • 8.3.2 Understanding Configuration in WebLogic Server
    • 8.3.2.1 Configuring the Service for Single LDAP
    • 8.3.2.2 Configuring the Service for Multiple LDAP Without virtualize Property
    • 8.3.2.3 Configuring the Service for Multiple LDAP using Fusion Middleware Control
    • 8.3.2.4 Configuring the Service for Multiple LDAP Using WLST
    • 8.3.2.5 Configuring the Timeout Setting Using WLST
    • 8.3.2.6 Configuring Other Parameters
    • 8.3.2.7 Restarting Servers
    • 8.3.2.8 Viewing the Configuration File
  • 8.3.3 Configuring Split Profiles
  • 8.3.4 Configuring Custom Authenticators
  • 8.3.5 Understanding Configuration in Other Application Servers
    • 8.3.5.1 Configuring the Service for Single LDAP
    • 8.3.5.2 Configuring the Service for Multiple LDAP
  • 8.3.6 Defining Configuration in Java SE Environments
• 8.4 Querying the Identity Store Programmatically
• 8.5 Configuring SSL for the Identity Store Service
  • 8.5.1 Connections from Oracle WebLogic Server to Identity Store
  • 8.5.2 Configuring SSL with Keystore Service
    • 8.5.2.1 Configuring One-way SSL in a Multi-LDAP Scenario with Keystore Service
    • 8.5.2.2 Configuring Two-way SSL in a Multi-LDAP Scenario with Keystore Service
    • 8.5.2.3 Switching from JKS to KSS
  • 8.5.3 Configuring SSL with JKS-Based Key Stores
    • 8.5.3.1 Configuring One-way SSL in a Multi-LDAP Scenario with JKS-Based Keystore
    • 8.5.3.2 Configuring Two-way SSL in a Multi-LDAP Scenario with JKS-Based Keystore

9 Configuring the OPSS Security Store

• 9.1 Introduction to the OPSS Security Store
  • 9.1.1 Multi-Server Environments
• 9.2 Using an LDAP-Based OPSS Security Store
  • 9.2.1 Prerequisites to Using an LDAP-Based Security Store
  • 9.2.2 Setting Up a One- Way SSL Connection to the LDAP
• 9.3 Using a DB-Based OPSS Security Store
  • 9.3.1 Prerequisites to Using a DB-Based Security Store
  • 9.3.2 Maintaining a DB-Based Security Store
  • 9.3.3 Setting Up an SSL Connection to the DB
• 9.4 Configuring the OPSS Security Store
• 9.5 Reassociating the OPSS Security Store
  • 9.5.1 Reassociating with Fusion Middleware Control
    • 9.5.1.1 Securing Access to Oracle Internet Directory Nodes
  • 9.5.2 Reassociating with the Script reassociateSecurityStore
• 9.6 Migrating the OPSS Security Store
  • 9.6.1 Migrating with Fusion Middleware Control
  • 9.6.2 Migrating with the Script migrateSecurityStore
    • 9.6.2.1 Migrating Audit Metadata
    • 9.6.2.2 Examples of Use
• 9.7 Configuring Services Providers with Fusion Middleware Control
  • 9.7.1 Configuring the Security Store
  • 9.7.2 Configuring the Identity Store Provider
  • 9.7.3 Configuring the Single Sign-On Provider
  • 9.7.4 Configuring the Trust Service Provider
  • 9.7.5 Configuring Properties and Property Sets

10 Managing the Policy Store

• 10.1 Determining the Domain Security Store Characteristics
• 10.2 Managing the Policy Store
• 10.3 Managing Policies with Fusion Middleware Control
  • 10.3.1 Managing Application Policies
  • 10.3.2 Managing Application Roles
  • 10.3.3 Managing System Policies
• 10.4 Managing Application Policies with WLST commands
  • 10.4.1 reassociateSecurityStore
• 10.5 Caching and Refreshing the Cache
  • 10.5.1 An Example
• 10.6 Granting Policies to Anonymous and Authenticated Roles with WLST commands
• 10.7 Application Stripe for Versioned Applications in WLST commands
• 10.8 Managing Application Policies with Oracle Entitlements Server

11 Managing the Credential Store

• 11.1 Credential Types
• 11.2 Encrypting Credentials
• 11.3 Managing Credentials with Fusion Middleware Control
• 11.4 Managing Credentials with WLST commands

12 Managing Keys and Certificates with the Keystore Service

• 12.1 About the Keystore Service
  • 12.1.1 Structure of the Keystore Service
  • 12.1.2 Types of Keystores
  • 12.1.3 Domain Trust Store
  • 12.1.4 Keystores for Domains with Multiple Servers
  • 12.1.5 Troubleshooting Keystore Service
• 12.2 Keystore Management with the Keystore Service
  • 12.2.1 About the Keystore Lifecycle
  • 12.2.2 Common Keystore Operations
    • 12.2.2.1 Creating a Keystore with Fusion Middleware Control
    • 12.2.2.2 Creating a Keystore at the Command Line
    • 12.2.2.3 Deleting a Keystore with Fusion Middleware Control
    • 12.2.2.4 Deleting a Keystore at the Command Line
    • 12.2.2.5 Changing Keystore Password with Fusion Middleware Control
    • 12.2.2.6 Changing Keystore Password at the Command Line
    • 12.2.2.7 Exporting a Keystore at the Command Line
    • 12.2.2.8 Importing a Keystore at the Command Line
• 12.3 Certificate Management with the Keystore Service
  • 12.3.1 About the Certificate Lifecycle
  • 12.3.2 Common Certificate Operations
    • 12.3.2.1 Generating a Keypair with Fusion Middleware Control
    • 12.3.2.2 Generating a Keypair at the Command Line
    • 12.3.2.3 Generating CSR for a Certificate with Fusion Middleware Control
    • 12.3.2.4 Generating CSR for a Keypair at the Command Line
    • 12.3.2.5 Importing a Certificate or Trusted Certificate with Fusion Middleware Control
    • 12.3.2.6 Importing a Certificate at the Command Line
    • 12.3.2.7 Exporting a Certificate or Trusted Certificate with Fusion Middleware Control
    • 12.3.2.8 Exporting a Certificate or Trusted Certificate at the Command Line
    • 12.3.2.9 Deleting a Certificate with Fusion Middleware Control
    • 12.3.2.10 Deleting a Certificate at the Command Line
    • 12.3.2.11 Changing Certificate Password with Fusion Middleware Control
    • 12.3.2.12 Changing Certificate Password at the Command Line
• 12.4 How Oracle Fusion Middleware Components Use the Keystore Service
  • 12.4.1 Using the syncKeyStores Command
    • 12.4.1.1 syncKeyStores Command Usage
    • 12.4.1.2 When to Use the syncKeyStores Command
  • 12.4.2 Integrating with Oracle WebLogic Server
  • 12.4.3 Integrating with Node Manager
  • 12.4.4 Integrating with the Identity Store Service
• 12.5 About Keystore Service Commands
• 12.6 Getting Help for Keystore Service Commands
• 12.7 Keystore Service Command Reference

13 Introduction to Oracle Fusion Middleware Audit Service

• 13.1 Benefits and Features of the Oracle Fusion Middleware Audit Framework
  • 13.1.1 What are the Objectives of Auditing?
  • 13.1.2 Understanding Today's Audit Challenges
  • 13.1.3 About the Oracle Fusion Middleware Audit Framework
• 13.2 Overview of Audit Features
• 13.3 Understanding Oracle Fusion Middleware Audit Framework Concepts
  • 13.3.1 About the Audit Architecture
    • 13.3.1.1 The Audit Service Model
    • 13.3.1.2 About the Audit APIs
    • 13.3.1.3 Understanding Run-time Support and Audit Event Flow
  • 13.3.2 Understanding Key Technical Concepts of Auditing
  • 13.3.3 About the Audit Metadata Store
  • 13.3.4 How Audit Data is Stored
  • 13.3.5 About Audit Analytics
  • 13.3.6 Understanding the Audit Lifecycle
• 13.4 About the Audit Metadata Model
  • 13.4.1 Naming Conventions for Audit Artifacts
  • 13.4.2 About Attribute Groups
    • 13.4.2.1 About Audit Attribute Data Types
    • 13.4.2.2 About Common Attribute Groups
    • 13.4.2.3 About Generic Attribute Groups
    • 13.4.2.4 About Custom Attribute Groups
  • 13.4.3 Understanding Event Categories and Events
    • 13.4.3.1 About System Categories and Events
    • 13.4.3.2 About Component/Application Categories
• 13.5 About Audit Definition Files
  • 13.5.1 About the component_events.xml File
  • 13.5.2 Overview of Translation Files
  • 13.5.3 About Mapping and Versioning Rules
    • 13.5.3.1 What are Version Numbers?
    • 13.5.3.2 About Custom Attribute to Database Column Mappings

14 Configuring and Managing Auditing

• 14.1 Understanding Audit Administration Tasks
• 14.2 Managing the Audit Data Store
  • 14.2.1 About the Audit Schema
  • 14.2.2 About Audit Data Sources
  • 14.2.3 Tuning the Bus-stop Files
    • 14.2.3.1 Locating the Bus-Stop Files
    • 14.2.3.2 Sizing Bus-Stop Files
  • 14.2.4 Configuring the Stand-alone Audit Loader
    • 14.2.4.1 Configuring the Environment
    • 14.2.4.2 Running the Stand-Alone Audit Loader
• 14.3 Managing Audit Policies
  • 14.3.1 Managing Audit Policies for Java Components with Fusion Middleware Control
  • 14.3.2 Managing Audit Policies for System Components with Fusion Middleware Control
  • 14.3.3 Managing Audit Policies at the Command Line (WLST)
    • 14.3.3.1 Viewing Audit Policies at the Command Line (WLST)
    • 14.3.3.2 Updating Audit Policies at the Command Line (WLST)
    • 14.3.3.3 Example 1: Configuring an Audit Policy for Users with WLST
    • 14.3.3.4 Example 2: Configuring an Audit Policy for Events with WLST
    • 14.3.3.5 What Happens to Custom Configuration when the Audit Level Changes?
  • 14.3.4 Managing Audit Policies through API Programming
• 14.4 Understanding Audit Timestamps
• 14.5 About Audit Logs and Bus-stop Files
  • 14.5.1 Where are Audit Logs Located?
  • 14.5.2 About Audit Timestamps in Bus-stop Files
• 14.6 Advanced Administration of the Database Store
  • 14.6.1 Overview of the Audit Schema
  • 14.6.2 Table Sizing: Base and Component Table Attributes
  • 14.6.3 Performance Tuning
  • 14.6.4 Planning Backup and Recovery
  • 14.6.5 Importing and Exporting Data
  • 14.6.6 Partitioning
    • 14.6.6.1 Partitioning Tables
    • 14.6.6.2 Backing Up and Recovering Partitioned Tables
    • 14.6.6.3 Importing and Exporting Data
    • 14.6.6.4 Purging Data
    • 14.6.6.5 Performing Tiered Archival
• 14.7 Best Practices for Managing Audit Event Definitions
  • 14.7.1 General Naming Guidelines
  • 14.7.2 Naming of Events
  • 14.7.3 Optimizing Event Granularity
  • 14.7.4 Categorizing Events
  • 14.7.5 Using Generic Attributes
  • 14.7.6 Using Component Attributes
  • 14.7.7 Cross-Linking

15 Using Audit Analysis and Reporting

• 15.1 About Audit Reporting
• 15.2 Audit Reporting with the Dynamic Metadata Model
• 15.3 Audit Reporting with the Report Template Model

Part IV Developing with Oracle Platform Security Services APIs

16 Integrating Application Security with OPSS

• 16.1 Introduction
• 16.2 Security Integration Use Cases
  • 16.2.1 Authentication
    • 16.2.1.1 Java EE Application Requiring Authenticated Users
    • 16.2.1.2 Java EE Application Requiring Programmatic Authentication
    • 16.2.1.3 Java SE Application Requiring Authentication
  • 16.2.2 Identities
    • 16.2.2.1 Application Running in Two Environments
    • 16.2.2.2 Application Accessing User Profiles in Multiple Stores
  • 16.2.3 Authorization
    • 16.2.3.1 Java EE Application Accessible by Specific Roles
    • 16.2.3.2 ADF Application Requiring Fine-Grained Authorization
    • 16.2.3.3 Web Application Securing Web Services
    • 16.2.3.4 Java EE Application Requiring Codebase Permissions
    • 16.2.3.5 Non-ADF Application Requiring Fine-Grained Authorization
  • 16.2.4 Credentials
    • 16.2.4.1 Application Requiring Credentials to Access System
  • 16.2.5 Audit
    • 16.2.5.1 Auditing Security-Related Activity
    • 16.2.5.2 Auditing Business-Related Activity
  • 16.2.6 Identity Propagation
    • 16.2.6.1 Propagating the Executing User Identity
    • 16.2.6.2 Propagating a User Identity
    • 16.2.6.3 Propagating Identities Across Domains
    • 16.2.6.4 Propagating Identities over HTTP
  • 16.2.7 Administration and Management
    • 16.2.7.1 Application Requiring a Central Store
    • 16.2.7.2 Application Requiring Custom Management Tool
    • 16.2.7.3 Application Running in a Multiple Server Environment
  • 16.2.8 Integration
    • 16.2.8.1 Application Running in Multiple Domains
• 16.3 The OPSS Trust Service
• 16.4 Propagating Identities over the HTTP Protocol
• 16.5 Propagating Identities with the OPSS Trust Service
  • 16.5.1 Across Multiple WebLogic Domains
    • 16.5.1.1 Token Generation on the Client-Side Domain
    • 16.5.1.2 Server Side or Token Validation Domain
  • 16.5.2 Across Containers in a Single WebLogic Domain
  • 16.5.3 Embedded Trust Service Provider Properties
• 16.6 Implementing a Custom Graphical User Interface
  • 16.6.1 Imports Assumed
  • 16.6.2 Code Sample 1
  • 16.6.3 Code Sample 2
  • 16.6.4 Code Sample 3
  • 16.6.5 Code Sample 4
  • 16.6.6 Code Sample 5
  • 16.6.7 Code Sample 6
• 16.7 Securing an ADF Application
  • 16.7.1 Development Phase
  • 16.7.2 Deployment Phase
  • 16.7.3 Management Phase
  • 16.7.4 Summary of Tasks per Participant per Phase
• 16.8 Code and Configuration Examples
  • 16.8.1 Code Examples
  • 16.8.2 Configuration Examples
  • 16.8.3 Full Code Example of a Java EE Application with Integrated Security
• 16.9 Propagating Identities with JKS-Based Key Stores
  • 16.9.1 Single Domain Scenario
    • 16.9.1.1 Client Application Code Sample
    • 16.9.1.2 Configuring the Keystore Service
    • 16.9.1.3 Configuring CSF
    • 16.9.1.4 Configuring a Grant
    • 16.9.1.5 Servlet Code Sample
    • 16.9.1.6 Configuring web.xml
    • 16.9.1.7 Configuring the webLogic Asserter and the Trust Service
    • 16.9.1.8 Updating the Trust Service Configuration Parameters
  • 16.9.2 Multiple Domain Scenario
  • 16.9.3 Domains Using Both Protocols
    • 16.9.3.1 Single Domain Scenario
    • 16.9.3.2 Multiple Domain Scenario

17 The OPSS Policy Model

• 17.1 The Security Policy Model
• 17.2 Authorization Overview
  • 17.2.1 Introduction to Authorization
  • 17.2.2 The Java EE Authorization Model
    • 17.2.2.1 Declarative Authorization
    • 17.2.2.2 Programmatic Authorization
    • 17.2.2.3 Java EE Code Example
  • 17.2.3 The JAAS Authorization Model
• 17.3 The JAAS/OPSS Authorization Model
  • 17.3.1 The Resource Catalog
  • 17.3.2 Managing Policies
  • 17.3.3 Checking Policies
    • 17.3.3.1 Using the Method checkPermission
    • 17.3.3.2 Using the Methods doAs and doAsPrivileged
    • 17.3.3.3 Using the Method checkBulkAuthorization
    • 17.3.3.4 Using the Method getGrantedResources
  • 17.3.4 The Class ResourcePermission

18 Developing with the Authorization Service

• 18.1 Configuring the Security Store in Java SE Applications
  • 18.1.1 Configuring File-Based Policy and Credential Stores
  • 18.1.2 Configuring LDAP-Based Policy and Credential Stores
  • 18.1.3 Configuring DB-Based OPSS Security Stores
• 18.2 Unsupported Methods for File-Based Policy Stores

19 Developing with the Credential Store Framework

• 19.1 About the Credential Store Framework API
• 19.2 Overview of Application Development with CSF
• 19.3 Setting the Java Security Policy Permissions
  • 19.3.1 Guidelines for Granting Permissions
  • 19.3.2 Permissions Grant Example 1
  • 19.3.3 Permissions Grant Example 2
• 19.4 Guidelines for the Map Name
• 19.5 Configuring the Credential Store
• 19.6 Using the CSF API
  • 19.6.1 Using the CSF API in Java SE Applications
  • 19.6.2 Using the CSF API in Java EE Applications
• 19.7 Examples
  • 19.7.1 Common Code for CSF Operations
  • 19.7.2 Example 1: Java SE Application with Wallet Store
  • 19.7.3 Example 2: Java EE Application with Wallet Store
  • 19.7.4 Example 3: Java EE Application with OID LDAP Store
  • 19.7.5 Example 4: Java EE Application with Oracle DB Store
• 19.8 Best Practices

20 Developing with the User and Role API

• 20.1 Introduction to the User and Role API Framework
  • 20.1.1 Understanding User and Role API and the Oracle WebLogic Server Authenticators
• 20.2 Listing Roles and Classes
• 20.3 Working with Service Providers
  • 20.3.1 Understanding Service Providers
  • 20.3.2 Setting Up the Environment
    • 20.3.2.1 Jar Configuration
    • 20.3.2.2 User Classes in jps-config.xml (Oracle Virtual Directory only)
    • 20.3.2.3 Reading Privileges for Provider User (Oracle Internet Directory Only)
  • 20.3.3 Selecting the Provider
  • 20.3.4 Creating the Provider Instance
  • 20.3.5 Properties for Provider Configuration
    • 20.3.5.1 Start-time and Run-time Configuration
    • 20.3.5.2 ECID Propagation
    • 20.3.5.3 When to Pass Configuration Values
  • 20.3.6 Configuring the Provider When Creating a Factory Instance
    • 20.3.6.1 Oracle Internet Directory Provider
    • 20.3.6.2 Using Existing Logger Objects
    • 20.3.6.3 Supplying Constant Values
    • 20.3.6.4 Configuring Connection Parameters
    • 20.3.6.5 Configuring a Custom Connection Pool Class
  • 20.3.7 Configuring the Provider When Creating a Store Instance
  • 20.3.8 Runtime Configuration
  • 20.3.9 Programming Considerations
    • 20.3.9.1 Provider Portability Considerations
    • 20.3.9.2 Considerations when Using IdentityStore Objects
  • 20.3.10 Provider Lifecycle
• 20.4 Searching the Repository
  • 20.4.1 Searching for a Specific Identity
  • 20.4.2 Searching for Multiple Identities
  • 20.4.3 Specifying Search Parameters
  • 20.4.4 Using Search Filters
    • 20.4.4.1 Operators in Search Filters
    • 20.4.4.2 Handling Special Characters when Using Search Filters
    • 20.4.4.3 Search Filter for Logged-In User
    • 20.4.4.4 Examples of Using Search Filters
  • 20.4.5 Searching by GUID
• 20.5 Authenticating Users
• 20.6 Creating and Modifying Entries in the Identity Store
  • 20.6.1 Handling Special Characters when Creating Identities
  • 20.6.2 Creating an Identity
  • 20.6.3 Modifying an Identity
  • 20.6.4 Deleting an Identity
• 20.7 Examples of User and Role API Usage
  • 20.7.1 Example 1: Searching for Users
  • 20.7.2 Example 2: Understanding User Management in an Oracle Internet Directory Store
  • 20.7.3 Example 3: Understanding User Management in a Microsoft Active Directory Store
• 20.8 SSL Configuration for LDAP-based User and Role API Providers
  • 20.8.1 Out-of-the-box Support for SSL
    • 20.8.1.1 System Properties
    • 20.8.1.2 SSL configuration
  • 20.8.2 Customizing SSL Support for the User and Role API
    • 20.8.2.1 SSL configuration
• 20.9 User and Role API Reference
• 20.10 Developing Custom User and Role Providers
  • 20.10.1 SPI Overview
  • 20.10.2 Types of User and Role Providers
  • 20.10.3 Developing a Read-Only Provider
    • 20.10.3.1 SPI Classes Requiring Extension
    • 20.10.3.2 oracle.security.idm.spi.AbstractIdentityStoreFactory
    • 20.10.3.3 oracle.security.idm.spi.AbstractIdentityStore
    • 20.10.3.4 oracle.security.idm.spi.AbstractRoleManager
    • 20.10.3.5 oracle.security.idm.spi.AbstractUserManager
    • 20.10.3.6 oracle.security.idm.spi.AbstractRoleProfile
    • 20.10.3.7 oracle.security.idm.spi.AbstractUserProfile
    • 20.10.3.8 oracle.security.idm.spi.AbstractSimpleSearchFilter
    • 20.10.3.9 oracle.security.idm.spi.AbstractComplexSearchFilter
    • 20.10.3.10 oracle.security.idm.spi.AbstractSearchResponse
  • 20.10.4 Developing a Full-Featured Provider
  • 20.10.5 Development Guidelines
  • 20.10.6 Testing and Verification
  • 20.10.7 Example: Implementing an Identity Provider
    • 20.10.7.1 Working with the Sample Provider
    • 20.10.7.2 Setting Up the Sample Provider
    • 20.10.7.3 Configuring jps-config.xml to Use the Sample Identity Provider
    • 20.10.7.4 Configuring Oracle WebLogic Server
• The User and Role SPI Reference
  • oracle.security.idm.spi.AbstractUserProfile
  • oracle.security.idm.spi.AbstractUserManager
  • oracle.security.idm.spi.AbstractUser
  • oracle.security.idm.spi.AbstractSubjectParser
  • oracle.security.idm.spi.AbstractStoreConfiguration
  • oracle.security.idm.spi. AbstractSimpleSearchFilter
  • oracle.security.idm.spi.AbstractSearchResponse
  • oracle.security.idm.spi.AbstractRoleProfile
  • oracle.security.idm.spi.AbstractRoleManager
  • oracle.security.idm.spi.AbstractRole
  • oracle.security.idm.spi.AbstractIdentityStoreFactory
  • oracle.security.idm.spi.AbstractIdentityStore
  • oracle.security.idm.spi.AbstractComplexSearchFilter

21 Developing with the Identity Directory API

• 21.1 About the Identity Directory API
  • 21.1.1 Feature Overview
• 21.2 Listing the Classes
• 21.3 Understanding Identity Directory Configuration
• 21.4 Working with the Identity Directory API
  • 21.4.1 Getting an Identity Directory API Instance
  • 21.4.2 Performing CRUD Operations on Users and Groups
    • 21.4.2.1 User Operations
    • 21.4.2.2 Group Operations
• 21.5 Using the Identity Directory API
  • 21.5.1 Initializing and Obtaining Identity Directory Handle
  • 21.5.2 Creating a User
  • 21.5.3 Obtaining a User
  • 21.5.4 Modifying a User
  • 21.5.5 Performing a Simple Search for a User
  • 21.5.6 Performing a Complex Search for Users
  • 21.5.7 Creating a Group
  • 21.5.8 Obtaining a Group
  • 21.5.9 Obtaining a Group Using a Search Filter
  • 21.5.10 Deleting a Group
  • 21.5.11 Adding a Member to a Group
  • 21.5.12 Deleting a Member from a Group
• 21.6 Configuring SSL Using Identity Directory API

22 Developing with the Keystore Service

• 22.1 About the Keystore Service API
• 22.2 Overview of Application Development with the Keystore Service
• 22.3 Setting the Java Security Policy Permission
  • 22.3.1 Guidelines for Granting Permissions
  • 22.3.2 Permissions Grant Example 1
  • 22.3.3 Permissions Grant Example 2
  • 22.3.4 Permissions Grant Example 3
• 22.4 Configuring the Keystore Service
• 22.5 Using the Keystore Service API
  • 22.5.1 Using the Keystore Service API in Java SE Applications
  • 22.5.2 Using the Keystore Service API in Java EE Applications
• 22.6 Example of Keystore Service API Usage
  • 22.6.1 Java Program for Keystore Service Management Operations
  • 22.6.2 Reading Keys at Runtime
    • 22.6.2.1 Getting the Keystore Handle
    • 22.6.2.2 Accessing Keystore Artifacts - Method 1
    • 22.6.2.3 Accessing Keystore Artifacts - Method 2
  • 22.6.3 Policy Store Setup
  • 22.6.4 Configuration File
  • 22.6.5 About Using the Keystore Service in the Java SE Environment
• 22.7 Best Practices

23 Developing with the Audit Service

• 23.1 Understanding How Applications Integrate with Audit Flow
• 23.2 Integrating the Application with the Audit Framework
• 23.3 Creating Audit Definition Files
  • 23.3.1 Creating the component-events.xml File
  • 23.3.2 Creating Translation Files
• 23.4 Registering the Application with the Audit Service
  • 23.4.1 Performing Declarative Audit Registration
  • 23.4.2 Invoking Registration Programmatically
  • 23.4.3 Performing Registration at the Command Line
  • 23.4.4 Using Domain Extension Templates for Audit Artifacts
• 23.5 Managing Audit Policies with the Administration Service APIs
  • 23.5.1 Querying Audit Metadata
  • 23.5.2 Viewing and Setting Audit Run-time Policy
• 23.6 Adding Application Code to Log Audit Events
  • 23.6.1 Using the Audit Client API
  • 23.6.2 Setting System Grants
  • 23.6.3 Obtaining the Auditor Instance
• 23.7 Updating and Maintaining Audit Definitions

24 Configuring Java EE Applications to Use OPSS

• 24.1 Authenticating Java EE Applications
• 24.2 Programming Authentication in Java EE Applications
• 24.3 Configuring the Servlet Filter and the EJB Interceptor
  • 24.3.1 Interceptor Configuration Syntax
  • 24.3.2 Summary of Filter and Interceptor Parameters
  • 24.3.3 Configuring the Application Stripe for Application MBeans
• 24.4 Choosing the Appropriate Class for Enterprise Groups and Users
• 24.5 Packaging a Java EE Application Manually
  • 24.5.1 Packaging Policies with Application
  • 24.5.2 Packaging Credentials with Application
• 24.6 Configuring Applications to Use OPSS
  • 24.6.1 Controlling Policy Migration
  • 24.6.2 Configuring Parameters According to Behavior
    • 24.6.2.1 Skiping Migrating Policies
    • 24.6.2.2 Migrating Merging Policies
    • 24.6.2.3 Migrating Overwriting Policies
    • 24.6.2.4 Removing or Not Removing Policies
    • 24.6.2.5 Migrating Policies in a Static Deployment
    • 24.6.2.6 Recommendations
  • 24.6.3 Using a Wallet-Based Credential Store
  • 24.6.4 Controlling Credential Migration
  • 24.6.5 Credential Parameter Configuration According to Behavior
    • 24.6.5.1 Skipping Migrating Credentials
    • 24.6.5.2 Migrating Merging Credentials
    • 24.6.5.3 Migrating Overwriting Credentials
  • 24.6.6 Using Supported Permission Classes
    • 24.6.6.1 Policy Store Permission
    • 24.6.6.2 Credential Store Permission
    • 24.6.6.3 Generic Permission
  • 24.6.7 Specifying Bootstrap Credentials Manually
  • 24.6.8 Migrating Identities with migrateSecurityStore
  • 24.6.9 Example of Configuration File jps-config.xml

25 Configuring Java SE Applications to Use OPSS

• 25.1 Using OPSS in Java SE Applications
  • 25.1.1 The Class JpsStartup
    • 25.1.1.1 JpsStartup.start States
    • 25.1.1.2 Run-Time Options to JpsStartup
    • 25.1.1.3 A New Class Constructor
    • 25.1.1.4 The Method JpsStartup.getState
    • 25.1.1.5 OPSS Starting Examples
• 25.2 Implementing Security Services in Java SE Applications
• 25.3 Authenticating Java SE Applications
  • 25.3.1 The Identity Store
  • 25.3.2 Configuring an LDAP Identity Store in Java SE Applications
  • 25.3.3 Login Modules
    • 25.3.3.1 The Identity Store Login Module
    • 25.3.3.2 The User Authentication Login Module
    • 25.3.3.3 The User Assertion Login Module
    • 25.3.3.4 Executing As an Asserted User
  • 25.3.4 Using the OPSS API LoginService in Java SE Applications
• 25.4 Auditing in Java SE Applications
  • 25.4.1 About Auditing in the Java SE Environment
  • 25.4.2 Configuring the Audit Bus-stop Directory
  • 25.4.3 Configuring Audit Loaders
  • 25.4.4 Implementing Common Audit Scenarios in JavaSE
    • 25.4.4.1 Auditing by JavaSE Clients, with co-located WebLogic Server
    • 25.4.4.2 Auditing by JavaSE Clients, without co-located WebLogic Server
• 25.5 Configuration Examples

Part V Appendices

A OPSS Configuration File Reference

• A.1 Top- and Second-Level Element Hierarchy
• A.2 Lower-Level Elements
• <description>
• <extendedProperty>
• <extendedPropertySet>
• <extendedPropertySetRef>
• <extendedPropertySets>
• <jpsConfig>
• <jpsContext>
• <jpsContexts>
• <name>
• <property>
• <propertySet>
• <propertySetRef>
• <propertySets>
• <serviceInstance>
• <serviceInstanceRef>
• <serviceInstances>
• <serviceProvider>
• <serviceProviders>
• <value>
• <values>

B File-Based Identity and Policy Store Reference

• B.1 Hierarchy of Elements in system-jazn-data.xml
• B.2 Elements and Attributes of system-jazn-data.xml
• <actions>
• <actions-delimiter>
• <app-role>
• <app-roles>
• <application>
• <applications>
• <attribute>
• <class>
• <codesource>
• <credentials>
• <description>
• <display-name>
• <extended-attributes>
• <grant>
• <grantee>
• <guid>
• <jazn-data>
• <jazn-policy>
• <jazn-realm>
• <matcher-class>
• <member>
• <member-resource>
• <member-resources>
• <members>
• <name>
• <owner>
• <owners>
• <permission>
• <permissions>
• <permission-set>
• <permission-sets>
• <policy-store>
• <principal>
• <principals>
• <provider-name>
• <realm>
• <resource>
• <resources>
• <resource-name>
• <resource-type>
• <resource-types>
• <role>
• <role-categories>
• <role-category>
• <role-name-ref>
• <roles>
• <type>
• <type-name-ref>
• <uniquename>
• <url>
• <user>
• <users>
• <value>
• <values>

C Oracle Fusion Middleware Audit Framework Reference

• C.1 Audit Events
  • C.1.1 What Components Can be Audited?
  • C.1.2 What Events can be Audited?
    • C.1.2.1 Oracle Platform Security Services Events and their Attributes
  • C.1.3 OPSS Event Attribute Descriptions
• C.2 The Audit Schema
• C.3 WLST Commands for Auditing
• C.4 Audit Filter Expression Syntax
• C.5 Naming and Logging Format of Audit Files

D User and Role API Reference

• D.1 Mapping User Attributes to LDAP Directories
• D.2 Mapping Role Attributes to LDAP Directories
• D.3 Default Configuration Parameters
• D.4 Secure Connections for Microsoft Active Directory

E Administration with Scripting and MBean Programming

• E.1 Configuring OPSS Service Provider Instances with a Script
• E.2 Configuring OPSS Services with MBeans
  • E.2.1 List of Supported OPSS MBeans
  • E.2.2 Invoking an OPSS MBean
  • E.2.3 Programming with OPSS MBeans
• E.3 Restricting Access
  • E.3.1 Annotation Examples
  • E.3.2 Mapping of Logical Roles to WebLogic Roles
  • E.3.3 Particular Access Restrictions

F OPSS System and Configuration Properties

• F.1 OPSS System Properties
• F.2 OPSS Configuration Properties
  • F.2.1 Common Properties
  • F.2.2 Policy Store Properties
    • F.2.2.1 Policy Store Configuration
    • F.2.2.2 Runtime Policy Store Configuration
  • F.2.3 Credential Store Properties
  • F.2.4 LDAP Identity Store Properties
  • F.2.5 Properties Common to All OID-Based Instances
  • F.2.6 Anonymous and Authenticated Roles Properties
  • F.2.7 Trust Service Properties
  • F.2.8 Audit Service Properties
  • F.2.9 Keystore Service Properties

G OPSS API References

• G.1 OPSS API References

H Using an OpenLDAP Identity Store

• H.1 Using an OpenLDAP Identity Store

I Adapter Configuration for Identity Virtualization

• I.1 About Split Profiles
• I.2 Configuring a Split Profile
• I.3 Deleting a Join Rule
• I.4 Deleting a Join Adapter
• I.5 Changing Adapter Visibility
• I.6 Enabling Access Logging for Identity Virtualization Library

J Troubleshooting OPSS

• J.1 Diagnosing Security Errors
  • J.1.1 About Log Files and OPSS Loggers
    • J.1.1.1 About Diagnostic Log Files
    • J.1.1.2 About Generic Log Files
    • J.1.1.3 About Authorization Loggers
    • J.1.1.4 Offline WLST Commands Loggers
    • J.1.1.5 Other OPSS Loggers
    • J.1.1.6 About User and Role API Logger
    • J.1.1.7 About Audit Loggers
    • J.1.1.8 Managing Loggers with Fusion Middleware Control
    • J.1.1.9 Managing Loggers with a Script
  • J.1.2 System Properties
    • J.1.2.1 jps.auth.debug
    • J.1.2.2 jps.auth.debug.verbose
    • J.1.2.3 Debugging the Authorization Process
  • J.1.3 Solving Security Errors
    • J.1.3.1 Understanding Sample Log Entries
    • J.1.3.2 Searching Logs with Fusion Middleware Control
    • J.1.3.3 Identifying a Message Context with Fusion Middleware Control
    • J.1.3.4 Generating Error Listing Files with Fusion Middleware Control
• J.2 The OPSS Diagnostic Framework
• J.3 Troubleshooting Reassociation and Migration
  • J.3.1 Reassociation Failure
  • J.3.2 Unsupported Schema
  • J.3.3 Missing Policies in Reassociated Policy Store
  • J.3.4 Migration Failure
• J.4 Troubleshooting Server Starting
  • J.4.1 Missing Required LDAP Authenticator
  • J.4.2 Missing Administrator Account
  • J.4.3 Missing Permission
  • J.4.4 Server Fails to Start
  • J.4.5 Other Server Start Issues
  • J.4.6 Permission Failure Before Server Starts
• J.5 Troubleshooting Permissions
  • J.5.1 Troubleshooting System Policy Failures
  • J.5.2 Failure to Grant or Revoke Permissions - Case Mismatch
  • J.5.3 Authorization Check Failure
  • J.5.4 User Gets Unexpected Permissions
  • J.5.5 Granting Permissions in Java SE Applications
  • J.5.6 Application Policies Not Seen in 12c HA Environment
• J.6 Troubleshooting Connections and Access
  • J.6.1 Failure to Connect to the Embedded LDAP Authenticator
  • J.6.2 Failure to Connect to an OID Server
  • J.6.3 Failure to Access Data in the Credential Store
  • J.6.4 Security Access Control Exception
  • J.6.5 Failure to Establish an Anonymous SSL Connection
• J.7 Troubleshooting Oracle Business Intelligence Reporting
  • J.7.1 Audit Templates for Oracle Business Intelligence Publisher
  • J.7.2 Oracle Business Intelligence Publisher Time Zone
• J.8 Troubleshooting Searching
  • J.8.1 Search Failure when Matching Attribute in Policy Store
  • J.8.2 Search Failure with an Unknown Host Exception
• J.9 Troubleshooting Versioning
  • J.9.1 Incompatible Versions of Binaries and Policy Store
  • J.9.2 Incompatible Versions of Policy Stores
• J.10 Troubleshooting Other Errors
  • J.10.1 Runtime Permission Check Failure
  • J.10.2 Tablespace Needs Resizing
  • J.10.3 Oracle Internet Directory Exception
  • J.10.4 User and Role API Failure
  • J.10.5 Characters in Policies
    • J.10.5.1 Use of Special Characters in Oracle Internet Directory 10.1.4.3
    • J.10.5.2 XML Policy Store that Contains Certain Characters
    • J.10.5.3 Characters in Application Role Names
    • J.10.5.4 Missing Newline Characters in XML Policy Store
  • J.10.6 Invalid Key Size
• J.11 Need Further Help?