8 Oracle Managed File Transfer Security

This chapter describes how to keep Oracle Managed File Transfer and its embedded FTP and sFTP servers secure.

This chapter includes the following sections:

• User Authentication and Authorization

• Embedded Server Security

• Integrating with Oracle Access Manager 11g for Single Sign-On

• FIPS 140 Compliance

• Message Encryption Using PGP

• Managing Keystores

• Enabling Security Audit Logging

• OWSM Security Policy Attachment

• Configuring SSL only Domain for Oracle Managed File Transfer

8.1 User Authentication and Authorization

Users can be configured, granted access to Oracle Managed File Transfer, and given permissions to embedded FTP and sFTP server directories and transfer payloads.

Note:

If a user’s permissions have changed when the user is already logged in, the changes will be effective only on the next login. Once a user is authenticated, the permissions of the user will not change until the user logs out and logs in again. This is applicable for all the console, WLST, RESTful, and embedded server operations such as deploy, enable/disable, import/export or read/write embedded server operations.

8.1.1 Configuring Users

You configure Oracle Managed File Transfer users and assign them to groups in the Oracle WebLogic Server Administration Console.

Note:

Oracle Managed File Transfer interacts with Oracle Enterprise Scheduler Service through the OracleSystemUser. Do not delete this user. If you do, clicking add schedule in a transfer configuration will result in an OracleSystemUser does not exist message, and Schedule Details may be blank in monitoring reports. For more information about transfer schedules, see Setting Up Schedules.

The steps for this process are:

1. Access the Oracle WebLogic Server console using a URL that includes the Oracle WebLogic Server hostname and the console port:

   http://wls-hostname:console-port/console
   

   For example:

   http://localhost:7011/console
   

2. Log in using the Oracle WebLogic Server admin username and password.
3. In the left pane of the Oracle WebLogic Server Administration Console, select Security Realms.
4. On the Summary of Security Realms page, select the name of the realm (for example, myrealm).
5. On the Settings for Realm Name page, select Users and Groups > Users.
6. Click New.
7. In the Name field of the Create New User page, enter a unique alphanumeric name for the user.
8. In the Description field, enter a description. The description might be the user's full name. This is optional.
9. In the Provider drop-down list, select DefaultAuthenticator.
10. In the Password field, enter a password for the user.

    The minimum password length is 8 characters. Do not use the username/password combination weblogic/welcome1 in production.

11. Re-enter the password for the user in the Confirm Password field.
12. Click OK to save your changes.
13. Click the name of the new user in the User table.
14. On the Settings for User Name page, select Groups.
15. Select a group or groups from the Available list box and move them to the Chosen list box. A user can be a member of more than one group.

    See Table 8-1 for MFT console access groups and Table 8-2 for MFT embedded server access groups.

16. Click Save.

For complete details, see Create Users and Add Users to Groups in the Oracle WebLogic Server Administration Console Online Help.

8.1.2 Oracle Managed File Transfer Console Access

Users log in to the Oracle Managed File Transfer console using the name and password assigned to them through the process described in Configuring Users. The Oracle Managed File Transfer page on which the user starts depends on the user's group:

• Administrators start on the Administration page.

• Deployers start on the Designer page.

• Monitors start on the Monitoring page.

A user assigned to both the Deployers and Monitors groups starts on the Designer page.

Table 8-1 lists the roles, groups, and permitted actions for user access to the MFT console. Console access is based only on roles. Embedded server access roles and groups do not determine console access.

Table 8-1 MFT Console Roles, Groups, and Permissions

Role	Groups with Role	Console Actions Permitted
MFTAdmin	Administrators, OracleSystemGroup	Import, Export, Purge, Design, Deploy, Monitor, Resubmit, Pause-Resume, Retry, Disable, Enable, StartES, StopES (all actions)
MFTMonitor	Monitors	Monitor, Resubmit, Pause-Resume, Retry, Disable, Enable, StartES, StopES
MFTDesigner	Deployers	Design, Deploy

8.1.3 Embedded Server User Access

You can grant users access to embedded FTP and sFTP server directories.

To use WLST to configure embedded server user access, see Oracle Managed File Transfer Utilities and MFT Embedded Server Commands in WLST Command Reference for SOA Suite.

The steps for this process are:

1. On the left pane of the Administration page, click the arrow to the left of Embedded Server.

   The Ports and User Access items appear.

2. Click User Access.

   The Embedded Server User Access tab opens.

3. Select User, Group, or Role, then type a user, group, or role name in the text field. You must type at least three letters. Any matches are displayed below the text field. Click the match you want to add.

   You configure users, groups, and roles using the process described in Configuring Users.

   Note:

   If Enable screen reader mode is selected in Accessibility Preferences, you must type the full user, group, or role name. See Setting Language_ Time Zone_ and Accessibility Preferences for more information.

4. Click the Add Folder (+) icon.

   The user's default folder is added to the table with Set As Home Folder selected.

5. To add other folders, click the Search icon.

   1. Type a directory under which to search in the Available Folders text box.

   2. Click the arrow to the right of the Available Folders text box.

      Subdirectories of the search directory are displayed.

   3. Click the arrow to the left of a directory to display further subdirectories.

   4. To select a directory, check its box.

   5. Click Add Selected.

6. Select Set As Home Folder to assign a different home folder. This is optional.

   If Set as Home Folder is selected, the user is place in the Home Folder when they log on to the embedded server. If the home folder does not exist, it is created at login.

7. Set the following permissions for each row. To set a permission for all rows, check or uncheck the box in the column header.

   • Access Subfolders: Applies the same permission settings to all subfolders.

   • Read: Allows viewing of file contents.

   • Write: Allows modification of file contents.

   • Delete: Allows file deletion.

   • List: Allows viewing of directory contents.

8. Click Save.

To undo all permission changes for a specific user since the last Save, click Reset All. To undo all changes for all users since the last Save, click Revert.

Table 8-2 lists the groups and default permitted actions for user access to MFT embedded server directories. Console access roles and groups do not determine embedded server access.

Table 8-2 MFT Embedded Server Groups and Permissions

Group	Members	Actions Permitted	Additional Notes
Administrators	Any Enterprise user. By default the user named weblogic is a member.	Read, Write, Delete, List (file operations) createDir, renameDir, deleteDir, changeDir (directory operations)	By default all permissions are granted to any member.
MFTESAdmin	Any Enterprise user. By default the Administrators group is a member.	Read, Write, Delete, List (file operations) createDir, renameDir, deleteDir, changeDir (directory operations)	This group is specifically for granting access to MFT embedded servers. By default all permissions are granted to any member.
OracleSystemGroup	Any Enterprise user. By default the user named OracleSystemUser is a member.	Read, Write, Delete, List (file operations)	Using this group for access provisioning is not recommended, because this group is intended for internal applications and system management.
Other preexisting groups	Any Enterprise user.	Read, Write, Delete, List (file operations)	Examples of these groups are Monitors and Deployers. These groups and users belonging to them are listed in the Embedded Server User Access tab.
User-created groups	Any Enterprise user.	Read, Write, Delete, List (file operations)	These groups and users belonging to them are listed in the Embedded Server User Access tab.
User-created roles	Any Enterprise user or group.	Based on member groups. If a role has the Administrators group as a member, all operations are allowed. Otherwise only file operations are allowed.	There is no preexisting role for embedded server access provisioning. You can create a role, assign members, and provision access.

8.1.4 Granting Payload Access

You can grant users, groups, and roles access to the payloads of transfers with these characteristics:

• A SOAP, SOA, Service Bus, or ODI target type

• A Delivery Method value of Reference

• A Reference Type value of FTP

If you grant no specific access, then all users, groups, and roles have access to the transfer payloads.

The steps for this process are:

1. Click the arrow to the left of Transfers in the left pane navigator.

   The transfers are listed.

2. Click the transfer name or right-click it and then select the Open menu item.

   The transfer tab opens.

3. Click the arrow to the left of Payload Access.

   The Payload Access section opens.

4. Click add users, groups, and roles.

   The Add Users dialog opens.

5. Select a category: User, Role, or Group.
6. Type part or all of a user, role, or group name in the Search field.

   You must type at least three letters. Any matches are displayed below the Search field.

7. Select the matching name you want to add.

   The selected name appears in the search field.

8. Click Add to List.

   The name appears in the Selected Users, Groups, and Roles list.

   To delete a user, role, or group from the list, click the red X to the right of it.

9. Repeat steps 5 through 8 for each user, role, or group you want to add.
10. Click Add Users.

    To cancel adding users, click Cancel.

    The Add Users dialog closes.

11. Verify that each user, role, or group you wanted to add is displayed in the Payload Access section of the transfer tab.

    To delete a user, role, or group from the list, click the red X to the right of it.

12. Save and optionally Deploy the transfer.

For more information about configuring transfers, see Configuring a Transfer.

8.2 Embedded Server Security

Secure embedded servers are of two types: sFTP (SSH-FTP) or FTPS (FTP over SSL).

The embedded servers support the following protocols: FTP RFC959, FTP RFC2228, sFTP, FTPS, SSH-2, TLS 1.1, and TLS 1.2.The SSH-1 protocol and SSHD (secure shell) are not supported.

8.2.1 sFTP (SSH-FTP)

Table 8-3 lists the sFTP embedded server settings related to security. These settings are on the Administration page, Embedded Servers tab, and sFTP subtab. After changing any of these settings, you must Stop and Start the sFTP server to activate the settings.

Table 8-3 sFTP Embedded Server Security Settings

Setting	Description
Authentication Type	Specifies the authentication type: Password (default), Public Key, or Both.
Host Key Alias	Specifies the alias of the SSH private key for authentication. To create SSH keys, see Configuring the SSH Keystore.

8.2.2 FTPS (FTP Over SSL)

Table 8-4 lists the FTP embedded server settings related to security. These settings are on the Administration page, Embedded Servers tab, and FTP subtab. After changing any of these settings, you must Stop and Start the FTP server to activate the settings.

Table 8-4 FTP Embedded Server Security Settings

Setting	Description
Plain FTP	Enables plain FTP, without Implicit or Explicit SSL support, on the FTP server. You can enable implicit or explicit SSL support, or both, in addition to plain FTP. The default is enabled (checked).
Implicit	Requires the client to immediately challenge the FTPS server with a TLS/SSL ClientHello message. A non-FTPS aware client cannot connect to an implicit SSL-enabled server. The default is enabled (checked).
Explicit	Allows clients to explicitly request that the FTP server encrypt the session and mutually agree to an encryption method. This is known as explicit FTPS or FTPES. Explicit mode is legacy-compatible, so plain FTP clients can still connect to the FTP server. Common commands for invoking FTPS security include AUTH TLS and AUTH SSL. The default is enabled (checked).
Client Authentication	Specifies the level of client authentication: Need, Want, or None. Applies only if Implicit or Explicit is checked. Need - The FTP server's SSL engine requires client authentication during the handshake. Want - The FTP server's SSL engine requests client authentication during the handshake. None - No client authentication is performed (default).
Protocol	Specifies the security protocol: TLS (default) or SSL. Applies only if Implicit or Explicit is checked.
Cipher Suite	Specifies the cipher suites to use. To use all available cipher suites, check All. Checking none uses a default list. Applies only if Implicit or Explicit is checked.
Certificate Alias	Specifies the alias of the SSL private key for authentication. Applies only if Implicit or Explicit is checked. To create SSL keys, see Configuring the SSL Keystore.

Note:

The message shown below is not an issue and is information logged to indicate that the FTPS service will not be started when there is no valid port available. This error information is not shown when implicit FTPS service is enabled.

{APP: mft-app] [partition-name: DOMAIN]
oracle.mft.COMMON.<MFTServer.initFTPServer>:Invalid value for FTPS Port: [-1]. FTPS Service will fail to start.

8.3 Integrating with Oracle Access Manager 11g for Single Sign-On

You can integrate the Oracle Managed File Transfer console URL with Oracle Access Manager 11g to achieve single-sign-on with other Enterprise web applications.

For general information about installing and configuring Oracle Access Manager, see "Configuring Oracle Access Manager (OAM)" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal.

To protect the MFT console URL, follow the steps described in "Configuring the WebLogic Server Administration Console and Enterprise Manager for OAM" in Oracle Fusion Middleware Administrator's Guide for Oracle WebCenter Portal, except specify /mftconsole /mftconsole/* /mftconsole/.../* as the Resource URL.

8.4 Message Encryption Using PGP

You can encrypt or decrypt a file that is being transferred. For more information, see Encryption and Decryption at the Source or Encryption and Decryption Preprocessing.

For encryption, you must reference the public PGP key alias. For decryption, you must reference the private PGP key alias.

To set up PGP keys and key aliases in the Oracle Managed File Transfer keystore, see Configuring the PGP Keystore.

8.5 FIPS 140 Compliance

FIPS 140-2 specifies the security requirements that must be met by a cryptographic module to protect sensitive information. The standard provides four increasing, qualitative levels of security to cover the wide range of potential applications and environments in which cryptographic modules may be employed.

Oracle Fusion Middleware Release 12c (12.2.1.x) supports the use of FIPS 140-2 enabled cryptographic libraries. The ability to operate in FIPS 140 mode is specific to a defined set of scenarios and transactions supported by Oracle Managed File Transfer. It applies where validated cryptography is used to support or enforce security-sensitive tasks such as authentication, authorization, confidentiality, integrity, and so on.

For more information about FIPS 140–2 use in Oracle Managed File Transfer, see FIPS 140 Support in Oracle Fusion Middleware in Administering Oracle Fusion Middleware.

In MFT, FIPS 140-2 certification involves certifying:

• Embedded SFTP Server

• Embedded FTP over SSL Server

• PGP Encrypt/Decrypt Actions

• Checksum generation

• SFTPRemote

Enabling FIPS 140–2 Mode from Java Options

To enable FIPS 140-2 mode from Java options, follow these steps:

1. Using the following URL, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that correspond to the version of your JDK. These Java policy JAR files affect cipher key sizes greater than 128 bits.

   http://www.oracle.com/technetwork/java/javase/downloads/index.html
   

   Open the .ZIP distribution and update local_policy.jar and US_export_policy.jar in JAVA_HOME/jre/lib/ security. See the README.txt file in the .ZIP distribution for more information and installation instructions.

2. Create your own java.security file. You can use the one that comes with the installed JDK as a guide

   Add both the RSA JCE provider and the RSA JSSE provider as the first two Java security providers listed in your java.security properties file:

   #
   security.provider.1=com.rsa.jsafe.provider.JsafeJCE
   security.provider.2=com.rsa.jsse.JsseProvider
    
   security.provider.3=sun.security.provider.Sun
   :
   

3. Start WebLogic Server.

For complete details about enabling FIPS mode in WebLogic Server, see Enabling FIPS Mode

SFTP

When FIPS is enabled at SFTP server, RSA and DSA keys are not supported. Oracle MFT supports only ECDSA keys of size 256, 384 bits.

Type	Non-FIPS Algorithms	FIPS Algorithms
KeyExchange	DHG1	DHG14
Ciphers	BlowfishCBC	AES128CBC, TripleDESCBC, AES192CBC, AES256CBC
Message Authentication	HMACMD5, HMACMD596, HMACSHA196	HMACSHA1
Signature	RSA, DSA	ECDSA

Note:

When FIPS is enabled at Oracle WebLogic Server, MD5 and Blowfish encryption algorithms are not supported.

FTP-SSL

When FIPS is enabled at FTPS server, keys of size equals to or above 2048 bits are supported. When enabled, by default, the ciphers listed in the Cipher suites list are FIPS compliant. So MFT SSL server supports only those selected in that list.

Any ciphers with MD2, MD4, MD5, RC2, RC4, RC5, DH algorithms in it are not FIPS approved algorithms.

Note:

MFT SSL supports many ciphers in both non-FIPS and FIPS mode. But not all ciphers supported by MFT are supported by the FTP clients. FTP clients may support only subset of the MFT ciphers. Before using any cipher make sure that the FTP client has the support for selected cipher. It is recommended that you use a combination of ciphers which are common across providers along with the specific ones.

PGP

Type	Non-FIPS Algorithm	FIPS Algorithm
Encryption	CAST, BLOWFISH, SAFER, DES, TWOFISH, IDEA (not supported due to licensing)	AES_128, AES_192, AES_256

Note:

In FIPS mode, TRIPLE_DES algorithm is not supported.

Algorithm	MBean Value
NULL	0
IDEA (not supported due to licensing)	1
TRIPLE_DES	2
CAST5	3
BLOWFISH	4
SAFER (not applicable for PGP symmetric keys)	5
DES	6
AES_128	7
AES_192	8
AES_256	9
TWOFISH	10

Checksum Generation

Type	Non-FIPS Algorithm	FIPS Algorithm
Message Digest	MD5	SHA-1, SHA-224, SHA-256, SHA-384, SHA-512

Note:

Only MD5, SHA-1, SHA–256 are available with default provider, that is, in non-FIPS mode.

JCA Transports

Type	Non-FIPS Algorithm	FIPS Algorithm
Data Integrity Algorithm	Hmac-md5	Hmac-sha1, Hmac-sha256, Hmac-sha256@ssh.com
Key Exchange Algorithm	Diffie-hellman-group1-sha1,  Diffie-hellman-group-exchange-sha1	Diffie-hellman-group14-sha1
Cipher Suite	Cast128, Twofish256, Twofish128, Blowfish	3Des, Aes128, Aes192, Aes256
PKI Algorithm	DSS	3Des, Aes128, Aes192, Aes256

Note:

When FIPS is enabled at the WebLogic level by adding FIPS jars, MD5/blowfish is not supported even when FIPS at the MFT level is not enabled.

For more information about FIPS 140–2 use in Oracle Managed File Transfer, see FIPS 140 Support in Oracle Fusion Middleware in Administering Oracle Fusion Middleware..

8.6 Managing Keystores

Oracle Managed File Transfer uses SSL and SSH keys for embedded server security and PGP keys for message encryption. To manage keys in the Oracle Managed File Transfer keystores, use the Oracle WebLogic Scripting Tool (WLST) and the Oracle Managed File Transfer console, described in the following sections:

• Configuring the SSL Keystore

• Configuring the SSH Keystore

• Configuring the PGP Keystore

You can use the MFT WLST keystore management commands to generate, import, export, delete, list, and update SSL, SSH, and PGP keys. For more information, see the WLST Command Reference for SOA Suite.

Note:

SSL keys in binary (DER) format are not supported. Use keys in BASE64 (PEM or CER) format. You can convert key formats using the openssl command.

Key lengths greater than 1024 bit are supported. However, there are some export restrictions on key lengths greater than 1024 bit. These restrictions are mostly specified at the JRE level in the JAVA_HOME\jre7\lib\security directory.

Note:

To create additional keystores, you can use WLST commands or the Oracle Enterprise Manager Fusion Middleware Control console. See Managing Keys and Certificates with the Keystore Service in Securing Applications with Oracle Platform Security Services, Managing Keystores, Wallets, and Certificates in Administering Oracle Fusion Middleware, and Managing the Credential Store in Securing Applications with Oracle Platform Security Services for more information about Fusion Middleware Control.

8.6.1 Configuring the SSL Keystore

The default keystore is used for storing Oracle MFT SSL keys and certificates. To configure the default keystore, use WLST and the Oracle Managed File Transfer console.

The steps for this process are:

1. Start WLST using the steps described in Running WLST Commands.
2. Access the Oracle Platform Security Services key store service:

   svc = getOpssService(name='KeyStoreService')
   

3. Create the SSL keystore:

   svc.createKeyStore(appStripe='<StripeName>', name='<StoreName>',   password='<StorePassword>', permission=false/true)
   

4. Create the SSL keys:

   svc.generateKeyPair(appStripe='StripeName', name='StoreName', password='StorePassword', dn='cn=CompanyURL', keysize='1024',
   alias='Alias', keypassword='KeyPassword')
   

   For example:

   svc.generateKeyPair(appStripe='mft', name='mftDefaultStore', password='P@s$W0rd', dn='cn=www.mycompany.org', keysize='1024',
   alias='mftssl', keypassword='P@s$W0rd2')
   

   Specify mft as the stripe name and mftDefaultStore as the store name. Oracle Managed File Transfer uses these names by default. The store and key passwords are optional.

   When securing the FTP server, you reference the SSL private key alias configured in this step. See the Certificate Alias description in FTPS (FTP Over SSL).

5. Exit WLST using the steps described in Running WLST Commands.
6. In the Oracle Managed File Transfer console, on the left pane of the Administration page, click Keystores.
7. If you specified key and store passwords in previous steps, you must enter them on this page.

   Enter the key password in the Private Key Password field and the store password in the Key Password field.

8. Click Save.

8.6.2 Configuring the SSH Keystore

To configure the SSH keystore, use WLST and the Oracle Managed File Transfer console.

The steps for this process are:

1. Start WLST using the steps described in Running WLST Commands.
2. Use the generateKeys WLST command to create a password-protected private SSH key. The key type is RSA and the key size is 1024 bits. For example:

   generateKeys('SSH', 'P@s$W0rd','/export/ssh/ssh-pvt-keys.ppk')
   

   If you are an advanced user and want to set additional key parameters, you can use the ssh-keygen command instead. For example:

   ssh-keygen -t rsa -b 2048 -f /export/ssh/ssh-pvt-keys.ppk -N P@a$W0rd
   

   For more information about ssh-keygen, see ssh-keygen(1) - Linux man page.

   The password is optional for either command.

3. Use the importCSFKey WLST command to import and create an alias for the key. For example:

   importCSFKey('SSH', 'PRIVATE', 'mftssh', '/export/ssh/ssh-pvt-keys.ppk')
   

   When securing the sFTP server, you reference the SSH private key alias configured in this step. See the Host Key Alias description in sFTP (SSH-FTP).

4. Exit WLST using the steps described in Running WLST Commands.
5. In the Oracle Managed File Transfer console, on the left pane of the Administration page, click Keystores.
6. If you specified a password in step 2, you must enter it in the SSH Private Key Password field.
7. Click Save.

8.6.3 Configuring the PGP Keystore

To configure the PGP keystore, use WLST and the Oracle Managed File Transfer console.

Note:

If a payload is encrypted by a PGP tool outside of MFT using a key length or algorithm that is restricted, MFT decryption will fail. These restrictions are mostly specified at the JRE level in the JAVA_HOME\jre7\lib\security directory.

The steps for this process are:

1. Start WLST using the steps described in Running WLST Commands.
2. Use the generateKeys WLST command to create a password-protected PGP key pair. For example:

   generateKeys('PGP', 'P@s$W0rd','/export/pgp', 'example<example@example.com>')
   

   The password is optional.

3. Use the importCSFKey WLST command to import and create an alias for each key. For example:

   importCSFKey('PGP', 'PUBLIC', 'mftpgppub', '/export/pgp/pub.asc')
   importCSFKey('PGP', 'PRIVATE', 'mftpgppri', '/export/pgp/secret.asc')
   

   For encryption, you must reference the public PGP key alias. For decryption, you must reference the private PGP key alias. For more information, see Encryption and Decryption at the Source or Encryption and Decryption Preprocessing.

4. Exit WLST using the steps described in Running WLST Commands.
5. In the Oracle Managed File Transfer console, on the left pane of the Administration page, click Keystores.
6. If you specified a password in step 2, you must enter it in the PGP Private Key Password field.
7. Click Save.

8.7 Enabling Security Audit Logging

You can enable audit logging for Oracle Managed File Transfer using Oracle Enterprise Manager Fusion Middleware Control or the Oracle WebLogic Scripting Tool (WLST).

To generate reports of audit data, see Using Audit Analysis and Reporting in Securing Applications with Oracle Platform Security Services.

8.7.1 Using Fusion Middleware Control to Enable Audit Logging

The steps for this process are:

1. Log in to the Fusion Middleware Control console.
2. In the Target Navigation pane, expand the Weblogic Domain node.
3. Select the domain on which the Oracle WebLogic Server managed server dedicated to Oracle Managed File Transfer is installed.

   For example, the domain might be soainfra or base_domain.

4. Right-click on the domain and select Security > Audit Policy.
5. Select MFT from the Audit Component Name drop-down list.

   If you do not see the MFT component, then restart the Oracle WebLogic Server admin server and managed servers. For more information, see Oracle WebLogic Server Startup and Shutdown.

6. Change the Audit Level to Medium.
7. Click Apply.
8. Restart the Oracle WebLogic Server admin server and managed servers. For more information, see Oracle WebLogic Server Startup and Shutdown.

8.7.2 Using WLST to Enable Audit Logging

The steps for this process are:

1. Start WLST using the steps described in Running WLST Commands.
2. Use the following WLST command to enable audit logging for MFT:

   setAuditPolicy(componentType="MFT",filterPreset="None")
   

   You can specify a filterPreset of Custom or Medium instead of None.

3. Exit WLST using the steps described in Running WLST Commands.

For more information about WLST commands for audit policies, see Manage Audit Policies with WLST in Securing Applications with Oracle Platform Security Services.

8.8 OWSM Security Policy Attachment

Oracle Managed File Transfer supports securing web service sources and targets with Oracle Web Services Manager (OWSM) policies. Web service sources and targets include those of type SOAP, SOA, Service Bus, and ODI.

Note:

WS-Security compliant policies are not supported.

You can attach one policy file per source or target. The policy file holds the attached policies and overridden attributes.

You can attach policies globally using Oracle Enterprise Manager Fusion Middleware Control or the Oracle WebLogic Scripting Tool (WLST). You can attach policies locally using the MFT console or WLST.

Web services security can be divided into the following parts:

• Design time — when policies are attached and registered for the source or target.

• Runtime — when the policies are enforced upon invoking the secured source or target.

• Life cycle — how policies are managed regarding the life cycle of the source or target.

This section includes the following topics:

• Using Fusion Middleware Control for Global Policy Attachment

• Using WLST for Global Policy Attachment

• Using the MFT Console for Local Policy Attachment

• Using WLST for Local Policy Attachment

• How the Policy Is Applied at Runtime

• Policies and Artifact Life Cycle Management

• Verifying Policy Registration

8.8.1 Using Fusion Middleware Control for Global Policy Attachment

How you attach a policy depends on whether the policy is inbound (for sources) or outbound (for targets). In addition, some client policies require credentials.

8.8.1.1 Managing Policy Credentials

Some client policies, such as the user name token policy, require credentials. Before you can attach such a policy using Oracle Enterprise Manager Fusion Middleware Control, you must create a map and key. For more information, see Managing the Credential Store in Securing Applications with Oracle Platform Security Services.

The steps for this process are:

1. Log in to the Fusion Middleware Control console.
2. In the Target Navigation pane, expand the Weblogic Domain node.
3. Select the domain on which the Oracle WebLogic Server managed server dedicated to Oracle Managed File Transfer is installed.

   For example, the domain might be soainfra or base_domain.

4. Right-click on the domain and select Security > Credentials.

   The Credentials table appears.

5. Click Create Map.
6. In the Create Map dialog, type oracle.wsm.security in the Map Name field. Click OK.

   The oracle.wsm.security credential appears in the Credentials table.

7. Select the oracle.wsm.security credential and click Create Key.
8. In the Create Key dialog, type basic.credentials in the Key field. Type the user information in the User Name, Password, and Confirm Password fields. Click OK.

   An expand arrow appears to the left of the oracle.wsm.security credential. Clicking this arrow displays the basic.credentials key.

8.8.1.2 Creating a Policy Set for a Source

You can create a policy set and attach a policy for a source. For more information, see Managing Web Service Policies with Fusion Middleware Control in Securing Web Services and Managing Policies with Oracle Web Services Manager.

The steps for this process are:

1. Log in to the Fusion Middleware Control console.
2. In the Target Navigation pane, expand the Weblogic Domain node.
3. Select the domain on which the Oracle WebLogic Server managed server dedicated to Oracle Managed File Transfer is installed.

   For example, the domain might be soainfra or base_domain.

4. Right-click on the domain and select Web Services > WSM Policy Sets.

   The WSM Policy Set Summary table appears.

5. Click Create.
6. On the Create Policy Set: Enter General Information page, enter a Name, check Enabled, and select SOAP Web Service from the Type of Resource drop-down list. Click Next.
7. On the Create Policy Set: Enter Resource Scope page, type the following information:

   • Domain Name: Type the name of the domain on which the Oracle WebLogic Server managed server dedicated to Oracle Managed File Transfer is installed.

     For example, the domain might be soainfra or base_domain.

   • Application Name: Type *. or mftapp

   • Application Module Name or Connection Name: Type *. or mftapp

   • RESTful Application, Service, or Web Service Endpoint Name: This can be a SOA composite endpoint or an Oracle Managed File Transfer source. For a source, type {http://xmlns.oracle.com/fmw/mft/soap}MFTService_source-name.

   • Port Name: Type MFTServicePort or the port name of a SOA composite (for example submit_ptt).

8. Click Next. On the Create Policy Set: Enter Constraint page, click Next again.
9. On the Create Policy Set: Add Policy References page, select one or more policies from the Available Policies list and click Attach. Click Next.
10. On the Create Policy Set: Summary page, click Save.

8.8.1.3 Creating a Policy Set for a Target

You can create a policy set and attach a policy for a target. For more information, see Managing Web Service Policies with Fusion Middleware Control in Securing Web Services and Managing Policies with Oracle Web Services Manager.

The steps for this process are:

1. Log in to the Fusion Middleware Control console.
2. In the Target Navigation pane, expand the Weblogic Domain node.
3. Select the domain on which the Oracle WebLogic Server managed server dedicated to Oracle Managed File Transfer is installed.

   For example, the domain might be soainfra or base_domain.

4. Right-click on the domain and select Web Services > WSM Policy Sets.

   The WSM Policy Set Summary table appears.

5. Click Create.
6. On the Create Policy Set: Enter General Information page, enter a Name, check Enabled, and select SOAP Web Service Client from the Type of Resource drop-down list. Click Next.
7. On the Create Policy Set: Enter Resource Scope page, type the following information:

   • Domain Name: Type the name of the domain on which the Oracle WebLogic Server managed server dedicated to Oracle Managed File Transfer is installed.

     For example, the domain might be soainfra or base_domain.

   • Application Name: Type *

   • Application Module Name or Connection Name: Type *

   • RESTful Application, Service, or Web Service Endpoint Name: Specify a SOA composite endpoint name.

   • Port Name: Port Name of the target SOA composite.

8. Click Next. On the Create Policy Set: Enter Constraint page, click Next again.
9. On the Create Policy Set: Add Policy References page, select one or more policies from the Available Policies list and click Attach. Click Next.
10. On the Create Policy Set: Summary page, click Save.

8.8.2 Using WLST for Global Policy Attachment

Using WLST, you can attach a policy to all web service endpoints in Oracle Managed File Transfer.

The steps for this process are:

1. Start WLST using the steps described in Running WLST Commands.

2. Use the following WLST commands to create and attach a policy set:

   beginRepositorySession())
   createPolicySet('mft', 'ws-service', 'Domain("*")')
   attachPolicySetPolicy('oracle/wss_username_token_service_policy')
   validatePolicySet()
   commitRepositorySession()
   displayPolicySet('mft')
   

   The wss_username_token_service_policy is an example. You can attach a different policy.

3. Exit WLST using the steps described in Running WLST Commands.

You can also attach a policy to a specific web service endpoint, either a source or target.

The steps for this process are:

1. Start WLST using the steps described in Running WLST Commands.
2. Use the following WLST commands to create and attach a policy set:

   beginRepositorySession())
   createPolicySet('mft', 'ws-service', 'Service("{http://xmlns.oracle.com/fmw/mft/soap}MFTService_SOAPSource")')
   attachPolicySetPolicy('oracle/wss_username_token_service_policy')
   validatePolicySet()
   commitRepositorySession()
   displayPolicySet('mft')
   

   The SOAPSource is an example. You can create a policy set for a different source or target.

   The wss_username_token_service_policy is an example. You can attach a different policy.

3. Exit WLST using the steps described in Running WLST Commands.

For more information about WLST commands for managing policy sets, see Policy Set Management Commands in WLST Command Reference for Infrastructure Components.

8.8.3 Using the MFT Console for Local Policy Attachment

The steps for this process are:

1. Create and deploy the SOAP, SOA, Service Bus, or ODI application corresponding to the MFT source or target. For a target, you must attach a policy to the application.

   See Integrating Oracle Managed File Transfer with Other Products for more information.

2. Create or open the source or target as described in Creating a Source or Creating a Target.
3. Before clicking Save, click the arrow to the left of Policies.

   The Selected Policies and Available Policies tables are displayed.

4. To search the Available Policies by name, type a full or partial name in the Search field and click the Search icon.
5. Select one or more policies from the Available Policies list.
6. Click Attach.

   The selected policies move to the Selected Policies list.

   To detach one or more policies, select them and click Detach.

7. Click Save.
8. Add the source or target to a transfer as described in Configuring a Transfer.
9. Deploy the transfer as described in Deploying and Testing Transfers.

   The attached policies are automatically registered in OWSM. To verify the registration, see Verifying Policy Registration.

8.8.4 Using WLST for Local Policy Attachment

You can attach a policy to a specific web service endpoint, either a source or target.

The steps for attaching a policy are:

1. Start WLST using the steps described in Running WLST Commands.

2. Use the following WLST commands to create and attach a policy set:

   beginWSMSession()
   listWSMPolicySubjects('mft-app')
   selectWSMPolicySubject('/weblogic/soainfra/mft-app', '#SOAPSource', 
   'WSService({http://xmlns.oracle.com/fmw/mft/soap}MFTService_SOAPSource#MFTServicePort)')
   attachWSMPolicy('oracle/binding_authorization_denyall_policy')
   attachWSMPolicy('oracle/wss_username_token_service_policy')
   previewWSMEffectivePolicySet()
   commitWSMSession()
   

   The SOAPSource is an example. You can create a policy set for a different source or target.

   The wss_username_token_service_policy is an example. You can attach a different policy.

3. Exit WLST using the steps described in Running WLST Commands.

The steps for detaching a policy are:

1. Start WLST using the steps described in Running WLST Commands.
2. Use the following WLST commands to create and attach a policy set:

   beginWSMSession()
   listWSMPolicySubjects('mft-app')
   selectWSMPolicySubject('/weblogic/soainfra/mft-app', '#SOAPSource', 
   'WSService({http://xmlns.oracle.com/fmw/mft/soap}MFTService_SOAPSource#MFTServicePort)')
   detachWSMPolicy('oracle/binding_authorization_denyall_policy')
   detachWSMPolicy('oracle/wss_username_token_service_policy')
   previewWSMEffectivePolicySet()
   commitWSMSession()
   

   The SOAPSource is an example. You can create a policy set for a different source or target.

   The wss_username_token_service_policy is an example. You can attach a different policy.

3. Exit WLST using the steps described in Running WLST Commands.

For more information about WLST commands for managing policy sets, see Policy Set Management Commands in WLST Command Reference for Infrastructure Components.

8.8.5 How the Policy Is Applied at Runtime

For a source, the sending user must specify the policy and its required credentials with the file to be transferred. Otherwise the file transfer will not succeed.

For a target, the receiving user does not need to specify the policy. This is the responsibility of the sending user in the transfer. However, if the sending user does not specify the policy attached to the target and its required credentials, the file transfer will not succeed.

Credentials that the policy requires can include a username, password, certificate, or other security information. See Managing Policy Credentials for more information.

8.8.6 Policies and Artifact Life Cycle Management

A policy file is persisted in the MFT metadata store (MDS) and follows the exact life cycle pattern of its parent source or target artifact, including the version.

• Create an artifact, and the policy file is created in the MDS and referenced by the artifact.

• Deploy an artifact, and the policy file is automatically registered in OWSM.

• Undeploy an artifact, and the policy file is de-registered.

• Enable an artifact, and the policy file is automatically registered in OWSM.

• Disable an artifact, and the policy file is de-registered.

• Delete an artifact, and the policy file is deleted from the MDS.

• Export an artifact, and the policy file is exported and linked to by the artifact export file.

• Import an artifact, and the linked policy file is also imported.

8.8.7 Verifying Policy Registration

After you attach policies globally or locally, you can use WLST to verify that these policies are registered in the OWSM repository as part of the effective policy set.

The steps for this process are:

1. Start WLST using the steps described in Running WLST Commands.
2. Use the following WLST commands to specify the MFT policy subject and display the effective policy set:

   beginWSMSession()
   listWSMPolicySubjects('mft-app')
   selectWSMPolicySubject('/weblogic/soainfra/mft-app', '*', '*')
   displayWSMEffectivePolicySet()
   commitWSMSession()
   

   The output of the displayWSMEffectivePolicySet command should list the policies you attached.

3. Exit WLST using the steps described in Running WLST Commands.

For more information about the WLST commands for policy subjects, see Policy Subject Commands in WLST Command Reference for Infrastructure Components.

For general information about the OWSM repository, see Overview of Web Services Administration in Administering Web Services.

8.9 Configuring SSL only Domain for Oracle Managed File Transfer

Create a SSL only domain in Oracle Managed File Transfer.

To configure SSL only domain:

1. Go to $DOMAIN_HOME/oracle_common/bin/ directory and run the following command:
   sh libovdconfig.sh -host <host> -port <port> -userName <wlsadminusername> -domainPath <AbsolutePathOfDomainHome> -createKeystore
2. Extract the certificate of AdminServer by connecting to http://host:port/console from the web browser and export the certificate to a file. Enter the certificate details.
   The file format should be "Base 64 Encoded x.509".

   Note:

   The above step is applicable only for integrated Weblogic LDAP (Default Authenticator). For other LDAPs, the certificate has to be exported by using the appropriate LDAP commands.
3. Import the certificate exported in the above step to the created keystore by executing the following command.
   keytool -importcert -keystore <DOMAIN_HOME>/config/fmwconfig/ovd/default/keystores/adapters.jks -storepass <password> -alias <alias> -file <filePath> -noprompt
   The password is specified while generating the keystore and filepath is the file containing the exported certificate.
4. Choose any alias of your choice.
5. Perform the SSL related changes to create SSL only domain.
6. Restart the Weblogic Admin and Managed Servers.
   After restarting the server, you will be able to login to MFT console and embedded servers in SSL only domain.

After creating the domain, you need to enable the SSL domain. To enable SSL domain, see Enabling SSL only Domain.

8.9.1 Enabling SSL only Domain

After creating the SSL only domain, enable the domain by configuring SSL in different use cases by following the steps below:

Enabling SSL only Domain

Follow the steps below to set up Oracle MFT in an SSL only WebLogic domain.

1. Enable the SSL listening port at the time of domain creation, in case of new domains.

2. For existing domain, extend the domain and select the SSL listening port.

3. Start the AdminServer and disable the non-SSL listening port of the managed Server and AdminServer.

4. Start the managed server.

Invoking Webservice over SSL (HTTPS service)

Follow the steps below to invoke the SOA/SOAP targets over HTTP SSL protocol.

1. Export the SSL certificate of remote SSL webservice, for example, from Web browser to File.

2. Import the certificate to below stores:

   1. jdk_home/jre/lib/security/cacerts

   2. /wlserver/server/lib/cacerts

   3. EM > Security > Keystore > System > Trust store, CA store

3. Restart the server.

Configuring remote SSL FTP server

Follow the steps below to connect from a Remote FTP(S) Source or Target to a remote FTP Server. The remote FTP Server can be non-MFT FTP Server, or it could be MFT Embedded FTP Server within another deployment of MFT.

1. Export the trusted certificate used for remote SSL FTP server to a file using appropriate tools. In case of MFT FTPS remote server, do it via WLST with below command:

   svc.exportKeyStoreCertificate(appStripe='<stripe>',name='<store>',password='<storePassword>',alias='<certalias>',type='Certificate',filepath='<filePath>')

2. Import the trusted certificate to MFT using the below WLST command:

   svc.importKeyStoreCertificate(appStripe='<Stripe>',name='<Store>', password='<StorePassword>',alias='<certAlias>',keypassword='<keyPassword>',type='TrustedCertificate',filepath='<filepath>')