Contents

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

What's New in This Guide

• Changes in This Document for Release 12.2.1.2.0
• Changes in This Document for Release 12.2.1.1.0
• New Features in Release 12.2.1.0.0

Part I Understanding Security Concepts

1 Introduction to Oracle Platform Security Services

• 1.1 What Is OPSS?
  • 1.1.1 OPSS Main Features
  • 1.1.2 Supported Server Platforms
• 1.2 OPSS Architecture Overview
  • 1.2.1 Benefits of Using OPSS
• 1.3 OPSS for Developers
  • 1.3.1 About Java EE Application Security
  • 1.3.2 About Java SE Application Security
• 1.4 ADF Security Overview
  • 1.4.1 Oracle ADF Application Security

2 Understanding Users and Roles

• 2.1 Terminology
• 2.2 Role Mapping
  • 2.2.1 Permission Inheritance and the Role Hierarchy
    • 2.2.1.1 Role Hierarchy Example
• 2.3 About the Role Category
• 2.4 About the Authenticated Role
• 2.5 About the Anonymous User and Role
• 2.6 About Administrative Users and Roles
• 2.7 Managing User Accounts

3 Understanding Identities, Policies, Credentials, Keys, Certificates, and Audit

• 3.1 Compatibility Table for 11g and 12c Versions
• 3.2 Authentication Basics
  • 3.2.1 WebLogic Server Authentication Providers
    • 3.2.1.1 Support for Multiple Authentication Providers
    • 3.2.1.2 Additional Authentication Methods
  • 3.2.2 Identity Store Types and WebLogic Server Authentication Providers
• 3.3 Policies Basics
• 3.4 Credentials Basics
• 3.5 Keys and Certificates Basics
• 3.6 Audit Basics

4 About the Security Store

• 4.1 Supported File, LDAP, and Database Stores
• 4.2 Packaging Requirements
• 4.3 FIPS Support in OPSS

Part II Basic OPSS Administration

5 Security Administration

• 5.1 OPSS Administration: Main Steps
• 5.2 Security Management Tools
• 5.3 Security Practices with Fusion Middleware Control
• 5.4 Security Practices with WebLogic Server Administration Console
  • 5.4.1 Security Practices with WLST
• 5.5 Security Practices with OES

6 Deploying Secure Applications

• 6.1 Developing Oracle ADF Applications
• 6.2 Choosing the Tool for Deployment
  • 6.2.1 Deploying Secure Applications with Fusion Middleware Control
• 6.3 Deploying Oracle ADF Applications to a New Environment
  • 6.3.1 Deploying to a Test Environment
    • 6.3.1.1 Typical Administrative Tasks after Deployment
• 6.4 Deploying Standard Java EE Applications
• 6.5 Deploying Audit-Aware Applications
• 6.6 Migrating from a Test to a Production Environment
  • 6.6.1 Migrating Identities
    • 6.6.1.1 Migrating Identities with migrateSecurityStore
  • 6.6.2 Migrating Policies and Credentials
    • 6.6.2.1 Migrating Policies with migrateSecurityStore
    • 6.6.2.2 Migrating Credentials with migrateSecurityStore
  • 6.6.3 Migrating Audit Data
  • 6.6.4 Migrating Keys and Certificates with migrateSecurityStore
    • 6.6.4.1 Migrating Keys and Certificates in the Same Domain
    • 6.6.4.2 Migrating Keys and Certificates across Different Domains

Part III OPSS Services

7 Life Cycle of Security Artifacts

• 7.1 How Security Artifacts Are Seeded
• 7.2 About Fusion Middleware Domains
• 7.3 Creating Fusion Middleware Domains
  • 7.3.1 Using a New Database Instance
  • 7.3.2 Sharing a Database Instance
• 7.4 Layered Component Security Artifacts
• 7.5 Upgrading Security to 12.2.1.x
  • 7.5.1 Before Upgrading the Security Store
  • 7.5.2 Upgrading Security: Main Steps
  • 7.5.3 Reconfiguring Domains with the Fusion Middleware Reconfiguration Wizard
  • 7.5.4 Upgrading a Shared Security Store
    • 7.5.4.1 Upgrading a Shared 12.1.2 or 12.1.3 Security Store
    • 7.5.4.2 Upgrading a Shared 11g Security Store
• 7.6 Backing Up and Recovering the Security Store
  • 7.6.1 Backing Up and Recovering a Database-Based Security Store
  • 7.6.2 Backing Up and Recovering LDAP Security Stores
  • 7.6.3 Recommendations
• 7.7 Upgrading Component Audit Definitions to 12c

8 Configuring the Identity Store

• 8.1 About the Identity Store
• 8.2 Configuring the Identity Store Provider
• 8.3 Configuring the Identity Store
  • 8.3.1 Identity Store Parameters
    • 8.3.1.1 Query Parameters
    • 8.3.1.2 Global Connection Parameters
    • 8.3.1.3 Back-End Connection Parameters
  • 8.3.2 Understanding the Service Configuration
    • 8.3.2.1 Configuring the Service for a Single LDAP
    • 8.3.2.2 Configuring the Service for Multiple LDAPs without Virtualization
    • 8.3.2.3 Configuring the Service for Multiple LDAPs with Fusion Middleware Control
    • 8.3.2.4 Configuring the Service with WLST
    • 8.3.2.5 Configuring the Timeout Setting with WLST
    • 8.3.2.6 Configuring Other Parameters
    • 8.3.2.7 Restarting Servers
    • 8.3.2.8 Configuring Single and Multiple LDAPs
  • 8.3.3 Configuring Split Profiles
  • 8.3.4 Configuring Custom Authentication Providers
  • 8.3.5 Configuring Virtualization in Java SE Applications
• 8.4 Querying the Identity Store Programmatically
• 8.5 Configuring SSL for the Identity Store

9 Configuring the Security Store

• 9.1 About the Security Store
  • 9.1.1 Environments with Multiple Servers
• 9.2 Using an LDAP Security Store
  • 9.2.1 Prerequisites to Using the LDAP Security Store
  • 9.2.2 Resetting the LDAP User Password
• 9.3 Using a Database Security Store
  • 9.3.1 Prerequisites to Using the Database Security Store
  • 9.3.2 Maintaining a Database Security Store
  • 9.3.3 Resetting the OPSS Schema Password
  • 9.3.4 Setting Up an SSL Connection to the Database Security Store
• 9.4 Reassociating the Security Store
  • 9.4.1 Reassociating the Security Store with Fusion Middleware Control
    • 9.4.1.1 Securing Access to LDAP Nodes
  • 9.4.2 Reassociating the Security Store with reassociateSecurityStore
• 9.5 Migrating the Security Store
  • 9.5.1 Migrating the Security Store with Fusion Middleware Control
  • 9.5.2 Migrating the Security Store with migrateSecurityStore
    • 9.5.2.1 Migrating All Policies with migrateSecurityStore
    • 9.5.2.2 Migrating System Policies with migrateSecurityStore
    • 9.5.2.3 Migrating Application Policies with migrateSecurityStore
    • 9.5.2.4 Migrating All Credentials with migrateSecurityStore
    • 9.5.2.5 Migrating One Credential Map with migrateSecurityStore
    • 9.5.2.6 Migrating Audit Data with migrateSecurityStore
    • 9.5.2.7 migrateSecurityStore Usage Examples
• 9.6 Configuring Security Providers with Fusion Middleware Control

10 Managing Policies

• 10.1 Determining the Security Store Characteristics
• 10.2 Managing the Policy Store
• 10.3 Managing Policies with Fusion Middleware Control
  • 10.3.1 Managing Application Policies
  • 10.3.2 Managing Application Roles
  • 10.3.3 Managing System Policies
• 10.4 Managing Policies with WLST
  • 10.4.1 reassociateSecurityStore
• 10.5 Refreshing the Policy Cache
  • 10.5.1 Authorization Scenarios Using Policy Refreshing
• 10.6 Principals and Roles in WLST Commands
• 10.7 Application Stripe in WLST Commands
• 10.8 Managing Application Policies with OES

11 Managing Credentials

• 11.1 Credential Types
• 11.2 Encrypting Credentials
• 11.3 Managing Credentials with Fusion Middleware Control
• 11.4 Managing Credentials with WLST

12 Managing Keys and Certificates

• 12.1 About the Keystore Service
  • 12.1.1 Structure of the Keystore Service
  • 12.1.2 Types of Keystores
  • 12.1.3 The Truststore
• 12.2 About Keystore Service Commands
  • 12.2.1 Getting Help for Keystore Service Commands
  • 12.2.2 Keystore Service Command Reference
• 12.3 Managing Keystores with Fusion Middleware Control
• 12.4 Managing Keystores with WLST
• 12.5 About Certificates
• 12.6 Managing Certificates with Fusion Middleware Control
• 12.7 Managing Certificates with WLST
• 12.8 Replacing Demonstration CA Signed Certificates
  • 12.8.1 Replacing Demo CA Certificates With Domain CA Signed Certificates
  • 12.8.2 Replacing Demo CA Certificates With Third-Party CA Signed Certificates
  • 12.8.3 Replacing the Demo CA Trust Service Certificate
• 12.9 How Fusion Middleware Components Use the Keystore Service
  • 12.9.1 Synchronizing the Local Keystore with the Security Store
    • 12.9.1.1 syncKeyStores Usage
    • 12.9.1.2 When to Synchronize the Keystores

13 Introduction to Oracle Fusion Middleware Audit Framework

• 13.1 What Are the Audit Objectives?
• 13.2 Audit Terminology
• 13.3 About Auditing with Oracle Fusion Middleware Audit Framework
  • 13.3.1 Overview of Oracle Fusion Middleware Audit Framework
  • 13.3.2 About Components and Applications
• 13.4 Understanding Audit
  • 13.4.1 The Audit Model
  • 13.4.2 About the Audit Store
  • 13.4.3 How Audit Data Is Stored
  • 13.4.4 About the Oracle Fusion Middleware Audit Framework
  • 13.4.5 Audit Setup: Main Steps
  • 13.4.6 Understanding the Runtime Audit Event Flow
• 13.5 About Audit Attributes, Events, and Event Categories
  • 13.5.1 Audit Attribute Groups
    • 13.5.1.1 About Generic Attribute Groups
    • 13.5.1.2 About Custom Attribute Groups
    • 13.5.1.3 About Audit Attribute Data Types
  • 13.5.2 Audit Events and Event Categories
    • 13.5.2.1 About System Categories and Events
    • 13.5.2.2 About Component and Application Categories
  • 13.5.3 Audit Artifact Naming Requirements
• 13.6 About Audit Definition Files
  • 13.6.1 About the component_events.xml File
• 13.7 About Mapping and Version Rules
  • 13.7.1 What Are Version Numbers?
  • 13.7.2 About Custom Attribute to Database Column Mappings

14 Managing Audit

• 14.1 Audit Administration Tasks
• 14.2 Managing the Audit Store
  • 14.2.1 About Audit Data Sources
  • 14.2.2 Managing Bus-Stop Files
  • 14.2.3 Configuring Standalone Audit Loader
    • 14.2.3.1 Configuring the Environment
    • 14.2.3.2 Running Standalone Audit Loader
• 14.3 Managing Audit Policies
  • 14.3.1 Managing Audit Policies with Fusion Middleware Control
  • 14.3.2 Managing Audit Policies with WLST
    • 14.3.2.1 Viewing Audit Policies with WLST Commands
    • 14.3.2.2 Updating Audit Policies with WLST Commands
    • 14.3.2.3 Configuring Audit Policies Example
    • 14.3.2.4 Configuring Audit Events Example
    • 14.3.2.5 What Happens to Custom Configuration when the Audit Level Changes?
  • 14.3.3 Managing Audit Policies Programmatically
• 14.4 Understanding Audit Time Stamps
• 14.5 About Audit Logs and Bus-stop Files
• 14.6 Audit Database Administration
  • 14.6.1 Overview of the Audit Schema
  • 14.6.2 Base and Component Table Attributes
  • 14.6.3 Tuning Performance
  • 14.6.4 Planning Backup and Recovery
  • 14.6.5 Importing and Exporting Data
  • 14.6.6 Purging Data
  • 14.6.7 Partitioning
  • 14.6.8 Performing Tiered Archival
  • 14.6.9 Creating Indexes on Custom Table Attributes Using Materialized Views
• 14.7 Best Practices for Audit Event Definitions
  • 14.7.1 Guidelines for Naming Events
  • 14.7.2 Differentiating Events
  • 14.7.3 Event Categorization
  • 14.7.4 Use of Generic Attributes
  • 14.7.5 Use of Component Attributes
  • 14.7.6 Guidelines for Linking Across Components
  • 14.7.7 Updating Event Definitions

15 Using Audit Analysis and Reporting

• 15.1 About Audit Reporting
• 15.2 Audit Reporting with the Dynamic Metadata Model
  • 15.2.1 Audit Views Created at Registration
  • 15.2.2 Manually Created Audit Views

Part IV Developing with OPSS APIs

16 Integrating Application Security with OPSS

• 16.1 About Security Challenges
• 16.2 Security Integration Use Cases
  • 16.2.1 Authentication
    • 16.2.1.1 Java EE Application Requiring Authenticated Users
    • 16.2.1.2 Java EE Application Requiring Programmatic Authentication
    • 16.2.1.3 Java SE Application Requiring Authentication
  • 16.2.2 Identities
    • 16.2.2.1 Application Running in Two Environments
    • 16.2.2.2 Application Accessing User Profiles in Multiple Stores
  • 16.2.3 Authorization
    • 16.2.3.1 Java EE Application Accessible by Specific Roles
    • 16.2.3.2 Oracle ADF Application Requiring Fine-Grained Authorization
    • 16.2.3.3 Application Securing Web Services
    • 16.2.3.4 Java EE Application Requiring Codesource Permissions
    • 16.2.3.5 Non-Oracle ADF Application Requiring Fine-Grained Authorization
  • 16.2.4 Credentials
    • 16.2.4.1 Application Requiring Credentials to Access System
  • 16.2.5 Audit
    • 16.2.5.1 Auditing Security-Related Activity
    • 16.2.5.2 Auditing Business-Related Activity
  • 16.2.6 Identity Propagation
    • 16.2.6.1 Propagating the Executing User Identity
    • 16.2.6.2 Propagating a User Identity
    • 16.2.6.3 Propagating Identities Across Domains
    • 16.2.6.4 Propagating Identities over HTTP
  • 16.2.7 Administration and Management
    • 16.2.7.1 Application Requiring a Centralized Store
    • 16.2.7.2 Application Requiring a Custom Management Tool
    • 16.2.7.3 Application Running in a Multiple Server Environment
  • 16.2.8 Integration
• 16.3 The OPSS Trust Service
• 16.4 Propagating Identities over HTTP
• 16.5 Propagating Identities with the OPSS Trust Service
  • 16.5.1 Propagating Identities Across Multiple WebLogic Server Domains
    • 16.5.1.1 Token Generation on the Client-Side Domain
    • 16.5.1.2 Server Side or Token Validation Domain
  • 16.5.2 Propagating Identities Across Containers in a Single WebLogic Server Domain
  • 16.5.3 Trust Provider Properties
• 16.6 Implementing a Custom Graphical User Interface
  • 16.6.1 Imports Assumed
  • 16.6.2 Query Identity Store Example
  • 16.6.3 Create Role Example
  • 16.6.4 Query Roles Example
  • 16.6.5 Map Roles Example
  • 16.6.6 Get Roles that Contain a User Example
  • 16.6.7 Delete Role Mapping Example
• 16.7 Securing Oracle ADF Applications
  • 16.7.1 Developing Phase
  • 16.7.2 Deployment Phase
  • 16.7.3 Administration Phase
  • 16.7.4 Summary of Tasks per Participant per Phase
• 16.8 Code and Configuration Examples
  • 16.8.1 Programming Examples
  • 16.8.2 Configuration Examples
• 16.9 Propagating Identities with JKS
  • 16.9.1 Single Domain Scenario
    • 16.9.1.1 Create the Client Application
    • 16.9.1.2 Configure the Keystore
    • 16.9.1.3 Configure Maps and Keys
    • 16.9.1.4 Configure a Grant
    • 16.9.1.5 Create the Java Servlet
    • 16.9.1.6 Configure web.xml
    • 16.9.1.7 Configure the Asserter
    • 16.9.1.8 Update Trust Parameters
  • 16.9.2 Multiple Domain Scenario
  • 16.9.3 Domains Using Both Protocols
    • 16.9.3.1 Single Domain Scenario
    • 16.9.3.2 Multiple Domain Scenario

17 The Security Model

• 17.1 About the OPSS Authorization and Policy Models
• 17.2 Authorization Models
  • 17.2.1 The Java EE Authorization Model
    • 17.2.1.1 Declarative Authorization
    • 17.2.1.2 Programmatic Authorization
    • 17.2.1.3 Java EE Application Example
  • 17.2.2 The JAAS Authorization Model
• 17.3 The JAAS/OPSS Authorization Model
  • 17.3.1 The Resource Catalog
  • 17.3.2 Managing Policies
  • 17.3.3 Checking Policies Programmatically
    • 17.3.3.1 Using checkPermission
    • 17.3.3.2 Using doAs and doAsPrivileged
    • 17.3.3.3 Using checkBulkAuthorization
    • 17.3.3.4 Using getGrantedResources
  • 17.3.4 The Class ResourcePermission

18 Developing with the Credential Store Framework

• 18.1 About the Credential Store Framework API
• 18.2 Guidelines for Using the Credential Store Framework API
• 18.3 About Map and Key Names
• 18.4 Provisioning Access Permissions
  • 18.4.1 Permission to Access a Key Example
  • 18.4.2 Permission to Access a Map Example
• 18.5 Using the Credential Store Framework API
  • 18.5.1 Using the Credential Store Framework API in Java SE Applications
  • 18.5.2 Using the Credential Store Framework API in Java EE Applications
• 18.6 Credential Store Framework API Examples
  • 18.6.1 Credential Store Framework Operations Example
  • 18.6.2 Java SE Application with File Credentials Example
  • 18.6.3 Java EE Application with File Credentials Example
  • 18.6.4 Java EE Application with LDAP Store Example
  • 18.6.5 Java EE Application with DB Store Example

19 Developing with the User and Role API

• 19.1 About the User and Role API
  • 19.1.1 Authentication Providers and the User and Role API
• 19.2 Working with Service Providers
  • 19.2.1 Setting Up the Environment
  • 19.2.2 Choosing the Provider Repository
  • 19.2.3 Creating the Provider Instance
  • 19.2.4 Configuring the Provider Start-Time and Runtime Properties
    • 19.2.4.1 Configuring Start-Time and Runtime
    • 19.2.4.2 Enabling Execution Context ID
  • 19.2.5 Configuring the Provider when Creating a Factory Instance
    • 19.2.5.1 Configuring Common Properties
    • 19.2.5.2 Configuring Constants, Number of Connections, and Pool Connection
  • 19.2.6 Configuring the Provider when Creating a Store Instance
  • 19.2.7 Configuring the Provider at Runtime
  • 19.2.8 Programming Guidelines
    • 19.2.8.1 Switching Providers
    • 19.2.8.2 Using Identity Store Objects
  • 19.2.9 The Provider's Lifetime
• 19.3 Searching the Identity Store
  • 19.3.1 Searching for a Specific Identity
  • 19.3.2 Searching for Multiple Identities
  • 19.3.3 Using Search Filters
    • 19.3.3.1 Filter Operators
    • 19.3.3.2 Filter for Logged-In User and Role
    • 19.3.3.3 Filters Examples
• 19.4 Creating and Modifying Entries in the Identity Store
  • 19.4.1 Creating Identities and Roles
  • 19.4.2 Modifying an Identity
  • 19.4.3 Deleting an Identity
• 19.5 User and Role API Examples
  • 19.5.1 Searching Users Example
  • 19.5.2 Managing Users Example
• 19.6 Configuring SSL for LDAP Providers
  • 19.6.1 Setting Up SSL to Providers
  • 19.6.2 Customizing SSL to Providers

20 Developing with the Identity Governance Framework

• 20.1 About the Identity Governance Framework
  • 20.1.1 Identity Directory API Overview
• 20.2 About the Identity Directory API Configuration
• 20.3 Using the Identity Directory API
  • 20.3.1 Initializing and Obtaining the Identity Directory Handle
  • 20.3.2 Creating and Deleting a User
  • 20.3.3 Obtaining and Modifying a User
  • 20.3.4 Simple and Complex User Search
  • 20.3.5 Creating and Deleting a Group
  • 20.3.6 Obtaining a Group
  • 20.3.7 Group Search Filter
  • 20.3.8 Adding and Deleting a Member to a Group
• 20.4 Configuring SSL Using the Identity Directory API

21 Developing with the Keystore Service

• 21.1 About the Keystore Service API
• 21.2 Setting Policy Permissions
  • 21.2.1 Permission for a Keystore Example
  • 21.2.2 Permission for a Map Example
  • 21.2.3 Permission for a Key Alias Example
• 21.3 Using the Keystore Service API in Java EE Applications
• 21.4 Using the Keystore Service API in Java SE Applications
• 21.5 Keystore Service API Examples
  • 21.5.1 Keystore Service Management Example
  • 21.5.2 Reading Keys at Runtime Example
    • 21.5.2.1 Getting a Handle to the Keystore
    • 21.5.2.2 Accessing Keystore Artifacts - Method 1
    • 21.5.2.3 Accessing Keystore Artifacts - Method 2

22 Developing with Oracle Fusion Middleware Audit Framework

• 22.1 Integrating Applications with the Oracle Fusion Middleware Audit Framework
• 22.2 Creating Audit Definition Files
  • 22.2.1 The component-events.xml File
  • 22.2.2 Translation Files
• 22.3 Registering the Application with the Service
  • 22.3.1 Performing Declarative Audit Registration
    • 22.3.1.1 Application Audit Registration
    • 22.3.1.2 Custom Audit Registration
  • 22.3.2 Programmatic Registration
  • 22.3.3 Registering with WLST Commands
  • 22.3.4 Using Domain Extension Templates for Audit Artifacts
• 22.4 Managing Policies Programmatically
  • 22.4.1 Querying Audit Data
  • 22.4.2 Viewing and Setting Audit Policies
• 22.5 Logging Audit Events Programmatically
  • 22.5.1 Oracle Fusion Middleware Audit Framework Interfaces
  • 22.5.2 Setting System Grants
  • 22.5.3 Obtaining the Auditor Instance
• 22.6 Updating and Maintaining Audit Definitions

23 Configuring Java EE Applications to Use OPSS

• 23.1 About Authentication in Java EE Applications
• 23.2 Developing Authentication in Java EE Applications
• 23.3 Configuring the Filter and the Interceptor
  • 23.3.1 Setting the Application Stripe
  • 23.3.2 Setting Application Role Support
  • 23.3.3 Setting the Anonymous User and Role
  • 23.3.4 Setting Authenticated Role Support
  • 23.3.5 Setting JAAS Mode
  • 23.3.6 Interceptor Configuration Requirements
  • 23.3.7 Summary of Filter and Interceptor Parameters
• 23.4 Choosing the Appropriate Class for Enterprise Groups and Users
• 23.5 Packaging a Java EE Application Manually
  • 23.5.1 Packaging Policies with the Application
  • 23.5.2 Packaging Credentials with the Application
• 23.6 Configuring Java EE Applications to Use OPSS
  • 23.6.1 Controlling Policy Migration
    • 23.6.1.1 jps.policystore.migration
    • 23.6.1.2 jps.policystore.applicationid
    • 23.6.1.3 jps.apppolicy.idstoreartifact.migration
    • 23.6.1.4 jps.policystore.removal
    • 23.6.1.5 jps.policystore.migration.validate.principal
    • 23.6.1.6 JpsApplicationLifecycleListener
  • 23.6.2 Configuring Policy Migration According to Behavior
    • 23.6.2.1 Recommendations
    • 23.6.2.2 Skipping Migrating Policies
    • 23.6.2.3 Migrating Merging Policies
    • 23.6.2.4 Migrating Overwriting Policies
    • 23.6.2.5 Removing or Not Removing Policies
    • 23.6.2.6 Migrating Policies in a Static Deployment
  • 23.6.3 Using File Credential Stores
  • 23.6.4 Controlling Credential Migration
    • 23.6.4.1 jps.credstore.migration
  • 23.6.5 Configuring Credential Migration According to Behavior
    • 23.6.5.1 Skipping Migrating Credentials
    • 23.6.5.2 Migrating Merging Credentials
    • 23.6.5.3 Migrating Overwriting Credentials
  • 23.6.6 Using Supported Permission Classes
    • 23.6.6.1 Security Store Permission Class
    • 23.6.6.2 Credential Store Permission Class
    • 23.6.6.3 Generic Permission Class
  • 23.6.7 Specifying Bootstrap Credentials Manually

24 Configuring Java SE Applications to Use OPSS

• 24.1 Using OPSS in Java SE Applications
  • 24.1.1 The JpsStartup Class
    • 24.1.1.1 JpsStartup.start States
    • 24.1.1.2 JpsStartup Constructor
    • 24.1.1.3 JpsStartup runtime Options
    • 24.1.1.4 OPSS Starting Examples
• 24.2 Implementing Security Services in Java SE Applications
• 24.3 Authentication in Java SE Applications
  • 24.3.1 Configuring the LDAP Identity Store in Java SE Applications
  • 24.3.2 Using Login Modules in Java Applications
    • 24.3.2.1 The User Authentication Login Module
    • 24.3.2.2 The User Assertion Login Module
    • 24.3.2.3 The Identity Store Login Module
    • 24.3.2.4 The Asserted User
  • 24.3.3 Using the Login Modules in Java SE Applications
• 24.4 Authorization in Java SE Applications
  • 24.4.1 Configuring Policy and Credential File Stores
  • 24.4.2 Configuring Policy and Credential LDAP Stores
  • 24.4.3 Configuring DB Security Stores
  • 24.4.4 File Store Unsupported Methods
• 24.5 Audit in Java SE Applications
  • 24.5.1 About Audit in Java SE Applications
  • 24.5.2 Configuring the Audit Bus-stop Directory
  • 24.5.3 Configuring Audit Loaders
  • 24.5.4 Common Audit Scenarios in Java SE Applications
    • 24.5.4.1 Audit with a Collocated WebLogic Server
    • 24.5.4.2 Audit Without a Collocated WebLogic Server

Part V Appendixes

A OPSS Configuration File Reference

• A.1 First and Second Hierarchy Levels
• A.2 Third and Lower Hierarchy Levels
• <description>
• <extendedProperty>
• <extendedPropertySet>
• <extendedPropertySetRef>
• <extendedPropertySets>
• <jpsConfig>
• <jpsContext>
• <jpsContexts>
• <name>
• <property>
• <propertySet>
• <propertySetRef>
• <propertySets>
• <serviceInstance>
• <serviceInstanceRef>
• <serviceInstances>
• <serviceProvider>
• <serviceProviders>
• <value>
• <values>

B File Store References

• B.1 File Store Hierarchy
• B.2 File Store Elements and Attributes
• <actions>
• <actions-delimiter>
• <app-role>
• <app-roles>
• <application>
• <applications>
• <attribute>
• <class>
• <codesource>
• <credentials>
• <description>
• <display-name>
• <extended-attributes>
• <grant>
• <grantee>
• <guid>
• <jazn-data>
• <jazn-policy>
• <jazn-realm>
• <matcher-class>
• <member>
• <member-resource>
• <member-resources>
• <members>
• <name>
• <owner>
• <owners>
• <permission>
• <permissions>
• <permission-set>
• <permission-sets>
• <policy-store>
• <principal>
• <principals>
• <provider-name>
• <realm>
• <resource>
• <resources>
• <resource-name>
• <resource-type>
• <resource-types>
• <role>
• <role-categories>
• <role-category>
• <role-name-ref>
• <roles>
• <type>
• <type-name-ref>
• <uniquename>
• <url>
• <user>
• <users>
• <value>
• <values>

C Oracle Fusion Middleware Audit Framework Reference

• C.1 Audit Events
  • C.1.1 What Components Can Be Audited?
  • C.1.2 System Categories and Events
  • C.1.3 OPSS Event Attributes
• C.2 The Audit Schema
• C.3 Audit Filter Expression Syntax
• C.4 Naming and Logging Audit Files

D User and Role API Reference

• D.1 Mapping User Attributes to LDAP Directories
• D.2 Mapping Role Attributes to LDAP Directories
• D.3 Default Configuration Parameters

E Administration with Scripts and MBeans

• E.1 Configuring Services with Scripts
• E.2 Configuring Services with MBeans
  • E.2.1 Supported OPSS MBeans
  • E.2.2 Using OPSS MBeans
  • E.2.3 Programming with OPSS MBeans
• E.3 Restricting Access to MBeans
  • E.3.1 Annotation Examples
  • E.3.2 Mapping Logical Roles to Enterprise Groups
  • E.3.3 Particular Access Restrictions

F OPSS System and Configuration Properties

• F.1 OPSS System Properties
• F.2 OPSS Configuration Properties
  • F.2.1 Properties Common to OPSS Services
  • F.2.2 Policy Service Properties
    • F.2.2.1 Policy Service Configuration
    • F.2.2.2 Runtime Policy Configuration
  • F.2.3 Credential Service Properties
  • F.2.4 LDAP Identity Properties
  • F.2.5 Properties Common to All LDAP Servers
  • F.2.6 Trust Service Properties
  • F.2.7 Audit Service Properties
  • F.2.8 Keystore Service Properties
  • F.2.9 Anonymous and Authenticated Roles Properties

G OPSS API References

• G.1 OPSS API References

H Using an OpenLDAP Identity Store

• H.1 Using an OpenLDAP Identity Store

I Adapter Configuration for Identity Virtualization

• I.1 About Split Profiles
• I.2 Configuring Split Profiles
• I.3 Implementing Split Profiles
• I.4 Logging Identity Virtualization Library

J Troubleshooting OPSS

• J.1 The OPSS Diagnostic Framework
• J.2 Diagnosing Security Errors
  • J.2.1 About OPSS Loggers
    • J.2.1.1 About Diagnostic Log Files
    • J.2.1.2 Offline WLST Loggers
  • J.2.2 Loggers by Service
    • J.2.2.1 Logging Authorization
    • J.2.2.2 Logging Audit
    • J.2.2.3 Logging the User and Role API
    • J.2.2.4 Logging Other Components
  • J.2.3 System Properties
  • J.2.4 Understanding Log Entries
• J.3 Troubleshooting Reassociation and Migration
  • J.3.1 Reassociation Failure
  • J.3.2 Unsupported Schema
  • J.3.3 Missing Policies in Reassociated Security Store
  • J.3.4 Migration Failure
• J.4 Troubleshooting Server Starting
  • J.4.1 Missing Required LDAP Authentication Provider
  • J.4.2 Missing Administrator Account
  • J.4.3 Missing Permission
  • J.4.4 Server Fails to Start
  • J.4.5 Other Server Start Issues
  • J.4.6 Permission Failure Before Server Starts
• J.5 Troubleshooting Permissions
  • J.5.1 Troubleshooting System Policy Failures
  • J.5.2 Failure to Get Permissions - Case Mismatch
  • J.5.3 Authorization Check Failure
  • J.5.4 User Gets Unexpected Permissions
  • J.5.5 Granting Permissions in Java SE Applications
  • J.5.6 Application Policies Not Seen in 12c HA Domain
• J.6 Troubleshooting Connections and Access
  • J.6.1 Database Connection Exception
  • J.6.2 Other Database Exceptions
  • J.6.3 JNDI Connection Exception
  • J.6.4 Failure to Connect to the Embedded LDAP Server
  • J.6.5 Failure to Connect to LDAP Server
  • J.6.6 Failure to Access Data in the Credential Store
  • J.6.7 Security Access Control Exception
  • J.6.8 Failure to Establish an Anonymous SSL Connection
• J.7 Oracle Business Intelligence Publisher Time Zone
• J.8 Troubleshooting Searching
  • J.8.1 Search Failure when Matching Attribute in Security Store
  • J.8.2 Search Failure with an Unknown Host Exception
• J.9 Troubleshooting Versions
  • J.9.1 Incompatible Versions of Binaries and Security Store
  • J.9.2 Incompatible Versions of Security Stores
• J.10 Troubleshooting Other Errors
  • J.10.1 Runtime Permission Check Failure
  • J.10.2 Tablespace Needs Resizing
  • J.10.3 Oracle Internet Directory Exception
  • J.10.4 User and Role API Failure
  • J.10.5 Characters in Policies
    • J.10.5.1 Special Characters in Oracle Internet Directory 10.1.4.3
    • J.10.5.2 Characters in File Security Stores
    • J.10.5.3 Characters in Application Role Names
    • J.10.5.4 Missing Newline Characters in File Store
  • J.10.6 Invalid Key Size
• J.11 Need Further Help?