Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

What's New

• Changes Since Release 10.1.2

1 Standard Security Concepts

• Introducing the Java 2 Security Model and JAAS
• Authentication and Authorization
• Authentication and Authorization Concepts
• Capability Model of Access Control
• JAAS Security Model Versus J2EE Security Model
• About Principals and Subjects
• About Permissions, Policies, and Realms
• Security Permissions
• Security Policies
• Protection Domains
• Security Managers and Access Control
• Security Realms
• Login Module Authentication
• Role-Based Access Control: Roles and Role Hierarchy
• Secure Communications
• Secure Sockets Layer and HTTPS
• Certificates
• Key Encryption and Exchange
• Identity Propagation
• Developing Secure J2EE Applications

2 Overview of OC4J Security

• Introducing the OracleAS JAAS Provider and Security Providers
• Overview of the OracleAS JAAS Provider
• Summary of JAAS Framework Features
• Supported Security Providers
• Support for DataSourceUserManager
• Authentication in the OC4J Environment
• Authorization in the OC4J Environment
• J2EE Authorization
• JAAS Authorization and JAAS Mode
• Introduction to JAAS Mode
• OracleAS JAAS Provider Realm and Policy Features
• Features for Granting Permissions
• Features for Checking Permissions
• OracleAS JAAS Provider Permission Classes
• Implementation of Java Authorization Contract for Containers
• Overview of Security Role Mapping

3 Overview of Security Administration and Configuration

• General OC4J Deployment and Configuration Features
• Tools for Oracle Application Server and OracleAS JAAS Provider
• Overview of Enterprise Manager
• Overview of the OracleAS JAAS Provider Admintool
• Overview of Oracle Identity Management and Oracle Internet Directory Tools
• Overview of Delegated Administration Services
• Overview of Oracle Directory Manager
• JMX and MBeans Administration
• Overview of Configuration Files and Key Elements
• The orion-application.xml File (<jazn> and <jazn-web-app> Elements)
• The system-application.xml File
• The system-jazn-data.xml File
• Application-Specific jazn-data.xml File (Optional)
• The jazn.xml File
• OC4J System Application
• Summary of OC4J Accounts
• Predefined OC4J Accounts
• Activation of the oc4jadmin Account
• Configuring a New Administration Account
• Configuring an Anonymous User
• Summary of Configuration Repositories and Security Management Tools

4 Java VM Security Settings for OC4J

• Specifying an Alternate JAAS Policy Provider
• Specifying a Java 2 Security Manager and Policy File
• Creating a Java 2 Policy File
• Using PrintingSecurityManager to Debug Java 2 Policy
• Enabling Subject Propagation for ORMI

5 Tasks and Guidelines in Setting Security

• Guidelines for Password Management
• Creating an Indirect Password
• Specifying a Password Manager in system-application.xml
• Password Obfuscation in OC4J Configuration Files
• Tasks and Guidelines for Using Security Realms in OC4J
• Default Realm with the File-Based Provider or Oracle Identity Management
• Evaluation of the Default Realm for File-Based Provider or Oracle Identity Management
• Using the Default Realm
• Using a Nondefault Realm
• Using Multiple Realms
• Omitting the Realm Name When Retrieving an Authenticated Principal
• Tasks for JAAS Mode and Authorization
• Use J2EE Authorization
• Use OracleAS JAAS Provider Policy Management
• Use OracleAS JAAS Provider JAAS Mode
• Using the Java Authorization Contract for Containers
• System Properties to Enable Java ACC Features
• System Properties to Specify the Java ACC Provider
• Packaging Considerations for OC4J Configuration Files
• Configuration Tasks and Considerations in the Deployment Descriptors
• Configuration to Use the Instance-Level File-Based Provider
• Configuration to Automatically Create jazn-data.xml
• Supplying an Application-Specific jazn-data.xml File
• Deployment Tasks and Guidelines for Security
• Overview of Deployment Considerations
• Deploying an Application
• Deploying an Application through Application Server Control
• Specifying a Security Provider
• Considering the File-Based Provider Versus Oracle Identity Management
• Specifying the Security Provider through Application Server Control
• Mapping J2EE Security Roles to JAAS Roles
• Application Role Definitions and References
• Specifying Security Role Mapping through Application Server Control
• Mapping J2EE Roles to JAAS Roles in OC4J Configuration Files
• Using the OC4J PUBLIC Role to Allow General Access by Authenticated Users
• Post-Deployment Considerations
• Navigating to the Security Provider Page for Your Application
• Tasks for DataSourceUserManager
• DataSourceUserManager Properties
• Configuring an Application to Use DataSourceUserManager

6 Oracle Identity Management Security Provider

• Realm Management in LDAP-Based Environments
• LDAP-Based Realm Types
• About Distinguished Names
• LDAP-Based Realm Data Storage
• Realm Hierarchy
• Access Control Lists and OracleAS JAAS Provider Directory Entries
• Overview of Oracle Identity Management Key Components
• Overview of Oracle Internet Directory
• Overview of Oracle Application Server Single Sign-On
• SSO-Enabled J2EE Environment: Typical Scenario
• Prerequisites: Oracle Application Server Infrastructure
• Supported Versions for Oracle Internet Directory and OracleAS Single Sign-On
• Considerations for 9.0.4.x Infrastructure: Access Control List Settings
• Steps to Use the Oracle Identity Management Security Provider
• Associate Oracle Internet Directory with OC4J
• Associating Oracle Internet Directory with OC4J
• Changing the Oracle Internet Directory Association
• Required OC4J Accounts Created in Oracle Internet Directory
• Oracle Internet Directory Association in jazn.xml
• Associating the OC4J System Application with Oracle Internet Directory
• Configure Oracle Identity Management as the Security Provider
• Specifying Oracle Identity Management during Deployment
• Changing to Oracle Identity Management after Deployment
• Configure SSO (Optional)
• Run the SSO Registration Tool
• Transfer the osso.conf File to the OC4J Instance
• Run the osso1013 Script
• Synchronization of OracleAS JAAS Provider User Context with Servlet Sessions
• Restart the Oracle HTTP Server and OC4J Instances
• LDAP-Based Provider Settings in OC4J Configuration Files
• Configuring LDAP User and SSL Properties
• Configuring LDAP Connection Properties
• Configuring LDAP Caching Properties

7 File-Based Security Provider

• Tools for File-Based Provider Policy and Realm Management
• Configuring the File-Based Provider in Application Server Control
• Configuring the File-Based Provider during Application Deployment
• Changing to the File-Based Provider after Deployment
• Managing Application Realms through Application Server Control
• Search for a Realm
• Create a Realm
• Delete a Realm
• Managing Application Users through Application Server Control
• Search for a User
• Create a User
• Delete a User
• Edit a User
• Managing Application Roles through Application Server Control
• Search for a Role
• Create a Role
• Delete a Role
• Edit a Role
• Administering Instance-Level Security through Application Server Control
• File-Based Provider Settings in OC4J Configuration Files
• Scenarios for <jazn> Settings in orion-application.xml
• Realm Configuration in the Repository File
• Policy Configuration in the Repository File
• Predefined OC4J Accounts in system-jazn-data.xml
• OracleAS JAAS Provider Migration Tool
• Overview of the Migration Tool
• Migration Tool Command Syntax
• Migration Tool APIs
• Migrating Principals from the principals.xml File

8 Login Modules

• Configuring RealmLoginModule
• Introducing Custom JAAS Login Modules
• Packaging and Deploying Login Modules
• Deploying Login Modules within the J2EE Application
• Deploying Login Modules as Optional Packages
• Using Login Modules as OC4J Shared Libraries
• Configuring the Custom Security Provider in Application Server Control
• Specifying and Configuring a Custom Security Provider during Deployment
• Editing a Custom Login Module Configuration during Deployment
• Adding a Custom Login Module during Deployment
• Changing to a Custom Security Provider after Deployment
• Adding a Login Module to the Custom Security Provider
• Updating a Login Module in the Custom Security Provider
• Deleting a Login Module in the Custom Security Provider
• Configuring Login Modules through the Admintool
• Login Module Configuration in OC4J Configuration Files
• Login Module Settings in system-jazn-data.xml
• Login Modules Settings in orion-application.xml
• Settings in <jazn-loginconfig> in orion-application.xml
• Settings in <jazn> for Login Modules
• Settings in <namespace-access> for Login Modules
• Configuring oc4j-ra.xml for Login Modules (J2EE Connector Architecture)
• Simple Login Module J2EE Integration
• Development of Simple Login Module
• Packaging of Simple Login Module
• Deployment of Simple Login Module
• Custom Login Module Example

9 External LDAP Security Providers

• Overview of External LDAP Provider Configuration and Administration
• Configuring External LDAP Providers in Application Server Control
• Specifying and Configuring an External LDAP Provider during Deployment
• Changing to an External LDAP Provider after Deployment
• External LDAP Provider Settings in system-jazn-data.xml
• Granting RMI Permission to an LDAP Principal
• Sample Configuration for Sun Java System Directory Server
• Sample LDIF Description
• Sample Entries in OC4J Configuration Files
• Settings in system-jazn-data.xml for Sun Java System Directory Server
• Settings in orion-application.xml for External LDAP Server

10 COREid Access Security Provider

• Getting Started with Oracle COREid Access and Identity
• Overview of Oracle COREid Access and Identity
• COREid Prerequisites
• COREid Architecture
• Top-Level Summary of Configuration Stages
• Running the Access Manager
• Oracle COREid Access and Identity Concepts
• About COREid Resource Types
• About COREid Authentication
• About the COREid Single Sign-On Cookie
• About Using HTTP Header Variables for Authentication
• Configuring COREid Access
• Configure COREid Form-Based Authentication
• Create a Login Form
• Define Form-Based Authentication in Access Manager
• Configure the credential_mapping Plug-In for Form-Based Authentication
• Configure the validate_password Plug-In for Form-Based Authentication
• Configure COREid Basic Authentication
• Define Basic Authentication in Access Manager
• Configure the credential_mapping Plug-In for Basic Authentication
• Configure the Resource Type
• Configure the Name and Operation of the Resource Type
• Configure and Protect the URL of the Configured Resource Type
• Configure the Return Action Attributes
• Protect the Action URL
• Configuring OC4J with the Access SDK
• Create OC4J Instances as Needed
• Configure the Access SDK to Each OC4J Instance
• Configure the Access SDK Library Path for Each OC4J Instance
• Configuring the Application
• Protect the Application URLs in web.xml
• Settings for Application Deployment
• Configure COREid SSO in orion-application.xml
• Protect the Application URLs in COREid Access
• Configure the COREid JAAS Login Module
• Test the Application
• COREid Examples for J2EE Applications
• Web Application Using HTTP Header Variables through COREid
• Configure HTTP Header Variables in Access Manager
• Configure HTTP Header Variables for the COREid Login Module
• Secure the Web Application
• Web Application Using the COREid ObSSOCookie
• Configure User Name and Password for the COREid Login Module
• Secure the Web Application
• EJB Application Using COREid
• COREid Support and Examples for Web Services
• Web Service with Username Token Authentication for COREid
• Web Service with X.509 Token Authentication for COREid
• Web Service with SAML Token Authentication for COREid
• Troubleshooting the Oracle COREid Access and Identity Setup

11 Integration with SSL and ORMIS

• Using Keys and Certificates with OC4J and Oracle HTTP Server
• Integrating the Security Provider with SSL-Enabled Applications
• Using SSL with Standalone OC4J
• Using SSL with OC4J in Oracle Application Server
• Configure OC4J with SSL
• Use Oracle HTTP Server with SSL
• Configure AJP over SSL
• Configure OPMN to Enable HTTPS and Use SSL
• Sample Configuration Files for SSL
• Requesting Client Authentication
• Resolving Common SSL Problems
• Common SSL Errors and Solutions
• General SSL Debugging
• Enabling ORMIS for OC4J
• Configuring ORMIS for Standalone OC4J
• Configure server.xml for the RMI Configuration File Location
• Configure rmi.xml for ORMIS
• Disabling ORMI with ORMIS Enabled
• Configuring ORMIS for OC4J in an Oracle Application Server Environment
• Configuring ORMIS Access Restrictions
• Configuring Clients to Use ORMIS
• Specify the Appropriate Java Naming Provider URL
• Specify the Keystore and Password

12 Oracle HTTPS for Client Connections

• Oracle HTTPS and Clients
• HTTPConnection Class
• OracleSSLCredential Class
• Overview of Oracle HTTPS Features
• SSL Cipher Suites
• Choosing a Cipher Suite
• SSL Cipher Suites Supported by OracleSSL
• SSL Cipher Suites Supported by JSSE
• Accessing Information for Established SSL Connections
• Security-Aware Applications Support
• Support for java.net.URL Framework
• Specifying Default System Properties
• Property javax.net.ssl.KeyStore
• Property javax.net.ssl.KeyStorePassword
• Potential Security Risk with Storing Passwords in System Properties
• Property Oracle.ssl.defaultCipherSuites
• Oracle HTTPS Example
• Initializing SSL Credentials In OracleSSL
• Verifying Connection Information
• Transferring Data through HTTPS
• Using HTTPClient with JSSE

13 Web Application Security Configuration

• Specifying the Authentication Method (auth-method)
• Specifying auth-method in web.xml
• Configuring OC4J for OracleAS Single Sign-On
• Using Digest Authentication with Oracle Internet Directory
• Using Form-Based Authentication
• Setting Standard Configuration for Form-Based Authentication
• Setting the OC4J Flag for Client-Side Redirects
• Using Client-Cert Authentication
• Configuring OC4J for Client-Cert Authentication
• Client-Cert Execution Flow in OC4J
• Web Application Security Role Configuration
• J2EE Security Roles
• Mapping of Application Roles to J2EE Roles
• Definition of JAAS Roles and Users
• OC4J Mapping of J2EE Roles to JAAS Roles

14 EJB Security Configuration

• EJB JNDI Security Properties
• JNDI Properties in jndi.properties
• JNDI Properties within Implementation
• Configuring EJB Security
• Granting Permissions in the Browser
• Authenticating and Authorizing EJB Applications
• Specifying Logical Roles in the EJB Deployment Descriptor
• Specifying Unchecked Security for EJB Methods
• Specifying the Run-As Security Identity
• Mapping Logical Roles to Users and Roles
• Specifying a Default Role Mapping for Undefined Methods
• Specifying Credentials in EJB Clients
• Credentials in JNDI Properties
• Credentials in the InitialContext
• Configuring Anonymous EJB Lookup
• Permitting EJB RMI Client Access
• Enabling and Configuring Subject Propagation for ORMI
• Overview of Subject Propagation in OC4J
• Enabling Subject Propagation for ORMI
• Sharing Principal Classes for Subject Propagation
• Removing and Configuring Subject Propagation Restrictions

15 Common Secure Interoperability Protocol

• EJB Server Security Properties in internal-settings.xml
• EJB Client Security Properties in ejb_sec.properties
• Introduction to CSIv2 Security Properties
• CSIv2 Security Properties in internal-settings.xml
• CSIv2 Security Properties in ejb_sec.properties
• CSIv2 Security Properties in orion-ejb-jar.xml
• The <transport-config> element
• The <as-context> element
• The <sas-context> element
• Example: <ior-security-config>

16 Security Support for Resource Adapters

• Overview of Security and Authentication Setup for EIS Connections
• Summary of J2EE Connector Architecture Security Contract
• Summary of Component-Managed Versus Container-Managed Sign-On
• Summary of Security-Related Resource Adapter Configuration Elements
• The oc4j-ra.xml File <security-config> Element
• The oc4j-connectors.xml File <security-permission> Element
• Understanding Component-Managed Sign-On
• Understanding Container-Managed Sign-On
• Authentication in Container-Managed Sign-On
• Using Declarative Container-Managed Sign-On
• Using Programmatic Container-Managed Sign-On
• Using a Principal Mapping Class
• Understanding the PrincipalMapping Interface APIs
• Extending the AbstractPrincipalMapping Class
• Configuring a Principal Mapping Class
• Using a JAAS Login Module for an EIS Connection
• The InitiatingPrincipal and InitiatingGroup Classes
• JAAS and the <connector-factory> Element

A Tips and Troubleshooting for OC4J Security

• Best Practices for OC4J Security
• HTTPS Best Practices
• Overall Security Best Practices
• JAAS Best Practices
• OC4J Security Issues and Hints
• File jazn.xml Not Found
• Issues for Custom Login Modules
• Subject-Based Authorization
• J2EE Security Integration
• Issues for Oracle Identity Management
• Checking Configuration (JAZN-LDAP)
• Using ldapsearch to Retrieve Realm Names from Oracle Internet Directory
• Avoiding OC4J Restart for Oracle Internet Directory Changes to Take Effect
• Failure to Specify OracleAS JAAS Provider as the JAAS Provider
• Realm Issues
• Realm Names Omitted from User Names
• Specifying Default Realm to Solve Authentication Failure
• Logging
• Using Oracle Diagnostic Logging with OracleAS JAAS Provider
• Using Standard JDK Logging with the OracleAS JAAS Provider Admintool

B OracleAS JAAS Provider Samples

• Security Configuration for Sample Servlet
• Configuration in system-jazn-data.xml
• Configuration in web.xml
• Configuration in orion-application.xml
• Sample Servlet: Invoking J2EE Security APIs
• Sample Servlet: Granting Permissions
• Sample Servlet: Checking Permissions
• JAAS Mode Configuration in orion-application.xml
• Servlet Code for Authorization

C OracleAS JAAS Provider Admintool Reference

• Authentication to Run the Admintool
• Summary of Admintool Command-Line Syntax and Options
• Admintool Shell
• Shell Support for Admintool Command-Line Options
• Admintool Shell Directory Structure
• Summary of Admintool Special Shell Commands
• add, mkdir, and mk: Creating Provider Data
• cd: Navigating Provider Data
• clear: Clearing the Screen
• exit: Exiting the Admintool Shell
• help: Listing Admintool Shell Commands
• ls: Listing Data
• man: Viewing Admintool man Pages
• pwd: Displaying the Working Directory
• rm: Removing Provider Data
• set: Updating Values
• Admintool Administrative Functions
• Adding and Removing Login Modules
• Adding and Removing Realms
• Adding and Removing Roles (File-Based Provider)
• Adding and Removing Users (File-Based Provider)
• Checking Passwords (File-Based Provider)
• Administrative Operations
• Granting and Revoking Permissions
• Granting and Revoking Roles
• Listing Login Modules
• Listing Permissions
• Listing Realms
• Listing Roles
• Listing Users
• Converting from the principals.xml File to JAAS
• Setting Passwords (File-Based Provider)

D Third Party Licenses

• Apache
• The Apache Software License
• Apache SOAP
• Apache SOAP License
• mod_mm and mod_ssl
• OpenSSL
• OpenSSL License
• Perl
• Perl Kit Readme
• mod_perl 1.29 License
• mod_perl 1.99_16 License
• Perl Artistic License
• Preamble
• Definitions

Index