Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
What's New in This Guide
New Features in Release 11gR1+
New Features in Release 11gR1 PS2
New Features in Release 11gR1 PS1
New Features in Release 11gR1
Desupported Features from 10.1.3.x
Links to Upgrade Documentation
Part I Understanding Security Concepts
1
Introduction to Oracle Platform Security Services
1.1
What is Oracle Platform Security Services?
1.1.1
OPSS Main Features
1.2
OPSS Architecture Overview
1.2.1
Benefits of Using OPSS
1.3
Oracle ADF Security Overview
1.4
OPSS for Administrators
1.5
OPSS for Developers
1.5.1
Scenario 1: Securing a JavaEE Application
1.5.2
Scenario 2: Securing an Oracle ADF Application
1.5.3
Scenario 3: Securing a JavaSE Application
2
Understanding Users and Roles
2.1
Terminology
2.2
Role Mapping
2.2.1
Permission Inheritance and the Role Hierarchy
2.3
The Authenticated Role
2.4
The Anonymous User and Role
2.4.1
Anonymous Support and Subject
2.5
Administrative Users and Roles
2.6
Managing User Accounts
2.7
Principal Name Comparison Logic
2.7.1
How Does Principal Comparison Affect Authorization?
2.7.2
System Parameters Controlling Principal Name Comparison
2.8
Role Categories
3
Understanding Identities, Policies, and Credentials
3.1
Authentication Basics
3.1.1
Oracle WebLogic Authenticators
3.1.2
Supported LDAP Identity Store Types
3.1.3
Additional Authentication Methods
3.1.4
Using an LDAP Authenticator
3.1.4.1
Configuring the Identity Store Service
3.2
Policy Store Basics
3.3
Credential Store Basics
4
About Oracle Platform Security Services Scenarios
4.1
Supported LDAP- and File-Based Servers
4.2
Management Tools
4.3
Packaging Requirements
4.4
Example Scenarios
4.5
Other Scenarios
Part II Basic OPSS Administration
5
Security Administration
5.1
Choosing the Administration Tool According to Technology
5.2
Basic Security Administration Tasks
5.2.1
Setting Up a Brand New Production Environment
5.3
Typical Security Practices with Fusion Middleware Control
5.4
Typical Security Practices with the Administration Console
5.5
Typical Security Practices with Oracle Authorization Policy Manager
5.6
Typical Security Practices with WLST Commands
6
Deploying Secure Applications
6.1
Overview
6.2
Selecting the Tool for Deployment
6.2.1
Deploying JavaEE and Oracle ADF Applications with Fusion Middleware Control
6.3
Deploying Oracle ADF Applications to a Test Environment
6.3.1
Deploying to a Test Environment
6.3.1.1
Typical Administrative Tasks after Deployment in a Test Environment
6.4
Deploying Standard JavaEE Applications
6.5
Migrating from a Test to a Production Environment
6.5.1
Migrating Providers other than Policy and Credential Providers
6.5.1.1
Migrating Identities Manually
6.5.2
Migrating Policies and Credentials at Deployment
6.5.2.1
Migrating Policies Manually
6.5.2.2
Migrating Credentials Manually
6.5.2.3
Migrating Large Volume Policy and Credential Stores
6.5.3
Migrating Audit Policies
Part III Advanced OPSS Administration
7
OPSS Authorization and the Policy Store
7.1
Configuring a Domain to Use an LDAP-Based Policy Store
7.1.1
Multiple-Node Server Environments
7.1.2
Prerequisites to Using an LDAP-Based Policy Store
7.2
Reassociating the Domain Policy Store
7.2.1
Reassociating Domain Stores with Fusion Middleware Control
7.2.1.1
Setting Up a One-Way SSL Connection
7.2.1.2
Securing Access to Oracle Internet Directory Nodes
7.2.2
Reassociating Domain Stores with the Command reassociateSecurityStore
7.2.3
Cataloging Oracle Internet Directory Attributes
7.3
Migrating Policies to the Domain Policy Store
7.3.1
Migrating Application Policies with Fusion Middleware Control
7.3.2
Migrating Policies with the Command migrateSecurityStore
7.3.2.1
Examples of Use
7.4
Managing the Domain Policy Store
7.4.1
Managing Policies with Fusion Middleware Control
7.4.1.1
Managing Application Policies
7.4.1.2
Managing Application Roles
7.4.1.3
Managing System Policies
7.4.2
Managing Policies with WLST Commands
7.4.2.1
createAppRole
7.4.2.2
deleteAppRole
7.4.2.3
grantAppRole
7.4.2.4
revokeAppRole
7.4.2.5
listAppRoles
7.4.2.6
listAppRolesMembers
7.4.2.7
grantPermission
7.4.2.8
revokePermission
7.4.2.9
listPermissions
7.4.2.10
deleteAppPolicies
7.4.2.11
createResourceType
7.4.2.12
getResourceType
7.4.2.13
deleteResourceType
7.4.2.14
reassociateSecurityStore
7.4.2.15
Granting Policies to Anonymous and Authenticated Roles with WLST Commands
7.4.2.16
Application Stripe for Versioned Applications in WLST Commands
7.4.3
Managing Policies with Oracle Authorization Policy Manager
7.5
Configuring Other Artifacts with Oracle Fusion Middleware Control
7.5.1
Configuring the Identity Store Provider
7.5.2
Configuring Properties and Property Sets
7.5.3
Specifying a Single Sign-On Solution
7.5.3.1
The OPSS SSO Framework
7.5.3.2
Configuring an SSO Solution with Fusion Middleware Control
7.5.3.3
OAM Configuration Example
7.6
Configuring LDAP-Based Policy Stores
7.6.1
OPSS System Properties for JVM
7.6.2
LDAP Policy Store Property Configuration for Maximum Performance
7.6.3
Profiling LDAP Policy Store APIs
8
Configuring the Credential Store
8.1
Credential Types
8.2
Configuring a Domain to Use an LDAP-Based Credential Store
8.3
Reassociating the Domain Credential Store
8.4
Migrating Credentials to the Domain Credential Store
8.4.1
Migrating Application Credentials with Fusion Middleware Control
8.4.2
Migrating Credentials with the Command migrateSecurityStore
8.5
Managing the Domain Credential Store
8.5.1
Managing Credentials with Fusion Middleware Control
8.5.1.1
Managing Credentials
8.5.2
Managing Credentials with WLST Commands
8.5.2.1
listCred
8.5.2.2
updateCred
8.5.2.3
createCred
8.5.2.4
deleteCred
8.5.2.5
modifyBootStrapCredential
9
Configuring Single Sign-On in Oracle Fusion Middleware
9.1
Choosing the Right SSO Solution for Your Deployment
9.2
Introduction to the OAM Authentication Provider
9.2.1
About Using the Identity Asserter for SSO with OAM 11g and 11g WebGates
9.2.2
About Using Identity Asserter for SSO with OAM 11g and 10g WebGates
9.2.3
About Using the Authenticator with Oracle Access Manager
9.2.4
Applications for Oracle Access Manager SSO Scenarios and Solutions
9.2.4.1
Applications Using Oracle Access Manager for the First Time
9.2.4.2
Applications Migrating from Oracle Application Server to Oracle WebLogic Server
9.2.4.3
Applications Using OAM Security Provider for WebLogic SSPI
9.2.5
Implementation: Authentication Provider with OAM 11g versus OAM 10g
9.2.6
Requirements for Using the Authentication Provider with Oracle Access Manager
9.3
Deploying the Oracle Access Manager 11g SSO Solution
9.3.1
Introduction to Oracle Access Manager 11g SSO
9.3.2
Installing the Authentication Provider with Oracle Access Manager 11g
9.3.3
Reviewing Pre-Seeded OAM 11g Policies for Use by the OAM 10g AccessGate
9.3.4
Provisioning an OAM Agent with Oracle Access Manager 11g
9.3.4.1
About WebGate Provisioning Methods for Oracle Access Manager 11g
9.3.4.2
Provisioning a WebGate with Oracle Access Manager 11g
9.3.5
Configuring Identity Assertion for SSO with Oracle Access Manager 11g
9.3.5.1
Establishing Trust with Oracle WebLogic Server
9.3.5.2
Configuring Providers in the WebLogic Domain
9.3.5.3
Reviewing the Login Page for the Oracle Access Manager Identity Asserter
9.3.5.4
Testing Oracle Access Manager Identity Assertion for Single Sign-on
9.3.6
Configuring the Authenticator for Oracle Access Manager 11g
9.3.6.1
Configuring Providers for the Authenticator in a WebLogic Domain
9.3.6.2
Configuring the Application Authentication Method for the Authenticator
9.3.6.3
Mapping the Authenticated User to a Group in LDAP
9.3.6.4
Testing the Oracle Access Manager Authenticator Implementation
9.3.7
Configuring Identity Assertion for Oracle Web Services Manager and OAM 11g
9.3.7.1
Configuring Oracle Web Services Manager Policies for Web Services
9.3.7.2
Configuring Providers in a WebLogic Domain for Oracle Web Services Manager
9.3.7.3
Testing the Identity Asserter with Oracle Web Services Manager
9.3.8
Configuring Centralized Log Out for Oracle Access Manager 11g
9.3.8.1
Logout for 11g WebGate and OAM 11g
9.3.8.2
Logout for 10g WebGate with Oracle Access Manager 11g
9.4
Deploying SSO Solutions with Oracle Access Manager 10g
9.4.1
Installing and Setting Up Authentication Providers for OAM 10g
9.4.1.1
About Oracle Access Manager 10g Installation and Setup
9.4.1.2
Installing Components and Files for Authentication Providers and OAM 10g
9.4.1.3
Creating Resource Types in Oracle Access Manager 10g
9.4.2
Configuring OAM Identity Assertion for SSO with Oracle Access Manager 10g
9.4.2.1
Establishing Trust with Oracle WebLogic Server
9.4.2.2
Configuring the Authentication Scheme for the Identity Asserter
9.4.2.3
Configuring Providers in the WebLogic Domain
9.4.2.4
Setting Up the Login Form for the Identity Asserter and OAM 10g
9.4.2.5
Testing Identity Assertion for SSO with OAM 10g
9.4.3
Configuring the Authenticator for Oracle Access Manager 10g
9.4.3.1
Creating an Authentication Scheme for the Authenticator
9.4.3.2
Configuring a Policy Domain for the Oracle Access Manager Authenticator
9.4.3.3
Configuring Providers for the Authenticator in a WebLogic Domain
9.4.3.4
Configuring the Application Authentication Method for the Authenticator
9.4.3.5
Mapping the Authenticated User to a Group in LDAP
9.4.3.6
Testing the Oracle Access Manager Authenticator Implementation
9.4.4
Configuring Identity Assertion for Oracle Web Services Manager and OAM 10g
9.4.4.1
Creating a Policy Domain for Use with Oracle Web Services Manager
9.4.4.2
Configuring Oracle Web Services Manager Policies for Web Services
9.4.4.3
Configuring Providers in a WebLogic Domain for Oracle Web Services Manager
9.4.4.4
Testing the Identity Asserter with Oracle Web Services Manager
9.4.5
Oracle Access Manager Authentication Provider Parameter List
9.4.6
Configuring Global Logout for Oracle Access Manager 10g and 10g WebGates
9.4.6.1
Recommended Process for Configuring Logout
9.4.6.2
Alternative Process for Configuring Logout
9.4.7
Known Issues: JAR Files and OAMCfgTool
9.4.8
Troubleshooting Tips for OAM Provider Deployments
9.4.8.1
About Using IPv6
9.4.8.2
Apache Bridge Failure: Timed Out
9.4.8.3
Authenticated User with Access Denied
9.4.8.4
Browser Back Button Results in Error
9.4.8.5
Cannot Reboot After Adding OAM and OID Authenticators
9.4.8.6
Client in Cluster with Load-Balanced WebGates
9.4.8.7
Error 401: Unable to Access the Application
9.4.8.8
Error 403: Unable to Access the Application
9.4.8.9
Error 404: Not Found ... Anything Matching the Request URI
9.4.8.10
Error Issued with the Action URL in Form Login Page
9.4.8.11
Error or Failure on Oracle WebLogic Server Startup
9.4.8.12
JAAS Control Flag
9.4.8.13
Login Form is Shown Repeatedly Upon Credential Submission: No Error
9.4.8.14
Logout and Session Time Out Issues
9.4.8.15
Not Found: The Requested URL or Resource Was Not Found
9.4.8.16
Oracle WebLogic Server Fails to Start
9.4.8.17
Oracle ADF Integration and Cert Mode
9.4.8.18
URL Rewriting and JSESSIONID
9.5
Deploying the OracleAS 10g Single Sign-On (OSSO) Solution
9.5.1
Using the OSSO Identity Asserter
9.5.1.1
Oracle WebLogic Security Framework
9.5.1.2
OSSO Identity Asserter Processing
9.5.1.3
Consumption of Headers with OSSO Identity Asserter
9.5.2
New Users of the OSSO Identity Asserter
9.5.2.1
Configuring mod_weblogic
9.5.2.2
Registering Oracle HTTP Server mod_osso with OSSO Server 10.1.4
9.5.2.3
Configuring mod_osso to Protect Web Resources
9.5.2.4
Adding Providers to a WebLogic Domain for OSSO
9.5.2.5
Establishing Trust Between Oracle WebLogic Server and Other Entities
9.5.2.6
Configuring the Application for the OSSO Identity Asserter
9.5.3
Troubleshooting for an OSSO Identity Asserter Deployment
9.5.3.1
SSO-Related Problems
9.5.3.2
OSSO Identity Asserter-Related Problems
9.5.3.3
URL Rewriting and JSESSIONID
9.5.3.4
About mod_osso, OSSO Cookies, and Directives
9.5.3.5
About Using IPv6
9.6
Synchronizing the User and SSO Sessions: SSO Synchronization Filter
9.7
Setting Up Debugging in the WebLogic Administration Console
10
Introduction to Oracle Fusion Middleware Audit Framework
10.1
Benefits and Features of the Oracle Fusion Middleware Audit Framework
10.1.1
Objectives of Auditing
10.1.2
Today's Audit Challenges
10.1.3
Oracle Fusion Middleware Audit Framework in 11g
10.2
Overview of Audit Features
10.3
Oracle Fusion Middleware Audit Framework Concepts
10.3.1
Audit Architecture
10.3.2
Key Technical Concepts
10.3.3
Audit Record Storage
10.3.4
Analytics
11
Configuring and Managing Auditing
11.1
Audit Administration Tasks
11.2
Managing the Audit Store
11.2.1
Create the Audit Schema using RCU
11.2.2
Set Up Audit Data Sources
11.2.2.1
Multiple Data Sources
11.2.3
Configure a Database Audit Store for Java Components
11.2.3.1
View Audit Store Configuration
11.2.3.2
Configure the Audit Store
11.2.3.3
Deconfigure the Audit Store
11.2.4
Configure a Database Audit Store for System Components
11.2.4.1
Deconfigure the Audit Store
11.2.5
Tuning the Bus-stop Files
11.3
Managing Audit Policies
11.3.1
Manage Audit Policies for Java Components with Fusion Middleware Control
11.3.2
Manage Audit Policies for System Components with Fusion Middleware Control
11.3.3
Manage Audit Policies with WLST
11.3.3.1
View Audit Policies with WLST
11.3.3.2
Update Audit Policies with WLST
11.3.3.3
Example 1: Configuring an Audit Policy for Users with WLST
11.3.3.4
Example 2: Configuring an Audit Policy for Events with WLST
11.3.3.5
Custom Configuration is Retained when the Audit Level Changes
11.3.4
Manage Audit Policies Manually
11.3.4.1
Location of Configuration Files for Java Components
11.3.4.2
Audit Service Configuration Properties in jps-config.xml for Java Components
11.3.4.3
Switching from Database to File for Java Components
11.3.4.4
Manually Configuring Audit for System Components
11.4
Audit Logs
11.4.1
Location of Audit Logs
11.4.2
Audit Log Timestamps
11.5
Advanced Management of Database Store
11.5.1
Schema Overview
11.5.2
Table Attributes
11.5.3
Indexing Scheme
11.5.4
Backup and Recovery
11.5.5
Importing and Exporting Data
11.5.6
Partitioning
11.5.6.1
Partition Tables
11.5.6.2
Backup and Recovery of Partitioned Tables
11.5.6.3
Import, Export, and Data Purge
11.5.6.4
Tiered Archival
12
Using Audit Analysis and Reporting
12.1
Setting up Oracle Business Intelligence Publisher for Audit Reports
12.1.1
About Oracle Business Intelligence Publisher
12.1.2
Install Oracle Business Intelligence Publisher
12.1.3
Set Up Oracle Reports in Oracle Business Intelligence Publisher
12.1.4
Set Up Audit Report Templates
12.1.5
Set Up Audit Report Filters
12.1.6
Configure Scheduler in Oracle Business Intelligence Publisher
12.2
Organization of Audit Reports
12.3
View Audit Reports
12.4
Example of Oracle Business Intelligence Publisher Reports
12.5
Audit Report Details
12.5.1
List of Audit Reports in Oracle Business Intelligence Publisher
12.5.2
Attributes of Audit Reports in Oracle Business Intelligence Publisher
12.6
Customizing Audit Reports
12.6.1
Using Advanced Filters on Pre-built Reports
12.6.2
Creating Custom Reports
Part IV Developing with Oracle Platform Security Services APIs
13
Overview of Developing Secure Applications with Oracle Platform Security Services
13.1
About Oracle Platform Security Services for Developers
13.1.1
The Development Cycle
13.1.2
Challenges of Securing Java Applications
13.1.3
Meeting the Challenges with Oracle Platform Security Services
13.1.4
OPSS Architecture
13.2
The Oracle Platform Security Services APIs
13.2.1
The LoginService API
13.2.2
The User and Role API
13.2.3
JAAS Authorization and the JpsAuth.checkPermission API
13.2.4
The Credential Store Framework API
13.3
Common Uses for Oracle Platform Security Services
13.3.1
A JavaEE Application using OPSS APIs
13.3.2
Authentication with OPSS APIs
13.3.3
Programmatic Authorization
13.3.4
Credential Store Framework
13.3.5
User and Role
13.3.6
Oracle ADF Authorization
13.3.7
JavaSE Application
13.4
Using OPSS with Oracle Application Development Framework
13.4.1
About Oracle ADF
13.4.2
How Oracle ADF Uses OPSS
13.4.3
The Oracle ADF Development Life Cycle
13.5
Using the Oracle Security Developer Tools
13.6
Using OPSS Outside Oracle JDeveloper/Oracle ADF
14
Manually Configuring JavaEE Applications to Use OPSS
14.1
Configuring the Servlet Filter and the EJB Interceptor
14.1.1
Interceptor Configuration Syntax
14.1.2
Summary of Filter and Interceptor Parameters
14.2
Choosing the Appropriate Class for Enterprise Groups and Users
14.3
Packaging a JavaEE Application Manually
14.3.1
Packaging Policies with Application
14.3.2
Packaging Credentials with Application
14.4
Configuring a JavaEE Application to Use OPSS
14.4.1
Parameters Controlling Policy Migration
14.4.2
Policy Parameter Configuration According to Behavior
14.4.2.1
To Skip Migrating All Policies
14.4.2.2
To Migrate All Policies with Merging
14.4.2.3
To Migrate All Policies with Overwriting
14.4.2.4
To Remove (or Prevent the Removal of) Application Policies
14.4.2.5
To Migrate Policies in a Static Deployment
14.4.2.6
Recommendations
14.4.3
Using a Wallet-Based Credential Store
14.4.4
Parameters Controlling Credential Migration
14.4.5
Credential Parameter Configuration According to Behavior
14.4.5.1
To Skip Migrating Credentials
14.4.5.2
To Migrate Credentials with Merging
14.4.5.3
To Migrate Credentials with Overwriting
14.4.6
Supported Permission Classes
14.4.6.1
Policy Store Permission
14.4.6.2
Credential Store Permission
14.4.6.3
Generic Permission
14.4.7
Specifying Bootstrap Credentials Manually
14.4.8
Migrating Identities with the Command migrateSecurityStore
14.4.9
Example of Configuration File jps-config.xml
15
Developing Authentication
15.1
Links to Authentication Topics for JavaEE Applications
15.2
Developing Authentication for JavaSE Applications
15.2.1
The Identity Store
15.2.2
Configuring an LDAP Identity Store in JavaSE Applications
15.2.3
Supported Login Modules for JavaSE Applications
15.2.3.1
The Identity Store Login Module
15.2.3.2
Using the Identity Store Login Module for Authentication
15.2.3.3
Using the Identity Login Module for Assertion
15.2.4
Using the OPSS API LoginService in JavaSE Applications
16
Developing with the Credential Store Framework
16.1
About the Credential Store Framework API
16.2
Overview of Application Development with CSF
16.3
Setting the Java Security Policy Permissions
16.3.1
Guidelines for Granting Permissions
16.3.2
Permissions Grant Example 1
16.3.3
Permissions Grant Example 2
16.4
Guidelines for the Map Name
16.5
Configuring the Credential Store
16.6
Steps for Using the API
16.6.1
Using the CSF API in a Standalone Environment
16.6.2
Using the CSF API in Oracle WebLogic Server
16.7
Examples
16.7.1
Code for CSF Operations
16.7.2
Example 1: JavaSE Application with Wallet Store
16.7.3
Example 2: JavaEE Application with Wallet Store
16.7.4
Example 3: JavaEE Application with LDAP Store
16.8
Best Practices
17
Developing Authorization
17.1
Authorization Overview
17.1.1
Introduction to Developing Authorization
17.1.2
The JavaEE Authorization Model
17.1.2.1
Declarative Authorization
17.1.2.2
Programmatic Authorization
17.1.2.3
JavaEE Code Example
17.1.3
The JAAS Authorization Model
17.2
The JAAS/OPSS Authorization Model
17.2.1
The Resource Catalog
17.2.1.1
Benefits of Using the Resource Catalog
17.2.1.2
Logical Model and Configuration Examples
17.2.2
Managing Policies
17.2.3
Checking Policies
17.2.3.1
Using the Method checkPermission
17.2.3.2
Using the Methods doAs and doAsPrivileged
17.2.3.3
Using the Method checkBulkAuthorization
17.2.3.4
Using the Method getGrantedResources
17.3
Unsupported Methods in PS2 for File-Based Policy Stores
17.4
Configuring Policy and Credential Stores for JavaSE Applications
17.4.1
Configuring LDAP-Based Policy and Credential Stores
17.4.2
Configuring File-Based Policy and Credential Stores
18
Developing with the User and Role API
18.1
Introduction to the User and Role API Framework
18.1.1
User and Role API and the Oracle WebLogic Server Authenticators
18.2
Summary of Roles and Classes
18.3
Working with Service Providers
18.3.1
Understanding Service Providers
18.3.2
Setting Up the Environment
18.3.3
Selecting the Provider
18.3.4
Creating the Provider Instance
18.3.5
Properties for Provider Configuration
18.3.5.1
Start-time and Run-time Configuration
18.3.5.2
ECID Propagation
18.3.5.3
When to Pass Configuration Values
18.3.6
Configuring the Provider when Creating a Factory Instance
18.3.6.1
Oracle Internet Directory Provider
18.3.6.2
Using Existing Logger Objects
18.3.6.3
Supplying Constant Values
18.3.6.4
Configuring Connection Parameters
18.3.6.5
Configuring a Custom Connection Pool Class
18.3.7
Configuring the Provider when Creating a Store Instance
18.3.8
Runtime Configuration
18.3.9
Programming Considerations
18.3.9.1
Provider Portability Considerations
18.3.9.2
Considerations when Using IdentityStore Objects
18.3.10
Provider Life Cycle
18.4
Searching the Repository
18.4.1
Searching for a Specific Identity
18.4.2
Searching for Multiple Identities
18.4.3
Specifying Search Parameters
18.4.4
Using Search Filters
18.4.4.1
Operators in Search Filters
18.4.4.2
Handling Special Characters when Using Search Filters
18.4.4.3
Examples of Using Search Filters
18.4.5
Searching by GUID
18.5
User Authentication
18.6
Creating and Modifying Entries in the Identity Store
18.6.1
Handling Special Characters when Creating Identities
18.6.2
Creating an Identity
18.6.3
Modifying an Identity
18.6.4
Deleting an Identity
18.7
Examples of User and Role API Usage
18.7.1
Example 1: Searching for Users
18.7.2
Example 2: User Management in an Oracle Internet Directory Store
18.7.3
Example 3: User Management in a Microsoft Active Directory Store
18.8
SSL Configuration for LDAP-based User and Role API Providers
18.8.1
Out-of-the-box Support for SSL
18.8.1.1
System Properties
18.8.1.2
SSL Configuration
18.8.2
Customizing SSL Support for the User and Role API
18.8.2.1
SSL Configuration
18.9
The User and Role API Reference
18.10
Developing Custom User and Role Providers
18.10.1
SPI Overview
18.10.2
Types of User and Role Providers
18.10.3
Developing a Read-Only Provider
18.10.3.1
SPI Classes Requiring Extension
18.10.3.2
oracle.security.idm.spi.AbstractIdentityStoreFactory
18.10.3.3
oracle.security.idm.spi.AbstractIdentityStore
18.10.3.4
oracle.security.idm.spi.AbstractRoleManager
18.10.3.5
oracle.security.idm.spi.AbstractUserManager
18.10.3.6
oracle.security.idm.spi.AbstractRoleProfile
18.10.3.7
oracle.security.idm.spi.AbstractUserProfile
18.10.3.8
oracle.security.idm.spi.AbstractSimpleSearchFilter
18.10.3.9
oracle.security.idm.spi.AbstractComplexSearchFilter
18.10.3.10
oracle.security.idm.spi.AbstractSearchResponse
18.10.4
Developing a Full-Featured Provider
18.10.5
Development Guidelines
18.10.6
Testing and Verification
18.10.7
Example: Implementing an Identity Provider
18.10.7.1
About the Sample Provider
18.10.7.2
Overview of Implementation
18.10.7.3
Configure jps-config.xml to use the Sample Identity Provider
18.10.7.4
Configure Oracle WebLogic Server
The User and Role SPI Reference
oracle.security.idm.spi.AbstractUserProfile
oracle.security.idm.spi.AbstractUserManager
oracle.security.idm.spi.AbstractUser
oracle.security.idm.spi.AbstractSubjectParser
oracle.security.idm.spi.AbstractStoreConfiguration
oracle.security.idm.spi.AbstractSimpleSearchFilter
oracle.security.idm.spi.AbstractSearchResponse
oracle.security.idm.spi.AbstractRoleProfile
oracle.security.idm.spi.AbstractRoleManager
oracle.security.idm.spi.AbstractRole
oracle.security.idm.spi.AbstractIdentityStoreFactory
oracle.security.idm.spi.AbstractIdentityStore
oracle.security.idm.spi.AbstractComplexSearchFilter
Part V Appendices
A
OPSS Configuration File Reference
A.1
Top- and Second-Level Element Hierarchy
A.2
Lower-Level Elements
<description>
<extendedProperty>
<extendedPropertySet>
<extendedPropertySetRef>
<extendedPropertySets>
<jpsConfig>
<jpsContext>
<jpsContexts>
<name>
<property>
<propertySet>
<propertySetRef>
<propertySets>
<serviceInstance>
<serviceInstanceRef>
<serviceInstances>
<serviceProvider>
<serviceProviders>
<value>
<values>
B
File-Based Identity and Policy Store Reference
B.1
Hierarchy of Elements in system-jazn-data.xml
B.2
Elements and Attributes of system-jazn-data.xml
<actions>
<actions-delimiter>
<app-role>
<app-roles>
<application>
<applications>
<attribute>
<class>
<codesource>
<credentials>
<description>
<display-name>
<extended-attributes>
<grant>
<grantee>
<guid>
<jazn-data>
<jazn-policy>
<jazn-realm>
<matcher-class>
<member>
<member-resource>
<member-resources>
<members>
<name>
<owner>
<owners>
<permission>
<permissions>
<permission-set>
<permission-sets>
<policy-store>
<principal>
<principals>
<provider-name>
<realm>
<resource>
<resources>
<resource-name>
<resource-type>
<resource-types>
<role>
<role-categories>
<role-category>
<role-name-ref>
<roles>
<type>
<type-name-ref>
<uniquename>
<url>
<user>
<users>
<value>
<values>
C
Oracle Fusion Middleware Audit Framework Reference
C.1
Audit Events
C.1.1
What Components Can be Audited?
C.1.2
What Events can be Audited?
C.1.2.1
Oracle Directory Integration Platform Events and their Attributes
C.1.2.2
Oracle Platform Security Services Events and their Attributes
C.1.2.3
Oracle HTTP Server Events and their Attributes
C.1.2.4
Oracle Internet Directory Events and their Attributes
C.1.2.5
Oracle Identity Federation Events and their Attributes
C.1.2.6
Oracle Virtual Directory Events and their Attributes
C.1.2.7
OWSM-Agent Events and their Attributes
C.1.2.8
OWSM-PM-EJB Events and their Attributes
C.1.2.9
Reports Server Events and their Attributes
C.1.2.10
WS-Policy Attachment Events and their Attributes
C.1.2.11
Oracle Web Cache Events and their Attributes
C.1.2.12
Oracle Web Services Manager Events and their Attributes
C.1.3
Event Attribute Descriptions
C.2
Pre-built Audit Reports
C.2.1
Common Audit Reports
C.2.2
Component-Specific Audit Reports
C.3
The Audit Schema
C.4
WLST Commands for Auditing
C.4.1
getNonJavaEEAuditMBeanName
C.4.1.1
Description
C.4.1.2
Syntax
C.4.1.3
Example
C.4.2
getAuditPolicy
C.4.2.1
Description
C.4.2.2
Syntax
C.4.2.3
Example
C.4.3
setAuditPolicy
C.4.3.1
Description
C.4.3.2
Syntax
C.4.3.3
Example
C.4.4
getAuditRepository
C.4.4.1
Description
C.4.4.2
Syntax
C.4.4.3
Example
C.4.5
setAuditRepository
C.4.5.1
Description
C.4.5.2
Syntax
C.4.5.3
Example
C.4.6
listAuditEvents
C.4.6.1
Description
C.4.6.2
Syntax
C.4.6.3
Example
C.4.7
exportAuditConfig
C.4.7.1
Description
C.4.7.2
Syntax
C.4.7.3
Example
C.4.8
importAuditConfig
C.4.8.1
Description
C.4.8.2
Syntax
C.4.8.3
Example
C.5
Audit Filter Expression Syntax
C.6
Naming and Logging Format of Audit Files
D
User and Role API Reference
D.1
Mapping User Attributes to LDAP Directories
D.2
Mapping Role Attributes to LDAP Directories
D.3
Default Configuration Parameters
D.4
Secure Connections for Microsoft Active Directory
E
Administration with WLST Scripting and MBean Programming
E.1
Configuring OPSS Service Provider Instances with a WLST Script
E.2
Configuring OPSS Services with MBeans
E.2.1
List of Supported OPSS MBeans
E.2.2
Invoking an OPSS MBean
E.2.3
Programming with OPSS MBeans
E.3
Access Restrictions
E.3.1
Annotation Examples
E.3.2
Mapping of Logical Roles to WebLogic Roles
E.3.3
Particular Access Restrictions
F
OPSS System and Configuration Properties
F.1
OPSS System Properties
F.2
OPSS Configuration Properties
F.2.1
LDAP Policy Store Properties
F.2.2
LDAP Credential Store Properties
F.2.3
LDAP Identity Store Properties
F.2.4
Generic LDAP Properties
F.2.5
Anonymous and Authenticated Roles Properties
F.2.6
Policy Provider Framework Properties
F.2.7
Keystore Properties
G
Upgrading Security Data
G.1
Upgrading Security Data
G.1.1
Examples of Use
G.1.1.1
Example 1 - Upgrading Identities
G.1.1.2
Example 3 - Upgrading to Oracle Internet Directory LDAP-Based Policies
G.1.1.3
Example 2 - Upgrading to File-Based Policies
G.1.1.4
Example 4 - Upgrading File-Based Policies to Use the Resource Catalog
H
References
H.1
OPSS API References
I
WLST Security Commands
I.1
WLST Commands
I.1.1
Policy-Related Commands
I.1.2
Credential-Related Commands
I.1.3
Other Security Commands
I.1.4
Audit Commands
J
Troubleshooting Security in Oracle Fusion Middleware
J.1
Diagnosing Security Errors
J.1.1
Log Files
J.1.1.1
Diagnostic Log Files
J.1.1.2
Generic Log Files
J.1.1.3
Audit Diagnostic Log Files
J.1.1.4
Using Fusion Middleware Control Logging Support
J.1.2
System Properties
J.1.2.1
jps.auth.debug
J.1.2.2
jps.auth.debug.verbose
J.1.3
Solving Security Errors
J.1.3.1
Understanding Sample Log Entries
J.1.3.2
Searching Logs with Fusion Middleware Control
J.1.3.3
Identifying a Message Context with Fusion Middleware Control
J.1.3.4
Generating Error Listing Files with Fusion Middleware Control
J.2
Reassociation Failure
J.2.1
Missing Policies in Reassociated Policy Store
J.3
Server Fails to Start - Missing Required LDAP Authenticator
J.4
Server Fails to Start - Missing Administrator Account
J.5
Server Fails to Start - Missing Permission
J.6
Failure to Grant or Revoke Permissions - Case Mismatch
J.7
Failure to Connect to an LDAP Server
J.8
User and Role API Failure
J.9
Failure to Access Data in the Domain Credential Store
J.10
Failure to Establish an Anonymous SSL Connection
J.11
Authorization Check Failure
J.12
User Gets Unexpected Permissions
J.13
Security Access Control Exception
J.14
Permission Check Failure
J.15
Policy Migration Failure
J.16
Characters in Policies
J.16.1
Use of Special Characters in Oracle Internet Directory 10.1.4.3
J.16.2
XML Policy Store that Contains Certain Characters
J.16.3
Missing Newline Characters in XML Policy Store
J.17
Granting Permissions in J2SE Applications
J.18
Troubleshooting Oracle Business Intelligence Publisher Reporting
J.18.1
Audit Templates for Oracle Business Intelligence Publisher
J.18.2
Oracle Business Intelligence Publisher Time Zone
J.18.3
Audit Reports do not Display Translated Text in Certain Locales
J.19
Need Further Help?
Index