Oracle® Containers for J2EE Security Guide
10g (10.1.3.5.0)

Part Number E13977-01
Index


A

access control
access control context (AccessControlContext), 2.2.5
access control lists and OracleAS JAAS Provider directory entries, 8.6.1.3
access control lists, definition, 1.1.2.1
access controller (AccessController), 2.2.5
capability model, 1.1.2.1
defined, 1.1.2
Access Manager SDK, Oracle Access Manager, 11.4.3
Access SDK, Oracle Access Manager, 11.4.2
AccessGate vs. WebGate (Oracle Access Manager), 11.1.1
accounts
creating and configuring new administrator account, 4.6.3
accounts, OC4J
accounts created in OID, 8.4.1.3
predefined and required, 4.6.1
predefined for file-based provider, 7.3.4
ACLs--see access control lists
actions element, system-jazn-data.xml, D.4.1
activateadmin Admintool command, C.4.7
activated user (file-based provider), 4.6.1
Active Directory
login module, 21.6.2
user account, 21.4
add command, Admintool shell, C.3.3.1
addloginmodule option, Admintool, 9.6.1, C.4.1
addrealm option, Admintool, C.4.2
addrole option, Admintool, C.4.3
adduser option, Admintool, C.4.4
administration
Admintool, 4.2.2
configuration files and key elements, 4.4
creating and configuring new administrator account, 4.6.3
Enterprise Manager, Application Server Control, 4.2.1
JSR-77 support, 4.1
MBean browser and administration, 4.3
MBeans, definition, 4.1
Oracle Identity Management and Oracle Internet Directory tools, 4.2.3
standards for managing applications, 4.1
tools for administration, 4.2
administrator account
activate in Admintool, C.4.7
creating and configuring new administrator account, 4.6.3
oc4jadmin account, 4.6.2
AdminPermission class, 5.2.1.3
Admintool
activate administrator user, C.4.7
add shell command, C.3.3.1
adding and removing login modules, 9.6.1, C.4.1
adding and removing realms, C.4.2
adding and removing roles (file-based provider), C.4.3
adding and removing users (file-based provider), C.4.4
cd shell command, C.3.3.2
checking passwords (file-based provider), C.4.6
clear shell command, C.3.3.3
command-line syntax and options, C.2
exit shell command, C.3.3.4
granting and revoking permissions, C.4.8
granting and revoking roles, C.4.9
granting permissions, 5.3.1
granting RMI permission, 9.6.2
help shell command, C.3.3.5
invoking, 4.2.2, C.2
listing login modules, 9.6.1, C.4.10
listing permissions, C.4.11
listing realms, C.4.12
listing roles, C.4.13
listing users, C.4.14
ls shell command, C.3.3.6
man shell command, C.3.3.7
migrating from principals.xml, 7.5, C.4.15
mk shell command, C.3.3.1
mkdir shell command, C.3.3.1
overview, 4.2.2
pwd shell command, C.3.3.8
rm shell command, C.3.3.9
set shell command, C.3.3.10
setting passwords (file-based provider), C.4.5
shell commands, C.3.3
starting shell, C.3
anonymous lookup, EJBs, 18.5
anonymous user
activating/deactivating (file-based provider), 4.6.1
configuring, 4.6.4
application element, system-jazn-data.xml, D.4.2
application roles, 3.4
Application Server Control
configuring Java SSO, 14.2.1
configuring security provider, 6.3.3.2
configuring security role mappings, 6.3.4.2
overview, 4.2.1
as-context element, orion-ejb-jar.xml, 19.3.2
authentication
authenticating EJB applications, 18.1
authentication methods for Web applications, 17.1
basic method, 16.1.1, 17.1.1
client-cert method, 17.1.5
definition, 1.1.1
digest method, 16.1.2, 17.1.1
digest method, with Oracle Internet Directory, 8.5.2
failure, specify default realm, A.2.4.2
form-based method, 17.1.4
in OC4J, introduction, 3.2
login modules, 2.3.2
NTLM method, 16.1.3
OracleAS Single Sign-On, 3.1.2
RealmLoginModule class, 3.1.2
SSL authentication, 1.2.2
SSO method, 8.5.1
supported authentication methods, 2.1.1.1
authorization
authorization APIs and JAAS mode, 5.2
authorizing EJB applications, 18.1
coarse-grained vs. fine-grained, 2.4.1
comparing models--overview, 2.4.1
definition, 1.1.2
enabling Java Authorization Contract for Containers, 5.4.5
J2EE authorization APIs, 5.4.1
Java 2 code-based policy management, 5.1
obtaining a subject, 5.4.2
policy configuration, OracleAS JAAS Provider, 5.3.3
policy management, OracleAS JAAS Provider, 5.3
strategies, 5.5
to any authenticated user (PUBLIC role), 6.3.4.4
using checkPermission(), 5.4.3
authorization--also see access control

B

basic authentication, 16.1.1
as fallback in digest authentication mode, 17.1.3
configuring in web.xml, 17.1.1
definition, 2.1.1.1
in Oracle Access Manager, 11.3.2
best practices for security, A.1
bootstrap accounts, 4.6.1
bootstrap jazn.xml, 4.4.5

C

caching, LDAP
caching properties, 8.7.3
disabling, 8.7.3
callback handler
identity callback handler interface, identity management framework, 13.2.4
identity callback handler, identity management framework, 13.1.2
standard definition, 2.3.2.1
capability model of access control, 1.1.2.1
case-sensitivity for roles
custom login modules, 9.1.2
external LDAP providers, 10.1
file-based provider, 7
LDAP-based provider, 8.1
cd command, Admintool shell, C.3.3.2
certificates and certificate authorities (SSL)
introduction, 1.2.4
trust points, 1.2.3
truststores, 19.1
using certificates with OC4J and Oracle HTTP Server, 15.2
checkpasswd option, Admintool, C.4.6
cipher suites
definition, 16.3.4
specify in Web site XML file, 15.3
supported by JSSE, 16.3.4
class element, system-jazn-data.xml, D.4.3
class loading, sharing libraries, 6.5
clear command, Admintool shell, C.3.3.3
client authentication
basic, 16.1.1
digest, 16.1.2
NTLM, 16.1.3
client-cert authentication
definition, 2.1.1.1
in OC4J, 17.1.5
Cluster MBean Browser, 7.6.2
CN (common name), 8.2.2
coarse-grained authorization, 2.4.1
codebase, 2.2.1
code-based security, 2.2.1
codesource, 2.2.1
codesource element, system-jazn-data.xml, D.4.4
common name (CN), 8.2.2
Common Secure Interoperability version 2--see CSIv2
component-managed sign-on (J2CA)
understanding, 20.2
vs. container-managed sign-on, 20.1.2
confidentiality element, orion-ejb-jar.xml, 19.3.1
connection properties, LDAP, 8.7.2
connector-factory element, oc4j-ra.xml (J2CA), 9.7.3
container-managed sign-on (J2CA)
authentication, 20.4
declarative, 20.5
programmatic, 20.6
understanding, 20.3
vs. component-managed sign-on, 20.1.2
control-flag element, system-jazn-data.xml, D.4.5
convert option, Admintool, 7.5, C.4.15
cookie domain for shared Web application, 15.3
COREid--see Oracle Access Manager
credential_mapping plug-in, Oracle Access Manager, 11.3.1.3, 11.3.2.2
credentials element, system-jazn-data.xml, D.4.6
credentials, specifying in EJB clients, 18.2
CSIv2
ejb_sec.properties settings, 19.2
internal-settings.xml settings, 19.1
introduction, 19
properties in orion-ejb-jar.xml, 19.3
custom login modules--see login modules
custom security providers (custom login modules), 3.1.4

D

DAS (Delegated Administration Services for OID), 4.2.3.1
data source
TCPS, 15.10
database login module, 9.2.2
DataSourceUserManager (deprecated), 9.2.2.7
DBTableOraDataSourceLoginModule (database login module), 9.2.2
deactivated user (file-based provider), 4.6.1
debugging
general SSL debugging, 15.7.2
logging, A.3
PrintingSecurityManager, 5.1.2
default realm, file-based or LDAP-based provider, 6.2.1
default-method-access element, orion-ejb-jar.xml, 18.1.6
Delegated Administration Services (DAS for OID), 4.2.3.1
deployment
configuring the security provider through Application Server Control, 6.3.3.2
deploying an application through Application Server Control, 6.3.2.1
deploying login modules, 9.8.4
deployment plan, 4.1
deployment plan editor, 4.2.1
JSR-88 support, 4.1
standards for deploying applications, 4.1
tasks and guidelines, 6.3
deployment roles, 3.4
description element, system-jazn-data.xml, D.4.7
digest authentication, 16.1.2
basic authentication fallback, 17.1.3
configuring in web.xml, 17.1.1
definition, 2.1.1.1
with Oracle Internet Directory, 8.5.2
digest.auth.basic.fallback property, 17.1.3
digital certificates, 1.2.3
display-name element, system-jazn-data.xml, D.4.8
distinguished name (DN), 8.2.2
DN (distinguished name), 8.2.2
doAs() and doAsPrivileged()
method descriptions, 2.3.4
with JAAS mode, 5.2.1.1
doasprivileged-mode (obsolete setting), 5.2.1.1
doPrivileged() method, AccessController, 2.2.5

E

EJB
anonymous lookup, 18.5
authenticating and authorizing EJB applications, 18.1
client security properties for CSIv2, 19.2
granting permissions in browser, 18.4
JNDI security providers, 18.2
namespace access, 18.1.5
RMI client access, 18.3
server security properties for CSIv2, 19.1
troubleshooting, 18.1
ejb_sec.properties, CSIv2 security properties (EJB client-side), 19.2
ejb-jar.xml
configuring J2EE security roles, 3.4
Enterprise Manager--see Application Server Control
establish-trust-in-client element, orion-ejb-jar.xml, 19.3.1
establish-trust-in-target element, orion-ejb-jar.xml, 19.3.1
exit command, Admintool shell, C.3.3.4
external LDAP providers
administrator user and roles, creating, 10.4.1
configuring in Application Server Control, after deployment, 10.2.2
configuring in Application Server Control, during deployment, 10.2.1
granting RMI permission to LDAP principal, 10.4.2
introduction, 3.1.4
overview, configuration and administration, 10.1
Sun Java System Directory Server (example), 10.5
system-jazn-data.xml, login-module element options, 10.3
troubleshooting, 10.1
external.synchronization property (no longer supported), Preface

F

file-based provider
activating/deactivating users, 4.6.1
administering instance-level security, 7.2.6
configuring as security provider after deployment, 7.2.2
configuring as security provider during deployment, 7.2.1
configuring in Application Server Control, 7.2
default realm, 6.2.1
introduction, 3.1.4
migrating from principals.xml, 7.5
migration tool, migrating from file-based provider (to LDAP-based or alternative file-based), 7.4
policy management, 7.1
realm management, 7.1, 7.3.2
settings in OC4J configuration files, 7.3
fine-grained authorization, 2.4.1
form-based authentication
configuration in web.xml, 17.1.4
definition, 2.1.1.1
in Oracle Access Manager, 11.3.1

G

globally unique identifier (GUID), D.4.11
grant element, system-jazn-data.xml, D.4.9
grantee element, system-jazn-data.xml, D.4.10
grantperm option, Admintool, C.4.8
grantrole option, Admintool, C.4.9
Group class (deprecated), 5.2.1.3, 12.2
groups, OC4J instances
adding, administering, 7.6.1
J2EEServerGroup MBean, 7.6.2
GUID (globally unique identifier), D.4.11
guid element, system-jazn-data.xml, D.4.11

H

help command, Admintool shell, C.3.3.5
host name verifier (HTTPClient), 16.6
HTTPClient
basic authentication, 16.1.1
digest authentication, 16.1.2
divergence from open source version, 16.2
NTLM authentication, 16.1.3
SSL host name verification, 16.6
using with JSSE, 16.5
HTTPConnection class, 16.2
HTTPS for client connections
HTTPClient example, JSSE, 16.5.2
Oracle HTTPS features, 16.3
Oracle HTTPS system properties, 16.4

I

identity callback handler interface, identity management framework, 13.2.4
identity callback handler, identity management framework, 13.1.2
identity management API framework for users and roles--see user and role APIs
identity management framework
callback types, 13.2.5
configuration, 13.3
enabling an application to use, 13.3.3
identity callback handler, 13.1.2
identity callback handler interface, 13.2.4
identity token, 13.1.2
identity token interface, 13.2.1
multiple OC4J instances, considerations, 13.3.4
overview, 13.1
packaging implementation classes, 13.2.8
programmatic interfaces, 13.2
properties, 13.3.1
sample, header-based ID token, 13.5
subject asserter, 13.1.2
subject asserter interface, 13.2.7
summary of how to use, 13.4
token asserter, 13.1.2
token asserter interface, 13.2.3
token collector, 13.1.2
token collector interface, 13.2.2
identity management realms (OID)
introduction, 8.6.1
managing, 8.6.2.1
relation to JAAS Provider realms, 8.6.1.2
using multiple realms, 8.6.2.3
identity propagation, 2.1.3
identity store, 13.1.2
identity token interface, identity management framework, 13.2.1
identity token, identity management framework, 13.1.2
indirect passwords, 6.1.1
instance-level security, file-based provider, 7.2.6
integrity element, orion-ejb-jar.xml, 19.3.1
internal-settings.xml
CSIv2 security properties (EJB server-side), 19.1
DTD, 19.1
sep-property element, 19.1

J

J2CA, J2EE Connector Architecture--see resource adapters
J2EE roles, 3.4
J2EEServerGroup MBean (OC4J groups), 7.6.2
JAAS (Java Authentication and Authorization Service), 2.3
JAAS mode
configuring and using, 5.4.4
introduction, 5.2.1.1
required for subject propagation, 18.6.2.2
JAAS provider
integration with SSL-enabled applications, 15.1
integration with SSO-enabled applications, 8.2.4
overview, 3.1.1
JAAS roles (deployment roles), 3.4
jaas.username.simple property, 6.2.6
JACC--see Java Authorization Contract for Containers
Java 2 Security Model, 2.2
Java Authentication and Authorization Service (JAAS), 2.3
Java Authorization Contract for Containers (Java ACC)
enabling, 5.4.5.1
introduction, 5.2.3
specifying Java ACC provider, 5.4.5.2
Java Key Store (JKS), 19.1
Java single sign-on--see Java SSO
Java SSO
configuration and setup, details, 14.2
configuration for 10.1.3.1 patch over 10.1.3.0.0, 14.2.4.3
configuration, summary, 14.1.4
configuring through Application Server Control, 14.2.1
deployment scenarios, 14.1.3
file-based provider and two OC4J instances, 14.2.4.1
logout API, 14.3.1
multiple OC4J instances, 14.2.4.2
overview, 14.1
properties, 14.2.2
summary of how to use, 14.4
troubleshooting, 14.5
java.net.URL framework, 16.3.3
java.security.manager property, 5.1.1
java.security.policy property, 5.1.1
javax.net.ssl.keyStore property, 16.4.1
javax.net.ssl.keyStorePassword property, 16.4.2
javax.net.ssl.keyStoreType property, 16.4.3
javax.net.ssl.trustStore property, 16.4.4
javax.net.ssl.trustStorePassword property, 16.4.5
javax.net.ssl.trustStoreType property, 16.4.6
JAZN (term no longer used), 3.1.1
jazn element, jazn.xml, D.2.1
jazn subelement of password-manager element, system-application.xml, 6.1.2
jaznadmin user (OID), 8.4.1.3, 8.6.1.3
JAZNAdminGroup (OID), 8.4.1.3, 8.6.1.3
jazn-data element, system-jazn-data.xml, D.4.13
jazn-data.xml
overview, 4.4.4
persistence mode, 4.4.3
supplying for deployment, 7.3.1.3
jazn-loginconfig element, system-jazn-data.xml, 9.7.1, D.4.14
JAZNPermission class, 5.2.1.3
jazn-policy element, system-jazn-data.xml, D.4.16
jazn-realm element, system-jazn-data.xml, D.4.18
JAZNUserManager, 3.1.2
jazn-web-app element, orion-application.xml, 17.1.2
jazn.xml
bootstrap, 4.4.5
element hierarchy, D.1
elements and attributes, reference, D.2
file not found, A.2.1
locations, 4.4.5
overview, 4.4.5
samples, 4.4.5
JCA--see resource adapters
JMX (MBeans), 4.3
JNDI
connection properties, 8.7.2
EJB JNDI security properties, 18.2
with a custom login module, 9.8.6
JSR-77 support, 4.1
JSR-88 support, 4.1
JSSE
supported cipher suites, 16.3.4
using HTTPClient with JSSE, 16.5

K

Kerberos, 21.1
Kerberos client configuration, 21.3
Key Distribution Center (KDC), 21.1
keys and keystores (SSL)
introduction, 1.2.4
Java Key Store (JKS), 19.1
javax.net.ssl.keyStore property, 16.4.1
javax.net.ssl.keyStorePassword property, 16.4.2
javax.net.ssl.keyStoreType property, 16.4.3
keystore for CSIv2, 19.1
keystore for ORMIS, 15.8.4.2
keystore, definition, 15.2
keytool utility, 15.2
wallet, equivalent to keystore, 15.2
keytab file, 21.5
keytool utility
example, 15.3
for keystores, 15.2

L

LDAP
external LDAP providers, 10
LDAP-based provider, 8
LDAP principal, 10.4.2
LDAP-based provider
caching properties, 8.7.3
connection properties, 8.7.2
creating users with OID DAS, 8.7
default realm, 6.2.1
Oracle Identity Management with Oracle Internet Directory, 3.1.4
Oracle Identity Management, steps to use, 8.4
overview of Oracle Identity Management key components, 8.2
realm management, 8.6
settings in OC4J configuration files, 8.7
troubleshooting, 8.8
user, password, and SSL properties, 8.7.1
LDAPLoginModule, 3.1.4
ldapsearch utility, to retrieve realm names from OID, 8.8.2
libraries
importing shared library into application, 6.5.2
loading library as OC4J shared library, 6.5.1
Lightweight Directory Access Protocol--see LDAP
listloginmodules option, Admintool, 9.6.1, C.4.10
listperms option, Admintool, C.4.11
listrealms option, Admintool, C.4.12
listroles option, Admintool, C.4.13
listusers option, Admintool, C.4.14
logging, A.3
login configuration provider, specification, 9.1.1
login module element, system-jazn-data.xml, D.4.19
login modules
adding and removing in Admintool, 9.6.1, C.4.1
configuration in OC4J configuration files, 9.7
configuring as security provider after deployment, 9.5.2
configuring as security provider during deployment, 9.5.1
configuring in oc4j-ra.xml (J2CA), 9.7.3
configuring the custom security provider in Application Server Control, 9.5
configuring with different applications, 2.3.2
CoreIDLoginModule (Oracle Access Manager), 11.7.5
database login module, 9.2.2
definition, 2.3.2
deploying, 9.8.4
EIS connections (J2CA), using for, 20.6.2
granting RMI permission, 9.6.2
in identity management framework, 13.1.2, 13.2.6
introducing custom login modules, usage, 9.3
jazn-loginconfig configuration element, D.4.14
LDAPLoginModule, 3.1.4, 10.3
listing in Admintool, 9.6.1, C.4.10
login configuration provider, 3.1.1
login configuration provider, specification, 9.1.1
login-module configuration element, D.4.19
login-modules configuration element, D.4.20
optional packages, deployed as, 9.4.2
packaging, 9.4
RealmLoginModule, 9.2.1
sample, 9.9
stacking, 2.3.2.2
step by step, 9.8
troubleshooting, 9.1.2
login modules element, system-jazn-data.xml, D.4.20
login-config element, web.xml, 17.1.1
LoginContext class, 2.3.2.1
login-module element, system-jazn-data.xml
for external LDAP providers, 10.3
ls command, Admintool shell, C.3.3.6

M

man command, Admintool shell, C.3.3.7
MBeans
definition, 4.1
MBean browser and administration, 4.3
member element, system-jazn-data.xml, D.4.21
members element, system-jazn-data.xml, D.4.22
method-permission element, ejb-jar.xml, 18.1.1
migration
migrating from principals.xml, 7.5, C.4.15
migration tool, migrating from file-based provider (to LDAP-based or alternative file-based), 7.4
mk command, Admintool shell, C.3.3.1
mkdir command, Admintool shell, C.3.3.1

N

name element, system-jazn-data.xml, D.4.23, D.4.24
namespace access (EJBs), 18.1.5
needs-client-auth (SSL client authentication), 15.6
NTLM authentication, 16.1.3

O

ObSSOCookie, Oracle Access Manager SSO cookie, 11.2.3
oc4jadmin account, 4.6.2
oc4j-connectors.xml (J2CA), security-permission element, 20.1.3.2
oc4j-ra.xml (J2CA)
login module settings, 9.7.3
security-config element, 20.1.3.1
oidadmin (Oracle Directory Manager), 4.2.3.2
OID--see Oracle Internet Directory
omitting realm names from principals, 6.2.6
OPMN (Oracle Process Manager and Notification Server), 15.8.2
option element, system-jazn-data.xml, D.4.25
optional packages, used for login modules, 9.4.2
options element, system-jazn-data.xml, D.4.26
Oracle Access Manager
Access Manager SDK, 11.4.3
Access SDK, 11.4.2
action URL, protecting, 11.3.4
application, protecting, 11.7.4
architecture, 11.1.3
auth-method setting, 11.7.3
basic authentication, 11.3.2
credential_mapping plug-in, 11.3.1.3, 11.3.2.2
EJB application, use case, 11.10.3
form-based authentication, 11.3.1
granting permissions to Oracle Access Manager principals, 11.8
granting RMI permission to Oracle Access Manager principal, 11.8.1
login module configuration, 11.7.5
overview, 11.1.1
plug-ins, overview, 11.2.2
Policy Manager, introduction, 11.1.1
Policy Manager, running, 11.1.5
prerequisites, 11.1.2
resource types, configuration, 11.3.3
resource types, overview, 11.2.1
sample use cases for J2EE applications, 11.10
sample use cases for Web services, 11.11
single sign-on cookie, 11.2.3
troubleshooting, 11.12
validate_password plug-in, 11.3.1.4
Web app using HTTP header variables, use case, 11.10.1
Web app using SSO cookie, use case, 11.10.2
Web service with SAML token, use case, 11.11.3
Web service with username token, use case, 11.11.1
Web service with X.509 token, use case, 11.11.2
Oracle COREid Access and Identity--see Oracle Access Manager
Oracle Directory Manager (oidadmin), 4.2.3.2
Oracle Enterprise Manager--see Application Server Control
Oracle HTTPS (client-side)
example, JSSE, 16.5.2
overview, 16.3
system properties, 16.4
Oracle Identity Management
configuring as security provider after deployment, 8.4.3.2
configuring as security provider during deployment, 8.4.3.1
default realm, 6.2.1
LDAP-based provider (with Oracle Internet Directory), 3.1.4
overview, key components, 8.2
troubleshooting, 8.8
using, steps to use, 8.4
Oracle Internet Directory
Delegated Administration Services (DAS), 4.2.3.1
jaznadmin user, JAZNAdminGroup, 8.4.1.3, 8.6.1.3
LDAP-based provider (with Oracle Identity Management), 3.1.4
Oracle Directory Manager (oidadmin), 4.2.3.2
overview, 8.2.1
ports, with or without SSL, 8.4.1.1, 8.7.1
realm names, retrieving with ldapsearch, 8.8.2
supported versions, 8.3
Oracle Java SSL (deprecated), 16.8
Oracle Wallet
auto-login wallet, SSO wallet, 15.5.2
usage by Oracle HTTP Server, 15.2
OracleAS JAAS Provider
introduction, 3.1
permissions, checking, 5.2.1.4
permissions, granting, 5.2.1.3
policy APIs, 5.2.1.2
policy configuration, 5.3.3
policy management, 5.3
realm APIs, 5.2.1.2
specifying as login configuration provider, 9.1.1
specifying as policy provider, 5.3.4
OracleAS Single Sign-On
integration, 3.1.2
overview, 8.2.3
servlet session synchronization, 8.4.2.4
supported versions, 8.3
oracle.home property, 5.1.3
oracle.j2ee.home property, 4.4.5
oracle.security.jazn.config property, 4.4.5
OracleSSLCredential, Oracle Java SSL package, 16.8.2
Oracle.ssl.defaultCipherSuites property (Oracle Java SSL), 16.8.6.1
orion-application.xml
configuring SSO, 8.5.1
jazn and jazn-web-app elements, 4.4.1
login module settings, 9.7.2
mapping J2EE roles to deployment roles, 17.2.5
orion-ejb-jar.xml
CSIv2 properties, 19.3
default security role, 18.1.6
security role mapping configuration, 18.1.4
ORMI tunneling over HTTPS, 15.9
ORMIS
configuring access restrictions, 15.8.3
configuring clients to use ORMIS, 15.8.4
configuring for OC4J in OAS, 15.8.2
configuring for standalone OC4J, 15.8.1

P

packaging
identity management framework implementation classes, 13.2.8
login modules, 9.4
password-manager element, system-application.xml, 6.1.2
passwords
checking in Admintool (file-based provider), C.4.6
clear (human-readable) (file-based provider), 6.1.3
indirect passwords, 6.1.1
obfuscated passwords for LDAP user, 8.7.1
password indirection, 6.1
password obfuscation, 6.1, 6.1.3
setting in Admintool (file-based provider), C.4.5
Permission class, subclasses, characteristics, 2.2.2
permission element, system-jazn-data.xml, D.4.27
permissions
capability model of access control, 1.1.2.1
granting and revoking in Admintool, C.4.8
granting EJB permissions in browser, 18.4
in Java 2 Security Model, 2.2.2
listing in Admintool, C.4.11
OracleAS JAAS Provider APIs for checking, 5.2.1.4
OracleAS JAAS Provider APIs for granting, 5.2.1.3
permissions element, system-jazn-data.xml, D.4.28
persistence mode, system-jazn-data.xml or jazn-data.xml, 4.4.3
plug-ins (Oracle Access Manager)
credential_mapping, 11.3.1.3, 11.3.2.2
overview, 11.2.2
validate_password, 11.3.1.4
policies
definition, JAAS policy, 2.3.3
definition, Java 2 policy, 2.2.4
file-based provider, policy management, 7.1
grant configuration element, D.4.9
granting permissions, Admintool, 5.3.1
Java 2 policy file, creating, 5.1.3
Java 2 policy file, specifying, 5.1.1
jazn-policy configuration element, D.4.16
OracleAS JAAS Provider policy APIs, 5.2.1.2
package for policy management, 3.1.2
policy cache, LDAP, 8.7.3
policy configuration, OracleAS JAAS Provider, 5.3.3
policy management, OracleAS JAAS Provider, 5.3
policy provider, 3.1.1
policy provider, specification, 5.3.4
Policy Manager, Oracle Access Manager
introduction, 11.1.1
running, 11.1.5
policy provider, specification, 5.3.4
ports, for Oracle Internet Directory, with or without SSL, 8.4.1.1, 8.7.1
principal element, system-jazn-data.xml, D.4.29
principals
in JAAS, definition, 2.3.1
Principal interface, 2.3.1
sample principal class, 9.9.2
principals element, system-jazn-data.xml, D.4.30
principals.xml
migrating from, in Admintool, 7.5, C.4.15
PrintingSecurityManager, 5.1.2
property element, jazn.xml, D.2.2
PropertyPermission, 18.4
protection domains, 2.2.3
PUBLIC role (for access by any authenticated user), 6.3.4.4
pwd command, Admintool shell, C.3.3.8

R

realm element, system-jazn-data.xml, D.4.31
RealmLoginModule class
configuring, 9.2.1
introduction, 3.1.2
realm-name element, system-jazn-data.xml, D.4.32
RealmPermission class, 5.2.1.3
realms
adding and removing in Admintool, C.4.2
default realm, file-based or LDAP-based provider, 6.2.1
file-based provider, realm management, 7.1
hierarchy for OracleAS JAAS Provider, 8.6.1.1
jazn-realm configuration element, D.4.18
listing in Admintool, C.4.12
managing identity management realms (OID), 8.6.2.1
managing in file-based provider, 7.3.2
managing in LDAP-based environments, 8.6
multiple realms, 6.2.5
nondefault realm, 6.2.4
omitting realm name from principals, 6.2.6
OracleAS JAAS Provider realm APIs, 5.2.1.2
overview, 3.1.3
package for realm management, 3.1.2
realm cache, LDAP, 8.7.3
realm configuration element, D.4.31
relation of JAAS Provider realms to OID realms, 8.6.1.2
retrieving from OID using ldapsearch, 8.8.2
tasks and guidelines in OC4J, 6.2
troubleshooting, A.2.4
using multiple identity management realms (OID), 8.6.2.3
remloginmodule option, Admintool, 9.6.1, C.4.1
remrealm option, Admintool, C.4.2
remrole option, Admintool, C.4.3
remuser option, Admintool, C.4.4
resource adapters
authentication in container-managed sign-on, 20.4
component-managed sign-on, 20.2
component-managed vs. container-managed sign-on, 20.1.2
container-managed sign-on, 20.3
declarative container-managed sign-on, 20.5
login modules for EIS connections, 20.6.2
overview of security and authentication setup, 20.1
overview of security-related configuration elements, 20.1.3
programmatic container-managed sign-on, 20.6
sample, programmatic container-managed sign-on, 20.6.1.2
security contract, 20.1.1
resource types (Oracle Access Manager)
configuration, 11.3.3
overview, 11.2.1
revokeperm option, Admintool, C.4.8
revokerole option, Admintool, C.4.9
rm command, Admintool shell, C.3.3.9
RMI permission
granting for login modules, 9.6.2
granting to administrator roles, external LDAP provider, 10.4.1
granting to appropriate role for EJB, 18.3
granting to LDAP principal, 10.4.2
granting to Oracle Access Manager principal, 11.8.1
role and user APIs
model/framework, 12.3
overview, 12.1
properties file, 12.5.4
replacement of UserManager, User, Group features, 12.2
sample, basic, 12.6
sample, OC4J integration, 12.7
steps and samples, 12.5
summary of classes and interfaces, 12.4
role element, system-jazn-data.xml, D.4.33
RoleAdminPermission class, 5.2.1.3
roles
adding and removing in Admintool (file-based provider), C.4.3
application roles, 3.4
case-sensitivity, custom login modules, 9.1.2
case-sensitivity, external LDAP providers, 10.1
case-sensitivity, file-based provider, 7
case-sensitivity, LDAP-based provider, 8.1
creating, editing, deleting (file-based provider), 7.2.5
definition, 1.1.2.2
deployment roles, 3.4
granting and revoking in Admintool, C.4.9
J2EE roles, 3.4
listing in Admintool, C.4.13
mapping J2EE roles to deployment roles, 17.2.5
mapping logical roles to users and roles, EJBs, 18.1.4
mapping, overview, 3.4
methods unchecked for security roles, EJBs, 18.1.2
role configuration element, D.4.33
role-based access control, 1.1.2.2
roles configuration element, D.4.34
roles element, system-jazn-data.xml, D.4.34
run-as element, ejb-jar.xml, 18.1.3
run-as security identity
for EJBs, 18.1.3
for Web applications, 17.2.4
runas-mode (obsolete setting), 5.2.1.1
RuntimePermission, 18.4

S

samples
identity management framework, header-based ID token, 13.5
jazn-loginconfig configuration, D.4.14
jazn-policy configuration, D.4.16
jazn-realm configuration, D.4.18
JSSE with HTTPClient, 16.5.2
login module, 9.9
Oracle Access Manager use cases for J2EE applications, 11.10
Oracle Access Manager use cases for Web services, 11.11
programmatic container-managed sign-on (resource adapters), 20.6.1.2
sample servlet, various features, B
Sun Java System Directory Server configuration, 10.5
user and role APIs, basic example, 12.6
user and role APIs, OC4J integration, 12.7
sas-context element, orion-ejb-jar.xml, 19.3.3
Secure Sockets Layer--see SSL
security managers
overview, 2.2.5
PrintingSecurityManager for debug, 5.1.2
specifying, enabling, 5.1.1
security provider
definition, 1.1.1
supported providers, 3.1.4
security-identity element, ejb-jar.xml, 18.1.3
SecurityManager class, 2.2.5
security-role element, ejb-jar.xml, 18.1.1
security-role-mapping element, orion-ejb-jar.xml, 18.1.4
security-role-ref element, ejb-jar.xml, 18.1.1
sep-property element, internal-settings.xml, 19.1
servlet session synchronization (with SSO), 8.4.2.4
session cache, LDAP, 8.7.3
session synchronization for servlets (with SSO), 8.4.2.4
session-tracking element, orion-web.xml, 15.3
set command, Admintool shell, C.3.3.10
setpasswd option, Admintool, C.4.5
setSSLEnabledCipherSuites() method, Oracle Java SSL, 16.8.6.2
shared libraries
importing, 6.5.2
loading, 6.5.1
shared Web applications, 15.3
shell commands, Admintool, C.3.3
shell option, Admintool, C.3
single sign-on
alternatives in Oracle Application Server, 3.2.3
configuring in orion-application.xml, 8.5.1
definition, 3.2.3
integration with JAAS provider, 8.2.4
Java SSO, 14
Oracle Access Manager SSO cookie, 11.2.3
Oracle Access Manager SSO, configure Web apps, 11.7.3
OracleAS Single Sign-On overview, 8.2.3
SocketPermission, 18.4
SPNEGO, 21.1
SSL
authentication in SSL, 1.2.2
client authentication, 15.6
debugging, 15.7.2
enabling SSL in OC4J, 15.3
enabling/disabling for LDAP-based provider, 8.7.1
host name verification for HTTPClient, 16.6
integration with JAAS provider, 15.1
introduction, 1.2.1
ORMI over SSL, 15.8
ORMI tunneling over HTTPS, 15.9
port for Oracle Internet Directory with SSL, 8.4.1.1, 8.7.1
troubleshooting, 15.7
truststores, 19.1
using certificates with OC4J and Oracle HTTP Server, 15.2
ssl-config element, Web site XML file, 15.3
SSO--see single sign-on
stacking login modules, 2.3.2.2
subject asserter interface, identity management framework, 13.2.7
subject asserter, identity management framework, 13.1.2
subject propagation
enabling, 18.6.2
overview in OC4J, 18.6.1
removing/configuring restrictions, 18.6.4
sharing principal classes, 18.6.3
Subject.doAs() and Subject.doAsPrivileged()
method descriptions, 2.3.4
with JAAS mode, 5.2.1.1
subjects
in JAAS, definition, 2.3.1
Subject class, 2.3.1
Sun Java System Directory Server (external LDAP provider, example), 10.5
system application
overview, 4.5
system-application.xml, 4.4.2
system-jazn-data.xml
and Admintool, 4.2.2
element hierarchy, D.3
elements and attributes, reference, D.4
for policy data, 7.3.3
overview, 4.4.3
persistence mode, 4.4.3
settings for login modules, 9.7.1

T

TCPS, 15.10
third-party LDAP providers--see external LDAP providers
token asserter interface, identity management framework, 13.2.3
token asserter, identity management framework, 13.1.2
token collector interface, identity management framework, 13.2.2
token collector, identity management framework, 13.1.2
transport-config element, orion-ejb-jar.xml, 19.3.1
troubleshooting
EJBs, 18.1
external LDAP providers, 10.1
general OC4J security troubleshooting, A.2
Java SSO, 14.5
JAZN not properly configured, A.2.1
LDAP-based provider, 8.8
logging, A.3
login modules, 9.1.2
Oracle Access Manager, 11.12
Oracle Identity Management, 8.8
realms, A.2.4
SSL, 15.7
unable to locate login configuration, A.2.3
trust points, 1.2.3
truststores (SSL)
introduction, 1.2.4
javax.net.ssl.trustStore property, 16.4.4
javax.net.ssl.trustStorePassword property, 16.4.5
javax.net.ssl.trustStoreType property, 16.4.6
truststore for CSIv2, 19.1
tunneling, ORMI over HTTPS, 15.9
type element, system-jazn-data.xml, D.4.35, D.4.36

U

unchecked element, ejb-jar.xml, 18.1.2
url element, system-jazn-data.xml, D.4.37
use-caller-identity element, ejb-jar.xml, 18.1.3
user and role APIs
model/framework, 12.3
overview, 12.1
properties file, 12.5.4
replacement of UserManager, User, Group features, 12.2
sample, basic, 12.6
sample, OC4J integration, 12.7
steps and samples, 12.5
summary of classes and interfaces, 12.4
User class (deprecated), 9.2.2, 12.2
user element, system-jazn-data.xml, D.4.38
user repository, 1.1.1
UserManager class (deprecated), 12.2
users
activating/deactivating (file-based provider), 4.6.1
adding and removing in Admintool (file-based provider), C.4.4
creating, editing, deleting (file-based provider), 7.2.4
creating, with OID DAS for LDAP-based provider, 8.7
ldap.user and ldap.password properties for LDAP, 8.7.1
listing in Admintool, C.4.14
user configuration element, D.4.38
users configuration element, D.4.39
users element, system-jazn-data.xml, D.4.39

V

validate_password plug-in, Oracle Access Manager, 11.3.1.4
value element, system-jazn-data.xml, D.4.40

W

wallet, equivalent to keystore, 15.2
wallets--see Oracle Wallet
Web services, use cases with Oracle Access Manager, 11.11
web-app element, Web site XML file, 15.3
WebGate vs. AccessGate (Oracle Access Manager), 11.1.1
web.xml
configuring authentication method, 17.1.1
configuring J2EE security roles, 3.4
Windows Native Authentication--see WNA
WNA, 21.1
configure OC4J, 21.6
login module, 21.6.2
prerequisites, 21.2
testing, 21.7

X

XML-based provider--see file-based provider