Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
What's New in This Guide
New Features in Release 11gR1 PS3
New Features in Oracle Identity Management 11gR1
New Features in Release 11gR1 PS2
New Features in Release 11gR1 PS1
New Features in Release 11gR1
Desupported Features from 10.1.3.x
Links to Upgrade Documentation
Part I Understanding Security Concepts
1
Introduction to Oracle Platform Security Services
1.1
What is Oracle Platform Security Services?
1.1.1
OPSS Main Features
1.1.2
Supported Server Platforms
1.2
OPSS Architecture Overview
1.2.1
Benefits of Using OPSS
1.3
Oracle ADF Security Overview
1.4
OPSS for Administrators
1.5
OPSS for Developers
1.5.1
Scenario 1: Enhancing Security in a JavaEE Application
1.5.2
Scenario 2: Securing an Oracle ADF Application
1.5.3
Scenario 3: Securing a JavaSE Application
2
Understanding Users and Roles
2.1
Terminology
2.2
Role Mapping
2.2.1
Permission Inheritance and the Role Hierarchy
2.3
The Authenticated Role
2.4
The Anonymous User and Role
2.4.1
Anonymous Support and Subject
2.5
Administrative Users and Roles
2.6
Managing User Accounts
2.7
Principal Name Comparison Logic
2.7.1
How Does Principal Comparison Affect Authorization?
2.7.2
System Parameters Controlling Principal Name Comparison
2.8
The Role Category
3
Understanding Identities, Policies, and Credentials
3.1
Authentication Basics
3.1.1
Supported LDAP Identity Store Types
3.1.2
Oracle WebLogic Authenticators
3.1.2.1
Using an LDAP Authenticator
3.1.2.2
Configuring the LDAP Identity Store Service
3.1.2.3
Additional Authentication Methods
3.1.3
WebSphere Identity Stores
3.2
Policy Store Basics
3.3
Credential Store Basics
4
About Oracle Platform Security Services Scenarios
4.1
Supported LDAP-, DB-, and File-Based Services
4.2
Management Tools
4.3
Packaging Requirements
4.4
Example Scenarios
4.5
Other Scenarios
Part II Basic OPSS Administration
5
Security Administration
5.1
Choosing the Administration Tool According to Technology
5.2
Basic Security Administration Tasks
5.2.1
Setting Up a Brand New Production Environment
5.3
Typical Security Practices with Fusion Middleware Control
5.4
Typical Security Practices with the Administration Console
5.5
Typical Security Practices with Oracle Authorization Policy Manager
5.6
Typical Security Practices with OPSS Scripts
6
Deploying Secure Applications
6.1
Overview
6.2
Selecting the Tool for Deployment
6.2.1
Deploying JavaEE and Oracle ADF Applications with Fusion Middleware Control
6.3
Deploying Oracle ADF Applications to a Test Environment
6.3.1
Deploying to a Test Environment
6.3.1.1
Typical Administrative Tasks after Deployment in a Test Environment
6.4
Deploying Standard JavaEE Applications
6.5
Migrating from a Test to a Production Environment
6.5.1
Migrating Providers other than Policy and Credential Providers
6.5.1.1
Migrating Identities Manually
6.5.2
Migrating Policies and Credentials at Deployment
6.5.2.1
Migrating Policies Manually
6.5.2.2
Migrating Credentials Manually
6.5.2.3
Migrating Large Volume Policy and Credential Stores
6.5.3
Migrating Audit Policies
Part III Advanced OPSS Administration
7
Configuring the Identity Store Service
7.1
Introduction to the Identity Store Service
7.1.1
About the Identity Store Service
7.1.2
Service Architecture
7.1.3
Application Server Support
7.1.4
JavaSE Support
7.2
Configuring the Identity Store Provider
7.3
Configuring the Identity Store Service
7.3.1
What is Configured?
7.3.1.1
Configuring Multi-LDAP Lookup
7.3.1.2
Global/Connection Parameters
7.3.1.3
Back-End/Connection Parameters
7.3.2
Configuration in WebLogic Server
7.3.2.1
Configuring the Service for Single LDAP
7.3.2.2
Configuring the Service for Multiple LDAP using Fusion Middleware Control
7.3.2.3
Configuring the Service for Multiple LDAP using WLST
7.3.2.4
Configuring Other Parameters
7.3.2.5
Restarting Servers
7.3.2.6
Examples of the Configuration File
7.3.3
Configuring Split Profiles
7.3.4
Configuration in Other Application Servers
7.3.4.1
Configuring the Service for Single LDAP
7.3.4.2
Configuring the Service for Multiple LDAP
7.3.5
JavaSE Environments
7.4
Querying the Identity Store Programmatically
8
Configuring the OPSS Security Store
8.1
Introduction to the OPSS Security Store
8.2
Using an LDAP-Based OPSS Security Store
8.2.1
Multiple-Node Server Environments
8.2.2
Prerequisites to Using an LDAP-Based Security Store
8.3
Using a DB-Based OPSS Security Store
8.3.1
Prerequisites to Using a DB-Based Security Store
8.3.1.1
Creating the OPSS Schema in an Oracle Database
8.3.1.2
Dropping the OPSS Schema in an Oracle Database
8.3.1.3
Creating a Data Source Instance
8.3.2
Maintaining a DB-Based Security Store
8.3.3
Setting Up an SSL Connection to the DB
8.3.3.1
Configuring SSL on an Oracle DB Server
8.3.3.2
Configuring SSL on a Client
8.4
Configuring the OPSS Security Store
8.5
Reassociating the OPSS Security Store
8.5.1
Reassociating with Fusion Middleware Control
8.5.1.1
Setting Up a One-Way SSL Connection
8.5.1.2
Securing Access to Oracle Internet Directory Nodes
8.5.2
Reassociating with the Script reassociateSecurityStore
8.6
Migrating the OPSS Security Store
8.6.1
Migrating with Fusion Middleware Control
8.6.2
Migrating with the Script migrateSecurityStore
8.6.2.1
Examples of Use
8.7
Configuring the Identity Provider, Property Sets, and SSO
8.7.1
Configuring the Identity Store Provider
8.7.2
Configuring Properties and Property Sets
8.7.3
Specifying a Single Sign-On Solution
8.7.3.1
The OPSS SSO Framework
8.7.3.2
Configuring an SSO Solution with Fusion Middleware Control
8.7.3.3
OAM Configuration Example
8.8
Cataloging Oracle Internet Directory Attributes
9
Managing the Policy Store
9.1
Managing the Policy Store
9.2
Managing Policies with Fusion Middleware Control
9.2.1
Managing Application Policies
9.2.2
Managing Application Roles
9.2.3
Managing System Policies
9.3
Managing Application Policies with OPSS Scripts
9.3.1
listAppStripes
9.3.1.1
Running listAppStripes after Reassociating to a DB-Based Store
9.3.2
createAppRole
9.3.3
deleteAppRole
9.3.4
grantAppRole
9.3.5
revokeAppRole
9.3.6
listAppRoles
9.3.7
listAppRolesMembers
9.3.8
grantPermission
9.3.9
revokePermission
9.3.10
listPermissions
9.3.11
deleteAppPolicies
9.3.12
createResourceType
9.3.13
getResourceType
9.3.14
deleteResourceType
9.3.15
createResource
9.3.16
deleteResource
9.3.17
listResources
9.3.18
listResourceActions
9.3.19
createEntitlement
9.3.20
getEntitlement
9.3.21
deleteEntitlement
9.3.22
addResourceToEntitlement
9.3.23
revokeResourceFromEntitlement
9.3.24
listEntitlements
9.3.25
grantEntitlement
9.3.26
revokeEntitlement
9.3.27
listEntitlement
9.3.28
listResourceTypes
9.3.29
reassociateSecurityStore
9.4
Caching and Refreshing the Cache
9.4.1
An Example
9.5
Granting Policies to Anonymous and Authenticated Roles with WLST Scripts
9.6
Application Stripe for Versioned Applications in WLST Scripts
9.7
Managing Application Policies with Oracle Authorization Policy Manager
9.8
Guidelines for Configuring the Policy Store
10
Managing the Credential Store
10.1
Credential Types
10.2
Managing the Credential Store
10.3
Managing Credentials with Fusion Middleware Control
10.4
Managing Credentials with OPSS Scripts
10.4.1
listCred
10.4.2
updateCred
10.4.3
createCred
10.4.4
deleteCred
10.4.5
modifyBootStrapCredential
10.4.6
addBootStrapCredential
11
Introduction to Oracle Fusion Middleware Audit Framework
11.1
Benefits and Features of the Oracle Fusion Middleware Audit Framework
11.1.1
Objectives of Auditing
11.1.2
Today's Audit Challenges
11.1.3
Oracle Fusion Middleware Audit Framework in 11g
11.2
Overview of Audit Features
11.3
Oracle Fusion Middleware Audit Framework Concepts
11.3.1
Audit Architecture
11.3.2
Key Technical Concepts
11.3.3
Audit Record Storage
11.3.4
Analytics
12
Configuring and Managing Auditing
12.1
Audit Administration Tasks
12.2
Managing the Audit Store
12.2.1
Create the Audit Schema using RCU
12.2.2
Set Up Audit Data Sources
12.2.2.1
Multiple Data Sources
12.2.3
Configure a Database Audit Store for Java Components
12.2.3.1
View Audit Store Configuration
12.2.3.2
Configure the Audit Store
12.2.3.3
Deconfigure the Audit Store
12.2.4
Configure a Database Audit Store for System Components
12.2.4.1
Deconfigure the Audit Store
12.2.5
Tuning the Bus-stop Files
12.3
Managing Audit Policies
12.3.1
Manage Audit Policies for Java Components with Fusion Middleware Control
12.3.2
Manage Audit Policies for System Components with Fusion Middleware Control
12.3.3
Manage Audit Policies with WLST
12.3.3.1
View Audit Policies with WLST
12.3.3.2
Update Audit Policies with WLST
12.3.3.3
Example 1: Configuring an Audit Policy for Users with WLST
12.3.3.4
Example 2: Configuring an Audit Policy for Events with WLST
12.3.3.5
Custom Configuration is Retained when the Audit Level Changes
12.3.4
Manage Audit Policies Manually
12.3.4.1
Location of Configuration Files for Java Components
12.3.4.2
Audit Service Configuration Properties in jps-config.xml for Java Components
12.3.4.3
Switching from Database to File for Java Components
12.3.4.4
Manually Configuring Audit for System Components
12.4
Audit Logs
12.4.1
Location of Audit Logs
12.4.2
Audit Log Timestamps
12.5
Advanced Management of Database Store
12.5.1
Schema Overview
12.5.2
Table Attributes
12.5.3
Indexing Scheme
12.5.4
Backup and Recovery
12.5.5
Importing and Exporting Data
12.5.6
Partitioning
12.5.6.1
Partition Tables
12.5.6.2
Backup and Recovery of Partitioned Tables
12.5.6.3
Import, Export, and Data Purge
12.5.6.4
Tiered Archival
13
Using Audit Analysis and Reporting
13.1
Setting up Oracle Business Intelligence Publisher for Audit Reports
13.1.1
About Oracle Business Intelligence Publisher
13.1.2
Install Oracle Business Intelligence Publisher
13.1.3
Set Up Oracle Reports in Oracle Business Intelligence Publisher
13.1.4
Set Up Audit Report Templates
13.1.5
Set Up Audit Report Filters
13.1.6
Configure Scheduler in Oracle Business Intelligence Publisher
13.2
Organization of Audit Reports
13.3
View Audit Reports
13.4
Example of Oracle Business Intelligence Publisher Reports
13.5
Audit Report Details
13.5.1
List of Audit Reports in Oracle Business Intelligence Publisher
13.5.2
Attributes of Audit Reports in Oracle Business Intelligence Publisher
13.6
Customizing Audit Reports
13.6.1
Using Advanced Filters on Pre-built Reports
13.6.2
Creating Custom Reports
Part IV Single Sign-On Configuration
14
Introduction to Single Sign-On in Oracle Fusion Middleware
14.1
Choosing the Right SSO Solution for Your Deployment
14.2
Introduction: OAM Authentication Provider for WebLogic Server
14.2.1
About Using the Identity Asserter Function with Oracle Access Manager
14.2.2
About Using the Authenticator Function with Oracle Access Manager
14.2.3
Choosing Applications for Oracle Access Manager SSO Scenarios and Solutions
14.2.3.1
Applications Using Oracle Access Manager for the First Time
14.2.3.2
Applications Migrating from Oracle Application Server to Oracle WebLogic Server
14.2.3.3
Applications Using OAM Security Provider for WebLogic SSPI
14.2.4
Implementation: Using the Provider with OAM 11g versus OAM 10g
14.2.5
Requirements for the Provider with Oracle Access Manager
14.3
Setting Up Debugging in the WebLogic Administration Console
15
Configuring Single Sign-On with Oracle Access Manager 11g
15.1
Introduction to Oracle Access Manager 11g SSO
15.1.1
Previewing Pre-Seeded OAM 11g Policies for Use by the OAM 10g AccessGate
15.2
Deploying the Oracle Access Manager 11g SSO Solution
15.2.1
Installing the Authentication Provider with Oracle Access Manager 11g
15.2.2
Provisioning an OAM Agent with Oracle Access Manager 11g
15.2.2.1
About WebGate Provisioning Methods for Oracle Access Manager 11g
15.2.2.2
Provisioning a WebGate with Oracle Access Manager 11g
15.2.3
Configuring Identity Assertion for SSO with Oracle Access Manager 11g
15.2.3.1
Establishing Trust with Oracle WebLogic Server
15.2.3.2
Configuring Providers in the WebLogic Domain
15.2.3.3
Reviewing the Login Page for the Oracle Access Manager Identity Asserter
15.2.3.4
Testing Oracle Access Manager Identity Assertion for Single Sign-on
15.2.4
Configuring the Authenticator Function for Oracle Access Manager 11g
15.2.4.1
Configuring Providers for the Authenticator in a WebLogic Domain
15.2.4.2
Configuring the Application Authentication Method for the Authenticator
15.2.4.3
Mapping the Authenticated User to a Group in LDAP
15.2.4.4
Testing the Oracle Access Manager Authenticator Implementation
15.2.5
Configuring Identity Assertion for Oracle Web Services Manager and OAM 11g
15.2.5.1
Configuring Oracle Web Services Manager Policies for Web Services
15.2.5.2
Configuring Providers in a WebLogic Domain for Oracle Web Services Manager
15.2.5.3
Testing the Identity Asserter with Oracle Web Services Manager
15.3
Configuring Centralized Log Out for Oracle Access Manager 11g
15.3.1
Logout for 11g WebGate and OAM 11g
15.3.2
Logout for 10g WebGate with Oracle Access Manager 11g
15.4
Synchronizing the User and SSO Sessions: SSO Synchronization Filter
15.5
Troubleshooting Tips
16
Configuring Single Sign-On using Oracle Access Manager 10g
16.1
Deploying SSO Solutions with Oracle Access Manager 10g
16.1.1
Installing and Setting Up Authentication Providers for OAM 10g
16.1.1.1
About Oracle Access Manager 10g Installation and Setup
16.1.1.2
Installing Components and Files for Authentication Providers and OAM 10g
16.1.1.3
Creating Resource Types in Oracle Access Manager 10g
16.1.2
Configuring Global Logout for Oracle Access Manager 10g and 10g WebGates
16.1.2.1
Recommended Process for Configuring Logout
16.1.2.2
Alternative Process for Configuring Logout
16.2
Oracle Access Manager Authentication Provider Parameter List
16.3
Introduction to OAMCfgTool
16.3.1
OAMCfgTool Process Overview
16.3.2
OAMCfgTool Parameters and Values
16.3.2.1
Create Mode Parameters and Values
16.3.2.2
Validate Mode Parameters and Values
16.3.2.3
Delete Mode Parameters and Values
16.3.3
Sample Policy Domain and AccessGate Profile Created with OAMCfgTool
16.3.4
Known Issues: JAR Files and OAMCfgTool
16.4
Configuring OAM Identity Assertion for SSO with Oracle Access Manager 10g
16.4.1
Establishing Trust with Oracle WebLogic Server
16.4.1.1
Setting Up the Application Authentication Method for SSO
16.4.1.2
Confirming mod_weblogic for Oracle Access Manager Identity Asserter
16.4.1.3
Establishing Trust between Oracle WebLogic Server and Other Entities
16.4.2
Configuring the Authentication Scheme for the Identity Asserter
16.4.2.1
Creating an Authentication Scheme, Policy Domain, and a WebGate Profile
16.4.3
Configuring Providers in the WebLogic Domain
16.4.3.1
About Oracle WebLogic Server Authentication and Identity Assertion Providers
16.4.3.2
About the Oracle WebLogic Scripting Tool (WLST)
16.4.3.3
Setting Up Providers for Oracle Access Manager Identity Assertion
16.4.4
Setting Up the Login Form for the Identity Asserter and OAM 10g
16.4.5
Testing Identity Assertion for SSO with OAM 10g
16.5
Configuring the Authenticator for Oracle Access Manager 10g
16.5.1
Creating an Authentication Scheme for the Authenticator
16.5.2
Configuring a Policy Domain for the Oracle Access Manager Authenticator
16.5.2.1
About Creating a Policy Domain
16.5.2.2
Creating a Policy Domain and Access Policies for the Authenticator
16.5.3
Configuring Providers for the Authenticator in a WebLogic Domain
16.5.4
Configuring the Application Authentication Method for the Authenticator
16.5.5
Mapping the Authenticated User to a Group in LDAP
16.5.6
Testing the Oracle Access Manager Authenticator Implementation
16.6
Configuring Identity Assertion for Oracle Web Services Manager and OAM 10g
16.6.1
Creating a Policy Domain for Use with Oracle Web Services Manager
16.6.2
Configuring Oracle Web Services Manager Policies for Web Services
16.6.3
Configuring Providers in a WebLogic Domain for Oracle Web Services Manager
16.6.4
Testing the Identity Asserter with Oracle Web Services Manager
16.7
Synchronizing the User and SSO Sessions: SSO Synchronization Filter
16.8
Troubleshooting Tips for OAM Provider Deployments
16.8.1
About Using IPv6
16.8.2
Apache Bridge Failure: Timed Out
16.8.3
Authenticated User with Access Denied
16.8.4
Browser Back Button Results in Error
16.8.5
Cannot Reboot After Adding OAM and OID Authenticators
16.8.6
Client in Cluster with Load-Balanced WebGates
16.8.7
Error 401: Unable to Access the Application
16.8.8
Error 403: Unable to Access the Application
16.8.9
Error 404: Not Found ... Anything Matching the Request URI
16.8.10
Error Issued with the Action URL in Form Login Page
16.8.11
Error or Failure on Oracle WebLogic Server Startup
16.8.12
JAAS Control Flag
16.8.13
Login Form is Shown Repeatedly Upon Credential Submission: No Error
16.8.14
Logout and Session Time Out Issues
16.8.15
Not Found: The requested URL or Resource Was Not Found
16.8.16
Oracle WebLogic Server Fails to Start
16.8.17
Oracle ADF Integration and Cert Mode
16.8.18
About Protected_JSessionId_Policy
17
Configuring Single Sign-On using OracleAS SSO 10g
17.1
Deploying the OracleAS 10g Single Sign-On (OSSO) Solution
17.1.1
Using the OSSO Identity Asserter
17.1.1.1
Oracle WebLogic Security Framework
17.1.1.2
OSSO Identity Asserter Processing
17.1.1.3
Consumption of Headers with OSSO Identity Asserter
17.1.2
New Users of the OSSO Identity Asserter
17.1.2.1
Configuring mod_weblogic
17.1.2.2
Registering Oracle HTTP Server mod_osso with OSSO Server 10.1.4
17.1.2.3
Configuring mod_osso to Protect Web Resources
17.1.2.4
Adding Providers to a WebLogic Domain for OSSO
17.1.2.5
Establishing Trust Between Oracle WebLogic Server and Other Entities
17.1.2.6
Configuring the Application for the OSSO Identity Asserter
17.2
Synchronizing the User and SSO Sessions: SSO Synchronization Filter
17.3
Troubleshooting for an OSSO Identity Asserter Deployment
17.3.1
SSO-Related Problems
17.3.2
OSSO Identity Asserter-Related Problems
17.3.3
URL Rewriting and JSESSIONID
17.3.4
About mod_osso, OSSO Cookies, and Directives
17.3.4.1
New OssoHTTPOnly Directive in mod_osso
17.3.4.2
OssoSecureCookies Directive in mod_osso
17.3.4.3
Mod_osso Does Not Encode the Return URL
17.3.4.4
mod_osso: "Page Not found" error After Default Installation
17.3.5
About Using IPv6
Part V Developing with Oracle Platform Security Services APIs
18
Developing Secure Applications with Oracle Platform Security Services
18.1
OPSS for Developers
18.1.1
The Development Cycle
18.1.2
Challenges of Securing Java Applications
18.1.3
Meeting the Challenges with Oracle Platform Security Services
18.1.4
OPSS Architecture
18.2
OPSS APIs
18.2.1
The LoginService API
18.2.2
The User and Role API
18.2.3
JAAS Authorization and the JpsAuth.checkPermission API
18.2.4
The Credential Store Framework API
18.3
Common Uses of OPSS
18.3.1
JavaEE Application using OPSS APIs
18.3.2
Authenticating with OPSS APIs
18.3.3
Programmatic Authorization
18.3.4
Credential Store Framework
18.3.5
User and Role
18.3.6
Oracle ADF Authorization
18.3.7
JavaSE Application Using OPSS APIs
18.4
Using OPSS with Oracle Application Development Framework
18.4.1
About Oracle ADF
18.4.2
How Oracle ADF Uses OPSS
18.4.3
The Oracle ADF Development Life Cycle
18.5
Using the Oracle Security Developer Tools
18.6
Using OPSS Outside Oracle JDeveloper/Oracle ADF
19
The OPSS Policy Model
19.1
The Security Policy Model
19.2
Authorization Overview
19.2.1
Introduction to Authorization
19.2.2
The JavaEE Authorization Model
19.2.2.1
Declarative Authorization
19.2.2.2
Programmatic Authorization
19.2.2.3
JavaEE Code Example
19.2.3
The JAAS Authorization Model
19.3
The JAAS/OPSS Authorization Model
19.3.1
The Resource Catalog
19.3.2
Managing Policies
19.3.3
Checking Policies
19.3.3.1
Using the Method checkPermission
19.3.3.2
Using the Methods doAs and doAsPrivileged
19.3.3.3
Using the Method checkBulkAuthorization
19.3.3.4
Using the Method getGrantedResources
19.3.4
The Class ResourcePermission
20
Integrating JavaEE Application Security with OPSS
20.1
Introduction
20.2
Terminology
20.3
Oracle Identity and Access Management Suite
20.3.1
OID for Identity and Policy Stores
20.3.2
OAM and OSSO for User Authentication and Web SSO
20.3.3
OIM for User and Role Provisioning
20.3.4
OPSS for User and Role Profiling
20.3.5
OPSS for User Authorization
20.3.6
OAPM for Application Policy Management
20.3.7
OPSS for Cryptography
20.4
Security Life Cycle of an Application
20.4.1
Development Phase
20.4.2
Deployment Phase
20.4.3
Management Phase
20.4.4
Summary of Tasks per Participant per Phase
20.5
Getting Started with Application Security Integration
20.5.1
Oracle Platform Security Services
20.5.2
Use Case 1 - J2EE Application
20.6
Required Security Features
20.6.1
Credentials
20.6.2
Authentication
20.6.3
Authorization
20.6.4
User and Role Management
20.7
Integrating Authentication
20.7.1
Container-Based Authentication
20.7.2
Oracle WebLogic Server Authentication Providers
20.7.3
Programmatic Authentication
20.7.4
Single Sign-On through OPSS
20.8
Integrating Authorization
20.8.1
Functional Security
20.8.1.1
The Functional Security Model
20.8.1.2
Checking Permissions with CheckPermission
20.8.2
Functional Security with ADF
20.9
Integrating the Credential Store
20.9.1
Guidelines for Using CSF
20.9.2
Cryptography
21
Manually Configuring JavaEE Applications to Use OPSS
21.1
Configuring the Servlet Filter and the EJB Interceptor
21.1.1
Interceptor Configuration Syntax
21.1.2
Summary of Filter and Interceptor Parameters
21.1.3
The JMX Interceptor
21.2
Choosing the Appropriate Class for Enterprise Groups and Users
21.3
Packaging a JavaEE Application Manually
21.3.1
Packaging Policies with Application
21.3.2
Packaging Credentials with Application
21.4
Configuring Applications to Use OPSS
21.4.1
Parameters Controlling Policy Migration
21.4.2
Policy Parameter Configuration According to Behavior
21.4.2.1
To Skip Migrating All Policies
21.4.2.2
To Migrate All Policies with Merging
21.4.2.3
To Migrate All Policies with Overwriting
21.4.2.4
To Remove (or Prevent the Removal of) Application Policies
21.4.2.5
To Migrate Policies in a Static Deployment
21.4.2.6
Recommendations
21.4.3
Using a Wallet-Based Credential Store
21.4.4
Parameters Controlling Credential Migration
21.4.5
Credential Parameter Configuration According to Behavior
21.4.5.1
To Skip Migrating Credentials
21.4.5.2
To Migrate Credentials with Merging
21.4.5.3
To Migrate Credentials with Overwriting
21.4.6
Supported Permission Classes
21.4.6.1
Policy Store Permission
21.4.6.2
Credential Store Permission
21.4.6.3
Generic Permission
21.4.7
Specifying Bootstrap Credentials Manually
21.4.8
Migrating Identities with migrateSecurityStore
21.4.9
Example of Configuration File jps-config.xml
22
Developing Authentication
22.1
Links to Authentication Topics for JavaEE Applications
22.2
Developing Authentication for JavaSE Applications
22.2.1
The Identity Store
22.2.2
Configuring an LDAP Identity Store in JavaSE Applications
22.2.3
Supported Login Modules for JavaSE Applications
22.2.3.1
The Identity Store Login Module
22.2.3.2
Using the Identity Store Login Module for Authentication
22.2.3.3
Using the Identity Login Module for Assertion
22.2.4
Using the OPSS API LoginService in JavaSE Applications
23
Developing with the Credential Store Framework
23.1
About the Credential Store Framework API
23.2
Overview of Application Development with CSF
23.3
Setting the Java Security Policy Permissions
23.3.1
Guidelines for Granting Permissions
23.3.2
Permissions Grant Example 1
23.3.3
Permissions Grant Example 2
23.4
Guidelines for the Map Name
23.5
Configuring the Credential Store
23.6
Steps for Using the API
23.6.1
Using the CSF API in a Standalone Environment
23.6.2
Using the CSF API in Oracle WebLogic Server
23.7
Examples
23.7.1
Code for CSF Operations
23.7.2
Example 1: JavaSE Application with Wallet Store
23.7.3
Example 2: JavaEE Application with Wallet Store
23.7.4
Example 3: JavaEE Application with LDAP Store
23.8
Best Practices
24
Developing Authorization
24.1
Configuring Policy and Credential Stores in JavaSE Applications
24.1.1
Configuring File-Based Policy and Credential Stores
24.1.2
Configuring LDAP-Based Policy and Credential Stores
24.1.3
Configuring DB-Based OPSS Security Stores
24.2
Unsupported Methods for File-Based Policy Stores
25
Developing with the User and Role API
25.1
Introduction to the User and Role API Framework
25.1.1
User and Role API and the Oracle WebLogic Server Authenticators
25.2
Summary of Roles and Classes
25.3
Working with Service Providers
25.3.1
Understanding Service Providers
25.3.2
Setting Up the Environment
25.3.3
Selecting the Provider
25.3.4
Creating the Provider Instance
25.3.5
Properties for Provider Configuration
25.3.5.1
Start-time and Run-time Configuration
25.3.5.2
ECID Propagation
25.3.5.3
When to Pass Configuration Values
25.3.6
Configuring the Provider when Creating a Factory Instance
25.3.6.1
Oracle Internet Directory Provider
25.3.6.2
Using Existing Logger Objects
25.3.6.3
Supplying Constant Values
25.3.6.4
Configuring Connection Parameters
25.3.6.5
Configuring a Custom Connection Pool Class
25.3.7
Configuring the Provider when Creating a Store Instance
25.3.8
Runtime Configuration
25.3.9
Programming Considerations
25.3.9.1
Provider Portability Considerations
25.3.9.2
Considerations when Using IdentityStore Objects
25.3.10
Provider Life cycle
25.4
Searching the Repository
25.4.1
Searching for a Specific Identity
25.4.2
Searching for Multiple Identities
25.4.3
Specifying Search Parameters
25.4.4
Using Search Filters
25.4.4.1
Operators in Search Filters
25.4.4.2
Handling Special Characters when Using Search Filters
25.4.4.3
Examples of Using Search Filters
25.4.5
Searching by GUID
25.5
User Authentication
25.6
Creating and Modifying Entries in the Identity Store
25.6.1
Handling Special Characters when Creating Identities
25.6.2
Creating an Identity
25.6.3
Modifying an Identity
25.6.4
Deleting an Identity
25.7
Examples of User and Role API Usage
25.7.1
Example 1: Searching for Users
25.7.2
Example 2: User Management in an Oracle Internet Directory Store
25.7.3
Example 3: User Management in a Microsoft Active Directory Store
25.8
SSL Configuration for LDAP-based User and Role API Providers
25.8.1
Out-of-the-box Support for SSL
25.8.1.1
System Properties
25.8.1.2
SSL configuration
25.8.2
Customizing SSL Support for the User and Role API
25.8.2.1
SSL configuration
25.9
The User and Role API Reference
25.10
Developing Custom User and Role Providers
25.10.1
SPI Overview
25.10.2
Types of User and Role Providers
25.10.3
Developing a Read-Only Provider
25.10.3.1
SPI Classes Requiring Extension
25.10.3.2
oracle.security.idm.spi.AbstractIdentityStoreFactory
25.10.3.3
oracle.security.idm.spi.AbstractIdentityStore
25.10.3.4
oracle.security.idm.spi.AbstractRoleManager
25.10.3.5
oracle.security.idm.spi.AbstractUserManager
25.10.3.6
oracle.security.idm.spi.AbstractRoleProfile
25.10.3.7
oracle.security.idm.spi.AbstractUserProfile
25.10.3.8
oracle.security.idm.spi.AbstractSimpleSearchFilter
25.10.3.9
oracle.security.idm.spi.AbstractComplexSearchFilter
25.10.3.10
oracle.security.idm.spi.AbstractSearchResponse
25.10.4
Developing a Full-Featured Provider
25.10.5
Development Guidelines
25.10.6
Testing and Verification
25.10.7
Example: Implementing an Identity Provider
25.10.7.1
About the Sample Provider
25.10.7.2
Overview of Implementation
25.10.7.3
Configure jps-config.xml to use the Sample Identity Provider
25.10.7.4
Configure Oracle WebLogic Server
The User and Role SPI Reference
oracle.security.idm.spi.AbstractUserProfile
oracle.security.idm.spi.AbstractUserManager
oracle.security.idm.spi.AbstractUser
oracle.security.idm.spi.AbstractSubjectParser
oracle.security.idm.spi.AbstractStoreConfiguration
oracle.security.idm.spi.AbstractSimpleSearchFilter
oracle.security.idm.spi.AbstractSearchResponse
oracle.security.idm.spi.AbstractRoleProfile
oracle.security.idm.spi.AbstractRoleManager
oracle.security.idm.spi.AbstractRole
oracle.security.idm.spi.AbstractIdentityStoreFactory
oracle.security.idm.spi.AbstractIdentityStore
oracle.security.idm.spi.AbstractComplexSearchFilter
Part VI Appendices
A
OPSS Configuration File Reference
A.1
Top- and Second-Level Element Hierarchy
A.2
Lower-Level Elements
<description>
<extendedProperty>
<extendedPropertySet>
<extendedPropertySetRef>
<extendedPropertySets>
<jpsConfig>
<jpsContext>
<jpsContexts>
<name>
<property>
<propertySet>
<propertySetRef>
<propertySets>
<serviceInstance>
<serviceInstanceRef>
<serviceInstances>
<serviceProvider>
<serviceProviders>
<value>
<values>
B
File-Based Identity and Policy Store Reference
B.1
Hierarchy of Elements in system-jazn-data.xml
B.2
Elements and Attributes of system-jazn-data.xml
<actions>
<actions-delimiter>
<app-role>
<app-roles>
<application>
<applications>
<attribute>
<class>
<codesource>
<credentials>
<description>
<display-name>
<extended-attributes>
<grant>
<grantee>
<guid>
<jazn-data>
<jazn-policy>
<jazn-realm>
<matcher-class>
<member>
<member-resource>
<member-resources>
<members>
<name>
<owner>
<owners>
<permission>
<permissions>
<permission-set>
<permission-sets>
<policy-store>
<principal>
<principals>
<provider-name>
<realm>
<resource>
<resources>
<resource-name>
<resource-type>
<resource-types>
<role>
<role-categories>
<role-category>
<role-name-ref>
<roles>
<type>
<type-name-ref>
<uniquename>
<url>
<user>
<users>
<value>
<values>
C
Oracle Fusion Middleware Audit Framework Reference
C.1
Audit Events
C.1.1
What Components Can be Audited?
C.1.2
What Events can be Audited?
C.1.2.1
Oracle Directory Integration Platform Events and their Attributes
C.1.2.2
Oracle Platform Security Services Events and their Attributes
C.1.2.3
Oracle HTTP Server Events and their Attributes
C.1.2.4
Oracle Internet Directory Events and their Attributes
C.1.2.5
Oracle Identity Federation Events and their Attributes
C.1.2.6
Oracle Virtual Directory Events and their Attributes
C.1.2.7
OWSM-Agent Events and their Attributes
C.1.2.8
OWSM-PM-EJB Events and their Attributes
C.1.2.9
Reports Server Events and their Attributes
C.1.2.10
WS-Policy Attachment Events and their Attributes
C.1.2.11
Oracle Web Cache Events and their Attributes
C.1.2.12
Oracle Web Services Manager Events and their Attributes
C.1.3
Event Attribute Descriptions
C.2
Pre-built Audit Reports
C.2.1
Common Audit Reports
C.2.2
Component-Specific Audit Reports
C.3
The Audit Schema
C.4
WLST Commands for Auditing
C.4.1
getNonJavaEEAuditMBeanName
C.4.1.1
Description
C.4.1.2
Syntax
C.4.1.3
Example
C.4.2
getAuditPolicy
C.4.2.1
Description
C.4.2.2
Syntax
C.4.2.3
Example
C.4.3
setAuditPolicy
C.4.3.1
Description
C.4.3.2
Syntax
C.4.3.3
Example
C.4.4
getAuditRepository
C.4.4.1
Description
C.4.4.2
Syntax
C.4.4.3
Example
C.4.5
setAuditRepository
C.4.5.1
Description
C.4.5.2
Syntax
C.4.5.3
Example
C.4.6
listAuditEvents
C.4.6.1
Description
C.4.6.2
Syntax
C.4.6.3
Example
C.4.7
exportAuditConfig
C.4.7.1
Description
C.4.7.2
Syntax
C.4.7.3
Example
C.4.8
importAuditConfig
C.4.8.1
Description
C.4.8.2
Syntax
C.4.8.3
Example
C.5
Audit Filter Expression Syntax
C.6
Naming and Logging Format of Audit Files
D
User and Role API Reference
D.1
Mapping User Attributes to LDAP Directories
D.2
Mapping Role Attributes to LDAP Directories
D.3
Default Configuration Parameters
D.4
Secure Connections for Microsoft Active Directory
E
Administration with WLST Scripting and MBean Programming
E.1
Configuring OPSS Service Provider Instances with a WLST Script
E.2
Configuring OPSS Services with MBeans
E.2.1
List of Supported OPSS MBeans
E.2.2
Invoking an OPSS MBean
E.2.3
Programming with OPSS MBeans
E.3
Access Restrictions
E.3.1
Annotation Examples
E.3.2
Mapping of Logical Roles to WebLogic Roles
E.3.3
Particular Access Restrictions
F
OPSS System and Configuration Properties
F.1
OPSS System Properties
F.2
OPSS Configuration Properties
F.2.1
Policy Store Properties
F.2.1.1
Policy Store Configuration
F.2.1.2
Runtime Policy Store Configuration
F.2.2
Credential Store Properties
F.2.3
LDAP Identity Store Properties
F.2.4
Properties Common to All LDAP-Based Instances
F.2.5
Anonymous and Authenticated Roles Properties
G
Upgrading Security Data
G.1
Upgrading Security Data with upgradeSecurityStore
G.1.1
Examples of Use
G.1.1.1
Example 1 - Upgrading Identities
G.1.1.2
Example 2 - Upgrading to File-Based Policies
G.1.1.3
Example 3 - Upgrading to Oracle Internet Directory LDAP-Based Policies
G.1.1.4
Example 4 - Upgrading File-Based Policies to Use the Resource Catalog
G.2
Upgrading Policies with upgradeOpss
H
References
H.1
OPSS API References
I
OPSS Scripts
I.1
Policy-Related Scripts
I.2
Credential-Related Scripts
I.3
Other Security Scripts
I.4
Audit Scripts
J
Using an OpenLDAP Identity Store
J.1
Using an OpenLDAP Identity Store
K
Adapter Configuration for Identity Virtualization
K.1
About Split Profiles
K.2
Configuring a Split Profile
K.3
Deleting a Join Rule
K.4
Deleting a Join Adapter
K.5
Changing Adapter Visibility
L
Troubleshooting Security in Oracle Fusion Middleware
L.1
Diagnosing Security Errors
L.1.1
Log Files
L.1.1.1
Diagnostic Log Files
L.1.1.2
Generic Log Files
L.1.1.3
Audit Diagnostic Log Files
L.1.1.4
Using Fusion Middleware Control Logging Support
L.1.2
System Properties
L.1.2.1
jps.auth.debug
L.1.2.2
jps.auth.debug.verbose
L.1.2.3
Debugging the Authorization Process
L.1.3
Solving Security Errors
L.1.3.1
Understanding Sample Log Entries
L.1.3.2
Searching Logs with Fusion Middleware Control
L.1.3.3
Identifying a Message Context with Fusion Middleware Control
L.1.3.4
Generating Error Listing Files with Fusion Middleware Control
L.2
Reassociation Failure
L.2.1
Missing Policies in Reassociated Policy Store
L.3
Server Fails to Start
L.3.1
Missing Required LDAP Authenticator
L.3.2
Missing Administrator Account
L.3.3
Missing Permission
L.3.4
Other Causes
L.4
Failure to Grant or Revoke Permissions - Case Mismatch
L.5
Failure to Connect to an LDAP Server
L.6
Failure to Connect to the Embedded LDAP Authenticator
L.7
User and Role API Failure
L.8
Failure to Access Data in the Credential Store
L.9
Failure to Establish an Anonymous SSL Connection
L.10
Authorization Check Failure
L.11
User Gets Unexpected Permissions
L.12
Security Access Control Exception
L.13
Permission Check Failure
L.14
Policy Migration Failure
L.15
Characters in Policies
L.15.1
Use of Special Characters in Oracle Internet Directory 10.1.4.3
L.15.2
XML Policy Store that Contains Certain Characters
L.15.3
Characters in Application Role Names
L.15.4
Missing Newline Characters in XML Policy Store
L.16
Granting Permissions in J2SE Applications
L.17
Troubleshooting Oracle Business Intelligence Reporting
L.17.1
Audit Templates for Oracle Business Intelligence Publisher
L.17.2
Oracle Business Intelligence Publisher Time Zone
L.18
Search Failure when Matching Attribute in Policy Store
L.19
Search Failure with an Unknown Host Exception
L.20
Incompatible Versions of Binaries and Policy Store
L.21
Need Further Help?
Index