This section contains the typical security tasks you can perform with Oracle CEP Visualizer, including:
For more information, see "Configuring Security for Oracle CEP" in the Oracle Complex Event Processing Administrator's Guide.
Oracle CEP uses role-based authorization control to secure the Oracle CEP Visualizer and the wlevs.Admin
command-line utility. There are a variety of default out-of-the-box security groups. You can add users to different groups to give them the different roles.
Administrators who use Oracle CEP Visualizer, wlevs.Admin,
or any custom administration application that uses JMX to connect to an Oracle CEP instance use role-based authorization to gain access.
You can also use role-based authorization to control access to the HTTP publish-subscribe server.
There are two types of role:
Application roles: application roles grant users the permission to access various Oracle CQL applications deployed to the Oracle CEP server. You can create application roles and associate them with the task roles that Oracle CEP provides.
By default, administrator users can access any application and non-administration users cannot access any applications. Before a none-administration user can access an application, an administration user must grant the user the associated application role.
Task roles: task roles grant users the permission to perform various tasks with the applications their application role authorizes them to access. Oracle CEP provides the default task roles that Table 20-1 describes.
Users that successfully authenticate themselves when using Oracle CEP Visualizer or wlevs.Admin
are assigned roles based on their group membership, and then subsequent access to administrative functions is restricted according to the roles held by the user. Anonymous users (non-authenticated users) will not have any access to the Oracle CEP Visualizer or wlevs.Admin
.
When an administrator uses the Configuration Wizard to create a new domain, they enter an administrator user that will be part of the wlevsAdministrators
group. By default, this information is stored in a file-based provider filestore. The password is hashed using the SHA-256 algorithm. The default administrator user is named wlevs
with password wlevs
.
Table 20-1 describes the default Oracle CEP task roles available right after the creation of a new domain, as well as the name of the groups that are assigned to these roles.
Table 20-1 Default Oracle CEP Task Roles and Groups
Task Role | Group | Privileges |
---|---|---|
|
wlevsAdministrators |
Has all privileges of all the preceding roles, as well as permission to:
|
|
wlevsApplicationAdmins |
Has all Operator privileges as well as permission to update the configuration of any deployed application. |
|
wlevsBusinessUsers |
Has all Operator privileges as well as permission to update the Oracle CQL and EPL rules associated with the processor of a deployed application. |
|
wlevsDeployers |
Has all Operator privileges as well as permission to deploy, undeploy, update, suspend, and resume any deployed application. |
|
wlevsMonitors |
Has all Operator privileges as well as permission to enable/disable diagnostic functions, such as creating a diagnostic profile and recording events (then playing them back.) |
|
wlevsOperators |
Has read-only access to all server resources, services, and deployed applications. |
Once the domain has been created, the administrator can use Oracle CEP Visualizer to create a group and associate it with one or more roles: each role grants access to an application. When you assign a user to a group, the roles you associate with the group give the user the privileges to access those applications.
Using Oracle CEP Visualizer, you can:
Oracle CEP provides an HTTP Publish-Subscribe Server (HTTP pub-sub server): a mechanism whereby Web clients subscribe to channels (similar to a topic in JMS) and then publish messages to these channels using asynchronous messages over HTTP and subscribe to these channels to receive messages as they become available.
Using Oracle CEP Visualizer, you can specify which users can access HTTP publish-subscribe server channels.
For more information, see:
Chapter 24, "Managing HTTP Publish-Subscribe Server Security"
"Configuring HTTP Publish-Subscribe for Oracle CEP" in the Oracle Complex Event Processing Administrator's Guide
Oracle CEP provides one-way Secure Sockets Layer (SSL) to secure network traffic between Oracle CEP Visualizer and Oracle CEP server instances, between the Oracle CEP server instances of a multi-server domain, and between the wlevs.Admin
command-line utility and Oracle CEP server instances.
You configure SSL in the Oracle CEP server config.xml
file. By default, the Configuration Wizard creates the config.xml
file in the ORACLE_CEP_HOME
/user_projects/domains/
DOMAIN_DIR
/
servername
/config
directory, where ORACLE_CEP_HOME
refers to the Oracle CEP installation directory (such as d:/oracle_cep
), DOMAIN_DIR
refers to the domain directory (such as my_domain
), and servername
refers to the server instance directory (such as server1
).
For more information, see: