Oracle® Communications Marketing and Advertising System Administrator's Guide
Release 5.1

Part Number E20558-01

4 Setting Up Web Services Security and JMX Policy

This chapter provides a high level overview of security settings for Web services and for Operation and Management (OAM) MBeans in Oracle Communications Marketing and Advertising.

It describes two types of security settings:

Web Services Security

Web services security provides end-to-end message-level security for Web services through an implementation of the WS-Security standard. It defines a mechanism for adding three levels of security to SOAP messages:

Marketing and Advertising uses an Oracle WebLogic Server mechanism for Web Services Security: WSSE policies. For information about WebLogic Security, see Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server at:

http://download.oracle.com/docs/cd/E15523_01/web.1111/e13710/toc.htm

Authentication is handled transparently by WS-Security and subsequently by the configured authentication providers and login modules of the WebLogic Security framework. WS-Security also supports signing and encrypting a message: it provides a security token hierarchy associated with the keys used for signing and encryption, which ensures message integrity and confidentiality.

The following outlines the general WebLogic security configurations that can be performed, either automatically using a script or manually from the Administration console.

Deploying the Web Services EAR

The administration Web services EAR, ocma-ws.ear, is not deployed by default in any installation except for those using the basic collocated domain template.

If you wish to use the administration Web services in other environments, you need to deploy this EAR. The EAR file can be found in Middleware_Home/ocma_5.1/applications.

There are many ways to deploy applications in WebLogic Server. See Deploying Applications to Oracle WebLogic Server at:

http://download.oracle.com/docs/cd/E15523_01/web.1111/e13702/toc.htm

Using WS-Policy

This section describes how to apply an existing WS-Policy. It also describes where to find more information on creating and using custom WS-Policies.

Apply WS-Policy to a Web Service

Use this overview to apply a WSSE policy to a Web service endpoint in Marketing and Advertising.

Marketing and Advertising uses standard WebLogic Server mechanisms. See the online help for the WebLogic Server Administration console for a full description of how to associate a WS-Policy file with an administration Web service.

To associate a WS-Policy with an operation

  1. In the Domain Structure panel, select Deployments.

    The Summary of Deployments screen appears.

  2. Select the Control tab if it is not already selected.

  3. Expand the ocma-ws section by clicking the +.

  4. Under Web services, click the Web service on which you wish to apply Web Services security: for example, AccountManager or CampaignManager.

    The Settings for Web Service screen appears.

  5. Click the Configuration tab.

  6. Click the WS-Policy sub-tab.

  7. Do one of the following:

    • To apply a policy to a single operation, expand the operations list by clicking the + next to Web ServiceTypePort and select the operation whose WS-Policy you wish to edit.

    • To apply a policy to all the operations in a Web service, click Web ServiceTypePort.

    The Configure a Web Service Policy page appears.

  8. Use the first page if you wish to configure WS-Policy for both inbound and outbound requests. Click Next if you wish to specify only inbound options and Next again if you wish to specify only outbound options.

    To apply a policy, select the policy and click the right-facing arrow to move it from the Available Policies to the Chosen Policies.

    To revoke a policy, select the policy and click the left-facing arrow to move it from the Chosen Policies to the Available Policies.

  9. When you are done, click Finish.

Available Default WS-Policies

WS-Policy files can be used to require application clients to authenticate, digitally encrypt, or digitally sign SOAP messages. For a list of the WS-SecurityPolicy 1.2 files supplied by WLS, see Using WS-SecurityPolicy 1.2 Policy Files at:

http://download.oracle.com/docs/cd/E15523_01/web.1111/e13713/message.htm#WSSOV310

By default, a default_x509_cp credential provider is set up for Marketing and Advertising, but you can modify it to suit your installation. If the built-in WS-Policy files do not meet your security needs, you can build custom policies as described in Creating and Using Custom WS-Policy. WS-Policy assertions are used to specify a Web service's requirements for digital signatures and encryption, along with the related security algorithms and authentication mechanisms.
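After a policy is applied, it is worth confirming that client requests actually carry what the policy requires. The following is an added example, not Oracle code: it inspects a SOAP 1.1 message and reports whether it has an authentication token, a signature that covers the Body, and an encrypted Body. The sample messages, the `getAccount` operation and the `wsu:Id` values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

def ws_security_profile(soap_xml):
    """Report which WS-Security parts a message carries (structure only, no crypto)."""
    root = ET.fromstring(soap_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    body = root.find("soap:Body", NS)
    found = {"token": None, "signed_body": False, "encrypted_body": False}
    if sec is None or body is None:
        return found
    if sec.find("wsse:UsernameToken", NS) is not None:
        found["token"] = "username"
    elif sec.find("wsse:BinarySecurityToken", NS) is not None:
        found["token"] = "binary"  # for example an X.509 certificate
    # A signature protects the Body only if a Reference points at the Body's wsu:Id.
    body_id = body.get("{%s}Id" % WSU)
    refs = {r.get("URI") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    found["signed_body"] = body_id is not None and "#" + body_id in refs
    found["encrypted_body"] = body.find("xenc:EncryptedData", NS) is not None
    return found

def sample(header, body_id="", body="<getAccount/>"):
    """Build a constructed SOAP message; getAccount is a hypothetical operation."""
    xmlns = " ".join('xmlns:%s="%s"' % kv for kv in list(NS.items()) + [("wsu", WSU)])
    id_attr = ' wsu:Id="%s"' % body_id if body_id else ""
    return ("<soap:Envelope %s><soap:Header>%s</soap:Header><soap:Body%s>%s</soap:Body>"
            "</soap:Envelope>" % (xmlns, header, id_attr, body))

def signed_header(uri):
    """Constructed Security header: a binary token plus a signature over `uri`."""
    return ("<wsse:Security><wsse:BinarySecurityToken/><ds:Signature><ds:SignedInfo>"
            '<ds:Reference URI="%s"/></ds:SignedInfo></ds:Signature></wsse:Security>' % uri)

USERNAME_ONLY = sample("<wsse:Security><wsse:UsernameToken><wsse:Username>alice"
                       "</wsse:Username></wsse:UsernameToken></wsse:Security>")
SIGNED_OTHER_PART = sample(signed_header("#ts-1"), body_id="body-1")
SIGNED_BODY = sample(signed_header("#body-1"), body_id="body-1")

if __name__ == "__main__":
    for name in ("USERNAME_ONLY", "SIGNED_OTHER_PART", "SIGNED_BODY"):
        print(name, ws_security_profile(globals()[name]))
```

The `SIGNED_OTHER_PART` case is the one to watch for: a signature is present, but it does not reference the Body, so the payload itself is not integrity-protected.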

Creating and Using Custom WS-Policy

For information about creating and using a custom policy file for message-level security, see Oracle Fusion Middleware Securing WebLogic Web Services for Oracle WebLogic Server at:

http://download.oracle.com/docs/cd/E15523_01/web.1111/e13713/toc.htm

There is also information about associating a WS-Policy file with a Web service in the on-line help for WebLogic Server Administration console at:

http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e13952/taskhelp/webservices/ConfigureWSPolicyFile.html

Creating a Web Service Security Configuration

When a deployed WebLogic Web service has been configured to use message-level security (encryption and digital signatures, as described by the WS-Security specification), the Web services runtime determines whether a Web service security configuration is also associated with the service. This security configuration specifies information such as whether to use an X.509 certificate for identity, whether to use password digests, the keystore to be used for encryption, and so on. A single security configuration can be associated with many Web services.

WebLogic Web services are not required to be associated with a security configuration. If the default behavior of the Web services security runtime is adequate, no additional configuration is needed. If, however, a Web service requires different behavior from the default (such as using an X.509 certificate for identity, rather than the default username/password token), the Web service must be associated with a security configuration.

The default security configuration is default_wss. It must be created using the Administration console, following the steps in Create a Web Service security configuration in the Administration Console Online Help at:

http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e13952/pagehelp/J2EEwebservicewebservicesecuritycreatetitle.html

Setting Up JMX Policy

You use Java Management Extension (JMX) MBeans Access to control access to the OAM functionality of Marketing and Advertising, both through the Administration console and through external mechanisms. Access to these MBeans is controlled by JMX Policy, which associates management user groups with access privilege levels. When Marketing and Advertising is installed, there are no controls established by default on access to the OAM MBeans. Each installation must make decisions about access based on its own needs.

Management Groups

Management users and groups are set up as described in "Setting Up Management Users". To control how these users have access to MBeans, and thus OAM functionality, you must assign JMX Policy to these user groups. You use WebLogic Server Administration console to do this, as described in the on-line help for the Administration console at:

http://download.oracle.com/docs/cd/E12839_01/apirefs.1111/e13952/core/index.html

Each policy can do the following:

  • Control read access for all of an MBean's attributes or for specific attributes that you select.

  • Control write access for all of an MBean's attributes or for specific attributes that you select.

  • Control invoke access for all of an MBean's operations or for specific operations that you select.

Management Service Groups

In addition to controlling access to OAM functionality in a general way (ReadOnly, ReadWrite, etc.), you may also wish to control access by service group. For example, if you have users whose job is limited to setting up and managing some aspects of provisioning, but not all, you might want to give them, and only them, ReadWrite privileges, but only to a subset of the available MBeans. To do this you have to create custom XACML policies to attach to these subsets. Oracle Communications Services Gatekeeper uses the standard WebLogic Server mechanisms for doing this. For the basic process you must:

  • Determine the special identifier (called the resourceId) for each MBean.

  • Create an XACML policy for a security role.

  • Specify one or more Rule elements that define which users, groups, or roles belong to the new security role.

  • Attach this role to the MBean by way of the resourceId.

For more information, see "Using XACML Documents to Secure WebLogic Resources" in Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server at:

http://download.oracle.com/docs/cd/E15523_01/web.1111/e13747/xacmlusing.htm#i1276253