26 Securing a Deployment

This chapter contains the following sections:

26.1 Authorizing and Hardening

Securing an Oracle Identity Manager deployment is achieved through authorization and hardening. Authorization controls the access to various components. Hardening secures the components from potential security threats.

Table 26-1 lists the various topics that you can refer for information about securing an Oracle Identity Manager deployment:

Table 26-1 Securing a Deployment

Topic | Topic Type | Information Covered
"Managing the Scheduler" | Hardening | Scheduled tasks and scheduled jobs. Ensure that only required scheduled tasks are enabled.
"System Properties in Oracle Identity Manager" | Hardening | System properties related to system behavior. Ensure that password policies and challenge questions and answers are defined.
"Creating the User Account for Installing Connectors" | Hardening | Specific permissions required to install connectors.
"Configuring Secure Cookies" | Hardening | Enabling Oracle Identity Manager to work over SSL.
"Configuring LDAP Authentication When LDAP Synchronization is Enabled" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite | Hardening | Enabling LDAP authentication.
"URL Changes Related to Oracle Identity Manager" | Hardening | Steps to make the corresponding changes in the Oracle Identity Manager and Oracle WebLogic configuration for any URL change in the integrated and dependent applications.
"Password Changes Related to Oracle Identity Manager" | Hardening | Steps to make the corresponding password changes in the Oracle Identity Manager and Oracle WebLogic configuration for any password change in the dependent or integrated products.
"Configuring SSL for Oracle Identity Manager" | Hardening | Securing Oracle Identity Manager by configuring SSL.
"Managing Password Policies" in Performing Self Service Tasks with Oracle Identity Manager | Hardening | Password policy configuration.
"Security Architecture" in the Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager | Authorization | Authorization and security model in Oracle Identity Manager.
"Check Permissions for Roles" in the Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager | Authorization | Permissions required for roles while importing and exporting roles. Check for errors in setting data object permissions if a data object is missing.


See Also:

Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management and Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management for information about Oracle Identity Management software integrations and related security aspects

26.2 Configuring Secure Cookies

The Oracle Identity Manager application is not configured for SSL access by default. As a result, the oimjsessionid cookie used by the Oracle Identity Manager web applications is not marked secure for HTTPS access; in other words, the cookie-secure tag is not set to true. When SSL access to Oracle Identity Manager is enabled, it is recommended to configure oimjsessionid as a secure cookie by setting the cookie-secure tag to true. With this tag set, the browser sends the cookie back over an HTTPS connection only, which ensures that the session ID is transmitted only on HTTPS access to Oracle Identity Manager. This also means that HTTP access to Oracle Identity Manager no longer works once the feature is enabled. In addition, the url-rewriting-enabled element must be disabled, so that the session ID is never carried in the URL instead of the cookie.

Secure cookies need to be configured for the following Oracle Identity Manager UI pages:

  • /identity, available in OIM_HOME/apps/oracle.iam.console.identity.self-service.ear/oracle.iam.console.identity.self-service.war

  • /sysadmin, available in OIM_HOME/apps/oracle.iam.console.identity.sysadmin.ear/oracle.iam.console.identity.sysadmin.war

  • /oim, available in OIM_HOME/apps/oim.ear/iam-consoles-faces.war

  • /xlWebApp, available in OIM_HOME/apps/oim.ear/xlWebApp.war

Secure cookies are configured by updating the deployment plan for each of the applications: oracle.iam.console.identity.self-service.ear, oracle.iam.console.identity.sysadmin.ear, and oim.ear.

This section describes how to configure secure cookies in the default scenario, when there is no deployment plan for these applications, and how to update an existing deployment plan if you have explicitly configured one. This section contains the following topics:

  • Configuring a New Deployment Plan

  • Updating an Existing Deployment Plan

26.2.1 Configuring a New Deployment Plan

A deployment plan specific to each application can be configured by logging in to the WebLogic Administrative Console. The following are sample deployment plans with secure cookies enabled for each of the applications:

  • The following is the sample deployment plan XML for the oracle.iam.console.identity.self-service.ear application. In this deployment plan, cookie-secure is configured to true, and url-rewriting-enabled is configured to false for the oracle.iam.console.identity.self-service.war web application:

    <?xml version='1.0' encoding='UTF-8'?>
    <deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
     
      <application-name>oracle.iam.console.identity.self-service.ear#V2.0</application-name>
      <variable-definition>
        <variable>
          <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
          <value>true</value>
        </variable>
        <variable>
          <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
          <value>false</value>
        </variable>
      </variable-definition>
      <module-override>
        <module-name>oracle.iam.console.identity.self-service.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>weblogic-web-app</root-element>
          <uri>WEB-INF/weblogic.xml</uri>
          <variable-assignment>
            <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
            <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
          </variable-assignment>
          <variable-assignment>
            <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
            <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
          </variable-assignment>
        </module-descriptor>
      </module-override>
    </deployment-plan>
    
  • The following is the sample deployment plan XML for the oracle.iam.console.identity.sysadmin.ear application. In this deployment plan, cookie-secure is configured to true, and url-rewriting-enabled is configured to false for the oracle.iam.console.identity.sysadmin.war web application.

    <?xml version='1.0' encoding='UTF-8'?>
    <deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
     
      <application-name>oracle.iam.console.identity.sysadmin.ear#V2.0</application-name>
      <variable-definition>
        <variable>
          <name>SessionDescriptor_CookieSecure_sysadmin_13909448828173</name>
          <value>true</value>
        </variable>
        <variable>
          <name>SessionDescriptor_UrlRewritingEnabled_sysadmin_139095392691834</name>
          <value>false</value>
        </variable>
      </variable-definition>
      <module-override>
        <module-name>oracle.iam.console.identity.sysadmin.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>weblogic-web-app</root-element>
          <uri>WEB-INF/weblogic.xml</uri>
          <variable-assignment>
            <name>SessionDescriptor_CookieSecure_sysadmin_13909448828173</name>
            <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
          </variable-assignment>
          <variable-assignment>
            <name>SessionDescriptor_UrlRewritingEnabled_sysadmin_139095392691834</name>
            <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
          </variable-assignment>
        </module-descriptor>
      </module-override>
    </deployment-plan>
    
  • The following is the sample deployment plan XML for the oim.ear application. In this deployment plan, cookie-secure is configured to true, and url-rewriting-enabled is configured to false for the iam-consoles-faces.war and xlWebApp.war web applications.

    <?xml version='1.0' encoding='UTF-8'?>
    <deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
     
      <application-name>oim#11.1.2.0.0</application-name>
      <variable-definition>
        <variable>
          <name>SessionDescriptor_CookieSecure_oim_13909448828170</name>
          <value>true</value>
        </variable>
        <variable>
          <name>SessionDescriptor_UrlRewritingEnabled_oim_139095392691831</name>
          <value>false</value>
        </variable>
        <variable>
          <name>SessionDescriptor_CookieSecure_xlWebApp_13909448828171</name>
          <value>true</value>
        </variable>
        <variable>
          <name>SessionDescriptor_UrlRewritingEnabled_xlWebApp_139095392691832</name>
          <value>false</value>
        </variable>
      </variable-definition>
      <module-override>
        <module-name>iam-consoles-faces.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>weblogic-web-app</root-element>
          <uri>WEB-INF/weblogic.xml</uri>
          <variable-assignment>
            <name>SessionDescriptor_CookieSecure_oim_13909448828170</name>
            <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
          </variable-assignment>
          <variable-assignment>
            <name>SessionDescriptor_UrlRewritingEnabled_oim_139095392691831</name>
            <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
          </variable-assignment>
        </module-descriptor>
      </module-override>
      <module-override>
        <module-name>xlWebApp.war</module-name>
        <module-type>war</module-type>
        <module-descriptor external="false">
          <root-element>weblogic-web-app</root-element>
          <uri>WEB-INF/weblogic.xml</uri>
          <variable-assignment>
            <name>SessionDescriptor_CookieSecure_xlWebApp_13909448828171</name>
            <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
          </variable-assignment>
          <variable-assignment>
            <name>SessionDescriptor_UrlRewritingEnabled_xlWebApp_139095392691832</name>
            <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
          </variable-assignment>
        </module-descriptor>
      </module-override>
    </deployment-plan>
    
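Before handing a plan to the WebLogic console, it is worth checking that it really assigns both settings to every web module, since a plan that overrides only one of the two (or names a variable it never defines) is accepted by the server but leaves the cookie unprotected. The following audit is an added example, not Oracle's own tooling; SAMPLE_PLAN is a constructed plan modelled on the sysadmin sample above, and the audit resolves each variable-assignment to its defined value in the same way the server does.

```python
"""Audit a WebLogic deployment plan for the secure-cookie hardening described
above: every war module that overrides WEB-INF/weblogic.xml must assign
cookie-secure=true and url-rewriting-enabled=false.

Added example, not Oracle's own tooling. SAMPLE_PLAN is constructed for the
demonstration; its variable names mirror the chapter's samples.
"""
import xml.etree.ElementTree as ET

NS = {"dp": "http://xmlns.oracle.com/weblogic/deployment-plan"}

# session-descriptor XPath -> value required for a hardened session cookie
REQUIRED = {
    "/weblogic-web-app/session-descriptor/cookie-secure": "true",
    "/weblogic-web-app/session-descriptor/url-rewriting-enabled": "false",
}

SAMPLE_PLAN = """<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan">
  <application-name>oracle.iam.console.identity.sysadmin.ear#V2.0</application-name>
  <variable-definition>
    <variable>
      <name>SessionDescriptor_CookieSecure_sysadmin_13909448828173</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_sysadmin_139095392691834</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>oracle.iam.console.identity.sysadmin.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_sysadmin_13909448828173</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_sysadmin_139095392691834</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
"""


def session_overrides(plan_xml):
    """Resolve each war module's weblogic.xml variable-assignments to their
    values: {module-name: {xpath: value}}. A value of None means the
    assignment names a variable the plan never defines."""
    root = ET.fromstring(plan_xml)
    variables = {
        v.findtext("dp:name", namespaces=NS): v.findtext("dp:value", namespaces=NS)
        for v in root.findall("dp:variable-definition/dp:variable", NS)
    }
    modules = {}
    for mod in root.findall("dp:module-override", NS):
        if mod.findtext("dp:module-type", namespaces=NS) != "war":
            continue
        settings = {}
        for desc in mod.findall("dp:module-descriptor", NS):
            if desc.findtext("dp:uri", namespaces=NS) != "WEB-INF/weblogic.xml":
                continue
            for va in desc.findall("dp:variable-assignment", NS):
                xpath = va.findtext("dp:xpath", namespaces=NS)
                settings[xpath] = variables.get(va.findtext("dp:name", namespaces=NS))
        modules[mod.findtext("dp:module-name", namespaces=NS)] = settings
    return modules


def audit_plan(plan_xml):
    """Return findings as strings; an empty list means every war module in
    the plan carries both hardened settings."""
    modules = session_overrides(plan_xml)
    findings = []
    if not modules:
        findings.append("plan overrides no war module, so no cookie is hardened")
    for module, settings in modules.items():
        for xpath, wanted in REQUIRED.items():
            actual = settings.get(xpath)
            if actual != wanted:
                leaf = xpath.rsplit("/", 1)[-1]
                findings.append(f"{module}: {leaf} is {actual!r}, expected {wanted!r}")
    return findings


if __name__ == "__main__":
    import sys
    # Pass a plan file path to audit it; with no argument the constructed sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = audit_plan(text)
    print("hardened" if not problems else "\n".join(problems))
```

Run it against each of the three plan files before the console update; an empty finding list for every war module (four modules in total across the three plans) is the expected result.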

To configure the deployment plans, copy them to the host on which the Oracle Identity Manager application is deployed. Perform the following steps for each of the applications, which are oracle.iam.console.identity.self-service.ear, oracle.iam.console.identity.sysadmin.ear, and oim.ear:

  1. Log in to the WebLogic Administrative Console.

  2. Navigate to Deployments, and then select the application.

  3. Click Update. The Update Application Assistant page is displayed.

  4. Click Change Path against the deployment plan path configuration.

  5. Specify the path to the deployment plan XML file specific to the application, and click Next.

  6. Select the Update this application in place with new deployment plan changes option. Click Finish to complete the deployment plan configuration. Activate changes if required.

    Note:

    You can ignore the following error while updating the deployment plan for oracle.iam.console.identity.self-service.ear and oracle.iam.console.identity.sysadmin.ear:
    'weblogic.management.DeploymentException:  The application oracle.iam.console.identity.self-service.ear#V2.0 cannot have the resource WEB-INF/weblogic.xml updated dynamically. Either: 
    1.) The resource does not exist.  
     or  
    2) The resource cannot be changed dynamically.
    
  7. Perform steps 1 through 6 for all three applications.

  8. Restart the Oracle Identity Manager Managed Server.
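After the restart, confirm the change on the wire rather than trusting the plan: the Set-Cookie header returned by each console should carry the Secure attribute. The classifier below is an added example, not Oracle's own tooling; the response headers are constructed (as they might be captured from HTTPS responses of the four console paths), and the cookie name oimjsessionid comes from the text above.

```python
"""Classify captured Set-Cookie headers by whether the oimjsessionid cookie
carries the Secure attribute, so that a console still issuing a non-secure
session cookie after the deployment-plan update is noticed.

Added example, not Oracle's own tooling. SAMPLE_RESPONSES is constructed.
"""
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, one list per console path, as they might be
# collected from HTTPS responses after the plans are applied and the server restarted.
SAMPLE_RESPONSES = {
    "/identity": ["oimjsessionid=AAAA1111; Path=/identity; Secure; HttpOnly"],
    "/sysadmin": ["oimjsessionid=BBBB2222; Path=/sysadmin; Secure; HttpOnly"],
    "/oim":      ["oimjsessionid=CCCC3333; Path=/oim; HttpOnly"],   # Secure missing
    "/xlWebApp": [],                                                 # no session cookie issued
}


def cookie_status(set_cookie_headers, cookie_name="oimjsessionid"):
    """Classify one response: 'secure' if every cookie_name cookie carries
    Secure, 'insecure' if any lacks it, 'absent' if none was issued.
    'absent' is reported separately because a console may not start a
    session on the request that was captured, which is not a finding by itself."""
    seen = False
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)            # parses one Set-Cookie header value
        morsel = jar.get(cookie_name)
        if morsel is None:
            continue                # some other cookie; not the session cookie
        seen = True
        if not morsel["secure"]:    # flag attribute: True when present, "" otherwise
            return "insecure"
    return "secure" if seen else "absent"


def audit_responses(responses):
    """Return {path: status} for a mapping of console path -> Set-Cookie headers."""
    return {path: cookie_status(headers) for path, headers in responses.items()}


if __name__ == "__main__":
    for path, status in audit_responses(SAMPLE_RESPONSES).items():
        print(f"{path}: {status}")
```

An 'insecure' result for a path means the corresponding war module's override did not take effect (typically the plan was not applied to that application, or the managed server was not restarted); an 'absent' result means the capture needs to be repeated against a request that actually creates a session.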

26.2.2 Updating an Existing Deployment Plan

If any of the applications, oracle.iam.console.identity.self-service.ear, oracle.iam.console.identity.sysadmin.ear, and oim.ear, has an existing deployment plan, then you must update that plan to configure cookie-secure and url-rewriting-enabled. To do so, locate the corresponding deployment plan XML file and edit it to add the cookie-secure and url-rewriting-enabled variable and variable-assignment elements shown in the sample deployment plans in "Configuring a New Deployment Plan".

For example, to configure cookie-secure for the oracle.iam.console.identity.self-service.war web application, add the variable and variable-assignment elements as follows (the ellipses stand for existing content of the plan, which is left unchanged):

<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
 
  <application-name>oracle.iam.console.identity.self-service.ear#V2.0</application-name>
  …………
  …………
  <variable-definition>
   …………
    <variable>
      <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
      <value>false</value>
    </variable>
    …………
  </variable-definition>
  …………
  …………
  <module-override>
    <module-name>oracle.iam.console.identity.self-service.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      ………..
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
      ………
    </module-descriptor>
  </module-override>
</deployment-plan>

Save the updated deployment plan XML file, and then restart the Oracle Identity Manager Managed Server for the changes to take effect.
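Editing an existing plan by hand is where mistakes creep in: a second variable-definition element, a duplicated assignment, or an override placed under a descriptor for the wrong URI. The following helper is an added example, not Oracle's own tooling, that performs the merge described above programmatically and idempotently: it keeps whatever the plan already contains, creates the variable-definition and module-override only if they are missing, and never adds an assignment for an XPath that the descriptor already overrides. EXISTING_PLAN is a constructed plan that already carries one unrelated override; the variable-name suffix is an assumption (the chapter's samples use a numeric suffix, and any string unique within the plan works).

```python
"""Merge the secure-cookie overrides into an existing WebLogic deployment plan.

Added example, not Oracle's own tooling. EXISTING_PLAN is constructed; the
variable-name suffix passed by the caller is an assumption.
"""
import xml.etree.ElementTree as ET

NS_URI = "http://xmlns.oracle.com/weblogic/deployment-plan"
NS = {"dp": NS_URI}
ET.register_namespace("", NS_URI)   # serialize with the default namespace, as WebLogic writes it

WEBLOGIC_XML = "WEB-INF/weblogic.xml"

EXISTING_PLAN = """<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan">
  <application-name>oracle.iam.console.identity.self-service.ear#V2.0</application-name>
  <variable-definition>
    <variable>
      <name>ExistingVar</name>
      <value>keep-me</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>oracle.iam.console.identity.self-service.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>ExistingVar</name>
        <xpath>/weblogic-web-app/context-root</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
"""


def _q(tag):
    """Clark-notation name for a deployment-plan element."""
    return f"{{{NS_URI}}}{tag}"


def _child(parent, tag, text=None):
    el = ET.SubElement(parent, _q(tag))
    el.text = text
    return el


def add_secure_cookie_overrides(plan_xml, module_name, suffix):
    """Return plan_xml with cookie-secure=true and url-rewriting-enabled=false
    assigned to module_name's WEB-INF/weblogic.xml. Existing content is kept
    and overrides already present for those XPaths are left untouched."""
    root = ET.fromstring(plan_xml)
    wanted = {
        "cookie-secure": ("true", f"SessionDescriptor_CookieSecure_{suffix}"),
        "url-rewriting-enabled": ("false", f"SessionDescriptor_UrlRewritingEnabled_{suffix}"),
    }
    # variable-definition must precede module-override; create it after application-name if absent
    vardef = root.find("dp:variable-definition", NS)
    if vardef is None:
        vardef = ET.Element(_q("variable-definition"))
        app = root.find("dp:application-name", NS)
        root.insert(list(root).index(app) + 1 if app is not None else 0, vardef)
    defined = {v.findtext("dp:name", namespaces=NS) for v in vardef.findall("dp:variable", NS)}
    # module-override for the war, and its descriptor for weblogic.xml
    mod = next((m for m in root.findall("dp:module-override", NS)
                if m.findtext("dp:module-name", namespaces=NS) == module_name), None)
    if mod is None:
        mod = _child(root, "module-override")
        _child(mod, "module-name", module_name)
        _child(mod, "module-type", "war")
    desc = next((d for d in mod.findall("dp:module-descriptor", NS)
                 if d.findtext("dp:uri", namespaces=NS) == WEBLOGIC_XML), None)
    if desc is None:
        desc = _child(mod, "module-descriptor")
        desc.set("external", "false")
        _child(desc, "root-element", "weblogic-web-app")
        _child(desc, "uri", WEBLOGIC_XML)
    assigned = {a.findtext("dp:xpath", namespaces=NS) for a in desc.findall("dp:variable-assignment", NS)}
    for leaf, (value, var_name) in wanted.items():
        xpath = f"/weblogic-web-app/session-descriptor/{leaf}"
        if xpath in assigned:
            continue    # already overridden in this plan; do not duplicate the assignment
        if var_name not in defined:
            var = _child(vardef, "variable")
            _child(var, "name", var_name)
            _child(var, "value", value)
            defined.add(var_name)
        va = _child(desc, "variable-assignment")
        _child(va, "name", var_name)
        _child(va, "xpath", xpath)
    if hasattr(ET, "indent"):   # pretty-print on Python 3.9+
        ET.indent(root)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_secure_cookie_overrides(EXISTING_PLAN, "oracle.iam.console.identity.self-service.war", "identity_1"))
```

One caveat follows from the idempotency rule: if the plan already assigns one of the two XPaths to a variable whose value is wrong (for example cookie-secure bound to false), the helper leaves that assignment alone, so the resulting plan should still be checked for the actual resolved values before the managed server is restarted.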