9 Security

Oracle Event Processing provides a variety of ways to protect server resources such as data and event streams, configuration, user name and password data, security policy information, remote credentials, and network traffic.

This chapter includes the following sections:

9.1 Users, Groups, and Roles

Oracle Event Processing uses role-based authorization control to secure the Oracle Event Processing Visualizer and the wlevs.Admin command-line utility. There are a variety of default out-of-the-box security groups. You can add users to different groups to give them the different roles.

Administrators who use Oracle Event Processing Visualizer, wlevs.Admin, or any custom administration application that uses JMX to connect to an Oracle Event Processing server use role-based authorization to gain access.

You can also use role-based authorization to control access to the HTTP publish-subscribe server.

There are two types of roles:

  • Application roles: Application roles grant users the permission to access various Oracle CQL applications deployed to the Oracle Event Processing server. You can create application roles and associate them with the task roles that Oracle Event Processing provides.

    By default, administrator users can access any application and non-administration users cannot access any applications. Before a non-administration user can access an application, an administration user must grant the user the associated application role.

    Application Isolation enables administrators to create new roles that can associate new roles to a given application to allow only a selected group access to this application. After the new role is created, non-admin users without this role cannot see the application in visualizer and cannot list or change the application configuration through Admin tool.

  • Task roles: Task roles grant users the permission to perform various tasks with the applications their application role authorizes them to access. Oracle Event Processing provides the default task roles that Table 9-1 describes.

Users that successfully authenticate themselves when using Oracle Event Processing Visualizer or wlevs.Admin are assigned roles based on their group membership, and then subsequent access to administrative functions is restricted according to the roles held by the user. Anonymous users (non-authenticated users) will not have any access to the Oracle Event Processing Visualizer or wlevs.Admin.

When an administrator uses the Configuration Wizard to create a new domain, he or she enters an administrator user that is part of the wlevsAdministrators group. By default, this information is stored in a file-based provider filestore. The password is hashed using the SHA-256 algorithm. The default administrator user is named oepadmin with password welcome1.

Table 9-1 describes the default Oracle Event Processing tasks roles available right after the creation of a new domain, as well as the name of the groups that are assigned to these roles.

Table 9-1 Default Oracle Event Processing Task Roles and Groups

Task Role Group Privileges



Has all privileges of all the other roles, and permission to:

  • Create users and groups

  • Configure HTTP publish-subscribe security

  • Change the system configuration, such as Jetty, work manager, and so on.

All JMX get, set, start, stop, and deploy operations.

All set and invoke methods on these MBeans:




Has all Operator privileges and permission to update the configuration of any deployed application.

All set and invoke methods on ChannelMBean.



Has all Operator privileges and permission to update the Oracle CQL rules associated with the processor of a deployed application.

All set and invoke methods on these MBeans:




Has all Operator privileges and permission to deploy, undeploy, update, suspend, and resume any deployed application.

All JMX get and set operations related to deployment.



Has all Operator privileges and permission to enable/disable diagnostic functions, such as creating a diagnostic profile and recording events (then playing them back.) Can also inject and trace events.

All JMX get operations.

All set and invoke methods on these MBeans:




Has read-only access to all server resources, services, and deployed applications.

Once the domain is created, the administrator can use Oracle Event Processing Visualizer to create a group and associate it with one or more roles. Each role grants access to an application. When you assign a user to a group, the roles you associate with the group give the user the privileges to access those applications.

For instructions on using Oracle Event Processing Visualizer to modify users, groups, and roles, see Oracle Fusion Middleware Using Visualizer for Oracle Event Processing

For more information, see:

9.2 Java SE Security for an Oracle Event Processing Server

The Java SE platform defines a standards-based and interoperable security architecture that is dynamic and extensible. Security for features such as cryptography, authentication and authorization, public key encryption, and more are built in. See http://java.sun.com/javase/technologies/security/for more information.

Oracle Event Processing supports Java SE security with the following security policy files. Oracle provides templates for these files in the product in the following directory: /Oracle/Middleware/my_oep/oep/utils/security.

  • policy.xml: Defines the security policies of all the bundles that make up Oracle Event Processing. The first bundle set defines the policies for server-related bundles; the second bundle set defines the policies for application bundles.

  • security.policy: Defines the security policies for server startup and Web applications deployed to the Jetty HTTP server. This file also defines policies for the Oracle Event Processing Visualizer Web application.

You can define Java SE security policies for the following Oracle Event Processing features:

  • All bundles that make up Oracle Event Processing

  • Server startup

  • Web applications deployed to the Oracle Event Processing server Jetty HTTP server

  • Oracle Event Processing Visualizer

Configure Java SE Security on a Server:

  1. Stop the Oracle Event Processing server, if it is currently running.

    See Start and Stop Servers.

  2. Copy policy.xml and security.policy:



    /Oracle/Middleware/my_oep/user_projects/domains/ <domainname>/<servername>/config/

  3. Edit the two security policy files as needed.

  4. Update the server startup script for your platform in the <servername> directory by adding the following properties to the java command that starts the server:


    For example with everything on one line:

    "%JAVA_HOME%\bin\java" %DGC% %DEBUG% -Djava.security.manager 
    -Dwlevs.home="%USER_INSTALL_DIR%" -Dbea.hoe="%BEA_HOME%" 
    -jar "%USER_INSTALL_DIR%\bin\wlevs.jar" %1 %2 %3 %4 %5 %6
  5. Edit the Jetty configuration in the config.xml server file by adding a <scratch-directory> child element of the <jetty> element to specify the directory to which Jetty Web applications are deployed.

    For example:

  6. Restart the Oracle Event Processing server for the changes to take effect.

    See "Start and Stop Servers".

9.3 Security Provider

Oracle Event Processing supports the following security providers for authentication, authorization, role mapping, and credential mapping. The default is the file-based provider. If you use the default file-based security provider, then you do not need to do any further configuration of your domain. If you want to use the LDAP or DBMS providers, you must perform further configuration. Once you have configured the security provider, you can add new users, assign them to groups, and map groups to roles. See Users_ Groups_ and Roles.

  • File-based: Default security provider that uses an operating system file to access security data such as user, password, and group information. This provider provides authentication and authorization. Authentication is the process whereby the identity of users is proved or verified. Authorization is the process whereby a user's access to an Oracle Event Processing resource is permitted or denied based on the user's security role and the security policy assigned to the requested Oracle Event Processing resource. Authentication typically involves user name and password combinations.

  • LDAP: Uses a Lightweight Data Access Protocol (LDAP) server to access user, password, and group information. Provides only authentication.

    When you use LDAP for authentication, you cannot add or delete users and groups using Oracle Event Processing Visualizer, you can only change the password of a user.

  • RDBMS: Uses a DBMS to access user, password, and group information. Provides both authentication and authorization.

The following procedures describe two different ways to configure a security provider for authentication and authorization.

Configure Authentication with LDAP and Authorization with the DBMS Provider

  1. Add the Oracle/Middleware/my_oep/oep/bin directory to your PATH environment variable:

    set PATH=d:\Oracle\Middleware\my_oep\oep\bin;%PATH% (Windows)
    PATH=/Oracle/Middleware/my_oep/oep/bin:$PATH (UNIX)
  2. Go to the config directory for the server you want to configure.

    By default, the config directory is in /Oracle/Middleware/my_oep/ user-Projects/domains/<domainname>/<servername>/config/.

  3. In a text editor, create a file called myLDAPandDBMS.properties and copy the entire contents of the following example into it.


    Make sure the certificate of the boot user in the evsidentity.jks file is the same as what is configured in the security.xml file.

    # For attributes of type boolean or Boolean, value can be "true" or "false" 
    # and it's case insensitive.
    # For attributes of type String[], values are comma separated; blanks before
    # and after the comma are ignored. For example, if the property is defined as:
    #   saml1.IntersiteTransferURIs=uri1, uri2, uri3
    # the IntersiteTransferURIs attribute value is String[]{"uri1", "uri2", "uri3"}
    # For attributes of type Properties, the value should be inputted as 
    # a set of key=value pairs separated by commas; blanks before and after the
    # commas are also ignored. For example (in practice, the property should be all on one line):
    #  store.StoreProperties=DriverName=oracle.jdbc.driver.OracleDriver, 
    ConnectionURL=jdbc:oracle:thin:@united.bea.com:1521:xe, Username=user, Password=user
    # Split here for readability; in practice, a property should be all on one line.
        ConnectionURL=jdbc:oracle:thin:@localhost:1521:orcl, Username=wlevs, Password=wlevs
    1. Customize the property file by updating the store.StoreProperties property to reflect your database driver information, connection URL, and user name and password of the user that connects to the database. This is how the default property is set:

      # Split for readability; in practice, the property should be on one line.
      ConnectionURL=jdbc:oracle:thin:@mymachine:1521:orcl, Username=wlevs, 
    2. Update the property that specifies your LDAP server configuration.

    3. Leave all the other properties to their default values.

  4. Make a backup copy of the existing security.xml file in case you need to revert.

  5. Create a new security configuration file (security.xml) by executing the following cssconfig command:

    cssconfig -p myLDAPandDBMS.properties -c security.xml -i security-key.dat

    myLDAPandDBMS.properties: The property file you created in step GUID-38291BCC-A0AC-49F6-AFC1-2053EFD95990.htm#CEPAG-GUID-263833A9-D898-46AE-B526-2E25F0004CC1__i1018867.security.xml: The name of the new security configuration file.security-key.dat: An existing file generated by the Configuration Wizard that contains the identity key.

    See The cssconfig Command-Line Utility for additional information.

  6. Go to /Oracle/Middleware/my_oep/oep/utils/security/sql.

    This directory contains SQL scripts for creating the required security-related database tables and populating them with initial data. Because you are using the DBMS provider only for authorization, the relevant scripts for this procedure are:

    atz_create.sql: Creates all tables required for authorization.

    atz_drop.sql: Drops all authorization-related tables.

  7. Run the atz_create.sql SQL script against the database you specified as the database store in step GUID-38291BCC-A0AC-49F6-AFC1-2053EFD95990.htm#CEPAG-GUID-263833A9-D898-46AE-B526-2E25F0004CC1__i1018867.

  8. Configure your LDAP server by adding the default groups described in Users_ Groups_ and Roles and the administrator user you specified when you created the domain. By default, this user is called oepadmin.

    Refer to your LDAP server documentation for details.

  9. Optionally, configure password strength in your new security.xml file.

    See Password Strength.

Configure Authentication and Authorization with the DBMS Provider

  1. Add the Oracle/Middleware/my_oep/oep/bin directory to your PATH environment variable:

    prompt> set PATH=d:\Oracle\Middleware\my_oep\oep\bin;%PATH% (Windows)
    prompt> PATH=/Oracle/Middleware/my_oep/oep/bin:$PATH (UNIX)
  2. Go to the config directory for the server you want to configure.

    By default the config directory is in /Oracle/Middleware/my_oep/ user-Projects/domains/<domainname>/<servername>/config/.

  3. Make a backup copy of the existing security.xml file, in case you need to revert.

  4. In a text editor, create a file called myDBMS.properties and copy the entire contents of the following example into it.

    # For attributes of type boolean or Boolean, value can be "true" or "false" 
    # and it's case insensitive.
    # For attributes of type String[], values are comma separated; blanks before
    # and after the comma are ignored. For example, if the property is defined as:
    #   saml1.IntersiteTransferURIs=uri1, uri2, uri3
    # the IntersiteTransferURIs attribute value is String[]{"uri1", "uri2", "uri3"}
    # For attributes of type Properties, the value should be inputted as 
    # a set of key=value pairs separated by commas; blanks before and after the
    # commas are also ignored. For example (split for readability; in practice, the property should be all on one line):
    #  store.StoreProperties=DriverName=oracle.jdbc.driver.OracleDriver, 
        ConnectionURL=jdbc:oracle:thin:@united.bea.com:1521:xe, Username=user, Password=user
    # Split for readability; the property should be fully on one line.
        ConnectionURL=jdbc:oracle:thin:@mymachine:1521:orcl, Username=wlevs, Password=wlevs
    atn.1.SQLCreateUser=INSERT INTO USERS VALUES ( ? , ? , ? )
    atn.1.SQLRemoveGroupMemberships=DELETE FROM GROUPMEMBERS WHERE G_MEMBER \= ? ORG_NAME \= ?
    atn.1.SQLSetUserDescription=UPDATE USERS SET U_DESCRIPTION  \= ? WHERE U_NAME \= ?
    atn.1.SQLSetUserPassword=UPDATE USERS SET U_PASSWORD \= ? WHERE U_NAME \= ?
    atn.1.SQLCreateGroup=INSERT INTO GROUPS VALUES ( ? , ? )
    atn.1.SQLSetGroupDescription=UPDATE GROUPS SET G_DESCRIPTION \= ? WHERE G_NAME \=  ?
    1. Customize the property file by updating the store.StoreProperties property to reflect your database driver information, connection URL, and user name and password of the user that connects to the database. This is how the default property is set:

      ConnectionURL=jdbc:oracle:thin:@mymachine:1521:orcl, Username=wlevs,
    2. Leave all the other properties to their default values.

  5. Create a new security configuration file (security.xml) by executing the following cssconfig command:

    cssconfig -p myLDAPandDBMS.properties -c security.xml -i security-key.dat

    myDBMS.properties: The property file you created in step GUID-38291BCC-A0AC-49F6-AFC1-2053EFD95990.htm#CEPAG-GUID-263833A9-D898-46AE-B526-2E25F0004CC1__i1018867.security.xml: The name of the new security configuration file.security-key.dat: An existing file generated by the Configuration Wizard that contains the identity key.

    See The cssconfig Command-Line Utility for additional information.

  6. Go to /Oracle/Middleware/my_oep/oep/utils/security/sql:

    This directory contains SQL scripts for creating the required security-related database tables and populating them with initial data. These scripts are:

    atn_create.sql: Creates all tables required for authentication.

    atn_drop.sql: Drops all authentication-related tables.

    atn_init.sql: Inserts default values into the authentication-related user and group tables. In particular, the script inserts a single default administrator user called oepadmin, with password welcome1, into the user table and specifies that the user belongs to the wlevsAdministrators group. The script also inserts the default groups listed in Table 9-1 into the group table.

    atz_create.sql: Creates all tables required for authorization.

    atz_drop.sql: Drops all authorization-related tables.

  7. If, when you created your domain using the Configuration Wizard, you specified an administrator user other than the default, edit the atn_init.sql file and add the INSERT INTO USERS and corresponding INSERT INTO GROUPMEMBERS statements.

    For example, to add an administrative user juliet, with password shackell, add the following statements to the atn_init.sql file:

    INSERT INTO USERS (U_NAME, U_PASSWORD, U_DESCRIPTION) VALUES ('juliet','shackell','default admin');
    INSERT INTO GROUPMEMBERS (G_NAME, G_MEMBER) VALUES ('wlevsAdministrators','juliet');
  8. Run the following SQL script files, in the order listed against the database you specified as the database store in step GUID-38291BCC-A0AC-49F6-AFC1-2053EFD95990.htm#CEPAG-GUID-263833A9-D898-46AE-B526-2E25F0004CC1__i1018867:




  9. Optionally, configure password strength in your new security.xml file.

    See Password Strength.

9.4 Password Strength

Password strength measures the effectiveness of a password as an authentication credential. How you configure password strength determines the type of password a user can specify, such as whether the password can contain the user name, the minimum length of the password, the minimum number of numeric characters it can contain, and so on.

You configure the strength of the passwords used for Oracle Event Processing authentication by updating the <password-validator> element in the security configuration file (security.xml).

By default, the security configuration file is in the Oracle/Middleware/my_oep/user_projects/domains/<domainname>/<servername>/config directory.

The following example shows a snippet from the security.xml file with the default values after you create a new domain.


Table 9-2 describes all the child elements of <password-validator> that you can configure. If you manually update the security.xml file, you must restart the Oracle Event Processing server instance for the changes to take effect.

Table 9-2 Child Elements of <password-validator>

Child Element Description Default Value


When set to true, Oracle Event Processing rejects a password if it is the same as, or contains, the user name.

When set to false, Oracle Event Processing does not reject a password for this reason.



When set to true, Oracle Event Processing rejects a password if it is the same as, or contains, the reversed user name.

When set to false, Oracle Event Processing does not reject a password for this reason.



Specifies the maximum length of a password.

A value of 0 means there is no restriction.

Valid values for this element are integers greater than or equal to 0.



Specifies the minimum length of a password.

Valid values for this element are integers greater than or equal to 0.



Specifies the maximum number of times the same character can appear in the password. For example, if this element is set to 2, then the password bubble is invalid.

A value of 0 means there is no restriction.

Valid values for this element are integers greater than or equal to 0.



Specifies the maximum number of repeating consecutive characters that are allowed in the password. For example, if this element is set to 2, then the password bubbble is invalid.

A value of 0 means there is no restriction.

Valid values for this element are integers greater than or equal to 0.



Specifies the minimum number of alphabetic characters that a password must contain.

A value of 0 means there is no restriction.

Valid values for this element are integers greater than or equal to 0.



Specifies the minimum number of numeric characters that a password must contain.

A value of 0 means there is no restriction.

Valid values for this element are integers greater than or equal to 0.



Specifies the minimum number of lowercase characters that a password must contain.

A value of 0 means there is no restriction.

Valid values for this element are integers greater than or equal to 0.



Specifies the minimum number of uppercase characters that a password must contain.

A value of 0 means there is no restriction.

Valid values for this element are integers greater than or equal to 0.



Specifies the minimum number of non-alphanumeric characters that a password must contain. Non-alphanumeric characters include $, #, @, &,! and so on.

A value of 0 means there is no restriction.

Valid values for this element are integers greater than or equal to 0.


9.5 SSL to Secure Network Traffic

Oracle Event Processing provides one-way Secure Sockets Layer (SSL) to secure network traffic as between:

  • A browser running the Oracle Event Processing Visualizer and the Oracle Event Processing server that hosts the data-services application that the Oracle Event Processing Visualizer uses.

  • The wlevs.Admin command-line utility and an Oracle Event Processing instance.

    See Run wlevs.Admin Utility in SSL Mode.

  • The member servers of a multiserver domain.

You can configure Oracle Event Processing to use a Federal Information Processing Standards (FIPS)-certified pseudo-random number generator for SSL. After you configure SSL, you can configure the Oracle Event Processing server to accept only client requests on the HTTPS port. See HTTPS-Only Connections.

You configure SSL in the server's config.xml file. When you create an Oracle Event Processing server, the server config.xml includes a default SSL configuration. The following procedures show how to configure SSL and a key store.

9.5.1 Configure SSL Manually

  1. Use the Configuration Wizard to create a standalone-server domain or a multiserver domain.
  2. In an XML editor, open the config.xml file for the server you want to configure.

    By default, the config.xml file is in /Oracle/Middleware/my_oep/user_projects/domains/<domainname>/<servername>/config.

  3. Configure the ssl element.

    The following example shows the default ssl element the Configuration Wizard creates.


    The key-store element points to a certificate file. The Configuration Wizard creates a default certificate file called evsidentity.jks in the ssl directory for the server you want to configure.

    By default, the password for the certificate private key is the same as the password for the identity key store.


    The Oracle Event Processing Server will not start unless the password for the certificate private key is the same as the password for the identity key store.

    The evsidentity.jks file contains a self-signed certificate. Optionally, create your own certificate file and either replace the evsidentity.jks file, or update the key-store element in the config.xml file.


    In a production environment, the system administrator should replace the default self-signed certificate with a CA signed certificate.

    For more information about creating a key store, see Create a Key Store Manually.

    For more information about the enforce-fips element, see FIPS.

  4. Configure a netio element for SSL.

    The following example shows the default netio element the Configuration Wizard creates.


    The ssl-config-bean-name must match the ssl element name child element (see step 3).

    The default secure port is 9003 by default. You can change the port.

  5. Configure the jetty element to add a secure-network-io-name child element.

    The following example shows the default jetty element.


    The secure-network-io-name must match the SSL netio element name child element (see step 4).

  6. Save and close the config.xml file.
  7. Restart the Oracle Event Processing server (if it is running).

9.5.2 Create a Key Store Manually

By default, the Configuration Wizard creates a default key store certificate file called evsidentity.jks.

By default the evsidentity.jks file is in the Oracle/Middleware/my_oep/user_projects/domains/<domainname>/<servername>/ssl directory.

The password is the same as the password you entered when you created the server. Optionally, you can create a key store manually.

  1. Use the JDK keytool command to generate a key store:
    keytool -genkey -alias evsidentity -keyalg RSA -validity 10958 -keystore evsidentity.jks -keysize 1024
  2. Enter the key store password, when prompted:
    Enter keystore password:
  3. Enter the key-store attributes, when prompted:
    What is your first and last name?
      [Unknown]:  OEP
    What is the name of your organizational unit?
      [Unknown]:  SOA
    What is the name of your organization?
      [Unknown]:  ORACLE
    What is the name of your City or Locality?
      [Unknown]:  SF
    What is the name of your State or Province?
      [Unknown]:  CA
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=OEP, OU=SOA, O=ORACLE, L=SF, ST=CA, C=US correct?
      [no]:  y
  4. When prompted for a key password, do not enter a password, but press Return:
    Enter key password for <evsidentity>
            (RETURN if same as keystore password):


    The Oracle Event Processing Server will not start unless the password for certificate private key is the same as the password for the identity key store.

  5. In an XML editor, open the Oracle Event Processing server config.xml file.

    By default, the Configuration Wizard creates the config.xml file in the /Oracle/Middleware/my_oep/user_projects/domains/ <domainname>/<servername>/config directory.

  6. Configure the ssl element.

    The following example shows the default ssl element.


    KEYSTORE_PATH: The file path to the key store file. The file name comes from the -keystore argument to the keytool command.

    PASSWORD: The cleartext key store password.

    KEYSTORE_ALIAS: The key store alias. The key store alias is from the -alias argument to the keytool command.

  7. Save and close the config.xml file.
  8. Encrypt the cleartext password in the key-store-pass element password child element of the config.xml file by using the encryptMSAConfig utility.

9.5.3 Configure SSL in a Multiserver Domain for Visualizer

In a multiserver domain, you can configure one-way SSL between the server that hosts the Oracle Event Processing Visualizer data services application and another server. In the following procedure, the server that hosts the data services application is myServer1, and the second server is myServer2. Both servers are in the /Oracle/Middleware/my_oep/user_projects/domains/myServer1 directory. Repeat this procedure for other servers in the domain, if required.

For information about securing the messages sent between servers in a multiserver domain, see:

For information about starting Oracle Event Processing Visualizer in a multiserver domain, see Oracle Fusion Middleware Using Visualizer for Oracle Event Processing.

Configure SSL in a Multiserver Domain for Use by Visualizer

  1. Ensure that SSL is configured for the two servers in the domain.

    If you used the Configuration Wizard to create the servers, then SSL is configured by default.

    See Configure SSL Manually for details and information about how to change the default configuration.

  2. Start myServer2.
  3. Change to the ssl sub-directory of the myServer1 directory:
    cd /Oracle/Middleware/my_oep/user_projects/domains/myDomain/myServer1/ssl
  4. Generate a trust key store for myServer1 that includes the certificate of myServer2 by specifying the following command (split for readability; in practice, the command should be on one line):
    prompt> java -classpath Oracle\Middleware\my_oep\oep\
    com.bea.wlevs.security.util.GrabCert host:secureport 
    -alias=alias truststorepath

    host: The computer on which myServer2 is running.

    secureport: The SSL network I/O port configured for myServer2. The default value is 9003. For more information, see Configure SSL Manually.

    alias: The alias for the certificate in the trust key store. Default value is the host name.

    truststorepath: The full path name of the generated trust key store file; default is evstrust.jks

    For example (put everything on one line):

    java -classpath C:\Oracle\Middleware\
    com.bea.wlevs.security.util.GrabCert myServer2:9003 
    -alias=myServer2 evstrust.jks

    For more information, see The GrabCert Command-Line Utility.

  5. When prompted, enter the Oracle Event Processing administrator password:
    Please enter the Password for the trust store :
  6. When prompted, select the certificate sent by myServer2:
    Created TrustStore evstrust.jks
    Opening connection to myServer2:9003...
    Starting SSL handshake...
    No certificates in evstrust.jks are trusted by myServer2:9003
    Server sent 1 certificate(s):
     1 Subject CN=localhost, OU=Event Server, O=BEA, L=San Jose, ST=California, C=US
       Issuer  CN=localhost, OU=Event Server, O=BEA, L=San Jose, ST=California, C=US
       sha1    00 07 c0 f4 10 48 9a f9 07 82 4f b6 9c 7f 7c d0 37 57 90 7d
       md5     a4 d4 ff d2 43 69 95 ca c3 43 e6 f6 b8 08 df b7
    Enter certificate to add to trusted keystore evstrust.jks or 'q' to quit: [1]
  7. Update the config.xml file of myServer1, by adding trust key store information to the ssl element and adding a use-secure-connections element, as shown in bold in the following example:

    The config.xml file is in the config directory of the main server directory. In this example, the location is /Oracle/Middleware/my_oep/user_projects/domains/myDomain/myServer1/config/.

  8. Encrypt the cleartext password in the trust-store-pass element password child element of the config.xml file by using the encryptMSAConfig utility.
  9. Start myServer1.

9.5.4 Configure SSL Between an SAML2 Service Provider and Identity Provider

You can use SSL to secure communications between the service provider (SP) and identity provider (IDP) in an SSO environment by configuring an Oracle Event Processing Server as a SAML2 SP and configure the SP with the needed SAML2 identity IDP options.

The following examples shows an ssl element with a sample configuration. The procedure edits the example to configure SSL between a SAML2 SP and an IP.


Configure SSL between a SAML2 SP and an IP

  1. Configure the mandatory SAML2 IDP options.
  2. Add a transport-layer-client-cert-alias element to the saml2-identity-provider element in your Oracle Event Processing server config.xml:
  3. Add an ssl-config-bean-name element to the saml2-identity-provider element in your Oracle Event Processing server config.xml:

    ssl-config-bean-name: The name of your ssl element.

  4. Restart the Oracle Event Processing server for the changes to take effect.

9.6 FIPS

The National Institute of Standards and Technology (NIST) creates standards for Federal computer systems. NIST issues these standards as Federal Information Processing Standards (FIPS) for government-wide use.

Oracle Event Processing supports FIPS with the com.rsa.jsafe.provider.JsafeJCE security provider. Use this provider to configure Oracle Event Processing to use a FIPS-certified pseudo-random number generator for SSL.

For more information, see:

You can configure Oracle Event Processing servers to use a FIPS-certified pseudo-random number generator.

Configure FIPS for an Oracle Event Processing Server

  1. Configure Java SE security.
  2. Configure SSL.
  3. Copy com.bea.core.jsafejcefips_version.jar:

    From: /Oracle/Middleware/my_oep/oep/utils/security

    To: JRE_HOME/jre/lib/ext

    JRE_HOME : The directory that contains your JDK installation.

  4. Stop the Oracle Event Processing server, if it is currently running.
  5. Edit the JRE_HOME/jre/lib/security/java.security file to add com.bea.core.jsafejcefips_2.0.0.0.jar as a JCE provider as the following example shows.

    N: A unique integer that specifies the order in which Java accesses security providers. To make the JsafeJCE provider the default provider, set N to 1. In this case, change the value of N for any other providers in the java.security file so that each provider has a unique number as the following shows.

  6. Edit the ssl element in the config.xml server file to add the following child elements:
    • enforce-fips: set this option to true.

    • secure-random-algorithm: set this option to FIPS186PRNG

    • secure-random-provider: set this option to JsafeJCE.

  7. Restart the Oracle Event Processing server for the changes to take effect.

9.7 SSO with SAML2

The Security Assertion Markup Language (SAML) is an OASIS XML standard for exchanging authentication and authorization data between security domains. Oracle Event Processing server supports SAML2.

With SAML configuration, you can define a web application single sign-on (SSO) environment between Oracle Event Processing servers and a SAML-compliant system such as Oracle WebLogic Server or Oracle Access Manager.

SSO enables you to have a user to sign on to an application once and gain access to many different application components even when these components have their own authentication schemes. Single sign-on enables users to log in securely to all of their applications with one identity.

There are two roles in a SAML2 SSO environment as Figure 9-1 shows:

  • Identity Provider (IDP): The process that performs authentication. You configure SAML2 options for the IDP in the Oracle Event Processing server config.xml file.

  • Service Provider (SP): The process that delegates authentication to an IDP. You configure SAML2 options for the SP in the Oracle Event Processing security.xml file.

In the context of Oracle Event Processing, the Oracle Event Processing server is the service provider. The identity provider is any SAML2-compliant system such as Oracle WebLogic Server or Oracle Access Manager.

Be aware that Oracle Event Processing Visualizer supports SSO with SAML2, but the Oracle Event Processing HTTP Publish-Subscribe Server (HTTP pub-sub server) does not support SSO with SAML2.

For more information, see:

The following procedures explain how to configure SSO with SAML2 on an Oracle Event Processing server:

9.7.1 Configure SAML2 Service Provider Options

In this configuration, the Oracle Event Processing server receives client requests and delegates their authentication to a SAML2 IDP. You configure SAML2 SP options in the security.xml file with the cssconfig command-line tool.

Configure SAML2 Service Provider Options

  1. Add the Oracle\Middleware\my_oep\oep\bin directory to your PATH environment variable:
    set PATH=d:\Oracle\Middleware\my_oep\oep\bin;%PATH% (Windows)
    PATH=/Oracle/Middleware/my_oep/oep/bin:$PATH (UNIX)
  2. Change to the config directory for the server you want to update.

    By default the domain directory is Oracle/Middleware/my_oep/user_projects/domains/<domainname>.

  3. Make a backup copy of the existing security.xml file in case you need to revert:
  4. In a text editor, create a file called saml2.properties and copy the entire contents of the following example into it.

    You can customize the properties file.

  5. Create a new security configuration file (security.xml) by executing the following cssconfig command:
    cssconfig -p saml2.properties -i security-key.dat -c security.xml

    saml2.properties: The property file you created in step 4.security.xml is the name of the new security configuration file, and security-key.dat: An existing file, generated by the Configuration Wizard, that contains the identity key.

    See The cssconfig Command-Line Utility for additional information.

  6. Restart the Oracle Event Processing server for the changes to take effect.

9.7.2 Configure SAML2 Identity Provider Options

In this configuration, you configure an Oracle Event Processing server with SAML2 IDP options that the server then uses to delegate authentication to a SAML2-compliant IDP. You configure SAML2 IDP options in the Oracle Event Processing server config.xml file.

This procedure uses Oracle WebLogic Server as an example IDP. Refer to your IDP documentation for configuration details specific to your IDP and use this procedure as a guide.

Configure SAML2 Identity Provider Options

  1. Obtain the IDP metadata file from your IDP.

    If Oracle WebLogic Server is your IDP, you can generate the IDP metadata file as follows:

    1. Open a browser and log into the Oracle WebLogic Server console:

    2. Under your domain, select Environment > Servers > SERVER_NAME > Federation > Services > SAML 2.0 General

      Where SERVER_NAME is the name of your Oracle WebLogic Server.

    3. Click Publish Meta Data and specify a file name.

      In this example, call it myidp.xml.

  2. Change to the config directory for the server you want to update.

    By default, the directory is Oracle/Middleware/my_oep/user_projects/domains/<domainname>/<servername>/config.

  3. Copy the myidp.xml file to your Oracle Event Processing server config directory.

  4. Make a backup copy of the existing config.xml file, in case you need to revert:

  5. In a text editor, edit the config.xml file and add a saml2-identity-provider element as the following example shows.

    You can configure only one IDP per Oracle Event Processing server.


    meta-data-file-name: The IDP metadata file you created in step 1.partner-name: The name of this IDP instance.redirect-uris: SAML2 authentication URIs.

  6. Restart the Oracle Event Processing server for the changes to take effect.

    See "Start and Stop Servers".

9.7.3 Configure SAML2 Web Application Options

After you configure SAML2 SP and IDP options, you must configure the web.xml file for the web applications that will access the SP.

Configure SAML2 Web Application Options

  1. Change to the directory that contains the web.xml file for the web application that needs to access the SP.
  2. In a text editor, edit the web.xml file and add a filter element:
  3. Add a filter-mapping element:

    The protected resource defined in the filter-mapping child element url-pattern must match the redirectUri you configured in the config.xml file.

  4. Repackage and deploy the web application.

9.8 HTTPS-Only Connections

You can lock down the server to allow only HTTPS connections.

Configure HTTPS-Only Connections for a Server

  1. Ensure that SSL is configured for the server.
  2. Remove the HTTP port configuration from the config.xml server file.

    By default the file is in Oracle/Middleware/my_oep/user_projects/domains/<domainname>/<servername>/config/

    The following example shows config.xml entries with a standard configuration where both an HTTP and HTTPS ports are configured. The HTTP port is 9002 and the HTTPS port is 9003. Clients can access the Jetty server through both ports.


    The following example shows the same config.xml file with HTTP access removed. Clients can now access the Jetty server using the HTTPS port only.

  3. If you have a multiserver domain, make sure that SSL is configured between the member servers.

9.9 Security for Server Services

After you complete basic security tasks such as configuring Java SE security, a security service provider, and SSL, you can configure security details specific to the various services that Oracle Event Processing server provides.

This section describes:

9.9.1 Configure Jetty Security

Oracle Event Processing supports Jetty as a Java web server to deploy HTTP servlets and static resources. See http://mvnrepository.com/artifact/org.mortbay.jetty. For more information about Jetty, see Jetty.

The following security tasks affect Jetty configuration:

9.9.2 Configure JMX Security

Clients that access the Oracle Event Processing server with JMX are subject to Oracle Event Processing role-based authentication. For more information about roles, see:

For more information about JMX, see JMX .

9.9.3 Configure JDBC Security

If you update a data source with a new password using the Configuration Wizard, then the Configuration Wizard performs password encryption for you. If you update the config.xml file manually by adding or modifying a data-source element, then you enter the password in plain text and encrypt the password with the encryption utility, encryptMSAConfig.

The following example shows a config.xml file data-source element with a new plain text password, secret, specified in the properties element with the name password.


The following example shows the config.xml file data-source element after encryption. Note the plain text password is encrypted.


For more information, see:

For more information about JDBC, see JDBC

9.9.4 Configure HTTP Publish-Subscribe Server Channel Security

After you configure at least one HTTP publish-subscribe server channel, you can use role-based authentication to control access to individual HTTP publish-subscribe server channels using the Oracle Event Processing Visualizer.

For more information, see:

9.10 Cross-Domain Security for Visualizer

Oracle Event Processing Visualizer provides an Adobe Flash-based user interface with which you can create and configure event processing networks. To provide the most flexible default performance for Visualizer, the software is installed with a configured trust level that allows access to Visualizer data from any domain. If this trust level is inappropriate for your deployment, you can edit the application's Flash cross-domain policy file to restrict access.

Review the domains the Flash cross-domain policy allows and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains. See the Adobe web site for a thorough description of editing cross-domain policy. See the Adobe security web site for information about using the Adobe cross-domain policy files.

Update Cross-Domain Security

  1. Locate the Oracle Event Processing Visualizer JAR file.

    By default the file is in Oracle/Middleware/my_oep/oep/modules/ com.bea.wlevs.visualizer.jmxhttpadapter_version.jar.

  2. Expand the JAR file and locate the crossdomain.war file.

  3. Expand the crossdomain.war file to locate the crossdomain.xml file.

  4. Edit the crossdomain.xml file to reflect your cross-domain security needs.

  5. Repackage the crossdomain.war file and the Oracle Event Processing Visualizer JAR file.

9.11 Security Auditor

Oracle Event Processing provides a security auditor that logs security-related activity. By default, the security auditor logs to

Oracle/Middleware/my_oep/user_projects/domains/<domainname>/ <servername>/legacy-rootdir/servers/legacy-server-name/logs

By default, the Oracle Event Processing security auditor logs security errors or failures to keep the security auditor log file at a manageable size. You can configure the level at which the Oracle Event Processing security auditor logs information.

For more information, see Oracle Fusion Middleware Securing Oracle WebLogic Server.

To configure security auditor logging:

  1. Change to the config directory for the server you want to configure.
  2. In a text editor, open the security.xml file and locate the sec:auditor element element:
    <sec:auditor xsi:type="wls:default-auditorType">
  3. Modify the sec:auditor element as required:

    wls:rotation-minutes: How many minutes to wait before creating a new DefaultAuditRecorder.log file. At the specified time, the audit file closes and a new files is created. Oracle Event Processing creates a backup file named DefaultAuditRecorder.YYYYMMDDHHMM.log in the same directory.

    wls:severity: The severity level from the following list that is appropriate for your server. The security auditor audits security events of the specified severity and all events with a higher numeric severity rank. For example, if you set the severity level to ERROR, the Oracle Event Processing security auditor audits security events of severity level ERROR, SUCCESS, and FAILURE.


    You can also set the wls:severity level to CUSTOM, and enable (true) or disable (false) the specific severity levels you want to audit by using one or more of the following child elements:

    • wls:information-audit-severity-enabled: If the severity value is set to CUSTOM, setting this child element to true causes the Oracle Event Processing security auditor to generate audit records for events with a severity level of INFORMATION.

    • wls:warning-audit-severity-enabled: If the severity value is set to CUSTOM, setting this child element to true causes the Oracle Event Processing security auditor to generate audit records for events with a severity level of WARNING.

    • wls:error-audit-severity-enabled: If the severity value is set to CUSTOM, setting this child element to true causes the Oracle Event Processing security auditor to generate audit records for events with a severity level of ERROR.

    • wls:success-audit-severity-enabled: If the severity value is set to CUSTOM, setting this child element to true causes the Oracle Event Processing security auditor to generate audit records for events with a severity level of SUCCESS.

    • wls:failure-audit-severity-enabled: If the severity value is set to CUSTOM, setting this child element to true causes the Oracle Event Processing security auditor to generate audit records for events with a severity level of FAILURE.

  4. Save and close the security.xml file.
  5. Restart the Oracle Event Processing server for the changes to take effect.

9.12 Disable Security

You can disable security entirely on the Oracle Event Processing server. While this configuration might be appropriate for development environments, Oracle does not recommend disabling security in a production environment.

To temporarily disable security, you can run the startwlevs.cmd or startwlevs.sh script with the -disablesecurity argument on the command line. For example:

startwlevs.cmd -disablesecurity


In some sample domains, the startwlevs.cmd and startwlevs.sh scripts already include a -disablesecurity argument. Executing such a script with -disablesecurity on the command line will fail with an Illegal argument error.

9.13 Security Utilities

Oracle Event Processing provides a variety of command-line utilities to simplify security administration. In addition to command-line utilities, you can use Oracle Event Processing Visualizer to perform many security tasks.

For more information, see:

9.14 User Credentials for Command-Line Utilities

Oracle Event Processing provides the following command-line utilities for performing a variety of tasks:

  • wlevs.Admin: a command-line interface to administer Oracle Event Processing and, in particular, dynamically configure the rules for Oracle CQ processors and monitor the event latency and throughput of an application. See wlevs.Admin Command-Line Reference for details

  • Deployer: a Java-based deployment utility that provides administrators and developers command-line based operations for deploying Oracle Event Processing applications. See Deployer Command-Line Reference for details.

  • cssconfig: a command-line utility to generate a security configuration file (security.xml) that uses a password policy. See The cssconfig Command-Line Utility for details.

  • encryptMSAConfig: an encryption command-line utility to encrypt cleartext passwords, specified by the password element, in XML files. See The encryptMSAConfig Command-Line Utility for details.

For each utility, you can specify user credentials (user name and password) using the following three methods:

  • On the command line using options such as -user and -password.

  • Interactively so that the command line utility always prompts for the credentials.

  • Specifying a filestore that stores the user credentials; the filestore itself is also password protected.

In a production environment you should never use the first option (specifying user credentials on the command line) but rather use only the second and third option.

When using interactive mode (command-line utility prompts for credentials), be sure you have the appropriate terminalio native libraries for your local computer in your CLASSPATH so that the user credentials are not echoed on the screen when you type them. Oracle Event Processing includes a set of standard native libraries for this purpose, but it may not include the specific one you need.

9.15 Security in Oracle Event Processing Examples and Domains

When you use the Configuration Wizard to create a new domain, you specify the administrator user and password, as well as the password to the domain identity key store. This user is automatically added to the wlevsAdministrators group. All security configuration is stored using a file-based provider, by default.

All Oracle Event Processing examples are configured to have an administrator with user name oepadmin and password welcome1. When you create a new domain you specify the administrator name and password.

By default, security is disabled in the HelloWorld example. This means that any user can start the server, deploy applications, and run all commands of the administration tool (wlevs.Admin) without providing a password.

Security is enabled in the FX and AlgoTrading examples. In both examples, the user oepadmin, with password welcome1, is configured to be the Oracle Event Processing administrator with full administrator privileges. The scripts to start the server for these examples use the appropriate arguments to pass this user name and password to the java command. If you use the Deployer or wlevs.Admin utility, you must also pass this user name/password pair using the appropriate arguments.

For more information, see User Credentials for Command-Line Utilities.