Oracle® Retail Process Orchestration and Monitoring Security Guide
Release 4.0.1
F17860-01

12 Post-Installation Application Administration

This chapter covers the administration tasks performed after installation of the RMS application.

Application Security Configuration

Access control of system resources is achieved by requiring users to authenticate at login and by restricting users to only those resources for which they are authorized. A default security configuration is available for immediate use after the Oracle Retail Fusion application is installed and is configured to use the Oracle Fusion Middleware security model. The default configuration includes eleven (11) predefined security roles for application-specific permission grants. Users can be added to predefined groups that are mapped to pre-configured application roles. RMS is pre-configured to grant specific application permissions.

Table 12-1 Privileges

| Name | Description |
|---|---|
| Maintain Batch Administration Priv | This privilege provides maintain access to the Batch Administration Screen. |
| Maintain Batch Monitoring Priv | This privilege provides maintain access to the Batch Administration Screen as well as the Batch Schedule Viewer Screen. It also allows use of the Action items on those screens. |
| View Batch Monitoring Priv | A privilege for viewing the Batch Monitoring Screen. |
| View Application Logs Priv | A privilege for viewing application logs. |
| View Historical Batch Logs Priv | This privilege provides view access to the stored Historic Batch Logs. |
| External Configuration Priv | This privilege provides access to the External System Configuration Screen. |


Table 12-2 Duties

| Duty | Description | List of Privileges |
|---|---|---|
| Business User Duty | A duty for monitoring batch as a business user. | View Batch Monitoring Privilege; External Configuration Priv |
| System Administration Duty | A duty for maintaining application administration information. | View Historical Batch Logs Priv; Maintain Batch Monitoring Privilege; Maintain Batch Administration Privilege; View Application Logs Priv |
| Batch Monitoring User Duty | A duty for maintaining the batch monitoring screen. | View Historical Batch Logs Priv; Maintain Batch Monitoring Privilege; View Application Logs Priv |
| Batch Administrator Job | System Administrator Duty | View Historical Batch Logs Priv; Maintain Batch Monitoring Privilege; Maintain Batch Administration Privilege; View Application Logs Priv |
| Batch Business Job | Business User Duty | View Batch Monitoring Privilege; External Configuration Priv |
| Batch Monitoring Job | Batch Monitoring User Duty | View Historical Batch Logs Priv; Maintain Batch Monitoring Privilege; View Application Logs Priv |


Post-Installation Steps for Webservice Security

You need to configure the user credentials and other security-related information at the service consumer and the app service provider layers to provide end-to-end security between the web service consumer and the provider.

Applying Policy A

Applying policy A involves the following:

  • Enabling the HTTPS servers

  • Creating the Webservice users

  • Securing services

  • Updating the Webservice deployment

  • Webservice Clock Skew setting

Enabling the HTTPS Servers

Perform the following steps to enable HTTPS servers:

  1. In WebLogic Admin Console, click Environment > Servers.

  2. Click the server where the web service has been deployed.

  3. Click the General tab.

  4. Check the SSL Listen Port Enabled check box.

  5. Enter a port number for the SSL Listen Port. This is the port number for the service endpoint.

  6. Enter the hostname in the Listen Address field.

  7. Click Save.

Figure 12-1 Enabling the HTTPS Servers


Creating the Webservice User

Perform the following steps to create roles and users who can access the Web services:

  1. In WebLogic Admin Console, click the Domain Structure window, and click the Security Realms link.

    The default realm appears.

  2. Click the link on the realm.

  3. Click the Users and Groups tab.

  4. Click New.

  5. Enter the user name and password details on the next screen.

  6. Leave the default value for Provider.

  7. Click OK to save the changes.

    The new user is shown in the list of users.

Securing Services

Perform the following steps in WebLogic Admin Console for each of the services to be secured:

  1. Attach the user created in the previous step to the service.

  2. Click Deployments.

  3. Click the service you want to secure.

  4. Click Securities and then Policies.

    Figure 12-2 Securing Services


  5. Click Add Conditions.

  6. In the Predicate List dropdown, pick User, then click Next.

  7. Click User Argument Name.

  8. Enter the username you created, then click Add.

  9. Click Finish, then Save.

    Figure 12-3 Add Conditions Window


  10. Attach the policy to the service.

  11. Navigate to the Configuration tab.

  12. Click the WSB Policy tab and select the service port.

    Figure 12-4 Attaching WS Policy to the Service


  13. Click WebLogic, then Next.

  14. Click Service Endpoint Policies.

  15. Select policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml, then click Finish.

    Figure 12-5 Service Endpoint Policies


  16. Click OK if WebLogic prompts you to save Plan.xml.

Updating the Webservice Deployment

Perform the following steps to update the Webservice deployment:

  1. In WebLogic Admin Console, click Deployments.

  2. Click Lock & Edit and select the deployed application with the Webservices to be secured.

  3. Click Update and select the deployment .ear file, along with the Plan.xml file if it was saved earlier.

  4. Click Finish.

  5. Click Activate Changes to reflect the changes.

  6. Verify the configuration by checking the WSDL of the service.

    The WSDL must have the policy information in it.

Webservice Clock Skew Setting

When web services are secured, the clocks of the providers and consumers need to be synchronized. However, for various reasons, the provider and consumer clocks can differ.

WebLogic can be configured with a different tolerance level so that the web services continue to work. Perform the following steps to set the time tolerance level to a different value:

  1. Navigate to WLS Console > Domain > Web Service Security > default_wss > Timestamp.

  2. Click Lock and Edit.

  3. Update the Clock Skew with the new tolerance limit (in milliseconds).

  4. Click Activate Changes.

  5. Restart the managed server hosting the web service once the changes are implemented.

    Figure 12-6 Set New Time Tolerance
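
To show what the Clock Skew value changes, the following added example (not Oracle's code and not WebLogic's implementation) applies the general WS-Security timestamp freshness check to a constructed wsu:Timestamp. The function names, the sample times and the exact acceptance rule are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: timestamp header from a consumer whose clock runs
# 90 seconds ahead of a provider whose clock reads 12:00:00 UTC.
SAMPLE_TIMESTAMP = f"""
<wsu:Timestamp xmlns:wsu="{WSU}">
  <wsu:Created>2024-01-01T12:01:30Z</wsu:Created>
  <wsu:Expires>2024-01-01T12:06:30Z</wsu:Expires>
</wsu:Timestamp>
"""

def _parse_utc(text):
    # WS-Security timestamps are xsd:dateTime values in UTC ("...Z").
    text = text.strip()
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def check_timestamp(timestamp_xml, receiver_now, clock_skew_ms):
    """Return (accepted, reason) for a wsu:Timestamp at the receiver's time.

    clock_skew_ms is the tolerance in milliseconds, the same unit as the
    Clock Skew field in the steps above.
    """
    root = ET.fromstring(timestamp_xml.strip())
    created = root.find(f"{{{WSU}}}Created")
    expires = root.find(f"{{{WSU}}}Expires")
    if created is None or expires is None:
        return False, "missing Created or Expires"
    skew = timedelta(milliseconds=clock_skew_ms)
    # Sender clock ahead of receiver: Created appears to be in the future.
    if _parse_utc(created.text) - skew > receiver_now:
        return False, "Created is in the future beyond the tolerance"
    # Sender clock behind receiver, or a slow or replayed message.
    if _parse_utc(expires.text) + skew < receiver_now:
        return False, "message expired beyond the tolerance"
    return True, "timestamp within tolerance"
```

The tolerance is added to both ends of the validity window, so a larger value also lengthens the period in which an old message is still accepted. Correcting time synchronization between hosts is preferable to raising the value.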


Applying Policy B

Applying policy B involves the following:

  • Creating the Webservice users

  • Securing services

  • Updating the Webservice deployment

Creating the Webservice User

Perform the following steps to create roles and users who can access the Web services:

  1. In WebLogic Admin Console, click the Domain Structure window, then click the Security Realms link.

    The default realm appears.

  2. Click the link on the realm.

  3. Click the Users and Groups tab.

  4. Click New.

  5. Enter the user name and password details on the next screen.

  6. Leave the default value for Provider.

  7. Click OK to save the changes.

    The new user is shown in the list of users.

Securing Services

Perform the following steps in WebLogic Admin Console for each of the services to be secured:

  1. Attach the user created in the previous step to the service.

  2. Click Deployments.

  3. Click the service you want to secure.

  4. Click Securities, then Policies.

    Figure 12-7 Securing Services


  5. Click Add Conditions > Predicate List.

  6. Pick User from the dropdown, then click Next.

  7. Click User Argument Name.

  8. Type the username you created, then click Add.

  9. Click Finish, then click Save.

    Figure 12-8 Add Condition Window


  10. Attach the policy to the service.

  11. Navigate to the Configuration tab.

  12. Click the WSB Policy tab and select the service port.

    Figure 12-9 Attaching WS Policy to the Service


  13. Click WebLogic, then click Next.

  14. Click Service Endpoint Policies.

  15. Select policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml, then click Finish.

    Figure 12-10 Service Endpoint Policies


  16. Click OK if WebLogic prompts you to save Plan.xml.

Updating the Webservice Deployment

Perform the following steps to update the Webservice deployment:

  1. In WebLogic Admin Console, click Deployments.

  2. Click Lock & Edit and select the deployed application with the Webservices to be secured.

  3. Click Update and select the deployment .ear file, along with the Plan.xml file if it was saved in the previous steps.

  4. Click Finish.

  5. Click Activate Changes to reflect the changes.

  6. Verify the configuration by checking the WSDL of the service.

    The WSDL must have the policy information in it.
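
The WSDL verification that closes both the Policy A and Policy B procedures can be scripted. The following is an added example, not part of the Oracle guide: it checks a constructed WSDL for an attached policy that carries the HTTPS transport and username token assertions, and for HTTPS endpoint addresses. The service name, host, policy Id and the assumption that the policy is embedded inline and referenced by fragment Id are all hypothetical.

```python
import xml.etree.ElementTree as ET

# Namespaces assumed: WS-Policy 1.2/1.5, WS-SecurityPolicy 1.2, WSS utility, WSDL SOAP 1.1/1.2.
WSP = ("http://schemas.xmlsoap.org/ws/2004/09/policy", "http://www.w3.org/ns/ws-policy")
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SOAP = ("http://schemas.xmlsoap.org/wsdl/soap/", "http://schemas.xmlsoap.org/wsdl/soap12/")

# Constructed sample WSDL (hypothetical service, host and policy Id).
SAMPLE_WSDL = f"""<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsp="{WSP[0]}" xmlns:sp="{SP}" xmlns:wsu="{WSU}" xmlns:soap="{SOAP[0]}">
  <wsp:Policy wsu:Id="HttpsUsernameTokenPlain">
    <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
      <sp:HttpsToken/></wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
    <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
  </wsp:Policy>
  <binding name="DemoBinding"><wsp:PolicyReference URI="#HttpsUsernameTokenPlain"/></binding>
  <service name="DemoService"><port name="DemoPort">
    <soap:address location="https://pom.example.com:7002/DemoService"/></port></service>
</definitions>"""

def audit_wsdl(wsdl_text):
    """Return a list of problems; an empty list means the policy is advertised."""
    root = ET.fromstring(wsdl_text)
    problems = []
    # Index top-level policies by wsu:Id so references can be resolved.
    policies = {}
    for ns in WSP:
        for pol in root.iter(f"{{{ns}}}Policy"):
            if pol.get(f"{{{WSU}}}Id"):
                policies[pol.get(f"{{{WSU}}}Id")] = pol
    refs = [r.get("URI", "") for ns in WSP for r in root.iter(f"{{{ns}}}PolicyReference")]
    if not refs:
        problems.append("no PolicyReference attached to any binding or port")
    for uri in refs:
        pol = policies.get(uri.lstrip("#"))
        if pol is None:
            problems.append(f"PolicyReference {uri} does not resolve")
            continue
        for assertion in ("HttpsToken", "UsernameToken"):
            if pol.find(f".//{{{SP}}}{assertion}") is None:
                problems.append(f"policy {uri} lacks sp:{assertion}")
    for ns in SOAP:
        for addr in root.iter(f"{{{ns}}}address"):
            if not addr.get("location", "").lower().startswith("https://"):
                problems.append(f"endpoint not HTTPS: {addr.get('location')}")
    return problems
```

An empty result confirms that the policy is advertised in the WSDL. It does not by itself confirm that the user condition added under Securing Services is enforced.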