This chapter describes the main tasks you carry out to manage application security and the tools you use to accomplish those tasks.
It contains the following sections:
Application security administration is an iterative process that incudes the following main tasks:
Packing and deploying applications
Managing application roles and users
Managing application and system policies
Managing application credentials
Managing application keys and certificates
Managing audit
See also:
Chapter 6, "Deploying Secure Applications," for information about packing security with an application
Chapter 10, "Managing Application Policies"
Chapter 10, "Managing Application Roles"
Chapter 11, "Managing Credentials"
To administer security, use any of the following tools:
Oracle WebLogic Server Administration Console
Fusion Middleware Control
WebLogic Scripting Tool (WLST)
Oracle Entitlements Server (OES)
The tool you use depends on the type of data and the kind of store.
OPSS does not support automatic backup or recovery of server files. It is recommended that all server configuration files be periodically backed up. For information about backup, see Introducing Backup and Recovery in Administering Oracle Fusion Middleware.
If a domain uses the WebLogic Default Authenticator to store identities, then use WebLogic Server Administration Console to manage the stored data. This data can be accessed by the User and Role API to query user profile attributes or to insert additional attributes to users or groups.
If your domain uses the Default Authenticator, then the Administration Server must be running for an application to access identity data with the User and Role API. Otherwise, if it uses an LDAP server different from the Default Authenticator, then use the utilities of that LDAP server to manage users and groups.
Policies, Credentials, Keys, and Certificates
Policies, keys, credentials, and certificates are stored in the same kind of storage (file, LDAP, or DB). The tools to manage these artifacts are:
WebLogic Server Administration Console, for identities.
Fusion Middleware Control, WLST, or OES, for policies and credentials.
WLST, for keys and certificates.
Changes to policies, credentials, or keys do not require server restart. Changes to the jps-config.xml
file require server restart.
See also:
Getting Started Managing Oracle Fusion Middleware in Administering Oracle Fusion Middleware
This section addresses only security-related operations. For other administrative operations, see Oracle Fusion Middleware Administering Oracle WebLogic Server with Fusion Middleware Control.
Use Oracle Enterprise Manager Fusion Middleware Control (Fusion Middleware Control) to:
Postinstallation and before you deploy the application, reassociate the security store.
Postinstallation and before you deploy the application, define OPSS properties.
At application deployment, configure the automatic migration of application policies and credentials to the security store.
After application deployment:
Manage application policies.
Manage credentials.
Manage users and groups.
Specify the mapping from application roles to users, groups, and application roles.
Manage system policies for the domain.
Manage OPSS properties for the domain.
See also:
Section 6.3, "Deploying Oracle ADF Applications to a New Environment"
Section 9.4.1, "Reassociating the Security Store with Fusion Middleware Control"
Section 9.6, "Configuring Security Providers with Fusion Middleware Control"
Section 9.5, "Migrating the Security Store"
Section 10.2, "Managing the Policy Store"
Section 10.3.2, "Managing Application Roles"
Use WebLogic Server Administration Console to:
Start and stop WebLogic servers.
Configure WebLogic servers and domains.
Deploy applications.
Configure failover support.
Configure WebLogic Server domains and WebLogic Server realms.
Manage WebLogic Authentication Providers.
Enable single sign-on in Microsoft clients, Web browsers, and HTTP clients.
Manage administrative users and administrative policies.
See also:
Configuring Existing Domains in Understanding the WebLogic Scripting Tool
Deploying Applications to Oracle WebLogic Server
Failover and Replication in a Cluster in Administering Clusters for Oracle WebLogic Server
Starting and Stopping Servers in Administering Server Startup and Shutdown for Oracle WebLogic Server
All security configuration tasks you do with WebLogic Server Administration Console, you can also do with WLST, including domain configuration and application deployment.
A Java Virtual Machine (JVM) instance points to at most one jps-config.xml
file. All WLST commands called within the instance use the configuration file first obtained, regardless of the configuration location passed to subsequent commands.
OES provides a large number of functions to configure and maintain authorization, including the ability to:
Search application roles and the role hierarchy.
Manage application policies and the role hierarchy.
View the role hierarchy.
Manage application role mappings.
For information about OES, see Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.