About Users

There are multiple types of users associated with Oracle Java Cloud Service. Each has its own purpose and is found in a specific identity store.

Cloud Users and Service Administrators

When an Oracle Cloud account is created that includes a subscription to Oracle Java Cloud Service, the default administrator is given the Java Administrator role.

Only Oracle Cloud users with this role can create and manage Oracle Java Cloud Service instances, whether through the console, the CLI, or the REST API. Users in your account who have the Identity Domain Administrator role can create additional cloud users and grant them the Java Administrator role. Similar roles exist for the other services available in Oracle Cloud. See Add Users, Assign Policies and Roles in Getting Started with Oracle Cloud.

Oracle Identity Cloud Service provides a secure, centralized cloud service to manage the relationships that your users have with your applications, including with other Oracle Cloud services like Oracle Java Cloud Service. With Oracle Identity Cloud Service you can create custom password policies and email notifications, onboard new users, assign users and groups to applications, and run security reports. See Use Oracle Identity Cloud Service with Oracle Java Cloud Service.

Oracle Java Cloud Service can optionally store backups of service instances in cloud storage (either Oracle Cloud Infrastructure Object Storage or Oracle Cloud Infrastructure Object Storage Classic). Configuring a service instance for backups includes specifying the credentials for an Oracle Cloud user who has read/write access to cloud storage. See About Backup and Restoration in Oracle Java Cloud Service.

WebLogic Server Administrators

An Oracle Java Cloud Service instance includes an Oracle WebLogic Server domain, which consists of an Administration Server and one or more Managed Servers.

A domain also defines a security realm that controls authentication, authorization, role mapping, credential mapping and security auditing across all of the servers in the domain. When you create a service instance, you provide the credentials for the initial user in this WebLogic security realm. This user has the Admin role and can perform all WebLogic Server administrative operations through the WebLogic Server Administration Console, Fusion Middleware Control, WebLogic Scripting Tool (WLST), or WebLogic REST API. You can also use the default WebLogic administrator to create additional WebLogic administrators and assign them specific roles and privileges. For example, users with the Deployer role can deploy Java applications to the domain.

By default, the domain in an Oracle Java Cloud Service instance is configured to use the embedded LDAP identity store for WebLogic Server roles, users and policies. This embedded LDAP is hosted in the Administration Server and is replicated to all Managed Servers in the domain. If the default security configuration does not meet your requirements, you can modify the default security realm or create a new one with any combination of WebLogic and custom security providers.
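The following WLST (Jython) script is an added example, not part of the Oracle documentation. It shows one way to give a deployment pipeline its own account in the embedded LDAP with only the Deployer role, instead of sharing the initial administrator's credentials. The URL, file paths, account name and the NEW_USER_PASSWORD environment variable are constructed placeholders; the MBean calls are the standard DefaultAuthenticator operations.

```python
# WLST (Jython) script, added example. Run with: wlst.sh create_deployer.py
# The file name, URL, key-file paths, account name and the NEW_USER_PASSWORD
# environment variable are all constructed placeholders.

ADMIN_URL = "t3s://admin-host.example.com:7002"
DEPLOY_USER = "deploy_ci"


def ensure_deployer(atnr, user, password, group="Deployers"):
    """Create `user` if missing and put it in `group`, nothing more.

    `atnr` is the realm's DefaultAuthenticator MBean (embedded LDAP).
    Returns the list of changes made; raises ValueError if the account
    already holds full administrative rights.
    """
    changes = []
    if atnr.userExists(user):
        # A deployment account must not double as a full administrator.
        if atnr.isMember("Administrators", user, True):
            raise ValueError(user + " is already in Administrators")
    else:
        atnr.createUser(user, password, "Deployment-only account")
        changes.append("created " + user)
    if not atnr.isMember(group, user, True):
        atnr.addMemberToGroup(group, user)
        changes.append("added " + user + " to " + group)
    return changes


def main():
    from java.lang import System  # available only inside WLST/Jython
    # Encrypted credentials written earlier with WLST storeUserConfig(),
    # so the administrator password never appears in the script.
    connect(userConfigFile="/u01/secure/admin.cfg",
            userKeyFile="/u01/secure/admin.key", url=ADMIN_URL)
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    atnr = realm.lookupAuthenticationProvider("DefaultAuthenticator")
    for change in ensure_deployer(atnr, DEPLOY_USER,
                                  System.getenv("NEW_USER_PASSWORD")):
        print(change)
    disconnect()


# WLST runs scripts with __name__ set to "main"; under plain Python the
# functions are only defined, which is what lets them be unit-tested.
if __name__ == "main":
    main()
```

The script is idempotent: a second run against the same domain makes no changes, and it refuses to touch an account that is already a member of Administrators.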

If your cloud account includes Oracle Identity Cloud Service, Oracle Java Cloud Service can provision your service instance so that WebLogic Server uses Oracle Identity Cloud Service for authentication in addition to the default embedded LDAP. As a result, when WebLogic administrators access tools like the Administration Console they are authenticated against the users, groups, roles and policies defined in Oracle Identity Cloud Service. See Use Oracle Identity Cloud Service with Oracle Java Cloud Service.

To learn more about WebLogic security see:

Application Users

Java applications deployed to the WebLogic Server domain in your Oracle Java Cloud Service instance can have security policies that protect the applications against unauthorized access.

WebLogic Server supports various security providers that assign an identity to the requesting user or software entity. For example, WebLogic Server can determine the identity of an application user by validating a user name and password. By default, the domain in an Oracle Java Cloud Service instance is configured to use the embedded LDAP identity store for both WebLogic administrators and application users. You can use standard WebLogic tools like the WebLogic Server Administration Console to manage users, groups, roles and policies in the embedded LDAP.

If your cloud account includes Oracle Identity Cloud Service, Oracle Java Cloud Service can provision your service instance so that WebLogic Server uses Oracle Identity Cloud Service for authentication in addition to the default embedded LDAP. As a result, users that access your Java applications are authenticated against the users, groups, roles and policies defined in Oracle Identity Cloud Service. See Use Oracle Identity Cloud Service with Oracle Java Cloud Service.

If this security configuration does not meet your requirements, you can modify the default security realm or create a new one with any combination of WebLogic and custom security providers. For large production applications, Oracle recommends that you use a proper identity management system such as Oracle Identity Cloud Service instead of the embedded LDAP.

Database Users

An Oracle Java Cloud Service instance requires access to at least one Oracle Database.

Oracle Java Cloud Service provisions your chosen database with the Oracle Fusion Middleware (FMW) schema and also connects the WebLogic Server domain in your service instance to this database. When you create a service instance you provide appropriate credentials to access and update this FMW database.

You can also connect your service instance to additional relational databases by using standard WebLogic tools like the WebLogic Server Administration Console. Just as with the FMW database, you must provide the necessary credentials to connect to these application databases.

If your database is running Oracle Database 12c, users can be scoped to the container database (CDB) or a pluggable database (PDB). To connect to a specific PDB from WebLogic Server, be sure to specify user credentials in the target PDB and not the CDB.

To learn more about database connectivity in WebLogic Server see:

A component of your WebLogic Server domain is Oracle Platform Security Services (OPSS), which requires a connection to your service instance’s FMW database. The credentials for this database connection are stored in a separate file named jps-config.xml.

Load Balancer Administrators

Your Oracle Java Cloud Service instance can optionally include a user-managed load balancer, an Oracle-managed load balancer, or your own instance of Oracle Cloud Infrastructure Load Balancing. The load balancer distributes application traffic to the servers in the WebLogic Server domain.

A user-managed load balancer is Oracle Traffic Director, which has an Administration/Managed server architecture similar to WebLogic Server, along with its own identity store. When you create a service instance, the same WebLogic Server administrator credentials that you provide are also used as the default Traffic Director credentials. This user has full administrative access to the Load Balancer Console and other Traffic Director tools. You can also use the Load Balancer Console to create additional Traffic Director administrators.

An Oracle-managed load balancer runs on Oracle Cloud Infrastructure Load Balancing or Oracle Cloud Infrastructure Load Balancing Classic, depending on the region where the service instance was created. Cloud users must be granted access to these services in order to view or modify the generated configuration for a load balancer.

See Configure a Load Balancer for a Service Instance.

Operating System Users

Each Oracle Java Cloud Service instance is associated with at least one Secure Shell (SSH) public key. Using the matching private key, you can SSH to the underlying nodes running WebLogic Server and the load balancer.

SSH to a node as the opc OS user and then switch to the oracle OS user in order to manage Oracle Java Cloud Service software like WebLogic Server, or to install additional Oracle software. The opc user has root privileges on the OS if you need to modify the OS configuration, create additional OS users, or install additional OS packages. See Access a Node with a Secure Shell (SSH).