5 Security Administration

This chapter describes the main tasks you carry out to manage application security and the tools you use to accomplish those tasks.

It contains the following sections:

• OPSS Administration: Main Steps

• Security Management Tools

• Security Practices with Fusion Middleware Control

• Security Practices with WebLogic Server Administration Console

• Security Practices with OES

OPSS Administration: Main Steps

Application security administration is an iterative process that incudes the following main tasks:

• Packaging and deploying applications

• Managing application roles and users

• Managing application and system policies

• Managing application credentials

• Managing application keys and certificates

• Managing audit

See also:

Deploying Secure Applications for information about packing security with an application

Managing Application Policies

Managing Application Roles

Managing Credentials

Managing Keys and Certificates

Managing Audit

Administration with Scripts and MBeans

Security Management Tools

To administer security, use any of the following tools:

• Oracle WebLogic Server Administration Console

• Fusion Middleware Control

• WebLogic Scripting Tool (WLST)

• Oracle Entitlements Server (OES)

The tool you use depends on the type of data and the kind of store.

OPSS does not support automatic backup or recovery of server files. It is recommended that all server configuration files be periodically backed up. For information about backup, see Introduction to Backup and Recovery in Administering Oracle Fusion Middleware.

Users and Groups

If a domain uses the WebLogic Server Default Authenticator to store identities, then use WebLogic Server Administration Console to manage the stored data. This data can be accessed by the User and Role API to query user profile attributes or to insert additional attributes to users or groups.

If your domain uses the Default Authenticator, then the Administration Server must be running for an application to access identity data with the User and Role API. Otherwise, if it uses an LDAP server different from the Default Authenticator, then use the utilities of that LDAP server to manage users and groups.

Policies, Credentials, Keys, and Certificates

Policies, keys, credentials, and certificates are stored in the same kind of storage (file, LDAP, or DB). The tools to manage these artifacts are:

• WebLogic Server Administration Console, for identities.

• Fusion Middleware Control, WLST, or OES, for policies and credentials.

• WLST, for keys and certificates.

Changes to policies, credentials, or keys do not require server restart. Changes to the jps-config.xml file require server restart.

See also:

Getting Started Managing Oracle Fusion Middleware in Administering Oracle Fusion Middleware

Security Practices with Fusion Middleware Control

This section addresses only OPSS security-related operations. For other security administrative operations, see WebLogic Server Security in Administering Oracle WebLogic Server with Fusion Middleware Control.

Use Oracle Enterprise Manager Fusion Middleware Control (Fusion Middleware Control):

• Post-installation and before you deploy the application to reassociate the security store.

• Post-installation and before you deploy the application to define OPSS properties.

• At application deployment, to configure the automatic migration of application policies and credentials to the security store.

• After application deployment, to:

  • Manage application policies.

  • Manage credentials.

  • Manage users and groups.

  • Specify the mapping from application roles to users, groups, and application roles.

• Manage system policies for the domain.

• Manage OPSS properties for the domain.

See also:

Deploying Oracle ADF Applications to a New Environment

Reassociating the Security Store with Fusion Middleware Control

Configuring Security Providers with Fusion Middleware Control

Migrating the Security Store

Managing the Policy Store

Managing Application Roles

Managing System Policies

Managing Credentials

Security Practices with WebLogic Server Administration Console

Use WebLogic Server Administration Console to:

• Start and stop WebLogic servers.

• Configure WebLogic servers and domains.

• Deploy applications.

• Configure failover support.

• Configure WebLogic Server domains and WebLogic Server realms.

• Manage WebLogic Server Authentication Providers.

• Enable single sign-on in Microsoft clients, Web browsers, and HTTP clients.

• Manage administrative users and administrative policies.

See also:

Configuring Existing WebLogic Domains in Understanding the WebLogic Scripting Tool

Understanding WebLogic Server Deployment in Deploying Applications to Oracle WebLogic Server

Failover and Replication in a Cluster in Administering Clusters for Oracle WebLogic Server

Starting and Stopping Servers in Administering Server Startup and Shutdown for Oracle WebLogic Server

Secure servers and resources in Oracle WebLogic Server Administration Console Online Help

Security Practices with WLST

All security configuration tasks you do with WebLogic Server Administration Console, you can also do with WLST, including domain configuration and application deployment.

A Java Virtual Machine (JVM) instance points to at most one jps-config.xml file. All WLST commands called within the instance use the configuration file first obtained, regardless of the configuration location passed to subsequent commands.

See also:

WLST Command Reference for Infrastructure Security

Security Practices with OES

OES provides a large number of functions to configure and maintain authorization, including the ability to:

• Search application roles and the role hierarchy.

• Manage application policies and the role hierarchy.

• View the role hierarchy.

• Manage application role mappings.

For information about OES, see Introduction to Oracle Entitlements Server in Administering Oracle Entitlements Server.