7 Integrating EDQ with a Fusion Middleware Credential Store

This chapter describes how to use an Oracle Fusion Middleware credential store with EDQ.

This chapter contains the following sections:

  • Overview of the Credential Store

  • Configuring the Credential Store for EDQ

  • Specifying the EDQ Credential Key in Properties Files

  • Examples of Specifying a Key Name

7.1 Overview of the Credential Store

EDQ supports the use of the Oracle Fusion Middleware credential store to hide the user names and passwords that EDQ uses to connect to protected resources, such as a JMS broker or an LDAP server. Without a credential store, these credentials are stored in clear text in the EDQ properties files. When a credential store is used, the user name and password are replaced by a key name that serves as an alias for the credential whenever a login is required.

Using a credential store with EDQ comprises the following steps:

  1. Configuring the Credential Store for EDQ

  2. Specifying the EDQ Credential Key in Properties Files

7.2 Configuring the Credential Store for EDQ

To configure a credential store, use Oracle Enterprise Manager Fusion Middleware Control. For more information about using this browser-based console, see Administering Oracle Fusion Middleware.

In a credential store, a credential is identified by a credential map. The credential map consists of a map and one or more keys. In EDQ, the default map name is edq. The key name is specified by the person who is creating the credential map and serves as the "alias" for the credential in the properties files. The person who creates the credential map must be an Oracle Fusion Middleware administrator.

To Configure a Credential Store for EDQ

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control as an administrator.

  2. Navigate to Domain > Security > Credentials to display the Credentials page.

  3. Click Create Map to display the Create Map dialog. Once you create a map, you can create multiple keys for it at the same time, or you can add more keys at a later date.

  4. Create a map named edq, and then click OK. The edq map name is displayed in the table.

  5. Click Create Key to display the Create Key dialog.

  6. Select the following in this dialog:

    • Select the edq map from the Select Map pull-down menu.

    • Enter a name for the key in the Key text box. This is the key name that will be entered in the properties files to replace the credential.

    • Select Password from the Type pull-down menu.

    • Enter the user name for the EDQ user in the User Name field and enter the password for that user in the Password field. Confirm the password in the Confirm Password field.

    • Optionally, you can add a description of this credential.

  7. Click OK to return to the Credentials page. The new key is displayed under the edq map icon.

7.3 Specifying the EDQ Credential Key in Properties Files

Once you have configured an EDQ credential map in Fusion Middleware Control, use the .cred.key property to specify the key name in place of the credential in properties files.

The syntax is this:

prefix.cred.key = keyname

It replaces the standard, non-secured username and password entries:

prefix.username = username
prefix.password = password

The following shows an entry for a credential for user "myuser", followed by an entry for the same credential as represented by its key name.

Non-secured Credential in director.properties

This example shows the regular way of using the username and password properties to specify the actual user name and password.

sccs.vcs.username = myuser
sccs.vcs.password = mypassword1234

Secured Credential in director.properties

This example uses the cred.key property to specify a key name from the credential store in place of the login credential.

sccs.vcs.cred.key = mykey1

Secured Password-Only Entry

In cases where only a password is required (for example, the keystore password used for JMX over SSL), append .cred.key to the name of the password property. The following is an example:

management.ssl.km.storepw.cred.key = mykey1

7.4 Examples of Specifying a Key Name

These examples show additional ways to specify credentials by means of a key name.

Connection to a JMS Broker

This example shows a realtime bucket definition in which a credential is required to connect to a JMS broker.

The following is the unsecured way of specifying the credential:

<messengerconfig>
  …
  username = myuser
  password = mypassword1234
  …
</messengerconfig>

The following is the secure specification using the key name:

…
<messengerconfig>
  …
  cred.key = mykey1
  …
</messengerconfig>
…

Connection to a JNDI Store

This example uses a credential to connect to a JNDI store.

The following is the unsecured way of specifying the credential:

…
<messengerconfig>
  …
  java.naming.security.principal   = myuser
  java.naming.security.credentials = mypassword1234
  …
</messengerconfig>
…

The following is the secure specification using the key name. In this case, the jndi prefix is required, so the .cred.key is appended to it.

…
<messengerconfig>
  …
  jndi.cred.key = mykey1
  …
</messengerconfig>
…

Connecting to an LDAP Server

This example shows the correct syntax for specifying a connection to an LDAP server in the login.properties file.

Non-secured entry:

myrealm.ldap.user = myuser
myrealm.ldap.pw = mypassword

Secured entry with credential store key:

myrealm.ldap.cred.key = mykey1
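The entries in sections 7.3 and 7.4 follow one pattern: a property whose name ends in a password-like component carries a clear-text secret, and the secured form replaces it with a .cred.key property on the same prefix (or, for a password-only property such as storepw, with .cred.key appended to the property name). The script below is an added example, not Oracle's code or part of the EDQ product: it audits the text of a director.properties or login.properties file, flags the clear-text credential entries shown in this chapter, and reports the .cred.key property that would replace each one. The rule that a property is a secret when its last dotted component is password, pw, storepw or credentials is an assumption drawn from the entries on this page, and the sample file is constructed for the example. Values are never included in the findings, so the report itself does not leak the passwords it finds.

```python
import re
from dataclasses import dataclass

# Leaf names that carry a clear-text secret in the entries shown in this chapter.
# This heuristic is an assumption based on those entries, not an EDQ-defined list.
SECRET_LEAF_NAMES = {"password", "pw", "storepw", "credentials"}

# Matches "name = value" lines; the <messengerconfig> tags and "…" lines do not match.
PROP_RE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*)$")


@dataclass
class Finding:
    line: int        # 1-based line number in the properties text
    prop: str        # clear-text credential property found
    suggested: str   # the .cred.key property that would replace it


def is_clear_text_secret(prop: str) -> bool:
    """True when the property's last dotted component names a password-like value."""
    return prop.rsplit(".", 1)[-1] in SECRET_LEAF_NAMES


def suggest_cred_key(prop: str) -> str:
    """Map a clear-text credential property to the .cred.key form this chapter shows."""
    if prop == "java.naming.security.credentials":
        return "jndi.cred.key"          # JNDI store: the jndi prefix is required
    if prop == "password":
        return "cred.key"               # bare password inside <messengerconfig>
    for suffix in (".password", ".pw"):
        if prop.endswith(suffix):       # username/password pair: replace on the prefix
            return prop[: -len(suffix)] + ".cred.key"
    return prop + ".cred.key"           # password-only property: append .cred.key


def audit(text: str) -> list[Finding]:
    """Return one Finding per clear-text credential property in the given text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = PROP_RE.match(raw)
        if not m:
            continue
        prop, value = m.group(1), m.group(2).strip()
        if prop.endswith(".cred.key") or prop == "cred.key":
            continue                    # already an alias into the credential store
        if is_clear_text_secret(prop) and value:
            findings.append(Finding(lineno, prop, suggest_cred_key(prop)))
    return findings


# Constructed sample modelled on the entries in this chapter (not a real file).
SAMPLE_DIRECTOR_PROPERTIES = """\
# constructed sample
sccs.vcs.username = myuser
sccs.vcs.password = mypassword1234
management.ssl.km.storepw = changeit
myrealm.ldap.user = myuser
myrealm.ldap.pw = mypassword
myrealm2.ldap.cred.key = mykey1
<messengerconfig>
  java.naming.security.principal   = myuser
  java.naming.security.credentials = mypassword1234
</messengerconfig>
"""


if __name__ == "__main__":
    for f in audit(SAMPLE_DIRECTOR_PROPERTIES):
        print(f"line {f.line}: {f.prop} holds a clear-text secret; "
              f"replace with {f.suggested} = <keyname>")
```

Run it against a copy of the EDQ properties files before and after moving credentials into the credential store: a clean file produces no findings, and each remaining finding names the exact .cred.key property to add and the clear-text property to remove (drop the paired username, user or principal entry as well, as the examples in this chapter do).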