This chapter introduces security tasks you can perform with Oracle Event Processing Visualizer, including managing users, groups, and roles, as well as managing HTTP publish-subscribe server channel security and SSL.
This chapter includes the following sections:
For more information, see "Configuring Security for Oracle Event Processing" in the Oracle Fusion Middleware Administrator's Guide for Oracle Event Processing.
Oracle Event Processing uses role-based authorization control to secure the Oracle Event Processing Visualizer and the wlevs.Admin command-line utility. There are a variety of default out-of-the-box security groups. You can add users to different groups to give them the different roles.
Administrators who use Oracle Event Processing Visualizer, wlevs.Admin, or any custom administration application that uses JMX to connect to an Oracle Event Processing instance use role-based authorization to gain access.
You can also use role-based authorization to control access to the HTTP publish-subscribe server.
There are two types of role:
Application roles: application roles grant users the permission to access various Oracle CQL applications deployed to the Oracle Event Processing server. You can create application roles and associate them with the task roles that Oracle Event Processing provides.
By default, administrator users can access any application and non-administration users cannot access any applications. Before a none-administration user can access an application, an administration user must grant the user the associated application role.
Task roles: task roles grant users the permission to perform various tasks with the applications their application role authorizes them to access. Oracle Event Processing provides the default task roles that Table 20-1 describes.
Users that successfully authenticate themselves when using Oracle Event Processing Visualizer or wlevs.Admin are assigned roles based on their group membership, and then subsequent access to administrative functions is restricted according to the roles held by the user. Anonymous users (non-authenticated users) will not have any access to the Oracle Event Processing Visualizer or wlevs.Admin.
When an administrator uses the Configuration Wizard to create a new domain, they enter an administrator user that will be part of the wlevsAdministrators group. By default, this information is stored in a file-based provider filestore. The password is hashed using the SHA-256 algorithm. The default administrator user is named wlevs with password wlevs.
Table 20-1 describes the default Oracle Event Processing task roles available right after the creation of a new domain, as well as the name of the groups that are assigned to these roles.
Table 20-1 Default Oracle Event Processing Task Roles and Groups
| Task Role | Group | Privileges |
|---|---|---|
|
|
wlevsAdministrators |
Has all privileges of all the preceding roles, as well as permission to:
|
|
|
wlevsApplicationAdmins |
Has all Operator privileges as well as permission to update the configuration of any deployed application. |
|
|
wlevsBusinessUsers |
Has all Operator privileges as well as permission to update the Oracle CQL and EPL rules associated with the processor of a deployed application. |
|
|
wlevsDeployers |
Has all Operator privileges as well as permission to deploy, undeploy, update, suspend, and resume any deployed application. |
|
|
wlevsMonitors |
Has all Operator privileges as well as permission to enable/disable diagnostic functions, such as creating a diagnostic profile and recording events (then playing them back.) |
|
|
wlevsOperators |
Has read-only access to all server resources, services, and deployed applications. |
Once the domain has been created, the administrator can use Oracle Event Processing Visualizer to create a group and associate it with one or more roles: each role grants access to an application. When you assign a user to a group, the roles you associate with the group give the user the privileges to access those applications.
Using Oracle Event Processing Visualizer, you can:
Oracle Event Processing provides an HTTP Publish-Subscribe Server (HTTP pub-sub server): a mechanism whereby Web clients subscribe to channels (similar to a topic in JMS) and then publish messages to these channels using asynchronous messages over HTTP and subscribe to these channels to receive messages as they become available.
Using Oracle Event Processing Visualizer, you can specify which users can access HTTP publish-subscribe server channels.
For more information, see:
Chapter 24, "Managing HTTP Publish-Subscribe Server Security"
"Configuring HTTP Publish-Subscribe for Oracle Event Processing" in the Oracle Fusion Middleware Administrator's Guide for Oracle Event Processing
Oracle Event Processing provides one-way Secure Sockets Layer (SSL) to secure network traffic between Oracle Event Processing Visualizer and Oracle Event Processing server instances, between the Oracle Event Processing server instances of a multi-server domain, and between the wlevs.Admin command-line utility and Oracle Event Processing server instances.
You configure SSL in the Oracle Event Processing server config.xml file. By default, the Configuration Wizard creates the config.xml file in the ORACLE_CEP_HOME/user_projects/domains/DOMAIN_DIR/servername/config directory, where ORACLE_CEP_HOME refers to the Oracle Event Processing installation directory (such as d:/oracle_cep), DOMAIN_DIR refers to the domain directory (such as my_domain), and servername refers to the server instance directory (such as server1).
For more information, see: