Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
What's New in This Guide
New Features in Release 11.1.1.9.0
New Features in Release 11.1.1.7.0
New Features in Release 11.1.1.6.0
New Features in Release 11.1.1.4.0
New Features in Release 11.1.1.3.0
New Features in Release 11.1.1.2.0
New Features in Release 11gR1
Desupported Features from 10.1.3.x
Part I Understanding Security Concepts
1
Introduction to Oracle Platform Security Services
1.1
What is Oracle Platform Security Services?
1.1.1
OPSS Main Features
1.1.2
Supported Server Platforms
1.2
OPSS Architecture Overview
1.2.1
Benefits of Using OPSS
1.3
Oracle ADF Security Overview
1.4
OPSS for Administrators
1.5
OPSS for Developers
1.5.1
Scenario 1: Enhancing Security in a Java EE Application
1.5.2
Scenario 2: Securing an Oracle ADF Application
1.5.3
Scenario 3: Securing a Java SE Application
2
Understanding Users and Roles
2.1
Terminology
2.2
Role Mapping
2.2.1
Permission Inheritance and the Role Hierarchy
2.3
The Authenticated Role
2.4
The Anonymous User and Role
2.4.1
Anonymous Support and Subject
2.5
Administrative Users and Roles
2.6
Managing User Accounts
2.7
Principal Name Comparison Logic
2.7.1
How Does Principal Comparison Affect Authorization?
2.7.2
System Parameters Controlling Principal Name Comparison
2.8
The Role Category
3
Understanding Identities, Policies, Credentials, Keys, Certificates, and Auditing
3.1
Compatibility Matrix for 11g Versions
3.2
Authentication Basics
3.2.1
Identity Store Types and WebLogic Authenticators
3.2.2
WebLogic Authenticators
3.2.2.1
Multiple Authenticators
3.2.2.2
Additional Authentication Methods
3.2.3
WebSphere Identity Stores
3.3
Policy Store Basics
3.4
Credential Store Basics
3.5
Keystore Service Basics
3.5.1
Keystore Repository Types
3.5.2
Keystore Repository Scope and Reassociation
3.6
Audit Service Basics
4
About Oracle Platform Security Services Scenarios
4.1
Supported File-, LDAP-, and DB-Based Services
4.2
Management Tools
4.3
Packaging Requirements
4.4
Example Scenarios
4.5
Other Scenarios
4.6
FIPS 140 Support in Oracle Platform Security Services
Part II Basic OPSS Administration
5
Security Administration
5.1
Choosing the Administration Tool According to Technology
5.2
Basic Security Administration Tasks
5.2.1
Setting Up a Brand New Production Environment
5.3
Typical Security Practices with Fusion Middleware Control
5.4
Typical Security Practices with the Administration Console
5.5
Typical Security Practices with Oracle Entitlements Server
5.6
Typical Security Practices with WLST Commands
6
Deploying Secure Applications
6.1
Overview
6.2
Selecting the Tool for Deployment
6.2.1
Deploying Java EE and Oracle ADF Applications with Fusion Middleware Control
6.3
Deploying Oracle ADF Applications to a Test Environment
6.3.1
Deploying to a Test Environment
6.3.1.1
Typical Administrative Tasks after Deployment in a Test Environment
6.4
Deploying Standard Java EE Applications
6.5
Deploying Applications with Auditing
6.5.1
Packaging Requirements for Auditing
6.5.2
Registration with the Audit Service
6.5.3
Migrating Audit Data
6.6
Migrating from a Test to a Production Environment
6.6.1
Migrating Identities
6.6.1.1
Migrating Identities with migrateSecurityStore
6.6.2
Migrating Policies and Credentials
6.6.2.1
Migrating Policies with migrateSecurityStore
6.6.2.2
Migrating Credentials with migrateSecurityStore
6.6.2.3
Migrating Large Volume Policy and Credential Stores
6.6.3
Migrating Audit Information
6.6.4
Migrating Keystore Service Artifacts
6.6.4.1
Background for Keystore Migration
6.6.4.2
Migrating Keystore Service Artifacts Within a Domain
6.6.4.3
Migrating Keystore Service Artifacts Across Domains
Part III OPSS Services
7
Configuring the Identity Store Service
7.1
Introduction to the Identity Store Service
7.1.1
About the Identity Store Service
7.1.2
Service Architecture
7.1.3
Application Server Support
7.1.4
Java SE Support
7.2
Configuring the Identity Store Provider
7.3
Configuring the Identity Store Service
7.3.1
What is Configured?
7.3.1.1
Configuring Multi-LDAP Lookup
7.3.1.2
Global/Connection Parameters
7.3.1.3
Back-End/Connection Parameters
7.3.2
Configuration in WebLogic Server
7.3.2.1
Configuring the Service for Single LDAP
7.3.2.2
Configuring the Service for Multiple LDAP Without virtualize Property
7.3.2.3
Configuring the Service for Multiple LDAP using Fusion Middleware Control
7.3.2.4
Configuring the Service for Multiple LDAP using WLST
7.3.2.5
Configuring the Timeout Setting Using WLST
7.3.2.6
Configuring Other Parameters
7.3.2.7
Restarting Servers
7.3.2.8
Examples of the Configuration File
7.3.3
Configuring Split Profiles
7.3.4
Configuring Custom Authenticators
7.3.5
Configuration in Other Application Servers
7.3.5.1
Configuring the Service for Single LDAP
7.3.5.2
Configuring the Service for Multiple LDAP
7.3.6
Java SE Environments
7.4
Querying the Identity Store Programmatically
7.5
SSL for the Identity Store Service
7.5.1
Connections from Oracle WebLogic Server to Identity Store
7.5.2
One-way SSL in a Multi-LDAP Scenario
7.5.3
Two-way SSL in a Multi-LDAP Scenario
8
Configuring the OPSS Security Store
8.1
Introduction to the OPSS Security Store
8.1.1
Multi-Server Environments
8.2
Recommendations
8.3
Using an LDAP-Based OPSS Security Store
8.3.1
Prerequisites to Using an LDAP-Based Security Store
8.3.2
Setting Up a One-Way SSL Connection to the LDAP
8.4
Using a DB-Based OPSS Security Store
8.4.1
Prerequisites to Using a DB-Based Security Store
8.4.2
Maintaining a DB-Based Security Store
8.4.3
Setting Up an SSL Connection to the DB
8.5
Configuring the OPSS Security Store
8.6
Reassociating the OPSS Security Store
8.6.1
Reassociating with Fusion Middleware Control
8.6.1.1
Securing Access to Oracle Internet Directory Nodes
8.6.2
reassociateSecurityStore
8.7
Migrating the OPSS Security Store
8.7.1
Migrating with Fusion Middleware Control
8.7.2
Migrating with migrateSecurityStore
8.7.2.1
Migrating Audit Metadata
8.7.2.2
Examples of Use
8.8
Configuring Services Providers with Fusion Middleware Control
8.8.1
Configuring the Identity Store Provider
8.8.2
Configuring the Single Sign-On Provider
8.8.3
Configuring the Trust Service Provider
8.8.4
Configuring Properties and Property Sets
9
Managing the Policy Store
9.1
Determining the Domain Security Store Characteristics
9.2
Managing the Policy Store
9.3
Managing Policies with Fusion Middleware Control
9.3.1
Managing Application Policies
9.3.2
Managing Application Roles
9.3.3
Managing System Policies
9.4
Managing Application Policies with WLST Commands
9.5
Caching and Refreshing the Cache
9.5.1
An Example
9.6
Granting Policies to Anonymous and Authenticated Roles with WLST Commands
9.7
Application Stripe for Versioned Applications in WLST Commands
9.8
Managing Application Policies with Oracle Entitlements Server
10
Managing the Credential Store
10.1
Credential Types
10.2
Encrypting Credentials
10.3
Managing the Credential Store
10.4
Managing Credentials with Fusion Middleware Control
10.5
Managing Credentials with WLST Commands
11
Managing Keys and Certificates with the Keystore Service
11.1
About the Keystore Service
11.1.1
Structure of the Keystore Service
11.1.2
Types of Keystores
11.1.3
Domain Trust Store
11.1.4
Keystores for Domains with Multiple Servers
11.2
Keystore Management with the Keystore Service
11.2.1
About the Keystore Life Cycle
11.2.2
Common Keystore Operations
11.2.2.1
Creating a Keystore with Fusion Middleware Control
11.2.2.2
Creating a Keystore at the Command Line
11.2.2.3
Deleting a Keystore with Fusion Middleware Control
11.2.2.4
Deleting a Keystore at the Command Line
11.2.2.5
Changing Keystore Password with Fusion Middleware Control
11.2.2.6
Changing Keystore Password at the Command Line
11.2.2.7
Exporting a Keystore at the Command Line
11.2.2.8
Importing a Keystore at the Command Line
11.3
Certificate Management with the Keystore Service
11.3.1
About the Certificate Life-cycle
11.3.2
Common Certificate Operations
11.3.2.1
Generating a Keypair with Fusion Middleware Control
11.3.2.2
Generating a Keypair at the Command Line
11.3.2.3
Generating CSR for a Certificate with Fusion Middleware Control
11.3.2.4
Generating CSR for a Keypair at the Command Line
11.3.2.5
Importing a Certificate or Trusted Certificate with Fusion Middleware Control
11.3.2.6
Importing a Certificate at the Command Line
11.3.2.7
Exporting a Certificate or Trusted Certificate with Fusion Middleware Control
11.3.2.8
Exporting a Certificate or Trusted Certificate at the Command Line
11.3.2.9
Deleting a Certificate with Fusion Middleware Control
11.3.2.10
Deleting a Certificate at the Command Line
11.3.2.11
Changing Certificate Password with Fusion Middleware Control
11.3.2.12
Changing Certificate Password at the Command Line
11.4
About Keystore Service Commands
11.5
Getting Help for Keystore Service Commands
11.6
Keystore Service Command Reference
11.6.1
changeKeyPassword
11.6.2
changeKeyStorePassword
11.6.3
createKeyStore
11.6.4
deleteKeyStore
11.6.5
deleteKeyStoreEntry
11.6.6
exportKeyStore
11.6.7
exportKeyStoreCertificate
11.6.8
exportKeyStoreCertificateRequest
11.6.9
generateKeyPair
11.6.10
generateSecretKey
11.6.11
getKeyStoreCertificates
11.6.12
getKeyStoreSecretKeyProperties
11.6.13
importKeyStore
11.6.14
importKeyStoreCertificate
11.6.15
listExpiringCertificates
11.6.16
listKeyStoreAliases
11.6.17
listKeyStores
12
Introduction to Oracle Fusion Middleware Audit Service
12.1
Benefits and Features of the Oracle Fusion Middleware Audit Framework
12.1.1
Objectives of Auditing
12.1.2
Today's Audit Challenges
12.1.3
Oracle Fusion Middleware Audit Framework in 11g
12.2
Overview of Audit Features
12.3
Oracle Fusion Middleware Audit Framework Concepts
12.3.1
The Audit Architecture
12.3.1.1
The Audit Service Model
12.3.1.2
Audit APIs
12.3.1.3
Run-time Support and Audit Event Flow
12.3.2
Key Technical Concepts
12.3.3
The Audit Metadata Store
12.3.4
Audit Data Storage
12.3.5
Analytics
12.3.6
Understanding the Audit Lifecycle
12.4
The Audit Metadata Model
12.4.1
Naming Conventions for Audit Artifacts
12.4.2
Attribute Groups
12.4.2.1
Audit Attribute Data Types
12.4.2.2
Common Attribute Groups
12.4.2.3
Generic Attribute Groups
12.4.2.4
Custom Attribute Groups
12.4.3
Event Categories and Events
12.4.3.1
System Categories and Events
12.4.3.2
Component/Application Categories
12.5
About Audit Definition Files
12.5.1
The component_events.xml File
12.5.2
Translation Files
12.5.3
Understand Mapping and Versioning Rules
12.5.3.1
Version Numbers
12.5.3.2
Custom Attribute to Database Column Mappings
13
Configuring and Managing Auditing
13.1
Audit Administration Tasks
13.2
Managing the Audit Data Store
13.2.1
Create the Audit Schema using RCU
13.2.2
Set Up Audit Data Sources
13.2.2.1
Multiple Data Sources
13.2.3
Configure a Database Audit Data Store for Java Components
13.2.3.1
View Audit Data Store Configuration
13.2.3.2
Configure the Audit Data Store and Bus-Stop Storage
13.2.3.3
Deconfigure the Audit Data Store
13.2.4
Configure a Database Audit Data Store for System Components
13.2.4.1
Deconfigure the Audit Data Store
13.2.5
Tuning the Bus-stop Files
13.2.6
Configuring the Stand-alone Audit Loader
13.2.6.1
Configuring the Environment
13.2.6.2
Running the Stand-Alone Audit Loader
13.3
Managing Audit Policies
13.3.1
Manage Audit Policies for Java Components with Fusion Middleware Control
13.3.2
Manage Audit Policies for System Components with Fusion Middleware Control
13.3.3
Manage Audit Policies with WLST
13.3.3.1
View Audit Policies with WLST
13.3.3.2
Update Audit Policies with WLST
13.3.3.3
Example 1: Configuring an Audit Policy for Users with WLST
13.3.3.4
Example 2: Configuring an Audit Policy for Events with WLST
13.3.3.5
Custom Configuration is Retained when the Audit Level Changes
13.3.4
Manage Audit Policies Manually
13.3.4.1
Location of Configuration Files for Java Components
13.3.4.2
Audit Service Configuration Properties in jps-config.xml for Java Components
13.3.4.3
Switching from Database to File for Java Components
13.3.4.4
Manually Configuring Audit for System Components
13.4
Audit Timestamps
13.5
Audit Logs and Bus-stop Files
13.5.1
Location of Audit Logs
13.5.2
Audit Timestamps in Bus-stop Files
13.6
Advanced Management of Database Store
13.6.1
Schema Overview
13.6.2
Base and Component Table Attributes
13.6.3
Indexing Scheme
13.6.4
Backup and Recovery
13.6.5
Importing and Exporting Data
13.6.6
Partitioning
13.6.6.1
Partition Tables
13.6.6.2
Backup and Recovery of Partitioned Tables
13.6.6.3
Import and Export
13.6.6.4
Data Purge
13.6.6.5
Tiered Archival
14
Using Audit Analysis and Reporting
14.1
Setting up Oracle Business Intelligence Publisher for Audit Reports
14.1.1
About Oracle Business Intelligence Publisher
14.1.2
Install Oracle Business Intelligence Publisher
14.1.3
Set Up Oracle Reports in Oracle Business Intelligence Publisher
14.1.4
Set Up Audit Report Templates
14.1.5
Set Up Audit Report Filters
14.1.6
Configure Scheduler in Oracle Business Intelligence Publisher
14.2
Organization of Audit Reports
14.3
View Audit Reports
14.4
Example of Oracle Business Intelligence Publisher Reports
14.5
Audit Report Details
14.5.1
List of Audit Reports in Oracle Business Intelligence Publisher
14.5.2
Attributes of Audit Reports in Oracle Business Intelligence Publisher
14.6
Customizing Audit Reports
14.6.1
Using Advanced Filters on Pre-built Reports
14.6.2
Creating Custom Reports
Part IV Developing with Oracle Platform Security Services APIs
15
Integrating Application Security with OPSS
15.1
Introduction
15.2
Security Integration Use Cases
15.2.1
Authentication
15.2.1.1
Java EE Application Requiring Authenticated Users
15.2.1.2
Java EE Application Requiring Programmatic Authentication
15.2.1.3
Java SE Application Requiring Authentication
15.2.2
Identities
15.2.2.1
Application Running in Two Environments
15.2.2.2
Application Accessing User Profiles in Multiple Stores
15.2.3
Authorization
15.2.3.1
Java EE Application Accessible by Specific Roles
15.2.3.2
ADF Application Requiring Fine-Grained Authorization
15.2.3.3
Web Application Securing Web Services
15.2.3.4
Java EE Application Requiring Codebase Permissions
15.2.3.5
Non-ADF Application Requiring Fine-Grained Authorization
15.2.4
Credentials
15.2.4.1
Application Requiring Credentials to Access System
15.2.5
Audit
15.2.5.1
Auditing Security-Related Activity
15.2.5.2
Auditing Business-Related Activity
15.2.6
Identity Propagation
15.2.6.1
Propagating the Executing User Identity
15.2.6.2
Propagating a User Identity
15.2.6.3
Propagating Identities Across Domains
15.2.6.4
Propagating Identities over HTTP
15.2.7
Administration and Management
15.2.7.1
Application Requiring a Central Store
15.2.7.2
Application Requiring Custom Management Tool
15.2.7.3
Application Running in a Multiple Server Environment
15.2.8
Integration
15.2.8.1
Application Running in Multiple Domains
15.3
The OPSS Trust Service
15.3.1
Updating with the Script updateTrustServiceConfig
15.4
Propagating Identities over the HTTP Protocol
15.5
Propagating Identities with the OPSS Trust Service
15.5.1
Across Multiple WebLogic Domains
15.5.1.1
Token Generation on the Client-Side Domain
15.5.1.2
Server Side or Token Validation Domain
15.5.2
Across Containers in a Single WebLogic Domain
15.5.3
Embedded Trust Service Provider Properties
15.6
A Custom Graphical User Interface
15.6.1
Imports Assumed
15.6.2
Code Sample 1
15.6.3
Code Sample 2
15.6.4
Code Sample 3
15.6.5
Code Sample 4
15.6.6
Code Sample 5
15.6.7
Code Sample 6
15.7
Appendix - Security Life Cycle of an ADF Application
15.7.1
Development Phase
15.7.2
Deployment Phase
15.7.3
Management Phase
15.7.4
Summary of Tasks per Participant per Phase
15.8
Appendix - Code and Configuration Examples
15.8.1
Code Examples
15.8.2
Configuration Examples
15.8.3
Full Code Example of a Java EE Application with Integrated Security
15.9
Appendix - Propagating Identities with JKS-Based Key Stores
15.9.1
Single Domain Scenario
15.9.1.1
Client Application Code Sample
15.9.1.2
Keystore Service Configuration
15.9.1.3
CSF Configuration
15.9.1.4
Grant Configuration
15.9.1.5
Servlet Code
15.9.1.6
web.xml Configuration
15.9.1.7
WebLogic Asserter and Trust Service Configuration
15.9.1.8
WebSphere Trust Asserter Interceptor Configuration
15.9.2
Multiple Domain Scenario
15.9.3
Domains Using Both Protocols
15.9.3.1
Single Domain Scenario
15.9.3.2
Multiple Domain Scenario
16
The OPSS Policy Model
16.1
The Security Policy Model
16.2
Authorization Overview
16.2.1
Introduction to Authorization
16.2.2
The Java EE Authorization Model
16.2.2.1
Declarative Authorization
16.2.2.2
Programmatic Authorization
16.2.2.3
Java EE Code Example
16.2.3
The JAAS Authorization Model
16.3
The JAAS/OPSS Authorization Model
16.3.1
The Resource Catalog
16.3.2
Managing Policies
16.3.3
Checking Policies
16.3.3.1
Using the Method checkPermission
16.3.3.2
Using the Methods doAs and doAsPrivileged
16.3.3.3
Using the Method checkBulkAuthorization
16.3.3.4
Using the Method getGrantedResources
16.3.4
The Class ResourcePermission
17
Developing with the Authorization Service
17.1
Configuring Policy and Credential Stores in Java SE Applications
17.1.1
Configuring File-Based Policy and Credential Stores
17.1.2
Configuring LDAP-Based Policy and Credential Stores
17.1.3
Configuring DB-Based OPSS Security Stores
17.2
Unsupported Methods for File-Based Policy Stores
18
Developing with the Credential Store Framework
18.1
About the Credential Store Framework API
18.2
Overview of Application Development with CSF
18.3
Setting the Java Security Policy Permissions
18.3.1
Guidelines for Granting Permissions
18.3.2
Permissions Grant Example 1
18.3.3
Permissions Grant Example 2
18.4
Guidelines for the Map Name
18.5
Configuring the Credential Store
18.6
Using the CSF API
18.6.1
Using the CSF API in Java SE Applications
18.6.2
Using the CSF API in Java EE Applications
18.7
Examples
18.7.1
Common Code for CSF Operations
18.7.2
Example 1: Java SE Application with Wallet Store
18.7.3
Example 2: Java EE Application with Wallet Store
18.7.4
Example 3: Java EE Application with OID LDAP Store
18.7.5
Example 4: Java EE Application with Oracle DB Store
18.8
Best Practices
19
Developing with the User and Role API
19.1
Introduction to the User and Role API Framework
19.1.1
User and Role API and the Oracle WebLogic Server Authenticators
19.2
Summary of Roles and Classes
19.3
Working with Service Providers
19.3.1
Understanding Service Providers
19.3.2
Setting Up the Environment
19.3.2.1
Jar Configuration
19.3.2.2
User Classes in jps-config.xml (Oracle Virtual Directory only)
19.3.2.3
Read Privileges for Provider User (Oracle Internet Directory Only)
19.3.3
Selecting the Provider
19.3.4
Creating the Provider Instance
19.3.5
Properties for Provider Configuration
19.3.5.1
Start-time and Run-time Configuration
19.3.5.2
ECID Propagation
19.3.5.3
When to Pass Configuration Values
19.3.6
Configuring the Provider when Creating a Factory Instance
19.3.6.1
Oracle Internet Directory Provider
19.3.6.2
Using Existing Logger Objects
19.3.6.3
Supplying Constant Values
19.3.6.4
Configuring Connection Parameters
19.3.6.5
Configuring a Custom Connection Pool Class
19.3.7
Configuring the Provider when Creating a Store Instance
19.3.8
Runtime Configuration
19.3.9
Programming Considerations
19.3.9.1
Provider Portability Considerations
19.3.9.2
Considerations when Using IdentityStore Objects
19.3.10
Provider Life cycle
19.4
Searching the Repository
19.4.1
Searching for a Specific Identity
19.4.2
Searching for Multiple Identities
19.4.3
Specifying Search Parameters
19.4.4
Using Search Filters
19.4.4.1
Operators in Search Filters
19.4.4.2
Handling Special Characters when Using Search Filters
19.4.4.3
Search Filter for Logged-In User
19.4.4.4
Examples of Using Search Filters
19.4.5
Searching by GUID
19.5
User Authentication
19.6
Creating and Modifying Entries in the Identity Store
19.6.1
Handling Special Characters when Creating Identities
19.6.2
Creating an Identity
19.6.3
Modifying an Identity
19.6.4
Deleting an Identity
19.7
Examples of User and Role API Usage
19.7.1
Example 1: Searching for Users
19.7.2
Example 2: User Management in an Oracle Internet Directory Store
19.7.3
Example 3: User Management in a Microsoft Active Directory Store
19.8
SSL Configuration for LDAP-based User and Role API Providers
19.8.1
Out-of-the-box Support for SSL
19.8.1.1
System Properties
19.8.1.2
SSL configuration
19.8.2
Customizing SSL Support for the User and Role API
19.8.2.1
SSL configuration
19.9
The User and Role API Reference
19.10
Developing Custom User and Role Providers
19.10.1
SPI Overview
19.10.2
Types of User and Role Providers
19.10.3
Developing a Read-Only Provider
19.10.3.1
SPI Classes Requiring Extension
19.10.3.2
oracle.security.idm.spi.AbstractIdentityStoreFactory
19.10.3.3
oracle.security.idm.spi.AbstractIdentityStore
19.10.3.4
oracle.security.idm.spi.AbstractRoleManager
19.10.3.5
oracle.security.idm.spi.AbstractUserManager
19.10.3.6
oracle.security.idm.spi.AbstractRoleProfile
19.10.3.7
oracle.security.idm.spi.AbstractUserProfile
19.10.3.8
oracle.security.idm.spi.AbstractSimpleSearchFilter
19.10.3.9
oracle.security.idm.spi.AbstractComplexSearchFilter
19.10.3.10
oracle.security.idm.spi.AbstractSearchResponse
19.10.4
Developing a Full-Featured Provider
19.10.5
Development Guidelines
19.10.6
Testing and Verification
19.10.7
Example: Implementing an Identity Provider
19.10.7.1
About the Sample Provider
19.10.7.2
Overview of Implementation
19.10.7.3
Configure jps-config.xml to use the Sample Identity Provider
19.10.7.4
Configure Oracle WebLogic Server
The User and Role SPI Reference
oracle.security.idm.spi.AbstractUserProfile
oracle.security.idm.spi.AbstractUserManager
oracle.security.idm.spi.AbstractUser
oracle.security.idm.spi.AbstractSubjectParser
oracle.security.idm.spi.AbstractStoreConfiguration
oracle.security.idm.spi.AbstractSimpleSearchFilter
oracle.security.idm.spi.AbstractSearchResponse
oracle.security.idm.spi.AbstractRoleProfile
oracle.security.idm.spi.AbstractRoleManager
oracle.security.idm.spi.AbstractRole
oracle.security.idm.spi.AbstractIdentityStoreFactory
oracle.security.idm.spi.AbstractIdentityStore
oracle.security.idm.spi.AbstractComplexSearchFilter
20
Developing with the Identity Directory API
20.1
About the Identity Directory API
20.1.1
Feature Overview
20.2
Summary of Classes
20.3
Identity Directory Configuration
20.4
Working with the Identity Directory API
20.4.1
Getting an Identity Directory API Instance
20.4.2
Performing CRUD Operations on Users and Groups
20.4.2.1
User Operations
20.4.2.2
Group Operations
20.5
Examples of Identity Directory API
20.5.1
Initialize and Obtain Identity Directory Handle
20.5.2
Create a User
20.5.3
Get a User
20.5.4
Modify a User
20.5.5
Simple Search for a User
20.5.6
Complex Search for Users
20.5.7
Create a Group
20.5.8
Get a Group
20.5.9
Get Group Using a Search Filter
20.5.10
Delete a Group
20.5.11
Add a Member to a Group
20.5.12
Delete a Member from a Group
20.6
SSL Configuration
20.7
Configuring Filtering for Users and Groups
20.7.1
Defining Filter Properties
20.7.2
Using the Filter Properties
21
Developing with the Keystore Service
21.1
About the Keystore Service API
21.2
Overview of Application Development with the Keystore Service
21.3
Setting the Java Security Policy Permission
21.3.1
Guidelines for Granting Permissions
21.3.2
Permissions Grant Example 1
21.3.3
Permissions Grant Example 2
21.3.4
Permissions Grant Example 3
21.4
Configuring the Keystore Service
21.5
Using the Keystore Service API
21.5.1
Using the Keystore Service API in Java SE Applications
21.5.2
Using the Keystore Service API in Java EE Applications
21.6
Example of Keystore Service API Usage
21.6.1
Java Program for Keystore Service Management Operations
21.6.2
Reading Keys at Runtime
21.6.2.1
Getting the Keystore Handle
21.6.2.2
Accessing Keystore Artifacts - Method 1
21.6.2.3
Accessing Keystore Artifacts - Method 2
21.6.3
Policy Store Setup
21.6.4
Configuration File
21.6.5
About Using the Keystore Service in the Java SE Environment
21.7
Best Practices
22
Developing with the Audit Service
22.1
Application Integration with Audit Flow
22.2
Integrating the Application with the Audit Framework
22.3
Create Audit Definition Files
22.4
Register Application with the Registration Service
22.4.1
Default Application Audit Registration
22.4.2
Custom Application Audit Registration
22.4.3
Programmatic Registration
22.5
Use the Administration Service APIs
22.5.1
Query Audit Metadata
22.5.2
View and Set Audit Run-time Policy
22.6
Add Application Code to Log Audit Events
22.6.1
Audit Client API
22.6.2
Set System Grants
22.6.3
Obtain Auditor Instance
22.7
Generate Reports of Audit Data
22.8
Update and Maintain Audit Definitions
23
Configuring Java EE Applications to Use OPSS
23.1
Links to Authentication Topics for Java EE Applications
23.2
Configuring the Servlet Filter and the EJB Interceptor
23.2.1
Interceptor Configuration Syntax
23.2.2
Summary of Filter and Interceptor Parameters
23.2.3
Configuring the Application Stripe for Application MBeans
23.3
Choosing the Appropriate Class for Enterprise Groups and Users
23.4
Packaging a Java EE Application Manually
23.4.1
Packaging Policies with Application
23.4.2
Packaging Credentials with Application
23.5
Configuring Applications to Use OPSS
23.5.1
Parameters Controlling Policy Migration
23.5.2
Policy Parameter Configuration According to Behavior
23.5.2.1
To Skip Migrating Policies
23.5.2.2
To Migrate Merging Policies
23.5.2.3
To Migrate Overwriting Policies
23.5.2.4
To Remove (or to Prevent Removing) Policies
23.5.2.5
To Migrate Policies in a Static Deployment
23.5.2.6
Recommendations
23.5.3
Using a Wallet-Based Credential Store
23.5.4
Parameters Controlling Credential Migration
23.5.5
Credential Parameter Configuration According to Behavior
23.5.5.1
To Skip Migrating Credentials
23.5.5.2
To Migrate Merging Credentials
23.5.5.3
To Migrate Overwriting Credentials
23.5.6
Supported Permission Classes
23.5.6.1
Policy Store Permission
23.5.6.2
Credential Store Permission
23.5.6.3
Generic Permission
23.5.7
Specifying Bootstrap Credentials Manually
23.5.8
Migrating Identities with migrateSecurityStore
23.5.9
Example of Configuration File jps-config.xml
23.6
Executing As an Asserted User
23.6.1
Use Cases
23.6.2
Programming Guidelines and Recommendations
23.6.3
A Code Example
24
Configuring Java SE Applications to Use OPSS
24.1
Using OPSS in Java SE Applications
24.1.1
The Class JpsStartup
24.1.1.1
JpsStartup.start States
24.1.1.2
Run-Time Options to JpsStartup
24.1.1.3
A New Class Constructor
24.1.1.4
The Method JpsStartup.getState
24.1.1.5
OPSS Starting Examples
24.2
Security Services in Java SE Applications
24.3
Authentication for Java SE Applications
24.3.1
The Identity Store
24.3.2
Configuring an LDAP Identity Store in Java SE Applications
24.3.3
Supported Login Modules for Java SE Applications
24.3.3.1
The Identity Store Login Module
24.3.3.2
Using the Identity Store Login Module for Authentication
24.3.3.3
Using the Identity Store Login Module for Assertion
24.3.4
Using the OPSS API LoginService in Java SE Applications
24.4
Auditing in Java SE Applications
24.4.1
About Auditing in the Java SE Environment
24.4.2
Configuring the Audit Bus-stop Directory
24.4.3
Configuring Audit Loaders
24.4.4
Implementing Common Audit Scenarios in JavaSE
24.4.4.1
Auditing by JavaSE Clients, with co-located WebLogic Server
24.4.4.2
Auditing by JavaSE Clients, without co-located WebLogic Server
24.5
Configuration Examples
Part V Appendices
A
OPSS Configuration File Reference
A.1
Top- and Second-Level Element Hierarchy
A.2
Lower-Level Elements
<description>
<extendedProperty>
<extendedPropertySet>
<extendedPropertySetRef>
<extendedPropertySets>
<jpsConfig>
<jpsContext>
<jpsContexts>
<name>
<property>
<propertySet>
<propertySetRef>
<propertySets>
<serviceInstance>
<serviceInstanceRef>
<serviceInstances>
<serviceProvider>
<serviceProviders>
<value>
<values>
B
File-Based Identity and Policy Store Reference
B.1
Hierarchy of Elements in system-jazn-data.xml
B.2
Elements and Attributes of system-jazn-data.xml
<actions>
<actions-delimiter>
<app-role>
<app-roles>
<application>
<applications>
<attribute>
<class>
<codesource>
<credentials>
<description>
<display-name>
<extended-attributes>
<grant>
<grantee>
<guid>
<jazn-data>
<jazn-policy>
<jazn-realm>
<matcher-class>
<member>
<member-resource>
<member-resources>
<members>
<name>
<owner>
<owners>
<permission>
<permissions>
<permission-set>
<permission-sets>
<policy-store>
<principal>
<principals>
<provider-name>
<realm>
<resource>
<resources>
<resource-name>
<resource-type>
<resource-types>
<role>
<role-categories>
<role-category>
<role-name-ref>
<roles>
<type>
<type-name-ref>
<uniquename>
<url>
<user>
<users>
<value>
<values>
C
Oracle Fusion Middleware Audit Framework Reference
C.1
Audit Events
C.1.1
What Components Can be Audited?
C.1.2
What Events can be Audited?
C.1.2.1
Oracle Directory Integration Platform Events and their Attributes
C.1.2.2
Oracle Platform Security Services Events and their Attributes
C.1.2.3
Oracle HTTP Server Events and their Attributes
C.1.2.4
Oracle Internet Directory Events and their Attributes
C.1.2.5
Oracle Identity Federation Events and their Attributes
C.1.2.6
Oracle Virtual Directory Events and their Attributes
C.1.2.7
OWSM-Agent Events and their Attributes
C.1.2.8
OWSM-PM-EJB Events and their Attributes
C.1.2.9
OWSM-JKSMBEAN Events and their Attributes
C.1.2.10
Reports Server Events and their Attributes
C.1.2.11
WS-Policy Attachment Events and their Attributes
C.1.2.12
Oracle Web Cache Events and their Attributes
C.1.2.13
Oracle Web Services Events and their Attributes
C.1.3
Event Attribute Descriptions
C.2
Pre-built Audit Reports
C.2.1
Common Audit Reports
C.2.2
Component-Specific Audit Reports
C.3
The Audit Schema
C.4
OPSS Scripts for Auditing
C.4.1
getNonJavaEEAuditMBeanName
C.4.1.1
Description
C.4.1.2
Syntax
C.4.1.3 Example
C.4.2 getAuditPolicy
C.4.2.1 Description
C.4.2.2 Syntax
C.4.2.3 Example
C.4.3 setAuditPolicy
C.4.3.1 Description
C.4.3.2 Syntax
C.4.3.3 Example
C.4.4 getAuditRepository
C.4.4.1 Description
C.4.4.2 Syntax
C.4.4.3 Example
C.4.5 setAuditRepository
C.4.5.1 Description
C.4.5.2 Syntax
C.4.5.3 Example
C.4.6 listAuditEvents
C.4.6.1 Description
C.4.6.2 Syntax
C.4.6.3 Example
C.4.7 exportAuditConfig
C.4.7.1 Description
C.4.7.2 Syntax
C.4.7.3 Example
C.4.8 importAuditConfig
C.4.8.1 Description
C.4.8.2 Syntax
C.4.8.3 Example
C.4.9 createAuditDBView
C.4.9.1 Description
C.4.9.2 Syntax
C.4.9.3 Example
C.4.10 listAuditComponents
C.4.10.1 Description
C.4.10.2 Syntax
C.4.10.3 Example
C.4.11 registerAudit
C.4.11.1 Description
C.4.11.2 Syntax
C.4.11.3 Example
C.4.12 deregisterAudit
C.4.12.1 Description
C.4.12.2 Syntax
C.4.12.3 Example
C.5 Audit Filter Expression Syntax
C.6 Naming and Logging Format of Audit Files
D User and Role API Reference
D.1 Mapping User Attributes to LDAP Directories
D.2 Mapping Role Attributes to LDAP Directories
D.3 Default Configuration Parameters
D.4 Secure Connections for Microsoft Active Directory
E Administration with Scripting and MBean Programming
E.1 Configuring OPSS Service Provider Instances with a Script
E.2 Configuring OPSS Services with MBeans
E.2.1 List of Supported OPSS MBeans
E.2.2 Invoking an OPSS MBean
E.2.3 Programming with OPSS MBeans
E.3 Access Restrictions
E.3.1 Annotation Examples
E.3.2 Mapping of Logical Roles to WebLogic Roles
E.3.3 Particular Access Restrictions
F OPSS System and Configuration Properties
F.1 OPSS System Properties
F.2 OPSS Configuration Properties
F.2.1 Common Properties
F.2.2 Policy Store Properties
F.2.2.1 Policy Store Configuration
F.2.2.2 Runtime Policy Store Configuration
F.2.3 Credential Store Properties
F.2.4 LDAP Identity Store Properties
F.2.5 Properties Common to All OID-Based Instances
F.2.6 Anonymous and Authenticated Roles Properties
F.2.7 Trust Service Properties
F.2.8 Audit Service Properties
F.2.9 Keystore Service Properties
G Upgrading Security Data
G.1 Upgrading with upgradeSecurityStore
G.1.1 Examples of Use
G.1.1.1 Example 1 - Upgrading Identities
G.1.1.2 Example 2 - Upgrading to File-Based Policies
G.1.1.3 Example 3 - Upgrading to Oracle Internet Directory LDAP-Based Policies
G.1.1.4 Example 4 - Upgrading File-Based Policies to Use the Resource Catalog
G.2 Upgrading the OPSS Security Store with upgradeOpss
G.2.1 What Gets Upgraded
G.2.2 Important Points
G.2.3 Upgrading Procedure
G.2.4 Script Syntax
G.3 Backing Up and Recovering the OPSS Security Store
G.3.1 Backing Up and Recovering a DB-Based Security Store
G.3.2 Backing Up and Recovering an OID-Based Security Store
G.3.3 Recommendations
H References
H.1 OPSS API References
I Using an OpenLDAP Identity Store
I.1 Using an OpenLDAP Identity Store
J Adapter Configuration for Identity Virtualization
J.1 About Split Profiles
J.2 Configuring a Split Profile
J.3 Deleting a Join Rule
J.4 Deleting a Join Adapter
J.5 Changing Adapter Visibility
J.6 Enabling Access Logging for Identity Virtualization Library
K Troubleshooting OPSS
K.1 Diagnosing Security Errors
K.1.1 Log Files and OPSS Loggers
K.1.1.1 Diagnostic Log Files
K.1.1.2 Generic Log Files
K.1.1.3 Authorization Loggers
K.1.1.4 Offline WLST Commands Loggers
K.1.1.5 Other OPSS Loggers
K.1.1.6 User and Role API Logger
K.1.1.7 Audit Loggers
K.1.1.8 Attribute Service Logger
K.1.1.9 Managing Loggers with Fusion Middleware Control
K.1.1.10 Managing Loggers with a Script
K.1.2 System Properties
K.1.2.1 jps.auth.debug
K.1.2.2 jps.auth.debug.verbose
K.1.2.3 Debugging the Authorization Process
K.1.3 Solving Security Errors
K.1.3.1 Understanding Sample Log Entries
K.1.3.2 Searching Logs with Fusion Middleware Control
K.1.3.3 Identifying a Message Context with Fusion Middleware Control
K.1.3.4 Generating Error Listing Files with Fusion Middleware Control
K.2 The OPSS Diagnostic Framework
K.3 Troubleshooting Reassociation and Migration
K.3.1 Reassociation Failure
K.3.2 Unsupported Schema
K.3.3 Missing Policies in Reassociated Policy Store
K.3.4 Migration Failure
K.4 Troubleshooting Server Starting
K.4.1 Missing Required LDAP Authenticator
K.4.2 Missing Administrator Account
K.4.3 Missing Permission
K.4.4 Server Fails to Start
K.4.5 Other Server Start Issues
K.4.6 Permission Failure Before Server Starts
K.5 Troubleshooting Permissions
K.5.1 Troubleshooting System Policy Failures
K.5.2 Failure to Grant or Revoke Permissions - Case Mismatch
K.5.3 Authorization Check Failure
K.5.4 User Gets Unexpected Permissions
K.5.5 Granting Permissions in Java SE Applications
K.5.6 Application Policies Not Seen in 12c HA Environment
K.6 Troubleshooting Connections and Access
K.6.1 Failure to Connect to the Embedded LDAP Authenticator
K.6.2 Failure to Connect to an OID Server
K.6.3 Failure to Access Data in the Credential Store
K.6.4 Security Access Control Exception
K.6.5 Failure to Establish an Anonymous SSL Connection
K.7 Troubleshooting Oracle Business Intelligence Reporting
K.7.1 Audit Templates for Oracle Business Intelligence Publisher
K.7.2 Oracle Business Intelligence Publisher Time Zone
K.8 Troubleshooting Searching
K.8.1 Search Failure when Matching Attribute in Policy Store
K.8.2 Search Failure with an Unknown Host Exception
K.9 Troubleshooting Versioning
K.9.1 Incompatible Versions of Binaries and Policy Store
K.9.2 Incompatible Versions of Policy Stores
K.10 Troubleshooting Other Errors
K.10.1 Runtime Permission Check Failure
K.10.2 Tablespace Needs Resizing
K.10.3 Oracle Internet Directory Exception
K.10.4 User and Role API Failure
K.10.5 Characters in Policies
K.10.5.1 Use of Special Characters in Oracle Internet Directory 10.1.4.3
K.10.5.2 XML Policy Store that Contains Certain Characters
K.10.5.3 Characters in Application Role Names
K.10.5.4 Missing Newline Characters in XML Policy Store
K.10.6 Invalid Key Size
K.11 Need Further Help?