Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

What's New in This Guide

• New Features in Release 11.1.1.9.0
• New Features in Release 11.1.1.7.0
• New Features in Release 11.1.1.6.0
• New Features in Release 11.1.1.4.0
• New Features in Release 11.1.1.3.0
• New Features in Release 11.1.1.2.0
• New Features in Release 11gR1
• Desupported Features from 10.1.3.x

Part I Understanding Security Concepts

1 Introduction to Oracle Platform Security Services

• 1.1 What is Oracle Platform Security Services?
  • 1.1.1 OPSS Main Features
  • 1.1.2 Supported Server Platforms
• 1.2 OPSS Architecture Overview
  • 1.2.1 Benefits of Using OPSS
• 1.3 Oracle ADF Security Overview
• 1.4 OPSS for Administrators
• 1.5 OPSS for Developers
  • 1.5.1 Scenario 1: Enhancing Security in a Java EE Application
  • 1.5.2 Scenario 2: Securing an Oracle ADF Application
  • 1.5.3 Scenario 3: Securing a Java SE Application

2 Understanding Users and Roles

• 2.1 Terminology
• 2.2 Role Mapping
  • 2.2.1 Permission Inheritance and the Role Hierarchy
• 2.3 The Authenticated Role
• 2.4 The Anonymous User and Role
  • 2.4.1 Anonymous Support and Subject
• 2.5 Administrative Users and Roles
• 2.6 Managing User Accounts
• 2.7 Principal Name Comparison Logic
  • 2.7.1 How Does Principal Comparison Affect Authorization?
  • 2.7.2 System Parameters Controlling Principal Name Comparison
• 2.8 The Role Category

3 Understanding Identities, Policies, Credentials, Keys, Certificates, and Auditing

• 3.1 Compatibility Matrix for 11g Versions
• 3.2 Authentication Basics
  • 3.2.1 Identity Store Types and WebLogic Authenticators
  • 3.2.2 WebLogic Authenticators
    • 3.2.2.1 Multiple Authenticators
    • 3.2.2.2 Additional Authentication Methods
  • 3.2.3 WebSphere Identity Stores
• 3.3 Policy Store Basics
• 3.4 Credential Store Basics
• 3.5 Keystore Service Basics
  • 3.5.1 Keystore Repository Types
  • 3.5.2 Keystore Repository Scope and Reassociation
• 3.6 Audit Service Basics

4 About Oracle Platform Security Services Scenarios

• 4.1 Supported File-, LDAP-, and DB-Based Services
• 4.2 Management Tools
• 4.3 Packaging Requirements
• 4.4 Example Scenarios
• 4.5 Other Scenarios
• 4.6 FIPS 140 Support in Oracle Platform Security Services

Part II Basic OPSS Administration

5 Security Administration

• 5.1 Choosing the Administration Tool According to Technology
• 5.2 Basic Security Administration Tasks
  • 5.2.1 Setting Up a Brand New Production Environment
• 5.3 Typical Security Practices with Fusion Middleware Control
• 5.4 Typical Security Practices with the Administration Console
• 5.5 Typical Security Practices with Oracle Entitlements Server
• 5.6 Typical Security Practices with WLST Commands

6 Deploying Secure Applications

• 6.1 Overview
• 6.2 Selecting the Tool for Deployment
  • 6.2.1 Deploying Java EE and Oracle ADF Applications with Fusion Middleware Control
• 6.3 Deploying Oracle ADF Applications to a Test Environment
  • 6.3.1 Deploying to a Test Environment
    • 6.3.1.1 Typical Administrative Tasks after Deployment in a Test Environment
• 6.4 Deploying Standard Java EE Applications
• 6.5 Deploying Applications with Auditing
  • 6.5.1 Packaging Requirements for Auditing
  • 6.5.2 Registration with the Audit Service
  • 6.5.3 Migrating Audit Data
• 6.6 Migrating from a Test to a Production Environment
  • 6.6.1 Migrating Identities
    • 6.6.1.1 Migrating Identities with migrateSecurityStore
  • 6.6.2 Migrating Policies and Credentials
    • 6.6.2.1 Migrating Policies with migrateSecurityStore
    • 6.6.2.2 Migrating Credentials with migrateSecurityStore
    • 6.6.2.3 Migrating Large Volume Policy and Credential Stores
  • 6.6.3 Migrating Audit Information
  • 6.6.4 Migrating Keystore Service Artifacts
    • 6.6.4.1 Background for Keystore Migration
    • 6.6.4.2 Migrating Keystore Service Artifacts Within a Domain
    • 6.6.4.3 Migrating Keystore Service Artifacts Across Domains

Part III OPSS Services

7 Configuring the Identity Store Service

• 7.1 Introduction to the Identity Store Service
  • 7.1.1 About the Identity Store Service
  • 7.1.2 Service Architecture
  • 7.1.3 Application Server Support
  • 7.1.4 Java SE Support
• 7.2 Configuring the Identity Store Provider
• 7.3 Configuring the Identity Store Service
  • 7.3.1 What is Configured?
    • 7.3.1.1 Configuring Multi-LDAP Lookup
    • 7.3.1.2 Global/Connection Parameters
    • 7.3.1.3 Back-End/Connection Parameters
  • 7.3.2 Configuration in WebLogic Server
    • 7.3.2.1 Configuring the Service for Single LDAP
    • 7.3.2.2 Configuring the Service for Multiple LDAP Without virtualize Property
    • 7.3.2.3 Configuring the Service for Multiple LDAP using Fusion Middleware Control
    • 7.3.2.4 Configuring the Service for Multiple LDAP using WLST
    • 7.3.2.5 Configuring the Timeout Setting Using WLST
    • 7.3.2.6 Configuring Other Parameters
    • 7.3.2.7 Restarting Servers
    • 7.3.2.8 Examples of the Configuration File
  • 7.3.3 Configuring Split Profiles
  • 7.3.4 Configuring Custom Authenticators
  • 7.3.5 Configuration in Other Application Servers
    • 7.3.5.1 Configuring the Service for Single LDAP
    • 7.3.5.2 Configuring the Service for Multiple LDAP
  • 7.3.6 Java SE Environments
• 7.4 Querying the Identity Store Programmatically
• 7.5 SSL for the Identity Store Service
  • 7.5.1 Connections from Oracle WebLogic Server to Identity Store
  • 7.5.2 One-way SSL in a Multi-LDAP Scenario
  • 7.5.3 Two-way SSL in a Multi-LDAP Scenario

8 Configuring the OPSS Security Store

• 8.1 Introduction to the OPSS Security Store
  • 8.1.1 Multi-Server Environments
• 8.2 Recommendations
• 8.3 Using an LDAP-Based OPSS Security Store
  • 8.3.1 Prerequisites to Using an LDAP-Based Security Store
  • 8.3.2 Setting Up a One- Way SSL Connection to the LDAP
• 8.4 Using a DB-Based OPSS Security Store
  • 8.4.1 Prerequisites to Using a DB-Based Security Store
  • 8.4.2 Maintaining a DB-Based Security Store
  • 8.4.3 Setting Up an SSL Connection to the DB
• 8.5 Configuring the OPSS Security Store
• 8.6 Reassociating the OPSS Security Store
  • 8.6.1 Reassociating with Fusion Middleware Control
    • 8.6.1.1 Securing Access to Oracle Internet Directory Nodes
  • 8.6.2 reassociateSecurityStore
• 8.7 Migrating the OPSS Security Store
  • 8.7.1 Migrating with Fusion Middleware Control
  • 8.7.2 Migrating with migrateSecurityStore
    • 8.7.2.1 Migrating Audit Metadata
    • 8.7.2.2 Examples of Use
• 8.8 Configuring Services Providers with Fusion Middleware Control
  • 8.8.1 Configuring the Identity Store Provider
  • 8.8.2 Configuring the Single Sign-On Provider
  • 8.8.3 Configuring the Trust Service Provider
  • 8.8.4 Configuring Properties and Property Sets

9 Managing the Policy Store

• 9.1 Determining the Domain Security Store Characteristics
• 9.2 Managing the Policy Store
• 9.3 Managing Policies with Fusion Middleware Control
  • 9.3.1 Managing Application Policies
  • 9.3.2 Managing Application Roles
  • 9.3.3 Managing System Policies
• 9.4 Managing Application Policies with WLST Commands
• 9.5 Caching and Refreshing the Cache
  • 9.5.1 An Example
• 9.6 Granting Policies to Anonymous and Authenticated Roles with WLST Commands
• 9.7 Application Stripe for Versioned Applications in WLST Commands
• 9.8 Managing Application Policies with Oracle Entitlements Server

10 Managing the Credential Store

• 10.1 Credential Types
• 10.2 Encrypting Credentials
• 10.3 Managing the Credential Store
• 10.4 Managing Credentials with Fusion Middleware Control
• 10.5 Managing Credentials with WLST Commands

11 Managing Keys and Certificates with the Keystore Service

• 11.1 About the Keystore Service
  • 11.1.1 Structure of the Keystore Service
  • 11.1.2 Types of Keystores
  • 11.1.3 Domain Trust Store
  • 11.1.4 Keystores for Domains with Multiple Servers
• 11.2 Keystore Management with the Keystore Service
  • 11.2.1 About the Keystore Life Cycle
  • 11.2.2 Common Keystore Operations
    • 11.2.2.1 Creating a Keystore with Fusion Middleware Control
    • 11.2.2.2 Creating a Keystore at the Command Line
    • 11.2.2.3 Deleting a Keystore with Fusion Middleware Control
    • 11.2.2.4 Deleting a Keystore at the Command Line
    • 11.2.2.5 Changing Keystore Password with Fusion Middleware Control
    • 11.2.2.6 Changing Keystore Password at the Command Line
    • 11.2.2.7 Exporting a Keystore at the Command Line
    • 11.2.2.8 Importing a Keystore at the Command Line
• 11.3 Certificate Management with the Keystore Service
  • 11.3.1 About the Certificate Life-cycle
  • 11.3.2 Common Certificate Operations
    • 11.3.2.1 Generating a Keypair with Fusion Middleware Control
    • 11.3.2.2 Generating a Keypair at the Command Line
    • 11.3.2.3 Generating CSR for a Certificate with Fusion Middleware Control
    • 11.3.2.4 Generating CSR for a Keypair at the Command Line
    • 11.3.2.5 Importing a Certificate or Trusted Certificate with Fusion Middleware Control
    • 11.3.2.6 Importing a Certificate at the Command Line
    • 11.3.2.7 Exporting a Certificate or Trusted Certificate with Fusion Middleware Control
    • 11.3.2.8 Exporting a Certificate or Trusted Certificate at the Command Line
    • 11.3.2.9 Deleting a Certificate with Fusion Middleware Control
    • 11.3.2.10 Deleting a Certificate at the Command Line
    • 11.3.2.11 Changing Certificate Password with Fusion Middleware Control
    • 11.3.2.12 Changing Certificate Password at the Command Line
• 11.4 About Keystore Service Commands
• 11.5 Getting Help for Keystore Service Commands
• 11.6 Keystore Service Command Reference
  • 11.6.1 changeKeyPassword
  • 11.6.2 changeKeyStorePassword
  • 11.6.3 createKeyStore
  • 11.6.4 deleteKeyStore
  • 11.6.5 deleteKeyStoreEntry
  • 11.6.6 exportKeyStore
  • 11.6.7 exportKeyStoreCertificate
  • 11.6.8 exportKeyStoreCertificateRequest
  • 11.6.9 generateKeyPair
  • 11.6.10 generateSecretKey
  • 11.6.11 getKeyStoreCertificates
  • 11.6.12 getKeyStoreSecretKeyProperties
  • 11.6.13 importKeyStore
  • 11.6.14 importKeyStoreCertificate
  • 11.6.15 listExpiringCertificates
  • 11.6.16 listKeyStoreAliases
  • 11.6.17 listKeyStores

12 Introduction to Oracle Fusion Middleware Audit Service

• 12.1 Benefits and Features of the Oracle Fusion Middleware Audit Framework
  • 12.1.1 Objectives of Auditing
  • 12.1.2 Today's Audit Challenges
  • 12.1.3 Oracle Fusion Middleware Audit Framework in 11g
• 12.2 Overview of Audit Features
• 12.3 Oracle Fusion Middleware Audit Framework Concepts
  • 12.3.1 The Audit Architecture
    • 12.3.1.1 The Audit Service Model
    • 12.3.1.2 Audit APIs
    • 12.3.1.3 Run-time Support and Audit Event Flow
  • 12.3.2 Key Technical Concepts
  • 12.3.3 The Audit Metadata Store
  • 12.3.4 Audit Data Storage
  • 12.3.5 Analytics
  • 12.3.6 Understanding the Audit Lifecycle
• 12.4 The Audit Metadata Model
  • 12.4.1 Naming Conventions for Audit Artifacts
  • 12.4.2 Attribute Groups
    • 12.4.2.1 Audit Attribute Data Types
    • 12.4.2.2 Common Attribute Groups
    • 12.4.2.3 Generic Attribute Groups
    • 12.4.2.4 Custom Attribute Groups
  • 12.4.3 Event Categories and Events
    • 12.4.3.1 System Categories and Events
    • 12.4.3.2 Component/Application Categories
• 12.5 About Audit Definition Files
  • 12.5.1 The component_events.xml File
  • 12.5.2 Translation Files
  • 12.5.3 Understand Mapping and Versioning Rules
    • 12.5.3.1 Version Numbers
    • 12.5.3.2 Custom Attribute to Database Column Mappings

13 Configuring and Managing Auditing

• 13.1 Audit Administration Tasks
• 13.2 Managing the Audit Data Store
  • 13.2.1 Create the Audit Schema using RCU
  • 13.2.2 Set Up Audit Data Sources
    • 13.2.2.1 Multiple Data Sources
  • 13.2.3 Configure a Database Audit Data Store for Java Components
    • 13.2.3.1 View Audit Data Store Configuration
    • 13.2.3.2 Configure the Audit Data Store and Bus-Stop Storage
    • 13.2.3.3 Deconfigure the Audit Data Store
  • 13.2.4 Configure a Database Audit Data Store for System Components
    • 13.2.4.1 Deconfigure the Audit Data Store
  • 13.2.5 Tuning the Bus-stop Files
  • 13.2.6 Configuring the Stand-alone Audit Loader
    • 13.2.6.1 Configuring the Environment
    • 13.2.6.2 Running the Stand-Alone Audit Loader
• 13.3 Managing Audit Policies
  • 13.3.1 Manage Audit Policies for Java Components with Fusion Middleware Control
  • 13.3.2 Manage Audit Policies for System Components with Fusion Middleware Control
  • 13.3.3 Manage Audit Policies with WLST
    • 13.3.3.1 View Audit Policies with WLST
    • 13.3.3.2 Update Audit Policies with WLST
    • 13.3.3.3 Example 1: Configuring an Audit Policy for Users with WLST
    • 13.3.3.4 Example 2: Configuring an Audit Policy for Events with WLST
    • 13.3.3.5 Custom Configuration is Retained when the Audit Level Changes
  • 13.3.4 Manage Audit Policies Manually
    • 13.3.4.1 Location of Configuration Files for Java Components
    • 13.3.4.2 Audit Service Configuration Properties in jps-config.xml for Java Components
    • 13.3.4.3 Switching from Database to File for Java Components
    • 13.3.4.4 Manually Configuring Audit for System Components
• 13.4 Audit Timestamps
• 13.5 Audit Logs and Bus-stop Files
  • 13.5.1 Location of Audit Logs
  • 13.5.2 Audit Timestamps in Bus-stop Files
• 13.6 Advanced Management of Database Store
  • 13.6.1 Schema Overview
  • 13.6.2 Base and Component Table Attributes
  • 13.6.3 Indexing Scheme
  • 13.6.4 Backup and Recovery
  • 13.6.5 Importing and Exporting Data
  • 13.6.6 Partitioning
    • 13.6.6.1 Partition Tables
    • 13.6.6.2 Backup and Recovery of Partitioned Tables
    • 13.6.6.3 Import and Export
    • 13.6.6.4 Data Purge
    • 13.6.6.5 Tiered Archival

14 Using Audit Analysis and Reporting

• 14.1 Setting up Oracle Business Intelligence Publisher for Audit Reports
  • 14.1.1 About Oracle Business Intelligence Publisher
  • 14.1.2 Install Oracle Business Intelligence Publisher
  • 14.1.3 Set Up Oracle Reports in Oracle Business Intelligence Publisher
  • 14.1.4 Set Up Audit Report Templates
  • 14.1.5 Set Up Audit Report Filters
  • 14.1.6 Configure Scheduler in Oracle Business Intelligence Publisher
• 14.2 Organization of Audit Reports
• 14.3 View Audit Reports
• 14.4 Example of Oracle Business Intelligence Publisher Reports
• 14.5 Audit Report Details
  • 14.5.1 List of Audit Reports in Oracle Business Intelligence Publisher
  • 14.5.2 Attributes of Audit Reports in Oracle Business Intelligence Publisher
• 14.6 Customizing Audit Reports
  • 14.6.1 Using Advanced Filters on Pre-built Reports
  • 14.6.2 Creating Custom Reports

Part IV Developing with Oracle Platform Security Services APIs

15 Integrating Application Security with OPSS

• 15.1 Introduction
• 15.2 Security Integration Use Cases
  • 15.2.1 Authentication
    • 15.2.1.1 Java EE Application Requiring Authenticated Users
    • 15.2.1.2 Java EE Application Requiring Programmatic Authentication
    • 15.2.1.3 Java SE Application Requiring Authentication
  • 15.2.2 Identities
    • 15.2.2.1 Application Running in Two Environments
    • 15.2.2.2 Application Accessing User Profiles in Multiple Stores
  • 15.2.3 Authorization
    • 15.2.3.1 Java EE Application Accessible by Specific Roles
    • 15.2.3.2 ADF Application Requiring Fine-Grained Authorization
    • 15.2.3.3 Web Application Securing Web Services
    • 15.2.3.4 Java EE Application Requiring Codebase Permissions
    • 15.2.3.5 Non-ADF Application Requiring Fine-Grained Authorization
  • 15.2.4 Credentials
    • 15.2.4.1 Application Requiring Credentials to Access System
  • 15.2.5 Audit
    • 15.2.5.1 Auditing Security-Related Activity
    • 15.2.5.2 Auditing Business-Related Activity
  • 15.2.6 Identity Propagation
    • 15.2.6.1 Propagating the Executing User Identity
    • 15.2.6.2 Propagating a User Identity
    • 15.2.6.3 Propagating Identities Across Domains
    • 15.2.6.4 Propagating Identities over HTTP
  • 15.2.7 Administration and Management
    • 15.2.7.1 Application Requiring a Central Store
    • 15.2.7.2 Application Requiring Custom Management Tool
    • 15.2.7.3 Application Running in a Multiple Server Environment
  • 15.2.8 Integration
    • 15.2.8.1 Application Running in Multiple Domains
• 15.3 The OPSS Trust Service
  • 15.3.1 Updating with the Script updateTrustServiceConfig
• 15.4 Propagating Identities over the HTTP Protocol
• 15.5 Propagating Identities with the OPSS Trust Service
  • 15.5.1 Across Multiple WebLogic Domains
    • 15.5.1.1 Token Generation on the Client-Side Domain
    • 15.5.1.2 Server Side or Token Validation Domain
  • 15.5.2 Across Containers in a Single WebLogic Domain
  • 15.5.3 Embedded Trust Service Provider Properties
• 15.6 A Custom Graphical User Interface
  • 15.6.1 Imports Assumed
  • 15.6.2 Code Sample 1
  • 15.6.3 Code Sample 2
  • 15.6.4 Code Sample 3
  • 15.6.5 Code Sample 4
  • 15.6.6 Code Sample 5
  • 15.6.7 Code Sample 6
• 15.7 Appendix - Security Life Cycle of an ADF Application
  • 15.7.1 Development Phase
  • 15.7.2 Deployment Phase
  • 15.7.3 Management Phase
  • 15.7.4 Summary of Tasks per Participant per Phase
• 15.8 Appendix - Code and Configuration Examples
  • 15.8.1 Code Examples
  • 15.8.2 Configuration Examples
  • 15.8.3 Full Code Example of a Java EE Application with Integrated Security
• 15.9 Appendix - Propagating Identities with JKS-Based Key Stores
  • 15.9.1 Single Domain Scenario
    • 15.9.1.1 Client Application Code Sample
    • 15.9.1.2 Keystore Service Configuration
    • 15.9.1.3 CSF Configuration
    • 15.9.1.4 Grant Configuration
    • 15.9.1.5 Servlet Code
    • 15.9.1.6 web.xml Configuration
    • 15.9.1.7 webLogic Asserter and Trust Service Configuration
    • 15.9.1.8 WebShere Trust Asserter Interceptor Configuration
  • 15.9.2 Multiple Domain Scenario
  • 15.9.3 Domains Using Both Protocols
    • 15.9.3.1 Single Domain Scenario
    • 15.9.3.2 Multiple Domain Scenario

16 The OPSS Policy Model

• 16.1 The Security Policy Model
• 16.2 Authorization Overview
  • 16.2.1 Introduction to Authorization
  • 16.2.2 The Java EE Authorization Model
    • 16.2.2.1 Declarative Authorization
    • 16.2.2.2 Programmatic Authorization
    • 16.2.2.3 Java EE Code Example
  • 16.2.3 The JAAS Authorization Model
• 16.3 The JAAS/OPSS Authorization Model
  • 16.3.1 The Resource Catalog
  • 16.3.2 Managing Policies
  • 16.3.3 Checking Policies
    • 16.3.3.1 Using the Method checkPermission
    • 16.3.3.2 Using the Methods doAs and doAsPrivileged
    • 16.3.3.3 Using the Method checkBulkAuthorization
    • 16.3.3.4 Using the Method getGrantedResources
  • 16.3.4 The Class ResourcePermission

17 Developing with the Authorization Service

• 17.1 Configuring Policy and Credential Stores in Java SE Applications
  • 17.1.1 Configuring File-Based Policy and Credential Stores
  • 17.1.2 Configuring LDAP-Based Policy and Credential Stores
  • 17.1.3 Configuring DB-Based OPSS Security Stores
• 17.2 Unsupported Methods for File-Based Policy Stores

18 Developing with the Credential Store Framework

• 18.1 About the Credential Store Framework API
• 18.2 Overview of Application Development with CSF
• 18.3 Setting the Java Security Policy Permissions
  • 18.3.1 Guidelines for Granting Permissions
  • 18.3.2 Permissions Grant Example 1
  • 18.3.3 Permissions Grant Example 2
• 18.4 Guidelines for the Map Name
• 18.5 Configuring the Credential Store
• 18.6 Using the CSF API
  • 18.6.1 Using the CSF API in Java SE Applications
  • 18.6.2 Using the CSF API in Java EE Applications
• 18.7 Examples
  • 18.7.1 Common Code for CSF Operations
  • 18.7.2 Example 1: Java SE Application with Wallet Store
  • 18.7.3 Example 2: Java EE Application with Wallet Store
  • 18.7.4 Example 3: Java EE Application with OID LDAP Store
  • 18.7.5 Example 4: Java EE Application with Oracle DB Store
• 18.8 Best Practices

19 Developing with the User and Role API

• 19.1 Introduction to the User and Role API Framework
  • 19.1.1 User and Role API and the Oracle WebLogic Server Authenticators
• 19.2 Summary of Roles and Classes
• 19.3 Working with Service Providers
  • 19.3.1 Understanding Service Providers
  • 19.3.2 Setting Up the Environment
    • 19.3.2.1 Jar Configuration
    • 19.3.2.2 User Classes in jps-config.xml (Oracle Virtual Directory only)
    • 19.3.2.3 Read Privileges for Provider User (Oracle Internet Directory Only)
  • 19.3.3 Selecting the Provider
  • 19.3.4 Creating the Provider Instance
  • 19.3.5 Properties for Provider Configuration
    • 19.3.5.1 Start-time and Run-time Configuration
    • 19.3.5.2 ECID Propagation
    • 19.3.5.3 When to Pass Configuration Values
  • 19.3.6 Configuring the Provider when Creating a Factory Instance
    • 19.3.6.1 Oracle Internet Directory Provider
    • 19.3.6.2 Using Existing Logger Objects
    • 19.3.6.3 Supplying Constant Values
    • 19.3.6.4 Configuring Connection Parameters
    • 19.3.6.5 Configuring a Custom Connection Pool Class
  • 19.3.7 Configuring the Provider when Creating a Store Instance
  • 19.3.8 Runtime Configuration
  • 19.3.9 Programming Considerations
    • 19.3.9.1 Provider Portability Considerations
    • 19.3.9.2 Considerations when Using IdentityStore Objects
  • 19.3.10 Provider Life cycle
• 19.4 Searching the Repository
  • 19.4.1 Searching for a Specific Identity
  • 19.4.2 Searching for Multiple Identities
  • 19.4.3 Specifying Search Parameters
  • 19.4.4 Using Search Filters
    • 19.4.4.1 Operators in Search Filters
    • 19.4.4.2 Handling Special Characters when Using Search Filters
    • 19.4.4.3 Search Filter for Logged-In User
    • 19.4.4.4 Examples of Using Search Filters
  • 19.4.5 Searching by GUID
• 19.5 User Authentication
• 19.6 Creating and Modifying Entries in the Identity Store
  • 19.6.1 Handling Special Characters when Creating Identities
  • 19.6.2 Creating an Identity
  • 19.6.3 Modifying an Identity
  • 19.6.4 Deleting an Identity
• 19.7 Examples of User and Role API Usage
  • 19.7.1 Example 1: Searching for Users
  • 19.7.2 Example 2: User Management in an Oracle Internet Directory Store
  • 19.7.3 Example 3: User Management in a Microsoft Active Directory Store
• 19.8 SSL Configuration for LDAP-based User and Role API Providers
  • 19.8.1 Out-of-the-box Support for SSL
    • 19.8.1.1 System Properties
    • 19.8.1.2 SSL configuration
  • 19.8.2 Customizing SSL Support for the User and Role API
    • 19.8.2.1 SSL configuration
• 19.9 The User and Role API Reference
• 19.10 Developing Custom User and Role Providers
  • 19.10.1 SPI Overview
  • 19.10.2 Types of User and Role Providers
  • 19.10.3 Developing a Read-Only Provider
    • 19.10.3.1 SPI Classes Requiring Extension
    • 19.10.3.2 oracle.security.idm.spi.AbstractIdentityStoreFactory
    • 19.10.3.3 oracle.security.idm.spi.AbstractIdentityStore
    • 19.10.3.4 oracle.security.idm.spi.AbstractRoleManager
    • 19.10.3.5 oracle.security.idm.spi.AbstractUserManager
    • 19.10.3.6 oracle.security.idm.spi.AbstractRoleProfile
    • 19.10.3.7 oracle.security.idm.spi.AbstractUserProfile
    • 19.10.3.8 oracle.security.idm.spi.AbstractSimpleSearchFilter
    • 19.10.3.9 oracle.security.idm.spi.AbstractComplexSearchFilter
    • 19.10.3.10 oracle.security.idm.spi.AbstractSearchResponse
  • 19.10.4 Developing a Full-Featured Provider
  • 19.10.5 Development Guidelines
  • 19.10.6 Testing and Verification
  • 19.10.7 Example: Implementing an Identity Provider
    • 19.10.7.1 About the Sample Provider
    • 19.10.7.2 Overview of Implementation
    • 19.10.7.3 Configure jps-config.xml to use the Sample Identity Provider
    • 19.10.7.4 Configure Oracle WebLogic Server
• The User and Role SPI Reference
  • oracle.security.idm.spi.AbstractUserProfile
  • oracle.security.idm.spi.AbstractUserManager
  • oracle.security.idm.spi.AbstractUser
  • oracle.security.idm.spi.AbstractSubjectParser
  • oracle.security.idm.spi.AbstractStoreConfiguration
  • oracle.security.idm.spi. AbstractSimpleSearchFilter
  • oracle.security.idm.spi.AbstractSearchResponse
  • oracle.security.idm.spi.AbstractRoleProfile
  • oracle.security.idm.spi.AbstractRoleManager
  • oracle.security.idm.spi.AbstractRole
  • oracle.security.idm.spi.AbstractIdentityStoreFactory
  • oracle.security.idm.spi.AbstractIdentityStore
  • oracle.security.idm.spi.AbstractComplexSearchFilter

20 Developing with the Identity Directory API

• 20.1 About the Identity Directory API
  • 20.1.1 Feature Overview
• 20.2 Summary of Classes
• 20.3 Identity Directory Configuration
• 20.4 Working with the Identity Directory API
  • 20.4.1 Getting an Identity Directory API Instance
  • 20.4.2 Performing CRUD Operations on Users and Groups
    • 20.4.2.1 User Operations
    • 20.4.2.2 Group Operations
• 20.5 Examples of Identity Directory API
  • 20.5.1 Initialize and Obtain Identity Directory Handle
  • 20.5.2 Create a User
  • 20.5.3 Get a User
  • 20.5.4 Modify a User
  • 20.5.5 Simple Search for a User
  • 20.5.6 Complex Search for Users
  • 20.5.7 Create a Group
  • 20.5.8 Get a Group
  • 20.5.9 Get Group Using a Search Filter
  • 20.5.10 Delete a Group
  • 20.5.11 Add a Member to a Group
  • 20.5.12 Delete a Member from a Group
• 20.6 SSL Configuration
• 20.7 Configuring Filtering for Users and Groups
  • 20.7.1 Defining Filter Properties
  • 20.7.2 Using the Filter Properties

21 Developing with the Keystore Service

• 21.1 About the Keystore Service API
• 21.2 Overview of Application Development with the Keystore Service
• 21.3 Setting the Java Security Policy Permission
  • 21.3.1 Guidelines for Granting Permissions
  • 21.3.2 Permissions Grant Example 1
  • 21.3.3 Permissions Grant Example 2
  • 21.3.4 Permissions Grant Example 3
• 21.4 Configuring the Keystore Service
• 21.5 Using the Keystore Service API
  • 21.5.1 Using the Keystore Service API in Java SE Applications
  • 21.5.2 Using the Keystore Service API in Java EE Applications
• 21.6 Example of Keystore Service API Usage
  • 21.6.1 Java Program for Keystore Service Management Operations
  • 21.6.2 Reading Keys at Runtime
    • 21.6.2.1 Getting the Keystore Handle
    • 21.6.2.2 Accessing Keystore Artifacts - Method 1
    • 21.6.2.3 Accessing Keystore Artifacts - Method 2
  • 21.6.3 Policy Store Setup
  • 21.6.4 Configuration File
  • 21.6.5 About Using the Keystore Service in the Java SE Environment
• 21.7 Best Practices

22 Developing with the Audit Service

• 22.1 Application Integration with Audit Flow
• 22.2 Integrating the Application with the Audit Framework
• 22.3 Create Audit Definition Files
• 22.4 Register Application with the Registration Service
  • 22.4.1 Default Application Audit Registration
  • 22.4.2 Custom Application Audit Registration
  • 22.4.3 Programmatic Registration
• 22.5 Use the Administration Service APIs
  • 22.5.1 Query Audit Metadata
  • 22.5.2 View and Set Audit Run-time Policy
• 22.6 Add Application Code to Log Audit Events
  • 22.6.1 Audit Client API
  • 22.6.2 Set System Grants
  • 22.6.3 Obtain Auditor Instance
• 22.7 Generate Reports of Audit Data
• 22.8 Update and Maintain Audit Definitions

23 Configuring Java EE Applications to Use OPSS

• 23.1 Links to Authentication Topics for Java EE Applications
• 23.2 Configuring the Servlet Filter and the EJB Interceptor
  • 23.2.1 Interceptor Configuration Syntax
  • 23.2.2 Summary of Filter and Interceptor Parameters
  • 23.2.3 Configuring the Application Stripe for Application MBeans
• 23.3 Choosing the Appropriate Class for Enterprise Groups and Users
• 23.4 Packaging a Java EE Application Manually
  • 23.4.1 Packaging Policies with Application
  • 23.4.2 Packaging Credentials with Application
• 23.5 Configuring Applications to Use OPSS
  • 23.5.1 Parameters Controlling Policy Migration
  • 23.5.2 Policy Parameter Configuration According to Behavior
    • 23.5.2.1 To Skip Migrating Policies
    • 23.5.2.2 To Migrate Merging Policies
    • 23.5.2.3 To Migrate Overwriting Policies
    • 23.5.2.4 To Remove (or to Prevent Removing) Policies
    • 23.5.2.5 To Migrate Policies in a Static Deployment
    • 23.5.2.6 Recommendations
  • 23.5.3 Using a Wallet-Based Credential Store
  • 23.5.4 Parameters Controlling Credential Migration
  • 23.5.5 Credential Parameter Configuration According to Behavior
    • 23.5.5.1 To Skip Migrating Credentials
    • 23.5.5.2 To Migrate Merging Credentials
    • 23.5.5.3 To Migrate Overwriting Credentials
  • 23.5.6 Supported Permission Classes
    • 23.5.6.1 Policy Store Permission
    • 23.5.6.2 Credential Store Permission
    • 23.5.6.3 Generic Permission
  • 23.5.7 Specifying Bootstrap Credentials Manually
  • 23.5.8 Migrating Identities with migrateSecurityStore
  • 23.5.9 Example of Configuration File jps-config.xml
• 23.6 Executing As an Asserted User
  • 23.6.1 Use Cases
  • 23.6.2 Programming Guidelines and Recommendations
  • 23.6.3 A Code Example

24 Configuring Java SE Applications to Use OPSS

• 24.1 Using OPSS in Java SE Applications
  • 24.1.1 The Class JpsStartup
    • 24.1.1.1 JpsStartup.start States
    • 24.1.1.2 Run-Time Options to JpsStartup
    • 24.1.1.3 A New Class Constructor
    • 24.1.1.4 The Method JpsStartup.getState
    • 24.1.1.5 OPSS Starting Examples
• 24.2 Security Services in Java SE Applications
• 24.3 Authentication for Java SE Applications
  • 24.3.1 The Identity Store
  • 24.3.2 Configuring an LDAP Identity Store in Java SE Applications
  • 24.3.3 Supported Login Modules for Java SE Applications
    • 24.3.3.1 The Identity Store Login Module
    • 24.3.3.2 Using the Identity Store Login Module for Authentication
    • 24.3.3.3 Using the Identity Store Login Module for Assertion
  • 24.3.4 Using the OPSS API LoginService in Java SE Applications
• 24.4 Auditing in Java SE Applications
  • 24.4.1 About Auditing in the Java SE Environment
  • 24.4.2 Configuring the Audit Bus-stop Directory
  • 24.4.3 Configuring Audit Loaders
  • 24.4.4 Implementing Common Audit Scenarios in JavaSE
    • 24.4.4.1 Auditing by JavaSE Clients, with co-located WebLogic Server
    • 24.4.4.2 Auditing by JavaSE Clients, without co-located WebLogic Server
• 24.5 Configuration Examples

Part V Appendices

A OPSS Configuration File Reference

• A.1 Top- and Second-Level Element Hierarchy
• A.2 Lower-Level Elements
• <description>
• <extendedProperty>
• <extendedPropertySet>
• <extendedPropertySetRef>
• <extendedPropertySets>
• <jpsConfig>
• <jpsContext>
• <jpsContexts>
• <name>
• <property>
• <propertySet>
• <propertySetRef>
• <propertySets>
• <serviceInstance>
• <serviceInstanceRef>
• <serviceInstances>
• <serviceProvider>
• <serviceProviders>
• <value>
• <values>

B File-Based Identity and Policy Store Reference

• B.1 Hierarchy of Elements in system-jazn-data.xml
• B.2 Elements and Attributes of system-jazn-data.xml
• <actions>
• <actions-delimiter>
• <app-role>
• <app-roles>
• <application>
• <applications>
• <attribute>
• <class>
• <codesource>
• <credentials>
• <description>
• <display-name>
• <extended-attributes>
• <grant>
• <grantee>
• <guid>
• <jazn-data>
• <jazn-policy>
• <jazn-realm>
• <matcher-class>
• <member>
• <member-resource>
• <member-resources>
• <members>
• <name>
• <owner>
• <owners>
• <permission>
• <permissions>
• <permission-set>
• <permission-sets>
• <policy-store>
• <principal>
• <principals>
• <provider-name>
• <realm>
• <resource>
• <resources>
• <resource-name>
• <resource-type>
• <resource-types>
• <role>
• <role-categories>
• <role-category>
• <role-name-ref>
• <roles>
• <type>
• <type-name-ref>
• <uniquename>
• <url>
• <user>
• <users>
• <value>
• <values>

C Oracle Fusion Middleware Audit Framework Reference

• C.1 Audit Events
  • C.1.1 What Components Can be Audited?
  • C.1.2 What Events can be Audited?
    • C.1.2.1 Oracle Directory Integration Platform Events and their Attributes
    • C.1.2.2 Oracle Platform Security Services Events and their Attributes
    • C.1.2.3 Oracle HTTP Server Events and their Attributes
    • C.1.2.4 Oracle Internet Directory Events and their Attributes
    • C.1.2.5 Oracle Identity Federation Events and their Attributes
    • C.1.2.6 Oracle Virtual Directory Events and their Attributes
    • C.1.2.7 OWSM-Agent Events and their Attributes
    • C.1.2.8 OWSM-PM-EJB Events and their Attributes
    • C.1.2.9 OWSM-JKSMBEAN Events and their Attributes
    • C.1.2.10 Reports Server Events and their Attributes
    • C.1.2.11 WS-Policy Attachment Events and their Attributes
    • C.1.2.12 Oracle Web Cache Events and their Attributes
    • C.1.2.13 Oracle Web Services Events and their Attributes
  • C.1.3 Event Attribute Descriptions
• C.2 Pre-built Audit Reports
  • C.2.1 Common Audit Reports
  • C.2.2 Component-Specific Audit Reports
• C.3 The Audit Schema
• C.4 OPSS Scripts for Auditing
  • C.4.1 getNonJava EEAuditMBeanName
    • C.4.1.1 Description
    • C.4.1.2 Syntax
    • C.4.1.3 Example
  • C.4.2 getAuditPolicy
    • C.4.2.1 Description
    • C.4.2.2 Syntax
    • C.4.2.3 Example
  • C.4.3 setAuditPolicy
    • C.4.3.1 Description
    • C.4.3.2 Syntax
    • C.4.3.3 Example
  • C.4.4 getAuditRepository
    • C.4.4.1 Description
    • C.4.4.2 Syntax
    • C.4.4.3 Example
  • C.4.5 setAuditRepository
    • C.4.5.1 Description
    • C.4.5.2 Syntax
    • C.4.5.3 Example
  • C.4.6 listAuditEvents
    • C.4.6.1 Description
    • C.4.6.2 Syntax
    • C.4.6.3 Example
  • C.4.7 exportAuditConfig
    • C.4.7.1 Description
    • C.4.7.2 Syntax
    • C.4.7.3 Example
  • C.4.8 importAuditConfig
    • C.4.8.1 Description
    • C.4.8.2 Syntax
    • C.4.8.3 Example
  • C.4.9 createAuditDBView
    • C.4.9.1 Description
    • C.4.9.2 Syntax
    • C.4.9.3 Example
  • C.4.10 listAuditComponents
    • C.4.10.1 Description
    • C.4.10.2 Syntax
    • C.4.10.3 Example
  • C.4.11 registerAudit
    • C.4.11.1 Description
    • C.4.11.2 Syntax
    • C.4.11.3 Example
  • C.4.12 deregisterAudit
    • C.4.12.1 Description
    • C.4.12.2 Syntax
    • C.4.12.3 Example
• C.5 Audit Filter Expression Syntax
• C.6 Naming and Logging Format of Audit Files

D User and Role API Reference

• D.1 Mapping User Attributes to LDAP Directories
• D.2 Mapping Role Attributes to LDAP Directories
• D.3 Default Configuration Parameters
• D.4 Secure Connections for Microsoft Active Directory

E Administration with Scripting and MBean Programming

• E.1 Configuring OPSS Service Provider Instances with a Script
• E.2 Configuring OPSS Services with MBeans
  • E.2.1 List of Supported OPSS MBeans
  • E.2.2 Invoking an OPSS MBean
  • E.2.3 Programming with OPSS MBeans
• E.3 Access Restrictions
  • E.3.1 Annotation Examples
  • E.3.2 Mapping of Logical Roles to WebLogic Roles
  • E.3.3 Particular Access Restrictions

F OPSS System and Configuration Properties

• F.1 OPSS System Properties
• F.2 OPSS Configuration Properties
  • F.2.1 Common Properties
  • F.2.2 Policy Store Properties
    • F.2.2.1 Policy Store Configuration
    • F.2.2.2 Runtime Policy Store Configuration
  • F.2.3 Credential Store Properties
  • F.2.4 LDAP Identity Store Properties
  • F.2.5 Properties Common to All OID-Based Instances
  • F.2.6 Anonymous and Authenticated Roles Properties
  • F.2.7 Trust Service Properties
  • F.2.8 Audit Service Properties
  • F.2.9 Keystore Service Properties

G Upgrading Security Data

• G.1 Upgrading with upgradeSecurityStore
  • G.1.1 Examples of Use
    • G.1.1.1 Example 1 - Upgrading Identities
    • G.1.1.2 Example 2 - Upgrading to File-Based Policies
    • G.1.1.3 Example 3 - Upgrading to Oracle Internet Directory LDAP-Based Policies
    • G.1.1.4 Example 4 - Upgrading File-Based Policies to Use the Resource Catalog
• G.2 Upgrading the OPSS Security Store with upgradeOpss
  • G.2.1 What Gets Upgraded
  • G.2.2 Important Points
  • G.2.3 Upgrading Procedure
  • G.2.4 Script Syntax
• G.3 Backing Up and Recovering the OPSS Security Store
  • G.3.1 Backing Up and Recovering a DB-Based Security Store
  • G.3.2 Backing Up and Recovering an OID-Based Security Store
  • G.3.3 Recommendations

H References

• H.1 OPSS API References

I Using an OpenLDAP Identity Store

• I.1 Using an OpenLDAP Identity Store

J Adapter Configuration for Identity Virtualization

• J.1 About Split Profiles
• J.2 Configuring a Split Profile
• J.3 Deleting a Join Rule
• J.4 Deleting a Join Adapter
• J.5 Changing Adapter Visibility
• J.6 Enabling Access Logging for Identity Virtualization Library

K Troubleshooting OPSS

• K.1 Diagnosing Security Errors
  • K.1.1 Log Files and OPSS Loggers
    • K.1.1.1 Diagnostic Log Files
    • K.1.1.2 Generic Log Files
    • K.1.1.3 Authorization Loggers
    • K.1.1.4 Offline WLST Commands Loggers
    • K.1.1.5 Other OPSS Loggers
    • K.1.1.6 User and Role API Logger
    • K.1.1.7 Audit Loggers
    • K.1.1.8 Attribute Service Logger
    • K.1.1.9 Managing Loggers with Fusion Middleware Control
    • K.1.1.10 Managing Loggers with a Script
  • K.1.2 System Properties
    • K.1.2.1 jps.auth.debug
    • K.1.2.2 jps.auth.debug.verbose
    • K.1.2.3 Debugging the Authorization Process
  • K.1.3 Solving Security Errors
    • K.1.3.1 Understanding Sample Log Entries
    • K.1.3.2 Searching Logs with Fusion Middleware Control
    • K.1.3.3 Identifying a Message Context with Fusion Middleware Control
    • K.1.3.4 Generating Error Listing Files with Fusion Middleware Control
• K.2 The OPSS Diagnostic Framework
• K.3 Troubleshooting Reassociation and Migration
  • K.3.1 Reassociation Failure
  • K.3.2 Unsupported Schema
  • K.3.3 Missing Policies in Reassociated Policy Store
  • K.3.4 Migration Failure
• K.4 Troubleshooting Server Starting
  • K.4.1 Missing Required LDAP Authenticator
  • K.4.2 Missing Administrator Account
  • K.4.3 Missing Permission
  • K.4.4 Server Fails to Start
  • K.4.5 Other Server Start Issues
  • K.4.6 Permission Failure Before Server Starts
• K.5 Troubleshooting Permissions
  • K.5.1 Troubleshooting System Policy Failures
  • K.5.2 Failure to Grant or Revoke Permissions - Case Mismatch
  • K.5.3 Authorization Check Failure
  • K.5.4 User Gets Unexpected Permissions
  • K.5.5 Granting Permissions in Java SE Applications
  • K.5.6 Application Policies Not Seen in 12c HA Environment
• K.6 Troubleshooting Connections and Access
  • K.6.1 Failure to Connect to the Embedded LDAP Authenticator
  • K.6.2 Failure to Connect to an OID Server
  • K.6.3 Failure to Access Data in the Credential Store
  • K.6.4 Security Access Control Exception
  • K.6.5 Failure to Establish an Anonymous SSL Connection
• K.7 Troubleshooting Oracle Business Intelligence Reporting
  • K.7.1 Audit Templates for Oracle Business Intelligence Publisher
  • K.7.2 Oracle Business Intelligence Publisher Time Zone
• K.8 Troubleshooting Searching
  • K.8.1 Search Failure when Matching Attribute in Policy Store
  • K.8.2 Search Failure with an Unknown Host Exception
• K.9 Troubleshooting Versioning
  • K.9.1 Incompatible Versions of Binaries and Policy Store
  • K.9.2 Incompatible Versions of Policy Stores
• K.10 Troubleshooting Other Errors
  • K.10.1 Runtime Permission Check Failure
  • K.10.2 Tablespace Needs Resizing
  • K.10.3 Oracle Internet Directory Exception
  • K.10.4 User and Role API Failure
  • K.10.5 Characters in Policies
    • K.10.5.1 Use of Special Characters in Oracle Internet Directory 10.1.4.3
    • K.10.5.2 XML Policy Store that Contains Certain Characters
    • K.10.5.3 Characters in Application Role Names
    • K.10.5.4 Missing Newline Characters in XML Policy Store
  • K.10.6 Invalid Key Size
• K.11 Need Further Help?