This chapter describes the typical tasks you need to perform to manage security and auditing.
This chapter includes the following sections:
Fusion Middleware Audit Framework provides a centralized audit framework for the middleware family of products. Audit settings for Java components like Oracle Platform Security Services, Oracle Web Services Manager, Oracle Web Services, and other components are handled at the domain level as part of security administration.
You can perform the following tasks on this page:
View and update audit policies for a component
Select audit events for the component
Customize audit policies
For more information about audit policies, see "Managing Audit Policies with Fusion Middleware Control" in Securing Applications with Oracle Platform Security Services.
By default, security audit data is saved in a file. It is recommended that you configure auditing to use a database store to provide better management of the audit data.
To configure a database for the audit store (applies to Java components only):
Verify that you have installed the audit schema in the database, using the Repository Creation Utility (RCU).
Create a Data Source using the Oracle WebLogic Server Administration Console.
View the audit store settings for the domain.
Configure the domain so it uses the database as the audit store.
To view audit reports:
Configure a database for the audit store as explained above.
Analyze the audit data that you have gathered.
Note:
Using the same database for Java components and system components ensures that your audit reports can display the audit records for all components together. For more information about auditing, see the following topics in Securing Applications with Oracle Platform Security Services:
An application policy is a functional policy that specifies a set of permissions that a principal is allowed to perform within the application, such as viewing web pages or modifying reports.
An application policy uses:
Principals as grantees, and must have at least one principal.
Either one or more permissions, or an entitlement, but not both.
Policies that use an entitlement are called entitlement-based policies; policies that use one or more permissions are called resource-based policies.
You can perform the following tasks in this page:
Create an application policy
Create an application policy based on an existing one
Edit an application policy
Display application policies matching a pattern
For details about managing application policies, see Managing Application Policies in Securing Applications with Oracle Platform Security Services.
An application role is a collection of users, groups, and other application roles; it can be hierarchical. Application roles are defined by application policies and not necessarily known to a Java EE container. Application roles can be many-to-many mapped to external roles. For example, the external group employee (stored in the identity store) can be mapped to the application role helpdesk service request (in one stripe) and to the application role self service HR (in another stripe).
You can perform the following tasks in this page:
Create an application role
Create an application role based on an existing role
Edit an application role
Display application roles matching a pattern
For details about managing application roles, see Managing Application Roles in Securing Applications with Oracle Platform Security Services.
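The policy and role rules described above (at least one principal per policy, permissions or an entitlement but never both, hierarchical application roles, one external group mapped to a different role in each stripe), worked through as an added Python model. This is not OPSS code or its API; the user, group, permission and entitlement names are constructed sample data, and the stripe and role names are the ones the text uses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ApplicationPolicy:
    # Grantees are principals (users, groups, app roles); the grant is permissions OR one entitlement.
    principals: frozenset
    permissions: frozenset = frozenset()
    entitlement: str = None

    def __post_init__(self):
        if not self.principals:
            raise ValueError("an application policy needs at least one principal")
        if bool(self.permissions) == bool(self.entitlement):
            raise ValueError("use either permissions (resource-based) or an entitlement, not both")

@dataclass
class Stripe:
    roles: dict         # app role -> members: user names, "group:<name>" or other app roles
    entitlements: dict  # entitlement name -> set of permissions
    policies: list

    def principals_of(self, user, groups):
        """User, external groups and every app role held, following the role hierarchy."""
        held = {user} | {f"group:{g}" for g in groups}
        while True:
            new = {r for r, members in self.roles.items() if r not in held and members & held}
            if not new:
                return held
            held |= new

    def permissions_of(self, user, groups):
        """Union of grants from every policy whose grantees intersect the held principals."""
        held, granted = self.principals_of(user, groups), set()
        for pol in self.policies:
            if pol.principals & held:
                granted |= pol.permissions or self.entitlements[pol.entitlement]
        return granted

# Constructed sample: the identity-store group "employee" maps to one app role in each stripe.
IDENTITY_GROUPS = {"alice": {"employee"}, "bob": set()}
SERVICEDESK = Stripe(
    roles={"helpdesk service request": {"group:employee", "helpdesk supervisor"},
           "helpdesk supervisor": {"bob"}},
    entitlements={"ticket-admin": {"ticket.close", "report.modify"}},
    policies=[ApplicationPolicy(frozenset({"helpdesk service request"}),
                                frozenset({"ticket.view", "ticket.create"})),
              ApplicationPolicy(frozenset({"helpdesk supervisor"}), entitlement="ticket-admin")])
HR = Stripe(roles={"self service HR": {"group:employee"}}, entitlements={},
            policies=[ApplicationPolicy(frozenset({"self service HR"}), frozenset({"payslip.view"}))])
```

Because bob is a member of helpdesk supervisor, which is itself a member of helpdesk service request, he receives the resource-based grant of the parent role as well as the entitlement-based grant of his own.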
A system policy is a policy that specifies a set of permissions that a principal or a code source is allowed to perform, and it holds for an entire domain. System policies grant privileges to code sources and principals, while application policies can grant privileges to principals only.
You can perform the following tasks in this page:
Create a system policy
Create a system policy based on an existing one
Edit a system policy
Display system policies matching a pattern
For details about managing system policies, see Managing System Policies in Securing Applications with Oracle Platform Security Services.
OPSS supports the following types of credentials according to the data they contain:
A password credential encapsulates a user name and a password.
A generic credential encapsulates any customized data or arbitrary token, such as a symmetric key.
A credential is uniquely identified by a map name and a key name. A map can hold several keys and, typically, the map name corresponds with the name of an application; all credentials with the same map name define a logical group of credentials, such as the credentials used by the application. The pair of map and key names must be unique for all entries in a credential store.
There is no limit to the number or kind of characters you can set in a password, except that it must be non-empty and non-null. The maximum size of a generic credential in an LDAP security store is 4K.
Oracle Wallet is the default file-based credential store, and it can store X.509 certificates; production environments typically use either an Oracle Internet Directory LDAP-based or a DB-based credential store.
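An added Python model of the credential store rules stated above: a credential is addressed by the unique pair of map name and key name, a map groups the credentials of one application, a password credential must be non-empty and non-null, and a generic credential in an LDAP store is capped at 4K. This is not the OPSS API; the backend names, map names and key names are constructed for the example.

```python
GENERIC_LIMIT_LDAP = 4 * 1024  # stated maximum size of a generic credential in an LDAP store

class CredentialStore:
    """Simplified model of a credential store keyed by (map name, key name)."""

    def __init__(self, backend):
        self.backend = backend  # assumed labels: "file" (Oracle Wallet), "ldap" or "db"
        self._entries = {}      # (map, key) -> ("password", (user, pwd)) | ("generic", bytes)

    def _put(self, map_name, key, kind, value):
        # The (map, key) pair must be unique across the whole store.
        if (map_name, key) in self._entries:
            raise KeyError(f"credential {map_name}/{key} already exists")
        self._entries[(map_name, key)] = (kind, value)

    def set_password_credential(self, map_name, key, user, password):
        # Any number or kind of characters is allowed, but the password cannot be empty or null.
        if password is None or password == "":
            raise ValueError("password must be non-empty and non-null")
        self._put(map_name, key, "password", (user, password))

    def set_generic_credential(self, map_name, key, token):
        # Arbitrary bytes (e.g. a symmetric key); only the LDAP store enforces the 4K limit.
        if self.backend == "ldap" and len(token) > GENERIC_LIMIT_LDAP:
            raise ValueError("generic credential exceeds the 4K limit of an LDAP store")
        self._put(map_name, key, "generic", bytes(token))

    def get(self, map_name, key):
        return self._entries[(map_name, key)]

    def keys_in_map(self, map_name):
        """All key names in one map, i.e. the logical group of one application's credentials."""
        return sorted(k for (m, k) in self._entries if m == map_name)
```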
You can perform the following tasks in this page:
Create a credential map
Add a key to a credential map
Edit a key
Display credentials matching a pattern
For details about managing credentials, see Managing Credentials in Securing Applications with Oracle Platform Security Services.
The OPSS Keystore Service allows managing keys and certificates for SSL, message security, encryption, and similar tasks. Use this service to create and maintain keystores that contain keys, certificates, and other artifacts.
Typical tasks on a keystore are as follows:
Create a keystore in the context of an application stripe, directly or by importing a keystore file from the file system.
Update or delete keystores; updating a password-protected keystore requires entering the keystore password.
Change a keystore password.
You can perform the following tasks in this page:
Create a keystore
Delete a keystore
Edit the keystore password
For details about managing keystores, see the following topics in Securing Applications with Oracle Platform Security Services:
Creating a keystore
Deleting a keystore
Changing a Keystore Password
Keys and certificates reside in a keystore within an application stripe; there may be more than one keystore in an application stripe, each with a unique name. Each keystore contains asymmetric keys, symmetric keys, and trusted certificates.
You can perform the following tasks in this page:
Create a key pair
Generate a Certificate Signing Request
Export and import a certificate
Change a certificate password
Delete a certificate
For details about managing keys and certificates, see the following topics in Securing Applications with Oracle Platform Security Services:
Generating a Keypair
Generating a CSR Certificate
Exporting a Certificate or Trusted Certificate
Importing a Certificate or Trusted Certificate
Deleting a Certificate
Changing a Certificate Password