5 Security Administration

This chapter describes the main tasks you carry out to manage application security and the tools you use to accomplish those tasks.

It contains the following sections:

5.1 OPSS Administration: Main Steps

Application security administration is an iterative process that incudes the following main tasks:

  • Packing and deploying applications

  • Managing application roles and users

  • Managing application and system policies

  • Managing application credentials

  • Managing application keys and certificates

  • Managing audit

5.2 Security Management Tools

To administer security, use any of the following tools:

  • Oracle WebLogic Server Administration Console

  • Fusion Middleware Control

  • WebLogic Scripting Tool (WLST)

  • Oracle Entitlements Server (OES)

The tool you use depends on the type of data and the kind of store.

OPSS does not support automatic backup or recovery of server files. It is recommended that all server configuration files be periodically backed up. For information about backup, see Introducing Backup and Recovery in Administering Oracle Fusion Middleware.

Users and Groups

If a domain uses the WebLogic Default Authenticator to store identities, then use WebLogic Server Administration Console to manage the stored data. This data can be accessed by the User and Role API to query user profile attributes or to insert additional attributes to users or groups.

If your domain uses the Default Authenticator, then the Administration Server must be running for an application to access identity data with the User and Role API. Otherwise, if it uses an LDAP server different from the Default Authenticator, then use the utilities of that LDAP server to manage users and groups.

Policies, Credentials, Keys, and Certificates

Policies, keys, credentials, and certificates are stored in the same kind of storage (file, LDAP, or DB). The tools to manage these artifacts are:

  • WebLogic Server Administration Console, for identities.

  • Fusion Middleware Control, WLST, or OES, for policies and credentials.

  • WLST, for keys and certificates.

Changes to policies, credentials, or keys do not require server restart. Changes to the jps-config.xml file require server restart.

See also:

Getting Started Managing Oracle Fusion Middleware in Administering Oracle Fusion Middleware

5.3 Security Practices with Fusion Middleware Control

This section addresses only security-related operations. For other administrative operations, see Oracle Fusion Middleware Administering Oracle WebLogic Server with Fusion Middleware Control.

Use Oracle Enterprise Manager Fusion Middleware Control (Fusion Middleware Control) to:

  • Postinstallation and before you deploy the application, reassociate the security store.

  • Postinstallation and before you deploy the application, define OPSS properties.

  • At application deployment, configure the automatic migration of application policies and credentials to the security store.

  • After application deployment:

    • Manage application policies.

    • Manage credentials.

    • Manage users and groups.

    • Specify the mapping from application roles to users, groups, and application roles.

  • Manage system policies for the domain.

  • Manage OPSS properties for the domain.

5.4 Security Practices with WebLogic Server Administration Console

Use WebLogic Server Administration Console to:

  • Start and stop WebLogic servers.

  • Configure WebLogic servers and domains.

  • Deploy applications.

  • Configure failover support.

  • Configure WebLogic Server domains and WebLogic Server realms.

  • Manage WebLogic Authentication Providers.

  • Enable single sign-on in Microsoft clients, Web browsers, and HTTP clients.

  • Manage administrative users and administrative policies.

5.4.1 Security Practices with WLST

All security configuration tasks you do with WebLogic Server Administration Console, you can also do with WLST, including domain configuration and application deployment.

A Java Virtual Machine (JVM) instance points to at most one jps-config.xml file. All WLST commands called within the instance use the configuration file first obtained, regardless of the configuration location passed to subsequent commands.

5.5 Security Practices with OES

OES provides a large number of functions to configure and maintain authorization, including the ability to:

  • Search application roles and the role hierarchy.

  • Manage application policies and the role hierarchy.

  • View the role hierarchy.

  • Manage application role mappings.

For information about OES, see Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server.