This chapter describes the main tasks you carry out to manage application security and the tools you use to accomplish those tasks.
It contains the following sections:
Application security administration is an iterative process that incudes the following main tasks:
Packing and deploying applications
Managing application roles and users
Managing application and system policies
Managing application credentials
Managing application keys and certificates
Managing audit
See also:
Deploying Secure Applications for information about packing security with an application
To administer security, use any of the following tools:
Oracle WebLogic Server Administration Console
Fusion Middleware Control
WebLogic Scripting Tool (WLST)
Oracle Entitlements Server (OES)
The tool you use depends on the type of data and the kind of store.
OPSS does not support automatic backup or recovery of server files. It is recommended that all server configuration files be periodically backed up. For information about backup, see Introduction to Backup and Recovery in Administering Oracle Fusion Middleware.
If a domain uses the WebLogic Server Default Authenticator to store identities, then use WebLogic Server Administration Console to manage the stored data. This data can be accessed by the User and Role API to query user profile attributes or to insert additional attributes to users or groups.
If your domain uses the Default Authenticator, then the Administration Server must be running for an application to access identity data with the User and Role API. Otherwise, if it uses an LDAP server different from the Default Authenticator, then use the utilities of that LDAP server to manage users and groups.
Policies, Credentials, Keys, and Certificates
Policies, keys, credentials, and certificates are stored in the same kind of storage (file, LDAP, or DB). The tools to manage these artifacts are:
WebLogic Server Administration Console, for identities.
Fusion Middleware Control, WLST, or OES, for policies and credentials.
WLST, for keys and certificates.
Changes to policies, credentials, or keys do not require server restart. Changes to the jps-config.xml
file require server restart.
See also:
Getting Started Managing Oracle Fusion Middleware in Administering Oracle Fusion Middleware
This section addresses only OPSS security-related operations. For other security administrative operations, see WebLogic Server Security in Administering Oracle WebLogic Server with Fusion Middleware Control.
Use Oracle Enterprise Manager Fusion Middleware Control (Fusion Middleware Control):
Post-installation and before you deploy the application to reassociate the security store.
Post-installation and before you deploy the application to define OPSS properties.
At application deployment, to configure the automatic migration of application policies and credentials to the security store.
After application deployment, to:
Manage application policies.
Manage credentials.
Manage users and groups.
Specify the mapping from application roles to users, groups, and application roles.
Manage system policies for the domain.
Manage OPSS properties for the domain.
Use WebLogic Server Administration Console to:
Start and stop WebLogic servers.
Configure WebLogic servers and domains.
Deploy applications.
Configure failover support.
Configure WebLogic Server domains and WebLogic Server realms.
Manage WebLogic Server Authentication Providers.
Enable single sign-on in Microsoft clients, Web browsers, and HTTP clients.
Manage administrative users and administrative policies.
See also:
Configuring Existing WebLogic Domains in Understanding the WebLogic Scripting Tool
Understanding WebLogic Server Deployment in Deploying Applications to Oracle WebLogic Server
Failover and Replication in a Cluster in Administering Clusters for Oracle WebLogic Server
Starting and Stopping Servers in Administering Server Startup and Shutdown for Oracle WebLogic Server
Secure servers and resources in Oracle WebLogic Server Administration Console Online Help
All security configuration tasks you do with WebLogic Server Administration Console, you can also do with WLST, including domain configuration and application deployment.
A Java Virtual Machine (JVM) instance points to at most one jps-config.xml
file. All WLST commands called within the instance use the configuration file first obtained, regardless of the configuration location passed to subsequent commands.
OES provides a large number of functions to configure and maintain authorization, including the ability to:
Search application roles and the role hierarchy.
Manage application policies and the role hierarchy.
View the role hierarchy.
Manage application role mappings.
For information about OES, see Introduction to Oracle Entitlements Server in Administering Oracle Entitlements Server.