10 Managing Policies
This chapter includes the following sections:
- Determining the Security Store Characteristics
- Managing the Policy Store
- Managing Policies with Fusion Middleware Control
- Managing Policies with WLST
- Refreshing the Policy Cache
- Principals and Roles in WLST Commands
- Application Stripe in WLST Commands
- Managing Application Policies with OES
Parent topic: OPSS Services
Determining the Security Store Characteristics
Use the listSecurityStoreInfo WLST command to determine several attributes of the security store. For information about this command, see listSecurityStoreInfo in WLST Command Reference for Infrastructure Security.
                     
Parent topic: Managing Policies
Managing the Policy Store
To avoid unexpected authorization failures and to manage policies effectively, note the following points:
- 
                        Before deleting a user, revoke all permissions, application roles, and enterprise groups that have been granted to the user. If you fail to remove all security data referencing a deleted user, then these artifacts are left dangling and, potentially, be inadvertently inherited if another user with the same name is created at a later time. Similar considerations apply to when a user name is changed: all policies (grants, permissions, groups) referring to old data must be updated so that authorization works as expected with the changed data. 
- 
                        When applied, policies use case-sensitivity in names. The best way to avoid possible authorization errors due to case in user or group names is to use the spelling of those names exactly as specified in the identity store. Oracle recommends that: - 
                              When provisioning a policy, spell the names of users and groups used in the policy exactly as they are spelled in the identity store. 
- 
                              When entering a user name at runtime, enter a name that matches exactly the case of a name in the identity store. 
 
- 
                              
- 
                        Resource type, resource, or entitlement names can contain printable characters only and they cannot start or end with a white space. 
- 
                        Authorization failures are not shown in the console by default. To have authorization failures (such as JpsAuth.checkPermissionfailures) displayed in the console, set thejps.auth.debugsystem variable totrue.
The following sections explain how to manage policies with Fusion Middleware Control, WLST, and OES. Typical operations include:
Parent topic: Managing Policies
Managing Policies with Fusion Middleware Control
Fusion Middleware Control allows you to manage system and application policies in a WebLogic Server domain as explained in the following sections:
Parent topic: Managing Policies
Managing Application Policies
You must perform the following tasks to manage application policies with Fusion Middleware Control.
Task 1, Opening the Application Policies Page
Log in to Fusion Middleware Control and go to Domain, then to Security, and then to Application Policies. The Application Policies page is displayed. The Policy Store Provider area is read-only and displays the provider currently used in the domain.
Task 2, Searching Application Policies
In the Search area, choose an application stripe, enter a string to match (a principal name, principal group, or application role), and click the search button. The results of the search are displayed in the table at the bottom of the page.
Task 3, Creating an Application Policy
Choose an application stripe, and click Create. The Create Application Grant page is displayed. In this page, add principals and permissions to the grant, as appropriate:
- 
                              To add permissions, in the Permissions area click Add to display the Add Permission dialog. In the Search area of that dialog, first choose Permissions or Resource Types. If you chose Permissions, then identify permissions matching a class or resource name, and determine the Permission Class and Resource Name. If you chose Resource Types, then identify the resource types matching a type name, and determine a type. Then click OK to return to the Create Application Grant page. The permission you chose is displayed in the table in the Permissions area. 
- 
                              To add principals, click Add in the Grantee area to display the Add Principal dialog. In the Search area of that dialog, choose a Type, enter strings to match principal names and display names, and click the search button. The result of the query is displayed in the Searched Principals table. Then choose one or more rows from that table, and click OK to return to the Create Application Grant page. The principals you chose are displayed in the table in the Grantee area 
- 
                              Click OK to return to the Application Policies page. The new policy is displayed in the table at the bottom of the page. 
Task 4, Creating an Application Policy Like Another One
- Choose a policy.
- Click Create Like. The Create Application Grant Like page is displayed and the table of permissions is filled in with the data extracted from the chosen policy.
- Modify those values, as appropriate, and then click OK.
Parent topic: Managing Policies with Fusion Middleware Control
Managing Application Roles
You must perform the following tasks to manage application roles with Fusion Middleware Control.
Task 1, Opening the Application Roles Page
Log in to Fusion Middleware Control and go to Domain, then to Security, and then to Application Roles. The Application Roles page is displayed. The Policy Store Provider area is read-only and displays the provider currently used in the domain.
Task 2, Searching Application Roles
In the Search area, choose an application stripe, enter a string to match, and click the search button. The results of the search are displayed in the table at the bottom of the page.
Task 3, Creating an Application Role
Click Create to display the Create Application Role page.
You need not enter data in this page all at one time. For example, you could create a role by entering the role name and display name, save your data, and later on specify the members in it. Similarly, you could specify the role mapping at a later time.
In the area General:
- 
                              In the Role Name text field enter the name of the role. 
- 
                              In the Display Name text field, optionally, enter the name to display for the role. 
- 
                              In the Description text field, optionally, enter a description of the role. 
- 
                              In the Members area, specify the users, groups, or other application roles into which the role is mapped. 
Task 4, Adding Application Roles to a Role
- 
                              Choose a role and click Add. The Add Principal dialog is displayed. 
- 
                              Choose a Type (application role, group, or user), enter a string to match principal names, and click the search button. The result of the search is displayed in the Searched Principals table. Choose one or more principals from that table. 
- 
                              Choose one or more principals to which you want to add the role. 
- 
                              Click OK to return to the Create Application Role page. The new application role is displayed in the Members table. 
Task 5, Creating an Application Role Like Another One
- Choose a role.
- Click Create Like. The Create Application Role Like page is displayed and some entries are filled in with data extracted from the role you chose.
- Modify the list of roles and users, as appropriate, and then click OK.
To understand how permissions are inherited in the role hierarchy, see Permission Inheritance and the Role Hierarchy.
Parent topic: Managing Policies with Fusion Middleware Control
Managing System Policies
You must perform the following tasks to manage system policies with Fusion Middleware Control.
Task 1, Opening the System Policies Page
Log in to Fusion Middleware Control and go to Domain, then to Security, and then to System Policies. The System Policies page is displayed. The Policy Store Provider area is read-only and displays the provider currently used in the domain.
Task 2, Searching System Policies
In the Search area, choose a type, enter a string to match, and click the search button. The results of the search are displayed in the table at the bottom of the page.
Task 3, Creating a System Policy
Parent topic: Managing Policies with Fusion Middleware Control
Managing Policies with WLST
An online WLST command is a command that requires a connection to a running server. Unless otherwise stated, commands listed in this section are online commands and operate on the security store, regardless of its type. There are a few commands that are offline which do not require a running server to operate.
Read-only commands can be performed only by users in the following WebLogic Server groups: Monitor, Operator, Configurator, or Admin. Read/write commands can be performed only by users in the following WebLogic Server groups: Admin or Configurator. All commands are available with the installation of Oracle WebLogic Server.
                     
You can run WSLT commands in interactive or in script mode. In interactive mode, you enter the command at a command-line prompt. In script mode, you write the commands in a text file and run the script, much like the directives in a shell script.
All class names specified in commands must be fully qualified path names.
OPSS provides the following commands to administer application policies:
- 
                           migrateSecurityStore. see Migrating the Security Store with migrateSecurityStore 
Parent topic: Managing Policies
reassociateSecurityStore
The reassociateSecurityStore WLST command migrates the security store from a source to a target store and resets service configurations in the jps-config.xml and jps-config-jse.xml files to the target repository. This command is supported in only the interactive mode.
                        
The source store can be a file, LDAP, or DB security store. The target store can be a new store or an existing store in some other domain (see optional join argument below). When the target is a store in some other domain, you specify whether to append the source data to the target store (see optional migrate argument below).
                        
The version of the source store must be equal to or greater than the version of the target store. If the version of the source is later than the version of the target, then the command runs a compatibility check between the source and the target security data. If the check fails on some artifacts, then the command allows skipping the migration of incompatible artifacts by setting the skip argument to true. If this argument is not true and incompatible artifacts are detected, then the command terminates.
                        
The command resets the bootstrap credentials (see admin and password arguments below). For an alternate way to reset bootstrap credentials, see the  modifyBootStrapCredential and addBootStrapCredential commands. 
                        
Command Syntax
The command syntax varies according to the type of the target store. When the target is an LDAP store, use the following syntax (arguments are displayed in separate lines for clarity only):
reassociateSecurityStore(domain="domainName", 
      servertype="OID",  
      ldapurl="hostAndPort", 
      jpsroot="cnSpecification", 
      admin="cnSpecification", 
      password="passWord",
      [join="trueOrfalse"] [,keyFilePath="dirLoc", keyFilePassword="password"]]
      [migrate="trueOrfalse"]
      [skip="trueOrfalse"])
When the target is a DB security store, use the following syntax (arguments are displayed in separate lines for clarity only):
reassociateSecurityStore(domain="domainName", 
       servertype="DB_ORACLE", 
       datasourcename="datasourceName", 
       jpsroot="jpsRoot",
       jdbcurl="jdbcURL",
       jdbcdriver="jdbcDriverClass",
       dbUser="dbUserName",
       dbPassword="dbPassword",
       [admin="adminAccnt", password="passWord",]
       [,join="trueOrfalse" 
          [,keyFilePath="dirLoc", keyFilePassword="password"]                         [,migrate="trueOrfalse" [,skip="trueOrfalse"]]])
       [odbcdsn="odbcDsnSting"]
       [migrate="trueOrfalse"]
       [skip="trueOrfalse"])
The main points regarding the use of the join, migrate, and skip arguments are next summarized:
                        
- 
                              The migrateargument is relevant only whenjoinistrue. Otherwise it is ignored. Therefore, if migration is desired, then set bothjoinandmigratetotrue.
- 
                              The keyFilePathandkeyFilePasswordarguments are required whenjoinandmigrateare bothtrue.
- 
                              When the joinandmigratearguments are bothtrue, then ifskipistrue, then the migration of incompatible artifacts with the target store is skipped. Ifskipisfalse, then the command terminates when it finds any incompatible artifacts. Skipping is supported for generic credentials only.
The argument descriptions are:
- 
                              domain: specifies the name of the domain where the target store is located.
- 
                              adminin case of an LDAP target, specifies the administrator's user name on the target server. Use the format:cn=usrName.In case of a DB security store, it is required only when the database has a data source protected with user and password. In this case, this argument specifies the user name that was set to protect the data source when the data source was created. That user and password must be present in the bootstrap credential store. If specified, then passwordmust also be specified.
- 
                              passwordspecifies the password associated with the user specified inadmin. It is required in case of an LDAP target.In case of a DB security store, it is required only when the database has a protected data source. In this case, it specifies the password associated with the user specified in admin. If specified, thenadminmust also be specified.
- 
                              ldapurlspecifies the URI of the LDAP server. Use the formatldap//host:port, if you are using the default port, orldaps://host:port, if you are using an anonymous Secure Sockets Layer (SSL) or one-way SSL. The secure port must be configured to handle the desired SSL connection mode, and must be distinct from the default (nonsecure) port.
- 
                              servertypespecifies the kind of the target store. Valid types areOID,DB_ORACLE.
- 
                              jpsrootspecifies the root node in the target LDAP repository under which all data is migrated. The format iscn=nodeName.
- 
                              joinspecifies whether the target store is a store in some other domain. Optional. Set totrueto share a target store in some other domain. Set tofalseotherwise. If unspecified, it defaults tofalse. The use of this argument allows multiple WebLogic Server domains to point to the same security store, but note that:- 
                                    Joining to a security store is supported only when you create a new domain. 
- 
                                    Merging two distinct security stores in two domains is not supported. 
- 
                                    If joinistrue, then you must export the OPSS encryption keys from one domain and import them into the other domain.
 Note: To export and import encryption keys use the following procedure. For an alternate procedure, see keyFilePathargument.Assume that Domain1 has a security store and Domain2 has reassociated to Domain1's security store with joinset totrue. Then:- 
                                       Use the exportEncryptionKeyWLST command to extract the key from Domain1 into theewallet.p12file. The value of thekeyFilePasswordargument passed must be used later when you import that key into the second domain.
- 
                                       Use the importEncryptionKeyWLST command to import the extractedewallet.p12file into Domain2. The value of thekeyFilePasswordargument must be identical to the one used when theewallet.p12file was generated.
- 
                                       Restart Domain2's server. 
 For information about the export and import commands, see exportEncrytionKey and importEncryptionKey in WLST Command Reference for Infrastructure Security. 
- 
                                    
- 
                              migrateis meaningful only ifjoinistrue, otherwise ignored. Specifies whether the data in the source store should be appended to the joined store. Set totrueto append source data to the target store. Set tofalseto join to the target store without any appending source data. Optional. If unspecified, then it defaults tofalse.
- 
                              skipis meaningful only if bothjoinandmigratearetrue, otherwise it is ignored. Specifies whether to skip the migration of incompatible artifacts. Set totrueto skip appending incompatible artifacts to the target store and not to terminate the command. Set tofalseto terminate the command upon encountering an incompatible artifact in the source store. Optional. If unspecified, it defaults tofalse.
- 
                              datasourcenamespecifies the Java Naming and Directory Interface (JNDI) name of the Java Database Connectivity (JDBC) data source. The value should be identical to the value of the JNDI name data source entered when the data source was created.
- 
                              keyFilePathspecifies the directory where theewallet.p12file for the target domain is located. The content of this file is encrypted and secured by the value passed tokeyFilePassword. It is required only ifjoinistrue.If joinistrue, then the encryption keys must be exported from one domain and imported in the other. These tasks are carried out automatically when you use thekeyFilePathandkeyFilePasswordarguments.Assume that Domain1 has a security store and Domain2 reassociates to Domain1 security store with joinset totrueand key file arguments. Then first run thereassociateSecurityStoreWLST command with the appropriate argument values, and then restart Domain2's server. For an alternate procedure to export and import encryption keys, see Note in the description ofjoinargument.
- 
                              keyFilePasswordspecifies the password to secure theewallet.p12file. Required only ifjoinistrue.
- 
                              jdbcurlspecifies the JDBC URL used by a Java SE application to connect to the database. Applies only to Java SE applications. Required. Must be used with thejdbcdriver,dbUser, anddbPassword. arguments.
- 
                              jdbcdriverspecifies the class of the JDBC driver used to connect to the database. Required. Must be used with thejdbcurlargument.
- 
                              dbUserspecifies the database user (in the credential store) to add to the bootstrap credentials. Required. Must be used with thejdbcurlargument.
- 
                              dbPasswordspecifies the password of the user specified bydbUser. Required. Must be used with thejdbcurlargument.
- 
                              odbcdsnspecifies the Open Database Connectivity (ODBC) data source name used by the C Credential Store Framework API. Applies only to C programs.
Reassociation Examples
The following example illustrates how to reassociate to a DB security store:
reassociateSecurityStore(domain="targetDomain", servertype="DB_ORACLE", jpsroot="cn=jpsroot", datasourcename="jdbc/opssds", jdbcurl="jdbc:oracle:thin:@myhost.oracle.com:5555:testdb", dbUser="test_opss", dbPassword="mypass", jdbcdriver="oracle.jdbc.xa.client.OracleXADataSource")
To share the security store in otherDomain without migrating the contents of the source security store:
                        
reassociateSecurityStore(domain="otherDomain", servertype="DB_ORACLE", jpsroot="cn=jpsroot", datasourcename="jdbc/opssds", jdbcurl="jdbc:oracle:thin:@myhost.oracle.com:5555:testdb",dbUser="test_opss", dbPassword="mypass", jdbcdriver="oracle.jdbc.xa.client.OracleXADataSource", join="true", keyFilePath="/tmp/myFileDirectory", keyFilePassword="password")
To share the security store in otherDomain and to migrate the contents of the source security store to the target DB security store skipping over incompatible artifacts:
                        
reassociateSecurityStore(domain="otherDomain", servertype="DB_ORACLE", jpsroot="cn=jpsroot", datasourcename="jdbc/opssds", jdbcurl="jdbc:oracle:thin:@myhost.oracle.com:5555:testdb",dbUser="test_opss", dbPassword="mypass", jdbcdriver="oracle.jdbc.xa.client.OracleXADataSource", join="true", migrate="true", skip="true", keyFilePath="/tmp/myFileDirectory", keyFilePassword="password")
Parent topic: Managing Policies with WLST
Refreshing the Policy Cache
This topic applies to LDAP and DB security stores only. In case of a file store, the cache is updated after a few seconds.
OPSS optimizes the authorization process by caching security artifacts. When a security artifact is modified, the change becomes effective at different times depending on where the tool used to modified the artifact and the application are running:
- 
                           If both the application and the tool are running on the same host and in the same domain, then the change becomes effective immediately. 
- 
                           Otherwise, if the application and the tool are running on different hosts or in different domains, then the change becomes effective after the store cache is refreshed. The frequency of the cache refresh is determined by the value of the oracle.security.jps.ldap.policystore.refresh.intervalproperty. The default value is 10 minutes.Within a domain, any changes introduced with WLST or Fusion Middleware Control are first accounted on the Administration Server only. Those changes are pushed to all Managed Servers in the domain only when the server is restarted. 
Authorization Scenarios Using Policy Refreshing
The following use case illustrates the authorization behavior in scenarios when (from a different domain or host) OES is used to modify security data, and the property oracle.security.jps.ldap.policystore.refresh.interval is set to 10 minutes.
                        
This case assumes that:
- 
                              A user is member of an enterprise role. 
- 
                              That enterprise role is included as a member of an application role. 
- 
                              The application role is granted a permission that governs some application functionality. 
Consider a scenario where:
- 
                              A user logs in to the application. 
- 
                              The user accesses the functionality secured by the application role. 
- 
                              From another host (or domain), the enterprise role is removed from the application role. 
Then consider the following actions and outcomes:
- 
                              The user logs out from the application, and immediately logs back in. The user can still access the functionality secured by the application role, because the policy cache has not yet been refreshed with the change introduced in step 3. 
- 
                              The user logs out from the application, and logs back in after 10 minutes. The user is not able to access the functionality secured by the application role, because the policy cache has been refreshed with the change introduced in step 3. 
- 
                              The user does not log out and remains able to access the functionality secured by the application role for 10 minutes, because the policy cache has not yet been refreshed with the change introduced in step 3. 
- 
                              The user does not log out, waits more than 10 minutes, and then attempts to access the functionality secured by the application role: the access is denied, because the policy cache has been refreshed with the change introduced in step 3. 
Parent topic: Refreshing the Policy Cache
Principals and Roles in WLST Commands
Several commands require that you specify the principal name and class for a role involved in the operation, such as the following which adds a principal to the myAppRole role in the myApp application stripe:
                     
grantAppRole.py -appStripe myApp 
                -appRoleName myAppRole 
                -principalClass myPrincipalClass 
                -principalName myPrincipal
When the principal refers to the authenticated role or the anonymous role, the principal names and principal classes are fixed and must be one of the following name-class pairs:
- 
                           Authenticated role - 
                                 authenticated-role
- 
                                 oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl
 
- 
                                 
- 
                           Anonymous role - 
                                 anonymous-role
- 
                                 oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl
 
- 
                                 
The following WLST commands require principal name and class specification:
- 
                           grantAppRole
- 
                           revokeAppRole
- 
                           grantPermission
- 
                           revokePermission
- 
                           listPermissions
Parent topic: Managing Policies
Application Stripe in WLST Commands
Several commands require that you specify an application stripe. If the application does not have a version, then the application stripe defaults to the application name. Otherwise, if the application has a version, then the application name and the application stripe are not identical.
For example, the name of the myApp application with version 1 is  myApp(v1.0), but the application stripe name is myApp#v1.0. More generally, an application with name appName(vers) gets assigned the application stripe appName#vers. Pass a string with this last pattern as the application stripe name:
                     
>listAppRoles myApp#v1.0
The following WLST commands require stripe specification:
- 
                           createAppRole
- 
                           deleteAppRole
- 
                           grantAppRole
- 
                           revokeAppRole
- 
                           listAppRoles
- 
                           listAppRoleMembers
- 
                           grantPermission
- 
                           revokePermission
- 
                           listPermissions
- 
                           deleteAppPolicies
Parent topic: Managing Policies
Managing Application Policies with OES
OES allows you to manage and search application policies and other security data in a WebLogic Server domain.
For information about managing policies with OES, see the following topics in Administering Oracle Entitlements Server:
Parent topic: Managing Policies