Contents
List of Examples
List of Figures
List of Tables
Title and Copyright Information
Preface
Audience
Documentation Accessibility
Related Documentation
Conventions
What's New in This Guide
Changes in This Document for Release 12.2.1.3.0
Changes in This Document for Release 12.2.1.2.0
Changes in This Document for Release 12.2.1.1.0
New Features in Release 12.2.1.0.0
Part I Understanding Security Concepts
1
Introduction to Oracle Platform Security Services
What Is OPSS?
OPSS Main Features
OPSS Architecture Overview
Benefits of Using OPSS
OPSS for Developers
About Java EE Application Security
About Java SE Application Security
ADF Security Overview
Oracle ADF Application Security
2
Understanding Users and Roles
Terminology
Role Mapping
Permission Inheritance and the Role Hierarchy
Role Hierarchy Example
About the Role Category
About the Authenticated Role
About the Anonymous User and Role
About Administrative Users and Roles
Managing User Accounts
3
Understanding Identities, Policies, Credentials, Keys, Certificates, and Audit
Authentication Basics
WebLogic Server Authentication Providers
Support for Multiple Authentication Providers
Additional Authentication Methods
Identity Store Types and WebLogic Server Authentication Providers
Policies Basics
Credentials Basics
Keys and Certificates Basics
Audit Basics
4
About the Security Store
Supported File, LDAP, and Database Stores
Packaging Requirements
FIPS Support in OPSS
Part II Basic OPSS Administration
5
Security Administration
OPSS Administration: Main Steps
Security Management Tools
Security Practices with Fusion Middleware Control
Security Practices with WebLogic Server Administration Console
Security Practices with WLST
Security Practices with OES
6
Deploying Secure Applications
Developing Oracle ADF Applications
Choosing the Tool for Deployment
Deploying Secure Applications with Fusion Middleware Control
Migrating Application Policies at Deployment
Migrating Application Credentials at Deployment
Deploying Oracle ADF Applications to a New Environment
Deploying to a Test Environment
Typical Administrative Tasks After Deployment
Deploying Standard Java EE Applications
Deploying Audit-Aware Applications
Migrating from a Test to a Production Environment
Migrating Identities
Migrating Identities with migrateSecurityStore
Migrating Policies and Credentials
Migrating Policies with migrateSecurityStore
Examples for Migrating Policies with migrateSecurityStore
Migrating Credentials with migrateSecurityStore
Examples for Migrating Credentials with migrateSecurityStore
Migrating Audit Data
Migrating Keys and Certificates with migrateSecurityStore
Migrating Keys and Certificates in the Same Domain
Examples for Migrating Keys and Certificates in the Same Domain
Migrating Keys and Certificates across Different Domains
Part III OPSS Services
7
Life Cycle of Security Artifacts
How Security Artifacts Are Seeded
About Fusion Middleware Domains
Creating Fusion Middleware Domains
Using a New Database Instance
Sharing a Database Instance
Layered Component Security Artifacts
Backing Up and Recovering the Security Store
Configuration Files for Backup
Backing Up and Recovering a Database-Based Security Store
Backing Up and Recovering LDAP Security Stores
Recommendations
8
Configuring the Identity Store
About the Identity Store
Configuring the Identity Store Provider
Configuring the Identity Store
Identity Store Parameters
Query Parameters
Global Connection Parameters
Back-End Connection Parameters
Understanding the Service Configuration
Configuring the Service for a Single LDAP
Configuring the Service for Multiple LDAPs without Virtualization
Configuring the Service for Multiple LDAPs with Fusion Middleware Control
Configuring the Service with WLST
Configuring the Timeout Setting with WLST
Configuring Other Parameters
Restarting Servers
Configuring Single and Multiple LDAPs
Configuring Split Profiles
Configuring Custom Authentication Providers
Configuring Virtualization in Java SE Applications
Querying the Identity Store Programmatically
Configuring SSL for the Identity Store
9
Configuring the Security Store
About the Security Store
Environments with Multiple Servers
Using an LDAP Security Store
Prerequisites to Using the LDAP Security Store
Resetting the LDAP User Password
Using a Database-Based Security Store
Prerequisites to Using the Database Security Store
Maintaining a Database Security Store
Resetting the OPSS Schema Password
Setting Up an SSL Connection to the Database Security Store
Reassociating the Security Store
Reassociating the Security Store with Fusion Middleware Control
Securing Access to LDAP Nodes
Reassociating the Security Store with reassociateSecurityStore
Migrating the Security Store
Migrating the Security Store with Fusion Middleware Control
Migrating the Security Store with migrateSecurityStore
Migrating All Policies with migrateSecurityStore
Migrating System Policies with migrateSecurityStore
Migrating Application Policies with migrateSecurityStore
Migrating All Credentials with migrateSecurityStore in the Same Domain
Migrating One Credential Map with migrateSecurityStore in the Same Domain
Migrating All Credentials with migrateSecurityStore Across Domains
Migrating One Credential Map with migrateSecurityStore Across Domains
Migrating Audit Data with migrateSecurityStore
migrateSecurityStore Usage Examples
Configuring Security Providers with Fusion Middleware Control
10
Managing Policies
Determining the Security Store Characteristics
Managing the Policy Store
Managing Policies with Fusion Middleware Control
Managing Application Policies
Managing Application Roles
Managing System Policies
Managing Policies with WLST
reassociateSecurityStore
Refreshing the Policy Cache
Authorization Scenarios Using Policy Refreshing
Principals and Roles in WLST Commands
Application Stripe in WLST Commands
Managing Application Policies with OES
11
Managing Credentials
Credential Types
Encrypting Credentials
Managing Credentials with Fusion Middleware Control
Managing Credentials with WLST
12
Managing Keys and Certificates
About the Keystore Service
Structure of the Keystore Service
Types of Keystores
The Truststore
About Keystore Service Commands
Getting Help for Keystore Service Commands
Keystore Service Command Reference
Managing Keystores with Fusion Middleware Control
Managing Keystores with WLST
About Certificates
Managing Certificates with Fusion Middleware Control
Managing Certificates with WLST
Replacing Demonstration CA Signed Certificates
Replacing Demo CA Certificates With Domain CA Signed Certificates
Replacing Demo CA Certificates With Third-Party CA Signed Certificates
Replacing the Demo CA Trust Service Certificate
Setting Up a Security Hardened Domain: An Example
How Fusion Middleware Components Use the Keystore Service
Synchronizing the Local Keystore with the Security Store
syncKeyStores Usage
When to Synchronize the Keystores
13
Introduction to Oracle Fusion Middleware Audit Framework
What Are the Audit Objectives?
Audit Terminology
About Auditing with Oracle Fusion Middleware Audit Framework
Overview of Oracle Fusion Middleware Audit Framework
About Components and Applications
Understanding Audit
The Audit Model
About the Audit Store
How Audit Data Is Stored
About the Oracle Fusion Middleware Audit Framework
Audit Setup: Main Steps
Understanding the Runtime Audit Event Flow
About Audit Attributes, Events, and Event Categories
Audit Attribute Groups
About Generic Attribute Groups
About Custom Attribute Groups
About Audit Attribute Data Types
Audit Events and Event Categories
About System Categories and Events
About Component and Application Categories
Audit Artifact Naming Requirements
About Audit Definition Files
About the component_events.xml File
About Mapping and Version Rules
What Are Version Numbers?
About Custom Attribute to Database Column Mappings
14
Managing Audit
Audit Administration Tasks
Managing the Audit Store
About Audit Data Sources
Managing Bus-Stop Files
Configuring Standalone Audit Loader
Configuring the Environment
Running Standalone Audit Loader
Managing Audit Policies
Managing Audit Policies with Fusion Middleware Control
Managing Audit Policies with WLST
Viewing Audit Policies with WLST Commands
Updating Audit Policies with WLST Commands
Configuring Audit Policies Example
Configuring Audit Events Example
What Happens to Custom Configuration when the Audit Level Changes?
Managing Audit Policies Programmatically
Understanding Audit Time Stamps
About Audit Logs and Bus-stop Files
Audit Database Administration
Overview of the Audit Schema
Base and Component Table Attributes
Tuning Performance
Planning Backup and Recovery
Importing and Exporting Data
Purging Data
Partitioning
Performing Tiered Archival
Creating Indexes on Custom Table Attributes Using Materialized Views
Best Practices for Audit Event Definitions
Guidelines for Naming Events
Differentiating Events
Event Categorization
Use of Generic Attributes
Use of Component Attributes
Guidelines for Linking Across Components
Updating Event Definitions
15
Using Audit Analysis and Reporting
About Audit Reporting
Audit Reporting with the Dynamic Metadata Model
Audit Views Created at Registration
Manually Created Audit Views
Part IV Developing with OPSS APIs
16
Integrating Application Security with OPSS
About Security Challenges
Security Integration Use Cases
Authentication
Java EE Application Requiring Authenticated Users
Java EE Application Requiring Programmatic Authentication
Java SE Application Requiring Authentication
Identities
Application Running in Two Environments
Application Accessing User Profiles in Multiple Stores
Authorization
Java EE Application Accessible by Specific Roles
Oracle ADF Application Requiring Fine-Grained Authorization
Application Securing Web Services
Java EE Application Requiring Codesource Permissions
Non-Oracle ADF Application Requiring Fine-Grained Authorization
Credentials
Application Requiring Credentials to Access System
Audit
Auditing Security-Related Activity
Auditing Business-Related Activity
Identity Propagation
Propagating the Executing User Identity
Propagating a User Identity
Propagating Identities Across Domains
Propagating Identities over HTTP
Administration and Management
Application Requiring a Centralized Store
Application Requiring a Custom Management Tool
Application Running in a Multiple Server Environment
Integration
The OPSS Trust Service
Propagating Identities over HTTP
Propagating Identities with the OPSS Trust Service
Propagating Identities Across Multiple WebLogic Server Domains
Token Generation on the Client-Side Domain
Server-Side or Token Validation Domain
Propagating Identities Across Containers in a Single WebLogic Server Domain
Trust Provider Properties
Implementing a Custom Graphical User Interface
Imports Assumed
Query Identity Store Example
Create Role Example
Query Roles Example
Map Roles Example
Get Roles that Contain a User Example
Delete Role Mapping Example
Securing Oracle ADF Applications
Development Phase
Deployment Phase
Administration Phase
Summary of Tasks per Participant per Phase
Code and Configuration Examples
Programming Examples
Configuration Examples
Propagating Identities with JKS
Single Domain Scenario
Create the Client Application
Configure the Keystore
Configure Maps and Keys
Configure a Grant
Create the Java Servlet
Configure web.xml
Configure the Asserter
Update Trust Parameters
Multiple Domain Scenario
Domains Using Both Protocols
Single Domain Scenario
Multiple Domain Scenario
17
The Security Model
About the OPSS Authorization and Policy Models
Authorization Models
The Java EE Authorization Model
Declarative Authorization
Programmatic Authorization
Java EE Application Example
The JAAS Authorization Model
The JAAS/OPSS Authorization Model
The Resource Catalog
Managing Policies
Checking Policies Programmatically
Using checkPermission
Using doAs and doAsPrivileged
Using checkBulkAuthorization
Using getGrantedResources
The Class ResourcePermission
18
Developing with the Credential Store Framework
About the Credential Store Framework API
Guidelines for Using the Credential Store Framework API
About Map and Key Names
Provisioning Access Permissions
Permission to Access a Key Example
Permission to Access a Map Example
Using the Credential Store Framework API
Using the Credential Store Framework API in Java SE Applications
Using the Credential Store Framework API in Java EE Applications
Credential Store Framework API Examples
Credential Store Framework Operations Example
Java SE Application with File Credentials Example
Java EE Application with File Credentials Example
Java EE Application with LDAP Store Example
Java EE Application with DB Store Example
19
Developing with the User and Role API
About the User and Role API
Authentication Providers and the User and Role API
Working with Service Providers
Setting Up the Environment
Choosing the Provider Repository
Creating the Provider Instance
Configuring the Provider Start-Time and Runtime Properties
Configuring Start-Time and Runtime Properties
Enabling Execution Context ID
Configuring the Provider when Creating a Factory Instance
Configuring Common Properties
Configuring Constants, Number of Connections, and Pool Connection
Configuring the Provider when Creating a Store Instance
Configuring the Provider at Runtime
Programming Guidelines
Switching Providers
Using Identity Store Objects
The Provider's Lifetime
Searching the Identity Store
Searching for a Specific Identity
Searching for Multiple Identities
Using Search Filters
Filter Operators
Filter for Logged-In User and Role
Filters Examples
Creating and Modifying Entries in the Identity Store
Creating Identities and Roles
Modifying an Identity
Deleting an Identity
User and Role API Examples
Searching Users Example
Managing Users Example
Configuring SSL for LDAP Providers
Setting Up SSL to Providers
Customizing SSL to Providers
20
Developing with the Identity Governance Framework
About the Identity Governance Framework
Identity Directory API Overview
About the Identity Directory API Configuration
Using the Identity Directory API
Initializing and Obtaining the Identity Directory Handle
Creating and Deleting a User
Obtaining and Modifying a User
Simple and Complex User Search
Creating and Deleting a Group
Obtaining a Group
Group Search Filter
Adding and Deleting a Member to a Group
Configuring SSL Using the Identity Directory API
21
Developing with the Keystore Service
About the Keystore Service API
Setting Policy Permissions
Permission for a Keystore Example
Permission for a Map Example
Permission for a Key Alias Example
Using the Keystore Service API in Java EE Applications
Using the Keystore Service API in Java SE Applications
Keystore Service API Examples
Keystore Service Management Example
Reading Keys at Runtime Example
Getting a Handle to the Keystore
Accessing Keystore Artifacts - Method 1
Accessing Keystore Artifacts - Method 2
22
Developing with Oracle Fusion Middleware Audit Framework
Integrating Applications with the Oracle Fusion Middleware Audit Framework
Creating Audit Definition Files
The component-events.xml File
Translation Files
Registering the Application with the Audit Service
Performing Declarative Audit Registration
Application Audit Registration
Custom Audit Registration
Programmatic Registration
Registering the Application with Audit Using WLST
Using Domain Extension Templates for Audit Artifacts
Managing Audit Policies Programmatically
Querying Audit Data
Viewing and Setting Audit Policies
Logging Audit Events Programmatically
Oracle Fusion Middleware Audit Framework Interfaces
Setting System Grants
Obtaining the Auditor Instance
Updating and Maintaining Audit Definitions
23
Configuring Java EE Applications to Use OPSS
About Authentication in Java EE Applications
Developing Authentication in Java EE Applications
Configuring the Filter and the Interceptor
Setting the Application Stripe
Setting Application Role Support
Setting the Anonymous User and Role
Setting Authenticated Role Support
Setting JAAS Mode
Interceptor Configuration Requirements
Summary of Filter and Interceptor Parameters
Choosing the Appropriate Class for Enterprise Groups and Users
Packaging a Java EE Application Manually
Packaging Policies with the Application
Packaging Credentials with the Application
Configuring Java EE Applications to Use OPSS
Controlling Policy Migration
jps.policystore.migration
jps.policystore.applicationid
jps.apppolicy.idstoreartifact.migration
jps.policystore.removal
jps.policystore.migration.validate.principal
JpsApplicationLifecycleListener
Configuring Policy Migration According to Behavior
Recommendations
Skipping Migrating Policies
Migrating Merging Policies
Migrating Overwriting Policies
Removing or Not Removing Policies
Migrating Policies in a Static Deployment
Using File Credential Stores
Controlling Credential Migration
jps.credstore.migration
Configuring Credential Migration According to Behavior
Skipping Migrating Credentials
Migrating Merging Credentials
Migrating Overwriting Credentials
Using Supported Permission Classes
Security Store Permission Class
Credential Store Permission Class
Generic Permission Class
Specifying Bootstrap Credentials Manually
24
Configuring Java SE Applications to Use OPSS
Using OPSS in Java SE Applications
The JpsStartup Class
JpsStartup.start States
JpsStartup Constructor
JpsStartup runtime Options
OPSS Starting Examples
Implementing Security Services in Java SE Applications
Authentication in Java SE Applications
Configuring the LDAP Identity Store in Java SE Applications
Using Login Modules in Java Applications
The User Authentication Login Module
The User Assertion Login Module
The Identity Store Login Module
The Asserted User
Using the Login Modules in Java SE Applications
Authorization in Java SE Applications
Configuring Policy and Credential File Stores
Configuring Policy and Credential LDAP Stores
Configuring Database-Based Security Stores
File Store Unsupported Methods
Audit in Java SE Applications
About Audit in Java SE Applications
Configuring the Audit Bus-Stop Directory
Configuring Audit Loaders
Common Audit Scenarios in Java SE Applications
Configuring Audit with a Collocated WebLogic Server
Configuring Audit Without a Collocated WebLogic Server
Part V Reference
A
OPSS Configuration File Reference
First and Second Hierarchy Levels
Third and Lower Hierarchy Levels
<description>
<extendedProperty>
<extendedPropertySet>
<extendedPropertySetRef>
<extendedPropertySets>
<jpsConfig>
<jpsContext>
<jpsContexts>
<name>
<property>
<propertySet>
<propertySetRef>
<propertySets>
<serviceInstance>
<serviceInstanceRef>
<serviceInstances>
<serviceProvider>
<serviceProviders>
<value>
<values>
B
File Store References
File Store Hierarchy
File Store Elements and Attributes
<actions>
<actions-delimiter>
<app-role>
<app-roles>
<application>
<applications>
<attribute>
<class>
<codesource>
<credentials>
<description>
<display-name>
<extended-attributes>
<grant>
<grantee>
<guid>
<jazn-data>
<jazn-policy>
<jazn-realm>
<matcher-class>
<member>
<member-resource>
<member-resources>
<members>
<name>
<owner>
<owners>
<permission>
<permissions>
<permission-set>
<permission-sets>
<policy-store>
<principal>
<principals>
<provider-name>
<realm>
<resource>
<resources>
<resource-name>
<resource-type>
<resource-types>
<role>
<role-categories>
<role-category>
<role-name-ref>
<roles>
<type>
<type-name-ref>
<uniquename>
<url>
<user>
<users>
<value>
<values>
C
Oracle Fusion Middleware Audit Framework Reference
Audit Events
What Components Can Be Audited?
System Categories and Events
OPSS Event Attributes
The Audit Schema
Audit Filter Expression Syntax
Naming and Logging Audit Files
D
User and Role API Reference
Mapping User Attributes to LDAP Directories
Mapping Role Attributes to LDAP Directories
Default Configuration Parameters
E
Administration with Scripts and MBeans
Configuring Services with Scripts
Configuring Services with MBeans
Supported OPSS MBeans
Using OPSS MBeans
Programming with OPSS MBeans
Restricting Access to MBeans
Annotation Examples
Mapping Logical Roles to Enterprise Groups
Particular Access Restrictions
F
OPSS System and Configuration Properties
OPSS System Properties
OPSS Configuration Properties
Properties Common to OPSS Services
Policy Store Service Properties
Policy Store Service Configuration
Runtime Policy Configuration
Credential Service Properties
LDAP Identity Properties
Properties Common to All LDAP Servers
Trust Service Properties
Audit Service Properties
Keystore Service Properties
Anonymous and Authenticated Roles Properties
G
OPSS API References
OPSS API References
H
Using an OpenLDAP Identity Store
Using an OpenLDAP Identity Store
I
Configuring Adapters for Identity Virtualization
About Split Profiles
Configuring Split Profiles
Implementing Split Profiles
Logging Identity Virtualization Library
J
Troubleshooting OPSS
The OPSS Diagnostic Framework
Diagnosing Security Errors
About OPSS Loggers
About Diagnostic Log Files
Offline WLST Loggers
Loggers by Service
Logging Authorization
Logging Audit
Logging the User and Role API
Logging Other Components
System Properties
Understanding Log Entries
Troubleshooting Reassociation and Migration
Reassociation Failure
Unsupported Schema
Missing Policies in Reassociated Security Store
Migration Failure
Troubleshooting Server Startup
Missing Required LDAP Authentication Provider
Missing Administrator Account
Missing Permission
Server Fails to Start
Other Server Start Issues
Permission Failure Before Server Starts
Troubleshooting Permissions
Troubleshooting System Policy Failures
Failure to Get Permissions - Case Mismatch
Authorization Check Failure
User Gets Unexpected Permissions
Granting Permissions in Java SE Applications
Application Policies Not Seen in 12c High Availability (HA) Domain
Troubleshooting Connections and Access
Database Connection Exception
Other Database Exceptions
JNDI Connection Exception
Failure to Connect to the Embedded LDAP Server
Failure to Connect to LDAP Server
Failure to Access Data in the Credential Store
Security Access Control Exception
Failure to Establish an Anonymous SSL Connection
Oracle Business Intelligence Publisher Time Zone
Troubleshooting Searching
Search Failure When Matching Attribute in Security Store
Search Failure with an Unknown Host Exception
Troubleshooting Versions
Incompatible Versions of Binaries and Security Store
Incompatible Versions of Security Stores
Troubleshooting Other Errors
Runtime Permission Check Failure
Tablespace Needs Resizing
Oracle Internet Directory Exception
User and Role API Failure
Characters in Policies
Special Characters in Oracle Internet Directory 10.1.4.3
Characters in File Security Stores
Characters in Application Role Names
Missing Newline Characters in File Store
Invalid Key Size
Need Further Help?