6 Security Administration

This chapter introduces the tools available to an administrator and the typical tasks to manage application security; it is divided into the following sections:

Choosing the Administration Tool According to Technology
Basic Security Administration Tasks
Typical Security Practices with Fusion Middleware Control
Typical Security Practices with the Administration Console
Typical Security Practices with WLST Commands

For advanced administrator tasks, see Appendix E, "Administration with WLST Scripting and MBean Programming."

6.1 Choosing the Administration Tool According to Technology

The three basic tools available to a security administrator are Oracle Enterprise Manager Fusion Middleware Control, the Oracle WebLogic Administration Console, and the Oracle WebLogic Scripting Tool (WLST). For further details on these and other tools, see chapter 3, Getting Started Managing Oracle Fusion Middleware in Oracle Fusion Middleware Administrator's Guide.

The main criterion that determines the tool to use to administer an application is whether the application uses just container-managed security (JavaEE application) or it includes Oracle ADF security (Oracle ADF application).

Oracle-specific applications, such as Oracle Application Development Framework (Oracle ADF) applications, Oracle Server-Oriented Architecture (SOA) applications, and Web Center applications, are deployed, secured, and maintained with Fusion Middleware Control.

Other applications, such as those developed by third parties, JavaSE, and JavaEE applications, are typically deployed, secured, and administered with Oracle WebLogic Administration Console or with WLST.

The recommended tool to develop applications is Oracle JDeveloper 11g. This tool helps the developer configure file-based identity, policy, and credential stores through specialized editors and UI gadgets. In particular, when developing Oracle ADF applications, the developer can run a wizard to configure security for web pages associated with Oracle ADF resources (such as Oracle ADF task flows and page definitions), and define security artifacts using a specialized, visual editor for the file jazn-data.xml.

For details about procedures and related topics, see the following sections in the Oracle JDeveloper online help documentation:

Securing a Web Application Using Oracle ADF Security
Securing a Web Application Using Java EE Security
About Oracle ADF Security as an Alternative to Security Constraints
About Securing Web Applications

For further details about Oracle ADF Security and its integration with Oracle JDeveloper, see Accessing the Oracle ADF Security Design Time Tools, in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.

6.2 Basic Security Administration Tasks

Table 6-1 lists some basic security tasks and the tool(s) used to execute them. Recall that the tool chosen to configure and manage application security depends on the type of the application: for JavaEE applications, which use just container-managed security, use the Oracle WebLogic Administration Console; for Oracle ADF applications, which use fine-grained authorization, use Fusion Middleware Control.

Manual settings without the aid of the tools listed below are not recommended. For information about using the Oracle WebLogic Administration Console to perform the tasks marked with an X, see list of links following the table.

Table 6-1 Basic Administrative Security Tasks

Task	Use Fusion Middleware Control Security Menu	Use Oracle WebLogic Administration Console
Configure WebLogic Domains		X
Configure WebLogic Security Realms		X
Manage WebLogic Domain Authenticators		X
Enable SSO for MS clients, Web Browsers, and HTTP clients.		X
Manage Domain Administrative Accounts		X
Manage Credentials for Oracle ADF Application	Credentials
Enable anonymous role in Oracle ADF Application	Security Provider Configuration
Enable authenticated role in Oracle ADF Application	Security Provider Configuration
Enable JAAS in Oracle ADF Application	Security Provider Configuration
Map application to enterprise groups for Oracle ADF Application	Application Roles or Application Policies
Manage systemwide policies for Oracle ADF Applications	System Policies
Configure OPSS Properties	Security Provider Configuration
Reassociate Domain Policy and Credential Stores	Security Provider Configuration

Details about using the Oracle WebLogic Administration Console for the tasks above are found in the following documents:

For general use of the Administration Console, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
To configure WebLogic domains, see Oracle Fusion Middleware Understanding Domain Configuration for Oracle WebLogic Server.
To configure WebLogic security realms, see section Creating and Configuring a New Security Realm: Main Steps in Oracle Fusion Middleware Securing Oracle WebLogic Server.
To manage WebLogic domain authenticators, see chapter 5 in Oracle Fusion Middleware Securing Oracle WebLogic Server.
To configure SSO with MS clients, see chapter 6 in Oracle Fusion Middleware Securing Oracle WebLogic Server.
To manage domain administrative accounts, see chapter 6 in Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server.

Note:

OPSS does not support automatic backup or cloning of server files. It is recommended that the server administrator periodically back up all server configuration files, as appropriate, using third-party tools.

6.2.1 Setting Up a Brand New Production Environment

A new production environment based on an existing environment can be set up in either of the following ways:

Replicating an established environment using Oracle Cloning utilities. For details, see section 17.5, Cloning a Middleware Home or an Oracle Home, in Oracle Fusion Middleware Administrator's Guide.
Reinstalling software and configuring the environment, as it was done to set up the established environment.

6.3 Typical Security Practices with Fusion Middleware Control

Fusion Middleware Control is a Web-based tool that allows the administration of a network of applications from a single point. Fusion Middleware Control is used to deploy, configure, monitor, diagnose, and audit Oracle SOA applications, Oracle ADF applications, Oracle WebCenter, and other Oracle applications using OPSS. Note that this section mentions only security-related operations.

In regards to security, it provides several administration tasks; using this tool, an administrator can:

Post-installation and before deploying applications, reassociate the policy and credential stores; for details, see Section 8.2.1, "Reassociating Domain Stores with Fusion Middleware Control."
Post-installation and before deploying applications, define OPSS properties. For details, see Section 8.5, "Configuring Other Artifacts with Oracle Fusion Middleware Control."
At deploy time, configure the automatic migration of file-based application policies and credentials to LDAP-based domain policies and credentials.

For details see:
For each application after it is deployed:
- Manage application policies. For details, see Section 8.4.1.1, "Managing Application Policies."
- Manage credentials; for details, see Section 9.5.1, "Managing Credentials with Fusion Middleware Control."
- Specify the mapping from application roles to users, groups, and application roles. For details, see Section 8.4.1.2, "Managing Application Roles."
For the domain, manage system policies; for details see Section 8.4.1.3, "Managing System Policies."
For the domain, manage OPSS properties; for details see Section 8.5, "Configuring Other Artifacts with Oracle Fusion Middleware Control."

For a summary of security administrative tasks and the tools used to execute them, see Basic Security Administration Tasks.

For further details about other functions, see the Fusion Middleware Control online help documentation.

6.4 Typical Security Practices with the Administration Console

This section addresses security-related operations and some basic administrative operations.

The Oracle WebLogic Administration Console is a Web-based tool that allows, among other functions, application deployment and redeployment, domain configuration, and monitoring of application status. Note that this section mentions only security-related operations.

Typical operations tasks performed with the Oracle WebLogic Administration Console include the following:

Starting and stopping Oracle WebLogic Servers; for details see section Starting and Stopping Servers in Oracle Fusion Middleware Managing Server Startup and Shutdown for Oracle WebLogic Server.
Configuring Oracle WebLogic Servers and Domains; for details see section Configuring Existing Domains in Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Deploying applications; for details, see Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.
Configuring fail over support; for details see section Failover and Replication in a Cluster in Oracle Fusion Middleware Using Clusters for Oracle WebLogic Server.
Configuring WebLogic domains and WebLogic realms.
Managing users and groups in domain authenticators.
Enabling the use of Single Sign-On for MS clients, Web browsers, and HTTP clients.
Managing administrative users and administrative policies.

For details about Oracle WebLogic Administration Console, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.

6.5 Typical Security Practices with WLST Commands

WLST is a command-line interface that allows the scripting and automation of administration tasks, including domain configuration and application deployment.

The following is the complete lists of security-related WLST commands documented in this guide. For a complete list of all WLST commands, see Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

Policy-Related Commands

For details on the following commands, see Section 8.4.2, "Managing Policies with WLST Commands."

createAppRole
deleteAppRole
grantAppRole
revokeAppRole
listAppRoles
listAppRolesMembers
grantPermission
revokePermission
listPermissions
deleteAppPolicies

Credential-Related Commands

For details on the following commands, see Section 9.5.2, "Managing Credentials with WLST Commands."

listCred
updateCred
createCred
deleteCred
modifyBootStrapCredential

Other Commands

migrateSecurityStore. For details, see Section 8.3.2, "Migrating Policies with the Command migrateSecurityStore," and Section 9.4.2, "Migrating Credentials with the Command migrateSecurityStore."
reassociateSecurityStore. For details, see Section 8.4.2, "Managing Policies with WLST Commands," and Section 9.5.2, "Managing Credentials with WLST Commands."