Contents

List of Examples

List of Figures

List of Tables

Title and Copyright Information

Preface

• Audience
• Documentation Accessibility
• Related Documentation
• Conventions

What's New in This Guide

• New Features in Release 11gR1 PS1
• New Features in Release 11gR1
• Desupported Features from 10.1.3.x
• Links to Upgrade Documentation

Part I Understanding Security Concepts

1 Overview of Java Security Models

• 1.1 Basic Security Concepts
• 1.2 Java Security Model
  • 1.2.1 Permissions
  • 1.2.2 Protection Domains and Security Policies
  • 1.2.3 Security Managers and Access Controllers
• 1.3 Java Authentication and Authorization Service
  • 1.3.1 Principals and Subjects
  • 1.3.2 Login Modules
  • 1.3.3 Subjects and the Access Control Context
• 1.4 Java EE Security Model
  • 1.4.1 Container-Based Security
  • 1.4.2 The Authentication Model
  • 1.4.3 The Authorization Model
• 1.5 Java Authorization Contract for Containers
• 1.6 Comparing the Java Security Models
  • 1.6.1 Summary of Model Comparison

2 Introduction to Oracle Platform Security Services

• 2.1 What is Oracle Platform Security Services?
  • 2.1.1 OPSS Main Features
• 2.2 OPSS Architecture Overview
  • 2.2.1 Benefits of OPSS
• 2.3 Oracle ADF Security Overview
• 2.4 OPSS for Administrators
• 2.5 OPSS for Developers
  • 2.5.1 Scenario 1: Enhancing Security in a JavaEE Application
  • 2.5.2 Scenario 2: Securing an Oracle ADF Application
  • 2.5.3 Scenario 3: Securing a JavaSE Application

3 Understanding Users and Roles

• 3.1 Terminology
• 3.2 Role Mapping
  • 3.2.1 Permission Inheritance and the Role Hierarchy
• 3.3 The Authenticated Role
• 3.4 The Anonymous User and Role
  • 3.4.1 Anonymous Support and Subject
• 3.5 Administrative Users and Roles
• 3.6 Managing User Accounts
• 3.7 Principal Name Comparison Logic
  • 3.7.1 How Does Principal Comparison Affect Authorization?
  • 3.7.2 System Parameters Controlling Principal Name Comparison

4 Understanding Identities, Policies, and Credentials

• 4.1 Authentication Basics
  • 4.1.1 Oracle WebLogic Authenticators
  • 4.1.2 Additional Authentication Methods
  • 4.1.3 Using an LDAP Authenticator
    • 4.1.3.1 Configuring the Identity Store Service
• 4.2 Policy Store Basics
• 4.3 Credential Store Basics

5 About Oracle Platform Security Services Scenarios

• 5.1 Supported LDAP Servers
• 5.2 Management Tools
• 5.3 Packaging Requirements
• 5.4 Example Scenarios
• 5.5 Other Scenarios

Part II Basic OPSS Administration

6 Security Administration

• 6.1 Choosing the Administration Tool According to Technology
• 6.2 Basic Security Administration Tasks
  • 6.2.1 Setting Up a Brand New Production Environment
• 6.3 Typical Security Practices with Fusion Middleware Control
• 6.4 Typical Security Practices with the Administration Console
• 6.5 Typical Security Practices with WLST Commands

7 Deploying Secure Applications

• 7.1 Overview
• 7.2 Selecting the Tool for Deployment
  • 7.2.1 Deploying JavaEE and Oracle ADF Applications with Fusion Middleware Control
• 7.3 Deploying Oracle ADF Applications to a Test Environment
  • 7.3.1 Deploying to a Test Environment
    • 7.3.1.1 Typical Administrative Tasks after Deployment in a Test Environment
• 7.4 Deploying Standard JavaEE Applications
• 7.5 Migrating from a Test to a Production Environment
  • 7.5.1 Migrating Providers other than Policy and Credential Providers
    • 7.5.1.1 Migrating Identities Manually
  • 7.5.2 Migrating Policies and Credentials at Deployment
    • 7.5.2.1 Migrating Policies Manually
    • 7.5.2.2 Migrating Credentials Manually
    • 7.5.2.3 Migrating Large Volume Policy and Credential Stores
  • 7.5.3 Migrating Audit Policies

Part III Advanced OPSS Administration

8 OPSS Authorization and the Policy Store

• 8.1 Configuring a Domain to Use an LDAP-Based Policy Store
  • 8.1.1 Multiple-Node Server Environments
  • 8.1.2 Prerequisites to Using an LDAP-Based Policy Store
  • 8.1.3 Cataloging Oracle Internet Directory Attributes
• 8.2 Reassociating the Domain Policy Store
  • 8.2.1 Reassociating Domain Stores with Fusion Middleware Control
    • 8.2.1.1 Setting Up a One- Way SSL Connection
    • 8.2.1.2 Securing Access to Oracle Internet Directory Nodes
  • 8.2.2 Reassociating Domain Stores with the Command reassociateSecurityStore
• 8.3 Migrating Policies to the Domain Policy Store
  • 8.3.1 Migrating Application Policies with Fusion Middleware Control
  • 8.3.2 Migrating Policies with the Command migrateSecurityStore
    • 8.3.2.1 Examples of Use
• 8.4 Managing the Domain Policy Store
  • 8.4.1 Managing Policies with Fusion Middleware Control
    • 8.4.1.1 Managing Application Policies
    • 8.4.1.2 Managing Application Roles
    • 8.4.1.3 Managing System Policies
  • 8.4.2 Managing Policies with WLST Commands
    • 8.4.2.1 createAppRole
    • 8.4.2.2 deleteAppRole
    • 8.4.2.3 grantAppRole
    • 8.4.2.4 revokeAppRole
    • 8.4.2.5 listAppRoles
    • 8.4.2.6 listAppRolesMembers
    • 8.4.2.7 grantPermission
    • 8.4.2.8 revokePermission
    • 8.4.2.9 listPermissions
    • 8.4.2.10 deleteAppPolicies
    • 8.4.2.11 reassociateSecurityStore
    • 8.4.2.12 Granting Policies to Anonymous and Authenticated Roles with WLST Commands
    • 8.4.2.13 Application Stripe for Versioned Applications in WLST Commands
• 8.5 Configuring Other Artifacts with Oracle Fusion Middleware Control
  • 8.5.1 Configuring the Identity Store Provider
  • 8.5.2 Configuring Properties and Property Sets
  • 8.5.3 Specifying a Single Sign-On Solution
    • 8.5.3.1 The OPSS SSO Framework
    • 8.5.3.2 Configuring an SSO Solution with Fusion Middleware Control
    • 8.5.3.3 OAM Configuration Example
• 8.6 Configuring LDAP-Based Policy Stores
  • 8.6.1 OPSS System Properties for JVM
  • 8.6.2 LDAP Policy Store Property Configuration for Maximum performance
  • 8.6.3 Profiling LDAP Policy Store APIs

9 Configuring the Credential Store

• 9.1 Credential Types
• 9.2 Configuring a Domain to Use an LDAP-Based Credential Store
• 9.3 Reassociating the Domain Credential Store
• 9.4 Migrating Credentials to the Domain Credential Store
  • 9.4.1 Migrating Application Credentials with Fusion Middleware Control
  • 9.4.2 Migrating Credentials with the Command migrateSecurityStore
• 9.5 Managing the Domain Credential Store
  • 9.5.1 Managing Credentials with Fusion Middleware Control
    • 9.5.1.1 Managing Credentials
  • 9.5.2 Managing Credentials with WLST Commands
    • 9.5.2.1 listCred
    • 9.5.2.2 updateCred
    • 9.5.2.3 createCred
    • 9.5.2.4 deleteCred
    • 9.5.2.5 modifyBootStrapCredential

10 Configuring Single Sign-On in Oracle Fusion Middleware

• 10.1 Choosing the Right SSO Solution for Your Deployment
• 10.2 Deploying the Oracle Access Manager Solutions
  • 10.2.1 Scenarios for Applications with the Oracle Access Manager Authentication Provider
    • 10.2.1.1 Applications Using Oracle Access Manager for the First TIme
    • 10.2.1.2 Applications Migrating from Oracle Application Server to Oracle WebLogic Server
    • 10.2.1.3 Applications Using Oracle Access Manager Security Provider for WebLogic SSPI
  • 10.2.2 Uses of the Authentication Provider for Oracle Access Manager
    • 10.2.2.1 Required Components and Files
    • 10.2.2.2 About Using Oracle Access Manager Identity Asserter for Single Sign-on
    • 10.2.2.3 About Using the Oracle Access Manager Authenticator
  • 10.2.3 Installing and Setting Up Required Components for Oracle Access Manager Providers
    • 10.2.3.1 About Oracle Access Manager Installation and Setup
    • 10.2.3.2 Installing Components and Files
    • 10.2.3.3 Creating Resource Types in Oracle Access Manager
  • 10.2.4 Configuring Oracle Access Manager Identity Assertion for Single Sign-On
    • 10.2.4.1 Establishing Trust with Oracle WebLogic Server
    • 10.2.4.2 Configuring the Authentication Scheme for the Identity Asserter
    • 10.2.4.3 Configuring Providers in the WebLogic Domain
    • 10.2.4.4 Setting Up the Login Form for the Oracle Access Manager Identity Asserter
    • 10.2.4.5 Testing Oracle Access Manager Identity Assertion for Single Sign-on
  • 10.2.5 Configuring the Oracle Access Manager Authenticator
    • 10.2.5.1 Creating an Authentication Scheme for the Authenticator
    • 10.2.5.2 Configuring a Policy Domain for the Oracle Access Manager Authenticator
    • 10.2.5.3 Configuring Providers for the Authenticator in a WebLogic Domain
    • 10.2.5.4 Configuring the Application Authentication Method for the Authenticator
    • 10.2.5.5 Mapping the Authenticated User to a Group in LDAP
    • 10.2.5.6 Testing the Oracle Access Manager Authenticator Implementation
  • 10.2.6 Configuring Identity Assertion for Oracle Web Services Manager
    • 10.2.6.1 Creating a Policy Domain for Use with Oracle Web Services Manager
    • 10.2.6.2 Configuring Oracle Web Services Manager Policies for Web Services
    • 10.2.6.3 Configuring Providers in a WebLogic Domain for Oracle Web Services Manager
    • 10.2.6.4 Testing the Identity Asserter with Oracle Web Services Manager
  • 10.2.7 Configuring Global Logout for Oracle Access Manager
    • 10.2.7.1 Zero Configuration SLO
    • 10.2.7.2 Configuring the LogoutURLs Parameter in WebGate/AccessGate Profiles
    • 10.2.7.3 Application-Managed SLO
  • 10.2.8 Oracle Access Manager Authentication Provider Parameter List
  • 10.2.9 Known Issues: JAR Files and OAMCfgTool
  • 10.2.10 Troubleshooting Tips for Provider Deployment
    • 10.2.10.1 About Using IPv6
    • 10.2.10.2 Apache Bridge Failure: Timed Out
    • 10.2.10.3 Authenticated User with Access Denied
    • 10.2.10.4 Browser Back Button Results in Error
    • 10.2.10.5 Cannot Reboot After Adding OAM and OID Authenticators
    • 10.2.10.6 Client in Cluster with Load-Balanced WebGates
    • 10.2.10.7 Error 401: Unable to Access the Application
    • 10.2.10.8 Error 403: Unable to Access the Application
    • 10.2.10.9 Error 404: Not Found ... Anything Matching the Request URI
    • 10.2.10.10 Error Issued with the Action URL in Form Login Page
    • 10.2.10.11 Error or Failure on Oracle WebLogic Server Startup
    • 10.2.10.12 JAAS Control Flag
    • 10.2.10.13 Login Form is Shown Repeatedly Upon Credential Submission: No Error
    • 10.2.10.14 Logout and Session Time Out Issues
    • 10.2.10.15 Not Found: The requested URL or Resource Was Not Found
    • 10.2.10.16 Oracle WebLogic Server Fails to Start
    • 10.2.10.17 Oracle ADF Integration and Cert Mode
    • 10.2.10.18 URL Rewriting and JSESSIONID
• 10.3 Deploying the OracleAS Single Sign-On (OSSO) Solution
  • 10.3.1 Using the OSSO Identity Asserter
    • 10.3.1.1 Oracle WebLogic Security Framework
    • 10.3.1.2 OSSO Identity Asserter Processing
    • 10.3.1.3 Consumption of Headers with OSSO Identity Asserter
  • 10.3.2 New Users of the OSSO Identity Asserter
    • 10.3.2.1 Configuring mod_weblogic
    • 10.3.2.2 Registering Oracle HTTP Server mod_osso with OSSO Server 10.1.4
    • 10.3.2.3 Configuring mod_osso to Protect Web Resources
    • 10.3.2.4 Adding Providers to a WebLogic Domain for OSSO
    • 10.3.2.5 Establishing Trust Between Oracle WebLogic Server and Other Entities
    • 10.3.2.6 Configuring the Application for the OSSO Identity Asserter
  • 10.3.3 Troubleshooting for an OSSO Identity Asserter Deployment
    • 10.3.3.1 SSO-Related Problems
    • 10.3.3.2 OSSO Identity Asserter-Related Problems
    • 10.3.3.3 URL Rewriting and JSESSIONID
    • 10.3.3.4 About mod_osso, OSSO Cookies, and Directives
    • 10.3.3.5 About Using IPv6
• 10.4 Synchronizing the User and SSO Sessions: SSO Synchronization Filter
• 10.5 Setting Up Debugging in the WebLogic Administration Console

11 Introduction to Oracle Fusion Middleware Audit Framework

• 11.1 Benefits and Features of the Oracle Fusion Middleware Audit Framework
  • 11.1.1 Objectives of Auditing
  • 11.1.2 Today's Audit Challenges
  • 11.1.3 Oracle Fusion Middleware Audit Framework in 11g
• 11.2 Overview of Audit Features
• 11.3 Oracle Fusion Middleware Audit Framework Concepts
  • 11.3.1 Audit Architecture
  • 11.3.2 Key Technical Concepts
    • 11.3.2.1 Building Blocks of the Framework
  • 11.3.3 Audit Record Storage
  • 11.3.4 Analytics

12 Configuring and Managing Auditing

• 12.1 Audit Administration Tasks
• 12.2 Managing the Audit Store
  • 12.2.1 Create the Audit Schema using RCU
  • 12.2.2 Set Up Audit Data Sources
    • 12.2.2.1 Multiple Data Sources
  • 12.2.3 Configure a Database Audit Store for Java Components
    • 12.2.3.1 View Audit Store Configuration
    • 12.2.3.2 Configure the Audit Store
    • 12.2.3.3 Deconfigure the Audit Store
  • 12.2.4 Configure a Database Audit Store for System Components
    • 12.2.4.1 Deconfigure the Audit Store
  • 12.2.5 Tuning the Bus-stop Files
• 12.3 Managing Audit Policies
  • 12.3.1 Manage Audit Policies for Java Components with Fusion Middleware Control
  • 12.3.2 Manage Audit Policies for System Components with Fusion Middleware Control
  • 12.3.3 Manage Audit Policies with WLST
    • 12.3.3.1 View Audit Policies with WLST
    • 12.3.3.2 Update Audit Policies with WLST
    • 12.3.3.3 Example 1: Configuring an Audit Policy for Users with WLST
    • 12.3.3.4 Example 2: Configuring an Audit Policy for Events with WLST
    • 12.3.3.5 Custom Configuration is Retained when the Audit Level Changes
  • 12.3.4 Manage Audit Policies Manually
    • 12.3.4.1 Location of Configuration Files for Java Components
    • 12.3.4.2 Audit Service Configuration Properties in jps-config.xml for Java Components
    • 12.3.4.3 Switching from Database to File for Java Components
    • 12.3.4.4 Manually Configuring Audit for System Components
• 12.4 Audit Logs
  • 12.4.1 Location of Audit Logs
  • 12.4.2 Audit Log Timestamps
• 12.5 Advanced Management of Database Store
  • 12.5.1 Schema Overview
  • 12.5.2 Table Attributes
  • 12.5.3 Indexing Scheme
  • 12.5.4 Backup and Recovery
  • 12.5.5 Importing and Exporting Data
  • 12.5.6 Partitioning
    • 12.5.6.1 Partition Tables
    • 12.5.6.2 Backup and Recovery of Partitioned Tables
    • 12.5.6.3 Import, Export, and Data Purge
    • 12.5.6.4 Tiered Archival

13 Using Audit Analysis and Reporting

• 13.1 Setting up Oracle Business Intelligence Publisher for Audit Reports
  • 13.1.1 About Oracle Business Intelligence Publisher
  • 13.1.2 Install Oracle Business Intelligence Publisher
  • 13.1.3 Set Up Oracle Reports in Oracle Business Intelligence Publisher
  • 13.1.4 Set Up Audit Report Templates
  • 13.1.5 Set Up Audit Report Filters
  • 13.1.6 Configure Scheduler in Oracle Business Intelligence Publisher
• 13.2 Organization of Audit Reports
• 13.3 View Audit Reports
• 13.4 Example of Oracle Business Intelligence Publisher Reports
• 13.5 Audit Report Details
  • 13.5.1 List of Audit Reports in Oracle Business Intelligence Publisher
  • 13.5.2 Attributes of Audit Reports in Oracle Business Intelligence Publisher
• 13.6 Customizing Audit Reports
  • 13.6.1 Using Advanced Filters on Pre-built Reports
  • 13.6.2 Creating Custom Reports

Part IV Developing with Oracle Platform Security Services APIs

14 Overview of Developing Secure Applications with Oracle Platform Security Services

• 14.1 About Oracle Platform Security Services for Developers
  • 14.1.1 The Development Cycle
  • 14.1.2 Challenges of Securing Java Applications
  • 14.1.3 Meeting the Challenges with Oracle Platform Security Services
  • 14.1.4 OPSS Architecture
• 14.2 The Oracle Platform Security Services APIs
  • 14.2.1 The LoginService API
  • 14.2.2 The User and Role API
  • 14.2.3 JAAS Authorization and the JpsAuth.checkPermission API
  • 14.2.4 The Credential Store Framework API
• 14.3 Common Uses for Oracle Platform Security Services
  • 14.3.1 A JavaEE Application using OPSS APIs
  • 14.3.2 Authentication with OPSS APIs
  • 14.3.3 Programmatic Authorization
  • 14.3.4 Credential Store Framework
  • 14.3.5 User and Role
  • 14.3.6 Oracle ADF Authorization
  • 14.3.7 JavaSE Application
• 14.4 Using OPSS with Oracle Application Development Framework
  • 14.4.1 About Oracle ADF
  • 14.4.2 How Oracle ADF Uses OPSS
  • 14.4.3 The Oracle ADF Development Life Cycle
• 14.5 Using the Oracle Security Developer Tools
• 14.6 Using OPSS Outside Oracle JDeveloper/Oracle ADF

15 Manually Configuring JavaEE Applications to Use OPSS

• 15.1 Configuring the Servlet Filter and the EJB Interceptor
  • 15.1.1 Interceptor Configuration Syntax
  • 15.1.2 Summary of Filter and Interceptor Parameters
• 15.2 Choosing the Appropriate Class for Enterprise Groups and Users
• 15.3 Packaging a JavaEE Application Manually
  • 15.3.1 Packaging Policies with Application
  • 15.3.2 Packaging Credentials with Application
• 15.4 Configuring a JavaEE Application to Use OPSS
  • 15.4.1 Parameters Controlling Policy Migration
  • 15.4.2 Policy Parameter Configuration According to Behavior
    • 15.4.2.1 To Skip Migrating All Policies
    • 15.4.2.2 To Migrate All Policies with Merging
    • 15.4.2.3 To Migrate All Policies with Overwriting
    • 15.4.2.4 To Remove (or Prevent the Removal of) Application Policies
    • 15.4.2.5 To Migrate Policies in a Static Deployment
    • 15.4.2.6 Recommendations
  • 15.4.3 Using a Wallet-Based Credential Store
  • 15.4.4 Parameters Controlling Credential Migration
  • 15.4.5 Credential Parameter Configuration According to Behavior
    • 15.4.5.1 To Skip Migrating Credentials
    • 15.4.5.2 To Migrate Credentials with Merging
    • 15.4.5.3 To Migrate Credentials with Overwriting
  • 15.4.6 Supported Permission Classes
    • 15.4.6.1 Policy Store Permission
    • 15.4.6.2 Credential Store Permission
    • 15.4.6.3 Generic Permission
  • 15.4.7 Specifying Bootstrap Credentials Manually
  • 15.4.8 Migrating Identities with the Command migrateSecurityStore
  • 15.4.9 Example of Configuration File jps-config.xml

16 Developing Authentication

• 16.1 Links to Authentication Topics for JavaEE Applications
• 16.2 Developing Authentication for JavaSE Applications
  • 16.2.1 The Identity Store
  • 16.2.2 Configuring an LDAP Identity Store in JavaSE Applications
  • 16.2.3 Supported Login Modules for JavaSE Applications
    • 16.2.3.1 The Identity Store Login Module
    • 16.2.3.2 Using the Identity Store Login Module for Authentication
    • 16.2.3.3 Using the Identity Login Module for Assertion
  • 16.2.4 Using the OPSS API LoginService in JavaSE Applications

17 Developing with the Credential Store Framework

• 17.1 About the Credential Store Framework API
• 17.2 Overview of Application Development with CSF
• 17.3 Setting the Java Security Policy Permissions
  • 17.3.1 Guidelines for Granting Permissions
  • 17.3.2 Permissions Grant Example 1
  • 17.3.3 Permissions Grant Example 2
• 17.4 Guidelines for the Map Name
• 17.5 Configuring the Credential Store
• 17.6 Steps for Using the API
  • 17.6.1 Using the CSF API in a Standalone Environment
  • 17.6.2 Using the CSF API in Oracle WebLogic Server
• 17.7 Examples
  • 17.7.1 Code for CSF Operations
  • 17.7.2 Example 1: JavaSE Application with Wallet Store
  • 17.7.3 Example 2: JavaEE Application with Wallet Store
  • 17.7.4 Example 3: JavaEE Application with LDAP Store
• 17.8 Best Practices

18 Developing Authorization

• 18.1 Authorization Overview
  • 18.1.1 The JavaEE Authorization Model
  • 18.1.2 The JAAS Authorization Model
• 18.2 Authorization for EJBs and Servlets (JavaEE Model)
  • 18.2.1 Declarative Authorization
  • 18.2.2 Programmatic Authorization
  • 18.2.3 JavaEE Code Example
• 18.3 Authorization Using Permissions (JAAS/OPSS Model)
  • 18.3.1 Using the Method checkPermission
  • 18.3.2 Debugging and Auditing Support
  • 18.3.3 Using the Methods doAs and doAsPrivileged
  • 18.3.4 JAAS/OPSS Code Examples
    • 18.3.4.1 Checking Permissions
    • 18.3.4.2 Managing Policies
• 18.4 The Class oracle.security.jps.ResourcePermission

19 Developing with the User and Role API

• 19.1 Introduction to the User and Role API Framework
  • 19.1.1 User and Role API and the Oracle WebLogic Server Authenticators
• 19.2 Summary of Roles and Classes
• 19.3 Working with Service Providers
  • 19.3.1 Understanding Service Providers
  • 19.3.2 Setting Up the Environment
  • 19.3.3 Selecting the Provider
  • 19.3.4 Creating the Provider Instance
  • 19.3.5 Properties for Provider Configuration
    • 19.3.5.1 Start-time and Run-time Configuration
    • 19.3.5.2 When to Pass Configuration Values
  • 19.3.6 Configuring the Provider when Creating a Factory Instance
    • 19.3.6.1 Oracle Internet Directory Provider
    • 19.3.6.2 Using Existing Logger Objects
    • 19.3.6.3 Supplying Constant Values
    • 19.3.6.4 Configuring Connection Parameters
    • 19.3.6.5 Configuring a Custom Connection Pool Class
  • 19.3.7 Configuring the Provider when Creating a Store Instance
  • 19.3.8 Runtime Configuration
  • 19.3.9 Programming Considerations
    • 19.3.9.1 Provider Portability Considerations
    • 19.3.9.2 Considerations when Using IdentityStore Objects
  • 19.3.10 Provider Life cycle
• 19.4 Searching the Repository
  • 19.4.1 Searching for a Specific Identity
  • 19.4.2 Searching for Multiple Identities
  • 19.4.3 Specifying Search Parameters
  • 19.4.4 Using Search Filters
    • 19.4.4.1 Operators in Search Filters
    • 19.4.4.2 Handling Special Characters when Using Search Filters
    • 19.4.4.3 Examples of Using Search Filters
  • 19.4.5 Searching by GUID
• 19.5 User Authentication
• 19.6 Creating and Modifying Entries in the Identity Store
  • 19.6.1 Handling Special Characters when Creating Identities
  • 19.6.2 Creating an Identity
  • 19.6.3 Modifying an Identity
  • 19.6.4 Deleting an Identity
• 19.7 Examples of User and Role API Usage
  • 19.7.1 Example 1: Searching for Users
  • 19.7.2 Example 2: User Management in an Oracle Internet Directory Store
  • 19.7.3 Example 3: User Management in a Microsoft Active Directory Store
• 19.8 SSL Configuration for LDAP-based User and Role API Providers
  • 19.8.1 Out-of-the-box Support for SSL
    • 19.8.1.1 System Properties
    • 19.8.1.2 SSL configuration
  • 19.8.2 Customizing SSL Support for the User and Role API
    • 19.8.2.1 SSL configuration
• 19.9 The User and Role API Reference

20 Developing with Oracle HTTPClient Security

• 20.1 Overview of Oracle HTTPClient Security
• 20.2 Oracle HTTPClient Security Features
  • 20.2.1 Keystore Formats
  • 20.2.2 SSL Connection Information
  • 20.2.3 Support for java.net.URL
  • 20.2.4 Cipher Suites
• 20.3 JSSE System Properties
• 20.4 Using HTTPClient with JSSE
  • 20.4.1 Prerequisites for using JSSE
  • 20.4.2 Configuring HTTPClient
• 20.5 SSL Host Name Verification
  • 20.5.1 Enabling Host Name Verification with a System Property
  • 20.5.2 Enabling Host Name Verification Programmatically
  • 20.5.3 Oracle Standard Host Name Verifier
  • 20.5.4 Additional Verification
• 20.6 Using NTLM Authentication with Oracle HTTPClient
  • 20.6.1 NTLM Domain Name and Realm
  • 20.6.2 Connecting to NTLM-Protected Servers

Part V Appendices

A OPSS Configuration File Reference

• A.1 Top- and Second-Level Element Hierarchy
• A.2 Lower-Level Elements
• <description>
• <extendedProperty>
• <extendedPropertySet>
• <extendedPropertySetRef>
• <extendedPropertySets>
• <jpsConfig>
• <jpsContext>
• <jpsContexts>
• <name>
• <property>
• <propertySet>
• <propertySetRef>
• <propertySets>
• <serviceInstance>
• <serviceInstanceRef>
• <serviceInstances>
• <serviceProvider>
• <serviceProviders>
• <value>
• <values>

B File-Based Identity and Policy Store Reference

• B.1 Hierarchy of Elements in system-jazn-data.xml
• B.2 Elements and Attributes of system-jazn-data.xml
• <actions>
• <app-role>
• <app-roles>
• <application>
• <applications>
• <attribute>
• <class>
• <codesource>
• <credentials>
• <description>
• <display-name>
• <extended-attributes>
• <grant>
• <grantee>
• <guid>
• <jazn-data>
• <jazn-policy>
• <jazn-realm>
• <member>
• <members>
• <name>
• <owner>
• <owners>
• <permission>
• <permissions>
• <policy-store>
• <principal>
• <principals>
• <realm>
• <role>
• <roles>
• <type>
• <uniquename>
• <url>
• <user>
• <users>
• <value>
• <values>

C Oracle Fusion Middleware Audit Framework Reference

• C.1 Audit Events
  • C.1.1 What Components Can be Audited?
  • C.1.2 What Events can be Audited?
    • C.1.2.1 Oracle Directory Integration Platform Events and their Attributes
    • C.1.2.2 Oracle Platform Security Services Events and their Attributes
    • C.1.2.3 Oracle HTTP Server Events and their Attributes
    • C.1.2.4 Oracle Internet Directory Events and their Attributes
    • C.1.2.5 Oracle Identity Federation Events and their Attributes
    • C.1.2.6 Oracle Virtual Directory Events and their Attributes
    • C.1.2.7 OWSM-Agent Events and their Attributes
    • C.1.2.8 OWSM-PM-EJB Events and their Attributes
    • C.1.2.9 Reports Server Events and their Attributes
    • C.1.2.10 WS-Policy Attachment Events and their Attributes
    • C.1.2.11 Oracle Web Cache Events and their Attributes
    • C.1.2.12 Oracle Web Services Manager Events and their Attributes
  • C.1.3 Event Attribute Descriptions
• C.2 Pre-built Audit Reports
  • C.2.1 Common Audit Reports
  • C.2.2 Component-Specific Audit Reports
• C.3 The Audit Schema
• C.4 WLST Commands for Auditing
  • C.4.1 getNonJavaEEAuditMBeanName
    • C.4.1.1 Description
    • C.4.1.2 Syntax
    • C.4.1.3 Example
  • C.4.2 getAuditPolicy
    • C.4.2.1 Description
    • C.4.2.2 Syntax
    • C.4.2.3 Example
  • C.4.3 setAuditPolicy
    • C.4.3.1 Description
    • C.4.3.2 Syntax
    • C.4.3.3 Example
  • C.4.4 getAuditRepository
    • C.4.4.1 Description
    • C.4.4.2 Syntax
    • C.4.4.3 Example
  • C.4.5 setAuditRepository
    • C.4.5.1 Description
    • C.4.5.2 Syntax
    • C.4.5.3 Example
  • C.4.6 listAuditEvents
    • C.4.6.1 Description
    • C.4.6.2 Syntax
    • C.4.6.3 Example
  • C.4.7 exportAuditConfig
    • C.4.7.1 Description
    • C.4.7.2 Syntax
    • C.4.7.3 Example
  • C.4.8 importAuditConfig
    • C.4.8.1 Description
    • C.4.8.2 Syntax
    • C.4.8.3 Example
• C.5 Audit Filter Expression Syntax
• C.6 Naming and Logging Format of Audit Files

D User and Role API Reference

• D.1 Mapping User Attributes to LDAP Directories
• D.2 Mapping Role Attributes to LDAP Directories
• D.3 Default Configuration Parameters
• D.4 Secure Connections for Microsoft Active Directory

E Administration with WLST Scripting and MBean Programming

• E.1 Configuring OPSS Service Provider Instances with a WLST Script
• E.2 Configuring OPSS Services with MBeans
  • E.2.1 List of Supported OPSS MBeans
  • E.2.2 Invoking an OPSS MBean
  • E.2.3 Programming with OPSS MBeans
• E.3 Access Restrictions
  • E.3.1 Annotation Examples
  • E.3.2 Mapping of Logical Roles to WebLogic Roles
  • E.3.3 Particular Access Restrictions

F OPSS System and Configuration Properties

• F.1 OPSS System Properties
• F.2 OPSS Configuration Properties
  • F.2.1 LDAP Policy Store Properties
  • F.2.2 LDAP Credential Store Properties
  • F.2.3 LDAP Identity Store Properties
  • F.2.4 Generic LDAP Properties
  • F.2.5 Anonymous and Authenticated Roles Properties
  • F.2.6 Policy Provider Framework Properties
  • F.2.7 Keystore Properties

G Upgrading Security Data

• G.1 Upgrading Security Data
  • G.1.1 Examples of Use

H References

• H.1 OPSS API References

I Troubleshooting Security in Oracle Fusion Middleware

• I.1 Diagnosing Security Errors
  • I.1.1 Log Files
    • I.1.1.1 Diagnostic Log Files
    • I.1.1.2 Generic Log Files
    • I.1.1.3 Audit Diagnostic Log Files
    • I.1.1.4 Using Fusion Middleware Control Logging Support
  • I.1.2 System Properties
    • I.1.2.1 jps.auth.debug
    • I.1.2.2 jps.auth.debug.verbose
  • I.1.3 Solving Security Errors
    • I.1.3.1 Understanding Sample Log Entries
    • I.1.3.2 Searching Logs with Fusion Middleware Control
    • I.1.3.3 Identifying a Message Context with Fusion Middleware Control
    • I.1.3.4 Generating Error Listing Files with Fusion Middleware Control
• I.2 Reassociation Failure
  • I.2.1 Missing Policies in Reassociated Policy Store
• I.3 Server Fails to Start - Missing Required LDAP Authenticator
• I.4 Server Fails to Start - Missing Administrator Account
• I.5 Server Fails to Start - Missing Permission
• I.6 Failure to Grant or Revoke Permissions - Case Mismatch
• I.7 Failure to Connect to an LDAP Server
• I.8 User and Role API Failure
• I.9 Failure to Access Data in the Domain Credential Store
• I.10 Failure to Establish an Anonymous SSL Connection
• I.11 Authorization Check Failure
• I.12 User Gets Unexpected Permissions
• I.13 Security Access Control Exception
• I.14 Permission Check Failure
• I.15 Policy Migration Failure
• I.16 Characters in Policies
  • I.16.1 Use of Special Characters in Oracle Internet Directory 10.1.4.3
  • I.16.2 XML Policy Store that Contains Certain Characters
  • I.16.3 Missing Newline Characters in XML Policy Store
• I.17 Granting Permissions in J2SE Applications
• I.18 Troubleshooting Oracle Business Intelligence Reporting
  • I.18.1 Audit Templates for Oracle Business Intelligence Publisher
  • I.18.2 Oracle Business Intelligence Publisher Time Zone
• I.19 Need Further Help?

Index