4 Security Tasks

4.1.1 Users, Groups, and Roles

Oracle CEP uses role-based authorization control to secure the Oracle CEP Visualizer and the wlevs.Admin command-line utility. There are a variety of default out-of-the-box security groups. You can add users to different groups to give them the different roles.

Administrators who use Oracle CEP Visualizer, wlevs.Admin, or any custom administration application that uses JMX to connect to an Oracle CEP instance use role-based authorization to gain access.

You can also use role-based authorization to control access to the HTTP publish-subscribe server.

There are two types of role:

• Application roles: application roles grant users the permission to access various Oracle CQL applications deployed to the Oracle CEP server. You can create application roles and associate them with the task roles that Oracle CEP provides.

  By default, administrator users can access any application and non-administration users cannot access any applications. Before a none-administration user can access an application, an administration user must grant the user the associated application role.

• Task roles: task roles grant users the permission to perform various tasks with the applications their application role authorizes them to access. Oracle CEP provides the default task roles that Table 4-1 describes.

Users that successfully authenticate themselves when using Oracle CEP Visualizer or wlevs.Admin are assigned roles based on their group membership, and then subsequent access to administrative functions is restricted according to the roles held by the user. Anonymous users (non-authenticated users) will not have any access to the Oracle CEP Visualizer or wlevs.Admin.

When an administrator uses the Configuration Wizard to create a new domain, they enter an administrator user that will be part of the wlevsAdministrators group. By default, this information is stored in a file-based provider filestore. The password is hashed using the SHA-256 algorithm. The default administrator user is named wlevs with password wlevs.

Table 4-1 describes the default Oracle CEP task roles available right after the creation of a new domain, as well as the name of the groups that are assigned to these roles.

wlevsAdministrators

wlevsApplicationAdmins

wlevsBusinessUsers

wlevsDeployers

wlevsMonitors

wlevsOperators

Once the domain has been created, the administrator can use Oracle CEP Visualizer to create a group and associate it with one or more roles: each role grants access to an application. When you assign a user to a group, the roles you associate with the group give the user the privileges to access those applications.

Using Oracle CEP Visualizer, you can:

• Section 4.2, "Managing Users"

• Section 4.3, "Managing Groups"

• Section 4.4, "Managing Roles"

4.1.2 HTTP Publish-Subscribe Server Channel Security

Oracle CEP provides an HTTP Publish-Subscribe Server (HTTP pub-sub server): a mechanism whereby Web clients subscribe to channels (similar to a topic in JMS) and then publish messages to these channels using asynchronous messages over HTTP and subscribe to these channels to receive messages as they become available.

Using Oracle CEP Visualizer, you can specify which users can access HTTP publish-subscribe server channels.

For more information, see:

• Section 4.5, "Managing HTTP Publish-Subscribe Server Channel Security"

• "Configuring HTTP Publish-Subscribe for Oracle CEP" in the Oracle CEP Administrator's Guide

4.1.3 SSL

Oracle CEP provides one-way Secure Sockets Layer (SSL) to secure network traffic between Oracle CEP Visualizer and Oracle CEP server instances, between the Oracle CEP server instances of a multi-server domain, and between the wlevs.Admin command-line utility and Oracle CEP server instances.

You configure SSL in the Oracle CEP server config.xml file. By default, the Configuration Wizard creates the config.xml file in the ORACLE_CEP_HOME/user_projects/domains/DOMAIN_DIR/servername/config directory, where ORACLE_CEP_HOME refers to the Oracle CEP installation directory (such as d:/oracle_cep), DOMAIN_DIR refers to the domain directory (such as my_domain), and servername refers to the server instance directory (such as server1).

For more information, see:

• Section 4.6, "Managing SSL"

• "SSL" in the Oracle CEP Administrator's Guide

4.2.1 How to Create a User

Using the Oracle CEP Visualizer, you can create a user.

To create a user:

1. Log on to Oracle CEP Visualizer as a user with the Admin role.

2. In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.

3. In the right pane, click the User tab.

   The User tab appears as Figure 4-1 shows.

   Figure 4-1 User Tab

   
   Description of "Figure 4-1 User Tab"
   
   

4. Click the New User button at the bottom of the right pane.

   The Add a User panel appears as Figure 4-2 shows.

   Figure 4-2 Add a User Panel

   
   Description of "Figure 4-2 Add a User Panel"
   
   

5. Configure the Add a User panel as Table 4-2 describes.

   Table 4-2 Add a User Panel Attributes

   Attribute	Description
   Username	Enter the name of the user.
   Password	Enter the password for this user. Passwords must be at least 6 characters in length.
   Confirm Password	Re-enter the password for this user.
   Description	An optional description for this user.
   Belong to groups	Check one or more groups to which the user belongs. The user inherits the privileges of the roles you assign to the groups. You must assign a user to at least one group. For more information, see Section 4.3, "Managing Groups".

   
   

6. Click OK.

   When the account has been successfully created, a confirmation message appears momentarily.

4.2.2 How to Modify a User

You can modify the configuration of existing users.

To modify user passwords, see Section 4.2.4, "How to Change the Password of a User".

To modify a user:

1. Log on to Oracle CEP Visualizer as a user with the Admin role.

2. In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.

3. In the right pane, click the User tab.

4. In the Users table, check the box to the left of the name of the user that you want to modify.

5. Click the Modify User button at the bottom of the right pane.

   The Change User panel appears as Figure 4-3 shows.

   Figure 4-3 Change User Panel

   
   Description of "Figure 4-3 Change User Panel"
   
   

6. Configure the Change User panel as Table 4-3 describes.

   Table 4-3 Change User Panel Attributes

   Attribute	Description
   Username	The name of the user. This is a read-only field.
   Password	This field is blank and read-only. To modify the password, see Section 4.2.4, "How to Change the Password of a User".
   Confirm Password	This field is blank and read-only. To modify the password, see Section 4.2.4, "How to Change the Password of a User".
   Description	Modify the optional description for this user.
   Belong to groups	Modify the groups to which the user belongs by checking or unchecking one or more of the groups displayed. Check one or more groups to which the user belongs. The user inherits the privileges of the roles you assign to the groups You must assign a user to at least one group. For more information, see Section 4.3, "Managing Groups".

   
   

7. Click OK.

4.2.3 How to Delete a User

You can delete existing users. However, you cannot delete the default administrator user, which is the administrator user originally configured for the domain when it was created with the Configuration Wizard.

To delete a user:

1. Log on to Oracle CEP Visualizer as a user with the Admin role.

2. In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.

3. In the right pane, click the User tab.

4. In the Users table, check the boxes to the left of the name of the users that you want to delete as Figure 4-4 shows.

   Figure 4-4 Selecting a User

   
   Description of "Figure 4-4 Selecting a User"
   
   

5. Click the Delete User button at the bottom of the right pane.

   A confirmation dialog appears as Figure 4-5 shows.

   Figure 4-5 Delete User Dialog

   
   Description of "Figure 4-5 Delete User Dialog"
   
   

6. Click Yes.

   When the account has been successfully deleted, a confirmation message appears momentarily.

4.2.4 How to Change the Password of a User

You can change the password for existing users.

To change other user configuration options, see Section 4.2.2, "How to Modify a User".

To change the password of a user:

1. Log on to Oracle CEP Visualizer as a user with the Admin role.

2. In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.

3. In the right pane, click the User tab.

4. In the Users table, check the boxes to the left of the name of the users that you want to delete as Figure 4-4 shows.

   Figure 4-6 Selecting a User

   
   Description of "Figure 4-6 Selecting a User"
   
   

5. Click the Change Password button at the bottom of the right pane.

   The Change Password panel appears as Figure 4-7 shows.

   Figure 4-7 Change Password Panel

   
   Description of "Figure 4-7 Change Password Panel"
   
   

6. Configure the Change Password panel as Table 4-3 describes.

   Table 4-4 Change User Panel Attributes

   Attribute	Description
   Username	The name of the user. This is a read-only field.
   Password	This field is blank. To modify the password, see Section 4.2.4, "How to Change the Password of a User".
   Confirm Password	This field is blank. To modify the password, see Section 4.2.4, "How to Change the Password of a User".

   
   

7. Click OK.

   When the password has been successfully changed, a confirmation message appears momentarily.

4.3.1 How to Create a Group

Oracle CEP is configured by default with a set of groups that are in turn mapped to roles. See Section 4.1.1, "Users, Groups, and Roles" for details.

This section describes how to create a new group.

To create a group:

1. Log on to Oracle CEP Visualizer as a user with the Admin role.

2. In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.

3. In the right pane, click the Group tab.

   The Group tab appears as Figure 4-8 shows.

   Figure 4-8 Group Tab

   
   Description of "Figure 4-8 Group Tab"
   
   

4. Click the New Group button at the bottom of the right pane.

   The Add a Group panel appears as Figure 4-9 shows.

   Figure 4-9 Add a Group Panel

   
   Description of "Figure 4-9 Add a Group Panel"
   
   

5. Configure the Add a Group panel as Table 4-5 describes.

   Table 4-5 Add a Group Panel Attributes

   Attribute	Description
   Group Name	Enter the name of the group.
   Description	An optional description for this user.
   Has roles	Check one or more roles to which the group maps. Each role grants access to an application. You must select at least one role. For more information, see Section 4.4, "Managing Roles".

   
   

6. Click OK.

   When the group has been successfully created, a confirmation message appears momentarily.

4.3.2 How to Delete a Group

Oracle CEP is configured by default with a set of groups that are in turn mapped to roles: you cannot delete the default groups. See Section 4.1.1, "Users, Groups, and Roles" for details.

This section describes how to delete a group that you created.

To delete a group:

1. Log on to Oracle CEP Visualizer as a user with the Admin role.

2. In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.

3. In the right pane, click the Group tab.

4. In the Group table, check the boxes to the left of the name of the groups that you want to delete as Figure 4-10 shows.

   Figure 4-10 Selecting a Group

   
   Description of "Figure 4-10 Selecting a Group"
   
   

5. Click the Delete Group button at the bottom of the right pane.

   A confirmation dialog appears as Figure 4-11 shows.

   Figure 4-11 Delete Group Dialog

   
   Description of "Figure 4-11 Delete Group Dialog"
   
   

6. Click Yes.

   When the group has been successfully deleted, a confirmation message appears momentarily.

4.3.3 How to Modify the Roles to Which a Group Maps

You can modify existing groups, including the default groups, to change the roles they map to.

To modify the roles to which a group maps:

1. Log on to Oracle CEP Visualizer as a user with the Admin role.

2. In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.

3. In the right pane, click the Group tab.

4. In the Group table, check the boxes to the left of the name of the groups that you want to modify as Figure 4-12 shows.

   Figure 4-12 Selecting a Group

   
   Description of "Figure 4-12 Selecting a Group"
   
   

5. Click the Modify Group button at the bottom of the right pane.

   The Change Group panel appears as Figure 4-9 shows.

   Figure 4-13 Change Group Panel

   
   Description of "Figure 4-13 Change Group Panel"
   
   

6. Configure the Change Group panel as Table 4-5 describes.

   Table 4-6 Change Group Panel Attributes

   Attribute	Description
   Group Name	The name of the group. This is a read-only field..
   Description	An optional description for this user.
   Has roles	Check one or more roles to which the group maps. Each role grants access to an application. You must select at least one role. For more information, see Section 4.4, "Managing Roles".

   
   

7. Click OK.

   When the group has been successfully modified, a confirmation message appears momentarily.

8. Optionally modify the description of the group.

9. Click OK.

4.3.4 How to Change the Groups to Which a User is Assigned

To change the groups to which a user is assigned, see Section 4.2.2, "How to Modify a User".

4.4.1 How to Create an Application Role

Oracle CEP is configured by default with a set of task roles that are in turn mapped to groups. See Section 4.1.1, "Users, Groups, and Roles" for details.

This section describes how to create a new application role.

To create an application role:

1. Log on to Oracle CEP Visualizer as a user with the Admin role.

2. In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.

3. In the right pane, click the Role tab.

   The Role tab appears as Figure 4-14 shows.

   Figure 4-14 Role Tab

   
   Description of "Figure 4-14 Role Tab"
   
   

4. Click the New Role button at the bottom of the right pane.

   The Add Application Role panel appears as Figure 4-2 shows.

   Figure 4-15 Add Application Role

   
   Description of "Figure 4-15 Add Application Role"
   
   

5. Configure the Add Application Role panel as Table 4-7 describes.

   Table 4-7 Add Application Role Panel Attributes

   Attribute	Description
   Role Name	Enter the name of the role.
   Application Name	Select the radio button of the application you want to associate with this role from the list of all the currently running applications.

   
   

6. Click OK.

   When the application role has been successfully created, a confirmation message appears momentarily.

4.4.2 How to Delete a Role

Oracle CEP is configured by default with a set of roles that are in turn mapped to groups: you cannot delete these default roles. See Section 4.1.1, "Users, Groups, and Roles" for details.

This section describes how to delete a role that you created.

To delete a role:

1. Log on to Oracle CEP Visualizer as a user with the Admin role.

2. In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.

3. In the right pane, click the Role tab.

4. In the Role table, select the radio button to the left of the name of the role that you want to delete as Figure 4-4 shows.

   Figure 4-16 Selecting a Role

   
   Description of "Figure 4-16 Selecting a Role"
   
   

5. Click the Delete Role button at the bottom of the right pane.

   A confirmation dialog appears as Figure 4-17 shows.

   Figure 4-17 Delete Role Dialog

   
   Description of "Figure 4-17 Delete Role Dialog"
   
   

6. Click Yes.

   When the role has been successfully deleted, a confirmation message appears momentarily.

4.5.1 How to Configure Security for an HTTP Publish-Subscribe Channel

Using Oracle CEP Visualizer, you can specify the roles that are allowed to publish to the HTTP publish-subscribe channels that are configured for the HTTP pub-sub server included in Oracle CEP.

To configure security for an HTTP publish-subscribe channel:

1. Log on to Oracle CEP Visualizer as a user with the Admin role.

2. In the left pane, click the Domain > Server > Services > Http Pub/Sub Server node, where Domain refers to the name of your Oracle CEP domain and Server refers to the name of the server instance.

   A table appears in the right pane with the list of HTTP pub-sub servers configured for Oracle CEP.

3. In the right pane, click the name of the HTTP pub-sub server in the table. The default server is called pubsub.

4. In the Channels table, click the name of the channel for which you want to configure security.

5. In the Publish Roles table, select the roles that are allowed to publish messages to this channel.

   If you want to select more than one role, use the Ctrl key.

6. Click Modify Channel at the bottom of the pane.

4.6.1 How to View the SSL Configuration for an Oracle CEP Server

Using Oracle CEP Visualizer, you can view the SSL configuration for an Oracle CEP server.

To view the SSL configuration for an Oracle CEP server:

1. In the left pane, click the Domain > Server node, where Domain refers to the name of your Oracle CEP domain and Server refers to the name of the server instance.

2. In the right pane, click the SSL tab.

3. In the left table, click the SSL configuration you want to view as Figure 4-18 shows.

   Figure 4-18 SSL Tab

   
   Description of "Figure 4-18 SSL Tab"
   
   

   The default configuration name is sslConfig.

4. View the SSL configuration options the right table displays.

   Table 4-8 lists the SSL configuration options.

   Table 4-8 SSL Options

   Option	Description
   Name	The name of the selected SSL configuration.
   Key Store	The file path and name of the key store certificate file contains a self-signed certificate. The file path is relative to the ORACLE_CEP_HOME/user_projects/domains/DOMAIN_DIR/servername directory, where ORACLE_CEP_HOME refers to the Oracle CEP installation directory (such as d:/oracle_cep), DOMAIN_DIR refers to the domain directory (such as my_domain), and servername refers to the server instance directory (such as server1).
   Key Store Pass	The key store password.
   Key Store Alias	The key store alias.
   Key Store Type	The key store type.
   Key Manager Algorithm	The key manager algorithm.
   SSL Protocol	The SSL protocol.
   Trust Store	The file path and name of the key store certificate file contains a self-signed certificate. The file path is relative to the ORACLE_CEP_HOME/user_projects/domains/DOMAIN_DIR/servername directory, where ORACLE_CEP_HOME refers to the Oracle CEP installation directory (such as d:/oracle_cep), DOMAIN_DIR refers to the domain directory (such as my_domain), and servername refers to the server instance directory (such as server1).
   Trust Store Pass	The trust store password.
   Trust Store Alias	The trust store alias.
   Trust Store Type	The trust store type.
   Trust Manager Algorithm	The trust store algorithm.
   Enforce Fips	Whether or not Oracle CEP server uses a Federal Information Processing Standards (FIPS)-certified pseudo-random number generator for SSL. For more information, see "FIPS" in Oracle CEP Administrator's Guide.
   Need Client Auth	Whether or not Oracle CEP server uses client authentication.
   Secure Random Algorithm	The FIPS secure random algorithm, such as FIPS186PRNG.
   Secure Random Provider	The FIPS secure random provider, such as com.rsa.jsafe.provider.JsafeJCE.
   Cipher	The SSL ciphers.

   
   

4.6.2 How to Change the SSL Configuration for an Oracle CEP Server

You can only view the SSL configuration of your Oracle CEP server using Oracle CEP Visualizer. To change the configuration, you must manually update the server's config.xml file.

For more information, see "Configuring SSL to Secure Network Traffic" in the Oracle CEP Administrator's Guide.