Oracle® Complex Event Processing Visualizer User's Guide 11g Release 1 (11.1.1) Part Number E14302-03
This section contains the typical security tasks you can perform with Oracle CEP Visualizer.
Oracle CEP Visualizer is fairly self-explanatory, so this section does not discuss every task. It covers the most common and typical tasks, from which other similar tasks can be deduced.
This section describes:
Using Oracle CEP Visualizer, you can manage a variety of Oracle CEP security features, including managing:
For more information, see "Configuring Security for Oracle CEP" in the Oracle CEP Administrator's Guide.
Oracle CEP uses role-based authorization control to secure the Oracle CEP Visualizer and the wlevs.Admin command-line utility. There are a variety of default out-of-the-box security groups. You can add users to different groups to give them different roles.
Administrators who use Oracle CEP Visualizer, wlevs.Admin, or any custom administration application that uses JMX to connect to an Oracle CEP instance use role-based authorization to gain access.
You can also use role-based authorization to control access to the HTTP publish-subscribe server.
There are two types of role:
Application roles: application roles grant users the permission to access various Oracle CQL applications deployed to the Oracle CEP server. You can create application roles and associate them with the task roles that Oracle CEP provides.
By default, administrator users can access any application and non-administration users cannot access any applications. Before a non-administration user can access an application, an administration user must grant the user the associated application role.
Task roles: task roles grant users the permission to perform various tasks with the applications their application role authorizes them to access. Oracle CEP provides the default task roles that Table 4-1 describes.
Users that successfully authenticate themselves when using Oracle CEP Visualizer or wlevs.Admin are assigned roles based on their group membership, and then subsequent access to administrative functions is restricted according to the roles held by the user. Anonymous users (non-authenticated users) will not have any access to the Oracle CEP Visualizer or wlevs.Admin.
When an administrator uses the Configuration Wizard to create a new domain, they enter an administrator user that will be part of the wlevsAdministrators group. By default, this information is stored in a file-based provider filestore. The password is hashed using the SHA-256 algorithm. The default administrator user is named wlevs with password wlevs.
Table 4-1 describes the default Oracle CEP task roles available right after the creation of a new domain, as well as the name of the groups that are assigned to these roles.
Table 4-1 Default Oracle CEP Task Roles and Groups
Task Role | Group | Privileges |
---|---|---|
| wlevsAdministrators | Has all privileges of all the preceding roles, as well as permission to: |
| wlevsApplicationAdmins | Has all Operator privileges as well as permission to update the configuration of any deployed application. |
| wlevsBusinessUsers | Has all Operator privileges as well as permission to update the Oracle CQL and EPL rules associated with the processor of a deployed application. |
| wlevsDeployers | Has all Operator privileges as well as permission to deploy, undeploy, update, suspend, and resume any deployed application. |
| wlevsMonitors | Has all Operator privileges as well as permission to enable/disable diagnostic functions, such as creating a diagnostic profile and recording events (then playing them back.) |
| wlevsOperators | Has read-only access to all server resources, services, and deployed applications. |
Once the domain has been created, the administrator can use Oracle CEP Visualizer to create a group and associate it with one or more roles: each role grants access to an application. When you assign a user to a group, the roles you associate with the group give the user the privileges to access those applications.
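As an added illustration of the group and role model in Table 4-1 (not part of the Oracle guide or product), the following Python code reviews a user-to-group mapping for least-privilege issues. It assumes the default group-to-role mappings are unchanged; the user names, the `tradingAppUsers` group, the privilege labels, and the input format are constructed for the example.

```python
# Added example: least-privilege review of Oracle CEP group membership, using
# Table 4-1's default mappings. SAMPLE_USERS is constructed, not a product format.
BASELINE = "read-only access to resources, services, and applications"
# What each default group adds on top of the Operator baseline.
GROUP_EXTRAS = {
    "wlevsOperators": set(),
    "wlevsMonitors": {"enable/disable diagnostic functions"},
    "wlevsDeployers": {"deploy/undeploy/update/suspend/resume applications"},
    "wlevsBusinessUsers": {"update Oracle CQL and EPL rules"},
    "wlevsApplicationAdmins": {"update application configuration"},
}
ADMIN_GROUP = "wlevsAdministrators"
DEFAULT_ADMIN = "wlevs"  # administrator created by the Configuration Wizard
KNOWN = set(GROUP_EXTRAS) | {ADMIN_GROUP}

def effective_privileges(groups):
    """Union of task privileges granted by default-group memberships."""
    if ADMIN_GROUP in groups:
        # Administrators hold every other role's privileges plus their own.
        everything = set().union(*GROUP_EXTRAS.values())
        return everything | {BASELINE, "administrator-only permissions"}
    privs = set()
    for g in set(groups) & set(GROUP_EXTRAS):
        privs |= GROUP_EXTRAS[g] | {BASELINE}
    return privs

def review(users):
    """Return sorted (user, finding) pairs for a {user: [groups]} mapping."""
    findings = []
    for user, groups in users.items():
        groups = set(groups)
        if not groups:
            findings.append((user, "no group: at least one is required"))
            continue
        if ADMIN_GROUP in groups:
            if user != DEFAULT_ADMIN:
                findings.append((user, "holds full administrator privileges"))
            if len(groups) > 1:
                findings.append((user, "other groups redundant with admin"))
        elif "wlevsOperators" in groups and len(groups & set(GROUP_EXTRAS)) > 1:
            findings.append((user, "wlevsOperators redundant: implied by others"))
        for g in sorted(groups - KNOWN):
            findings.append((user, "custom group %s: check its role mapping" % g))
    return sorted(findings)

SAMPLE_USERS = {  # constructed sample data
    "wlevs": ["wlevsAdministrators"], "dave": [],
    "alice": ["wlevsAdministrators", "wlevsDeployers"],
    "bob": ["wlevsOperators", "wlevsMonitors"],
    "carol": ["wlevsBusinessUsers", "tradingAppUsers"],
}
if __name__ == "__main__":
    for user, finding in review(SAMPLE_USERS):
        print(f"{user}: {finding}")
```

Custom groups are only flagged for manual review, because the roles they map to are defined in the Visualizer and cannot be inferred from the group name.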
Using Oracle CEP Visualizer, you can:
Oracle CEP provides an HTTP Publish-Subscribe Server (HTTP pub-sub server): a mechanism whereby Web clients subscribe to channels (similar to a topic in JMS), publish messages to these channels using asynchronous messages over HTTP, and receive messages from the channels they subscribe to as they become available.
Using Oracle CEP Visualizer, you can specify which users can access HTTP publish-subscribe server channels.
For more information, see:
Section 4.5, "Managing HTTP Publish-Subscribe Server Channel Security"
"Configuring HTTP Publish-Subscribe for Oracle CEP" in the Oracle CEP Administrator's Guide
Oracle CEP provides one-way Secure Sockets Layer (SSL) to secure network traffic between Oracle CEP Visualizer and Oracle CEP server instances, between the Oracle CEP server instances of a multi-server domain, and between the wlevs.Admin command-line utility and Oracle CEP server instances.
You configure SSL in the Oracle CEP server config.xml file. By default, the Configuration Wizard creates the config.xml file in the ORACLE_CEP_HOME/user_projects/domains/DOMAIN_DIR/servername/config directory, where ORACLE_CEP_HOME refers to the Oracle CEP installation directory (such as d:/oracle_cep), DOMAIN_DIR refers to the domain directory (such as my_domain), and servername refers to the server instance directory (such as server1).
For more information, see:
Using Oracle CEP Visualizer, you can manage user accounts to control who can access the Oracle CEP Visualizer.
This section describes:
For more information, see Section 4.1.1, "Users, Groups, and Roles".
Using the Oracle CEP Visualizer, you can create a user.
To create a user:
Log on to Oracle CEP Visualizer as a user with the Admin role.
In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.
In the right pane, click the User tab.
The User tab appears as Figure 4-1 shows.
Click the New User button at the bottom of the right pane.
The Add a User panel appears as Figure 4-2 shows.
Configure the Add a User panel as Table 4-2 describes.
Table 4-2 Add a User Panel Attributes
Attribute | Description |
---|---|
| Enter the name of the user. |
| Enter the password for this user. Passwords must be at least 6 characters in length. |
| Re-enter the password for this user. |
| An optional description for this user. |
| Check one or more groups to which the user belongs. The user inherits the privileges of the roles you assign to the groups. You must assign a user to at least one group. For more information, see Section 4.3, "Managing Groups". |
Click OK.
When the account has been successfully created, a confirmation message appears momentarily.
You can modify the configuration of existing users.
To modify user passwords, see Section 4.2.4, "How to Change the Password of a User".
To modify a user:
Log on to Oracle CEP Visualizer as a user with the Admin role.
In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.
In the right pane, click the User tab.
In the Users table, check the box to the left of the name of the user that you want to modify.
Click the Modify User button at the bottom of the right pane.
The Change User panel appears as Figure 4-3 shows.
Configure the Change User panel as Table 4-3 describes.
Table 4-3 Change User Panel Attributes
Attribute | Description |
---|---|
| The name of the user. This is a read-only field. |
| This field is blank and read-only. To modify the password, see Section 4.2.4, "How to Change the Password of a User". |
| This field is blank and read-only. To modify the password, see Section 4.2.4, "How to Change the Password of a User". |
| Modify the optional description for this user. |
| Modify the groups to which the user belongs by checking or unchecking one or more of the groups displayed. Check one or more groups to which the user belongs. The user inherits the privileges of the roles you assign to the groups. You must assign a user to at least one group. For more information, see Section 4.3, "Managing Groups". |
Click OK.
You can delete existing users. However, you cannot delete the default administrator user, which is the administrator user originally configured for the domain when it was created with the Configuration Wizard.
To delete a user:
Log on to Oracle CEP Visualizer as a user with the Admin role.
In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.
In the right pane, click the User tab.
In the Users table, check the boxes to the left of the name of the users that you want to delete as Figure 4-4 shows.
Click the Delete User button at the bottom of the right pane.
A confirmation dialog appears as Figure 4-5 shows.
Click Yes.
When the account has been successfully deleted, a confirmation message appears momentarily.
You can change the password for existing users.
To change other user configuration options, see Section 4.2.2, "How to Modify a User".
To change the password of a user:
Log on to Oracle CEP Visualizer as a user with the Admin role.
In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.
In the right pane, click the User tab.
In the Users table, check the boxes to the left of the name of the users that you want to delete as Figure 4-4 shows.
Click the Change Password button at the bottom of the right pane.
The Change Password panel appears as Figure 4-7 shows.
Configure the Change Password panel as Table 4-3 describes.
Table 4-4 Change User Panel Attributes
Attribute | Description |
---|---|
| The name of the user. This is a read-only field. |
| This field is blank. To modify the password, see Section 4.2.4, "How to Change the Password of a User". |
| This field is blank. To modify the password, see Section 4.2.4, "How to Change the Password of a User". |
Click OK.
When the password has been successfully changed, a confirmation message appears momentarily.
You can create a group and associate it with one or more roles: each role grants access to an application. When you assign a user to a group, the roles you associate with the group give the user the privileges to access those applications.
This section describes:
Section 4.3.3, "How to Modify the Roles to Which a Group Maps"
Section 4.3.4, "How to Change the Groups to Which a User is Assigned"
For more information, see Section 4.1.1, "Users, Groups, and Roles".
Oracle CEP is configured by default with a set of groups that are in turn mapped to roles. See Section 4.1.1, "Users, Groups, and Roles" for details.
This section describes how to create a new group.
To create a group:
Log on to Oracle CEP Visualizer as a user with the Admin role.
In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.
In the right pane, click the Group tab.
The Group tab appears as Figure 4-8 shows.
Click the New Group button at the bottom of the right pane.
The Add a Group panel appears as Figure 4-9 shows.
Configure the Add a Group panel as Table 4-5 describes.
Table 4-5 Add a Group Panel Attributes
Attribute | Description |
---|---|
| Enter the name of the group. |
| An optional description for this user. |
| Check one or more roles to which the group maps. Each role grants access to an application. You must select at least one role. For more information, see Section 4.4, "Managing Roles". |
Click OK.
When the group has been successfully created, a confirmation message appears momentarily.
Oracle CEP is configured by default with a set of groups that are in turn mapped to roles: you cannot delete the default groups. See Section 4.1.1, "Users, Groups, and Roles" for details.
This section describes how to delete a group that you created.
To delete a group:
Log on to Oracle CEP Visualizer as a user with the Admin role.
In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.
In the right pane, click the Group tab.
In the Group table, check the boxes to the left of the name of the groups that you want to delete as Figure 4-10 shows.
Click the Delete Group button at the bottom of the right pane.
A confirmation dialog appears as Figure 4-11 shows.
Click Yes.
When the group has been successfully deleted, a confirmation message appears momentarily.
You can modify existing groups, including the default groups, to change the roles they map to.
To modify the roles to which a group maps:
Log on to Oracle CEP Visualizer as a user with the Admin role.
In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.
In the right pane, click the Group tab.
In the Group table, check the boxes to the left of the name of the groups that you want to modify as Figure 4-12 shows.
Click the Modify Group button at the bottom of the right pane.
The Change Group panel appears as Figure 4-9 shows.
Configure the Change Group panel as Table 4-5 describes.
Table 4-6 Change Group Panel Attributes
Attribute | Description |
---|---|
| The name of the group. This is a read-only field. |
| An optional description for this user. |
| Check one or more roles to which the group maps. Each role grants access to an application. You must select at least one role. For more information, see Section 4.4, "Managing Roles". |
Click OK.
When the group has been successfully modified, a confirmation message appears momentarily.
Optionally modify the description of the group.
Click OK.
To change the groups to which a user is assigned, see Section 4.2.2, "How to Modify a User".
You can create a role and associate it with an application. You can then create a group and associate it with one or more roles. When you assign a user to a group, the roles you associate with the group give the user the privileges to access those applications.
This section describes:
For more information, see Section 4.1.1, "Users, Groups, and Roles".
Oracle CEP is configured by default with a set of task roles that are in turn mapped to groups. See Section 4.1.1, "Users, Groups, and Roles" for details.
This section describes how to create a new application role.
To create an application role:
Log on to Oracle CEP Visualizer as a user with the Admin role.
In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.
In the right pane, click the Role tab.
The Role tab appears as Figure 4-14 shows.
Click the New Role button at the bottom of the right pane.
The Add Application Role panel appears as Figure 4-2 shows.
Configure the Add Application Role panel as Table 4-7 describes.
Click OK.
When the application role has been successfully created, a confirmation message appears momentarily.
Oracle CEP is configured by default with a set of roles that are in turn mapped to groups: you cannot delete these default roles. See Section 4.1.1, "Users, Groups, and Roles" for details.
This section describes how to delete a role that you created.
To delete a role:
Log on to Oracle CEP Visualizer as a user with the Admin role.
In the left pane, click the Domain > Security node, where Domain refers to the name of your Oracle CEP domain.
In the right pane, click the Role tab.
In the Role table, select the radio button to the left of the name of the role that you want to delete as Figure 4-4 shows.
Click the Delete Role button at the bottom of the right pane.
A confirmation dialog appears as Figure 4-17 shows.
Click Yes.
When the role has been successfully deleted, a confirmation message appears momentarily.
This section describes:
For more information, see Section 4.1.2, "HTTP Publish-Subscribe Server Channel Security".
Using Oracle CEP Visualizer, you can specify the roles that are allowed to publish to the HTTP publish-subscribe channels that are configured for the HTTP pub-sub server included in Oracle CEP.
To configure security for an HTTP publish-subscribe channel:
Log on to Oracle CEP Visualizer as a user with the Admin role.
In the left pane, click the Domain > Server > Services > Http Pub/Sub Server node, where Domain refers to the name of your Oracle CEP domain and Server refers to the name of the server instance.
A table appears in the right pane with the list of HTTP pub-sub servers configured for Oracle CEP.
In the right pane, click the name of the HTTP pub-sub server in the table. The default server is called pubsub.
In the Channels table, click the name of the channel for which you want to configure security.
In the Publish Roles table, select the roles that are allowed to publish messages to this channel.
If you want to select more than one role, use the Ctrl key.
Click Modify Channel at the bottom of the pane.
This section describes:
Section 4.6.1, "How to View the SSL Configuration for an Oracle CEP Server"
Section 4.6.2, "How to Change the SSL Configuration for an Oracle CEP Server"
For more information, see Section 4.1.3, "SSL".
Using Oracle CEP Visualizer, you can view the SSL configuration for an Oracle CEP server.
To view the SSL configuration for an Oracle CEP server:
In the left pane, click the Domain > Server node, where Domain refers to the name of your Oracle CEP domain and Server refers to the name of the server instance.
In the right pane, click the SSL tab.
In the left table, click the SSL configuration you want to view as Figure 4-18 shows.
The default configuration name is sslConfig.
View the SSL configuration options the right table displays.
Table 4-8 lists the SSL configuration options.
Table 4-8 SSL Options
You can only view the SSL configuration of your Oracle CEP server using Oracle CEP Visualizer. To change the configuration, you must manually update the server's config.xml file.
For more information, see "Configuring SSL to Secure Network Traffic" in the Oracle CEP Administrator's Guide.