Oracle® Fusion Middleware Application Security Guide 11g Release 1 (11.1.1) Part Number E10043-08
This chapter introduces the tools available to an administrator and the typical tasks to manage application security; it is divided into the following sections:
For advanced administrator tasks, see Appendix E, "Administration with WLST Scripting and MBean Programming."
The four basic tools available to a security administrator are Oracle Enterprise Manager Fusion Middleware Control, Oracle WebLogic Administration Console, Oracle Authorization Policy Manager, and the Oracle WebLogic Scripting Tool (WLST). For further details on these and other tools, see chapter 3, Getting Started Managing Oracle Fusion Middleware in Oracle Fusion Middleware Administrator's Guide.
The main criterion that determines the tool to use to administer application security is whether the application uses just container-managed security (JavaEE application) or it includes Oracle ADF security (Oracle ADF application).
Oracle-specific applications, such as Oracle Application Development Framework (Oracle ADF) applications, Oracle Server-Oriented Architecture (SOA) applications, and Web Center applications, are deployed, secured, and maintained with Fusion Middleware Control and Oracle Authorization Policy Manager.
Other applications, such as those developed by third parties, JavaSE, and JavaEE applications, are typically deployed, secured, and administered with Oracle WebLogic Administration Console or with WLST.
The recommended tool to develop Java applications is Oracle JDeveloper 11g. This tool helps the developer configure file-based identity, policy, and credential stores through specialized graphical editors. In particular, when developing Oracle ADF applications, the developer can run a wizard to configure security for web pages associated with Oracle ADF resources (such as Oracle ADF task flows and page definitions), and define security artifacts using a specialized, visual editor for the file jazn-data.xml.
For details about procedures and related topics, see the following sections in the Oracle JDeveloper online help documentation:
Securing a Web Application Using Oracle ADF Security
Securing a Web Application Using Java EE Security
About Oracle ADF Security as an Alternative to Security Constraints
About Securing Web Applications
For further details about Oracle ADF Security and its integration with Oracle JDeveloper, see Accessing the Oracle ADF Security Design Time Tools, in Oracle Fusion Middleware Fusion Developer's Guide for Oracle Application Development Framework.
For further details about Oracle Authorization Policy Manager, see Oracle Fusion Middleware Administrator's Guide for Authorization Policy Manager.
Table 5-1 lists some basic security tasks and the tools used to execute them. Recall that the tool chosen to configure and manage application security depends on the type of the application: for JavaEE applications, which use just container-managed security, use the Oracle WebLogic Administration Console; for Oracle ADF applications, which use OPSS authorization, use Fusion Middleware Control and Oracle Authorization Policy Manager.
Manual settings without the aid of the tools listed below are not recommended. For information about using the Oracle WebLogic Administration Console, see the list of links following the table below. For details about Oracle Authorization Policy Manager, see Oracle Fusion Middleware Administrator's Guide for Authorization Policy Manager.
Table 5-1 Basic Administrative Security Tasks and Tools

| Task | Use Fusion Middleware Control Security Menu | Use Other Tool |
|---|---|---|
| Configure WebLogic Domains | | WebLogic Admin Console |
| Configure WebLogic Security Realms | | WebLogic Admin Console |
| Manage WebLogic Domain Authenticators | | WebLogic Admin Console |
| Enable SSO for MS clients, Web Browsers, and HTTP clients | | WebLogic Admin Console |
| Manage Domain Administrative Accounts | | WebLogic Admin Console |
| Configuring the identity store service | | WebLogic Admin Console or the WebSphere command |
| Manage Credentials for Oracle ADF Application | Credentials | |
| | Security Provider Configuration | |
| | Security Provider Configuration | |
| Enable JAAS in Oracle ADF Application | Security Provider Configuration | |
| Map application to enterprise groups for Oracle ADF Application | Application Roles or Application Policies | Oracle Authorization Policy Manager |
| Manage system-wide policies for Oracle ADF Applications | System Policies | |
| Configure OPSS Properties | Security Provider Configuration | |
| Reassociate Policy and Credential Stores | Security Provider Configuration | |
Details about using the Oracle WebLogic Administration Console for the tasks above are found in the following documents:
For general use of the Administration Console, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
To configure WebLogic domains, see Oracle Fusion Middleware Understanding Domain Configuration for Oracle WebLogic Server.
To configure WebLogic security realms, see section Creating and Configuring a New Security Realm: Main Steps in Oracle Fusion Middleware Securing Oracle WebLogic Server.
To manage WebLogic domain authenticators, see chapter 5 in Oracle Fusion Middleware Securing Oracle WebLogic Server.
To configure SSO with MS clients, see chapter 6 in Oracle Fusion Middleware Securing Oracle WebLogic Server.
To manage domain administrative accounts, see chapter 6 in Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server.
For details about configuring an LDAP identity store, see Section 3.1.2, "Oracle WebLogic Authenticators," and Section 3.1.3, "WebSphere Identity Stores."
Note:
OPSS does not support automatic backup or recovery of server files. It is recommended that the server administrator periodically back up all server configuration files, as appropriate. For details about backing up and recovering Oracle Fusion Middleware, see chapter 15, Introducing Backup and Recovery, in Oracle Fusion Middleware Administrator's Guide.
A new production environment based on an existing environment can be set up in either of the following ways:
Replicating an established environment using Oracle Cloning utilities. For details, see section 9.5, Cloning Oracle Fusion Middleware Entities, in Oracle Fusion Middleware Administrator's Guide.
Reinstalling software and configuring the environment, as it was done to set up the established environment.
Fusion Middleware Control is a Web-based tool that allows the administration of a network of applications from a single point. Fusion Middleware Control is used to deploy, configure, monitor, diagnose, and audit Oracle SOA applications, Oracle ADF applications, Oracle WebCenter, and other Oracle applications using OPSS. Note that this section mentions only security-related operations.
With regard to security, the tool supports several administration tasks; using it, an administrator can:
Post-installation and before deploying applications, reassociate the policy and credential stores; for details, see Section 8.5.1, "Reassociating with Fusion Middleware Control."
Post-installation and before deploying applications, define OPSS properties. For details, see Section 8.7, "Configuring the Identity Provider, Property Sets, and SSO."
At deploy time, configure the automatic migration of file-based application policies and credentials to LDAP-based domain policies and credentials.
For details see:
For each application after it is deployed:
Manage application policies. For details, see Section 9.1, "Managing the Policy Store."
Manage credentials; for details, see Section 10.2, "Managing the Credential Store."
Specify the mapping from application roles to users, groups, and application roles. For details, see Section 9.2.2, "Managing Application Roles."
For the domain, manage system policies; for details see Section 9.2.3, "Managing System Policies."
For the domain, manage OPSS properties; for details see Section 8.7, "Configuring the Identity Provider, Property Sets, and SSO."
For a summary of security administrative tasks and the tools used to execute them, see Basic Security Administration Tasks.
For further details about other functions, see the Fusion Middleware Control online help documentation.
For details about managing Oracle Fusion Middleware on WebSphere Application Server, see Oracle Fusion Middleware Third-Party Application Server Guide.
The Oracle WebLogic Administration Console is a Web-based tool that allows, among other functions, application deployment and redeployment, domain configuration, and monitoring of application status. Note that this section mentions only security-related operations.
Typical tasks performed with the Oracle WebLogic Administration Console include the following:
Starting and stopping Oracle WebLogic Servers; for details see section Starting and Stopping Servers in Oracle Fusion Middleware Managing Server Startup and Shutdown for Oracle WebLogic Server.
Configuring Oracle WebLogic Servers and Domains; for details see section Configuring Existing Domains in Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
Deploying applications; for details, see Oracle Fusion Middleware Deploying Applications to Oracle WebLogic Server.
Configuring fail over support; for details see section Failover and Replication in a Cluster in Oracle Fusion Middleware Using Clusters for Oracle WebLogic Server.
Enabling the use of Single Sign-On for MS clients, Web browsers, and HTTP clients.
Managing administrative users and administrative policies.
For details about Oracle WebLogic Administration Console, see Oracle Fusion Middleware Oracle WebLogic Server Administration Console Help.
Typical security tasks performed with Oracle Authorization Policy Manager include the following:
Searching application security artifacts.
Managing application security artifacts, including policies.
Viewing the external role hierarchy.
Managing the application role hierarchy.
For a list of some of the most frequent security tasks to administer application security with Oracle Authorization Policy Manager, see Oracle Fusion Middleware Administrator's Guide for Authorization Policy Manager.
Most of the operations available in the Oracle WebLogic Administration Console can be effected with OPSS scripts, a set of command-line interfaces that allow the scripting and automation of administration tasks, including domain configuration and application deployment.
For the list of security-related OPSS scripts, see Appendix I, "OPSS Scripts." For the complete list of WLST scripts, see Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
For details about managing Oracle Fusion Middleware on WebSphere Application Server, see Oracle Fusion Middleware Third-Party Application Server Guide.