Audit Levels About Auditing in Oracle Identity Federation

■ Security.FAILUREONLY
  – CreateSignature.FAILUREONLY
  – VerifySignature.FAILUREONLY
  – EncryptData.FAILUREONLY
  – DecryptData.FAILUREONLY

Events Audited at Custom Level

The Custom audit level allows you to select only the events you wish to audit.

7.4.2 Configuring Auditing for Oracle Identity Federation

You can use Oracle Enterprise Manager Fusion Middleware Control or the WLST command-line interface to configure auditing. Take these steps to get started with configuring auditing in Fusion Middleware Control:

1. Log in to Fusion Middleware Control and navigate to the Identity Management domain.

2. In the WebLogic Domain drop-down menu, select Security, then Audit Policy.

3. Select the Oracle Identity Federation component.

4. In the Audit Level menu, select the desired audit level.

   You can view the audit policies that will be enforced in each category by clicking the + sign next to the component to expand it.

5. Optionally, in the Users text box, add users who will always be audited for all events, regardless of the audit level.

6. Click Apply.

7.4.2.1 Configuring Auditing at the Custom Level

Take these steps if you are configuring audit policies and wish to use the Custom audit level:

1. In the Audit Level menu, select Custom as the audit level.

2. Select the events to audit in the table of events:
   ■ Click the + sign next to the component name to get the list of audit event categories.
   ■ Click the + sign next to the category name to get the list of events.
   ■ Click the + sign next to the event name to get the Success/Failure audit options.

3. Check the Enable Audit box next to the events or categories you want to audit. For example, checking the box next to Security audits all security events; checking the box next to the CreateUserSession Failure event audits all CreateUserSession failure events.

4. Optionally, add filters for fine-grained auditing. Click the pencil icon to the right of the event or category name and add the desired filter conditions.

5. Click OK when finished.

Note: If the selected level is Custom, refer to Section 7.4.2.1, Configuring Auditing at the Custom Level.

See Also: Configuring and Managing Auditing in the Oracle Fusion Middleware Application Security Guide.
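Once a policy is applied, the audited events land in the bus-stop file whose location Section 7.4.3 gives (domain_home/servers/server_name/logs/auditlogs/OIF/audit.log) unless a database audit store is configured. The following shell script is an added example and is not code from the Oracle guide: it summarises failed events in such a file and lists every event recorded for one initiator (useful for the users placed on the always-audited list in step 5 of Section 7.4.2). The column layout it relies on, a "#Fields:" header line naming tab-separated attributes such as Initiator, EventType and EventStatus, is an assumption about the bus-stop format, and the log it writes is a constructed sample; because the script reads the header line to locate columns by name, it adapts to whatever attributes the real file lists. All function names and sample values are illustrative.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Assumes the bus-stop file starts
# with a "#Fields:" line naming its tab-separated columns; other "#" lines are
# skipped. Columns are located by name from that header, not by fixed position.

# Prints "count<TAB>EventType<TAB>Initiator" for every event whose EventStatus
# is "false" in the audit file $1, most frequent first.
oif_failed_events() {
    awk -F '\t' '
        /^#Fields:/ {                       # $1 is the literal "#Fields:" token,
            for (i = 2; i <= NF; i++)       # so data column k is header field k+1
                col[$i] = i - 1
            next
        }
        /^#/ { next }                       # remarks and other header lines
        NF < 3 { next }                     # blank or truncated lines
        $(col["EventStatus"]) == "false" {
            n[$(col["EventType"]) "\t" $(col["Initiator"])]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' "$1" | sort -rn
}

# Prints "Date Time<TAB>EventType<TAB>EventStatus" for every event whose
# Initiator is $2 in the audit file $1, regardless of success or failure.
oif_events_for_user() {
    awk -F '\t' -v who="$2" '
        /^#Fields:/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        $(col["Initiator"]) == who {
            printf "%s %s\t%s\t%s\n", $(col["Date"]), $(col["Time"]),
                   $(col["EventType"]), $(col["EventStatus"])
        }
    ' "$1"
}

# Writes a constructed sample log (not a real OIF log) in the assumed layout
# to $1. Event names are those the guide lists for the Security category.
oif_write_sample_log() {
    {
        printf '#Fields:\tDate\tTime\tInitiator\tEventType\tEventStatus\tMessageText\tRemoteIP\n'
        printf '#Remark:\tconstructed sample for the example, not a real OIF bus-stop file\n'
        printf '2011-03-01\t10:15:02.113\talice\tCreateUserSession\ttrue\tSession created\t10.0.0.5\n'
        printf '2011-03-01\t10:15:07.420\tbob\tCreateUserSession\tfalse\tAuthentication failed\t10.0.0.9\n'
        printf '2011-03-01\t10:15:09.001\tbob\tCreateUserSession\tfalse\tAuthentication failed\t10.0.0.9\n'
        printf '2011-03-01\t10:16:11.777\t-\tVerifySignature\tfalse\tSignature invalid\t198.51.100.7\n'
        printf '2011-03-01\t10:16:30.005\tcarol\tCreateSignature\ttrue\tAssertion signed\t10.0.0.12\n'
        printf '2011-03-01\t10:17:02.340\tbob\tCreateUserSession\tfalse\tAuthentication failed\t10.0.0.9\n'
    } > "$1"
}

# With a path argument, report on that audit file; with none, run the report
# on the constructed sample so the script can be tried without a domain.
if [ $# -gt 0 ]; then
    oif_failed_events "$1"
else
    tmp=$(mktemp -d) || exit 1
    oif_write_sample_log "$tmp/audit.log"
    echo "# failed events (count, type, initiator):"
    oif_failed_events "$tmp/audit.log"
    echo "# all events for initiator bob:"
    oif_events_for_user "$tmp/audit.log" bob
    rm -rf "$tmp"
fi
```

Run it as `sh oif_audit_report.sh domain_home/servers/server_name/logs/auditlogs/OIF/audit.log` on a managed server; if the real header names the status or initiator attribute differently from what is assumed here, adjust the three `col[...]` lookups to the names the `#Fields:` line actually carries.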

7.4.3 Viewing Audit Data

Your audit data may reside in files, also known as bus-stop files, or it may reside in a database audit store.

If the audit data resides in a bus-stop file, you can query the file directly at this location:

domain_home/servers/server_name/logs/auditlogs/OIF/audit.log

If the audit data resides in a database, you can use a tool like Oracle Business Intelligence Publisher to view audit reports.

See Also: Configuring and Managing Auditing in the Oracle Fusion Middleware Application Security Guide for details about audit policy configuration.

See Also: Using Audit Analysis and Reporting in the Oracle Fusion Middleware Application Security Guide.

8 Security

This chapter describes Oracle Identity Federation security topics, including:
■ Configuring SSL for Oracle Identity Federation
■ Managing Signing and Encryption Wallets
■ Setting up JCE Policy Files for Oracle WebLogic Server

8.1 Configuring SSL for Oracle Identity Federation

Oracle Identity Federation supports only one password for the signing and encryption keystores, and uses that password to open both the keystore and the private key. If a keystore is configured with a store password that differs from the key password, an error occurs when Oracle Identity Federation tries to access the private key. To avoid this error, ensure that the private-key password for the configured key alias is the same as the keystore password.

This section contains these topics:
■ Configuring Oracle Identity Federation as an SSL Server
■ Configuring Oracle Identity Federation as an SSL Client

8.1.1 Configuring Oracle Identity Federation as an SSL Server

This section explains how to configure the SSL port for Oracle WebLogic Server, and how to configure Oracle Identity Federation to use SSL.

Note: In Oracle Identity Federation 11g Release 1 (11.1.1), if you change the key password to match the keystore password, you must remove the old keystore/wallet from the configuration.

Note: Keystores, trusted certificates and certificates for Oracle Identity Federation are managed the same way as they are for any other Oracle Fusion Middleware component. For details, see the Oracle Fusion Middleware Administrator's Guide.
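The password constraint stated in Section 8.1 (one password opens both the keystore and the private key) is easy to violate with a JKS keystore, because keytool lets the key password differ from the store password. The following shell script is an added example, not code from the Oracle guide or the product: it checks whether the private key under a given alias can be recovered with the store password, which is exactly what Oracle Identity Federation attempts, and aligns the key password if it cannot. It uses only the JDK keytool; the keystore path, alias and passwords are illustrative, and the demonstration builds a throwaway keystore with mismatched passwords rather than touching a real one.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Requires the JDK keytool on PATH.
# A JKS keystore is used deliberately: PKCS12 stores cannot hold a key
# password that differs from the store password, so the mismatch this section
# warns about only arises with JKS.

# Returns 0 when the key under alias $2 in JKS keystore $1 can be recovered
# with the store password $3 alone. "keytool -certreq" recovers the private
# key using -keypass and fails with "Cannot recover key" when that password
# is wrong; it does not modify the keystore, so it serves as a read-only
# check. The certificate request it writes to stdout is discarded.
oif_key_password_matches() {
    keytool -certreq -keystore "$1" -storetype JKS -alias "$2" \
        -storepass "$3" -keypass "$3" >/dev/null 2>&1
}

# Changes the key password of alias $2 in keystore $1 from $4 to the store
# password $3. After doing this on a real keystore, remove the old
# keystore/wallet from the OIF configuration and register it again, as the
# note in Section 8.1.1 requires.
oif_align_key_password() {
    keytool -keypasswd -keystore "$1" -storetype JKS -alias "$2" \
        -storepass "$3" -keypass "$4" -new "$3" >/dev/null 2>&1
}

# Creates a throwaway JKS keystore $1 whose store password ($3) and key
# password ($4) differ: the misconfiguration that makes OIF fail when it
# opens the private key. The subject name is a placeholder.
oif_make_mismatched_keystore() {
    keytool -genkeypair -keystore "$1" -storetype JKS -alias "$2" \
        -storepass "$3" -keypass "$4" -keyalg RSA -keysize 2048 \
        -dname "CN=oif-example, O=Example" -validity 30 >/dev/null 2>&1
}

# Demonstration on a temporary keystore: detect the mismatch, fix it, and
# check again. Prints "mismatch" on the first check and "ok" on the second.
oif_keystore_demo() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; return 2; }
    dir=$(mktemp -d) || return 1
    ks="$dir/oif-signing.jks"
    oif_make_mismatched_keystore "$ks" oif storepw keypw || return 1
    if oif_key_password_matches "$ks" oif storepw; then echo "ok"; else echo "mismatch"; fi
    oif_align_key_password "$ks" oif storepw keypw || return 1
    if oif_key_password_matches "$ks" oif storepw; then echo "ok"; else echo "mismatch"; fi
    rm -rf "$dir"
}

# With three arguments, check a real keystore: path, alias, store password.
# With none, run the demonstration.
if [ $# -eq 3 ]; then
    if oif_key_password_matches "$1" "$2" "$3"; then
        echo "ok: key password for alias $2 equals the store password"
    else
        echo "mismatch: alias $2 cannot be opened with the store password" >&2
        exit 1
    fi
else
    oif_keystore_demo
fi
```

Running `sh oif_keystore_check.sh /path/to/oif.jks signing_alias 'store-password'` before registering a keystore with Oracle Identity Federation catches the mismatch at deployment time rather than at the first signing or decryption request. Passing passwords on the command line exposes them in the process list and shell history, so on a shared host read them from a protected file or prompt for them instead.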