24-2 Oracle Fusion Middleware Application Security Guide ■ supports file-based Oracle wallet and LDAP-based credential management Critical create, update, delete functions provided by the CSF API include: ■ verifying if a credential map, or a credential with a given key, exists in the store ■ returning credentials associated with mapname, key ■ assigning credentials to mapname, key ■ deleting credentials associated with a given map name, or a given map name and key ■ resetting credentials for a specified mapname, key Operations on CredentialStore are secured by CredentialAccessPermission, which implements the fine-grained access control model utilized by CSF.

24.2 Overview of Application Development with CSF

Knowledge of the following areas is helpful in getting your applications to work with the credential store framework: ■ Determining appropriate map names and key names to use. This is critical in an environment with multiple applications storing credentials in the common credential store. ■ Provisioning Java security policies. Policy permissions are set in the policy store, which can be file-based system-jazn-data.xml or LDAP-based. Setting appropriate permissions to enable application usage without compromising the security of your data requires careful consideration of permission settings. ■ How to define the credential store instance in jps-config.xml. You will need to define the service instance in jps-config.xml only if manually crafting the configuration file. ■ Steps to take in setting up the environment. The steps are different for stand-alone applications and those that operate in an Oracle WebLogic Server environment. Subsequent sections provide details about each of these tasks.

24.3 Setting the Java Security Policy Permissions

The Oracle Platform Security Services policy provider is set when the server is started. When the provider is file-based, the policy data is stored in system-jazn-data.xml. See Also: ■ Chapter 10, Managing the Credential Store See Also: Section 9.1, Managing the Policy Store . Note: The file-based provider is already configured by default, and can be changed to an LDAP-based provider. See Section 8.6, Migrating the OPSS Security Store . Developing with the Credential Store Framework 24-3 CSF supports securing credentials: ■ at the map level, or ■ with finer granularity for specific mapname, key

24.3.1 Guidelines for Granting Permissions

The Credential Store Framework relies on Java permissions to grant permissions to credential store objects. It is highly recommended that only the requisite permissions be granted, and no more.

24.3.2 Permissions Grant Example 1

The CredentialStore maintains mappings between map names and credential maps. Each map name is mapped to a CredentialMap, which is a secure map of keys to Credential objects. This example grants permissions for a specific map name and a specific key name of that map. jazn-policy grant grantee principals...principals -- This is the location of the jar -- -- as loaded with the run-time -- codesource urlfile:{oracle.deployed.app.dir}MyApp{oracle.deployed.app.ext}url codesource grantee permissions permission classoracle.security.jps.service.credstore. CredentialAccessPermissionclass namecontext=SYSTEM,mapName=myMap,keyName=myKeyname -- All actions are granted -- actionsactions permission permissions grant Notes: ■ To properly access the CSF APIs, you need to grant Java permissions in the policy store. ■ The code invoking CSF APIs needs code source permission. The permissions are typically for specific code jars and not for the complete application. WARNING: It is risky and inadvisable to grant unnecessary permissions, particularly permissions to all maps andor keys. Note: In the examples, the application jar file name is AppName.jar.