Configuring Security for Oracle CEP 10-25
6. Edit the server.config file <ssl> element as Example 10–10 shows to add the following child elements:
■ enforce-fips: set this option to true.
■ secure-random-algorithm: set this option to FIPS186PRNG.
■ secure-random-provider: set this option to JsafeJCE.
Example 10–10 Editing server.config to Enable FIPS
<ssl>
    <name>sslConfig</name>
    <key-store>./ssl/evsidentity.jks</key-store>
    <key-store-pass>
        <password>s4YUEvH4Wl2DAjb45iJnrw==</password>
    </key-store-pass>
    <key-store-alias>evsidentity</key-store-alias>
    <key-manager-algorithm>SunX509</key-manager-algorithm>
    <ssl-protocol>TLS</ssl-protocol>
    <enforce-fips>true</enforce-fips>
    <need-client-auth>false</need-client-auth>
    <secure-random-algorithm>FIPS186PRNG</secure-random-algorithm>
    <secure-random-provider>JsafeJCE</secure-random-provider>
</ssl>
7. Restart the Oracle CEP server for the changes to take effect. See Section 1.5.4, Starting and Stopping Oracle CEP Servers.
10.7 Configuring HTTPS-Only Connections for Oracle CEP Server
This section describes how to lock down the server so that only HTTPS connections are allowed.
To configure HTTPS-only connections for Oracle CEP server:
1. Ensure that SSL is configured for the server. See Section 10.5, Configuring SSL to Secure Network Traffic for details.
2. Remove the HTTP port configuration from the server's DOMAIN_DIR/servername/config/config.xml file, leaving only the configuration for the HTTPS port.
Example 10–11 shows a config.xml snippet with a standard configuration in which both an HTTP and an HTTPS port have been configured. The HTTP port is 9002 and the HTTPS port is 9003. Clients can access the Jetty server using both ports.
Example 10–11 Typical config.xml File With Both HTTP and HTTPS Access
<netio>
    <name>NetIO</name>
    <port>9002</port>
</netio>
<netio>
    <name>sslNetIo</name>
    <port>9003</port>
    <ssl-config-bean-name>sslConfig</ssl-config-bean-name>
</netio>
<jetty>
10-26 Oracle Complex Event Processing Administrators Guide
    <name>JettyServer</name>
    <network-io-name>NetIO</network-io-name>
    <secure-network-io-name>sslNetIo</secure-network-io-name>
    ...
</jetty>
<ssl>
    <name>sslConfig</name>
    <key-store>./ssl/evsidentity.jks</key-store>
    ...
</ssl>
Example 10–12 shows the same config.xml file with HTTP access removed. Clients can now access the Jetty server only using the HTTPS port.
Example 10–12 Typical config.xml File With HTTP Access Removed
<netio>
    <name>sslNetIo</name>
    <port>9003</port>
    <ssl-config-bean-name>sslConfig</ssl-config-bean-name>
</netio>
<jetty>
    <name>JettyServer</name>
    <secure-network-io-name>sslNetIo</secure-network-io-name>
    ...
</jetty>
<ssl>
    <name>sslConfig</name>
    <key-store>./ssl/evsidentity.jks</key-store>
    ...
</ssl>
3. If you have a multi-server domain, be sure that SSL has been configured between the member servers. See Section 10.5.3, How to Configure SSL in a Multi-Server Domain for Oracle CEP Visualizer for details.
10.8 Configuring Security for Oracle CEP Server Services
After you complete basic security tasks such as configuring Java SE security, a security service provider, and SSL, you can configure security details specific to the various services that Oracle CEP server provides.
This section describes:
■ Section 10.8.1, Configuring Jetty Security
■ Section 10.8.2, Configuring JMX Security
■ Section 10.8.3, Configuring JDBC Security
■ Section 10.8.4, Configuring HTTP Publish-Subscribe Server Channel Security
10.8.1 Configuring Jetty Security
Oracle CEP supports Jetty (see http://www.mortbay.org) as a Java Web server to deploy HTTP servlets and static resources.
The following security tasks affect Jetty configuration:
■ Section 10.2, Configuring Java SE Security for Oracle CEP Server
■ Section 10.5, Configuring SSL to Secure Network Traffic
For more information on Jetty, see Chapter 11, Configuring Jetty for Oracle CEP.
10.8.2 Configuring JMX Security
Clients that access the Oracle CEP server using JMX are subject to Oracle CEP role-based authentication.
For more information, see:
■ Section 10.1.3, Users, Groups, and Roles
■ Managing Groups in the Oracle Complex Event Processing Visualizer User's Guide
■ Managing Users in the Oracle Complex Event Processing Visualizer User's Guide
For more information about JMX, see Chapter 12, Configuring JMX for Oracle CEP.
10.8.3 Configuring JDBC Security
If you update a data-source with a new password using the Configuration Wizard, the Configuration Wizard performs password encryption for you.
If you update the config.xml file manually by adding or modifying a data-source element, you enter the password in plain text and then encrypt the password using the encryption utility encryptMSAConfig.
Example 10–13 shows a config.xml file data-source element with a new plain-text password (secret) specified in the properties element whose name is password.
Example 10–13 Oracle CEP config.xml File data-source Element Before Encryption
<data-source>
    <name>epcisDS</name>
    <driver-params>
        <url>jdbc:sqlserver://localhost:1433;databaseName=myDB;SelectMethod=cursor</url>
        <driver-name>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-name>
        <properties>
            <element>
                <name>user</name>
                <value>juliet</value>
            </element>
            <element>
                <name>password</name>
                <value>secret</value>
            </element>
        </properties>
    </driver-params>
</data-source>
<transaction-manager>
    <name>TM</name>
    <rmi-service-name>RMI</rmi-service-name>
</transaction-manager>
Example 10–14 shows the config.xml file data-source element after encryption. Note that the plain-text password has been encrypted.
Example 10–14 Oracle CEP config.xml File data-source Element After Encryption
<data-source>
    <name>epcisDS</name>
    <driver-params>
        <url>jdbc:sqlserver://localhost:1433;databaseName=myDB;SelectMethod=cursor</url>
        <driver-name>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-name>
        <properties>
            <element>
                <name>user</name>
                <value>juliet</value>
            </element>
            <element>
                <name>password</name>
                <value>{Salted-3DES}hVgC5iZ3nZA=</value>
            </element>
        </properties>
    </driver-params>
</data-source>
<transaction-manager>
    <name>TM</name>
    <rmi-service-name>RMI</rmi-service-name>
</transaction-manager>
For more information, see:
■ Section 10.1.8, Specifying User Credentials When Using the Command-Line Utilities
■ Section C.2, The encryptMSAConfig Command-Line Utility
For more information about JDBC, see Chapter 13, Configuring JDBC for Oracle CEP.
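The three edits this chapter asks for (the FIPS child elements on the ssl element in step 6 of Section 10.6, the removal of the plain HTTP netio from the Jetty configuration in Section 10.7, and the encrypted JDBC password in Section 10.8.3) are each easy to forget on one server of a domain. The following script, an added example that is not an Oracle utility or part of this guide, reads a config.xml and reports which of the three settings is missing. The element names are those shown in Examples 10–10 through 10–14; the two sample documents, the check labels and the function names are constructed for this example, and the samples omit the XML namespace declarations a real config.xml carries (with a namespaced file, the tag lookups would need the namespace prefix).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Examples 10-11 and 10-13 (no namespace
# declarations, so plain tag names match): HTTP port still open, FIPS not
# enforced, JDBC password still in plain text.
CONFIG_BEFORE = """<config>
  <netio><name>NetIO</name><port>9002</port></netio>
  <netio><name>sslNetIo</name><port>9003</port>
    <ssl-config-bean-name>sslConfig</ssl-config-bean-name></netio>
  <jetty><name>JettyServer</name>
    <network-io-name>NetIO</network-io-name>
    <secure-network-io-name>sslNetIo</secure-network-io-name></jetty>
  <ssl><name>sslConfig</name><key-store>./ssl/evsidentity.jks</key-store>
    <ssl-protocol>TLS</ssl-protocol></ssl>
  <data-source><name>epcisDS</name><driver-params><properties>
    <element><name>user</name><value>juliet</value></element>
    <element><name>password</name><value>secret</value></element>
  </properties></driver-params></data-source>
</config>"""

# The same constructed file after the chapter's edits (Examples 10-10,
# 10-12 and 10-14 applied).
CONFIG_AFTER = """<config>
  <netio><name>sslNetIo</name><port>9003</port>
    <ssl-config-bean-name>sslConfig</ssl-config-bean-name></netio>
  <jetty><name>JettyServer</name>
    <secure-network-io-name>sslNetIo</secure-network-io-name></jetty>
  <ssl><name>sslConfig</name><key-store>./ssl/evsidentity.jks</key-store>
    <ssl-protocol>TLS</ssl-protocol><enforce-fips>true</enforce-fips>
    <secure-random-algorithm>FIPS186PRNG</secure-random-algorithm>
    <secure-random-provider>JsafeJCE</secure-random-provider></ssl>
  <data-source><name>epcisDS</name><driver-params><properties>
    <element><name>user</name><value>juliet</value></element>
    <element><name>password</name><value>{Salted-3DES}hVgC5iZ3nZA=</value></element>
  </properties></driver-params></data-source>
</config>"""

# Child values a FIPS-enforcing <ssl> element must carry (step 6 of 10.6).
FIPS_SETTINGS = {
    "enforce-fips": "true",
    "secure-random-algorithm": "FIPS186PRNG",
    "secure-random-provider": "JsafeJCE",
}


def _text(parent, tag):
    """Text of a direct child element, stripped, or None if absent/empty."""
    child = parent.find(tag)
    return child.text.strip() if child is not None and child.text else None


def audit_config(xml_text):
    """Return (check, message) findings; an empty list means all checks pass."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. FIPS: each <ssl> bean needs all three child elements from Example 10-10.
    for ssl in root.iter("ssl"):
        for tag, expected in FIPS_SETTINGS.items():
            if _text(ssl, tag) != expected:
                findings.append(("fips", f"ssl '{_text(ssl, 'name')}': "
                                 f"{tag} should be {expected}"))

    # 2. HTTPS-only: Jetty must not reference a plain <network-io-name>, and
    #    no <netio> without an <ssl-config-bean-name> (a clear-text listener)
    #    should remain, mirroring the edit from Example 10-11 to Example 10-12.
    for jetty in root.iter("jetty"):
        plain = _text(jetty, "network-io-name")
        if plain is not None:
            findings.append(("https-only", f"jetty '{_text(jetty, 'name')}': "
                             f"still bound to HTTP network-io '{plain}'"))
    for netio in root.iter("netio"):
        if netio.find("ssl-config-bean-name") is None:
            findings.append(("https-only", f"netio '{_text(netio, 'name')}': "
                             f"port {_text(netio, 'port')} has no ssl-config-bean-name"))

    # 3. JDBC: a password property must carry the {Salted-3DES} prefix that
    #    encryptMSAConfig writes (Example 10-14); anything else is plain text.
    for ds in root.iter("data-source"):
        for element in ds.iter("element"):
            if _text(element, "name") == "password":
                value = _text(element, "value") or ""
                if not value.startswith("{Salted-3DES}"):
                    findings.append(("jdbc-password", f"data-source '{_text(ds, 'name')}': "
                                     "password is not encrypted; run encryptMSAConfig"))
    return findings


if __name__ == "__main__":
    for label, doc in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        result = audit_config(doc)
        print(f"{label}: {len(result)} finding(s)")
        for check, message in result:
            print(f"  [{check}] {message}")
```

Run against the "before" sample the script reports six findings (the three FIPS child elements, the HTTP network-io reference in the jetty element, the NetIO listener with no ssl-config-bean-name, and the plain-text password); against the "after" sample it reports none. The script only reads the file: the password itself must still be produced by encryptMSAConfig, because the script cannot generate the {Salted-3DES} value that the server expects.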
10.8.4 Configuring HTTP Publish-Subscribe Server Channel Security
After you configure at least one HTTP publish-subscribe server channel, you can use role-based authentication to control access to individual HTTP publish-subscribe server channels using the Oracle CEP Visualizer.
For more information, see:
■ Section 10.1.3, Users, Groups, and Roles
■ Chapter 14, Configuring HTTP Publish-Subscribe for Oracle CEP
■ Configuring Security for the HTTP Publish-Subscribe Channels in the Oracle Complex Event Processing Visualizer User's Guide.
10.9 Configuring the Oracle CEP Security Auditor
Oracle CEP provides a security auditor that logs security-related activity. By default, the security auditor logs to the DOMAIN_DIR/servername/legacy-rootdir/servers/legacy-server-name/logs/DefaultAuditRecorder.log file, where DOMAIN_DIR refers to the main directory of your domain, such as d:\oracle_cep\user_projects\domains\mydomain, and servername refers to the name of your server.
By default, the Oracle CEP security auditor will only log security errors or failures. This helps keep the security auditor log file at a manageable size.
Optionally, you can configure the level at which the Oracle CEP security auditor logs information.
For more information, see Configuring the WebLogic Auditing Provider in the Oracle Fusion Middleware Securing Oracle WebLogic Server.
To configure security auditor logging:
1. Change to the DOMAIN_DIR/servername/config directory, where DOMAIN_DIR refers to the main directory of your domain, such as d:\oracle_cep\user_