Querying the Identity Store Programmatically
8.2.1 Multiple-Node Server Environments
In domains where several server instances are distributed across multiple machines, it is highly recommended that the OPSS security store be LDAP- or DB-based. Typically, applications do not change policy, credential, or key data. When they do, however, it is crucial that these changes be correctly propagated to all managed servers and clusters in a domain and, therefore, it is recommended that any such changes be performed in the domain administration server and not in managed servers. In a single-node server domain, the propagation of local changes to security data is irrelevant: in this scenario, local changes are equivalent to global changes. In a multiple-node server domain, however, the JMX framework propagates local changes to a file-based policy to each runtime environment, so that the data is refreshed based on caching policies and configuration. For details about properties you can set on policies and credentials, see sections Appendix F.2.1, Policy Store Properties, and Appendix F.2.2, Credential Store Properties. To summarize, in a multiple-node server environment, it is highly recommended that: ■ Both the policy and credential stores be centralized in a LDAP-based store and configured in the administration server. ■ Or, if they are file-based, then local changes to policy or credential data be performed only by the domain administration server to ensure that they are correctly propagated from the administration server to all managed servers in the domain.8.2.2 Prerequisites to Using an LDAP-Based Security Store
The only supported LDAP-based OPSS security store is Oracle Internet Directory. In order to ensure the proper access to the Oracle Internet Directory, you must set a node in the server directory as explained below. Fusion Middleware Control automatically provides bootstrap credentials in the file cwallet.sso when that tool is used to reassociate to an LDAP-based repository. To specify these required credentials manually, see section Section 21.4.7, Specifying Bootstrap Credentials Manually. Setting a Node in an Oracle Internet Directory Server The following procedure is carried out by an Oracle Internet Directory administrator. To set a node in the LDAP Oracle Internet Directory directory, proceed as follows: 1. Create an LDIF file assumed jpstestnode.ldif, for illustration purpose specifying the following DN and CN entries: dn: cn=jpsroot cn: jpsroot objectclass: top objectclass: OrclContainer 8-4 Oracle Fusion Middleware Application Security Guide The distinguished name of the root node illustrated by the string jpsroot above must be distinct from any other distinguished name. Some LDAP servers enforce case sensitivity by default. One root node can be shared by multiple WebLogic domains. It is not required that this node be created at the top level, as long as read and write access to the subtree is granted to the Oracle Internet Directory administrator. 2. Import this data into the LDAP server using the command ldapadd, as illustrated in the following example there should be no line break in the command invocation: ldapadd -h ldap_host -p ldap_port -D cn=orcladmin -w password -v -f jpstestnode.ldif 3. Verify that the node has been successfully inserted using the command ldapsearch, as illustrated in the following example there should be no line break in the command invocation: ldapsearch -h ldap_host -p ldap_port -D cn=orcladmin -w password -s base -b cn=jpsroot objectclass=orclContainer 4. Run the utility oidstats.sql to generate database statistics for optimal database performance, as illustrated in the following example: ORACLE_HOMEldapadminoidstats.sql The above utility must be run just once after the initial provisioning. For details about this utility, consult the Oracle Fusion Middleware User Reference for Oracle Identity Management. To reassociate a policy store, see Reassociating the OPSS Security Store .8.3 Using a DB-Based OPSS Security Store
A DB-based security store is typically used in production environments. The only supported DB-based security store is Oracle RDBMS releases 10.2.0.4 or later; releases 11.1.0.7 or later; and releases 11.2.0.1 or later. To use a DB-based OPSS security store the domain administrator must configure it, as appropriate, using Oracle Enterprise Manager Fusion Middleware Control or OPSS scripts. For a list of properties that can be configured, see Appendix F.2, OPSS Configuration Properties. This section contains the following topics: ■ Prerequisites to Using a DB-Based Security Store ■ Maintaining a DB-Based Security Store ■ Setting Up an SSL Connection to the DB8.3.1 Prerequisites to Using a DB-Based Security Store
To use a database repository for the OPSS security store, one must first use Oracle Fusion Middleware Repository Creation Utility RCU to create the required schema and to seed some initial data. This setup is also required before reassociating the OPSS security store to a DB-based security store. Configuring the OPSS Security Store 8-5 For details about RCU, see chapters Repository Creation Utility Overview and Running Repository Creation Utility in Oracle Fusion Middleware Repository Creation Utility Users Guide. The creation the schema and seeding of initial data are explained in the following sections: ■ Creating the OPSS Schema in an Oracle Database ■ Dropping the OPSS Schema in an Oracle Database ■ Creating a Data Source Instance8.3.1.1 Creating the OPSS Schema in an Oracle Database
To create the OPSS schema in an Oracle database with RCU, proceed as follows:1. Start RCU to display the RCU Welcome page; in this page, click Next to display
the Create Repository page. 2. In that page, select the radio button Create; then click Next to display the Database Connections Details page.3. In that page, enter the appropriate connectivity information: Database Type, Host
Name, Port, Service Name, Username, Password, and Role. Then click Next to have RCU check the entered data and perform pre-creation operations; once this check is successfully completed, RCU displays the Select Components dialog.4. In that dialog, choose to use an existing schema prefix or create a new prefix, and
pick the OPSS component to install the schema. When finished selecting components, click Next to display the Schema Passwords dialog where you supply passwords, and then click Next to display the Map Tablespaces dialog which shows the tablespace summary. Use one default tablespace and one temporary tablespace; the default tablespace names are PREFIX_IAS_OPSS and PREFIX_IAS_TEMP, respectively. To create a non-default tablespace or datafile, click the button Manage Tablespaces to display the Manage Tablespaces dialog, where you can specify the information to create them. When finished, click OK. If the specified tablespaces are not yet in the database, RCU creates them and informs about this in the Creating Tablespaces ; click OK to display the Summary dialog, which displays the summary of data you have entered, and then click Create to effect the creation of the additional tablespaces or datafiles.5. When the creation is completed, RCU displays the Completion Summary, which
shows the database details. 6. Invoke the SQLPlus command illustrated below to verify that the database schema has been properly created: SQL desc jps_dn;8.3.1.2 Dropping the OPSS Schema in an Oracle Database
Dropping the OPSS schema is required only if one no longer wishes to use that DB for storing OPSS security policies. After the OPSS schema has been successfully created, use RCU to drop the OPSS schema as follows: 8-6 Oracle Fusion Middleware Application Security Guide1. Start RCU to display the RCU Welcome page; in this page, click Next to display
the Drop Repository page. 2. In that page, select the radio button Drop; then click Next to display the Database Connections Details page. 3. In that page, enter the appropriate connectivity information: Database Type, Host Name, Port, Service Name, Username, Password, and Role. Then click Next to display the Select Components dialog.4. In that dialog, select the prefix and, in the Component hierarchy, check AS
Common Schemas and Oracle Platform Security Services; then click Next to display the Summary page.5. In that page, verify that the details gathered are correct, and click Drop to trigger
the dropping; when the operation is successfully completed, RCU displays the Completion Summary page detailing the schema dropped.8.3.1.3 Creating a Data Source Instance
To create a data source instance, see section Creating a JDBC Data Source in Oracle Fusion Middleware Configuring and Managing JDBC for Oracle WebLogic Server. The JNDI name of the JDBC data source entered in the procedure in that section is used in the configuration of a DB-based store. To set up a data source on WebSphere Application Server, see Oracle Fusion Middleware Third-Party Application Server Guide.8.3.2 Maintaining a DB-Based Security Store
This section describes a few tasks that an administrator can follow to maintain a DB-based security store. A DB-based security store maintains a change log that should be periodically purged. To purge it, an administrator can use the provided SQL script opss_purge_changelog.sql, which will purge change logs older than 24 hours, or connect to the database and run SQL delete with the appropriate arguments as illustrated in the following lines: SQLdelete from jps_changelog where createdate selectmaxcreatedate - 1 from jps_changelog; SQLCommit; If the OPSS management API performs slowly while accessing the DB-based security store, run the DBMS_STATS package to gather statistics about the physical storage of a DB table, index, of cluster. This information is stored in the data dictionary and can be used to optimize the execution plan for SQL statements accessing analyzed objects. When loading large amount of data into a DB-based security store, such as when creating thousands of new application roles, it is recommended that DBMS_STATS be run within short periods and concurrently with the loading activity. Otherwise, when the loading activity is small, DBMS_STATS needs to be run just once and according to your needs. The following sample illustrates the use of DBMS_STATS: Note: 11.2 Oracle JDBC driver deprecated the following time zones: EtcUCT, UCT, EtcUTC, EtcUniversal, EtcZulu, and Universal. When setting a time zone for your Oracle JDBC driver, make sure that it is a non-deprecated time zone.Parts
» Oracle Fusion Middleware Online Documentation Library
» OPSS Main Features What is Oracle Platform Security Services?
» Supported Server Platforms What is Oracle Platform Security Services?
» Scenario 3: Securing a Java SE Application
» Oracle ADF Security Overview OPSS for Administrators Terminology
» Permission Inheritance and the Role Hierarchy
» The Authenticated Role Oracle Fusion Middleware Online Documentation Library
» Administrative Users and Roles Managing User Accounts The Role Category
» Supported LDAP Identity Store Types
» Oracle WebLogic Authenticators Authentication Basics
» Policy Store Basics Oracle Fusion Middleware Online Documentation Library
» Credential Store Basics Oracle Fusion Middleware Online Documentation Library
» Supported LDAP-, DB-, and File-Based Services
» Management Tools Oracle Fusion Middleware Online Documentation Library
» Packaging Requirements Example Scenarios
» Other Scenarios Oracle Fusion Middleware Online Documentation Library
» Choosing the Administration Tool According to Technology
» Setting Up a Brand New Production Environment
» Typical Security Practices with Typical Security Practices with the Administration Console
» Overview Oracle Fusion Middleware Online Documentation Library
» Deploying Java EE and Oracle ADF Applications with Fusion Middleware Control
» Deploying to a Test Environment
» Deploying Standard Java EE Applications
» Migrating Providers other than Policy and Credential Providers
» Migrating Large Volume Policy and Credential Stores
» Migrating Audit Policies Migrating from a Test to a Production Environment
» About the Identity Store Service
» Service Architecture Introduction to the Identity Store Service
» Configuring the Identity Store Provider
» What is Configured? Configuring the Identity Store Service
» Configuring the Service for Multiple LDAP using WLST Configuring Other Parameters
» Configuring Split Profiles Configuration in Other Application Servers
» Java SE Environments Configuring the Identity Store Service
» Querying the Identity Store Programmatically
» Introduction to the OPSS Security Store
» Multiple-Node Server Environments Using an LDAP-Based OPSS Security Store
» Prerequisites to Using an LDAP-Based Security Store
» Dropping the OPSS Schema in an Oracle Database
» In that dialog, select the prefix and, in the Component hierarchy, check AS
» Creating a Data Source Instance
» Maintaining a DB-Based Security Store
» Connecting to a DB Server with sqlplus or JDBC OCI Driver This task involves
» Navigate to Data Sources YourDataSourceName Custom Properties.
» Configuring the OPSS Security Store
» Log in to Fusion Middleware Control and navigate to Domain Security
» Click the button Change Association to display the Set Security Provider page,
» If you have selected Database, enter the name of the data source in the Datasource
» Optionally, check the box Use SSL to Connect to establish an anonymous SSL
» In the text box Connect DN, enter the full distinguished name, a string
» In the box Password, enter the user password, also a string containing
» In the Root Node Details area, enter the root DN in the box Root DN, which
» Optionally, in the Policy Store Properties and Credential Store Properties areas,
» Setting Up a One- Way SSL Connection
» Securing Access to Oracle Internet Directory Nodes
» Reassociating with the Script reassociateSecurityStore
» Migrating with Fusion Middleware Control
» Migrating with the Script migrateSecurityStore
» Use the button Delete to remove a selected item from any table. When finished
» Cataloging Oracle Internet Directory Attributes
» To display roles in an application, expand the Search area, choose the application
» To create an application role, click Create to display the Create Application Role
» Click Add Application Role, to display the Add Application Role dialog.
» Select roles from the box Available Roles, as appropriate, and use the buttons
» Click Add Group, to display the Add Group dialog.
» Select groups from the box Available Groups, as appropriate, and use the
» Click Add User, to display the Add User dialog.
» Select users from the box Available Users, as appropriate, and use the buttons
» Click Create Like, to display the Create Application Role Like page. Notice
» Modify the list of roles and users, as appropriate, and then click OK.
» Log in to Fusion Middleware Control and navigate to Domain Security System
» listAppStripes Managing Application Policies with OPSS Scripts
» createAppRole Managing Application Policies with OPSS Scripts
» deleteAppRole grantAppRole Managing Application Policies with OPSS Scripts
» revokeAppRole listAppRoles Managing Application Policies with OPSS Scripts
» listAppRolesMembers grantPermission Managing Application Policies with OPSS Scripts
» revokePermission Managing Application Policies with OPSS Scripts
» listPermissions Managing Application Policies with OPSS Scripts
» deleteAppPolicies createResourceType Managing Application Policies with OPSS Scripts
» getResourceType deleteResourceType Managing Application Policies with OPSS Scripts
» createResource Managing Application Policies with OPSS Scripts
» deleteResource listResources Managing Application Policies with OPSS Scripts
» listResourceActions createEntitlement Managing Application Policies with OPSS Scripts
» getEntitlement Managing Application Policies with OPSS Scripts
» deleteEntitlement Managing Application Policies with OPSS Scripts
» addResourceToEntitlement Managing Application Policies with OPSS Scripts
» revokeResourceFromEntitlement Managing Application Policies with OPSS Scripts
» listEntitlements Managing Application Policies with OPSS Scripts
» grantEntitlement Managing Application Policies with OPSS Scripts
» listResourceTypes reassociateSecurityStore Managing Application Policies with OPSS Scripts
» The user accesses the functionality secured by the application role.
» Granting Policies to Anonymous and Authenticated Roles with WLST Scripts
» Guidelines for Configuring the Policy Store
» Credential Types Managing the Credential Store
» Managing Credentials with Fusion Middleware Control
» listCred Managing Credentials with OPSS Scripts
» updateCred Managing Credentials with OPSS Scripts
» createCred Managing Credentials with OPSS Scripts
» deleteCred Managing Credentials with OPSS Scripts
» modifyBootStrapCredential Managing Credentials with OPSS Scripts
» addBootStrapCredential Managing Credentials with OPSS Scripts
» Objectives of Auditing Benefits and Features of the Oracle Fusion Middleware Audit Framework
» Oracle Fusion Middleware Audit Framework in 11g
» Audit Architecture Oracle Fusion Middleware Audit Framework Concepts
» Key Technical Concepts Oracle Fusion Middleware Audit Framework Concepts
» Audit Record Storage Analytics
» Audit Administration Tasks Oracle Fusion Middleware Online Documentation Library
» Choose Create at the starting screen. Click Next.
» Multiple Data Sources Enter the following details for the new data source:
» Open the opmn.xml file, which resides in
» Configuring the Stand-alone Audit Loader
» If you made any policy changes, click Apply to save the changes. For Java
» Click Select Failures Only to select only failed events in the policy - for example,
» ImportExport - These buttons enable you to save and re-use a policy
» Optionally, under “Users to Always Audit”, a comma-separated list of users can
» Manage Audit Policies Manually
» Audit Log Timestamps Audit Logs
» Schema Overview Advanced Management of Database Store
» Table Attributes Indexing Scheme Backup and Recovery
» Importing and Exporting Data Partitioning
» About Oracle Business Intelligence Publisher
» Install Oracle Business Intelligence Publisher
» Set Up Oracle Reports in Oracle Business Intelligence Publisher
» Configure Scheduler in Oracle Business Intelligence Publisher
» Organization of Audit Reports
» View Audit Reports Oracle Fusion Middleware Online Documentation Library
» Example of Oracle Business Intelligence Publisher Reports
» List of Audit Reports in Oracle Business Intelligence Publisher
» The condition is now included in the report. Be sure to click Save again on the
» Choosing the Right SSO Solution for Your Deployment
» About Using the Identity Asserter Function with Oracle Access Manager
» Choosing Applications for Oracle Access Manager SSO Scenarios and Solutions
» Implementation: Using the Provider with OAM 11g versus OAM 10g
» Requirements for the Provider with Oracle Access Manager
» Setting Up Debugging in the WebLogic Administration Console
» Previewing Pre-Seeded OAM 11g Policies for Use by the OAM 10g AccessGate
» Install and set up Oracle Internet Directory for Oracle Access Manager.
» Optional Installing the Authentication Provider with Oracle Access Manager 11g
» WebGate for Identity Asserter for Single Sign-On
» AccessGate for the Authenticator or for Oracle Web Services Manager
» Provision the agent. For example:
» Locate the remote registration script.
» No Oracle Fusion Middleware Application
» With Oracle Fusion Middleware Application Installed
» Click Security Realms, Default Realm Name, and click Providers.
» OAM Identity Asserter Configuring Identity Assertion for SSO with Oracle Access Manager 11g
» Click Lock Edit, if desired.
» OAM Authenticator Configuring the Authenticator Function for Oracle Access Manager 11g
» Click Security Realms and select the realm you want to configure.
» Select Providers, Authentication, and click New to display the Create a New
» Logout for 11g WebGate and OAM 11g
» Optional Logout for 10g WebGate with Oracle Access Manager 11g
» Synchronizing the User and SSO Sessions: SSO Synchronization Filter
» Troubleshooting Tips Oracle Fusion Middleware Online Documentation Library
» An Oracle Internet Directory or Oracle Sun One LDAP directory server configured
» Alternative Process for Configuring Logout
» Oracle Access Manager Authentication Provider Parameter List
» OAMCfgTool Parameters and Values
» Sample Policy Domain and AccessGate Profile Created with OAMCfgTool
» Known Issues: JAR Files and OAMCfgTool
» Establishing Trust with Oracle WebLogic Server
» Output LDIF Created Validate
» Fresh WebGate ProfileWebGate Not Installed Fresh WebGate Profile with Installed WebGate
» Setting Up the Login Form for the Identity Asserter and OAM 10g
» Testing Identity Assertion for SSO with OAM 10g
» Creating an Authentication Scheme for the Authenticator
» Authentication Rule Oracle Fusion Middleware Online Documentation Library
» OAM Authenticator Configuring Providers for the Authenticator in a WebLogic Domain
» Ensure that the parameter Control Flag is set to OPTIONAL initially.
» From the WebLogic Administration Console, go to Security Realms, myrealm,
» Configuring the Application Authentication Method for the Authenticator
» Mapping the Authenticated User to a Group in LDAP
» Testing the Oracle Access Manager Authenticator Implementation
» General Tab Creating an Policy Domain for Use with Oracle Web Services Manager
» Resources Tab Creating an Policy Domain for Use with Oracle Web Services Manager
» Authorization Rules Tab Creating an Policy Domain for Use with Oracle Web Services Manager
» General Tab Oracle Fusion Middleware Online Documentation Library
» Timing Conditions Oracle Fusion Middleware Online Documentation Library
» Actions Oracle Fusion Middleware Online Documentation Library
» Allow Access Oracle Fusion Middleware Online Documentation Library
» Configuring Oracle Web Services Manager Policies for Web Services
» OAM Identity Asserter Configuring Providers in a WebLogic Domain for Oracle Web Services Manager
» Click the Provider Specific tab and specify the following required settings
» About Using IPv6 Troubleshooting Tips for OAM Provider Deployments
» Apache Bridge Failure: Timed Out
» Authenticated User with Access Denied
» Browser Back Button Results in Error
» Client in Cluster with Load-Balanced WebGates
» Log in to Oracle Technology Network at:
» Locate the OAMCfgTool ZIP file with Access Manager Core Components
» Extract and copy oamcfgtool.jar to the computer hosting WebGate:
» Error 401: Unable to Access the Application Error 403: Unable to Access the Application
» JAAS Control Flag Click Access System Configuration, and then click AccessGate
» Oracle WebLogic Server Fails to Start
» Oracle ADF Integration and Cert Mode
» About Protected_JSessionId_Policy
» Consumption of Headers with OSSO Identity Asserter
» New Users of the OSSO Identity Asserter
» Oracle WebLogic Server 10.3.1+ Oracle Fusion Middleware Online Documentation Library
» Click Security Realms, Default Realm Name, Providers.
» Check whether the server is being hit without first going through authentication
» URL Rewriting and JSESSIONID
» About mod_osso, OSSO Cookies, and Directives
» About Using IPv6 Troubleshooting for an OSSO Identity Asserter Deployment
» Introduction Oracle Fusion Middleware Online Documentation Library
» Terminology Oracle Fusion Middleware Online Documentation Library
» OID for Identity and Policy Stores
» OAM and OSSO for User Authentication and Web SSO
» OIM for User and Role Provisioning
» OPSS for User and Role Profiling
» OAPM for Application Policy Management
» OPSS for Cryptography Oracle Identity and Access Management Suite
» Development Phase Security Life Cycle of an Application
» Summary of Tasks per Participant per Phase
» Oracle Platform Security Services
» Use Case 1 - Java EE Application
» Credentials Required Security Features
» Authentication Required Security Features
» Authorization Required Security Features
» Container-Based Authentication Integrating Authentication
» Oracle WebLogic Server Authentication Providers
» Functional Security Integrating Authorization
» Functional Security with ADF
» Cryptography Integrating the Credential Store
» The Development Cycle OPSS for Developers
» Challenges of Securing Java Applications
» Meeting the Challenges with Oracle Platform Security Services OPSS Architecture
» The LoginService API OPSS APIs
» The User and Role API JAAS Authorization and the JpsAuth.checkPermission API
» Java EE Application using OPSS APIs Authenticating with OPSS APIs
» Programmatic Authorization Credential Store Framework
» User and Role Common Uses of OPSS
» Oracle ADF Authorization Common Uses of OPSS
» About Oracle ADF Using OPSS with Oracle Application Development Framework
» The Oracle ADF Development Life Cycle
» Using the Oracle Security Developer Tools
» Using OPSS Outside Oracle JDeveloperOracle ADF
» Introduction to Authorization Authorization Overview
» The Resource Catalog The JAASOPSS Authorization Model
» Managing Policies The JAASOPSS Authorization Model
» The Class ResourcePermission The JAASOPSS Authorization Model
» Interceptor Configuration Syntax Configuring the Servlet Filter and the EJB Interceptor
» Summary of Filter and Interceptor Parameters
» Configuring the Application Stripe for Application MBeans
» The Security Policy Model Choosing the Appropriate Class for Enterprise Groups and Users
» Packaging Policies with Application
» Packaging Credentials with Application
» Parameters Controlling Policy Migration
» Policy Parameter Configuration According to Behavior
» Using a Wallet-Based Credential Store
» Parameters Controlling Credential Migration
» Credential Parameter Configuration According to Behavior
» Supported Permission Classes Configuring Applications to Use OPSS
» Specifying Bootstrap Credentials Manually
» Migrating Identities with migrateSecurityStore
» Example of Configuration File jps-config.xml
» Links to Authentication Topics for Java EE Applications
» The Identity Store Authentication for Java SE Applications
» Configuring an LDAP Identity Store in Java SE Applications
» Supported Login Modules for Java SE Applications
» Using the OPSS API LoginService in Java SE Applications
» Supported Services The OPSS Java SE Client
» Configuration Examples The OPSS Java SE Client
» Configuring File-Based Policy and Credential Stores
» Configuring LDAP-Based Policy and Credential Stores
» Configuring DB-Based OPSS Security Stores
» Unsupported Methods for File-Based Policy Stores
» About the Credential Store Framework API
» Guidelines for Granting Permissions Permissions Grant Example 1
» Overview of Application Development with CSF Guidelines for the Map Name
» Code for CSF Operations Example 1: Java SE Application with Wallet Store
» Example 2: Java EE Application with Wallet Store
» Example 3: Java EE Application with LDAP Store
» Configuring the Credential Store Best Practices
» User and Role API and the Oracle WebLogic Server Authenticators
» Summary of Roles and Classes
» Understanding Service Providers Working with Service Providers
» Selecting the Provider Working with Service Providers
» Creating the Provider Instance
» Properties for Provider Configuration
» Configuring the Provider when Creating a Factory Instance
» Configuring the Provider when Creating a Store Instance
» Runtime Configuration Working with Service Providers
» Specifying Search Parameters Searching the Repository
» Using Search Filters Searching the Repository
» Handling Special Characters when Creating Identities Creating an Identity
» Example 1: Searching for Users
» Example 2: User Management in an Oracle Internet Directory Store
» Example 3: User Management in a Microsoft Active Directory Store
» Out-of-the-box Support for SSL
» Customizing SSL Support for the User and Role API
» User Authentication The User and Role API Reference
» SPI Overview Types of User and Role Providers
» Developing a Read-Only Provider
» Policy-Related Scripts Oracle Fusion Middleware Online Documentation Library
» Credential-Related Scripts Oracle Fusion Middleware Online Documentation Library
Show more