About mod_osso, OSSO Cookies, and Directives

Identity and Access Management (IAM): IAM is a set of tools, processes, and best practices to manage user identities and their access to resources.

Oracle Application Development Framework (ADF): ADF is a comprehensive Java EE development framework integrated with the Oracle JDeveloper development environment. ADF greatly simplifies Java EE development and minimizes the need to write code by providing application infrastructure as part of the framework. Because it is also integrated with Oracle Fusion Middleware Security, ADF allows developers to implement security concepts using a declarative approach.

Oracle Access Manager (OAM): OAM provides a full range of Web access security management functions, including Web single sign-on, user self-service, and self-registration.

Oracle Adaptive Access Manager (OAAM): OAAM secures access to Web resources through strong multi-factor authentication and real-time fraud prevention.

Oracle Authorization Policy Manager (OAPM): OAPM is a graphical interface tool to provision and administer security application artifacts.

Oracle Internet Directory (OID): OID provides an LDAP-based directory for the storage of identity, policies, and business-related data.

Oracle Enterprise Manager (OEM): OEM is the central tool to manage Oracle applications.

Oracle Identity Manager (OIM): OIM is a user provisioning and administration tool that facilitates adding, updating, and deleting user accounts from enterprise applications.

Oracle Security Developer Tools (OSDT): OSDT provides the cryptographic building blocks necessary to develop secure applications. It includes secure messaging and the implementation of a secured service-oriented architecture.

OPSS Subject: An OPSS subject is a collection of principals and, possibly, user credentials such as passwords or cryptographic keys. The Oracle WebLogic Server authentication populates the OPSS subject with principals, that is, with users and groups, and with application roles.

Oracle Web Services Manager (OWSM): OWSM is a tool to secure, manage, and deploy SOAP-based applications, that is, applications built on service-oriented architectures.

Oracle Wallet (OW): OW stores credentials such as certificates, trusted certificates, certificate requests, and private keys.

Web Services Security (WSS): WSS provides authentication, authorization, confidentiality, privacy, and integrity among SOAP-based applications.

Web Single Sign-On (Web-SSO): Web-SSO allows users access to multiple Web applications by being authenticated just once.

18.3 Oracle Identity and Access Management Suite

The Oracle IAM suite of products is designed to support heterogeneous, multiple-vendor development and run-time environments, including operating systems, Web servers, application servers, and database management systems. The products in the suite and their support of key areas of application security are described in the following sections:

■ OID for Identity and Policy Stores
■ OAM and OSSO for User Authentication and Web SSO
■ OIM for User and Role Provisioning
■ OPSS for User and Role Profiling
■ OPSS for User Authorization
■ OAPM for Application Policy Management
■ OPSS for Cryptography

For a detailed list of the OPSS security features required when integrating security with OPSS, see Required Security Features.

18.3.1 OID for Identity and Policy Stores

Applications use OID to store user identities, identity profiles, roles, policies, and credentials.

18.3.2 OAM and OSSO for User Authentication and Web SSO

It is critical that user identities be established correctly and securely in environments that allow users access to applications. Once a user identity has been established, the user must be able to sign on to other enterprise applications without being prompted again. OAM provides user authentication and Web SSO services and hides single sign-on implementation details from applications. Oracle offers two single sign-on solutions: OAM and OSSO. For details, see Part IV, Single Sign-On Configuration.

18.3.3 OIM for User and Role Provisioning

Managing users is an ongoing activity that requires externalizing some amount of user information, typically kept in a central repository. OIM exposes SPML, an interface to provision users and roles, manage user and role profiles, and change user passwords. Applications are expected to use the SPML interface for all write and update operations on users and roles.

18.3.4 OPSS for User and Role Profiling

OPSS exposes the User and Role API, a standard, privacy-enabled interface to read identity and role data without having to open explicit connections to the underlying data repositories. For details, see Chapter 25, Developing with the User and Role API.

18.3.5 OPSS for User Authorization

OPSS provides a scalable, extensible, role-based authorization framework that allows applications to specify and control their security artifacts, including entitlements, roles, and grants. The application defines security policies stored in the policy store that are enforced at runtime by the authorization engine. For details, see Chapter 23, Authorization for Java SE Applications.

18.3.6 OAPM for Application Policy Management

OAPM is used to manage security artifacts once the application has been deployed. Working with OPSS, OAPM facilitates many administration tasks, such as managing entitlements and roles, and mapping application roles to enterprise groups.

18.3.7 OPSS for Cryptography

OPSS provides other security services, including the Credential Store Framework for storing application credentials, cryptographic toolkits for message confidentiality, a toolkit to manage keys, and the audit framework for security auditing. For a complete list of developer tool APIs, see Appendix H, References.

18.4 Security Life Cycle of an Application

This section introduces the phases of the security life cycle of an application. It is assumed that the application uses ADF and that it is developed in the Oracle JDeveloper environment. The phases of the security life cycle of an application are the development phase, the deployment phase, and the management phase. The participants are the product manager or application architect, application developers, and application security administrators. For a summary of tasks, see Summary of Tasks per Participant per Phase.

18.4.1 Development Phase

In the development phase developers design the application to work with the full range of security options available in Oracle Fusion Middleware. Developers have access to a rich set of security services exposed by Oracle JDeveloper, the built-in ADF framework, and the Oracle WebLogic Server. All these components are based on OPSS, which ensures a consistent approach to security throughout the application’s life span.