Unsupported Methods for File-Based Policy Stores

Developing with the Credential Store Framework 24-5

MapName - RCU, Key - Key1 and Credential - PasswordCredential1
MapName - RCU, Key - Key2 and Credential - PasswordCredential2
MapName - RCU, Key - Key3 and Credential - GenericCredential1

For Oracle WebCenter, the map name is Web and the key for a single credential is Key1:

MapName - Web, Key - Key1 and Credential - PasswordCredential3

For Fusion Middleware Control, the map name is denoted by EM and the keys for two credentials are Key1 and Key2 respectively:

MapName - EM, Key - Key1 and Credential - PasswordCredential4
MapName - EM, Key - Key2 and Credential - GenericCredential2

Note that the map name and key name are just two arbitrary strings and can have any valid string values in practice. However, implementing this way makes map names easier to manage.

24.5 Configuring the Credential Store

The administrator needs to define the credential store instance in a configuration file which contains information about the location of the credential store and the provider classes. Configuration files are located in:

DOMAIN_HOME/config/fmwconfig

and are named as follows:

■ jps-config.xml for Oracle WebLogic Server
■ jps-config-jse.xml for Java SE

For details, see Chapter 10, Managing the Credential Store.

24.6 Steps for Using the API

You can use the credential store framework within Oracle WebLogic Server or in a standalone environment.

■ Using the CSF API in a Standalone Environment
■ Using the CSF API in Oracle WebLogic Server

24.6.1 Using the CSF API in a Standalone Environment

The steps for using the API in a standalone environment are:

1. Set up the classpath. Ensure that the jps-manifest.jar file is in your classpath.

For details, see Required JAR in Classpath in Section 1.5.3, Scenario 3: Securing a Java SE Application .

2. Set up the policy; to provide access to the CSF APIs, you need to configure the access permissions in the reference policy store. For examples, see Section 24.3, Setting the Java Security Policy Permissions.

Note: The map names and key names used here are arbitrary and chosen for illustration only. Your application can use altogether different map names and/or key names.

3. Run the application. Command-line options include:

■ -Doracle.security.jps.config specifies the full path to the configuration file
■ -Djava.security.policy specifies the location of the OPSS/Oracle WebLogic Server policy file
■ -Djava.security.debug=all is helpful for debugging purposes

24-6 Oracle Fusion Middleware Application Security Guide

24.6.2 Using the CSF API in Oracle WebLogic Server

The steps for using the API in an Oracle WebLogic Server environment are:

1. The credential store service provider section of the jps-config.xml file is configured out-of-the-box in the following directory:

DOMAIN_HOME/config/fmwconfig

If needed, reassociate to an LDAP credential store.

2. Set up the policy; to provide access to the CSF APIs, you need to configure the access permissions in the reference policy store. For examples, see Section 24.3, Setting the Java Security Policy Permissions.

3. Start Oracle WebLogic Server.

4. Deploy and test the application.

24.7 Examples

This section provides several examples of using the credential store framework APIs. It shows:

■ a utility Java program which is called by all examples and performs the actual credential store operations
■ the Java SE or Java EE code that calls the utility program
■ the policy store setup
■ the configuration file

In each example, the test code is set up to show how the credential store operations are affected by the permissions. For each example the policy file, the test code, and the configuration file are provided to demonstrate how the provider information must be specified, and to enable you to compare the permissions defined on the map/key with the operation attempted in the code. The section is structured as follows:

■ Code for CSF Operations
■ Example 1: Java SE Application with Wallet Store
■ Example 2: Java EE Application with Wallet Store
■ Example 3: Java EE Application with LDAP Store

24.7.1 Code for CSF Operations

The following common utility program performs the CSF API operations. It is called by the example programs.

package demo.util;

import java.security.AccessController;
import java.security.PrivilegedAction;

import oracle.security.jps.JpsException;
import oracle.security.jps.service.credstore.Credential;
import oracle.security.jps.service.credstore.CredentialAlreadyExistsException;
import oracle.security.jps.service.credstore.CredentialFactory;
import oracle.security.jps.service.credstore.CredentialStore;
import oracle.security.jps.service.credstore.PasswordCredential;

public class CsfUtil {
    final CredentialStore store;

    public CsfUtil(CredentialStore store) {
        super();
        this.store = store;
    }

    private void doOperation() {
        try {
            PasswordCredential pc = null;
            try {
                // this call requires read privilege
                pc = (PasswordCredential) store.getCredential("pc_map", "pc_key");
                if (pc == null) {
                    // key not found, create one
                    pc = CredentialFactory.newPasswordCredential("jdoe", "password".toCharArray());
                    // this call requires write privilege
                    store.setCredential("pc_map", "pc_key", pc);
                    System.out.print("Created ");
                } else {
                    System.out.print("Found ");
                }
                // demonstration only: the stored password is echoed to stdout
                System.out.println("password credential: Name=" + pc.getName()
                        + ",Password=" + new String(pc.getPassword()));
            } catch (CredentialAlreadyExistsException e) {
                // ignore since credential already exists.
                System.out.println("Credential already exists for <pc_map, pc_key>: "
                        + pc.getName() + ":" + new String(pc.getPassword()));
            }

            try {
                // permission corresponding to
                // "context=SYSTEM,mapName=gc_map,keyName=gc_key"
                byte[] secret = new byte[] { 0x7e, 0x7f, 0x3d, 0x4f, 0x10, 0x20, 0x30 };
                Credential gc = CredentialFactory.newGenericCredential(secret);
                store.setCredential("gc_map", "gc_key", gc);
                System.out.println("Created generic credential");
            } catch (CredentialAlreadyExistsException e) {
                // ignore since credential already exists.
                System.out.println("Generic credential already exists for <gc_map,gc_key>");
            }

            try {
                // no permission for pc_map2/pc_key2 to perform operation on store
                Credential pc2 = CredentialFactory.newPasswordCredential("pc_jode2",
                        "pc_password".toCharArray());
                store.setCredential("pc_map2", "pc_key2", pc2);
            } catch (Exception expected) {
                // CredentialAccessException expected here. Not enough permission
                System.out.println("This is expected :" + expected.getLocalizedMessage());
            }
        } catch (JpsException e) {
            e.printStackTrace();
        }
    }

    /*
     * This method performs a non-privileged operation.
     * Either all code in the call stack must have CredentialAccessPermission
     * OR the caller must have the CredentialAccessPermission only and
     * invoke this operation in a doPrivileged block.
     */
    public void doCredOperation() {
        doOperation();
    }

    /*
     * Since this method performs a privileged operation, only the current class
     * or the jar containing this class needs CredentialAccessPermission.
     */
    public void doPrivilegedCredOperation() {
        AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                doOperation();
                return "done";
            }
        });
    }
}
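The following driver is an added example, not code from this guide or from Oracle; it ties together the standalone steps of Section 24.6.1 (classpath, policy, command-line options), the permission setup that Section 24.6.2 also requires, and the CsfUtil utility above. The class name CsfDriver, the jar names, the codeBase URL and the file paths are placeholders; the policy grants in the header comment reuse the "context=SYSTEM,mapName=...,keyName=..." permission-name form and the read/write actions that CsfUtil's comments describe, but their exact syntax is an assumption. JpsContextFactory and JpsContext.getServiceInstance are OPSS API calls not shown on this page.

```java
package demo;

import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.credstore.CredentialStore;

import demo.util.CsfUtil;

/*
 * Assumed launch command for the standalone (Java SE) case; every path is a
 * placeholder. The -D options are the ones listed in Section 24.6.1.
 *
 *   java -classpath <path-to>/jps-manifest.jar:demo.jar \
 *        -Doracle.security.jps.config=<path-to>/jps-config-jse.xml \
 *        -Djava.security.policy=<path-to>/java.policy \
 *        demo.CsfDriver [privileged]
 *
 * Assumed grants in the referenced policy file (syntax is an assumption).
 * Only the two map/key pairs that CsfUtil is meant to succeed on are granted;
 * pc_map2/pc_key2 is deliberately left out, so CsfUtil's third operation is
 * rejected, which is the outcome its comments already describe.
 *
 *   grant codeBase "file:<path-to>/demo.jar" {
 *     permission oracle.security.jps.service.credstore.CredentialAccessPermission
 *       "context=SYSTEM,mapName=pc_map,keyName=pc_key", "read,write";
 *     permission oracle.security.jps.service.credstore.CredentialAccessPermission
 *       "context=SYSTEM,mapName=gc_map,keyName=gc_key", "write";
 *   };
 *
 * Who needs the grant depends on which CsfUtil entry point is called:
 *   - doCredOperation(): every code source on the call stack, so the jar
 *     holding this driver AND the jar holding CsfUtil must both be granted;
 *   - doPrivilegedCredOperation(): only the jar holding CsfUtil, because the
 *     doPrivileged block stops the stack walk there.
 */
public class CsfDriver {

    /*
     * Obtain the CredentialStore service from the default OPSS context, i.e.
     * the one described by the file that -Doracle.security.jps.config names.
     */
    static CredentialStore lookupStore() throws JpsException {
        JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
        return ctx.getServiceInstance(CredentialStore.class);
    }

    public static void main(String[] args) throws JpsException {
        CsfUtil csf = new CsfUtil(lookupStore());

        // "privileged" selects the doPrivileged path so the difference in
        // required grants can be observed by narrowing the policy file.
        boolean privileged = args.length > 0 && "privileged".equals(args[0]);
        if (privileged) {
            // Only CsfUtil's code source is checked beyond this frame.
            csf.doPrivilegedCredOperation();
        } else {
            // This class's code source is checked as well.
            csf.doCredOperation();
        }
    }
}
```

Running the driver twice, once without and once with the "privileged" argument, while the grant for demo.jar is removed from the policy file, makes the call-stack rule visible: the non-privileged run fails on the first getCredential call, while the privileged run succeeds as long as CsfUtil's own jar keeps its grant. When the driver and CsfUtil are packaged in the same jar, a single grant covers both paths.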

24.7.2 Example 1: Java SE Application with Wallet Store

This example shows a sample Java SE application using wallet credentials, that is, a file-based provider. The example illustrates: