Parameters Controlling Policy Migration

21-18 Oracle Fusion Middleware Application Security Guide

        <app-roles>
          <app-role>
            <class>oracle.security.jps.service.policystore.SomeRole</class>
            <name>applicationDeveloperRole</name>
            <display-name>application role applicationDeveloperRole</display-name>
            <members>
              <member>
                <class>oracle.security.somePath.JpsXmlEnterpriseRoleImpl</class>
                <name>developers</name>
              </member>
            </members>
          </app-role>
        </app-roles>
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>applicationDeveloperRole</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.security.jps.JpsPermission</class>
                <name>loadPolicy</name>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
  <jazn-policy>
    <!-- The following code-based application grant is migrated to the element
         jazn-policy in domain system-jazn-data.xml; when myApp is undeployed
         with EM, it is not removed from domain store -->
    <grant>
      <grantee>
        <codesource>
          <url>file:${domain.home}/servers/${weblogic.Name}/Foo.ear</url>
        </codesource>
      </grantee>
      <permissions>
        <permission>
          <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
          <name>context=SYSTEM,mapName=*,keyName=*</name>
          <actions>*</actions>
        </permission>
      </permissions>
    </grant>
  </jazn-policy>
</jazn-data>

Manually Configuring Java EE Applications to Use OPSS 21-19

To summarize, in regards to what gets removed, the important points to remember are the following:

■ All data inside the element application can be automatically removed at undeployment. In the case of an LDAP-based policy store, the application-scoped authorization policy data nodes get cleaned up.

■ All data inside the element jazn-policy cannot be automatically removed at undeployment.
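The distinction above (application-scoped grants are cleaned up at undeployment, grants under the domain-level jazn-policy element are not) is easy to check mechanically. The following script is an added example and not code from the guide or from OPSS: it parses a system-jazn-data.xml, lists each grant by the scope it lives in, and flags domain-level grants whose permission name or actions contain a wildcard, since those are the ones that outlive the application that introduced them. The sample document is constructed for this example and is modelled on the fragment shown above.

```python
# Added audit example, not taken from the Oracle guide: classify the grants in
# a system-jazn-data.xml by where they live. Grants under
# <policy-store>/<applications>/<application> are removed when the application
# is undeployed; grants under the top-level <jazn-policy> stay in the domain
# store and need to be reviewed by hand.
import xml.etree.ElementTree as ET

# Constructed sample modelled on the guide's fragment; names and paths are illustrative.
SAMPLE_JAZN_DATA = """<jazn-data>
  <policy-store>
    <applications>
      <application>
        <name>myApp</name>
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>applicationDeveloperRole</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.security.jps.JpsPermission</class>
                <name>loadPolicy</name>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
  <jazn-policy>
    <grant>
      <grantee>
        <codesource>
          <url>file:${domain.home}/servers/${weblogic.Name}/Foo.ear</url>
        </codesource>
      </grantee>
      <permissions>
        <permission>
          <class>oracle.security.jps.service.credstore.CredentialAccessPermission</class>
          <name>context=SYSTEM,mapName=*,keyName=*</name>
          <actions>*</actions>
        </permission>
      </permissions>
    </grant>
  </jazn-policy>
</jazn-data>"""


def _describe_grant(grant):
    """Flatten one <grant> into (grantee description, [permission strings])."""
    who = ["principal " + p.findtext("name")
           for p in grant.findall("grantee/principals/principal")]
    who += ["codesource " + c.findtext("url")
            for c in grant.findall("grantee/codesource")]
    perms = ["%s name=%s actions=%s" % (p.findtext("class"), p.findtext("name"),
                                        p.findtext("actions") or "")
             for p in grant.findall("permissions/permission")]
    return ", ".join(who), perms


def classify_grants(xml_text):
    """Return {"application": [(app, who, perms)], "domain": [(None, who, perms)]}."""
    root = ET.fromstring(xml_text)
    result = {"application": [], "domain": []}
    for app in root.findall("policy-store/applications/application"):
        for grant in app.findall("jazn-policy/grant"):
            result["application"].append((app.findtext("name"),) + _describe_grant(grant))
    for grant in root.findall("jazn-policy/grant"):
        result["domain"].append((None,) + _describe_grant(grant))
    return result


def wildcard_domain_grants(xml_text):
    """Grantees of domain-level grants that carry a '*' in a permission name or
    actions: undeploying the application that introduced them leaves them behind."""
    return [who for _, who, perms in classify_grants(xml_text)["domain"]
            if any("*" in p for p in perms)]


if __name__ == "__main__":
    for scope, grants in classify_grants(SAMPLE_JAZN_DATA).items():
        for app, who, perms in grants:
            print(scope, app or "-", who, "->", "; ".join(perms))
    print("review after undeploy:", wildcard_domain_grants(SAMPLE_JAZN_DATA))
```

Run against the real DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml after an undeployment, the "domain" list is what still needs a manual decision; the code-source grant to Foo.ear with a CredentialAccessPermission on every map and key is exactly the kind of entry the script surfaces.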

21.4.2.5 To Migrate Policies in a Static Deployment

Table 21–7 shows the setting that migrates application policies when the application is statically deployed. The MERGE or OVERWRITE operation takes place only if the application policies do not already exist in the domain. Table 21–8 shows the setting that skips the migration of application policies when the application is statically deployed.

Table 21–7 Settings to Migrate Policies with Static Deployments

  Setting                          Value
  JpsApplicationLifecycleListener  Set
  jps.policystore.migration        MERGE or OVERWRITE

Table 21–8 Settings Not to Migrate Policies with Static Deployments

  Setting                          Value
  JpsApplicationLifecycleListener  Set
  jps.policystore.migration        OFF

21.4.2.6 Recommendations

Keep in mind the following suggestions:

When an LDAP-based policy store is used and the application is to be deployed to multiple managed servers, choose to migrate policies from one of the servers only; the rest of the deployments should choose not to migrate policies. This ensures that the policies are migrated only once from the application store to the policy store. All the deployments must use the same application id. Attempting policy migration to the same node for the same application multiple times (for example, on different managed servers) can result in policy migration failures. An alternative is to migrate the policy data to the store outside of the deployment process using the OPSS script migrateSecurityStore.

If, however, the application is deployed to several servers and the policy store is file-based, the deployment must include the administration server for the migration to update the policy file DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml.

21.4.3 Using a Wallet-Based Credential Store

The content of a wallet-based credential store is defined in a file that must be named cwallet.sso. A wallet-based credential store is also referred to as a file-based credential store. For instructions on how to create a wallet, see section Common Wallet Operations in Oracle Fusion Middleware Administrator's Guide.

The location of the file cwallet.sso is specified in the configuration file jps-config.xml with the element serviceInstance, as illustrated in the following example:

  <serviceInstance name="credstore" provider="credstoressp">
    <property name="location" value="myCredStorePath"/>
  </serviceInstance>

For other types of credential storage, see chapter Managing Keystores, Wallets, and Certificates in Oracle Fusion Middleware Administrator's Guide.

21.4.4 Parameters Controlling Credential Migration

The migration of application credentials at deployment is controlled by several parameters configured in the file META-INF/weblogic-application.xml. For details about the specification of these parameters on WebSphere, see Oracle Fusion Middleware Third-Party Application Server Guide.

The parameter that controls credential migration is jps.credstore.migration. The listener is JpsApplicationLifecycleListener - Credentials.

jps.credstore.migration

This parameter specifies whether the migration should take place, and, when it does, whether it should merge with or overwrite matching credentials present in the target store. On WebLogic, it is configured as illustrated in the following fragment:

  <wls:application-param>
    <wls:param-name>jps.credstore.migration</wls:param-name>
    <wls:param-value>behaviorValue</wls:param-value>
  </wls:application-param>

For details about the specification of this parameter on WebSphere, see Oracle Fusion Middleware Third-Party Application Server Guide.

If set, this parameter’s value must be one of the following: MERGE, OVERWRITE, or OFF. The OVERWRITE value is available on WebLogic only, and only when the server is running in development mode. If not set, the migration of credentials takes place with the option MERGE.

JpsApplicationLifecycleListener - Credentials

This listener is supported only on WebLogic and it is configured as illustrated in the following fragment:

  <wls:listener>
    <wls:listener-class>
      oracle.security.jps.wls.listeners.JpsApplicationLifecycleListener
    </wls:listener-class>
  </wls:listener>
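Because a wrong value for jps.credstore.migration, a missing listener, or OVERWRITE on a production-mode server each change what ends up in the credential store, it is worth checking the descriptor before deployment. The following script is an added example, not code from the guide or from WebLogic: it reads the two fragments above out of a META-INF/weblogic-application.xml and reports the effective behavior plus any findings. The wls namespace URI is assumed to be the one WebLogic deployment descriptors normally use; the development_mode and overwrite_allowed arguments are this example's own way of passing in server state (the jps.app.credential.overwrite.allowed system property is the one Table 21–11 requires for OVERWRITE). The descriptor is constructed for the example.

```python
# Added example (not from the Oracle guide): check the credential-migration
# settings in a META-INF/weblogic-application.xml before deployment.
# Assumptions: the descriptor uses the wls namespace below (the usual one for
# WebLogic deployment descriptors) and the caller passes in whether the target
# server runs in development mode; neither comes from the guide.
import xml.etree.ElementTree as ET

WLS_NS = "http://xmlns.oracle.com/weblogic/weblogic-application"
NS = {"wls": WLS_NS}
LISTENER = "oracle.security.jps.wls.listeners.JpsApplicationLifecycleListener"
ALLOWED = {"MERGE", "OVERWRITE", "OFF"}

# Constructed descriptor modelled on the guide's two fragments.
SAMPLE_DESCRIPTOR = """<wls:weblogic-application xmlns:wls="%s">
  <wls:listener>
    <wls:listener-class>%s</wls:listener-class>
  </wls:listener>
  <wls:application-param>
    <wls:param-name>jps.credstore.migration</wls:param-name>
    <wls:param-value>OVERWRITE</wls:param-value>
  </wls:application-param>
</wls:weblogic-application>""" % (WLS_NS, LISTENER)


def read_settings(xml_text):
    """Return (listener_present, {param-name: param-value}) from the descriptor."""
    root = ET.fromstring(xml_text)
    listener = any((lc.text or "").strip() == LISTENER
                   for lc in root.findall("wls:listener/wls:listener-class", NS))
    params = {}
    for ap in root.findall("wls:application-param", NS):
        name = (ap.findtext("wls:param-name", "", NS) or "").strip()
        params[name] = (ap.findtext("wls:param-value", "", NS) or "").strip()
    return listener, params


def check_credential_migration(xml_text, development_mode, overwrite_allowed=False):
    """Return (effective_behavior, [findings]) for jps.credstore.migration.

    development_mode: the target WebLogic server runs in development mode.
    overwrite_allowed: system property jps.app.credential.overwrite.allowed is TRUE.
    """
    listener, params = read_settings(xml_text)
    findings = []
    value = params.get("jps.credstore.migration")
    if value is None:
        behavior = "MERGE"  # the guide's default when the parameter is not set
    elif value not in ALLOWED:
        behavior = "UNDEFINED"
        findings.append("jps.credstore.migration=%r is not MERGE, OVERWRITE or OFF" % value)
    else:
        behavior = value
    if behavior in ("MERGE", "OVERWRITE") and not listener:
        findings.append("JpsApplicationLifecycleListener is not configured; no migration will run")
    if behavior == "OVERWRITE":
        if not development_mode:
            findings.append("OVERWRITE is valid only when the server runs in development mode")
        if not overwrite_allowed:
            findings.append("OVERWRITE also needs system property jps.app.credential.overwrite.allowed=TRUE")
    return behavior, findings


if __name__ == "__main__":
    print(check_credential_migration(SAMPLE_DESCRIPTOR, development_mode=False))
```

The same reader also returns jps.policystore.migration when it is present, so the policy-side values from Tables 21–7 and 21–8 can be checked with the same call to read_settings.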

21.4.5 Credential Parameter Configuration According to Behavior

This section describes the manual settings required to migrate application credentials with the following behaviors:

■ To Skip Migrating Credentials
■ To Migrate Credentials with Merging
■ To Migrate Credentials with Overwriting

Any value settings other than the ones described in the following sections are not recommended and may lead to unexpected migration behavior.

If the migration target is an LDAP-based credential store, it is recommended that the application be deployed to just one managed server or cluster. Otherwise, application credentials may not work as expected.

21.4.5.1 To Skip Migrating Credentials

The following matrix shows the setting that prevents the migration from taking place:

Table 21–9 Settings to Skip Credential Migration (valid at deploy or redeploy)

  Setting                          Value
  jps.credstore.migration          OFF

21.4.5.2 To Migrate Credentials with Merging

The following matrix shows the setting of required and optional parameters that migrates only credentials that are not present in the target store (optional parameters are enclosed in brackets):

Table 21–10 Settings to Migrate Credentials with Merging (valid at deploy or redeploy)

  Setting                          Value
  JpsApplicationLifecycleListener  Set
  jps.credstore.migration          MERGE

21.4.5.3 To Migrate Credentials with Overwriting

This operation is valid on WebLogic only, and only when the server is running in development mode. The following matrix shows the setting that migrates all credentials, overwriting matching target credentials:

Table 21–11 Settings to Migrate Credentials with Overwriting (valid at deploy or redeploy)

  Setting                               Value
  JpsApplicationLifecycleListener       Set
  jps.credstore.migration               OVERWRITE
  jps.app.credential.overwrite.allowed  This system property must be set to TRUE

Note: Credentials are not deleted upon an application undeployment. A credential may have started its life as being packaged with an application, but when the application is undeployed, credentials are not removed.

21.4.6 Supported Permission Classes

The components of a permission are illustrated in the following snippet from a system-jazn-data.xml file:

  <grant>
    <grantee>
      <codesource>
        <url>file:${oracle.deployed.app.dir}/MyApp${oracle.deployed.app.ext}</url>
      </codesource>
    </grantee>
    <permissions>
      <permission>
        <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
        <name>context=SYSTEM</name>
        <actions>getConfiguredApplications</actions>
      </permission>
      <permission>
        <class>oracle.security.jps.service.policystore.PolicyStoreAccessPermission</class>
        <name>context=APPLICATION,name=*</name>
        <actions>getApplicationPolicy</actions>
      </permission>
    </permissions>
  </grant>

This section describes the supported values for the elements class, name, and actions within a permission.

21.4.6.1 Policy Store Permission

Class name: oracle.security.jps.service.policystore.PolicyStoreAccessPermission

When the permission applies to a particular application, use the following pattern for the corresponding element name:

  context=APPLICATION,name=appStripeName

When the permission applies to all applications, use the following name pattern for the corresponding element name:

  context=APPLICATION,name=*

When the permission applies to all applications and system policies, use the following name pattern for the corresponding element name:

  context=APPLICATION

The values allowed in the corresponding element actions are the following (* stands for any allowed action):

  createPolicy
  getConfiguredApplications
  getSystemPolicy
  getApplicationPolicy
  createApplicationPolicy
  deleteApplicationPolicy
  grant
  revoke
  *

Important: All permission classes used in policies must be included in the class path, so the policy provider can load them when a service instance is initialized.
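The name patterns and the action list above are precise enough to audit against. The following script is an added example and not code from the guide or from OPSS: it walks the PolicyStoreAccessPermission entries in a system-jazn-data.xml fragment, reports names that match none of the documented patterns (the regular expression is this example's own encoding of them; it also accepts context=SYSTEM, which the guide's own snippet in Section 21.4.6 uses), reports actions outside the documented list, and singles out the widest grant the class can express, all actions on every application stripe. The sample grant is constructed for the example.

```python
# Added audit example (not from the Oracle guide): check every
# PolicyStoreAccessPermission in a system-jazn-data.xml fragment against the
# name patterns and the action list documented in this section. NAME_PATTERN is
# this example's own encoding of those patterns (plus context=SYSTEM, which
# the guide's snippet in 21.4.6 uses); it is not Oracle's implementation.
import re
import xml.etree.ElementTree as ET

PSA_CLASS = "oracle.security.jps.service.policystore.PolicyStoreAccessPermission"
ALLOWED_ACTIONS = {
    "createPolicy", "getConfiguredApplications", "getSystemPolicy",
    "getApplicationPolicy", "createApplicationPolicy",
    "deleteApplicationPolicy", "grant", "revoke",
}
NAME_PATTERN = re.compile(r"^context=(SYSTEM|APPLICATION(,name=(\*|[^,*]+))?)$")

# Constructed sample: one sound entry, one with an unsupported action, one
# wildcard-everything entry, and one whose name lacks the context= field.
SAMPLE_GRANT = """<jazn-policy>
  <grant>
    <grantee>
      <codesource>
        <url>file:${oracle.deployed.app.dir}/MyApp${oracle.deployed.app.ext}</url>
      </codesource>
    </grantee>
    <permissions>
      <permission>
        <class>%(cls)s</class>
        <name>context=APPLICATION,name=MyApp</name>
        <actions>getApplicationPolicy</actions>
      </permission>
      <permission>
        <class>%(cls)s</class>
        <name>context=APPLICATION,name=MyApp</name>
        <actions>grant,revoke,dropPolicy</actions>
      </permission>
      <permission>
        <class>%(cls)s</class>
        <name>context=APPLICATION,name=*</name>
        <actions>*</actions>
      </permission>
      <permission>
        <class>%(cls)s</class>
        <name>name=MyApp</name>
        <actions>getApplicationPolicy</actions>
      </permission>
    </permissions>
  </grant>
</jazn-policy>""" % {"cls": PSA_CLASS}


def audit_policy_store_permissions(xml_text):
    """Return a list of (finding, detail) tuples for PolicyStoreAccessPermission entries."""
    findings = []
    root = ET.fromstring(xml_text)
    for perm in root.iter("permission"):
        if (perm.findtext("class") or "").strip() != PSA_CLASS:
            continue  # other permission classes have their own name/actions rules
        name = (perm.findtext("name") or "").strip()
        actions = (perm.findtext("actions") or "").strip()
        if not NAME_PATTERN.match(name):
            findings.append(("undocumented-name", name))
        if actions == "*":
            requested = set(ALLOWED_ACTIONS)
        else:
            requested = {a.strip() for a in actions.split(",") if a.strip()}
            unknown = sorted(requested - ALLOWED_ACTIONS)
            if unknown:
                findings.append(("unsupported-actions", ",".join(unknown)))
        # Every policy-store action on every application stripe is the widest
        # grant this class can express; it deserves explicit review.
        if name == "context=APPLICATION,name=*" and requested == ALLOWED_ACTIONS:
            findings.append(("wildcard-grant", name))
    return findings


if __name__ == "__main__":
    for finding, detail in audit_policy_store_permissions(SAMPLE_GRANT):
        print(finding, detail)
```

An entry reported as undocumented-name will not match the patterns the guide lists and should be treated as a configuration error rather than a narrower grant; the wildcard-grant finding is not an error, only the entry most worth a second look.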