Policy Store Basics Oracle Fusion Middleware Online Documentation Library

4 About Oracle Platform Security Services Scenarios

This chapter describes some typical security scenarios supported by Oracle Platform Security Services. It also lists the LDAP, DB, and XML servers supported, the management tools an administrator uses to administer security data in each scenario, and the packaging requirements for policies and credentials. These topics are explained in the following sections:
■ Supported LDAP-, DB-, and File-Based Services
■ Management Tools
■ Packaging Requirements
■ Example Scenarios
■ Other Scenarios

4.1 Supported LDAP-, DB-, and File-Based Services

Oracle Platform Security Services supports the following LDAP-, DB-, and file-based repositories:
■ For the OPSS security store:
  – If file-based, XML for the policy store and cwallet for the credential store.
  – If LDAP-based, Oracle Internet Directory versions 10.1.4.3 or 11g for the policy store and credential store.
  – If DB-based, Oracle RDBMS releases 10.2.0.4 or later; releases 11.1.0.7 or later; and releases 11.2.0.1 or later.
■ For the identity store, any of the LDAP authenticators supported by Oracle WebLogic Server. An XML identity store is supported only in Java SE applications.

Oracle Fusion Middleware Application Security Guide

For details about LDAP authenticators, see section Configuring LDAP Authentication Providers in Oracle Fusion Middleware Securing Oracle WebLogic Server. In particular, the DefaultAuthenticator is available out-of-the-box, but its use is recommended only in development environments, with no more than ten thousand user entries and no more than twenty-five hundred group entries.

Policies and credentials stored in an LDAP-based store must use the same physical persistent repository. For details, see the following chapters:
■ Chapter 9, Managing the Policy Store
■ Chapter 10, Managing the Credential Store

4.2 Management Tools

The tools available to a security administrator are the following:
■ WebLogic Administration Console
■ Oracle Enterprise Manager Fusion Middleware Control
■ Oracle Entitlements Server
■ OPSS scripts, available on all supported platforms
■ LDAP server-specific utilities

Which tool to use for managing security data depends on the type of data stored and the kind of store used to keep that data. For applications deployed on WebSphere Application Server, there is also the WebSphere Application Server Administration Console; for details, see the WebSphere Application Server documentation. Note that OPSS scripts are available for both platforms, WebLogic and WebSphere.

Users and Groups

If a domain uses the DefaultAuthenticator to store identities, use the Oracle WebLogic Server Administration Console to manage the stored data. The data stored in the DefaultAuthenticator can also be accessed through the User and Role API to query user profile attributes. To add attributes to users or groups in the DefaultAuthenticator, an application likewise uses the User and Role API.

Important: If using Oracle Internet Directory 10.1.4.3 with OPSS, a mandatory one-off patch for bug number 8351672 is recommended on top of Oracle Internet Directory 10.1.4.3. Download the patch for your platform from Oracle Support at http://myoraclesupport.oracle.com.

To ensure optimal performance, the following Oracle Internet Directory tuning is recommended (the change record is fed to ldapmodify on standard input through a here-document; replace password with the orcladmin password):

ldapmodify -D cn=orcladmin -w password -v <<EOF
dn: cn=dsaconfig,cn=configsets,cn=oracle internet directory
changetype: modify
add: orclinmemfiltprocess
orclinmemfiltprocess: objectclass=orcljaznpermission
orclinmemfiltprocess: objectclass=orcljazngrantee
EOF
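The following script is an added example and is not part of the Oracle documentation or the Oracle Internet Directory tooling. It wraps the recommended tuning above so that it can be reviewed before it is applied and is not re-applied by mistake: the LDIF change record is built by a function (for a dry run or for piping into ldapmodify), the current value of orclinmemfiltprocess on the dsaconfig entry is read with ldapsearch first, and the bind password is read from a file instead of being written into the script. The host name, port and password-file path are assumed values; the ldapmodify and ldapsearch options used are the ones shown on this page plus the standard host and port options.

```shell
#!/bin/sh
# Added example (not Oracle's code): apply the OPSS in-memory filter tuning
# for Oracle Internet Directory idempotently.
# Assumed values: host, port and the password-file path below.

OID_HOST="${OID_HOST:-oid.example.com}"                # assumed host
OID_PORT="${OID_PORT:-3060}"                           # assumed non-SSL port
OID_BIND_DN="${OID_BIND_DN:-cn=orcladmin}"
OID_PW_FILE="${OID_PW_FILE:-$HOME/.oid_orcladmin_pw}"   # assumed path; keep it mode 0600

DSACONFIG_DN='cn=dsaconfig,cn=configsets,cn=oracle internet directory'

# Emit the LDIF change record exactly as the documentation specifies it.
# Kept in a function so it can be shown (dry run) or piped to ldapmodify.
build_oid_tuning_ldif() {
    cat <<EOF
dn: ${DSACONFIG_DN}
changetype: modify
add: orclinmemfiltprocess
orclinmemfiltprocess: objectclass=orcljaznpermission
orclinmemfiltprocess: objectclass=orcljazngrantee
EOF
}

# Count how many of the two required values an attribute listing already
# holds. Input is attribute lines as ldapsearch prints them; prints 0..2.
# "|| true" keeps a zero count from being reported as a failure under set -e.
count_present_values() {
    grep -ci -e '^orclinmemfiltprocess: objectclass=orcljaznpermission$' \
             -e '^orclinmemfiltprocess: objectclass=orcljazngrantee$' || true
}

# Read the dsaconfig entry and apply the change only when both values are
# missing. Returns 0 when done or nothing was needed, 2 on a precondition
# failure, otherwise ldapmodify's exit status.
apply_oid_tuning() {
    if ! command -v ldapmodify >/dev/null 2>&1 || ! command -v ldapsearch >/dev/null 2>&1; then
        echo "ldapmodify/ldapsearch not found on PATH" >&2
        return 2
    fi
    if [ ! -r "$OID_PW_FILE" ]; then
        echo "password file $OID_PW_FILE is not readable" >&2
        return 2
    fi
    pw=$(cat "$OID_PW_FILE")
    present=$(ldapsearch -h "$OID_HOST" -p "$OID_PORT" -D "$OID_BIND_DN" -w "$pw" \
                  -b "$DSACONFIG_DN" -s base 'objectclass=*' orclinmemfiltprocess \
              | count_present_values)
    if [ "$present" -eq 2 ]; then
        echo "OPSS in-memory filter tuning already present on $DSACONFIG_DN; nothing to do"
        return 0
    fi
    build_oid_tuning_ldif | ldapmodify -h "$OID_HOST" -p "$OID_PORT" \
        -D "$OID_BIND_DN" -w "$pw" -v
}

# Usage: ./oid_opss_tuning.sh show    (print the LDIF only)
#        ./oid_opss_tuning.sh apply   (check the entry, then modify if needed)
case "${1:-}" in
    show)  build_oid_tuning_ldif ;;
    apply) apply_oid_tuning ;;
esac
```

Two caveats a practitioner should keep in mind: ldapmodify's -w option still exposes the password in the process list for the duration of the call, so run the script from an administrative host rather than a shared one; and if exactly one of the two values is already present, ldapmodify will reject the add of the other as an existing value, which the script surfaces as a non-zero exit status for manual reconciliation rather than silently ignoring.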