10-6 Oracle Complex Event Processing Administrators Guide
■ cssconfig: a command-line utility that generates a security configuration file, security.xml, that uses a password policy. See Appendix C.1, "The cssconfig Command-Line Utility" for details.
■ encryptMSAConfig: a command-line utility that encrypts cleartext passwords, specified by the password element, in XML files. See Appendix C.2, "The encryptMSAConfig Command-Line Utility" for details.
For each utility, you can specify user credentials (username and password) using the following three methods:
■ On the command line, using options such as -user and -password.
■ Interactively, so that the command-line utility always prompts for the credentials.
■ By specifying a filestore that stores the user credentials; the filestore itself is also password protected.
In a production environment, never use the first method (specifying user credentials on the command line); use only the second and third methods.
When using interactive mode (the command-line utility prompts for credentials), be sure that the appropriate terminalio native libraries for your local computer are in your CLASSPATH so that the user credentials are not echoed on the screen when you type them. Oracle CEP includes a set of standard native libraries for this purpose, but it may not include the specific one you need.
10.1.9 Security in Oracle CEP Examples and Domains
When you use the Configuration Wizard to create a new domain, you specify the administrator user and password, as well as the password to the domain identity
keystore. This user is automatically added to the wlevsAdministrators group. All security configuration is stored using a file-based provider, by default.
All Oracle CEP examples are configured to have an administrator with username wlevs and password wlevs. When you create a new domain you specify the
administrator name and password.
By default, security is disabled in the HelloWorld example. This means that any user can start the server, deploy applications, and run all commands of the administration
tool wlevs.Admin without providing a password.
Security is enabled in the FX and AlgoTrading examples. In both examples, the user wlevs, with password wlevs, is configured to be the Oracle CEP administrator with full administrator privileges. The scripts to start the server for these examples use the appropriate arguments to pass this username and password to the java command. If you use the Deployer or wlevs.Admin utility, you must also pass this username/password pair using the appropriate arguments.
For more information, see Section 10.1.8, "Specifying User Credentials When Using the Command-Line Utilities".
10.2 Configuring Java SE Security for Oracle CEP Server
The Java SE platform defines a standards-based and interoperable security architecture that is dynamic and extensible. Security features — cryptography, authentication and
authorization, public key infrastructure, and more — are built in.
Oracle CEP supports Java SE security by using the following security policies:
Configuring Security for Oracle CEP 10-7
■ policy.xml—Defines the security policies of all the bundles that make up Oracle CEP. The first bundle set defines the policies for server-related bundles; the second bundle set defines the policies for application bundles.
■ security.policy—Defines the security policies for server startup and Web applications deployed to the Jetty HTTP server. This file also defines policies for the Oracle CEP Visualizer Web application.
Samples of the preceding files are shipped with the product and can be found in ORACLE_CEP_HOME/ocep_11.1/utils/security, where ORACLE_CEP_HOME refers to the directory in which you installed Oracle CEP, such as oracle_home.
You can enable all Java SE security features with Oracle CEP. For more information, see Section 10.1.1, "Java SE Security".
To configure Java SE security on the Oracle CEP server:
1. Stop the Oracle CEP server, if it is currently running. See Section 1.5.4, "Starting and Stopping Oracle CEP Servers".
2. Copy policy.xml and security.policy:
   ■ From: ORACLE_CEP_HOME/ocep_11.1/utils/security
   ■ To: DOMAIN_DIR/servername/config
   Where ORACLE_CEP_HOME refers to the directory in which you installed Oracle CEP such as oracle_home, DOMAIN_DIR refers to the main Oracle CEP installation directory, and servername refers to the name of your server, such as oracle_cep/user_projects/domains/mydomain/myserver/config.
3. Edit the two security policy files to suit your needs.
4. Update the server startup script for your platform, located in the DOMAIN_DIR/servername directory (startwlevs.cmd on Windows or startwlevs.sh on UNIX), by adding the following three properties to the java command that actually starts the server:
       -Djava.security.manager
       -Djava.security.policy=./config/security.policy
       -Dcom.bea.core.security.policy=./config/policy.xml
   For example (in practice, the full command should be on one line):
       %JAVA_HOME%\bin\java %DGC% %DEBUG% -Djava.security.manager
           -Djava.security.policy=./config/security.policy
           -Dcom.bea.core.security.policy=./config/policy.xml
           -Dwlevs.home=%USER_INSTALL_DIR% -Dbea.home=%BEA_HOME%
           -jar %USER_INSTALL_DIR%\bin\wlevs.jar %1 %2 %3 %4 %5 %6
5. Update the DOMAIN_DIR/servername/config/config.xml file of your Oracle CEP server and edit the Jetty configuration by adding a scratch-directory child element of the jetty element to specify the directory to which Jetty Web applications are deployed. For example:
       <jetty>
           <name>JettyServer</name>
           <network-io-name>NetIO</network-io-name>
           <work-manager-name>JettyWorkManager</work-manager-name>
           <secure-network-io-name>sslNetIo</secure-network-io-name>
           <scratch-directory>./JettyWork</scratch-directory>
       </jetty>
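One way to confirm that steps 2, 4 and 5 were all applied before restarting the server, as an added example that is not part of the Oracle guide or shipped with Oracle CEP. The function name audit_javase_security is hypothetical, and the sample server directory with its placeholder file contents is constructed for the demonstration.

```sh
#!/bin/sh
# Added example: audit one Oracle CEP server directory (DOMAIN_DIR/servername)
# for the Java SE security settings in steps 2, 4 and 5.
# Prints one line per gap and returns the number of gaps (0 = all present).
audit_javase_security() {
    dir=$1
    missing=0
    note() { echo "MISSING: $1"; missing=$((missing + 1)); }

    # Step 2: both policy files were copied into the server's config directory.
    for f in policy.xml security.policy; do
        [ -s "$dir/config/$f" ] || note "config/$f"
    done

    # Step 4: all three properties appear on non-comment lines of the script.
    for prop in '-Djava.security.manager' '-Djava.security.policy=' \
                '-Dcom.bea.core.security.policy='; do
        grep -v '^[[:space:]]*#' "$dir/startwlevs.sh" 2>/dev/null |
            grep -q -F -e "$prop" || note "$prop in startwlevs.sh"
    done

    # Step 5: config.xml gives Jetty a non-empty scratch-directory element.
    grep -q '<scratch-directory>[^<]\{1,\}</scratch-directory>' \
        "$dir/config/config.xml" 2>/dev/null || note "scratch-directory in config.xml"

    return "$missing"
}

# Constructed sample: a server directory whose start script lacks one property.
demo=$(mktemp -d)
mkdir -p "$demo/config"
echo '<policy/>' > "$demo/config/policy.xml"        # placeholder content
echo 'grant { };' > "$demo/config/security.policy"  # placeholder content
cat > "$demo/startwlevs.sh" <<'EOF'
"$JAVA_HOME/bin/java" -Djava.security.manager \
  -Djava.security.policy=./config/security.policy \
  -jar "$USER_INSTALL_DIR/bin/wlevs.jar" "$@"
EOF
cat > "$demo/config/config.xml" <<'EOF'
<jetty><name>JettyServer</name>
  <scratch-directory>./JettyWork</scratch-directory></jetty>
EOF
audit_javase_security "$demo" || echo "$? setting(s) missing"
```

The check only confirms that the settings are present; it does not evaluate whether the permissions granted in the two policy files are appropriate.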