5 Integrating EDQ with a Fusion Middleware Credential Store
This chapter describes how to use an Oracle Fusion Middleware credential store with EDQ running on WebLogic.
This chapter includes the following sections:
- Overview of the Credential Store
  EDQ supports the use of the Oracle Fusion Middleware credential store to hide user names and passwords that are used by EDQ to connect to protected resources, such as a JMS broker or LDAP server.
- Configuring the Credential Store for EDQ
  To configure a credential store, use Oracle Enterprise Manager Fusion Middleware Control.
- Specifying the EDQ Credential Key in Properties Files
  Once you have configured an EDQ credential map in Fusion Middleware Control, use the .cred.key property to specify the key name in place of the credential in properties files.
- Examples of Specifying a Key Name
  This section provides examples of specifying a key name.
Overview of the Credential Store
EDQ supports the use of the Oracle Fusion Middleware credential store to hide user names and passwords that are used by EDQ to connect to protected resources, such as a JMS broker or LDAP server.
These credentials otherwise would be exposed as clear-text in the EDQ properties files. When a credential store is used, a user name and password are replaced by a key name that serves as an alias for the credential whenever a login is required.
Configuring the Credential Store for EDQ
To configure a credential store, use Oracle Enterprise Manager Fusion Middleware Control.
For more information about using this browser-based console, see Administering Oracle Fusion Middleware.
In a credential store, a credential is identified by a credential map. The credential map consists of a map and one or more keys. In EDQ, the default map name is edq. The key name is specified by the person who is creating the credential map and serves as the "alias" for the credential in the properties files. The person who creates the credential map must be an Oracle Fusion Middleware administrator.
To Configure a Credential Store for EDQ
- Log in to Oracle Enterprise Manager Fusion Middleware Control as an administrator.
- Navigate to Domain > Security > Credentials to display the Credentials page.
- Click Create Map to display the Create Map dialog. Once you create a map, you can create multiple keys for it at the same time, or you can add more keys at a later date.
- Create a map named edq, and then click OK. The edq map name is displayed in the table.
- Click Create Key to display the Create Key dialog.
- Select the following in this dialog:
  - Select the edq map from the Select Map menu.
  - Enter a name for the key in the Key text box. This is the key name that will be entered in the properties files to replace the credential.
  - Select Password from the Type menu.
  - Enter the user name for the EDQ user in the User Name field and enter the password for that user in the Password field. Confirm the password in the Confirm Password field.
  - Optionally, you can add a description of this credential.
- Click OK to return to the Credentials page. The new key is displayed under the edq map icon.
Specifying the EDQ Credential Key in Properties Files
Once you have configured an EDQ credential map in Fusion Middleware Control, use the .cred.key property to specify the key name in place of the credential in properties files.
prefix.cred.key = keyname
username and password entries:
prefix.username = username
prefix.password = password
The following shows an entry for a credential for user "myuser", followed by an entry for the same credential as represented by its key name.
Non-secured Credential in director.properties
This example shows the regular way of using the username and password properties to specify the actual user name and password.
sccs.vcs.username = myuser
sccs.vcs.password = mypassword1234
Secured Credential in director.properties
This example uses the cred.key property to specify a key name from the credential store in place of the login credential.
sccs.vcs.cred.key = mykey1
Secured Password-Only Entry
In cases where only a password is required, for example if creating a keystore for JMX over SSL, append the .cred.key property to the property name. The following is an example:
management.ssl.km.storepw.cred.key = mykey1
Examples of Specifying a Key Name
This section provides examples of specifying a key name.
These examples show additional ways to specify credentials by means of a key name.
Connection to a JMS Broker
This example shows a realtime bucket definition in which a credential is required to connect to a JMS broker.
The following is the unsecured way of specifying the credential:
<messengerconfig>
…
username = myuser
password = mypassword1234
…
</messengerconfig>
…
The following is the secure specification using the key name:
…
<messengerconfig>
…
cred.key = mykey1
…
</messengerconfig>
…
Connection to a JNDI Store
This example uses a credential to connect to a JNDI store.
…
<messengerconfig>
…
java.naming.security.principal = myuser
java.naming.security.credentials = mypassword1234
…
</messengerconfig>
…
jndi prefix is required, so the .cred.key is appended to it.
…
<messengerconfig>
…
jndi.cred.key = mykey1
…
</messengerconfig>
…
Connecting to an LDAP Server
This example shows the correct syntax for specifying a connection to an LDAP server in the login.properties file.
myrealm.ldap.user = myuser
myrealm.ldap.pw = mypassword
myrealm.ldap.cred.key = mykey1
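One way to check that no clear-text credential remains in a properties file after moving to the credential store. This is an added example, not part of the Oracle documentation or of EDQ; the function name, the rule list and the sample input are assumptions of this example, built from the property names shown in this chapter.

```python
import re

# Clear-text property shapes shown in this chapter, with the key-based
# property that replaces each. The rule list is this example's assumption.
RULES = [
    (re.compile(r"^java\.naming\.security\.(?:principal|credentials)$"), "jndi.cred.key"),
    (re.compile(r"^(?P<p>(?:.+\.)?)(?:username|password)$"), r"\g<p>cred.key"),
    (re.compile(r"^(?P<p>.+\.)(?:user|pw)$"), r"\g<p>cred.key"),
    (re.compile(r"^(?P<p>.+\.storepw)$"), r"\g<p>.cred.key"),
]

def find_cleartext_credentials(text):
    """Return (line_no, property, replacement) for each clear-text entry.

    Values are never returned, so the report itself leaks no secrets.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#!<" or "=" not in line:
            continue  # comments, XML tags and elisions are not properties
        name, value = (part.strip() for part in line.split("=", 1))
        if not value:
            continue  # an empty value holds no credential
        for pattern, template in RULES:
            match = pattern.match(name)
            if match:
                findings.append((line_no, name, match.expand(template)))
                break
    return findings

# Constructed sample input: mixes secured and unsecured forms from this chapter.
SAMPLE = """\
# constructed sample, not a real EDQ configuration
sccs.vcs.username = myuser
sccs.vcs.password = mypassword1234
management.ssl.km.storepw.cred.key = mykey1
java.naming.security.principal = myuser
java.naming.security.credentials = mypassword1234
myrealm.ldap.user = myuser
myrealm.ldap.pw = mypassword
jndi.cred.key = mykey1
management.ssl.km.storepw = changeit
"""

if __name__ == "__main__":
    for line_no, name, replacement in find_cleartext_credentials(SAMPLE):
        print(f"line {line_no}: {name} -> use {replacement}")
```

Entries that already end in .cred.key are not reported, so an empty result on director.properties or login.properties means every credential form covered by the rule list has been replaced by a key name.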