5 Manage Security and Audit Settings
This chapter includes the following sections:
- Manage Audit Policies with Fusion Middleware Control
- Configure the Audit Store with Fusion Middleware Control
- Manage Application Policies with Fusion Middleware Control
- Manage Application Roles with Fusion Middleware Control
- Manage System Policies with Fusion Middleware Control
- Manage Credentials with Fusion Middleware Control
- Manage Keystores with the Keystore Service
- Manage Certificates with the Keystore Service
Manage Audit Policies with Fusion Middleware Control
Fusion Middleware Audit Framework provides a centralized audit framework for the middleware family of products. Audit settings for Java components like Oracle Platform Security Services, Oracle Web Services Manager, Oracle Web Services, and other components are handled at the domain level as part of security administration.
You can perform the following tasks on this page:
- View and update audit policies for a component
- Select audit events for the component
- Customize audit policies
For more information about managing audit policies, see Managing Audit Policies with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services.
Configure the Audit Store with Fusion Middleware Control
By default, security audit data is saved in a file. It is recommended that you configure auditing to use a database store to provide better management of the audit data.
To configure a database for the audit store (applies to Java components only):
- Verify that you have installed the audit schema in the database, using the Repository Creation Utility (RCU).
- Create a Data Source.
- View the audit store settings for the domain.
- Configure the domain so it uses the database as the audit store.
To view audit reports:
- Configure a database for the audit store as explained above.
- Set up Oracle Business Intelligence Publisher for audit reports.
- Analyze the audit data that you have gathered.
Note: Using the same database for Java components and system components ensures that your audit reports can display the audit records for all components together.
For more information about auditing, see the following topics in Securing Applications with Oracle Platform Security Services:
Manage Application Policies with Fusion Middleware Control
An application policy is a functional policy that specifies a set of permissions that a principal is allowed to perform within the application, such as viewing web pages or modifying reports.
An application policy uses:
- Principals as grantees, and must have at least one principal.
- Either one or more permissions, or an entitlement, but not both.
Policies that use an entitlement are called entitlement-based policies; policies that use one or more permissions are called resource-based policies.
You can perform the following tasks on this page:
- Create an application policy
- Create an application policy based on an existing one
- Edit an application policy
- Display application policies matching a pattern
For more information about managing application policies, see Managing Application Policies in Securing Applications with Oracle Platform Security Services.
Manage Application Roles with Fusion Middleware Control
An application role is a collection of users, groups, and other application roles; it can be hierarchical. Application roles are defined by application policies and not necessarily known to a Java EE container. Application roles can be many-to-many mapped to external roles. For example, the external group employee (stored in the identity store) can be mapped to the application role helpdesk service request (in one stripe) and to the application role self service HR (in another stripe).
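The following added example (not Oracle code and not part of the original documentation) models the mapping described above to show how one external group can reach roles in several stripes, including roles gained indirectly through role hierarchy. The stripe names, the role helpdesk reader, the role HR admin, and the user alice are assumptions made for illustration; the model treats role membership as transitive.

```python
"""Simplified model of application-role resolution (illustrative, not OPSS code)."""

# ROLE_MEMBERS[stripe][role] = set of direct members (constructed sample data).
# A member is ("user", name), ("group", name) or ("approle", name).
ROLE_MEMBERS = {
    "helpdesk_app": {  # stripe name is an assumption
        "helpdesk service request": {("group", "employee")},
        # Hypothetical parent role: its member is another application role.
        "helpdesk reader": {("approle", "helpdesk service request")},
    },
    "hr_app": {  # stripe name is an assumption
        "self service HR": {("group", "employee")},
        "HR admin": {("user", "alice")},  # hypothetical role and user
    },
}


def effective_roles(stripe, user=None, groups=(), role_members=ROLE_MEMBERS):
    """Return every application role in `stripe` held directly or via hierarchy."""
    held = {("group", g) for g in groups}
    if user is not None:
        held.add(("user", user))
    roles = set()
    changed = True
    # Fixpoint loop: each pass adds roles reachable from principals already
    # held. A role is added at most once, so cyclic hierarchies terminate.
    while changed:
        changed = False
        for role, members in role_members.get(stripe, {}).items():
            if role not in roles and members & held:
                roles.add(role)
                held.add(("approle", role))
                changed = True
    return roles


def group_reach(group, role_members=ROLE_MEMBERS):
    """Review helper: every (stripe, role) that one external group confers."""
    return sorted(
        (stripe, role)
        for stripe in role_members
        for role in effective_roles(stripe, groups=[group], role_members=role_members)
    )


if __name__ == "__main__":
    for stripe, role in group_reach("employee"):
        print(f"{stripe}: {role}")
```

Reviewing the output of a helper like group_reach before changing an external group's membership shows which application roles, in which stripes, the change will affect.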
You can perform the following tasks on this page:
- Create an application role
- Create an application role based on an existing role
- Edit an application role
- Display application roles matching a pattern
For more information about managing application roles, see Managing Application Roles in Securing Applications with Oracle Platform Security Services.
Manage System Policies with Fusion Middleware Control
A system policy is a policy that specifies a set of permissions that a principal or a code source is allowed to perform, and it holds for an entire domain. System policies grant privileges to code sources and principals, while application policies can grant privileges to principals only.
You can perform the following tasks on this page:
- Create a system policy
- Create a system policy based on an existing one
- Edit a system policy
- Display system policies matching a pattern
For more information about managing system policies, see Managing System Policies in Securing Applications with Oracle Platform Security Services.
Manage Credentials with Fusion Middleware Control
Oracle Platform Security Services supports the following types of credentials according to the data they contain:
- A password credential encapsulates a user name and a password.
- A generic credential encapsulates any customized data or arbitrary token, such as a symmetric key.
A credential is uniquely identified by a map name and a key name. A map can hold several keys and, typically, the map name corresponds with the name of an application; all credentials with the same map name define a logical group of credentials, such as the credentials used by the application. The pair of map and key names must be unique for all entries in a credential store.
There is no limit to the number or kind of characters you can set in a password, except that it must be non-empty and non-null. The maximum size of a generic credential in an LDAP security store is 4K.
Oracle Wallet is the default file-based credential store, and it can store X.509 certificates; production environments typically use either an LDAP-based or a DB-based credential store.
You can perform the following tasks on this page:
- Create a credential map
- Add a key to a credential map
- Edit a key
- Display credentials matching a pattern
For details about managing credentials, see Managing Credentials in Securing Applications with Oracle Platform Security Services.
Manage Keystores with the Keystore Service
The OPSS Keystore Service allows managing keys and certificates for SSL, message security, encryption, and similar tasks. Use this service to create and maintain keystores that contain keys, certificates, and other artifacts.
Typical tasks on a keystore are as follows:
- Create a keystore in the context of an application stripe, directly or by importing a keystore file from the file system.
- Update or delete keystores; updating a password-protected keystore requires that the keystore password be entered.
- Change a keystore password.
You can perform the following tasks on this page:
- Create a keystore
- Delete a keystore
- Edit the keystore password
For details about managing keystores, see the following topics in Managing Keystores with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services:
- Creating a keystore
- Deleting a keystore
- Changing a keystore Password
Manage Certificates with the Keystore Service
Keys and certificates reside in a keystore within an application stripe; there may be more than one keystore in an application stripe, each with a unique name. Each keystore contains asymmetric keys, symmetric keys, and trusted certificates.
You can perform the following tasks on this page:
- Create a key pair
- Generate a Certificate Signing Request
- Export and import a certificate
- Change a certificate password
- Delete a certificate
For details about managing certificates, see the following topics in Managing Certificates with Fusion Middleware Control in Securing Applications with Oracle Platform Security Services:
- Generating a Keypair
- Generating a CSR Certificate
- Importing a Certificate
- Exporting a Certificate
- Changing a Certificate Password
- Deleting a Certificate