7 Life Cycle of Security Artifacts
This chapter explains the security artifacts that can be seeded in the security store when you create or extend a WebLogic Server domain. It also describes how to backup and recover security stores.
This chapter includes the following sections:
Note:
Procedures for upgrading security artifacts from earlier releases to 14.1.2.0.0 and for upgrading a shared security store are described in Securing Datastores in Planning an Upgrade of Oracle Fusion Middleware.- How Security Artifacts Are Seeded
- About Fusion Middleware Domains
- Creating Fusion Middleware Domains
- Layered Component Security Artifacts
- Backing Up and Recovering the Security Store
Parent topic: OPSS Services
How Security Artifacts Are Seeded
In 11g domains, the specification of product-specific security artifacts is bundled in the application Enterprise ARchive (EAR) file and those artifacts are migrated to the security store at application deployment, provided the deployment descriptors are set appropriately.
In 12c domains, the specification of product-specific security artifacts is configured in a product template, which provides a way to seed those artifacts to the security store when the domain is created.
See also:
Parent topic: Life Cycle of Security Artifacts
About Fusion Middleware Domains
Fusion Middleware domains are created or extended with the Java Required Files (JRF) template. The template specifies the provisioning of artifacts in the security store. Specifically, the process creates:
-
OPSS security artifacts.
-
The
cwallet.sso
bootstrap file seeded with an encryption key. -
Keystores, including the truststore, a demonstration keystore, and a domain identity keystore used by Oracle WebLogic Server.
-
A trust service wired to the truststore.
-
Three data sources: one for the OPSS schema, one for the OPSS audit viewer schema, and one for the OPSS audit append schema.
-
Configurations for database security and audit stores.
The JRF template does not create Managed Servers. In Fusion Middleware domains, all resources are targeted only to the Administration Server. If, at a later time, you add a Managed Server to the domain, then you must apply the JRF template to the target resources to that Managed Server also. To target OPSS and audit data sources to a Managed Servers after domain reconfiguration, use the applyJRF
WebLogic Scripting Tool (WLST) command.
See also:
Layered Component Security Artifacts
applyJRF in WLST Command Reference for Infrastructure Components
Parent topic: Life Cycle of Security Artifacts
Creating Fusion Middleware Domains
Production Fusion Middleware domains require database security stores. The database can be a new database or a database associated with some other Fusion Middleware domain.
The following sections explain how to create Fusion Middleware domains:
Parent topic: Life Cycle of Security Artifacts
Using a New Database Instance
To create or expand Fusion Middleware domains associated with a new database:
Parent topic: Creating Fusion Middleware Domains
Sharing a Database Instance
The following procedure uses WLST commands only. To create an expanded Fusion Middleware domain associated with a domain database:
Note:
-
You can also use this script to create other Fusion Middleware domains like
domain1
. To do so, delete the lines starting withsetSharedSecretStoreWithPassword
from the script. -
Be sure to backup the encryption key for the domain using the
exportEncryptionKey
WLST command and keep it in a secure location in case the domain fails and needs to be recreated.
See also:
exportEncryptionKey in WLST Command Reference for Infrastructure Security
Parent topic: Creating Fusion Middleware Domains
Layered Component Security Artifacts
To streamline the seeding and processing of security artifacts, components consuming OPSS must provide a template during domain creation or extension. This template defines and bundles artifacts specific to just the components that are required for the component's execution, and includes the files listed in Table 7-1.
Table 7-1 Files in a Component Template Used by OPSS
File name | Description | Location relative to the template root folder |
---|---|---|
|
Required. Specifies the life cycle of security artifacts. |
./security/component-security-info.xml |
|
Optional. Specifies policies. |
./security/authorization/jazn-data.xml |
|
Optional. Specifies the keystore metadata. |
./security/keystore/keystore.xml |
|
Optional. Specifies the credential metadata used by the component. |
./security/credential/credentials.xml |
|
Optional. Specifies the audit data. |
./security/audit/component_events.xml |
|
Optional. Specifies the localized audit data. |
./security/audit/component_events_xlf.jar |
OPSS security artifacts bundled with a product template require the component-security-info.xml
file that indicates how artifacts are handled.
Parent topic: Life Cycle of Security Artifacts
Backing Up and Recovering the Security Store
This section describes how to back up and recover the security store.
This section contains the following topics:
Note:
You can use the migrateSecurityStore
WLST command to back up and recover security data. To back up security data, migrate security data to a file store. To recover it, migrate the file store to the target security store.
- Configuration Files for Backup
- Backing Up and Recovering a Database-Based Security Store
- Backing Up and Recovering LDAP Security Stores
- Recommendations
Parent topic: Life Cycle of Security Artifacts
Configuration Files for Backup
In addition to backing up the security store, you must also back up the following configuration and data files:
DOMAIN_HOME/config/config.xml DOMAIN_HOME/config/fmwconfig/jps-config.xml DOMAIN_HOME/config/fmwconfig/jps-config-jse.xml DOMAIN_HOME/config/fmwconfig/cwallet.sso DOMAIN_HOME/config/fmwconfig/keystores.cml DOMAIN_HOME/config/fmwconfig/audit-store.xml DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml DOMAIN_HOME/config/fmwconfig/ids-config.xml DOMAIN_HOME/config/fmwconfig/mbeans/jps_mbeans.xml DOMAIN_HOME/config/fmwconfig/bootstrap/cwallet.sso
In these path names, DOMAIN_HOME represents the directory in which you created your domain. The default domain home location is ORACLE_HOME/user_projects/domains/domain_name.
Parent topic: Backing Up and Recovering the Security Store
Backing Up and Recovering a Database-Based Security Store
The procedure in this section uses Oracle Database Utility Recovery Manager (RMAN), a tool used to automate backup strategies and recoveries, and to duplicate databases.
Use the following procedure to back up a database-based security store on host A to a database-based security store on host B. The security store on host A has the jdbc
URL set to proddb
, and the security store in host B has the jdbc
URL set to testdb
. The procedure sets the domain to work with the cloned database-based security store on host B.
To back up the database-based security store:
-
Set up the
testdb
database on host B:-
Create the
inittestdb.ora
file to contain the following lines:# db_name=testdb #
-
Add
testdb
to thelistener.ora
file:SID_LIST_LISTENER = (SID_LIST=(SID_DESC=(SID_NAME=testdb)(GLOBAL_DBNAME=testdb)(ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_1))
-
Add
testdb/proddb
to thetnsnames.ora
file:proddb=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hostA.com)(PORT=XXXX))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME= proddb)))
testdb=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=hostB.com)(PORT=YYYY))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=testdb)))
-
Restart the listener:
lsnrctl stop, lsnrctl start
-
Start the new instance using the
pfile
file in thenomount
mode:$ export ORACLE_SID=testdb
$ sqlplus / as sysdba
SYS@testdb SQL>startup nomount pfile=/scratch/rdbms/dbs/inittestdb.ora
-
-
Use RMAN to clone the
proddb
database to thetestdb
database:-
Add add
testdb/proddb
to thetnsnames.ora
file:proddb=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=myhostA.com)(PORT=XXXX))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME= proddb)))
testdb=(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=myhostB.com)(PORT=YYYY))(CONNECT_DATA=(SERVER=DEDICATED)(SERVICE_NAME=testdb)))
-
Make sure that the
proddb
database is using thespfile
file. If it is not, then generate a binaryspfile
from theinit
file by login in as thesysdba
user and runningcreate spfile from pfile
. Then, restart the server. -
Restart the listener:
lsnrctl stop, lsnrctl start
-
Decide how to generate the names for the duplicate database files. Specifically, how to name the control files, data files, online redo log files, and temporary files.
For example, if in the
proddb
database the files on host A are in the directory/oradata/proddb
, and you want to saved them in the/oradata/testdb
directory on host B, then you would specifyDB_FILE_NAME_CONVERT
/proddb, /testdb
, as in the sequence below.Run RMAN to clone the
proddb
database to thetestdb
database:$rman RMAN> CONNECT TARGET SYS@proddb RMAN> CONNECT AUXILIARY SYS@testdb RMAN> DUPLICATE TARGET DATABASE TO testdb FROM ACTIVE DATABASE DB_FILE_NAME_CONVERT '/proddb','/testdb' SPFILE PARAMETER_VALUE_CONVERT '/proddb','/testdb' SET LOG_FILE_NAME_CONVERT '/proddb','/testdb';
Make sure that RMAN completes with no errors.
-
-
Verify that the
testdb
database works as expected by switching your domain to use the backed up database as the security store:-
Stop WebLogic Server.
-
Change the
jdbc
URL fromproddb
totestdb
in the{domain}/config/fmwconfig/jps-config.xml,
{domain}/config/fmwconfig/jps-config-jse.xml,
and{domain}/config/jdbc/*xml
files. -
Restart WebLogic Server.
-
Ensure that the domain security works as expected.
-
Parent topic: Backing Up and Recovering the Security Store
Backing Up and Recovering LDAP Security Stores
LDAP security store is not recommended for 12c release. It may be used in environments upgraded from 11g.
Use the procedure in this section to back up a source LDAP store to a target LDAP store.
See also:
Administering Oracle Internet Directory:
Parent topic: Backing Up and Recovering the Security Store
Recommendations
Oracle recommends that you back up the security store and the configuration files periodically, and when any of the following events occurs:
-
After first install.
-
Before and after an upgrade.
-
Any time you run the
rolloverEncryptionKey
WLST command. -
After you create new security data such as policies, credentials, or keys and keystores.
For more information on the configuration files, see Configuration Files for Backup.
Parent topic: Backing Up and Recovering the Security Store