1. Administering Oracle Identity Governance
  2. Lifecycle Management
  3. Securing a Deployment

27 Securing a Deployment

Securing an Oracle Identity Manager deployment involves authorizing and hardening, and configuring secure cookies.

This chapter describes securing an Oracle Identity Manager deployment and how to configure secure cookies. It contains the following sections:

27.1 Authorizing and Hardening

Securing an Oracle Identity Manager deployment is achieved through authorization and hardening. Authorization controls the access to various components. Hardening secures the components from potential security threats.

Table 27-1 lists the various topics that you can refer for information about securing an Oracle Identity Manager deployment:

Table 27-1 Securing a Deployment

Topic Topic Type Information Covered

Managing the Scheduler

Hardening

Scheduled tasks and scheduled jobs. Ensure that only required scheduled tasks are enabled.

Default System Properties in Oracle Identity Governance

Hardening

System properties related to system behavior. Ensure that password policies and challenge questions and answers are defined.

Configuring Secure Cookies

Hardening

Enabling Oracle Identity Manager to work over SSL.

Configuring LDAP Synchronization in the Integration Guide for Oracle Identity Management Suite

Hardening

Enabling LDAP authentication.

URL Changes Related to Oracle Identity Governance

Hardening

Steps to make the corresponding changes in Oracle Identity Manager and Oracle WebLogic configuration for any change in the integrated and dependent applications

Password Changes Related to Oracle Identity Governance

Hardening

Steps to make the changes to the password in Oracle Identity Manger and Oracle WebLogic configuration for any change in the dependent or integrated products.

Configuring SSL for Oracle Identity Governance

Hardening

Securing Oracle Identity Manager by configuring SSL.

Managing Password Policies in Performing Self Service Tasks with Oracle Identity Governance.

Hardening

Password policy configuration.

See Also:

Installation Guide for Oracle Identity and Access Management and Enterprise Deployment Guide for Oracle Identity Management for information about Oracle Identity Management software integrations and related security aspects

27.2 Configuring Secure Cookies

Configuring secure cookies can be done in the default scenario when there is no deployment plan for the applications or when updating a current deployment plan if you have explicitly configured it.

This section describes how to configure secure cookies in the default scenario when there is no deployment plan for these applications. It also describes the configuration when updating a current deployment plan if you have explicitly configured it. This section contains the following topics:

27.2.1 About Secure Cookies

You can secure cookies by setting the cookie-secure tag to true. This tag enables the browser to send the cookie back over an HTTPS connection only. This ensures that the cookie ID is secure and is only used upon HTTPS access of Oracle Identity Manager.

Oracle Identity Manager application is not configured for SSL access by default. So, the oimjsessionid cookie used by Oracle Identity Manager web applications is not secure for HTTPS access. In other words, the cookie-secure tag is not set to true. However, when SSL access to Oracle Identity Manager is enabled, it is recommended to configure oimjsessionid as a secure cookie by setting the cookie-secure tag to true. This tag enables the browser to send the cookie back over an HTTPS connection only. This ensures that the cookie ID is secure and is only used upon HTTPS access of Oracle Identity Manager. This also implies that HTTP access to Oracle Identity Manager no longer works when this feature is enabled. In addition, the url-rewriting-enabled element must be disabled.

Secure cookies need to be configured for the following Oracle Identity Manager UI pages:

  • /identity, available in OIM_HOME/apps/oracle.iam.console.identity.self-service.ear/ oracle.iam.console.identity.self-service.war

  • /sysadmin, available in OIM_HOME/apps/oracle.iam.console.identity.sysadmin.ear/ oracle.iam.console.identity.sysadmin.war

  • /oim, available in OIM_HOME/apps/oim.ear/iam-consoles-faces.war

  • /xlWebApp, available in OIM_HOME/apps/oim.ear/xlWebApp.war

Secure cookies can be configured by updating the deployment plan for each of the applications, which are iam.console.identity.self-service.ear, oracle.iam.console.identity.sysadmin.ear, and oim.ear.

27.2.2 Configuring a New Deployment Plan

Configuring a new deployment plan to secure cookies involves creating a deployment plan and using the plan to configure the deployment.

This section describes how to configure a deployment plan in the following topics:

27.2.2.1 Sample Deployment Plans

Deployment plan specific to the applications can be configured by logging into the WebLogic Administrative Console. The following are sample deployment plans with secure cookie enabled for each of the applications:

  • Following is the sample deployment plan XML for the oracle.iam.console.identity.self-service.ear application. In this deployment plan, cookie-secure is configured to true, and url-rewriting-enabled is configured to false for the oracle.iam.console.identity.self-service.war web application: 

    <?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
 
  <application-name>oracle.iam.console.identity.self-service.ear#V2.0</application-name>
  <variable-definition>
    <variable>
      <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>oracle.iam.console.identity.self-service.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>

  • The following is the sample deployment plan XML for the oracle.iam.console.identity.sysadmin.ear application. In this deployment plan, cookie-secure is configured to true, and url-rewriting-enabled is configured to false for the oracle.iam.console.identity.sysadmin.war web application. 

    <?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
 
  <application-name>oracle.iam.console.identity.sysadmin.ear#V2.0</application-name>
  <variable-definition>
    <variable>
      <name>SessionDescriptor_CookieSecure_sysadmin_13909448828173</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_sysadmin_139095392691834</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>oracle.iam.console.identity.sysadmin.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_sysadmin_13909448828173</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_sysadmin_139095392691834</name>
       <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>

  • The following is the sample deployment plan XML for the oim.ear application. In this deployment plan, cookie-secure is configured to true, and url-rewriting-enabled is configured to false for the iam-consoles-faces.war and xlWebApp.war web applications. 

    <?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
 
  <application-name>oim#11.1.2.0.0</application-name>
  <variable-definition>
    <variable>
      <name>SessionDescriptor_CookieSecure_oim_13909448828170</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_oim_139095392691831</name>
      <value>false</value>
    </variable>
    <variable>
      <name>SessionDescriptor_CookieSecure_xlWebApp_13909448828171</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_xlWebApp_139095392691832</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>iam-consoles-faces.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_oim_13909448828170</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_oim_139095392691831</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
  <module-override>
    <module-name>xlWebApp.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_xlWebApp_13909448828171</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_xlWebApp_139095392691832</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
27.2.2.2 Configuring the Deployment

To configure the deployment plan(s), copy them to the host on which the Oracle Identity Manager application is deployed. Perform the following steps for all the applications, which as iam.console.identity.self-service.ear, oracle.iam.console.identity.sysadmin.ear, and oim.ear:

  1. Login to WebLogic Administrative Console.
  2. Navigate to Deployments, and then select the application.
  3. Click Update. The Update Application Assistant page is displayed.
  4. Click Change Path against the deployment plan path configuration.
  5. Specify the path to the deployment plan XML file specific to the application, and click Next.
  6. Select the Update this application in place with new deployment plan changes option. Click Finish to complete the deployment plan configuration. Activate changes if required.

    Note:

    You can ignore the following error while updating the deployment plan for iam.console.identity.self-service.ear and oracle.iam.console.identity.sysadmin.ear: 

    'weblogic.management.DeploymentException:  The application oracle.iam.console.identity.self-service.ear#V2.0 cannot have the resource WEB-INF/weblogic.xml updated dynamically. Either: 
1.) The resource does not exist.  
 or  
2) The resource cannot be changed dynamically.
  7. Perform steps 1 through 6 for all the three applications.
  8. Restart the Oracle Identity Manager Managed Server.

27.2.3 Updating an Existing Deployment Plan

If any of the applications, iam.console.identity.self-service.ear, oracle.iam.console.identity.sysadmin.ear, and oim.ear have an existing deployment plan, then you must update it to configure cookie-secure and url-rewriting-enabled.

To do so, locate the corresponding deployment plan XML file, and edit it to add the highlighted content (in bold), as shown in the sample deployment plans in Configuring a New Deployment Plan.

For example, to configure cookie-secure for oracle.iam.console.identity.self-service.war web application, add the highlighted content as follows: 

<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
 
  <application-name>oracle.iam.console.identity.self-service.ear#V2.0</application-name>
  …………
  …………
  <variable-definition>
   …………
    <variable>
      <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
      <value>false</value>
    </variable>
    …………
  </variable-definition>
  …………
  …………
  <module-override>
    <module-name>oracle.iam.console.identity.self-service.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      ………..
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
      ………
    </module-descriptor>
  </module-override>
</deployment-plan>

Save the updated the deployment plan XML file, and then restart the Oracle Identity Manager Managed Server for the changes to take effect.