27 Securing a Deployment
This chapter describes securing an Oracle Identity Manager deployment and how to configure secure cookies. It contains the following sections:
27.1 Authorizing and Hardening
Securing an Oracle Identity Manager deployment is achieved through authorization and hardening. Authorization controls the access to various components. Hardening secures the components from potential security threats.
Table 27-1 lists the topics that you can refer to for information about securing an Oracle Identity Manager deployment. The topic names that were links to other sections are not preserved here; the two topics that point to other guides are given in full.

Table 27-1 Securing a Deployment

Topic | Topic Type | Information Covered
---|---|---
 | Hardening | Scheduled tasks and scheduled jobs. Ensure that only required scheduled tasks are enabled.
 | Hardening | System properties related to system behavior. Ensure that password policies and challenge questions and answers are defined.
 | Hardening | Enabling Oracle Identity Manager to work over SSL.
Configuring LDAP Synchronization in the Integration Guide for Oracle Identity Management Suite | Hardening | Enabling LDAP authentication.
 | Hardening | Steps to make the corresponding changes in Oracle Identity Manager and Oracle WebLogic configuration for any change in the integrated and dependent applications.
 | Hardening | Steps to make the changes to the password in Oracle Identity Manager and Oracle WebLogic configuration for any change in the dependent or integrated products.
 | Hardening | Securing Oracle Identity Manager by configuring SSL.
Managing Password Policies in Performing Self Service Tasks with Oracle Identity Governance | Hardening | Password policy configuration.
See Also: Installation Guide for Oracle Identity and Access Management and Enterprise Deployment Guide for Oracle Identity Management for information about Oracle Identity Management software integrations and related security aspects.
27.2 Configuring Secure Cookies
Secure cookies can be configured in two situations: in the default scenario, where the applications have no deployment plan yet, and when you update an existing deployment plan that you have explicitly configured. This section describes both and contains the following topics:
27.2.1 About Secure Cookies
You can secure cookies by setting the cookie-secure tag to true. This tag makes the browser send the cookie back over an HTTPS connection only, so the session cookie is never transmitted over plain HTTP and is used only for HTTPS access to Oracle Identity Manager.

By default, the Oracle Identity Manager application is not configured for SSL access, so the oimjsessionid cookie used by the Oracle Identity Manager web applications is not configured as a secure cookie; in other words, the cookie-secure tag is not set to true. When SSL access to Oracle Identity Manager is enabled, however, it is recommended to configure oimjsessionid as a secure cookie by setting the cookie-secure tag to true. This also implies that HTTP access to Oracle Identity Manager no longer works when this feature is enabled. In addition, the url-rewriting-enabled element must be disabled, so that the session ID is carried only in the secure cookie and never in the URL.
Secure cookies need to be configured for the following Oracle Identity Manager UI pages:

- /identity, available in OIM_HOME/apps/oracle.iam.console.identity.self-service.ear/oracle.iam.console.identity.self-service.war
- /sysadmin, available in OIM_HOME/apps/oracle.iam.console.identity.sysadmin.ear/oracle.iam.console.identity.sysadmin.war
- /oim, available in OIM_HOME/apps/oim.ear/iam-consoles-faces.war
- /xlWebApp, available in OIM_HOME/apps/oim.ear/xlWebApp.war

Secure cookies are configured by updating the deployment plan of each of the applications, which are oracle.iam.console.identity.self-service.ear, oracle.iam.console.identity.sysadmin.ear, and oim.ear.
27.2.2 Configuring a New Deployment Plan
Configuring a new deployment plan to secure cookies involves creating a deployment plan and using the plan to configure the deployment.
This section describes how to configure a deployment plan in the following topics:
27.2.2.1 Sample Deployment Plans
Deployment plans specific to the applications can be configured by logging in to the WebLogic Administration Console. The following are sample deployment plans with secure cookies enabled for each of the applications:

- The following is the sample deployment plan XML for the oracle.iam.console.identity.self-service.ear application. In this deployment plan, cookie-secure is configured to true, and url-rewriting-enabled is configured to false for the oracle.iam.console.identity.self-service.war web application:

```xml
<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
  <application-name>oracle.iam.console.identity.self-service.ear#V2.0</application-name>
  <variable-definition>
    <variable>
      <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>oracle.iam.console.identity.self-service.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
```

- The following is the sample deployment plan XML for the oracle.iam.console.identity.sysadmin.ear application. In this deployment plan, cookie-secure is configured to true, and url-rewriting-enabled is configured to false for the oracle.iam.console.identity.sysadmin.war web application:

```xml
<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
  <application-name>oracle.iam.console.identity.sysadmin.ear#V2.0</application-name>
  <variable-definition>
    <variable>
      <name>SessionDescriptor_CookieSecure_sysadmin_13909448828173</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_sysadmin_139095392691834</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>oracle.iam.console.identity.sysadmin.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_sysadmin_13909448828173</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_sysadmin_139095392691834</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
```

- The following is the sample deployment plan XML for the oim.ear application. In this deployment plan, cookie-secure is configured to true, and url-rewriting-enabled is configured to false for the iam-consoles-faces.war and xlWebApp.war web applications:

```xml
<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
  <application-name>oim#11.1.2.0.0</application-name>
  <variable-definition>
    <variable>
      <name>SessionDescriptor_CookieSecure_oim_13909448828170</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_oim_139095392691831</name>
      <value>false</value>
    </variable>
    <variable>
      <name>SessionDescriptor_CookieSecure_xlWebApp_13909448828171</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_xlWebApp_139095392691832</name>
      <value>false</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-name>iam-consoles-faces.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_oim_13909448828170</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_oim_139095392691831</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
  <module-override>
    <module-name>xlWebApp.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_xlWebApp_13909448828171</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_xlWebApp_139095392691832</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
```
27.2.2.2 Configuring the Deployment
To configure the deployment plans, copy them to the host on which the Oracle Identity Manager application is deployed. Then perform the following steps for each of the applications, which are oracle.iam.console.identity.self-service.ear, oracle.iam.console.identity.sysadmin.ear, and oim.ear:
27.2.3 Updating an Existing Deployment Plan
If any of the applications oracle.iam.console.identity.self-service.ear, oracle.iam.console.identity.sysadmin.ear, and oim.ear already has a deployment plan, then you must update that plan to configure cookie-secure and url-rewriting-enabled.

To do so, locate the corresponding deployment plan XML file and edit it to add the cookie-secure and url-rewriting-enabled variable definitions and variable assignments shown in the sample deployment plans in Configuring a New Deployment Plan (they were highlighted in bold in the original).

For example, to configure cookie-secure for the oracle.iam.console.identity.self-service.war web application, add the variable and variable-assignment elements shown here among the existing content of the plan (represented by the ellipses):

```xml
<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/deployment-plan http://xmlns.oracle.com/weblogic/deployment-plan/1.0/deployment-plan.xsd">
  <application-name>oracle.iam.console.identity.self-service.ear#V2.0</application-name>
  …………
  …………
  <variable-definition>
    …………
    <variable>
      <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
      <value>true</value>
    </variable>
    <variable>
      <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
      <value>false</value>
    </variable>
    …………
  </variable-definition>
  …………
  …………
  <module-override>
    <module-name>oracle.iam.console.identity.self-service.war</module-name>
    <module-type>war</module-type>
    <module-descriptor external="false">
      <root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      ………..
      <variable-assignment>
        <name>SessionDescriptor_CookieSecure_identity_13909448828172</name>
        <xpath>/weblogic-web-app/session-descriptor/cookie-secure</xpath>
      </variable-assignment>
      <variable-assignment>
        <name>SessionDescriptor_UrlRewritingEnabled_identity_139095392691833</name>
        <xpath>/weblogic-web-app/session-descriptor/url-rewriting-enabled</xpath>
      </variable-assignment>
      ………
    </module-descriptor>
  </module-override>
</deployment-plan>
```

Save the updated deployment plan XML file, and then restart the Oracle Identity Manager Managed Server for the changes to take effect.
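Whether the plan is new or existing, the edit described in Configuring a New Deployment Plan and Updating an Existing Deployment Plan amounts to two variable definitions plus two variable assignments per web module. The following Python helper, added here as an illustration and not part of the Oracle documentation or product, performs that edit on a deployment plan XML string (creating the variable-definition, module-override and assignments when absent, reusing existing variable names and overwriting weak values when present) and reads a module's session-descriptor settings back for auditing. The namespace, element names and xpaths are those of the sample plans above; the helper names, the variable-name suffix argument and the constructed SAMPLE_PLAN are assumptions.

```python
import xml.etree.ElementTree as ET

NS = "http://xmlns.oracle.com/weblogic/deployment-plan"  # deployment-plan namespace, as in the sample plans
ET.register_namespace("", NS)
Q = lambda tag: f"{{{NS}}}{tag}"
SD = "/weblogic-web-app/session-descriptor/"  # xpath prefix of the two settings this chapter changes
# Hardened values: weblogic.xml leaf element -> (variable-name stem in the samples' style, value).
REQUIRED = {"cookie-secure": ("CookieSecure", "true"), "url-rewriting-enabled": ("UrlRewritingEnabled", "false")}
# Constructed input: a plan that so far holds only application-name, with no variables or overrides.
SAMPLE_PLAN = f'<deployment-plan xmlns="{NS}"><application-name>oim#11.1.2.0.0</application-name></deployment-plan>'

def _add(parent, tag, kids=(), **attrs):
    """Append a namespaced <tag> to parent, give it the text-only children kids, and return it."""
    el = ET.SubElement(parent, Q(tag), attrs)
    for kid, text in kids:
        ET.SubElement(el, Q(kid)).text = text
    return el

def _find(parent, tag, child, value):
    """First <tag> below parent whose <child> text equals value, else None."""
    return next((e for e in parent.iter(Q(tag)) if e.findtext(Q(child)) == value), None)

def secure_session_cookies(plan_xml, module_name, suffix):
    """Assign cookie-secure=true and url-rewriting-enabled=false to module_name's WEB-INF/weblogic.xml."""
    root = ET.fromstring(plan_xml)
    var_def = root.find(Q("variable-definition"))
    if var_def is None:  # schema order is application-name, variable-definition, module-override
        root.insert(1, var_def := ET.Element(Q("variable-definition")))
    mo = _find(root, "module-override", "module-name", module_name)
    if mo is None:
        mo = _add(root, "module-override", [("module-name", module_name), ("module-type", "war")])
        _add(mo, "module-descriptor", [("root-element", "weblogic-web-app"), ("uri", "WEB-INF/weblogic.xml")], external="false")
    md = mo.find(Q("module-descriptor"))
    for leaf, (stem, value) in REQUIRED.items():
        va = _find(md, "variable-assignment", "xpath", SD + leaf)
        if va is None:  # no assignment for this xpath yet: mint a variable name in the samples' style
            va = _add(md, "variable-assignment", [("name", f"SessionDescriptor_{stem}_{suffix}"), ("xpath", SD + leaf)])
        var = _find(var_def, "variable", "name", name := va.findtext(Q("name")))
        if var is None:
            var = _add(var_def, "variable", [("name", name), ("value", None)])
        var.find(Q("value")).text = value  # overwrites a weak existing value such as cookie-secure=false
    return ET.tostring(root, encoding="unicode")

def session_settings(plan_xml, module_name):
    """Audit helper: {leaf: value} for module_name's session-descriptor assignments ({} if no override)."""
    root = ET.fromstring(plan_xml)
    values = {v.findtext(Q("name")): v.findtext(Q("value")) for v in root.iter(Q("variable"))}
    mo = _find(root, "module-override", "module-name", module_name)
    return {xp[len(SD):]: values.get(va.findtext(Q("name"))) for va in mo.iter(Q("variable-assignment"))
            if (xp := va.findtext(Q("xpath")) or "").startswith(SD)} if mo is not None else {}
```

Run secure_session_cookies once per web module listed in About Secure Cookies, then use session_settings on the saved plan to confirm both values before restarting the Managed Server.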