Friday, August 7, 2009

Deploying a Secure Application with EM

As a reader of this blog, you probably know that Oracle Platform Security Services (OPSS) supports the application life cycle from design, to deployment, to monitoring, etc. Now security configuration management is also exposed through Enterprise Manager - Fusion Middleware Control (names, names, when will we use shorter names? But let me not get off track). It allows an administrator to control how security-related artifacts (policies, credentials, etc.) are deployed to the target server.

The feature is documented in the Oracle Fusion Middleware Security Guide (section 7.2.1), but the doc is somewhat awkward. I recently had an email exchange with a customer about this, and I thought that while we improve the doc, the clarification might be of interest to others.

The following three application security artifacts are of interest during the application deployment process.

  1. Identities - This means users and groups, plus the mapping of application roles to groups/users. These are defined by a developer during the application development process within JDev.
    • In most scenarios, the identities should not be migrated when deploying an application to a remote WLS (it is controlled with the check box, ).
      • Mapping application roles to enterprise groups/users in a remote WLS environment is a post-deployment task to be done by an administrator.
  2. Policies - These include application roles and the permissions granted to application roles.
    • When deploying the app for the first time, the policies should always be migrated to the policy store; this is the option controlled by the "Append" radio button.
    • Upon re-deploying the app, to preserve any application policy modifications made in the policy store, the admin should choose the "Ignore" radio button.
  3. Credentials - These are username/password tuples used by the applications.
    • The radio button "Append" means credentials packaged with the application will be deployed to the remote WLS's credential store. If a credential with the same map and key names already exists in the domain credential store, the migration process will skip that credential and continue with the others.
    • The radio button "Ignore" means credentials packaged with the application will not be deployed to the remote WLS's credential store. In this case, the administrator is expected to create a credential valid for the environment before the application works as designed by the developer.
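To make the credential rules above concrete, here is an added example (not code from this post or from Oracle) that models the "Append" and "Ignore" choices over a constructed domain credential store, and reports which packaged credentials are skipped because a credential with the same map and key already exists. The map and key names are made up for illustration.

```python
"""Model of the Append/Ignore credential migration semantics described above.
Constructed example; the map/key names are hypothetical, not real OPSS values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    map_name: str   # credential map, e.g. an application-specific map
    key: str        # key within the map
    user: str
    password: str


def migrate_credentials(domain_store, packaged, mode):
    """Apply the EM radio-button choice to a domain credential store.

    domain_store: dict keyed by (map_name, key) -> Credential already in the domain
    packaged:     list of Credential objects shipped with the application
    mode:         "Append" or "Ignore"
    Returns (new_store, skipped): the resulting store and the packaged
    credentials that were NOT written to it.
    """
    if mode not in ("Append", "Ignore"):
        raise ValueError(f"unknown migration mode: {mode!r}")
    store = dict(domain_store)
    if mode == "Ignore":
        # Nothing packaged is deployed; the admin must create credentials by hand.
        return store, list(packaged)
    skipped = []
    for cred in packaged:
        k = (cred.map_name, cred.key)
        if k in store:
            # Same map and key already present: existing domain credential wins,
            # the packaged (typically dev-time) value is silently left out.
            skipped.append(cred)
            continue
        store[k] = cred
    return store, skipped


def conflicting_credentials(domain_store, packaged):
    """Pre-deployment check: packaged credentials that Append would skip
    and whose packaged value differs from what the domain already holds."""
    return [c for c in packaged
            if (c.map_name, c.key) in domain_store
            and domain_store[(c.map_name, c.key)] != c]
```

Running `conflicting_credentials` before choosing "Append" tells an administrator which development-time credentials will not reach the domain store, so the skipped entries are reviewed rather than discovered when the application fails to connect.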
Shout out to my colleague Sam for reviewing this post.