IT-Security (Part 2): WebLogic Server and Oracle Platform Security Services (OPSS)
As we discussed (http://modj.org/wls-4), OPSS is Oracle proposals regarding enterprise security services. It is as a framework that provides a comprehensive set of security services. These services based on Java technologies and have a consistent approach for design and apply security policies to Java EE and resources. We look at OPSS architecture from two different perspectives, which are connected to each other very closely. I try to review the advantages of OPSS for developers and administrators from Application’s perspective and present the cooperating of technology components such as LDAP, Application Server and Oracle Fusion Middleware from Component’s perspective. Thereby, we can determine the main OPSS’s benefits that Oracle says:
- Allows developers to focus on application and domain problems
- Supports enterprise deployments
- Supports several LDAP servers and SSO systems
- Is certified on the Oracle WebLogic Server
- Pre-integrates with Oracle products and technologies
Application’s point of view
Oracle Platform Security Services (OPSS) is both a security framework exposing security services and APIs, and a platform offering concrete implementation of security services. It includes these elements:
- Common Security Services (CSS), the internal security framework on which Oracle WebLogic Server is based
- Oracle Platform Services
- User and Role APIs
- Oracle Fusion Middleware Audit Framework
Figure 1 Application’s perspective illustrations OPSS‘s architecture from application point of view. Such architecture allows OPSS to support different security and identity systems without changing the APIs. OPSS is integrated with Oracle Fusion Middleware‘s management tools to administrate and monitor the security policies implemented in the underlying identity management infrastructure. Therefore, OFM technologies such as Oracle SOA, Oracle WebCenter Suite, Oracle Application Development Framework (ADF), Oracle Web Services Manager (OWSM) and… could use OPSS capacities.
OPSS offers abstraction layer APIs those isolate developers from security and identity management implementation details. In this way, developer can invoke the services provided by OPSS directly from the development environment (e.g. JDeveloper) using wizards. Admin can configure the services of OPSS into the WLS. As you see in Figure, the uppermost layer consists of Oracle WebLogic Server and the components and Java applications running on the server; below this is the API layer consisting of Authentication, Authorization, CSF (Credential Store Framework), and User and Role APIs, followed by the Service Provider Interface (SPI) layer and the service providers for authentication, authorization, and others. The final and bottom layer consists of repositories including LDAP and database servers.
OFM-Component’s point of view
Figure 2 OFM-Component’s perspective shows the various security components as layers. The top layer includes the OPSS security services; the next layer includes the service providers, and the bottom layer includes the OPSS security store with a repository of one of three kinds. OPSS provides auditing capabilities for components too.
The second layer [Security Services Provider Interface (SSPI)] has the capability that works with Java EE container security – named Java Authorization Contract for Containers (JACC) mode and in resource-based (non-JACC) mode, and resource-based authorization for the environment.
SSPI is a set of APIs for implementing pluggable security providers. A module implementing any of these interfaces can be plugged into SSPI to provide a particular type of security service. Therefore, OPSS has a consistent structure and is able to meet the requirements for integrating JEE Applications generally and specially OFM-Components and Oracle Security technologies, such as OAM, OID and so on.
References
- Oracle Fusion Middleware 11.1.1.5, Security Guides http://docs.oracle.com/cd/E21764_01/security.htm
- Oracle® Fusion Middleware Understanding Security for Oracle WebLogic Server 11g Release 1 (10.3.5) http://docs.oracle.com/cd/E21764_01/web.1111/e13710/toc.htm
- Oracle® Fusion Middleware Securing Oracle WebLogic Server http://docs.oracle.com/cd/E21764_01/web.1111/e13707/toc.htm
- Oracle Platform Security Services 11gR1 (White Paper) http://www.oracle.com/technetwork/middleware/id-mgmt/opss-tech-wp-131775.pdf
- IT Security Guidelines, IT Baseline Protection in brief, Federal Office for Information Security
- http://www.oracle.com/technology/tech/standards/idm/igf/index.html
- Oracle® Fusion Middleware: Understanding Security for Oracle WebLogic Server 12c Release 1, (12.1.1), E24484-02, January 2012: http://docs.oracle.com/cd/E24329_01/web.1211/e24484.pdf
- For details, see OPSS Architecture Overview in the Oracle Fusion Middleware Application Security Guide: http://docs.oracle.com/cd/E23943_01/core.1111/e10043.pdf
- Oracle® Access Manager Integration Guide: http://docs.oracle.com/cd/E12530_01/oam.1014/e10356/weblogic.htm