
OPSS (Oracle Platform Security Services)

OPSS is the security platform that provides security services to Oracle Fusion Middleware products such as WebLogic Server, SOA applications, Oracle WebCenter and ADF applications.
The OPSS policy store is the repository for user roles, groups, Java application-specific policies, credentials and keys, and it protects them.
It allows developers to change security rules without affecting application code.

Policy Store Types:

A policy store can be file-based, LDAP-based or DB-based.
A file-based policy store is an XML file; this store is the default policy store provider.
system-jazn-data.xml is the XML file installed by default in <Domain Home>/config/fmwconfig; it is configured by the user to serve as an ID store and/or policy store.
The supported LDAP-based policy store type is Oracle Internet Directory.
The supported DB-based policy store type is Oracle RDBMS (releases 10.2.0.4 or later, 11.1.0.7 or later, and 11.2.0.1 or later).

Problems with File Based Policy Store

A file-based store is not recommended: when XML policy stores are used, changes made on Managed Servers are not propagated to the Administration Server unless they share the same domain home. The Oracle FMW SOA Suite Enterprise Deployment topology uses different domain homes for the Administration Server and the Managed Servers, so use an LDAP or Oracle DB store for integrity and consistency.
There is a current bug where system-jazn-data.xml is overwritten in some cases. If a customer is using it in production, the customer then has to restore the file from a backed-up original and hand-edit it to reapply policy changes.
When the managed server is restarted, a few roles are sometimes missing from the XML file.

When to move to Database Policy store

In domains where several server instances are distributed across multiple machines, it is highly recommended for production systems that the OPSS security store be LDAP- or DB-based.

It is often better to move to the database as the policy store right after installing a cluster, using the reassociateSecurityStore operation (see the re-association steps below). This way all application-specific policy grants are made afresh and stored in the database.

Understanding concepts

jps-config.xml
This is the OPSS file that describes all of its services. It is located through the oracle.security.jps.config system property (passed as -Doracle.security.jps.config), which is set in the setDomainEnv.sh script in a standard JRF (Java Required Files) domain. By default the property points to ${DOMAIN_HOME}/config/fmwconfig/jps-config.xml and is defined in the EXTRA_JAVA_PROPERTIES variable. It is NOT a good idea to change it, since jps-config.xml holds several relative references to other files.
When a re-association operation is performed, configuration changes are made to jps-config.xml. In many cases a corrupted jps-config.xml leaves the domain unable to start, so be very diligent and careful when making changes to it. Do NOT edit it manually; use Enterprise Manager or WLST instead.

system-jazn-data.xml
This holds the application users, groups and roles of the applications deployed in a domain, for providing their security.

The Policy Store
The policy store holds all security policies used by applications deployed on a Fusion Middleware instance. These include grants given to principals (users, groups, application roles) as well as to code.

The Credential Store
The credential store securely holds the credentials used by Fusion Middleware applications when connecting to other systems. OWSM agents, for instance, use the credential store service when a WSS username token needs to be attached to an outgoing SOAP message. Another heavy user is ADF (Application Development Framework), which uses it to store the credentials required to connect to external systems.

cwallet.sso
This file keeps the credentials used by the application; credentials and identities are not the same thing. cwallet.sso is encrypted, and you cannot browse it or edit it explicitly via JDeveloper. At design time, different components make use of cwallet.sso and are responsible for creating the credentials they need in it.

Steps to enable the Oracle Database as a policy store

Here is the list of steps to enable the Oracle Database as a policy store:
1. Back up the domain
2. Create the OPSS schema using RCU
3. Create a data source for the OPSS schema
(This data source must be created with a NON-XA driver and without global transaction support)
4. Re-associate the security store
Backup Domain
It is recommended that the whole domain be backed up before any policy store changes are made, particularly the following files in <Domain Home>/config/fmwconfig/:

jps-config.xml
system-jazn-data.xml
bootstrap/cwallet.sso

As a precaution, you should also back up the boot.properties file of the domain's Administration Server.
Create OPSS schema using RCU:
Create the OPSS schema using RCU, or ensure that it already exists. In this process you create an OPSS user that owns the OPSS schema in the database; supply these OPSS user details when creating the OPSS data source in the next step.

[RCU wizard screenshots for steps 1 to 12 are not reproduced here.]
At step 3, give the host name, port, service name, user name and password (the original screenshots show values for a local system); check them against your environment.
Hint: collect the URL details from an already created data source's Connection Pool tab.
Create a datasource for the OPSS schema

1) Log in to the WebLogic Server console, select Data Sources in the Domain Structure tree, then click New and select Generic Data Source.

2) Give the Name, JNDI Name and Database Type for the new JDBC Data Source as shown in the picture below.

3) Select the Non-XA driver (Thin).

4) In the Transaction Options screen, for a Non-XA data source, unselect Supports Global Transactions.

5) In the Connection Properties screen, give the Database Name (SID of the database server), Host Name (the real host name, not a virtual server IP address), Port (the installed database port), and the Database User Name and Password.

6) Now test the database connection details with the Test Configuration button: if all details are correct, the message "Connection test succeeded" is displayed; otherwise an error is thrown.

7) In the Select Targets screen, ensure the data source is targeted to the Admin Server and all Managed Servers that have the wsm-pm application deployed to them.

8) Click Activate Changes to save the configuration.

Re-associate security store

After creating the data source, log in to the SOA EM console, select the domain in which you want to configure OPSS, then right-click and select Security > Security Provider Configuration as shown below.

Now click the Change Store Type button to change from file-based to DB-based.

Select Oracle Database as the store type, pick the DataSource JNDI Name of the OPSS data source created previously, and click OK.

After the security store has been created successfully, the message below appears.
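As an added example (not code from the original document or from Oracle), a small Python check that reads jps-config.xml after re-association and reports which policy store the default context actually uses; it also illustrates the jps-config.xml service-instance layout described under Understanding concepts. The sample file is constructed; its provider names and the policystore.type / datasource.jndi.name properties are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed jps-config.xml excerpt (not from the page or an Oracle install). Element
# names follow the real layout; provider and property names are assumptions.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="POLICY_STORE" name="policystore.xml.provider"/>
    <serviceProvider type="POLICY_STORE" name="policystore.provider"/>
    <serviceProvider type="CREDENTIAL_STORE" name="credstoressp"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="policystore.xml" provider="policystore.xml.provider"
                     location="./system-jazn-data.xml"/>
    <serviceInstance name="policystore.db" provider="policystore.provider">
      <property name="policystore.type" value="DB_ORACLE"/>
      <property name="datasource.jndi.name" value="jdbc/OpssDS"/>
    </serviceInstance>
    <serviceInstance name="credstore" provider="credstoressp" location="./"/>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="policystore.xml"/>
      <serviceInstanceRef ref="credstore"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""

NS = {"j": "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"}

def active_policy_store(xml_text):
    """Resolve the POLICY_STORE instance referenced by the default jpsContext.
    Returns (instance name, store kind, backing file or data source JNDI name)."""
    root = ET.fromstring(xml_text)
    provider_type = {p.get("name"): p.get("type")
                     for p in root.findall("j:serviceProviders/j:serviceProvider", NS)}
    instances = {i.get("name"): i
                 for i in root.findall("j:serviceInstances/j:serviceInstance", NS)}
    contexts = root.find("j:jpsContexts", NS)
    default_ctx = contexts.find("j:jpsContext[@name='%s']" % contexts.get("default"), NS)
    for ref in default_ctx.findall("j:serviceInstanceRef", NS):
        inst = instances[ref.get("ref")]
        if provider_type.get(inst.get("provider")) != "POLICY_STORE":
            continue  # credential store, keystore, audit, ... are not what we check
        props = {p.get("name"): p.get("value") for p in inst.findall("j:property", NS)}
        # A file-based instance carries a location attribute instead of a type property.
        kind = props.get("policystore.type", "XML" if inst.get("location") else "UNKNOWN")
        return inst.get("name"), kind, props.get("datasource.jndi.name") or inst.get("location")
    return None
```

A result whose kind is "XML" means the default context still points at system-jazn-data.xml, the file-based store the text advises against for multi-machine domains.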

Steps to enable Oracle Internet Directory as a policy store

To configure LDAP as the policy store, choose Oracle Internet Directory as the store type in Change Store Type. For reference, see the image below.

Debugging OPSS
If you encounter any issues doing the above, OPSS debugging can be enabled by adding the following to the SOA Managed Server and Admin Server startup scripts:
-Djps.auth.debug.enable=true
-Djps.auth.debug.enable.verbose=true
The debug information is printed in the Admin and Managed Server diagnostic logs as usual.

ERROR after creating OPSS

The error below is typically seen only once, on the first startup after configuring OPSS:
java.security.AccessControlException: access denied
(oracle.security.jps.service.credstore.CredentialAccessPermission
context=SYSTEM,mapName=BPM-CRYPTO,keyName=BPM-CRYPTO read) at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:323) at
java.security.AccessController.checkPermission(AccessController.java:546
...Error occurs while creating BPM-CRYPTO key in Credential Store
Be aware that this is benign; it can be suppressed by setting the oracle.jps.common logger to WARNING or ERROR. These lines are printed only if that logger is set to FINE.
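An added example, not from the original document: a Python triage script that scans diagnostic log lines for the CredentialAccessPermission denial above and applies the "benign once on first startup" rule, so that a repeated denial, or one on a different credential map, is not waved through as the benign case. The log layout, server names and the example-map entry are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed diagnostic-log excerpt, not a real server log: a simplified
# "[timestamp] [server] [level] message" layout assumed only for this example.
DENIAL_LINE = ("java.security.AccessControlException: access denied "
               "(oracle.security.jps.service.credstore.CredentialAccessPermission "
               "context=SYSTEM,mapName=%s,keyName=%s read)")
SAMPLE_LOG = "\n".join([
    "[2024-01-01T08:00:01] [soa_server1] [NOTIFICATION] Server state changed to RUNNING",
    "[2024-01-01T08:00:02] [soa_server1] [ERROR] " + DENIAL_LINE % ("BPM-CRYPTO", "BPM-CRYPTO"),
    "[2024-01-01T08:00:03] [soa_server1] [NOTIFICATION] BPM-CRYPTO key created",
    "[2024-01-01T09:00:01] [soa_server2] [ERROR] " + DENIAL_LINE % ("BPM-CRYPTO", "BPM-CRYPTO"),
    "[2024-01-01T10:00:01] [soa_server2] [NOTIFICATION] Server state changed to RUNNING",
    "[2024-01-01T10:00:02] [soa_server2] [ERROR] " + DENIAL_LINE % ("BPM-CRYPTO", "BPM-CRYPTO"),
    "[2024-01-01T10:00:05] [AdminServer] [ERROR] " + DENIAL_LINE % ("example-map", "example-key"),
])

DENIAL = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<server>[^\]]+)\] .*CredentialAccessPermission "
    r"context=(?P<ctx>\w+),mapName=(?P<map>[^,]+),keyName=(?P<key>[^ )]+) (?P<action>\w+)\)")

def count_denials(log_text):
    """Count CredentialAccessPermission denials per server and per credential map."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DENIAL.match(line)
        if m:
            counts[m["server"]][m["map"]] += 1
    return counts

def classify(counts):
    """Apply the rule from the text: one BPM-CRYPTO denial per server is the benign
    first-startup key creation; a repeat, or a denial on another map, needs a look."""
    verdicts = {}
    for server, maps in counts.items():
        for map_name, n in maps.items():
            if map_name != "BPM-CRYPTO":
                verdicts[(server, map_name)] = "investigate: not the documented benign case"
            elif n == 1:
                verdicts[(server, map_name)] = "benign: first-startup BPM-CRYPTO key creation"
            else:
                verdicts[(server, map_name)] = "investigate: BPM-CRYPTO denial repeated %d times" % n
    return verdicts
```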
