Friday, January 2, 2015

Credential Store Framework (CSF) API Example

Description: Shows how to use the Credential Store Framework (CSF) API to fetch credentials from the credential store.
References:
http://docs.oracle.com/cd/E40329_01/apirefs.1112/e27155/toc.htm
http://www.redheap.com/2013/06/secure-credentials-in-adf-application.html
https://thecattlecrew.wordpress.com/2013/12/17/using-credentials-store-when-communicating-with-oracle-human-workflow-api/
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/devcsf.htm#JISEC3675

Adding Credentials to Store
1. Log in to Oracle Enterprise Manager Fusion Middleware Control (e.g. localhost:7001/em).


2. Expand WebLogic Domain, right-click the name of your domain, hover over Security, and then click Credentials.


3. Start adding keys to existing maps or create a new map with new keys. Each key can store credentials.




System Policies on Credential Store
You may need to add a system policy to grant specific applications, JAR files, users or roles access to read, write, or update the Credential Store.

1. Expand WebLogic Domain, right-click the name of your domain, hover over Security, and then click System Policies.


2. For this example, oiminternal is granted read access to all keys under a specific map. This is needed for the scheduled task code to work when running the job in OIM.



Permission Class: oracle.security.jps.service.credstore.CredentialAccessPermission
Resource Name: context=SYSTEM,mapName=oimScheduledTask,keyName=*
Permission Actions: read

Source Code
The plugin can be downloaded here.
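
A minimal lookup of the kind this post describes, reading a password credential from the oimScheduledTask map granted above and handling the AccessControlException covered under Troubleshooting. This is an added example, not the downloadable plugin's code; the class name CsfLookup and the key name targetServiceAccount are made up, and it assumes the JVM is already configured for OPSS (for example, code running inside the domain).

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;

import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.credstore.CredentialStore;
import oracle.security.jps.service.credstore.PasswordCredential;

public class CsfLookup {
    // Map name from the system policy above; the key name is a made-up example.
    static final String MAP = "oimScheduledTask";
    static final String KEY = "targetServiceAccount";

    static PasswordCredential read(final String map, final String key) throws JpsException {
        try {
            // doPrivileged: only this code source needs the CredentialAccessPermission
            // grant, not every caller further up the stack.
            return AccessController.doPrivileged(new PrivilegedExceptionAction<PasswordCredential>() {
                public PasswordCredential run() throws JpsException {
                    CredentialStore store = JpsContextFactory.getContextFactory()
                            .getContext().getServiceInstance(CredentialStore.class);
                    return (PasswordCredential) store.getCredential(map, key);
                }
            });
        } catch (PrivilegedActionException e) {
            throw (JpsException) e.getException(); // run() only throws JpsException
        } catch (AccessControlException e) {
            // Same failure as in Troubleshooting: the read grant is missing.
            throw new IllegalStateException("No read grant for context=SYSTEM,mapName="
                    + map + ",keyName=" + key + "; add a system policy for this code source", e);
        }
    }

    public static void main(String[] args) throws JpsException {
        PasswordCredential cred = read(MAP, KEY);
        if (cred == null) { // defensive: treat a null result as a missing key
            throw new IllegalStateException("No credential under " + MAP + "/" + KEY);
        }
        char[] password = cred.getPassword();
        try {
            System.out.println("Fetched credential for user " + cred.getName());
            // ... authenticate to the target system with cred.getName() and password ...
        } finally {
            Arrays.fill(password, '\0'); // clear our copy; never log the password
        }
    }
}
```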


Troubleshooting
Exception: java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=* read)
Reason: Application or user may not have access to credential store.
Fix: You may need to add a system policy via EM console to manage access.

7 comments:

  1. This comment has been removed by the author.

  2. I am getting the below exception:
    java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=oim,keyName=* read)

    so do you know how to resolve this?

    Replies
    1. I am also getting the same error... Let me know if you found a solution for that

  3. I am also getting the same. Please mail me if you have a solution. sri.saileshkamma@gmail.com

  4. Solution 100% works:

    a) Go to the oracle_common wlst command location, keep in mind that other wlst scripts available in other locations might not know about OPSS specific commands.

    cd $MW_HOME/oracle_common/common/bin


    b) Run wlst.sh or wlst.cmd script, depending if it is Windows or Unix
    > wlst.sh

    c) In prompt, connect to your domain:
    wls:/offline> connect()
    Please enter your username :
    Please enter your password :
    Please enter your server URL [t3://localhost:7001] :t3://:
    Connecting to t3://: with userid ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'domain'.

    Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.

    d) Now, grant the credential by running, in a single line, the grantPermission command on the code source we determined in step 2, and specify the map, key and action as permTarget parameter with the following syntax.
    Make sure you run this command in one single line to avoid syntax errors.

    wls://serverConfig> grantPermission(permClass="oracle.security.jps.service.credstore.CredentialAccessPermission",permTarget="context=SYSTEM,mapName=oim,keyName=*",permActions="read")


    e) Stop WebLogic Domain

    f) As a recommendation, Clear or make backup of actual log files, in order to register the latest activities.

    g) Start WebLogic Domain

    h) Test again.
