Common Criteria - Oracle...2016/07/20  · 3 Keystore – A Java-based repository that is used to...

Oracle Access Manager Suite 11g Release 2

Supplemental Administrative Guidance for Common Criteria

Version 1.0

March 2017

Security Evaluations

Oracle Corporation

500 Oracle Parkway

Redwood City, CA 94065


Oracle Access Manager Suite 11g Release 2 (11.1.2.3.0)

Supplemental Administrative Guidance for Common Criteria

March 2017

Authors on behalf of Oracle Corporation: Booz Allen Hamilton, Common Criteria Testing Laboratory, 900 Elkridge Landing Road, Suite 100 Linthicum, MD 21090-2950

Contributors: Oracle Corporation

Copyright © 2015, Oracle Corporation. All rights reserved. This documentation contains proprietary information of Oracle Corporation; it is protected by copyright law. Reverse engineering of the software is prohibited. If this documentation is delivered to a U.S. Government Agency of the Department of Defense, then it is delivered with Restricted Rights and the following legend is applicable:

RESTRICTED RIGHTS LEGEND

Use, duplication or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of DFARS 252.227 - 7013, Rights in Technical Data and Computer Software (October 1988).

Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065.

The information in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error free.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. All rights reserved.


1. Table of Contents

Oracle Access Manager Suite 11g Release 2
Supplemental Administrative Guidance for Common Criteria
1. Table of Contents
2. Introduction
   Purpose
   Intended Audience
3. Evaluated Configuration of the TOE
   TOE Components
   Supporting Environmental Components
   Cryptographic Engine
   Secure Acceptance of the TOE
4. Secure Installation and Configuration
   Configuring TLS for OAM/OES Server
   Configuring TLS for HTTP Server
   Configuring TLS for Remote Audit Database Connectivity (OAM and OES)
   Configuring TLS for Identity Store (OID)
   Configuring TLS for OES Server Connection to the Security Module
   Limiting TLS Cipher Suites
   Assuring Sufficient Entropy for Cryptographic Functions
5. Administration by Security Function
   5.1 Administrator Identification and Authentication
   5.2 Administrative Roles and Privileges
   5.3 Policy Management
   5.4 Auditing
   5.5 Self-Protection
   5.6 TOE Access
6. Terminology
7. References


2. Introduction

Purpose

This Oracle Access Manager Suite 11g Release 2 Supplemental Administrative Guidance for Common Criteria document explains the manner in which the Target of Evaluation (TOE) must be configured along with the host operating system and network services so as to provide the security functionality and assurance as required under the Common Criteria for Information Technology Security Evaluation [CC].

The Oracle Access Manager Suite Version 11g Release 2 (the TOE) contains the following components:

Oracle Access Manager (OAM) 11g Release 2

Oracle Entitlements Server (OES) 11g Release 2

The Supplemental Administrative Guidance describes the functionality that OAM Suite provides which satisfies the TOE claims made within the Common Criteria evaluation. Any other functionality provided by Oracle Access Manager Suite 11g Release 2 is considered out of scope of the evaluated configuration. Thus, no security claims are made for any functionality that is not described in or referenced by this document.

Intended Audience

This document is intended for administrators responsible for installing, configuring, and/or operating Oracle Access Manager Suite 11g Release 2 in a Common Criteria (CC) compliant mode of operation. Guidance provided in this document allows the reader to deploy the product in an environment that is consistent with the configuration that was evaluated as part of the product’s CC evaluation process. It also provides the reader with instructions on how to exercise the security functions that were claimed as part of the CC evaluation.

The reader is expected to be familiar with the Security Target for OAM Suite and the general CC terminology that is referenced in it. This document references the Security Functional Requirements (SFRs) that are defined in the Security Target document and provides instructions for how to perform the security functions that are defined by these SFRs.


3. Evaluated Configuration of the TOE

This section lists the components that have been included in the TOE’s evaluated configuration, whether they are part of the TOE itself, environmental components that support the security behavior of the TOE, or non-interfering environmental components that were present during testing but are not associated with any security claims.

TOE Components

The TOE is the Oracle Access Manager Suite Version 11g Release 2 software consisting of Oracle Access Manager 11g Release 2 and Oracle Entitlements Server 11g Release 2. The following table describes the TOE components in the evaluated configuration:

Component – Definition

Access Clients – See Webgates.

OAM Console – A web-based administrative GUI used to configure the behavior of Webgates.

OAM Server – A server-side application, installed on an environmental WebLogic Managed Server, which is responsible for handling the back-end of the OAM Console. Note that the OAM Server and OES Server may reside on the same underlying application server.

OES Administration Console – The web-based administrative GUI used to configure the behavior of Security Modules. Also referred to as OES Console in this ST.

OES Server – A server-side application, installed on an environmental WebLogic Managed Server, which is responsible for handling the back-end of the OES Console. Note that the OAM Server and OES Server may reside on the same underlying application server.

Security Modules – Agents provided as part of OES that are installed onto web servers (WebLogic) and can enforce access control on specific actions or functions provided by the web server.

Webgates – Agents provided as part of OAM that are used to control access to web servers by acting as filters for HTTP requests.

WLS IAP – An agent deployed on a J2EE WebLogic server as a mechanism that allows the server to communicate with a Webgate.

Supporting Environmental Components

The following are standalone third-party components that must be installed and configured prior to installing OAM Suite:

Operating System – the underlying platform on which all OAM Suite components are to be installed. Oracle Linux 6 UL1 was used in the evaluated configuration. Note: The TOE will receive the date/time from the server that the Operating System is installed on.

Application Server – used as the underlying platform for the OAM Suite Server Application. Oracle 11g or higher is supported.


Keystore – A Java-based repository that is used to store certificate data for use with public-key cryptography. In the evaluated configuration, this is the default JDK keystore that is provided with Oracle Linux 6 UL1.

Identity Store – used as a centralized repository for organizational user data that is used by OAM Suite. Oracle Internet Directory (OID) 11g Release 2 and Oracle Unified Directory (OUD) 11g Release 2 have been tested.

Database (RDBMS) – used as a storage location for configuration information related to the operation of OAM Suite. Oracle 11g is used in the evaluated configuration.

User Application(s) – Web applications that are deployed internally to an organization and used to perform various internal functions. Examples include applications related to finances, personnel management, and help desk.

Refer to the OAM Suite Security Target for the specific environmental component versions that are supported as part of the evaluated configuration.

Cryptographic Engine

The OAM Suite products include the RSA BSAFE Crypto-C Micro Edition version 4.1.2 cryptographic module (FIPS 140-2 validated CMVP certificate #2300) in order to provide cryptographic functionality. This cryptographic engine is used by default and cannot be substituted or disabled, so no other cryptographic engine was evaluated or tested during the CC evaluation of the TOE. Note however that during the initial setup of OAM Suite, it is necessary to ensure that TLS communications are appropriately enabled and configured such that all remote trusted channels and paths use TLS and so TLS communications are established in a manner consistent with the claims made by the CC evaluation. Information about configuring TLS can be found throughout section 4.

The following table includes the relevant CAVP certificates for CMVP certificate #2300.

Algorithm – CAVP Cert. #

AES-CBC-128, AES-CBC-256 – 3596

RSA – 1850

HMAC_DRBG (any) – 931

SHA-1 – 2958

HMAC-SHA-1 – 2293

Secure Acceptance of the TOE

The Oracle Fusion Middleware suite of products, which includes OAM and OES, is available to customers at Oracle’s website at edelivery.oracle.com. Authorized customers can register accounts for this site. As stated in the introductory materials of [4], the 11g Release 2 (R2) version of OAM Suite is also identified as version 11.1.2.3.0, so these identifications of the product versioning are synonymous. Once on the edelivery site, select the desired platform on which OAM Suite will be installed and select “Oracle Fusion Middleware Identity Management 11g R2 Media Pack”. Under this link will be several files identified as “Oracle Identity and Access Management Deployment Repository 11.1.2.3.0.” This process ensures that the correct version of the correct product is only acquired from the trusted repository owned and maintained by Oracle.


4. Secure Installation and Configuration

Follow the installation procedures for Oracle Access Manager Suite as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management 11g Release 2 [4]. Section 3 of that document describes the steps to install the Oracle Identity and Access Management software, of which Oracle Access Manager (OAM) and Oracle Entitlements Server (OES) are a part. Sections 5 and 7 of the same document specifically discuss the configuration of OAM and OES. Additional visual guidance is provided in Appendix A of that guide. As part of configuring OAM, it is necessary to install and register Webgates, which may reside on remote web servers and communicate back to the OAM Server. The process for doing this is described in Oracle Fusion Middleware Installing WebGates for Oracle Access Manager [9].

In order to ensure that all security-relevant events for enterprise behaviour are audited, including administrative authentication attempts mediated by OAM, ensure that section 8 of the Oracle Fusion Middleware Administrator’s Guide for Oracle Access Management [2] is followed to enable auditing. For the OES Server and Security Module, follow section 13.4 of Fusion Middleware Administering Oracle Entitlements Server [1] to enable auditing and configure the OES Server to send the audit records to an external database.

Note: By default, auditing is enabled out-of-the-box, but the administrator may need to perform the other steps to ensure the TSF is in the evaluated configuration.

The following sections refer to post-install configuration steps needed to enable secure communications for OAM Suite.

Configuring TLS for OAM/OES Server

If you have not done so during the initial configuration of the OAM suite, follow the steps below to enable the environment to use TLS for its communications.

1. Enable the SSL Listen port for OAM/OES server through WebLogic console by following the steps below.

Log in to the WebLogic console of OAM domain (http://<<oam host>>:<<wls port>>/console) with valid credentials.

Under the “Domain Structure” section expand “Environment”. Click “Servers”.

Click OAM server to configure.

Make sure you can modify the settings. If you are not able to modify the settings, click the button “Lock & Edit” in the “Change Center” section to modify the settings.

Check the check box “SSL Listen Port Enabled” for the OAM server and provide the SSL port as shown below:

Note: Make sure the SSL port which you are specifying is free.


Click Save

Click the button “Activate Changes”

NOTE: The URL and port #s will be different when configuring the OAM and OES. For example, the OAM default port # is 7001 and the OES default port # is 7003. During this configuration step, the administrator is able to use any port number that is available.

2. Enable the SSL port and SSL Protocol for Access Manager through OAM Console.

Follow the steps below:

Login to OAM Console (http://<<oam host>>:<<wls port>>/oamconsole) with valid credentials.

Click “Configuration” tab

Click the drop-down box called “View” associated with the “Settings” tab

Click the option “Access Manager”

Under the section “Load Balancing”, update the text box “OAM Server Port” to contain the SSL port for the OAM server. This should be the same SSL port that was specified in step #1.

Select “https” option for the drop down box “OAM Server Protocol”

Click Apply


3. Enable the TLSv1 protocol in the OAM and OES domains by editing DOMAIN_HOME/bin/setDomainEnv.sh.

Example: /oracle/OracleIDM/config/domains/IAMAccessDomain/bin/setDomainEnv.sh

Add the following JAVA_OPTIONS:

JAVA_OPTIONS="${JAVA_OPTIONS} ${JAVA_PROPERTIES} -Dwlw.iterativeDev=${iterativeDevFlag} -Dwlw.testConsole=${testConsoleFlag} -Dwlw.logErrorsToConsole=${logErrorsToConsoleFlag} -Dweblogic.security.SSL.protocolVersion=TLS1 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.0 "

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.ssl.JSSEEnabled=true "

export JAVA_OPTIONS


Refer to the screenshot below.

4. Update oam-config.xml to specify the OHS SSL port.

Navigate to the "../idmtop/products/access/iam/common/bin" folder and launch the WLST script.

Connect as the administrator – weblogic_idm.

Execute the following command:

updateOAMHostPort(hostName = "oamhost.us.oracle.com" , port = "4443", secureProtocol = "true")

hostName – your hostname

port – OHS SSL Port

5. Restart OAM and OES Domain servers.


Configuring TLS for HTTP Server

By default, SSL is enabled on Oracle HTTP Server. You can find the SSL port in the Oracle HTTP Server mod_ossl configuration file ssl.conf, which is located at /scratch/idmqa/oam_work/idmtop/config/instances/ohs1/config/OHS/ohs1/ssl.conf

Configuring OHS with the TLSv1 Protocol

1. Follow the My Oracle Support document below to enable the TLSv1 protocol.

https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=331773101405719&id=1936300.1&_afrWindowMode=0&_adf.ctrl-state=1a59ny0lod_53

Refer to the section “Oracle HTTP Server (OHS) 11g”. As described in that section, the files ORACLE_INSTANCE/config/OHS/<OHS name>/ssl.conf and ORACLE_INSTANCE/config/OHS/<OHS name>/admin.conf must be updated.

Example: /scratch/idmqa/oam_work/idmtop/config/instances/ohs1/config/OHS/ohs1/admin.conf

TLSv1 is enabled by adding one of the following settings to the files mentioned above:

SSLProtocol -All +TLSv1 (allows the one TLS protocol currently supported in this version)

or

SSLProtocol All -SSLv2 -SSLv3 (allows for future scaling to newer TLS versions if later upgraded)

or

SSLProtocol nzos_Version_1_0

Screenshot: enabling the TLSv1 protocol in the admin.conf file.

Screenshot: enabling the TLSv1 protocol in the ssl.conf file.

Configuring TLS for Remote Audit Database Connectivity (OAM and OES)

This section is an overview of the steps taken to configure the OES and OAM servers to communicate with the remote audit database using TLS. For more detailed instructions please use documents [3], [6], [7], and [8] referenced in Section 7.

1. Configure TLS on Oracle DB Server


Refer to chapter 8 (Configuring Secure Sockets Layer Authentication) and chapter 9 (Using Oracle Wallet Manager) of "Oracle Database Advanced Security Administrator's Guide". The main server-side steps are:

1) Start Oracle Wallet Manager (with the owm command on Unix) and create a new wallet on the same host as the DB server.

2) Create a CA certificate and import it into the wallet with Oracle Wallet Manager. You may use orapki (see "APPENDIX B CREATING TRUSTSTORES AND KEYSTORES" of "SSL With Oracle JDBC Thin Driver") or other utilities to create the CA certificate.

3) Create a certificate request for the DB server in Oracle Wallet Manager.

4) Sign the certificate request with the CA certificate created above.

5) Import the signed certificate into the wallet with Oracle Wallet Manager. This is the DB server's certificate. (Note: SSL_SERVER_CERT_DN used below is the "Subject Name" of this certificate.)

6) Check the "Auto Login" checkbox under the "Wallet" menu of Oracle Wallet Manager so that the wallet is picked up by the DB server.

7) Save the wallet.

8) Start Oracle Net Manager (with the netmgr command on Unix) on the same host as the DB server.

9) Select "Oracle Advanced Security" under "Oracle Net Configuration" > "Local" > "Profile", and click the "SSL" tab.

10) Under the "SSL" tab, set "Wallet Directory" to the wallet created in Oracle Wallet Manager and check "Configure SSL for Server". If you want to test 2-way SSL, check the "Require Client Authentication" checkbox.

11) Change to "Oracle Net Configuration" > "Local" > "Listeners" > "LISTENER". Add an address and set its protocol to "TCP/IP with SSL"; the recommended port is 2484.

12) (Optional) If you want to create a TNS service to connect to the DB with SSL on the host: change to "Oracle Net Configuration" > "Local" > "Service Naming", create a new service, set its protocol to "TCP/IP with SSL", and set its port to the same number as the listener.

13) Save the network configuration in Oracle Net Manager.

14) Follow the steps in section “Enabling Oracle’s PKI provider statically” of

15) Restart the listener (run lsnrctl stop and lsnrctl start). Now the DB server should support SSL on port 2484.

NOTE: The administrator can also use “orapki” commands to create the wallet and certificates.

NOTE: The OAM and OES consoles reside in separate domains and will require these steps to be done for each domain. The wallets and certificates need to be unique to each domain.

After step 13, the configuration files sqlnet.ora, listener.ora and tnsnames.ora under $ORACLE_HOME/network/admin should contain lines similar to the following:

sqlnet.ora:

SQLNET.AUTHENTICATION_SERVICES= (BEQ, TCPS)
SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/weiniu/app/weiniu/product/11.2.0/dbhome_1/owm/wallets/weiniu)
    )
  )

listener.ora:

SSL_CLIENT_AUTHENTICATION = FALSE
WALLET_LOCATION =
  (SOURCE =
    (METHOD = FILE)
    (METHOD_DATA =
      (DIRECTORY = /home/weiniu/app/weiniu/product/11.2.0/dbhome_1/owm/wallets/weiniu)
    )
  )
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = scl58123.us.oracle.com)(PORT = 1521))
    )
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = scl58123.us.oracle.com)(PORT = 2484))
    )
  )

tnsnames.ora:

ORCLSSL =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = scl58123.us.oracle.com)(PORT = 2484))
    )
    (CONNECT_DATA =
      (SERVICE_NAME = orcl.us.oracle.com)
    )
  )


2. Configure TLS on the Client Side

1. With the JDBC Thin driver, you need not configure anything in Oracle Wallet Manager or Oracle Net Manager. Instead, pass the following system properties, with corresponding values, to your application: oracle.net.ssl_server_dn_match, javax.net.ssl.trustStore, javax.net.ssl.trustStoreType, javax.net.ssl.trustStorePassword, javax.net.ssl.keyStore, javax.net.ssl.keyStoreType, javax.net.ssl.keyStorePassword

2. Set your JDBC URL as follows. Example:

jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS_LIST=(ADDRESS=(PROTOCOL=TCPS)(HOST=scl58123.us.oracle.com)(PORT=2484)))(CONNECT_DATA=(SERVICE_NAME=orcl.us.oracle.com))(SECURITY=(SSL_SERVER_CERT_DN="CN=dbserver,OU=OPSS,O=Oracle,ST=Beijing,C=CN")))

Here are examples for the properties:

javax.net.ssl.trustStore=/scratch/weiniu/work/certs/qatestca.jks
javax.net.ssl.trustStoreType=JKS
javax.net.ssl.trustStorePassword=welcome1
javax.net.ssl.keyStore=/scratch/weiniu/work/certs/jksuser1.jks
javax.net.ssl.keyStoreType=JKS
javax.net.ssl.keyStorePassword=welcome1

For a JSE application: add them to the JVM system properties with the "-D" parameter. For a DataSource on WebLogic Server: specify the properties in the "Properties" box under the "Configuration" > "Connection Pool" tab of the DataSource.

Configuring TLS for Identity Store (OID)

The following steps are to be performed to configure TLS for OAM using the OID as the Identity Store.

Chapter 5 of Oracle Fusion Middleware Integration Guide for Oracle Access Management Suite discusses the configuration of integrating OID as the identity store on the WebLogic Server that OAM and OES are installed on. This chapter outlines step-by-step procedures in the following subsections:

Prerequisites

Registering Oracle Internet Directory With Access Manager

Setting Up Authentication Providers with WebLogic Server

Configuring Authentication Between Access Manager and Your User Identity Store

Validating Authentication and Access

In order to configure the channel to use TLS communication, the administrator will need to follow the steps below.

1. Create wallets and certificates for the OID (server) and OAM/OES (client).

2. Exchange the certificates that were created.

NOTE: Instructions for using Oracle Wallet Manager to create and export SSL certificates are provided in the Configure Oracle Internet Directory for SSL section of the SSL chapter in the Oracle Internet Directory Administrator's Guide. This can be done through the Oracle Wallet Manager (GUI) or via the command line using “orapki” commands.

OAM Console

3. Perform the steps in Chapter 5 as stated above. NOTE: Ensure the “Enable SSL” box is checked and the correct port is used (e.g. port 3131 is the default SSL port for OID).

OES Console

4. Perform the steps in Chapter 10.3 as stated above. NOTE: Ensure the “SSL” box is checked and the correct port is used (e.g. port 3131 is the default SSL port for OID).

Configuring TLS for OES Server connection to the Security Module

This TLS configuration is clearly described in section 7.4 of Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) [4]. In order for this configuration to be completed, the administrator must first create and exchange certificates with the OES Server and the server that the Security Module resides on.

Limiting TLS Cipher Suites

The evaluated configuration defines TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA as the supported TLS cipher suites.

1. In order to ensure that OAM/OES only support the evaluated cipher suites, modify the SSLCipherSuite parameter in the admin.conf and ssl.conf files referenced in the above sections.

2. Modify the “jdk.tls.disabledAlgorithms” line within the java.security file. This line should include all of the algorithms and cipher suites that are not allowed according to the Security Target. See the example below as a reference.

jdk.tls.disabledAlgorithms=SSLv3, SHA256, DHE, DSS, DESede, KRB5, RC4, DES, K_NULL, M_NULL, C_NULL, DH_anon, ECDHE_anon, DH keySize < 1024, RSA keySize < 1024, EC keySize < 224

NOTE: The java.security file is located in the JAVA_HOME directory. If OES and OAM use different versions of Java, this configuration will need to be completed in each JAVA_HOME directory.
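The three passages that edit TLS settings (the JAVA_OPTIONS in step 3 of Configuring TLS for OAM/OES Server, the SSLProtocol forms under Configuring OHS with the TLSv1 Protocol, and the SSLCipherSuite and jdk.tls.disabledAlgorithms values in this section) are each a one-line change that is easy to leave incomplete, so the POSIX shell script below, an added example and not part of this guidance or of the Oracle product, checks edited copies of those files for the required values and reports each deviation. The files it writes are constructed samples; the java.security location under JAVA_HOME and the exact cipher-suite spelling accepted by your mod_ossl version are assumptions to confirm against the OHS documentation.

```shell
#!/bin/sh
# Added example (not Oracle's code): checks that the TLS settings required in
# section 4 are present in the edited files. Sample contents are CONSTRUCTED;
# real paths are DOMAIN_HOME/bin/setDomainEnv.sh, the OHS ssl.conf/admin.conf,
# and java.security under JAVA_HOME (exact sub-path assumed, see the NOTE above).

# Step 3 of "Configuring TLS for OAM/OES Server": setDomainEnv.sh must enable
# JSSE and pin the WebLogic SSL protocol to TLS1 with a TLSv1.0 minimum.
check_domain_env() {
    grep -q -- '-Dweblogic.ssl.JSSEEnabled=true' "$1" &&
    grep -q -- '-Dweblogic.security.SSL.protocolVersion=TLS1' "$1" &&
    grep -q -- '-Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.0' "$1"
}

# Value of the last active (uncommented) occurrence of Apache-style directive
# $2 in file $1, whitespace collapsed; empty when the directive is absent.
last_directive() {
    grep -E "^[[:space:]]*$2"'([[:space:]]|$)' "$1" | tail -n 1 |
        sed "s/^[[:space:]]*$2[[:space:]]*//; s/[[:space:]]\{1,\}/ /g; s/ $//"
}

# OHS ssl.conf / admin.conf: SSLProtocol must take one of the three forms the
# guidance allows, so that SSLv2 and SSLv3 are never offered.
check_ohs_protocol() {
    case "$(last_directive "$1" SSLProtocol)" in
        '-All +TLSv1'|'All -SSLv2 -SSLv3'|'nzos_Version_1_0') return 0 ;;
        *) return 1 ;;
    esac
}

# OHS: SSLCipherSuite may list only the two evaluated suites (names spelled as
# in this guidance; confirm the form your mod_ossl accepts, an assumption here).
check_ohs_ciphers() {
    val=$(last_directive "$1" SSLCipherSuite)
    [ -n "$val" ] || return 1
    for suite in $(printf '%s' "$val" | tr ',:' '  '); do
        case "$suite" in
            TLS_RSA_WITH_AES_128_CBC_SHA|TLS_RSA_WITH_AES_256_CBC_SHA) ;;
            *) return 1 ;;
        esac
    done
}

# java.security: the single-line jdk.tls.disabledAlgorithms entry (as in the
# reference line above) must contain every item of that reference line.
check_java_security() {
    line=$(grep -E '^[[:space:]]*jdk\.tls\.disabledAlgorithms=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    entries=$(printf '%s\n' "${line#*=}" | tr ',' '\n' |
              sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    for alg in SSLv3 SHA256 DHE DSS DESede KRB5 RC4 DES K_NULL M_NULL C_NULL \
               DH_anon ECDHE_anon 'DH keySize < 1024' 'RSA keySize < 1024' \
               'EC keySize < 224'; do
        printf '%s\n' "$entries" | grep -q -x -F -- "$alg" || return 1
    done
}

# Runs every check on one directory of files, prints PASS/FAIL per check and
# returns the number of failed checks (0 means the set is compliant).
audit_tls_config() {
    fails=0
    run() { if "$1" "$2"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; fails=$((fails + 1)); fi; }
    run check_domain_env    "$1/setDomainEnv.sh"
    run check_ohs_protocol  "$1/ssl.conf"
    run check_ohs_protocol  "$1/admin.conf"
    run check_ohs_ciphers   "$1/ssl.conf"
    run check_ohs_ciphers   "$1/admin.conf"
    run check_java_security "$1/java.security"
    return $fails
}

# CONSTRUCTED samples: good/ is compliant; weak/ keeps a permissive admin.conf
# (SSLv3 still allowed, an RC4 suite) and has no jdk.tls.disabledAlgorithms line.
write_sample_files() {
    mkdir -p "$1/good" "$1/weak"
    for d in good weak; do
        cat > "$1/$d/setDomainEnv.sh" <<'EOF'
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.security.SSL.protocolVersion=TLS1 -Dweblogic.security.SSL.minimumProtocolVersion=TLSv1.0 "
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.ssl.JSSEEnabled=true "
export JAVA_OPTIONS
EOF
        cat > "$1/$d/ssl.conf" <<'EOF'
   #SSLProtocol All
   SSLProtocol   All  -SSLv2 -SSLv3
   SSLCipherSuite TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
EOF
    done
    printf '%s\n' 'SSLProtocol -All +TLSv1' \
        'SSLCipherSuite TLS_RSA_WITH_AES_256_CBC_SHA' > "$1/good/admin.conf"
    printf '%s\n' 'jdk.tls.disabledAlgorithms=SSLv3, SHA256, DHE, DSS, DESede, KRB5, RC4, DES, K_NULL, M_NULL, C_NULL, DH_anon, ECDHE_anon, DH keySize < 1024, RSA keySize < 1024, EC keySize < 224' > "$1/good/java.security"
    printf '%s\n' 'SSLProtocol All' \
        'SSLCipherSuite TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA' > "$1/weak/admin.conf"
    : > "$1/weak/java.security"
}

# Stand-alone demonstration on the constructed samples.
demo_dir=$(mktemp -d) && write_sample_files "$demo_dir"
audit_tls_config "$demo_dir/good"; echo "good set: $? failing check(s)"
audit_tls_config "$demo_dir/weak"; echo "weak set: $? failing check(s)"
rm -rf "$demo_dir"
```

On a real host, run audit_tls_config against a directory holding copies of the four edited files; a non-zero return count means the evaluated TLS configuration has not yet been reached.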

Assuring Sufficient Entropy for Cryptographic Functions

In order to ensure sufficient entropy to generate appropriately strong cryptographic keys, the administrator should download and install the twuewand software entropy generator, which is available at http://www.finnie.org/software/twuewand/ and available under the GNU General Public License (GPL). In order to ensure sufficient entropy strength for 256-bit key generation, twuewand must be configured to collect at least 512 bits of data.


5. Administration by Security Function

This section lists all of the Security Functional Requirements that are performed by OAM and OES as defined by its CC evaluation. For more information about each requirement refer to the OAM Suite Security Target [5].

OAM Suite claims conformance to the Enterprise Security Management Protection Profiles for Access Control and Policy Management. The evaluated configuration includes all mandatory requirements defined by this Protection Profile as well as applicable optional requirements. The following sections provide guidance for how to operate OAM and OES in a manner that satisfies the Protection Profile for each security functional requirement (SFR).

Note: In order to ensure secure administration, it is necessary to access the OAM Console and OES Console pages using HTTPS. The configuration steps in section 4 outline how this is to be set up.

5.1 Administrator Identification and Authentication

OAM and OES each provide their own web application for administration, so they are accessed by separate URLs. This is configured during the initial installation process. Authentication is based on the configured identity store, so the username and password defined in that identity store are used to log in to the console. Section 5.2 below has more information regarding identity stores.

Note: It is recommended, although not required, that OAM and OES each use the same identity store so that the same administrative credentials can be used for each interface.

5.2 Administrative Roles and Privileges

OAM Console

On initial install, the OAM Console provides a System Administrator role, which has full authority to perform administrative functions. Additional administrators can be defined based on groups that exist in the identity store. In order to configure additional administrators and roles, navigate to Configuration > Administration in the OAM Console and specify the identity of the user to designate as an administrator. From here, “System Administrator” or “Application Administrator” can be selected. If “System Administrator” is selected, the new administrator has full privileges over the OAM Console. If “Application Administrator” is selected, an Application Domain must be assigned. The Application Administrator has privileges to perform policy management activities over the assigned Application Domain.

Note: The identity store that defines administrator identities and roles must be designated as the ‘system store’. The process for doing this is described in section 4.4 of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management [2].

OES Console


Similar to the OAM Console, the OES Console provides a System Administrator role by default which grants full privileges to manage the OES Console. Administrative authority can also be delegated to other users. The instructions for doing this are located in section 11.5, “Delegating Policy Domain Administration” in the Oracle Fusion Middleware Administering Oracle Entitlements Server guidance [1].

Note: A domain administrator may be assigned to multiple domains.

5.3 Policy Management

The OAM Suite bundle includes both the policy management and access control components in an all-in-one package. In the evaluated configuration, the OAM Console administers the Webgate and the OES Console administers the Security Module. Once the suite is installed and configured, the OAM and OES Consoles are the only policy management products authorized to manage the access control endpoints, and no separate interoperability configuration is required. Therefore, the following guidance relates only to the OAM Suite and not to any third-party products.

Note: For both OAM and OES, access is granted to resources on a deny-by-default basis. In the absence of any applicable rules controlling access to a protected resource, an access attempt will be rejected. Note however that a resource needs at least one rule applied to it in order for it to be considered protected. So, for example, if a Webgate exists on a server but no rules exist to control access to a particular directory on that server, the Webgate will not be aware of the existence of that directory and will not enforce any access control against it.

Defining Policies for OAM

The process for defining an access control policy using OAM consists of the following activities performed at the OAM Console:

Register and set up an OAM Webgate (Section 13 in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management)

Define one or more Application Domains (Section 17.4 in the same guidance)

Define Resources to be protected within the Application Domain (Section 17.5 in the same guidance)

Define Authentication Policies and Authorization Policies for accessing these Resources (Sections 17.6, 17.7, and 17.10-13 in the same guidance)

In summary for the purposes of this supplemental guide, installing the Webgate on a web server allows for an application running on that web server to be protected by OAM. Multiple Application Domains may be defined since multiple distinct applications may be running on the same logical server. Within an Application Domain, individual Resources (files or URLs) can be defined as being protected by OAM. When a user requests to access one of these Resources, the Webgate will intercept the request and determine, based on the user requesting access, how to respond based on the Authentication Policies and Authorization Policies defined for this resource.

For example, a valid request to access a webpage would result in the user being redirected back to the originally requested page, while an invalid request could be redirected to a generic “access denied” page on the web server. Subject data such as user identities and group membership that is used in Authentication Policies and Authorization Policies is derived from an environmental identity store. The user identity store is specified in the same manner as the administrator identity store (used to define administrators on the OAM Console). Information on how to configure this identity store is specified below under Managing Identity Stores for OAM.

As described in section 17 of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management [2], Authorization Policies rely on conditions that must be satisfied by the access request. When writing conditions, the user identity, IP address (or range), or user attributes can be specified. The user attributes available are determined by the connected identity store and can be arbitrarily defined. There are also temporal conditions, which stipulate the days and/or times at which a condition applies. Multiple conditions can be combined so that, for example, a user who attempts to access a resource may be permitted at a given time or from a given location, but is forbidden from making the same attempt at a different time or location.

Note: As part of the Common Criteria evaluation of OAM Suite, Authorization Policy testing was limited to the following:

GET and POST operations on web forms within a given web page

URL/file access based on IP range, day/time, arbitrarily chosen user attribute (as defined in the configured identity store), user identity (as defined in the configured identity store)

Association of authentication level with web page (in order to determine if user re-authentication is necessary for access)

Any other functionality is not excluded for use when the product is deployed in its evaluated configuration, but is considered to be outside the scope of the claimed Protection Profiles and was therefore not tested.

Within a given Application Domain, the Authorization Policies are uniquely identified by a Serial Number field that is displayed on the OAM Console.

Any additions or changes to an Authorization Policy will take immediate effect without administrative intervention.

Processing Contradictory Rules in OAM

OAM provides a mechanism for handling contradictory or ambiguous rules (i.e. if two rules that are applicable to an action are in conflict, which rule takes priority) in order to ensure that they always evaluate to an unambiguous result. The following are potential contradictions and guidance for how they are resolved.

When an administrator defines an Authorization Policy, the presence of explicitly contradictory rules (e.g. the same subject-object-operation combination at the same level of detail results in both a permit and a deny result) will prevent the policy from being saved.

If an Authorization Policy contains implicitly contradictory rules at the same level of detail (e.g. a subject belongs to one group that is allowed access to an object but also belongs to a second group that is not allowed access to the same object), the Authorization Policy will evaluate to ‘inconclusive’, which is treated as a deny.

If an Authorization Policy contains implicitly contradictory rules at differing levels of detail (e.g. a subject is allowed access to an object individually but also belongs to a group that is not allowed access to the same object), the more specific rule will take precedence.

If OAM is configured to process Authorization Policy rules in order, then it is not possible for there to be contradictory rules because the higher rule will always take precedence.

An Authorization Policy may contain an expression that includes multiple rules. These are evaluated using Boolean logic. Detailed information about rule creation can be found in section 17 of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management [2].
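The four resolution cases above, written out as a small Python model. This is an added illustration, not OAM's code: the rule structure (a subject of the form user:<id> or group:<name>, a resource and an operation), the specificity ranking (a user rule is more specific than a group rule), the sample policy and the request names are all assumptions of this example. What it shows is the effect of each case on a request: rejection at save time, ‘inconclusive’ treated as deny, the more specific rule winning, first-match under ordered evaluation, and deny-by-default when nothing applies.

```python
"""Model of the OAM Authorization Policy conflict handling described above.

Added illustration, not OAM code. Encodes the four cases from the guide:
 1. explicitly contradictory rules are rejected when the policy is saved,
 2. an implicit conflict at the same level of detail is 'inconclusive' (a deny),
 3. across levels of detail the more specific rule wins,
 4. ordered evaluation lets the first applicable rule win.
Rule layout, specificity ranking and all names are assumptions of this example.
"""
from collections import namedtuple

ALLOW, DENY, INCONCLUSIVE = "allow", "deny", "inconclusive"

# subject is "user:<id>" or "group:<name>"; a user rule is more specific than a group rule.
Rule = namedtuple("Rule", "subject resource operation effect")
Request = namedtuple("Request", "user groups resource operation")

SPECIFICITY = {"user": 2, "group": 1}


def specificity(rule):
    return SPECIFICITY[rule.subject.split(":", 1)[0]]


def save_policy(rules):
    """Save-time check: the same subject/object/operation with both permit and deny is rejected."""
    seen = {}
    for r in rules:
        key = (r.subject, r.resource, r.operation)
        if key in seen and seen[key] != r.effect:
            raise ValueError("explicitly contradictory rules for %s on %s %s" % (key[0], key[2], key[1]))
        seen[key] = r.effect
    return list(rules)


def is_saveable(rules):
    try:
        save_policy(rules)
        return True
    except ValueError:
        return False


def applies(rule, req):
    kind, name = rule.subject.split(":", 1)
    subject_ok = name == req.user if kind == "user" else name in req.groups
    return subject_ok and rule.resource == req.resource and rule.operation == req.operation


def evaluate(rules, req, ordered=False):
    """Raw result for req: allow, deny or inconclusive; deny when no rule applies."""
    matching = [r for r in rules if applies(r, req)]
    if not matching:
        return DENY                       # deny-by-default for a protected resource
    if ordered:
        return matching[0].effect         # first applicable rule wins, no conflict possible
    top = max(specificity(r) for r in matching)
    effects = {r.effect for r in matching if specificity(r) == top}
    return INCONCLUSIVE if len(effects) > 1 else effects.pop()


def is_allowed(rules, req, ordered=False):
    """Access decision: only an unambiguous allow grants access; inconclusive is a deny."""
    return evaluate(rules, req, ordered) == ALLOW


# Constructed sample policy for a hypothetical Application Domain.
POLICY = save_policy([
    Rule("group:staff", "/index.html", "GET", ALLOW),
    Rule("group:contractors", "/index.html", "GET", DENY),
    Rule("user:bob", "/index.html", "GET", ALLOW),
])

REQ_ALICE = Request("alice", {"staff", "contractors"}, "/index.html", "GET")  # same level: inconclusive
REQ_BOB = Request("bob", {"contractors"}, "/index.html", "GET")               # user rule beats group deny
REQ_EVE = Request("eve", set(), "/index.html", "GET")                         # nothing applies: deny

if __name__ == "__main__":
    for name, req in (("alice", REQ_ALICE), ("bob", REQ_BOB), ("eve", REQ_EVE)):
        print(name, evaluate(POLICY, req), "ordered:", evaluate(POLICY, req, ordered=True))
```

Note that alice is denied under the default evaluation but allowed under ordered evaluation, because the first applicable rule (group:staff) permits her; switching an Application Domain to ordered processing therefore changes outcomes, not just conflict handling.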

Managing Identity Stores for OAM

In order for OAM to recognize administrators, it is necessary to configure OAM to interface with remote identity stores. Section 4.3 (“Managing User Identity Stores”) of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management provides guidance for how this is accomplished.

Note: In the Common Criteria evaluated configuration, Oracle Internet Directory (OID) and Oracle Unified Directory (OUD) are the supported types of identity store. To use an external identity store in this manner, it must first be configured in the underlying WebLogic server before being configured in the console. This configuration is performed by following the instructions provided in Section 5 of Oracle Fusion Middleware Securing Oracle WebLogic Server.

Defining Policies for OES

The process for defining an access control policy using OES consists of the following activities performed at the OES Console after the initial installation of a Security Module has been performed:

Define an Application (Section 4 in the Fusion Middleware Administering Oracle Entitlements Server)

Create a Resource Type (Section 4 in the Fusion Middleware Administering Oracle Entitlements Server)

Instantiate a Resource from the Resource Type (Section 4 in the Fusion Middleware Administering Oracle Entitlements Server)

Build the Authorization Policy (Section 4 in the Fusion Middleware Administering Oracle Entitlements Server)

Bind the Application to a Security Module (Section 10 in the Fusion Middleware Administering Oracle Entitlements Server)

Distribute the Authorization Policy (Section 6 in the Fusion Middleware Administering Oracle Entitlements Server)


Each of these steps is described in section 4 of the Fusion Middleware Administering Oracle Entitlements Server documentation, except for policy distribution, which is described in section 6.

In summary for the purposes of this supplemental guide, an Application is an abstract representation of a specific web application to be protected. In order to enforce access control on this web application, Resource Types are defined and then individual Resources of these types are created. The Authorization Policy then determines whether or not users can access given Resources. Once the policy has been defined, the Application is associated with an actual installed Security Module on a web server and the policy is distributed to that Security Module for enforcement. Authorization Policies are given unique names within an Application.

Note: As part of the Common Criteria evaluation of OAM Suite, Authorization Policy testing was limited to the following:

File access based on user identity (as defined in the configured identity store)

Ability to execute arbitrary script based on user identity (as defined in the configured identity store)

Any other functionality is not excluded for use when the product is deployed in its evaluated configuration, but is considered to be outside the scope of the claimed Protection Profiles and was therefore not tested.

When enforcing access control policies, Security Modules rely on subject data provided by environmental identity stores. Information about how to configure an identity store to be associated with a Security Module can be found in Fusion Middleware Administering Oracle Entitlements Server under Section 10.3, “Configuring Identity Directory Service Profiles”.

Note: In the Common Criteria evaluated configuration, Oracle Internet Directory (OID) and Oracle Unified Directory (OUD) are the supported types of identity store.

Unlike with OAM, new and updated policies must be manually distributed to Security Modules in order to take effect. To do this, open the Application in the OES Console, click the Policy Distribution tab, and press Distribute. When the policy has been successfully applied by the Security Module, the status of this as well as the applied policy version will be visible in the OES Console.

Note: OES provides both a ‘push’ and a ‘pull’ method for policy distribution. In the Common Criteria evaluated configuration, only the ‘push’ method as described above is supported.

Processing Contradictory Rules in OES

Unlike with OAM, OES does not enforce a complex hierarchy for how to evaluate the most appropriate rule for a given request. All rules that apply to the request are evaluated and if any rule causes a deny result, the attempt will be rejected.
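The OES combining behaviour above, as an added Python illustration (not OES code): every policy bound to the Application whose principals, resource, action and condition match the request is evaluated, any DENY rejects the request, and no applicable policy is a deny. The policy structure, the condition functions and the sample policies are assumptions of this example; the application, resource type, action and attribute names echo the OES audit records in section 5.4 but the policies themselves are constructed.

```python
"""Model of the OES authorization-decision combining described above.

Added illustration, not OES code. All policies applicable to a request are
evaluated; any DENY rejects the request, and a request that no policy covers
is denied. Policy layout, conditions and names are assumptions of this
example (names echo the section 5.4 audit records).
"""
from collections import namedtuple

GRANT, DENY = "GRANT", "DENY"

Policy = namedtuple("Policy", "name principals resource_type resource actions effect condition")
Request = namedtuple("Request", "principals resource_type resource action attributes")


def always(_attributes):
    return True


def not_a_student(attributes):
    return attributes.get("isStudent") == "false"


def over_borrow_limit(attributes, limit=5):
    return int(attributes.get("NumberOfBorrowedBooksAttribute", "0")) >= limit


# Constructed policies for a hypothetical 'Library' Application.
POLICIES = [
    Policy("Policy4BookSell", frozenset({"authenticated-role"}), "Book", "Book4Sell",
           frozenset({"buy", "borrow", "review"}), GRANT, always),
    Policy("StudentsOnlyBorrow", frozenset({"authenticated-role"}), "Book", "Book4Sell",
           frozenset({"borrow"}), DENY, not_a_student),
    Policy("BorrowLimit", frozenset({"authenticated-role"}), "Book", "Book4Sell",
           frozenset({"borrow"}), DENY, over_borrow_limit),
]


def applicable(policy, req):
    """A policy applies when a principal, the resource, the action and its condition all match."""
    return (bool(policy.principals & req.principals)
            and policy.resource_type == req.resource_type
            and policy.resource == req.resource
            and req.action in policy.actions
            and policy.condition(req.attributes))


def is_access_allowed(policies, req):
    """(decision, names of applicable policies): no policy -> deny, any DENY -> deny, else grant."""
    matched = [p for p in policies if applicable(p, req)]
    if not matched:
        return False, []
    return all(p.effect == GRANT for p in matched), [p.name for p in matched]


# Constructed subjects: principals as they appear in the audit records, plus attribute sets.
JOHN = frozenset({"John", "authenticated-role", "anonymous-role"})
ANON = frozenset({"anonymous-role"})
STUDENT = {"RegisteredAttribute": "yes", "isStudent": "true", "NumberOfBorrowedBooksAttribute": "0"}
STAFF = {"RegisteredAttribute": "yes", "isStudent": "false", "NumberOfBorrowedBooksAttribute": "0"}

if __name__ == "__main__":
    for label, req in (("student borrow", Request(JOHN, "Book", "Book4Sell", "borrow", STUDENT)),
                       ("staff borrow", Request(JOHN, "Book", "Book4Sell", "borrow", STAFF)),
                       ("anonymous buy", Request(ANON, "Book", "Book4Sell", "buy", STUDENT))):
        print(label, is_access_allowed(POLICIES, req))
```

The second tuple element is what an audit reviewer wants next to the decision: with deny-overrides, a single DENY policy silently outweighs any number of GRANT policies, so a denied request should be traced to the policy that produced it.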

Managing Identity Stores for OES


Similar to OAM, OES requires the use of an environmental identity store in order to authenticate administrators. Section 3.1 of the Fusion Middleware Administering Oracle Entitlements Server guide, “Before You Begin Using Oracle Entitlements Server,” provides instructions on how to configure the underlying WebLogic server to enable this functionality.

Note: In the Common Criteria evaluated configuration, Oracle Internet Directory (OID) and Oracle Unified Directory (OUD) are the supported types of identity store.

5.4 Auditing

Audit Records

Audit data for OAM Suite is generated for both administrative activity and for access attempts made against resources that are being protected by the product. Each audit event that is generated by the product contains the date and time that the event occurred, the subject identity and the outcome of the event. Below is a description of each of the required fields that is present in each audit record.

Date and time of the event - 2016-07-19 21:23:40.948

Type of Event - PolicyCreation

Subject Identity - oamadmin

Outcome of the event - true

The table below provides sample audit data for the auditable events required by the claimed Protection Profiles.

Note: The audit events shown in the table below have been generated by either the OAM Server, OES Server, or the Security Module. The Webgate does not generate any audit data as the OAM Server generates the data for the Webgate.
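A tokenizer for records in this format, with a triage pass over a few of them, added here as an example that is not part of the Oracle guide. A record is a whitespace-separated list of fields, each either a double-quoted string (which may contain backslash-escaped quotes, as the policy definitions in the table do) or a bare token, with "-" marking an empty field and true/false carrying the outcome. Only the positions the guide documents are named (date and time, subject, event type, outcome); any further positional meaning is an assumption of this example. The sample records are shortened, constructed versions of records from the table, not complete real ones. One point the samples make: for an OES IsAccessAllowed event the outcome is true whenever the check ran, and the actual decision sits in the (IsAllowed:...) field, so a denied access must be detected from that field rather than from the outcome.

```python
"""Tokenizer and triage pass for OAM/OES audit records in the format shown in this section.

Added example, not from the Oracle guide. A record is a whitespace-separated
list of fields: a double-quoted string (backslash-quote escapes allowed) or a
bare token, where "-" marks an empty field and true/false is the outcome. Only
the positions the guide documents are named here (date/time, subject, event
type, outcome); any other positional meaning is this example's assumption.
"""
import re

# A quoted field (with backslash-quote escapes) or a bare token; alternation order matters.
TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
IS_ALLOWED = re.compile(r"\(IsAllowed:(true|false)\)")

# Constructed, shortened records in the page's format (not complete real records).
SAMPLE_RECORDS = [
    '2016-07-19 21:23:40.948 "oamadmin" "PolicyCreation" true - "oamadmin" - - - '
    '"Policy name=\\"Authorization Policy1\\", id=\\"5e878626-9b22-4b9a-a2ae-efb72ca7b3a9\\"" - '
    '"AUTHZ-POLICY:Authorization Policy1"',
    '2016-07-22 19:19:05.071 "UserName=orcladmin" "ConsoleLogin" false "UserAuthenticationFailure" '
    '"anonymous" - "Authentication failed"',
    '2016-07-21 17:54:22.216 "test1" "CheckAuthorization" false "" - - - "Webgate1" '
    '"HTTP::Webgate1::/index.html::"',
    '2017-03-06 20:06:33.258 - "IsAccessAllowed" true "Authorization check permission succeeded." - '
    '"(DecisionTime:3/6/17 3:06 PM) (IsAllowed:false)" ""',
    '2017-01-18 20:15:47.576 - "IsAccessAllowed" true "Authorization check permission succeeded." - '
    '"(DecisionTime:1/18/17 3:15 PM) (IsAllowed:true)" "review"',
]


def tokenize(record):
    """Split a record into fields: '-' -> None, quoted text unescaped, bare tokens as-is."""
    fields = []
    for m in TOKEN.finditer(record):
        if m.group(2) is not None:
            bare = m.group(2)
            fields.append(None if bare == "-" else bare)
        else:
            fields.append(m.group(1).replace('\\"', '"'))
    return fields


def parse(record):
    """Name the documented positions; pull the OES decision out of the later message fields."""
    f = tokenize(record)
    if len(f) < 5:
        raise ValueError("record too short: %r" % record)
    entry = {
        "timestamp": "%s %s" % (f[0], f[1]),
        "subject": f[2],
        "event": f[3],
        "outcome": f[4] == "true",   # for IsAccessAllowed this only says the check ran
        "fields": f,
    }
    for field in f[5:]:
        m = IS_ALLOWED.search(field or "")
        if m:
            entry["decision"] = m.group(1) == "true"   # the actual authorization result
            break
    return entry


def triage(records):
    """Return (event, subject, timestamp) for failed operations and denied access decisions."""
    flagged = []
    for rec in records:
        e = parse(rec)
        if not e["outcome"] or e.get("decision") is False:
            flagged.append((e["event"], e["subject"], e["timestamp"]))
    return flagged


if __name__ == "__main__":
    for event, subject, when in triage(SAMPLE_RECORDS):
        print("%s  %-20s subject=%s" % (when, event, subject))
```

Over the sample records the triage flags the failed console login, the denied CheckAuthorization and the IsAccessAllowed record whose decision is false, and leaves the policy creation and the permitted IsAccessAllowed untouched.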

Component | Event | Additional Information

[PM]ESM_ACD.1 | Creation or modification of policy | Unique policy identifier

OAM, Policy Creation:

2016-07-19 21:23:40.948 "oamadmin" "PolicyCreation" true - "oamadmin" - - - - - "oam_admin(11.1.2.0.0)" - - - "5e878626-9b22-4b9a-a2ae-efb72ca7b3a9" - - - - - - "IAMAccessDomain" "9163ad96d8041aed:-4652ef42:1560474eb02:-8000-00000000000008fc" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - "Policy name=\"Authorization Policy1\", id=\"5e878626-9b22-4b9a-a2ae-efb72ca7b3a9\", description=\"null\", owners=\"[]\", resources=\"[86cb5dd6-65ef-4b37-9723-50fe3bc08d3f]\",conditions=\"[IdentityCondition: name=\"Test\", description=\"null\", identityList=\"[UserIdentity: idDomain=\"OAMIDSTORE\", identifier=\"test1\"]\".]\",rules=\"[]\",sessionElements=\"[]\",successResponses=\"[]\",failureResponses=\"[]\",successRedirectURL=\"null\",failureRedirectURL=\"null\".useImpliedConstraints=\"false\"" - "" - - "AUTHZ-POLICY:Authorization Policy1" - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "73" - - - -

OAM, Policy Modification:

2016-07-20 20:20:04.688 "oamadmin" "PolicyModification" true - "oamadmin" - - - - - "oam_admin(11.1.2.0.0)" - "10a3e34e-e5fc-4cc4-8d16-83a9575c57d3" - - - - - - - - "IAMAccessDomain" "9163ad96d8041aed:-4652ef42:1560474eb02:-8000-0000000000002eaa" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - "AUTHN-POLICY:Policy name=\"Test Policy1\", id=\"10a3e34e-e5fc-4cc4-8d16-83a9575c57d3\", description=\"null\", owners=\"[]\", resources=\"[]\",conditions=\"null\",rules=\"null\",sessionElements=\"null\",successResponses=\"[]\",failureResponses=\"[]\",successRedirectURL=\"null\",failureRedirectURL=\"null\".schemeId=\"ed0e64a5-6110-4c11-80cb-7395c4fdf744\",useDefaultAuthnScheme=\"false\"" - "AUTHN-POLICY:Policy name=\"Test Policy1\", id=\"10a3e34e-e5fc-4cc4-8d16-83a9575c57d3\", description=\"null\", owners=\"[]\", resources=\"[dd216485-bbd7-427d-b5f0-5f01e0717f34]\",conditions=\"null\",rules=\"null\",sessionElements=\"null\",successResponses=\"[]\",failureResponses=\"[]\",successRedirectURL=\"null\",failureRedirectURL=\"null\".schemeId=\"ed0e64a5-6110-4c11-80cb-7395c4fdf744\",useDefaultAuthnScheme=\"false\"" - - "AUTHN-POLICY:Test Policy1" - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "73" - - - -

OES, Policy Creation:

2017-01-13 23:45:49.834 "weblogic" "PolicyCreation" true "Policy entry Creation successful in Library scope" "weblogic" "oracle" - - "base_domain" "7b95023ab4b6e201:-702d2125:15999821bd0:-8000-0000000000000fff,0" "PolicyManagement" "success" - "linux61" "10.209.39.114" - - - - - - - - - - - - "file:/home/oracle/Oracle_IDMLCM1/products/identity/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_user/oracle.security.apm.core.model/2fn8h8/APP-INF/lib/adflibAPMCommonModel.jar" - - - - - - - - - - - - - - - - "Library" - - - - - - - - - - - - - - - - - - - - - - - - "LibraryDomain" - - "Policy4BookSell" "([(Name:authenticated-role) (GUID:null) (Unique name:null) (Class name:oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl) (AppID:null) (Type:JPS_AUTHENTICATED_ROLE)] )" - - "([(Name:Policy4BookSellPOLICY_RULE) (Effect:GRANT) (Condition:null)] )" - "OR" - - - - "" - - - - - "([(Resource((Name:Book4Sell) (ResourceType:Book) (Type:RESOURCE))) (Actions([buy] ))] )" - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "68" - - -

OES, Policy Modification:

2017-01-13 23:59:35.141 "weblogic" "PolicyModification" true "Policy entry modification successful in Library scope" "weblogic" "oracle" - - "base_domain" "7b95023ab4b6e201:-702d2125:15999821bd0:-8000-0000000000001222,0" "PolicyManagement" "success" - "linux61" "10.209.39.114" - - - - - - - - - - - - "file:/home/oracle/Oracle_IDMLCM1/products/identity/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_user/oracle.security.apm.core.model/2fn8h8/APP-INF/lib/adflibAPMCommonModel.jar" - - - - - - - - - - - - - - - - "Library" - - - - - - - - - - - - - - - - - - - - - - - - "LibraryDomain" - - "Policy4BookSell" "([(Name:authenticated-role) (GUID:null) (Unique name:null) (Class name:oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl) (AppID:null) (Type:JPS_AUTHENTICATED_ROLE)] )" - - "([(Name:Policy4BookSellPOLICY_RULE) (Effect:GRANT) (Condition:null)] )" - - - - - - "" - - - - - "([(Resource((Name:Book4Sell) (ResourceType:Book) (Type:RESOURCE))) (Actions([borrow] [review] ))] )" - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "68" - - -

[PM]ESM_ACT.1 | Transmission of policy to Access Control products | Destination of policy

OES, Policy Distribution:

2017-01-17 20:05:09.356 "weblogic" "PolicyDistribution" true "Policy distribution successful" "weblogic" "oracle" - - "base_domain" "386ea5e4ae770b24:3116b378:159ab5270ee:-8000-00000000000019eb,0" "PolicyDistributionManagement" "success" - "linux61" "10.209.39.114" - - - - - - - - - - - - "file:/home/oracle/Oracle_IDMLCM1/products/identity/oracle_common/modules/oracle.jps_11.1.1/jps-internal.jar" - - - - - - - - - - - - "true" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "[]" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "12" - - -

[PM]ESM_ATD.1 | Association of attributes with objects | None

OAM:

2016-07-20 20:55:18.010 "test2" "SessionCreation" true "" "anonymous" "" - "Webgate1" - "Webgate1" "oam_server(11.1.2.0.0)" - "Protected Resource Policy" - - - - - - - - "IAMAccessDomain" "0000LOA5pfPCWrH_QtL6id1NZbI^0001Ax" "Server" "-" "PROXY_IP_ADDRESS = unknown" - - - - - - - "10.209.39.114" "OAMIDSTORE" - "wls_oam1" - - - - - - - - "2" "0" - "10.209.39.114" "5716635249062705043" "HTTP::Webgate1::/index.html::" "Webgate1" - "HTTP::Webgate1::/index.html::" - - - "http://linux61.cctl.com:7777/index.html" - - "e019a62e-8cde-4dbf-9693-5b8461143fdb|99nY1oKSnFs6p46hLKBQSLdC/qg=" "LDAPScheme" "wls_oam1" - - - - - "" - - - - - "12" - "cn=test2,cn=users,dc=cctl,dc=com" "test2" -

2016-07-20 20:55:18.011 "test2" "Login" true "" "anonymous" "" - "Webgate1" - "Webgate1" "oam_server(11.1.2.0.0)" - "Protected Resource Policy" - - - - - - - - "IAMAccessDomain" "0000LOA5pfPCWrH_QtL6id1NZbI^0001Ax" "Server" "-" "PROXY_IP_ADDRESS = unknown" - - - - - - - "10.209.39.114" "OAMIDSTORE" - "wls_oam1" - - - - - - - - "2" "0" - "10.209.39.114" "5716635249062705043" "HTTP::Webgate1::/index.html::" "Webgate1" - "HTTP::Webgate1::/index.html::" - - - "http://linux61.cctl.com:7777/index.html" - - "e019a62e-8cde-4dbf-9693-5b8461143fdb|99nY1oKSnFs6p46hLKBQSLdC/qg=" "LDAPScheme" "wls_oam1" - - - - - "" - - - - - "12" - "cn=test2,cn=users,dc=cctl,dc=com" "test2" -

OES:

2017-01-18 20:15:47.576 - "IsAccessAllowed" true "Authorization check permission succeeded." - - - - - "0000LanE9TjC^qH_QtDCid1OVlMI000006,0" "Authorization" "success" - "iam.oracle.com" "10.209.39.56" "(DecisionTime:1/18/17 3:15 PM) (IsAllowed:true)" - - - - - - - "[(Name:RegisteredAttribute) (Value:yes)] [(Name:isStudent) (Value:false)] [(Name:NumberOfBorrowedBooksAttribute) (Value:0)] [(Name:forSell) (Value:true)] " - - - "file:/home/oracle/app/mw_home/oes_client/modules/oracle.jps_11.1.1/jps-pep.jar" - - - - - - "ONCE" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "[]" - - - - - - - - - - - - - - - - - - - - "review" "(AppName:Library) (ResourceType:Book) (ResourceName:AuthorResource)" "(principals([(Name:John) (Class name:weblogic.security.principal.WLSUserImpl)] [(Name:authenticated-role) (Class name:oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl)] [(Name:anonymous-role) (Class name:oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl)] ))" - - - - - - - - - "1" "2" - - - - - - - - - "28" - - -

[PM]ESM_ATD.2 | Association of attributes with subjects | None

OES:

2017-01-18 19:07:00.721 - "IsAccessAllowed" true "Authorization check permission succeeded." - - - - - "0000LamyPvhC^qH_QtDCid1OVvdo000005,0" "Authorization" "success" - "iam.oracle.com" "10.209.39.56" "(DecisionTime:1/18/17 2:07 PM) (IsAllowed:true)" - - - - - - - "[(Name:RegisteredAttribute) (Value:yes)] [(Name:isStudent) (Value:false)] [(Name:NumberOfBorrowedBooksAttribute) (Value:0)] [(Name:forSell) (Value:true)] " - - - "file:/home/oracle/app/mw_home/oes_client/modules/oracle.jps_11.1.1/jps-pep.jar" - - - - - - "ONCE" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "[]" - - - - - - - - - - - - - - - - - - - - "borrow" "(AppName:Library) (ResourceType:Book) (ResourceName:AttributePolicy)" "(principals([(Name:john) (Class name:weblogic.security.principal.WLSUserImpl)] [(Name:authenticated-role) (Class name:oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl)] [(Name:anonymous-role) (Class name:oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl)] ))" - - - - - - - - - "1" "2" - - - - - - - - - "12" - - -

[PM]ESM_EAU.2 | All use of the authentication mechanism | None

OAM (Failed Login Attempt):

2016-07-22 19:19:05.071 "UserName=orcladmin" "ConsoleLogin" false "UserAuthenticationFailure" "anonymous" "SystemStore_ID=1BE98010869F79A7FE SystemStore_Name=OID" - - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "0a5cf6222b1a8c78:32a9abf8:1560f56261f:-8000-0000000000000f3c" "AdminConsole" "Authentication failed" - - - - - - "linux61" - "10.209.39.114" - - - - - - - - - - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "12" - - - -

OES (Successful Authentication):

2017-03-06 18:48:47.668 "admin2" "SessionValidation" true "" - "" - "Webgate1" - - "oam_server(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "005IXHOU82DCWrH_QtL6id0000LG00001e" "Server" "-" "PROXY_IP_ADDRESS = unknown" - - - - - - - "10.209.39.114" "IDSPROFILE-OID-SSL-NEW1" - "wls_oam1" - - - - - - - - "6" "1:21134" - "10.209.39.114" "8625866062739347239" - "Webgate1" - - - - - "/apm/faces/AuthPolicyMgr.jspx?_adf.ctrl-state=6th25icmr_5" - - "65412556-587c-4b19-9ed7-1acb1ec7a889|XzuhJkenDvl464TtK2wybKjdEN8=" - "wls_oam1" - - - - - - - - - - - "77" - "cn=admin2,cn=Users,dc=vm,dc=oracle,dc=com" "admin2" -

[AC]FAU_SEL.1 | All modifications to audit configuration | None

2016-07-25 22:48:59.328 "oamadmin" "AuditConfChngAdmnOp" true - "oamadmin" "ServerProfileAuditConfigModification" - - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "10e27ab84f34a7d9:-3df525cd:156239f0489:-8000-0000000000000e4a" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - "FilterPreset=Low" - "FilterPreset=All" - - - - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - "JLwkPmOc6cj3DC2rBp-Rmhd5k_LbZMl05cLAXdGurvg5unEJsttf!-1477202929!1469486883740" - - - - - "71" - - - -

[PM]FAU_SEL_EXT.1 | All modifications to audit configuration | None

2016-07-25 22:48:59.328 "oamadmin" "AuditConfChngAdmnOp" true - "oamadmin" "ServerProfileAuditConfigModification" - - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "10e27ab84f34a7d9:-3df525cd:156239f0489:-8000-0000000000000e4a" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - "FilterPreset=Low" - "FilterPreset=All" - - - - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - "JLwkPmOc6cj3DC2rBp-Rmhd5k_LbZMl05cLAXdGurvg5unEJsttf!-1477202929!1469486883740" - - - - - "71" - - - -

[AC+PM]FAU_STG_EXT.1 | Establishment and disestablishment of communications with audit server | Identification of audit server

Note: The entries for this requirement are WebLogic Server log messages (BEA-001129) that record a failed JDBC connection to the audit data source; they are written to the server log rather than to the audit store.

OAM:

####<Jan 11, 2017 1:21:58 AM GMT+00:00> <Warning> <JDBC> <linux61> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <weblogic> <> <c8b3ed41f35c7471:-6fa1b51:15989f2a56f:-8000-000000000000091d> <1484097718652> <BEA-001129> <Received exception while creating connection for pool "jdbc/ds3": Listener refused the connection with the following error: ORA-12514, TNS:listener does not currently know of service requested in connect descriptor .>

OES:

####<Mar 9, 2017 7:39:43 PM GMT+00:00> <Warning> <JDBC> <linux61> <AdminServer> <AuditLoaderRunner> <<WLS Kernel>> <> <0000Leliki5CWrH_QtL6id1OkFHq000002> <1489088383180> <BEA-001129> <Received exception while creating connection for pool "jdbc/ds4": Listener refused the connection with the following error: ORA-12528, TNS:listener: all appropriate instances are blocking new connections

[AC]FCO_NRR.2 | The invocation of the non-repudiation service | Identification of the information, the destination, and a copy of the evidence provided

2017-01-17 20:05:09.356 "weblogic" "PolicyDistribution" true "Policy distribution successful" "weblogic" "oracle" - - "base_domain" "386ea5e4ae770b24:3116b378:159ab5270ee:-8000-00000000000019eb,0" "PolicyDistributionManagement" "success" - "linux61" "10.209.39.114" - - - - - - - - - - - - "file:/home/oracle/Oracle_IDMLCM1/products/identity/oracle_common/modules/oracle.jps_11.1.1/jps-internal.jar" - - - - - - - - - - - - "true" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "[]" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "12" - - -

2017-01-17 20:05:10.754 "weblogic" "PolicyDistribution" true "Policy distribution successful" "weblogic" "oracle" - - "base_domain" "386ea5e4ae770b24:3116b378:159ab5270ee:-8000-00000000000019eb,1:23582" "PolicyDistributionManagement" "success" - "linux61" "10.209.39.114" - - - - - - - - - - - - - - - - - - - - - - - - - "true" - - - - - - - - - "https://10.209.39.56:37002/pd-client" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "209" - - -

[AC]FDP_ACC.1 | Any changes to the enforced policy or policies | Identification of Policy Management product making the change

Policy Modification:

2017-01-13 23:59:35.141 "weblogic" "PolicyModification" true "Policy entry modification successful in Library scope" "weblogic" "oracle" - - "base_domain" "7b95023ab4b6e201:-702d2125:15999821bd0:-8000-0000000000001222,0" "PolicyManagement" "success" - "linux61" "10.209.39.114" - - - - - - - - - - - - "file:/home/oracle/Oracle_IDMLCM1/products/identity/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_user/oracle.security.apm.core.model/2fn8h8/APP-INF/lib/adflibAPMCommonModel.jar" - - - - - - - - - - - - - - - - "Library" - - - - - - - - - - - - - - - - - - - - - - - - "LibraryDomain" - - "Policy4BookSell" "([(Name:authenticated-role) (GUID:null) (Unique name:null) (Class name:oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl) (AppID:null) (Type:JPS_AUTHENTICATED_ROLE)] )" - - "([(Name:Policy4BookSellPOLICY_RULE) (Effect:GRANT) (Condition:null)] )" - - - - - - "" - - - - - "([(Resource((Name:Book4Sell) (ResourceType:Book) (Type:RESOURCE))) (Actions([borrow] [review] ))] )" - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "68" - - -

[AC]FDP_ACF.1 | All requests to perform an operation on an object covered by the SFP | Subject identity, object identity, requested operation

OAM (Denied GET based on Attribute)

2016-07-21 17:54:22.216 "test1" "CheckAuthorization" false "" - - - "Webgate1" - "Webgate1" "oam_server(11.1.2.0.0)" - - - "Attribute Policy" - - - - - - "IAMAccessDomain" "005E2^210kSCWrH_QtL6id0007eE00002Z" "Authorization" "-" "PROXY_IP_ADDRESS = unknown" - - - - - - - "10.209.39.114" - - "wls_oam1" - - - - - - - - - "1:22036" - "10.209.39.114" "7174743153216875881" "HTTP::Webgate1::/index.html::" "Webgate1" - "HTTP::Webgate1::/index.html::" - - - "" - - - "" "wls_oam1" - - - - - - - - - - - "12" - - - -

OAM (Allowed POST based on IP Range)

2016-07-21 00:10:18.179 "test2" "CheckAuthorization" true "" - - - "Webgate1" - "Webgate1" "oam_server(11.1.2.0.0)" - - - "IP Range" - - - - - - "IAMAccessDomain" "005E1c^bLKTCWrH_QtL6id0001mt000009" "Authorization" "-" "PROXY_IP_ADDRESS = unknown" - - - - - - - "10.209.39.114" - - "wls_oam1" - - - - - - - - - "1:21013" - "10.209.39.114" "-7437291739563194507" "HTTP::Webgate1::/post.html::[POST]" "Webgate1" - "HTTP::Webgate1::/post.html::[POST]" - - - "" - - - "" "wls_oam1" - - - - - - - - - - - "71" - - - -

OAM (Denied Allowed Get based on Temporal)

2016-07-21 18:45:17.482 "test2" "CheckAuthorization" true "" - - - "Webgate1" - "Webgate1" "oam_server(11.1.2.0.0)" - - - "Temporal" - - - - - - "IAMAccessDomain" "005E2as7xs9CWrH_QtL6id0003XF000004" "Authorization" "-" "PROXY_IP_ADDRESS = unknown" - - - - - - - "10.209.39.114" - - "wls_oam1" - - - - - - - - - "1:22112" - "10.209.39.114" "6421017556770705604" "HTTP::Webgate1::/index.html::" "Webgate1" - "HTTP::Webgate1::/index.html::" - - - "" - - - "" "wls_oam1" - - - - - - - - - - - "12" - - - -

OES (Denied execute script)

2017-03-06 20:06:33.258 - "IsAccessAllowed" true "Authorization check permission succeeded." - - - - - "0000Le_EkOaC^qH_QtDCid1OjRYA00000W,0" "Authorization" "success" - "iam.oracle.com" "10.209.39.56" "(DecisionTime:3/6/17 3:06 PM) (IsAllowed:false)" - - - - - - - "" - - - "file:/home/oracle/app/mw_home/oes_client/modules/oracle.jps_11.1.1/jps-az-api.jar" - - - - - - "ONCE" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "[]" - - - - - - - - - - - - - - - - - - - - "execute" "(AppName:Library) (ResourceType:Script) (ResourceName:3648.mp4)" "(principals([(Name:John) (Class name:weblogic.security.principal.WLSUserImpl)] ))" - - - - - - - - - "1" "2" - - - - - - - - - "12" - - -

OES (Allowed enable script)

2017-03-06 20:04:53.046 - "IsAccessAllowed" true "Authorization check permission succeeded." - - - - - "0000Le_ENuqC^qH_QtDCid1OjRYA00000M,0" "Authorization" "success" - "iam.oracle.com" "10.209.39.56" "(DecisionTime:3/6/17 3:04 PM) (IsAllowed:true)" - - - - - - - "" - - - "file:/home/oracle/app/mw_home/oes_client/modules/oracle.jps_11.1.1/jps-az-api.jar" - - - - - - "ONCE" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "[]" - - - - - - - - - - - - - - - - - - - - "enable" "(AppName:Library) (ResourceType:Script) (ResourceName:3648.mp4)" "(principals([(Name:weblogic) (Class name:weblogic.security.principal.WLSUserImpl)] ))" - - - - - - - - - "1" "2" - - - - - - - - - "12" - - -

OES (Allowed Open)

2017-03-06 19:46:26.959 - "IsAccessAllowed" true "Authorization check permission succeeded." - - - - - "0000Le_A9rjC^qH_QtDCid1OjRYA000007,0" "Authorization" "success" - "iam.oracle.com" "10.209.39.56" "(DecisionTime:3/6/17 2:46 PM) (IsAllowed:true)" - - - - - - - "" - - - "file:/home/oracle/app/mw_home/oes_client/modules/oracle.jps_11.1.1/jps-az-api.jar" - - - - - - "ONCE" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "[]" - - - - - - - - - - - - - - - - - - - - "open" "(AppName:Library) (ResourceType:File) (ResourceName:home/oracle/app/mw_home/user_projects/domains/pulled_domain/fileRealm.properties)" "(principals([(Name:orcladmin) (Class name:weblogic.security.principal.WLSUserImpl)] ))" - - - - - - - - - "1" "2" - - - - - - - - - "12" - - -

OES (Denied Download)

2017-03-06 19:48:52.882 - "IsAccessAllowed" true "Authorization check permission succeeded." - - - - - "0000Le_AhVHC^qH_QtDCid1OjRYA000008,0" "Authorization" "success" - "iam.oracle.com" "10.209.39.56" "(DecisionTime:3/6/17 2:48 PM) (IsAllowed:false)" - - - - - - - "" - - - "file:/home/oracle/app/mw_home/oes_client/modules/oracle.jps_11.1.1/jps-az-api.jar" - - - - - - "ONCE" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "[]" - - - - - - - - - - - - - - - - - - - - "download" "(AppName:Library) (ResourceType:File) (ResourceName:home/oracle/app/mw_home/user_projects/domains/pulled_domain/bin)" "(principals([(Name:orcladmin) (Class name:weblogic.security.principal.WLSUserImpl)] ))" - - - - - - - - - "1" "2" - - - - - - - - - "12" - - -
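The OAM and OES samples above encode the verdict differently: an OAM CheckAuthorization record carries it in the status field (false for the denied GET, true for the allowed POST), while every OES IsAccessAllowed record logs status true because the check itself succeeded, and the verdict sits in the (IsAllowed:...) attribute. The following Python is an added example, not Oracle's tooling, that pulls the decision out of both formats; its SAMPLES are shortened, constructed versions of this page's FDP_ACF.1 records, and the field positions it relies on are those visible in them.

```python
"""Extract the access decision from OAM CheckAuthorization and OES IsAccessAllowed
audit records.  Added example, not Oracle tooling.  SAMPLES holds shortened,
constructed stand-ins for the page's FDP_ACF.1 records (the real rows carry many
more '-' empty fields; the parser does not depend on their count)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Decision:
    timestamp: str
    component: str            # "OAM" or "OES"
    user: Optional[str]
    action: Optional[str]     # HTTP method or OES action, when the record has one
    resource: str
    allowed: bool


# A field is a double-quoted string (backslash escapes allowed, "" for empty),
# a bare token such as true/false, or a lone '-' meaning "no value".
_TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$", re.S)
_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def tokenize(record: str) -> Tuple[str, List[Optional[str]]]:
    """Split a record into (timestamp, fields); '-' becomes None."""
    m = _TS.match(record.strip())
    if not m:
        raise ValueError("record does not start with an audit timestamp")
    fields: List[Optional[str]] = []
    for f in _FIELD.finditer(m.group(2)):
        if f.group(1) is not None:
            fields.append(f.group(1))
        else:
            fields.append(None if f.group(2) == "-" else f.group(2))
    return m.group(1), fields


def parse_decision(record: str) -> Optional[Decision]:
    """Return a Decision for an authorization record, None for any other event."""
    ts, fields = tokenize(record)
    if len(fields) < 3:
        return None
    initiator, event, status = fields[0], fields[1], fields[2] == "true"
    if event == "CheckAuthorization":
        # OAM: the status field is the verdict (the page's denied GET logs
        # 'false', the allowed POST 'true'); the resource is the first
        # HTTP::<agent>::<path>::[METHOD] field, method optional.
        res = next((f for f in fields if f and f.startswith("HTTP::")), "")
        parts = res.split("::")
        method = parts[3].strip("[]") if len(parts) > 3 and parts[3] else None
        return Decision(ts, "OAM", initiator, method, res, status)
    if event == "IsAccessAllowed":
        # OES: status 'true' only means the check ran; the verdict is the
        # (IsAllowed:...) attribute, so a denial is still logged with true.
        verdict = re.search(r"\(IsAllowed:(true|false)\)", record)
        if verdict is None:
            return None
        principal = re.search(r"principals\(\[\(Name:([^)]*)\)", record)
        rtype = re.search(r"\(ResourceType:([^)]*)\)", record)
        rname = re.search(r"\(ResourceName:([^)]*)\)", record)
        # The action ("execute", "open", ...) is the field just before the
        # "(AppName:...)" resource descriptor.
        action = None
        for i, f in enumerate(fields):
            if i and f and f.startswith("(AppName:"):
                action = fields[i - 1]
                break
        resource = "%s:%s" % (rtype.group(1) if rtype else "?",
                              rname.group(1) if rname else "?")
        return Decision(ts, "OES", principal.group(1) if principal else None,
                        action, resource, verdict.group(1) == "true")
    return None


def denied(records: List[str]) -> List[Decision]:
    """Decisions that denied access, across both record formats."""
    out = []
    for r in records:
        d = parse_decision(r)
        if d is not None and not d.allowed:
            out.append(d)
    return out


# Constructed samples, shortened from the page's records.
SAMPLES = [
    '2016-07-21 17:54:22.216 "test1" "CheckAuthorization" false "" - - - "Webgate1" - '
    '"Webgate1" "oam_server(11.1.2.0.0)" - - - "Attribute Policy" - "IAMAccessDomain" '
    '"Authorization" "-" "10.209.39.114" "HTTP::Webgate1::/index.html::" "Webgate1"',
    '2016-07-21 00:10:18.179 "test2" "CheckAuthorization" true "" - - - "Webgate1" - '
    '"Webgate1" "oam_server(11.1.2.0.0)" - - - "IP Range" - "IAMAccessDomain" '
    '"Authorization" "-" "10.209.39.114" "HTTP::Webgate1::/post.html::[POST]" "Webgate1"',
    '2017-03-06 20:06:33.258 - "IsAccessAllowed" true "Authorization check permission '
    'succeeded." - - - - - "0000Le_EkOaC^qH_QtDCid1OjRYA00000W,0" "Authorization" '
    '"success" - "iam.oracle.com" "10.209.39.56" "(DecisionTime:3/6/17 3:06 PM) '
    '(IsAllowed:false)" - "[]" - "execute" "(AppName:Library) (ResourceType:Script) '
    '(ResourceName:3648.mp4)" "(principals([(Name:John) '
    '(Class name:weblogic.security.principal.WLSUserImpl)] ))"',
]

if __name__ == "__main__":
    for d in denied(SAMPLES):
        print("%s %s DENY user=%s action=%s resource=%s"
              % (d.timestamp, d.component, d.user, d.action, d.resource))
```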

[PM]FIA_USB.1 | Successful and unsuccessful binding of user attributes to a subject | None

OAM (user)

2016-07-25 19:17:26.018 "oamadmin" "GenericAdminOperation" true "Role:'System Administrator' Granted to:'test2'" "oamadmin" - "System Administrator" - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "6402bfc082b14968:6a36057d:1562344b700:-8000-000000000000059e" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - "test2" - - - - - - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "69" - - - -

2016-07-25 19:17:30.606 "" "ConsoleLogin" true "UserLogoutSuccess" "oamadmin" "SystemStore_ID=04775E31E19B1E595A SystemStore_Name=OAMIDSTORE" - - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "6402bfc082b14968:6a36057d:1562344b700:-8000-00000000000005a7" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - - - - - - - - - - "0" - "" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "12" - - - -

2016-07-25 19:17:44.478 "UserName=test2" "ConsoleLogin" true "UserAuthenticationSuccess" "anonymous" "SystemStore_ID=04775E31E19B1E595A SystemStore_Name=OAMIDSTORE" - - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "6402bfc082b14968:6a36057d:1562344b700:-8000-00000000000005b7" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - - - - - - - - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "12" - - - -

OAM (group)

2016-07-25 19:28:53.252 "oamadmin" "GenericAdminOperation" true "Role:'System Administrator' Granted to:'OAMAdministrators'" "oamadmin" - "System Administrator" - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "6402bfc082b14968:6a36057d:1562344b700:-8000-000000000000067d" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - "OAMAdministrators" - - - - - - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "69" - - - -

2016-07-25 19:29:24.241 "" "ConsoleLogin" true "UserLogoutSuccess" "oamadmin" "SystemStore_ID=04775E31E19B1E595A SystemStore_Name=OAMIDSTORE" - - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "6402bfc082b14968:6a36057d:1562344b700:-8000-0000000000000687" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - - - - - - - - - - "0" - "" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "69" - - - -

OES (user)

2017-01-16 22:07:35.448 "weblogic" "AdminRoleGrant" true "Granting principals for admin role successful in SystemPolicy scope" "weblogic" "oracle" - - "base_domain" "d735894f2a32d2f5:3ad636c3:159a9504d96:-8000-00000000000000f0,0" "AdminRoleManagement" "success" - "linux61" "10.209.39.114" - - - "SystemAdmin" - - - - - - - - "file:/home/oracle/Oracle_IDMLCM1/products/identity/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_user/oracle.security.apm.core.model/2fn8h8/APP-INF/lib/adflibAPMCommonModel.jar" - - - - - - - - - - - - - - - - "SystemPolicy" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "" - - - - - - - - - - - - - - - - "([(Name:oestest1) (GUID:null) (Unique name:null) (Class name:weblogic.security.principal.WLSUserImpl) (AppID:null) (Type:CUSTOM)] )" - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "18" - - -

[AC]FMT_MOF.1 | All modifications to TSF behavior | None

OAM (Changing Webgate Password)

2016-07-21 21:29:57.548 "oamadmin" "AgentModification" true - "oamadmin" - - "Webgate1" "OAM" - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "0a5cf6222b1a8c78:32a9abf8:1560f56261f:-8000-0000000000000097" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - "AllowManagementOperations=false AllowMasterTokenRetrieval=false AllowCredentialCollectorOperations=false state=Enabled Values in SecondaryServerList: debug=false security=open failoverThreshold=1 version=11.0.0.0 id=Webgate1 logoutCallbackUrl=/oam_logout_success denyOnNotProtected=1 logoutRedirectUrl=https://linux61.cctl.com:7504/oam/server/logout cacheControlHeader=no-cache Values in PrimaryServerList: {host=linux61, port=5575, numOfConnections=8} AllowTokenScopeOperations=false maxConnections=1 preferredHost=Webgate1 accessClientPasswd=da6987e91ce4db360fb3b7368cad265429266ba0bb80011100a234308938a13a Values in Map UserDefinedParameters: proxySSLHeaderVar=[IS_SSL] URLInUTF8Format=[true] client_request_retry_attempts=[1] inactiveReconfigPeriod=[10] maxSessionTimeUnits=[minutes] aaaTimeoutThreshold=5 ConfigurationProfile=DefaultProfile Values in logOutUrls: tokenValidityPeriod=3600 ipValidation=0 secretKey=71FF41B6E341A15DAA89EF75456377E6880EC844910F927C3644055E4E5A2ED4C855AC085652B2A7DAA57A81EED9C735 maxCacheElems=100000 Values in ipValidationExceptions: cachePragmaHeader=no-cache sleepFor=60 maxSessionTime=60 cacheTimeout=1800 logoutTargetUrlParamName= " - "AllowManagementOperations=false AllowMasterTokenRetrieval=false AllowCredentialCollectorOperations=false state=Enabled Values in SecondaryServerList: debug=false security=open failoverThreshold=1 version=11.0.0.0 id=Webgate1 logoutCallbackUrl=/oam_logout_success denyOnNotProtected=1 logoutRedirectUrl=https://linux61.cctl.com:7504/oam/server/logout cacheControlHeader=no-cache Values in PrimaryServerList: {host=linux61, port=5575, numOfConnections=8} AllowTokenScopeOperations=false maxConnections=1 preferredHost=Webgate1 accessClientPasswd=8427d13cc6baf9cdeb0040ffbdbdeea9a2560a5ae2284dc0668b1c6dcbfa6156 Values in Map UserDefinedParameters: proxySSLHeaderVar=[IS_SSL] URLInUTF8Format=[true] client_request_retry_attempts=[1] inactiveReconfigPeriod=[10] maxSessionTimeUnits=[minutes] aaaTimeoutThreshold=5 ConfigurationProfile=DefaultProfile Values in logOutUrls: tokenValidityPeriod=3600 ipValidation=0 secretKey=71FF41B6E341A15DAA89EF75456377E6880EC844910F927C3644055E4E5A2ED4C855AC085652B2A7DAA57A81EED9C735 maxCacheElems=100000 Values in ipValidationExceptions: cachePragmaHeader=no-cache sleepFor=60 maxSessionTime=60 cacheTimeout=1800 logoutTargetUrlParamName= " - - - - - - "0" - - - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "71" - - - -

OES (Policy Creation)

2017-01-17 19:16:44.523 "weblogic" "PolicyCreation" true "Policy entry Creation successful in Library scope" "weblogic" "oracle" - - "base_domain" "386ea5e4ae770b24:3116b378:159ab5270ee:-8000-00000000000012fb,0" "PolicyManagement" "success" - "linux61" "10.209.39.114" - - - - - - - - - - - - "file:/home/oracle/Oracle_IDMLCM1/products/identity/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_user/oracle.security.apm.core.model/2fn8h8/APP-INF/lib/adflibAPMCommonModel.jar" - - - - - - - - - - - - - - - - "Library" - - - - - - - - - - - - - - - - - - - - - - - - "LibraryDomain" - - "TestPolicy1" "([(Name:authenticated-role) (GUID:null) (Unique name:null) (Class name:oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl) (AppID:null) (Type:JPS_AUTHENTICATED_ROLE)] )" - - "([(Name:TestPolicy1POLICY_RULE) (Effect:GRANT) (Condition:null)] )" - "OR" - - - - "" - - - - - "([(Resource((Name:Book4All) (ResourceType:Book) (Type:RESOURCE))) (Actions([review] [borrow] ))] )" - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "66" - - -

[PM]FMT_MSA.1 | All modifications of security attributes | None

OAM (Create authorization policy)

2016-07-15 19:41:20.957 "test1" "PolicyCreation" true - "test1" - - - - - "oam_admin(11.1.2.0.0)" - - - "117c4fb0-5df3-46df-9fa6-5ca9b9d68502" - - - - - - "IAMAccessDomain" "b2dc540aa571fb17:-70282a25:155ebc077ab:-8000-0000000000003b26" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - "Policy name=\"Authorization Policy Test\", id=\"117c4fb0-5df3-46df-9fa6-5ca9b9d68502\", description=\"null\", owners=\"[]\", resources=\"[]\",conditions=\"[]\",rules=\"[]\",sessionElements=\"[]\",successResponses=\"[]\",failureResponses=\"[]\",successRedirectURL=\"null\",failureRedirectURL=\"null\".useImpliedConstraints=\"false\"" - "" - - "AUTHZ-POLICY:Authorization Policy Test" - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "12" - - - -

OES (Policy modification)

2017-03-06 20:59:27.431 "weblogic" "PolicyModification" true "Policy entry modification successful in Library scope" "weblogic" "oracle" - - "base_domain" "71c32f5bed45c51b:-1d20aa68:15aa559e5e9:-8000-00000000000002de,0" "PolicyManagement" "success" - "linux61" "10.209.39.114" - - - - - - - - - - - - "file:/home/oracle/Oracle_IDMLCM1/products/identity/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_user/oracle.security.apm.core.model/2fn8h8/APP-INF/lib/adflibAPMCommonModel.jar" - - - - - - - - - - - - - - - - "Library" - - - - - - - - - - - - - - - - - - - - - - - - "" - - "pulled_domain_policy" "([(Name:authenticated-role) (GUID:null) (Unique name:null) (Class name:oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl) (AppID:null) (Type:JPS_AUTHENTICATED_ROLE)] )" - - "([(Name:pulled_domain_policyPOLICY_RULE) (Effect:GRANT) (Condition:null)] )" - - - - - - "[]" - - - - - "([(Resource((Name:/home/oracle/app/mw_home/user_projects/domains/pulled_domain) (ResourceType:File) (Type:RESOURCE))) (Actions([open] ))] )" - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "66" - - -

[AC]FMT_MSA.3 | All modifications of the initial values of security attributes | Attribute modified, modified value

OAM Policy modified to “Allow All” instead of default “Deny All”

2016-07-21 23:14:04.656 "oamadmin" "PolicyModification" true - "oamadmin" - - - - - "oam_admin(11.1.2.0.0)" - - - "61924510-e3f3-4301-a60c-fe78cb753d74" - - - - - - "IAMAccessDomain" "0a5cf6222b1a8c78:32a9abf8:1560f56261f:-8000-000000000000048f" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - "AUTHZ-POLICY:Policy name=\"AllowALL\", id=\"61924510-e3f3-4301-a60c-fe78cb753d74\", description=\"null\", owners=\"[]\", resources=\"[86cb5dd6-65ef-4b37-9723-50fe3bc08d3f]\",conditions=\"[IdentityCondition: name=\"Identity\", description=\"null\", identityList=\"[UserIdentity: idDomain=\"OAMIDSTORE\", identifier=\"test2\"]\"., TrueCondition]\",rules=\"[Rule : effect =\"ALLOW\",combiner =\"SimpleCombiner: combiner-mode = \"ALL\",conditions =\"[TRUE]\".\".]\",sessionElements=\"[]\",successResponses=\"[]\",failureResponses=\"[]\",successRedirectURL=\"null\",failureRedirectURL=\"null\".useImpliedConstraints=\"false\"" - "AUTHZ-POLICY:Policy name=\"DenyALL\", id=\"61924510-e3f3-4301-a60c-fe78cb753d74\", description=\"null\", owners=\"[]\", resources=\"[86cb5dd6-65ef-4b37-9723-50fe3bc08d3f]\",conditions=\"[IdentityCondition: name=\"Identity\", description=\"null\", identityList=\"[UserIdentity: idDomain=\"OAMIDSTORE\", identifier=\"test2\"]\"., TrueCondition]\",rules=\"[Rule : effect =\"DENY\",combiner =\"SimpleCombiner: combiner-mode = \"ALL\",conditions =\"[TRUE]\".\"., Rule : effect =\"ALLOW\",combiner =\"SimpleCombiner: combiner-mode = \"ALL\",conditions =\"[Identity]\".\".]\",sessionElements=\"[]\",successResponses=\"[]\",failureResponses=\"[]\",successRedirectURL=\"null\",failureRedirectURL=\"null\".useImpliedConstraints=\"false\"" - - "AUTHZ-POLICY:AllowALL" - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "71" - - - -

OES Policy Created to allow User “John” authorization instead of “Deny All”

2017-03-07 02:32:25.097 "weblogic" "PolicyCreation" true "Policy entry Creation successful in Library scope" "weblogic" "oracle" - - "base_domain" "2d58512b716962d3:-511821a6:15aa68e3447:-8000-00000000000002ab,0" "PolicyManagement" "success" - "linux61" "10.209.39.114" - - - - - - - - - - - - "file:/home/oracle/Oracle_IDMLCM1/products/identity/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_user/oracle.security.apm.core.model/2fn8h8/APP-INF/lib/adflibAPMCommonModel.jar" - - - - - - - - - - - - - - - - "Library" - - - - - - - - - - - - - - - - - - - - - - - - "" - - "FilePermit_for_John" "([(Name:John) (GUID:null) (Unique name:null) (Class name:weblogic.security.principal.WLSUserImpl) (AppID:null) (Type:CUSTOM)] )" - - "([(Name:FilePermit_for_JohnPOLICY_RULE) (Effect:GRANT) (Condition:null)] )" - "OR" - - - - "[]" - - - - - "([(Resource((Name:/home/oracle/app/mw_home) (ResourceType:File) (Type:RESOURCE))) (Actions([download] [open] ))] )" - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "64" - - -

[AC+PM]FMT_SMF.1 | Use of the management functions | Management function performed

Audit records for the management functions of the TOE are shown with the other SFRs.

[AC+PM]FMT_SMR.1 | Modifications of the members of the management roles | None

OES (user)

2017-01-16 22:07:35.448 "weblogic" "AdminRoleGrant" true "Granting principals for admin role successful in SystemPolicy scope" "weblogic" "oracle" - - "base_domain" "d735894f2a32d2f5:3ad636c3:159a9504d96:-8000-00000000000000f0,0" "AdminRoleManagement" "success" - "linux61" "10.209.39.114" - - - "SystemAdmin" - - - - - - - - "file:/home/oracle/Oracle_IDMLCM1/products/identity/user_projects/domains/base_domain/servers/AdminServer/tmp/_WL_user/oracle.security.apm.core.model/2fn8h8/APP-INF/lib/adflibAPMCommonModel.jar" - - - - - - - - - - - - - - - - "SystemPolicy" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "" - - - - - - - - - - - - - - - - "([(Name:oestest1) (GUID:null) (Unique name:null) (Class name:weblogic.security.principal.WLSUserImpl) (AppID:null) (Type:CUSTOM)] )" - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "18" - - -

OAM (group)

2016-07-25 19:28:53.252 "oamadmin" "GenericAdminOperation" true "Role:'System Administrator' Granted to:'OAMAdministrators'" "oamadmin" - "System Administrator" - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "6402bfc082b14968:6a36057d:1562344b700:-8000-000000000000067d" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - "OAMAdministrators" - - - - - - - - "0" - "10.209.39.114" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "69" - - - -

2016-07-25 19:29:24.241 "" "ConsoleLogin" true "UserLogoutSuccess" "oamadmin" "SystemStore_ID=04775E31E19B1E595A SystemStore_Name=OAMIDSTORE" - - - - "oam_admin(11.1.2.0.0)" - - - - - - - - - - "IAMAccessDomain" "6402bfc082b14968:6a36057d:1562344b700:-8000-0000000000000687" "AdminConsole" - - - - - - - "linux61" - "10.209.39.114" - - - - - - - - - - - - "0" - "" - - - - - - - - - - - - - "AdminServer" - - - - - - - - - - - "69" - - - -

[AC]FPT_FLS_EXT.1 | Failure of communication between the TOE and Policy Management product | Identity of the Policy Management product, reason for the failure

OAM

2016/07/22@00:04:01.013307 UTC - WebGate Multi-Process File Logger
****************************************************** BANNER INFORMATION ***************************************************
WebgateId=Webgate1
WebgateInstallDir=/home/oracle/Oracle_IDMLCM1/products/web/webgate/webgate/ohs
WebgateInstanceDir=/home/oracle/Oracle_IDMLCM1/config/instances/ohs1/config/OHS/ohs1
AgentType=WebGate
WebgateVersion=11.1.2.3.0
WebServer=OHS11g
WebServerStartTime=2016/07/21@23:55:39 UTC
WebServerVersionMode=Oracle-HTTP-Server-11g/Worker
HostName=linux61
OsInfo=Linux 2.6.32-100.34.1.el6uek.x86_64 #1 SMP Wed May 25 17:46:45 EDT 2011 x86_64
*****************************************************************************************************************************
<Year/Mon/Day@Hour:Min:Sec.Milsec> <Process_Id> <Thread_Id> <Module> <Level> <Code> <File:Line> "<Message>" <Named_Values...>
=============================================================================================================================
2016/07/22@00:04:01.16821 9616 9743 ACCESS_CLIENT WARNING 0x0000153D /ade/aime_ngamac_110154/ngamac/src/palantir/aaa_client/src/aaa_service_client.cpp:3767 ecid^005E2sfesu2CWrH_QtL6id0002Li000004 rid^0 "Severe error detected. OAM operation error will be raised" Cause^No reply from OAM Server. Read operation timed out or socket failure occurred. Read wait timeout(in milliseconds)^5000 msg opcode^20 total attempts performed^1 retry attempts configured^1
2016/07/22@00:04:01.16831 9616 9743 ACCESS_CLIENT ERROR 0x00002107 /ade/aime_ngamac_110154/ngamac/src/palantir/aaa_client/include/aaa_service_client.h:279 ecid^005E2sfesu2CWrH_QtL6id0002Li000004 rid^0 "Unable to read from network - probably due to remote-side connection closure - closing local connection"
2016/07/22@00:04:01.18292 9616 9743 ACCESS_SDK ERROR 0x00000501 /ade/aime_ngamac_110154/ngamac/src/palantir/access_api/src/obuser_session.cpp:2008 ecid^005E2sfesu2CWrH_QtL6id0002Li000004 rid^0 "ObError exception caught" raw_code^124
2016/07/22@00:04:01.18356 9616 9743 WEB ERROR 0x0000151F /ade/aime_ngamac_110154/ngamac/src/palantir/commonlib/src/apache2_req_info.cpp:285 ecid^005E2sfesu2CWrH_QtL6id0002Li000004 rid^0 "WebGate Error Report" Message^The WebGate plug-in is unable to contact any Access Servers. ReqReq^GET /index.html HTTP/1.1 ReqProto^HTTP/1.1 ReqHost^linux61.cctl.com ReqStatLine^ ReqStatus^200 ReqRawUri^/index.html ReqUri^/index.html ReqFilename^/home/oracle/Oracle_IDMLCM1/config/instances/ohs1/config/OHS/ohs1/htdocs/index.html ReqPath^ ReqArgs^
Using NPTL Threading Library.
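The banner above gives the WebGate logger's record layout, and the four records that follow it share one ecid: the ACCESS_CLIENT failure, the SDK exception and the WEB error report are one request's trail. The Python below is an added example, not Oracle code: it parses that layout, groups lines by ecid and reports each request that reached the WebGate Error Report together with the Cause from the first ACCESS_CLIENT failure. Its SAMPLE lines are constructed from this page's records with shortened source paths, and the Cause trimming is a heuristic of this example, since names in this logger may themselves contain spaces.

```python
"""Parse WebGate Multi-Process File Logger lines and correlate them by ecid to
report an Access Server outage (the FPT_FLS_EXT.1 communication failure).
Added example, not Oracle code.  SAMPLE is constructed from the page's records,
each joined onto one line as the logger writes it, with shortened source paths."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# <Year/Mon/Day@Hour:Min:Sec.Milsec> <Process_Id> <Thread_Id> <Module> <Level>
# <Code> <File:Line> ... ; the named values and the message follow in either order.
_HDR = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2}@[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<module>\S+)\s+(?P<level>\S+)\s+(?P<code>0x[0-9A-Fa-f]+)\s+"
    r"(?P<src>\S+:\d+)\s+(?P<rest>.*)$")
_MSG = re.compile(r'"([^"]*)"')


def parse_line(line: str) -> Optional[dict]:
    """Return the record's fields, or None for banner, separator or free text."""
    m = _HDR.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    msg = _MSG.search(rest)
    rec["message"] = msg.group(1) if msg else ""
    # Named values before the message (ecid^..., rid^0) are single tokens;
    # those after it may contain spaces in name and value, so keep them raw.
    head = rest[:msg.start()] if msg else rest
    rec["named"] = dict(t.split("^", 1) for t in head.split() if "^" in t)
    rec["trailer"] = rest[msg.end():].strip() if msg else ""
    return rec


def cause_of(trailer: str) -> Optional[str]:
    """Value of Cause^ in a trailer.  Names in this logger may contain spaces
    ("Read wait timeout(in milliseconds)^5000"), so the value is cut at the
    next '^' and then trimmed back to its last full stop (heuristic)."""
    if "Cause^" not in trailer:
        return None
    tail = trailer.split("Cause^", 1)[1].split("^", 1)[0]
    return tail[:tail.rfind(".") + 1] if "." in tail else tail.strip()


def access_server_outages(lines: List[str]) -> List[dict]:
    """One entry per ecid where ACCESS_CLIENT logged WARNING/ERROR and the WEB
    module then raised "WebGate Error Report" (no policy decision was obtained)."""
    by_ecid: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and "ecid" in rec["named"]:
            by_ecid[rec["named"]["ecid"]].append(rec)
    outages = []
    for ecid, recs in by_ecid.items():
        failures = [r for r in recs if r["module"] == "ACCESS_CLIENT"
                    and r["level"] in ("WARNING", "ERROR")]
        reports = [r for r in recs if r["module"] == "WEB"
                   and r["message"] == "WebGate Error Report"]
        if failures and reports:
            uri = re.search(r"ReqRawUri\^(\S+)", reports[0]["trailer"])
            outages.append({
                "ecid": ecid,
                "first_seen": failures[0]["ts"],
                "cause": cause_of(failures[0]["trailer"]),
                "uri": uri.group(1) if uri else None,
            })
    return outages


# Constructed from the page's records; source paths shortened.
SAMPLE = [
    "2016/07/22@00:04:01.16821 9616 9743 ACCESS_CLIENT WARNING 0x0000153D "
    "aaa_client/src/aaa_service_client.cpp:3767 ecid^005E2sfesu2CWrH_QtL6id0002Li000004 "
    'rid^0 "Severe error detected. OAM operation error will be raised" Cause^No reply '
    "from OAM Server. Read operation timed out or socket failure occurred. Read wait "
    "timeout(in milliseconds)^5000 msg opcode^20 total attempts performed^1 retry "
    "attempts configured^1",
    "2016/07/22@00:04:01.16831 9616 9743 ACCESS_CLIENT ERROR 0x00002107 "
    "aaa_client/include/aaa_service_client.h:279 ecid^005E2sfesu2CWrH_QtL6id0002Li000004 "
    'rid^0 "Unable to read from network - probably due to remote-side connection '
    'closure - closing local connection"',
    "2016/07/22@00:04:01.18356 9616 9743 WEB ERROR 0x0000151F "
    "commonlib/src/apache2_req_info.cpp:285 ecid^005E2sfesu2CWrH_QtL6id0002Li000004 "
    'rid^0 "WebGate Error Report" Message^The WebGate plug-in is unable to contact any '
    "Access Servers. ReqReq^GET /index.html HTTP/1.1 ReqProto^HTTP/1.1 "
    "ReqHost^linux61.cctl.com ReqRawUri^/index.html ReqUri^/index.html",
    "Using NPTL Threading Library.",
]

if __name__ == "__main__":
    for o in access_server_outages(SAMPLE):
        print(o)
```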

OES

####<Jan 18, 2017 11:08:53 PM GMT+00:00> <Info> <JDBC> <linux61> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <4da0ace21da3b1b9:-7f9a7b38:159b3446368:-8000-00000000000008ed> <1484780933020> <BEA-001128> <Connection for pool "opss-DBDS" has been closed.>

####<Jan 18, 2017 11:08:53 PM GMT+00:00> <Warning> <JDBC> <linux61> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <4da0ace21da3b1b9:-7f9a7b38:159b3446368:-8000-00000000000008ed> <1484780933024> <BEA-001129> <Received exception while creating connection for pool "opss-DBDS": Listener refused the connection with the following error:
ORA-12514, TNS:listener does not currently know of service requested in connect descriptor
.>

####<Jan 18, 2017 11:08:53 PM GMT+00:00> <Info> <JDBC> <linux61> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <4da0ace21da3b1b9:-7f9a7b38:159b3446368:-8000-00000000000008ed> <1484780933025> <BEA-001156> <Stack trace associated with message 001129 follows:
java.sql.SQLException: Listener refused the connection with the following error:
ORA-12514, TNS:listener does not currently know of service requested in connect descriptor
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:489)
    at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:678)
    at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:234)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:34)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:567)
    at weblogic.jdbc.common.internal.ConnectionEnvFactory.makeConnection(ConnectionEnvFactory.java:359)
    at weblogic.jdbc.common.internal.ConnectionEnvFactory.createResource(ConnectionEnvFactory.java:241)
    at weblogic.common.resourcepool.ResourcePoolImpl.makeResources(ResourcePoolImpl.java:1322)
    at weblogic.common.resourcepool.ResourcePoolImpl$ResourcePoolMaintanenceTask.timerExpired(ResourcePoolImpl.java:2796)
    at weblogic.timers.internal.TimerImpl.run(TimerImpl.java:284)
    at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused By: oracle.net.ns.NetException: Listener refused the connection with the following error:
ORA-12514, TNS:listener does not currently know of service requested in connect descriptor
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:411)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1229)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:326)
    at oracle.jdbc.driver.PhysicalConnection.<init>(PhysicalConnection.java:678)
    at oracle.jdbc.driver.T4CConnection.<init>(T4CConnection.java:234)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:34)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:567)
    at weblogic.jdbc.common.internal.ConnectionEnvFactory.makeConnection(ConnectionEnvFactory.java:359)
    at weblogic.jdbc.common.internal.ConnectionEnvFactory.createResource(ConnectionEnvFactory.java:241)
    at weblogic.common.resourcepool.ResourcePoolImpl.makeResources(ResourcePoolImpl.java:1322)
    at weblogic.common.resourcepool.ResourcePoolImpl$ResourcePoolMaintanenceTask.timerExpired(ResourcePoolImpl.java:2796)
    at weblogic.timers.internal.TimerImpl.run(TimerImpl.java:284)
    at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
>

####<Jan 18, 2017 11:08:54 PM GMT+00:00> <Info> <Common> <linux61> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <4da0ace21da3b1b9:-7f9a7b38:159b3446368:-8000-00000000000008ed> <1484780934026> <BEA-000633> <Resource Pool "opss-DBDS" suspending due to consecutive number of resource creation failures exceeding threshold of 2>

[AC]FPT_RPL.1 | Detection of replay | Action to be taken based on the specific actions

Any policy data in transit between the server components and the PDPs is secured using TLS, so it is not possible for an attacker to spoof the transfer of legitimate data over an existing connection between the server and the PDP. Refer to “OAM TLS Failed Connection OID” under [AC+PM]FTP_ITC.1 for the type of audit record generated when a TLS connection fails due to TLS modification.

[AC+PM]FTA_TSE.1 | Denial of session establishment | None

OES

2017-01-18 02:05:05.853 - "IsAccessAllowed" true "Authorization check permission succeeded." - - - - - "0000LajKWUuC^qH_QtDCid1OVgOf000005,0" "Authorization" "success" - "iam.oracle.com" "10.209.39.56" "(DecisionTime:1/17/17 9:05 PM) (IsAllowed:false)" - - - - - - - "[(Name:RegisteredAttribute) (Value:yes)] [(Name:isStudent) (Value:false)] [(Name:NumberOfBorrowedBooksAttribute) (Value:0)] [(Name:forSell) (Value:true)] " - - - "file:/home/oracle/app/mw_home/oes_client/modules/oracle.jps_11.1.1/jps-pep.jar" - - - - - - "ONCE" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "[]" - - - - - - - - - - - - - - - - - - - - "borrow" "(AppName:Library) (ResourceType:Book) (ResourceName:BookOnDate)" "(principals([(Name:john) (Class name:weblogic.security.principal.WLSUserImpl)] [(Name:authenticated-role) (Class name:oracle.security.jps.internal.core.principals.JpsAuthenticatedRoleImpl)] [(Name:anonymous-role) (Class name:oracle.security.jps.internal.core.principals.JpsAnonymousRoleImpl)] ))" - - - - - - - - - "1" "2" - - - - - - - - - "12" - - -

OAM

2016-07-21 18:45:17.482 "test2" "CheckAuthorization" true "" - - - "Webgate1" - "Webgate1" "oam_server(11.1.2.0.0)" - - - "Temporal" - - - - - - "IAMAccessDomain" "005E2as7xs9CWrH_QtL6id0003XF000004" "Authorization" "-" "PROXY_IP_ADDRESS = unknown" - - - - - - - "10.209.39.114" - - "wls_oam1" - - - - - - - - - "1:22112" - "10.209.39.114" "6421017556770705604" "HTTP::Webgate1::/index.html::" "Webgate1" - "HTTP::Webgate1::/index.html::" - - - "" - - - "" "wls_oam1" - - - - - - - - - - - "12" - - - -

[AC+PM]FTP_ITC.1 | All use of the trusted channel functions | Identity of the initiator and target of the trusted channel

OAM TLS Failed Connection OID

[2017-03-07T18:18:27.155+00:00] [AdminServer] [NOTIFICATION] [] [oracle.idm.ids.config.ui.util.IDSUtils] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oamadmin] [ecid: 440c1b205c979a9a:172153ec:15aa6af47c2:-8000-000000000000108e,0] [APP: oam_admin#11.1.2.0.0] [DSID: 0000LedxxiKCWrH_QtL6id1OjY2L00000J] Following error(s) were encountered:[[
For node 10.209.39.140:3131: [LDAP: error code 49 - Invalid Credentials]
oracle.idm.ids.config.ui.common.IDSMultipleErrorsException: Following error(s) were encountered:
For node 10.209.39.140:3131: [LDAP: error code 49 - Invalid Credentials]

OAM Established Connection with Remote DB

####<Mar 7, 2017 11:19:52 PM GMT+00:00> <Info> <Common> <linux61> <AdminServer> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <440c1b205c979a9a:172153ec:15aa6af47c2:-8000-0000000000001990> <1488928792640> <BEA-000628> <Created "1" resources for pool "jdbc/open2 TLS", out of which "1" are available and "0" are unavailable.>

%% Initialized: [Session-122, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)', READ: TLSv1 Handshake, length = 447
*** Certificate chain
chain [0] = [
[
Version: V1
Subject: CN=slc03s03sgq.us.oracle.com
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4

OES Established Connection with SM

2017-03-09 20:26:09.538 "weblogic" "PolicyDistribution" true "Policy distribution successful" "weblogic" "oracle" - - "base_domain" "7ec65d4aae7ece18:-123e862a:15ab1baf020:-8000-00000000000003ec,1:31718" "PolicyDistributionManagement" "success" - "linux61" "10.209.39.114" - - - - - - - - - - - - - - - - - - - - - - - - - "true" - - - - - - - - - "https://10.209.39.56:37002/pd-client" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - "1" "2" - - - - "AdminServer" - - - - "110" - - -

- -

RandomCookie: GMT: 1472143229 bytes = { 133, 33, 122, 122, 215, 247, 201, 160, 158, 12, 110, 131, 10, 76, 160, 4, 190, 166, 159, 188, 151, 183, 238, 243, 191, 132, 249, 35 }

Session ID: {}

Cipher Suites: [Unknown 0x0:0x3c, TLS_RSA_WITH_AES_128_CBC_SHA]


Compression Methods: { 0 }

Unsupported extension signature_algorithms, data: 00:12:06:03:06:01:05:03:05:01:04:03:04:01:02:03:02:01:02:02

Extension renegotiation_info, renegotiated_connection: <empty>

***

%% Created: [Session-8, TLS_RSA_WITH_AES_128_CBC_SHA]

*** ServerHello, TLSv1.1

RandomCookie: GMT: 1472138685 bytes = { 38, 87, 78, 99, 2, 200, 104, 229, 25, 214, 127, 215, 83, 191, 35, 54, 170, 16, 74, 220, 224, 114, 115, 79, 185, 242, 118, 234 }

Session ID: {88, 191, 14, 189, 35, 230, 54, 221, 159, 23, 198, 245, 151, 180, 75, 97, 176, 226, 113, 132, 108, 172, 208, 9, 33, 142, 100, 161, 16, 61, 179, 7}

Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA

Compression Method: 0

Extension renegotiation_info, renegotiated_connection: <empty>

***

Cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA

*** Certificate chain

chain [0] = [

[

Version: V3

Subject: CN=linux61, OU=FOR TESTING ONLY, O=MyOrganization, L=MyTown, ST=MyState, C=US

Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

OES Terminated connection with Remote DB

####<Mar 7, 2017 11:13:39 PM GMT+00:00> <Warning> <JDBC> <linux61> <AdminServer> <AuditLoaderRunner> <<WLS Kernel>> <> <0000LeeVGDLCWrH_QtL6id1OjlbL000002> <1488928419966> <BEA-001129> <Received exception while creating connection for pool "jdbc/ds3": Listener refused the connection with the following error:

ORA-12528, TNS:listener: all appropriate instances are blocking new connections

.>

####<Mar 7, 2017 11:13:39 PM GMT+00:00> <Info> <JDBC> <linux61> <AdminServer> <AuditLoaderRunner> <<WLS Kernel>> <> <0000LeeVGDLCWrH_QtL6id1OjlbL000002> <1488928419966> <BEA-001156> <Stack trace associated with message 001129 follows:

java.sql.SQLException: Listener refused the connection with the following error:

ORA-12528, TNS:listener: all appropriate instances are blocking new connections

[PM]FTP_TRP.1. Auditable event: all attempted uses of the trusted path functions. Additional record contents: identification of the user associated with trusted path functions, if available.

OES Administrative session established

<Mar 9, 2017 1:13:02 AM GMT+00:00> <Warning> <oracle.dms.context> <DMS-57008> <The execution context put in place at the start of the request, 0000Lekc5OlCWrH_QtL6id1Ok91Y0000nc,0, is not the execution context in place at the end of the request, 0000Lekc5QICWrH_QtL6id1Ok91Y0000nd,0. The request is as follows: Request URI:

/oam/server/auth_cred_submit

Request URL:

https://10.209.39.114:14101/oam/server/auth_cred_submit

(No Query String)

All Headers Names:

Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Accept-Charset, Keep-Alive, Connection, Referer, Cookie, Content-Type, Content-Length

Selected Header Values:

Accept-Language : en-us,en;q=0.5


Host : 10.209.39.114:14101

Content-Length : 102

Accept-Charset : ISO-8859-1,utf-8;q=0.7,*;q=0.7

Referer : https://10.209.39.114:14101/oam/server/obrareq.cgi?encquery%3DyWLtIqmkp7WWmcY%2BTZsAJXrgySnrXHbSHFGD9n7tPuHEZHNEF0QeOZdyUXgUTy4y4FBeoswfltGWmSTExFe5jl42p6bM9ZAqs9dhCPzzuEyX3Vwlr%2FrN6qYoBxpQPu1ooKNVI7%2FxxCblEdS%2FpnfCdQIPHUB%2F0pz2wihxd73xUZ9sw6x3BF1PpZ%2BjuLHiDLgmFixqLKlezA1z57pLL9u%2BSqmiT6HapB7gfU8aj2PTuOb7%2FpJnLXlM3c6BluGxawQ%2FEkJb9wYfqhucVDuT%2BbwwNA%3D%3D%20agentid%3DWebgate1%20ver%3D1%20crmethod%3D2&ECID-Context=1.005I%5E7lahm6CWrH_QtL6id0004cB0000A4%3BkXjE

Accept-Encoding : gzip,deflate

User-Agent : Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110429 Oracle/3.6.17-1.0.1.el6_0 Firefox/3.6.17

Content-Type : application/x-www-form-urlencoded

Connection : keep-alive

Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

OAM Administrative Session Established

<Mar 9, 2017 2:05:42 AM GMT+00:00> <Warning> <oracle.dms.context> <DMS-57008> <The execution context put in place at the start of the request, 0000Leko8mgCWrH_QtL6id1OkBWB00002L,0, is not the execution context in place at the end of the request, 0000Leko8nVCWrH_QtL6id1OkBWB00002M,0. The request is as follows: Request URI:

/oam/server/auth_cred_submit

Request URL:

https://10.209.39.114:14101/oam/server/auth_cred_submit

(No Query String)

All Headers Names:

Host, User-Agent, Accept, Accept-Language, Accept-Encoding, Accept-Charset, Keep-Alive, Connection, Referer, Cookie, Content-Type, Content-Length

Selected Header Values:

Accept-Language : en-us,en;q=0.5

Host : 10.209.39.114:14101

Content-Length : 105

Accept-Charset : ISO-8859-1,utf-8;q=0.7,*;q=0.7

Referer : https://10.209.39.114:14101/oam/server/auth_cred_submit

Accept-Encoding : gzip,deflate

User-Agent : Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110429 Oracle/3.6.17-1.0.1.el6_0 Firefox/3.6.17

Content-Type : application/x-www-form-urlencoded

Connection : keep-alive

Accept : text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
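The samples in this table arrive in two shapes: WebLogic server-log records (the `####<...>` form, and the shorter `<ts> <severity> <subsystem> <msg-id> <message>` form written to stdout) and Oracle Diagnostic Logging (ODL) records whose header is a run of bracketed fields. The Python below is an added example, not part of the Oracle guidance: it parses both shapes and runs three detection rules over constructed copies of the samples above, re-joined onto one line each. The rules flag an identity store rejecting the OAM bind (LDAP result 49), the audit database refusing connections (BEA-001129 with ORA-12528, the condition under which audit records queue locally on the WebLogic server), and a credential submission on the trusted path (DMS-57008 naming /oam/server/auth_cred_submit). The rule names and the parsers are this example's own assumptions, not Oracle event names or APIs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Field order of a WebLogic server-log record ('####<...>' form) and of the shorter form written
# to stdout. Only the final message field may itself contain '> <'.
WLS_FIELDS = ["timestamp", "severity", "subsystem", "machine", "server", "thread",
              "user", "transaction", "ecid", "epoch_ms", "msg_id", "message"]
WLS_STDOUT_FIELDS = ["timestamp", "severity", "subsystem", "msg_id", "message"]


def parse_wls_record(record: str) -> Optional[Dict[str, str]]:
    """Split on '> <' with a bounded maxsplit so the message stays intact."""
    rec = record.strip()
    if rec.startswith("####<") and rec.endswith(">"):
        names, body = WLS_FIELDS, rec[5:-1]
    elif rec.startswith("<") and rec.endswith(">"):
        names, body = WLS_STDOUT_FIELDS, rec[1:-1]
    else:
        return None
    parts = body.split("> <", len(names) - 1)
    if len(parts) != len(names):
        return None
    out = dict(zip(names, parts))
    if "user" in out:
        out["user"] = out["user"].strip("<>")  # '<WLS Kernel>' -> 'WLS Kernel'
    return out


def parse_odl_record(record: str) -> Optional[Dict[str, str]]:
    """Parse '[ts] [server] [level] [msg_id] [component] [k: v]... message'; bracket fields
    can nest ('[tid: [ACTIVE].ExecuteThread ...]'), so they are cut by bracket depth."""
    rec, fields, i = record.strip(), [], 0
    while i < len(rec) and rec[i] == "[":
        depth, j = 0, i
        while j < len(rec):
            depth += {"[": 1, "]": -1}.get(rec[j], 0)
            if depth == 0:
                break
            j += 1
        if depth != 0:
            return None  # unbalanced brackets: not an ODL header
        fields.append(rec[i + 1:j])
        i = j + 1
        while i < len(rec) and rec[i] == " ":
            i += 1
    if len(fields) < 5:
        return None
    out = {"timestamp": fields[0], "server": fields[1], "level": fields[2],
           "msg_id": fields[3], "component": fields[4], "message": rec[i:]}
    for extra in fields[5:]:  # '[userId: oamadmin]' -> out['userid'] == 'oamadmin'
        key, sep, value = extra.partition(":")
        if sep:
            out[key.strip().lower()] = value.strip()
    return out


Finding = Tuple[str, str, str]  # (rule, timestamp, detail)
LDAP_ERROR_RE = re.compile(r"For node ([\w.:-]+): \[LDAP: error code (\d+) - ([^\]]+)\]")
POOL_RE = re.compile(r'pool "([^"]+)"')


def detect(records: List[str]) -> List[Finding]:
    """Rules: identity-store bind rejected (LDAP result 49); audit database refusing connections
    (BEA-001129 with ORA-12528); credential submission on the trusted path (DMS-57008)."""
    findings: List[Finding] = []
    for raw in records:
        rec = parse_odl_record(raw) if raw.lstrip().startswith("[") else parse_wls_record(raw)
        if rec is None:
            continue
        msg, ts, msg_id = rec["message"], rec["timestamp"], rec.get("msg_id", "")
        ldap = LDAP_ERROR_RE.search(msg)
        if ldap and ldap.group(2) == "49":
            findings.append(("ids-invalid-credentials", ts,
                             f"user={rec.get('userid', '?')} node={ldap.group(1)}"))
        if msg_id == "BEA-001129" and "ORA-12528" in msg:
            pool = POOL_RE.search(msg)
            findings.append(("audit-db-refused", ts, f"pool={pool.group(1) if pool else '?'}"))
        if msg_id == "DMS-57008" and "/oam/server/auth_cred_submit" in msg:
            findings.append(("credential-submit", ts, "request to /oam/server/auth_cred_submit"))
    return findings


# Constructed sample records, re-joined onto one line each from the excerpts above.
SAMPLE_RECORDS = [
    "[2017-03-07T18:18:27.155+00:00] [AdminServer] [NOTIFICATION] [] [oracle.idm.ids.config.ui.util.IDSUtils] "
    "[tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: oamadmin] "
    "[ecid: 440c1b205c979a9a:172153ec:15aa6af47c2:-8000-000000000000108e,0] [APP: oam_admin#11.1.2.0.0] "
    "[DSID: 0000LedxxiKCWrH_QtL6id1OjY2L00000J] Following error(s) were encountered: "
    "For node 10.209.39.140:3131: [LDAP: error code 49 - Invalid Credentials]",
    "####<Mar 7, 2017 11:13:39 PM GMT+00:00> <Warning> <JDBC> <linux61> <AdminServer> <AuditLoaderRunner> "
    "<<WLS Kernel>> <> <0000LeeVGDLCWrH_QtL6id1OjlbL000002> <1488928419966> <BEA-001129> <Received exception "
    'while creating connection for pool "jdbc/ds3": Listener refused the connection with the following '
    "error: ORA-12528, TNS:listener: all appropriate instances are blocking new connections.>",
    "<Mar 9, 2017 1:13:02 AM GMT+00:00> <Warning> <oracle.dms.context> <DMS-57008> <The execution context put in "
    "place at the start of the request, 0000Lekc5OlCWrH_QtL6id1Ok91Y0000nc,0, is not the execution context in "
    "place at the end of the request, 0000Lekc5QICWrH_QtL6id1Ok91Y0000nd,0. The request is as follows: "
    "Request URI: /oam/server/auth_cred_submit Request URL: https://10.209.39.114:14101/oam/server/auth_cred_submit>",
]

if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_RECORDS):
        print(f"{ts}  {rule:<24} {detail}")
```

The bounded `maxsplit` matters for the WebLogic form: the user field is written as `<<WLS Kernel>>` and the message can contain anything, so a naive split on `>` or `<` breaks both. For the ODL form the depth scan is what keeps `[tid: [ACTIVE].ExecuteThread ...]` together as one field.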

Configuring Audit Behavior

Note: Audit behavior is only configurable for OAM in the product’s evaluated configuration. By default, OES (both the OES Console and Security Modules) will generate audit records for all security-relevant activity. This is not configurable.

The OAM Console provides the ability to configure the audit records that are generated through configurable presets. This is performed by navigating to the Common Settings section of the OAM Console, going to Audit Configuration, and changing the “Filter Preset” field. The following choices are available.


All: captures and records all auditable OAM events

Low: captures and records a specific set of auditable OAM events

Medium: captures and records events covered by the Low setting plus a number of other auditable OAM events

None: no OAM events are captured and recorded

Events for each filter preset are fixed in the read-only component_events.xml file. Editing or customizing this file is not supported for Oracle Access Management. Only items that are configured for auditing at the selected filter preset can be audited. Since the Policy Decision Point for OAM is the OAM server, the audit level affects both OAM Console auditing (administrator activities) and Webgate auditing (end user activities).

Note: Webgate behavior is only audited at the Medium or All preset.

More information about auditing can be found in section 8 of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management [2].

Secure External Audit Data Storage

All audit data that is generated by the OAM Suite product must be configured to be stored securely on an external server. This channel is protected using TLS and is configured as described below.

During the initial installation of the TOE as described in section 4 of this document, the administrator must create the audit database store as directed in chapter 8.7.1 of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management [2]. That guidance does not cover configuring this path to use TLS; the SSL with Oracle JDBC Thin Driver document [3] describes how to configure the TLS required for communication with the remote audit database. In the evaluated configuration, the only ciphersuite used for this channel is TLS_RSA_WITH_AES_128_CBC_SHA.

The java.security file under $JAVA_HOME (jre/lib/security/java.security in a JDK 7 or 8 installation, lib/security/java.security in a JRE) should list the disallowed algorithms and ciphersuites as shown in the example below.

Example:

# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048

jdk.tls.disabledAlgorithms=SSLv3, SHA256, DHE, DSS, DESede, KRB5, RC4, DES, K_NULL, M_NULL, C_NULL, DH_anon, ECDHE_anon, DH keySize < 1024, RSA keySize < 1024, EC keySize < 224

Note: If the OES Console and OAM Console reside on separate WebLogic servers, this configuration must be performed on each server. In the evaluated configuration, the OES/OAM Console and the Security Modules run on the same version of WebLogic Server, so the configuration for each connection to the remote audit database is the same.
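One check a practitioner would want before signing off on this setting: read the file the way java.util.Properties does, so that a commented-out line (such as the `#` line in the example, which is not in effect) does not pass for a setting, and compare what is actually disabled against the evaluated list. The Python below is an added example and not part of the Oracle guidance. It takes the evaluated jdk.tls.disabledAlgorithms value from the example above, treats a missing or lower "keySize <" threshold as a gap, and runs against two constructed java.security excerpts: one matching the evaluated configuration and one that leaves the hardened list commented out. The property reader is deliberately minimal (no \uXXXX escapes) and the algorithm names are compared case-insensitively, which is how the JDK matches them.

```python
import re
from typing import Dict, List, Tuple

# The jdk.tls.disabledAlgorithms value of the evaluated configuration, as listed above.
EVALUATED_DISABLED = ("SSLv3, SHA256, DHE, DSS, DESede, KRB5, RC4, DES, K_NULL, M_NULL, C_NULL, "
                      "DH_anon, ECDHE_anon, DH keySize < 1024, RSA keySize < 1024, EC keySize < 224")
KEYSIZE_RE = re.compile(r"^(\w+)\s+keySize\s*<\s*(\d+)$")


def parse_java_security(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: '#' or '!' comment lines, 'key=value' or
    'key: value', and backslash line continuation. A commented-out key is not a setting."""
    props: Dict[str, str] = {}
    logical = ""
    for line in text.splitlines():
        stripped = line.strip()
        if logical:                      # continuing a line that ended in a backslash
            logical += stripped
        elif not stripped or stripped[0] in "#!":
            continue
        else:
            logical = stripped
        if logical.endswith("\\"):
            logical = logical[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props


def disabled_entries(value: str) -> Tuple[Dict[str, str], Dict[str, int]]:
    """Split a disabledAlgorithms value into plain entries (upper-cased key -> as written,
    since the JDK matches them case-insensitively) and 'ALG keySize < N' minimums."""
    names: Dict[str, str] = {}
    minimums: Dict[str, int] = {}
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        m = KEYSIZE_RE.match(entry)
        if m:
            minimums[m.group(1).upper()] = int(m.group(2))
        else:
            names[entry.upper()] = entry
    return names, minimums


def check_against_evaluated(java_security_text: str) -> List[str]:
    """Return every entry of the evaluated list that the given java.security does not disable."""
    want_names, want_mins = disabled_entries(EVALUATED_DISABLED)
    props = parse_java_security(java_security_text)
    have_names, have_mins = disabled_entries(props.get("jdk.tls.disabledAlgorithms", ""))
    gaps = sorted(want_names[k] for k in want_names.keys() - have_names.keys())
    for alg, bits in want_mins.items():
        if have_mins.get(alg, 0) < bits:   # absent or lower threshold disables fewer keys
            gaps.append(f"{alg} keySize < {bits}")
    return gaps


# Constructed java.security excerpts (not copied from any installation): the first matches the
# evaluated configuration, the second leaves the hardened list commented out.
EVALUATED_FILE = """\
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, SHA256, DHE, DSS, DESede, KRB5, RC4, DES, K_NULL, M_NULL, C_NULL, \\
    DH_anon, ECDHE_anon, DH keySize < 1024, RSA keySize < 1024, EC keySize < 224
"""
WEAK_FILE = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
# jdk.tls.disabledAlgorithms=SSLv3, SHA256, DHE, DSS, DESede, KRB5, RC4, DES, K_NULL, M_NULL, C_NULL
"""

if __name__ == "__main__":
    for label, text in (("evaluated", EVALUATED_FILE), ("weak", WEAK_FILE)):
        gaps = check_against_evaluated(text)
        print(f"{label}: {'OK' if not gaps else 'not disabled: ' + ', '.join(gaps)}")
```

Run it against the java.security of every WebLogic host that connects to the audit database. An empty result means each evaluated entry is present; it does not show which suite was actually negotiated, which is what the `%% Initialized: [Session-..., TLS_RSA_WITH_AES_128_CBC_SHA]` handshake debug lines in the audit samples earlier record.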


If there is any interruption in the communication between the console or Security Module and the remote audit database, audit records are still stored locally on the underlying WebLogic server and are sent automatically to the remote audit database once the connection has been restored.

5.5 Self-Protection

Key Storage

Secret key data that resides locally on the OAM/OES Server systems will automatically be written to the secure Java keystore on the local OS. In order to establish trusted communications between the OAM Server and any remote servers that Webgates reside on, it is necessary to register Webgates to the OAM Server. This process is described in section 5 of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management [2]. As part of the registration process, the OAM server will generate obaccessclient.xml and cwallet.sso files which are transferred manually to the Webgate’s config directory as part of the initial Webgate setup. These files store key information that is used to establish the trusted channel and these files are stored encrypted using AES-256. The registration process also identifies the Webgate based on information about the web server itself, so it is not possible to simply copy the encrypted data into another web server as a means to establish unauthorized connectivity with the OAM Server.

Fault Tolerance

No specific administrative activities are required to configure fault tolerance for the OAM Suite in the event that communication between the OAM/OES server and a remote Webgate/Security Module is broken. By default, Webgates continuously poll the OAM server for updated policy information, so if policy data is updated during a communications outage, the Webgate enforces the new policy once the connection is re-established. During the outage itself, the Webgate fails closed and does not allow any activity. Security Modules do not require an active connection back to the OES server in order to function, since they act as Policy Enforcement Points evaluating the policy already distributed to them. Note, however, that policy distribution is not possible during a communications outage and must be re-initiated once connectivity is restored.

Replay Detection

For remote communication of policy data, OAM Suite ensures both confidentiality and authenticity of communications. The registration process for Webgates ensures that each endpoint (Webgate and OAM Server) recognizes the other end of the connection as valid. Information about server registration in general is found in section 5 of the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management [2], and information about Webgate communications in particular is located in section 5.2.4 of that guide as well as section 2 of Oracle Fusion Middleware Installing WebGates for Oracle Access Manager [9]. Similarly, communications between the OES Server and Security Modules use a registration process to ensure authenticity. This is described in section 6 of the Fusion Middleware Administering Oracle Entitlements Server guidance [1].

Relevant information for the identification and authentication of the distributed components is summarized below:


Webgate: Webgates are configured in the OAM Console and require the administrator to enter a username and password for authorization. If a Webgate is installed on a remote entity, the administrator copies the configuration files of the configured Webgate and installs them on that entity. The configuration files contain all of the specific information of the OAM Server, including the administrator username and password. As mentioned under Key Storage, these configuration files are stored encrypted using AES-256. If that password is later changed, the Webgate will be unable to communicate with the OAM Server. Chapter 2, Installing and Configuring Oracle HTTP Server 11g WebGate for OAM, of Oracle Fusion Middleware Installing WebGates for Oracle Access Manager [9] describes how to install and configure the Webgate.

Security Module: During the initial installation and configuration of the Security Module, the administrator modifies an .xml file that resides on the underlying server where the Security Module is installed, entering the OES Server information (IP address/hostname and port number) to enroll the Security Module with the OES Server. The enrollment ensures that the Security Module can only be managed by that particular OES Server.

In addition to this, the use of TLS between distributed components secures data in transit from unauthorized modification or disclosure, preventing the ability for replayed traffic to be used to illicitly issue policy configurations or decisions. Information about setting up TLS communications can be found in section 4 of this supplemental guide.

5.6 TOE Access

[AC]FTA_TSE.1 – TOE Session Establishment

How to write policy rules that the Webgate/SM enforces based on day/time of access:

OAM: Section 25.10 Defining Authorization Policy Conditions in [2] describes how to define an Authorization Policy according to the time/day within the OAM Console.

OES: The administrator in the OES Console is also able to define a policy to restrict or grant access to a protected resource according to time/day. This condition is discussed in section 2.4.5 Defining a Condition in [1].


6. Terminology

In reviewing this document, the reader should be aware of the following terms:

SFR: stands for Security Functional Requirement. An SFR is a security capability that was tested as part of the CC process.

TOE: stands for Target of Evaluation. This refers to the aspects of the OAM Suite that contain the security functions that were tested as part of the CC evaluation process.


7. References

OAM and OES are part of Oracle Fusion Middleware 11g. The documentation for Oracle Fusion Middleware is located at http://docs.oracle.com/cd/E52734_01/cross/allbooksdocs.htm. The following specific documentation is referenced as part of the CC-compliant operation of OAM Suite.

[1] Fusion Middleware Administering Oracle Entitlements Server: http://docs.oracle.com/cd/E52734_01/oes/ESADR/toc.htm

[2] Oracle Fusion Middleware Administrator's Guide for Oracle Access Management: https://docs.oracle.com/cd/E52734_01/oam/AIAAG/toc.htm

[3] SSL With Oracle JDBC Thin Driver: http://www.oracle.com/technetwork/topics/wp-oracle-jdbc-thin-ssl-130128.pdf

[4] Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0): https://docs.oracle.com/cd/E52734_01/core/INOAM/toc.htm

[5] Oracle Access Manager Suite Version 11g Release 2 Common Criteria Evaluation Security Target v1.0

[6] Oracle Database JDBC Developer's Guide: https://docs.oracle.com/cd/E11882_01/java.112/e16548/toc.htm

[7] Oracle Database Advanced Security Administrator's Guide: https://docs.oracle.com/cd/E11882_01/network.112/e40393/toc.htm Mainly focus on chapter 13 (Configuring Secure Sockets Layer Authentication) and chapter 14 (Using Oracle Wallet Manager)

[8] WebLogic JDBC Use of Oracle Wallet for SSL: https://blogs.oracle.com/WebLogicServer/entry/weblogic_jdbc_use_of_oracle

[9] Oracle Fusion Middleware Installing WebGates for Oracle Access Manager https://docs.oracle.com/cd/E52734_01/core/WGINS/toc.htm

[10] Oracle Fusion Middleware Securing Oracle WebLogic Server https://docs.oracle.com/cd/E15523_01/web.1111/e13707/toc.htm