This article is intended only as a general overview of the Oracle Fusion Applications product and carries no obligation regarding product releases, code, features or the like; to purchase the product or to learn its exact features, development and release plans, see Oracle's official statements. The content is translated from learning materials and white papers published on Oracle's official website. Where anything differs, Oracle's official documentation prevails.
Oracle Fusion Applications is Oracle's next-generation ERP (Enterprise Resource Planning) application suite, covering Financial Management, Human Capital Management, Customer Relationship Management, Supply Chain Management, Project Portfolio Management, Procurement, and Governance, Risk and Compliance. It was developed independently and consolidates the strengths of Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel and Oracle JD Edwards. Fusion Apps runs on Fusion Middleware, is SOA-based, and uses ADF, BI, content management, enterprise performance management, process management, security and identity management, among others.
Security components of Fusion Applications
| Component | Does what? |
|---|---|
| Oracle HTTP Server (OHS) | Takes all incoming HTTP requests |
| Oracle Access Manager (OAM) | Performs single sign-on (SSO) |
| Web Gate (OAM component) | Intercepts requests and checks for user credentials |
| Web Pass (OAM Web server plug-in) | Passes information between the web server and OAM's Identity Server |
| OAM Policy Manager | Supports managing SSO, and URL-based authentication and authorization policies |
| Oracle Identity Management (OIM) | Handles user provisioning |
| Oracle Web Services Manager (OWSM) | Provides infrastructure for Service Oriented Architecture (SOA) and web services security |
| OWSM Agent | Enforces SOA and web services security |
| OWSM Policy Manager | Supports setting up policy configuration for SOA and web services security |
| Oracle Platform Security Services (OPSS) | Provides the framework to manage policies, identity, and audit services across the enterprise |
| Oracle Virtual Directory (OVD) | Virtualizes data sources in LDAP |
| Identity Governance Framework (IGF) | Manipulates users, groups, and policies in LDAP |
| Authorization Policy Management (APM) | Supports managing authorization policies |
| Enterprise Manager (EM) | Supports managing deployed components, services, and applications |
| Oracle Virtual Private Database (VPD) | Protects personally identifiable information (PII) attributes in the database from unauthorized access by privileged users such as DBAs |
Logical view of Oracle Fusion Applications security
Security and identity management in Oracle Fusion Applications is built on the Service-Oriented Security (SOS) framework. See Figure 1.
[Figure 1] Service-Oriented Security
SOS provides a set of security services used by all Oracle Fusion Middleware components and by Oracle Fusion Applications. SOS is implemented with SOA technology and is built upon Oracle Platform Security Services (OPSS). See Figure 2.
[Figure 2] Oracle Platform Security Services (OPSS) in Context
OPSS is a security development framework in Oracle JDeveloper that provides a standard, unified set of APIs for identity management and audit services, freeing developers from complex security design. It can be deployed on WebLogic Server and comprises Oracle WebLogic Server's internal security services, Oracle Fusion Middleware's security framework (also known as Java Platform Security, JPS, or JAZN), Oracle Security Developer Tools (OSDT), and more. OPSS uses OSDT for SSL configuration and for Oracle Wallet (used by OIM, Oracle Enterprise Manager and Oracle Database). OPSS can also integrate with other security components, such as LDAP.
The functional layers of OPSS include the following (see Figure 3):
1) Authentication
2) Identity Assertion
3) Single Sign-on (SSO): there are two implementations, an enterprise-level SSO solution based on OAM, and a SAML-based solution (using the WebLogic Server SAML Credential Mapping Provider).
4) User and role
5) Role mapping
6) Security stores: comprising the Identity Store (users and groups) and the Credential Store. The security stores are managed through Oracle Virtual Directory (OVD).
7) Audit
8) Application life cycle support
[Figure 3] Oracle Platform Security Services Architecture
APM (Authorization Policy Manager) / OES (Oracle Entitlement Server)
APM is a graphical tool for managing OPSS-based authorization policies. It manages both global and application-specific artifacts. Global artifacts include users, external roles and system policies; application-specific artifacts include the resource catalog, application policies, application roles and role categories.
Some basic concepts in APM:
An External Role is stored in the Identity Store (LDAP), whereas an Application Role is stored in the Policy Store. An Application Policy is a set of entitlements and resource permissions granted to a principal (for example an Application Role or an External Role). A System Policy is a global policy that grants an application access to the OPSS APIs. Role Mapping maps application roles to external roles, so that users who hold the external role (created with OIM) can access the restricted application resources.
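To make the chain described above concrete (external role in the identity store, role mapping to an application role, application policy granting entitlements, entitlement resolving to resource permissions), here is an added Python model of that authorization decision. It is illustrative code written for this article, not OPSS or APM code, and every role, group, entitlement and resource name in it is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]  # (resource from the resource catalog, action)

@dataclass
class PolicyStore:
    """Application-specific artifacts as managed in APM (constructed model)."""
    entitlements: Dict[str, Set[Permission]]  # entitlement -> resource permissions
    app_policies: Dict[str, Set[str]]         # principal (app or external role) -> entitlements
    role_mapping: Dict[str, Set[str]]         # application role -> external roles mapped to it

@dataclass
class IdentityStore:
    """External roles live in the LDAP identity store, keyed here by user (constructed)."""
    user_roles: Dict[str, Set[str]]

def effective_app_roles(ext_roles: Set[str], store: PolicyStore) -> Set[str]:
    """Role mapping: an application role is held if any external role mapped to it is held."""
    return {app for app, mapped in store.role_mapping.items() if mapped & ext_roles}

def permissions_for_user(user: str, ids: IdentityStore, store: PolicyStore) -> Set[Permission]:
    ext_roles = ids.user_roles.get(user, set())
    # A policy may name an external role directly, or an application role reached by mapping.
    principals = ext_roles | effective_app_roles(ext_roles, store)
    perms: Set[Permission] = set()
    for principal in principals:
        for ent in store.app_policies.get(principal, set()):
            perms |= store.entitlements.get(ent, set())
    return perms

def is_authorized(user: str, resource: str, action: str,
                  ids: IdentityStore, store: PolicyStore) -> bool:
    return (resource, action) in permissions_for_user(user, ids, store)
# Constructed sample data; the names are hypothetical, not real Fusion Applications artifacts.
STORE = PolicyStore(
    entitlements={"ViewInvoices": {("InvoiceWorkArea", "view")},
                  "ManageInvoices": {("InvoiceWorkArea", "view"), ("InvoiceWorkArea", "edit")}},
    app_policies={"AP_INVOICE_VIEWER": {"ViewInvoices"},     # application roles
                  "AP_INVOICE_MANAGER": {"ManageInvoices"},
                  "cn=auditors": {"ViewInvoices"}},          # external role granted directly
    role_mapping={"AP_INVOICE_VIEWER": {"cn=ap_clerks"},
                  "AP_INVOICE_MANAGER": {"cn=ap_managers"}},
)
IDS = IdentityStore(user_roles={"alice": {"cn=ap_clerks"}, "bob": {"cn=ap_managers"},
                                "carol": {"cn=auditors"}, "eve": set()})
if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "eve"):
        print(user, sorted(permissions_for_user(user, IDS, STORE)))
```

Note that a user with no external role ("eve") resolves to no principals at all, and an application role with no role mapping can never be reached through the identity store.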
References:
[1] 3 Security Infrastructure
http://www.orastudy.com/oradoc/selfstu/fusion/doc.1111/e16689/F323386.htm
[2] Oracle Fusion Applications Security Leveraging Oracle Identity Management. An Oracle White Paper, September 2010
http://www.oracle.com/us/products/middleware/identity-management/fusion-apps-security-wp-176635.pdf