Using the Oracle Service Bus Console

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Service Accounts

A service account provides a user name and password that proxy services and business services use for outbound authentication or authentication to a local or remote resource, such as an FTP server or a JMS server. For example, if a business service is required to supply a user name and password for transport-level authentication with a Web Service, you create a service account that specifies the user name and password, then you configure the business service to include the service-account credentials in its outbound requests.

The user names and passwords that you enter in service accounts are used for outbound authentication or for providing credentials to local or remote resources. The user names and passwords that you enter in the Security Configuration module of the Oracle Service Bus Console are used for inbound authentication and for authenticating administrative requests. See Specifying Service Accounts.

Specifying Service Accounts

You can use the same service account for multiple business services and proxy services. To specify the user name and password that a service account provides, you can use any of the following techniques:

Related Topics

Creating and Configuring Business Services

Create/Edit a Proxy Service - E-Mail Transport Configuration page

Using Service Accounts Data and Sessions

Service accounts and their data participate fully in Oracle Service Bus sessions: you must be in a session to create or modify a service account, and if you discard the session, the service account and its data is also discarded. When you activate a session, Oracle Service Bus saves the user name, password, and other service account data in the user name/password credential mapping provider that is configured for the domain.

Locating Service Accounts

  1. Do either of the following:
    • Select Project Explorer to display the Projects View page or the Project/Folder View page. Then navigate through projects and folders to find the service account.
    • Select Resource Browser > Service Accounts. The Summary of Service Accounts displays the information shown in Table 14-1.
  2. To search for a service account, enter part or all of the account name in the Name field. You can also enter part or all of the account project name and folder in the Path fields. Click Search.

    3. Click View All to remove the search filters and display all service accounts.

    Table 14-1 Service Account Information 
    Property
    Description
    Service Account Name
    A unique name for the service account. Click on the name to see the View Service Account Details page. See Editing Service Accounts.
    Path
    The project name and the name of the folder in which the service account resides. Click on the name to see the project or folder that contains this resource. See Qualifying Resource Names Using Projects and Folders.
    Options
    Contains a Delete icon. If a business service or proxy service has been configured to use a service account, a Deletion Warning icon indicates that you can delete the service account with a warning confirmation. This might result in conflicts due to unresolved references from the service to the deleted service account. See Deleting Service Accounts.

Adding Service Accounts

  1. If you have not already done so, click Create to create a new session or click Edit to enter an existing session. See Using the Change Center.
  2. Select Project Explorer, then select a project or folder in which to add the service account. The Project/Folder View page is displayed.
  3. From the Create Resource drop-down list, select Service Account to display the Create a New Service Account page.
  4. In the Resource Name field, enter a unique name for this service account.
  5. In the Resource Description field, enter a description for the service account.
  6. Under Resource Type, do one of the following:
    • To create a service account that provides the user names and passwords that it receives from incoming client requests, select Pass Through.
    • To create a service account that provides a user name and password that you save with the service account configuration, select Static.
    • To create a service account that maps the user name from one or more authenticated clients to user names and passwords that you specify, select Mapping.
  7. Depending on the resource type you selected in step 6, do one of the following steps described in Table 14-2.

    8. Table 14-2 Resource Type Options 
    Selected Resource Type
    Complete These Steps
    Pass Through
    Click Last.
    Static
    1. Click Next.
    2. Enter the user name and password in the User Name field, Password, and Confirm Password fields.
    3. Click Last.
    Mapping
    To create a service account that maps the user name from one or more clients to user names and passwords that you specify, do the following:
    1. Click Next.
    2. In the Enter Authorized Remote User table, do the following:
      1. In the Remote User Name, Password, and Confirm Password fields, enter the user name and password that you want to send in outbound requests.
      2. Click Add.

        3. The user mapping is added to the Remote Users table.

      3. (Optional) Add additional remote users in the Enter Authorized Remote User table.
    3. Click Next.
    4. To map authorized clients to remote user names and passwords, do the following in the Enter Authorized Local User table:
      1. In the Local User Name field, enter the name that identifies a client that has been authenticated on its inbound request.

        2. If you have not already added this user in the Security Configuration module of the Oracle Service Bus Console, do so before you use this mapping in a runtime environment. See Adding Users. Oracle Service Bus lets you create a mapping for a non-existent local user, but the mapping will never match an authenticated user and will never be used.

      2. From the Remote User Name list, select the user name that you want to send in outbound requests for the authenticated user you specified in the Local User Name field.
      3. Click Add.
    5. To map anonymous clients to remote user names, do the following:
      1. Select the Map Anonymous Requests check box.
      2. From the Select Remote User list, select the user name that you want to send in outbound requests for all anonymous users.
    6. Click Last.

  8. Click Save. The service account is created and saved in the current session.
  9. To end the session and deploy the configuration to the run time, click Activate under Change Center.

Editing Service Accounts

  1. If you have not already done so, click Create to create a new session or click Edit to enter an existing session. See Using the Change Center.
  2. Locate the service account, as described in Locating Service Accounts.
  3. Click the service account name. The View Service Account Details page displays the information shown in Table 14-3.

    4. Table 14-3 Service Account Details  
    Property
    Description
    Last Modified By
    The user who created this service account or imported it into the configuration.
    Last Modified On
    The date and time that the user created this service account or imported it into the configuration. Click the date and time link to view the change history of this resource. See View Change History page.
    References
    The number of objects that this service account references. If such references exist, click the numeric link to view a list of the objects. See Viewing References to Resources.
    Referenced by
    The number of objects that reference this service account. If such references exist, click the numeric link to view a list of the objects. For example, if you selected this service account as the JMS service account in a proxy service with a JMS transport protocol, the proxy service is listed as a reference when you click the link. See Viewing References to Resources.
    Description
    A description of this service account, if one exists.

  4. To make a change to the fields, click Edit. See Adding Service Accounts for descriptions of the fields.

    5. You cannot change the Resource Name field.

  5. Click Save to commit the updates in the current session.
  6. To end the session and deploy the configuration to the run time, click Activate under Change Center.
Note: If the service account that you modified is used to authenticate with a WebLogic JMS server, the JMS server might not recognize your modification for up to 60 seconds. By default, WebLogic Server JMS checks permissions for each destination every 60 seconds. To change this behavior, modify the WebLogic Server startup command so that it sets the following system property to the frequency (in seconds) that you want WebLogic Server JMS to check permissions: weblogic.jms.securityCheckInterval
A value of 0 (zero) for this property ensures that a permissions check is performed for every send, receive, and getEnumeration action on a JMS resource.

Related Topics

See Ensuring the Security of Your Production Environment in Securing a Production Environment, which is available at the following URL: http://download.oracle.com/docs/cd/E12840_01/wls/docs103/lockdown/practices.html

Deleting Service Accounts

When you delete a service account, the user name, password, or local-user to remote-user mapping data that the service account contains is also deleted.

  1. If you have not already done so, click Create to create a new session or click Edit to enter an existing session. See Using the Change Center.
  2. If any business service or proxy service is configured to use the service account, remove the service account from the business service or proxy service.

    3. See Editing Business Service Configurations or Editing Proxy Service Configurations.

  3. Select Resource Browser > Service Accounts to display the Summary of Service Accounts page.
  4. Click the Delete icon in the Options field of the service account you want to delete.

    5. The service account is deleted in the current session. If a business service or proxy service has been configured to use a service account, a Deletion Warning icon indicates that you can delete the service account with a warning confirmation. This might result in conflicts due to unresolved references from the service to the deleted service account.

  5. To end the session and deploy the configuration to the run time, click Activate under Change Center.

  Back to Top       Previous  Next