Using the AquaLogic Service Bus Console


Service Accounts

This section includes the following topics:

Overview of Service Accounts

A service account provides a user name and password that proxy services and business services use for outbound authentication or authentication to a local or remote resource, such as an FTP server or a JMS server. For example, if a business service is required to supply a user name and password for transport-level authentication with a Web Service, you create a service account that specifies the user name and password, then you configure the business service to include the service-account credentials in its outbound requests.

Note: The user names and passwords that you enter in service accounts are used for outbound authentication or for providing credentials to local or remote resources. The user names and passwords that you enter in the Security Configuration module of the AquaLogic Service Bus Console are used for inbound authentication and for authenticating administrative requests.

You can use the same service account for multiple business services and proxy services.

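To specify the user name and password that a service account provides, you can use any of the following techniques:

  • Pass Through: the service account provides the user names and passwords that it receives from incoming client requests.
  • Static: the service account provides a user name and password that you save with the service account configuration.
  • Mapping: the service account maps the user name from one or more authenticated clients to user names and passwords that you specify.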

Note: If your proxy is an active WSS intermediary, you can use WS-Security to encrypt a WS-Security Username Token or custom username/password. In this instance, username/password pass-through works because the proxy will first decrypt the request and will then have access to the clear-text username/password.

Service Account Data and Sessions

Service accounts and their data participate fully in AquaLogic Service Bus sessions: you must be in a session to create or modify a service account, and if you discard the session, the service account and its data are also discarded. When you activate a session, AquaLogic Service Bus saves the user name, password, and other service account data in the username/password credential mapping provider that is configured for the domain.

The following table lists the Service Account pages that you can access from the Resource Browser and Project Explorer modules. The tasks and help topics associated with each are provided.

| Page | Associated Tasks | Help Topics |
|---|---|---|
| Summary of Service Accounts | View a list of service accounts; Filter the list; Delete a service account | |
| Create a New Service Account | Add a service account | |
| Service Account Details | View details of a specific service account; Update details of a specific service account | |

Listing and Locating Service Accounts

The Summary of Service Accounts page allows you to view a list of service accounts. A service account provides a user name and password that business services and proxy services use for outbound authentication. To learn more, see Overview of Service Accounts.

To List and Locate Service Accounts
  1. In the left navigation pane, select Resource Browser.
  2. In the left navigation pane, under Security, select Service Accounts.
  3. The Summary of Service Accounts displays the following information for each service account:

    | Property | Description |
    |---|---|
    | Service Account Name | A unique name for the service account. Click on the name to see the Service Account Details page. To learn more, see Viewing and Changing Service Account Details. |
    | Path | The project name and the name of the folder in which the service account resides. Click on the name to see the project or folder that contains this resource. To learn more, see Viewing Project Details or Viewing Folder Details. |
    | Options | Contains a Delete icon. If a business service or proxy service has been configured to use the service account, contains a Delete icon with a red X to indicate that you cannot delete the service account. To learn more, see Deleting a Service Account. |

  4. To search for a service account, enter part or all of the account name in the Name field. You can also enter part or all of the account’s project name and folder in the Path fields. Then click Search.
  5. To clear the search results and display all service accounts, click View All.

Related Topics

Adding a Service Account

Adding a Service Account

The Create a New Service Account page allows you to add a new service account. A service account provides a user name and password that business services and proxy services use for outbound authentication. To learn more, see Overview of Service Accounts.

To Add a Service Account
  1. If you have not already done so, in the Change Center click Create to create a new session or click Edit to enter an existing session. To learn more, see Using the Change Center.
  2. In the left navigation pane, select Project Explorer. The Project View page is displayed.
  3. Select the project to which you want to add the service account. You can add a service account directly to the project, or you can add it to a selected folder that resides in the project.
     Note: Click the name of a folder to select it. The Folder View page is displayed.
  4. From the Project View or Folder View page, in the Create Resource field, select Service Account. The Create a New Service Account page is displayed.
  5. In the Resource Name field, enter a unique name for this service account.
  6. (Optional) In the Resource Description field, enter a description for the service account.
  7. Under Resource Type, do one of the following:
    • To create a service account that provides the user names and passwords that it receives from incoming client requests, click the Pass Through radio button.
    • To create a service account that provides a user name and password that you save with the service account configuration, click the Static radio button.
    • To create a service account that maps the user name from one or more authenticated clients to user names and passwords that you specify, click the Mapping radio button.
  8. Do one of the following depending on the radio button that you selected:

    If you selected Pass Through:
    1. Click Finish.

    If you selected Static:
    1. Click Next.
    2. Enter the user name and password in the User Name, Password, and Confirm Password fields.
    3. Click Finish.

    If you selected Mapping:
    To create a service account that maps the user name from one or more clients to user names and passwords that you specify, do the following:
    1. Click Next.
    2. In the Enter Authorized Remote User table, do the following:
      1. In the Remote User Name, Password, and Confirm Password fields, enter the user name and password that you want to send in outbound requests.
      2. Click the Add button. The user mapping is added to the Remote Users table.
      3. (Optional) Add additional remote users in the Enter Authorized Remote User table.
    3. Click the Next button.
    4. To map authorized clients to remote user names and passwords, do the following in the Enter Authorized Local User table:
      1. In the Local User Name field, enter the name that identifies a client that has been authenticated on its inbound request.
         If you have not already added this user in the Security Configuration module of the AquaLogic Service Bus Console, do so before you use this mapping in a runtime environment. See Adding a User. AquaLogic Service Bus allows you to create a mapping for a non-existent local user, but the mapping will never match an authenticated user and will never be used.
      2. From the Remote User Name list, select the user name that you want to send in outbound requests for the authenticated user you specified in the Local User Name field.
      3. Click Add.
    5. To map anonymous clients to remote user names, do the following:
      1. Select the Map Anonymous Requests check box.
      2. From the Select Remote User list, select the user name that you want to send in outbound requests for all anonymous users.
    6. Click Finish.
  9. Do one of the following:
    • To save the service account, click Save. The service account is created and the Project View or Folder View displays the new service account.
    • To disregard changes, click Cancel.

Note: The new service account is saved in the current session. When you have finished making changes to this configuration, in the left navigation pane, click Activate under Change Center. The session ends and the configuration is deployed to run time. Alternatively, click Discard at any time during the session to discard the changes you have made so far in the current session.
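
The Mapping resource type described above can be reviewed before a session is activated. The following sketch is an added example, not AquaLogic Service Bus code: `MappingAccount`, `outbound_credential` and `audit` are hypothetical names, the sample users and passwords are constructed placeholders, and it assumes that an authenticated user without a mapping receives no outbound credential.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Cred = Tuple[str, str]  # (user name, password)

@dataclass
class MappingAccount:
    """Hypothetical model of a Mapping service account (not an ALSB API)."""
    remote_users: Dict[str, str]            # Remote Users table: name -> password
    local_to_remote: Dict[str, str]         # Local User Name -> Remote User Name
    anonymous_remote: Optional[str] = None  # set when Map Anonymous Requests is checked

def outbound_credential(acct: MappingAccount, local_user: Optional[str]) -> Optional[Cred]:
    """Credential sent outbound for a client; local_user=None means anonymous."""
    if local_user is None:
        remote = acct.anonymous_remote
    else:
        # Assumption: an unmapped authenticated user does not fall back to
        # the anonymous mapping; the page does not describe this case.
        remote = acct.local_to_remote.get(local_user)
    if remote is None or remote not in acct.remote_users:
        return None
    return (remote, acct.remote_users[remote])

def audit(acct: MappingAccount, realm_users: Set[str]) -> List[str]:
    """Flag mappings worth a second look before the session is activated."""
    findings = []
    for local in sorted(acct.local_to_remote):
        if local not in realm_users:
            # Such a mapping is accepted by the console but never matches.
            findings.append(f"dead mapping: local user '{local}' is not defined")
    used = set(acct.local_to_remote.values()) | {acct.anonymous_remote}
    for remote in sorted(set(acct.remote_users) - used):
        findings.append(f"unused remote user '{remote}' still stores a password")
    if acct.anonymous_remote is not None:
        findings.append(f"anonymous requests are sent as '{acct.anonymous_remote}'")
    return findings

# Constructed sample data; names and passwords are placeholders.
ACCOUNT = MappingAccount(
    remote_users={"ftp_ro": "placeholder-1", "ftp_rw": "placeholder-2", "old_svc": "placeholder-3"},
    local_to_remote={"alice": "ftp_rw", "bob": "ftp_ro", "carol_typo": "ftp_rw"},
    anonymous_remote="ftp_ro",
)
REALM_USERS = {"alice", "bob", "carol"}  # users defined in Security Configuration

if __name__ == "__main__":
    for who in ("alice", "dave", None):
        print(who, "->", outbound_credential(ACCOUNT, who))
    print("\n".join(audit(ACCOUNT, REALM_USERS)))
```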

Related Topics

Listing and Locating Service Accounts

Viewing and Changing Service Account Details

Deleting a Service Account

Viewing and Changing Service Account Details

The Service Account Details page allows you to view and change details of a specific service account. A service account provides a user name and password that business services and proxy services use for outbound authentication. To learn more, see Overview of Service Accounts.

To View and Change Service Account Details
  1. Locate the service account. To learn more, see Listing and Locating Service Accounts.
  2. Click the service account name. The Service Account Details page displays the following information:
    | Property | Description |
    |---|---|
    | Resource Name | The name of this service account. |
    | Last Modified By | The user who created this service account or imported it into the configuration. |
    | Last Modified On | The date and time that the user created this service account or imported it into the configuration. |
    | References | The number of objects that this service account references. If such references exist, click the link to view a list of the objects. To learn more, see Viewing References. |
    | Referenced by | The number of objects that reference this service account. If such references exist, click the link to view a list of the objects. For example, if you selected this service account as the JMS service account in a proxy service with a JMS transport protocol, the proxy service is listed as a reference when you click the link. To learn more, see Viewing References. |
    | Description | A description of this service account, if one exists. |
  3. If you have not already done so, in the Change Center click Create to create a new session or click Edit to enter an existing session. To learn more, see Using the Change Center.
  4. To make a change to the fields, click Edit. See Adding a Service Account for a description of the fields.
     Note: You cannot change the Resource Name field.
  5. Do one of the following:
    • To update the service account, click Save. The service account is updated and the Summary of Service Accounts page is displayed.
    • To disregard changes, click Cancel.

The updated service account is saved in the current session. When you have finished making changes to this configuration, in the left navigation pane, click Activate under Change Center. The session ends and the configuration is deployed to the run time. Alternatively, click Discard at any time during the session to discard the changes you have made so far in the current session.

Caution: If the service account that you modified is used to authenticate with a WebLogic JMS server, the JMS server might not recognize your modification for up to 60 seconds. By default, WebLogic Server JMS checks permissions for each destination every 60 seconds. To change this behavior, modify the WebLogic Server startup command so that it sets the following system property to the frequency (in seconds) that you want WebLogic Server JMS to check permissions:
weblogic.jms.securityCheckInterval
A value of 0 (zero) for this property ensures that a permissions check is performed for every send, receive, and getEnumeration action on a JMS resource.

Related Topics

Deleting a Service Account

Ensuring the Security of Your Production Environment in Securing a Production Environment, which is available at the following URL:

http://download.oracle.com/docs/cd/E13222_01/wls/docs92/lockdown/practices.html

Deleting a Service Account

The Summary of Service Accounts page allows you to delete service accounts. A service account provides a user name and password that business services and proxy services use for outbound authentication. To learn more, see Overview of Service Accounts.

When you delete a service account, the user name, password, or local-user to remote-user mapping data that the service account contains is also deleted.

To Delete a Service Account
  1. If you have not already done so, in the Change Center click Create to create a new session or click Edit to enter an existing session. To learn more, see Using the Change Center.
  2. If any business service or proxy service is configured to use the service account, remove the service account from the business service or proxy service. You cannot delete a service account that is used by a business service or proxy service.
     See Viewing and Changing Business Services or Viewing and Changing Proxy Services.
  3. In the left navigation pane, select Service Accounts from under Resource Browser. The Summary of Service Accounts page is displayed.
  4. In the Options field of the service account you want to delete, click the Delete icon. The service account is removed from the list.
     Note: If necessary, you can undo the deletion of this resource. To learn more, see Undoing a Task.

The service account and its data are deleted in the current session. When you have finished making changes to this configuration, in the left navigation pane, click Activate under Change Center. The session ends and the configuration is deployed. Alternatively, click Discard at any time during the session to discard the changes you have made so far in the current session.

Related Topics

Adding a Service Account

Listing and Locating Service Accounts

Viewing and Changing Service Account Details

