Cloud Security: Seamless Federated SSO for PaaS and Fusion-based SaaS

Introduction Oracle Fusion-based SaaS Cloud environments can be extended in many ways. While customization is the standard activity to setup a SaaS environment for your business needs, chances are that you want to extend your SaaS for more sophisticated use cases. In general this is not a problem and Oracle Cloud offers a great number […]

Cloud Security: Using Fusion Application Web Services with Message Protection

Introduction Oracle Fusion Applications offers a number of WebServices to allow other applications to incorporate the Fusion Applications functionality. To prevent data leakage, these WebServices follow a common security pattern that requires access authentication and message protection using message signing and/or message encryption. To use such a WebService, the WSDL of each service provides all […]

Transport Level Security (TLS) and Java

Know Which Versions of TLS are Supported in Recent Java Versions In the twenty-plus years of the Internet’s interaction with the Secure Sockets Layer (SSL) and Transport Level Security (TLS) protocols, there have been some rough patches.  Over the years, various vulnerabilities, some of them exposed in a laboratory setting and others discovered and exploited […]

Cloud Security: Federated SSO for Fusion-based SaaS

Introduction To get you easily started with Oracle Cloud offerings, they come with their own user management. You can create users, assign roles, change passwords, etc. However, real world enterprises already have existing Identity Management solutions and want to avoid to maintain the same information in many places. To avoid duplicate identities and the related […]

Simplified Role Hierarchy in R10

Introduction Our teammate Jack Desai published an article last year about Fusion Application Roles Concept. It gives you a great overview about the design to grant access to certain functionalities to specific users. His article familiarizes you with the concepts of Abstract Roles, Duty Roles, Job Roles or Data Roles and how they are used in […]

Fusion Apps P2T Identity Synchronization Flow

Introduction: In this blog we will take a closer look at Fusion Apps (FA) P2T tool identity synchronization between source and target systems and internally within FA. Understanding the logic around the synchronization can be helpful for a successful completion of the P2T tool. Also, we will further discuss this logic with an exercise of […]

Fusion Applications User, Role Identity Flow and Initial Bulk Load

Introduction As customers work towards implementing Fusion Applications (FA) in their enterprise and prepare for go-live, the enterprise user and role identity data from various HR applications needs to be migrated to FA, so that the users can become part of FA system and be able to use the application. There are a number of […]

Mass Reset Password-part1 OID

Introduction One of the great features that customers need to be aware of and it could be used, as post-process, on many different situations such as: P2T, T2P and clone is the ability to reset multiple passwords simultaneously. Imagine the customer is scaling out their environment because they need an additional UAT environment. This customer […]

Prepare Your Fusion Applications for Security Audits – Part 1

Introduction In an enterprise environment it is very common that regulations require regular security audits of the computer systems. The company’s security officer is responsible for facilitating these and may request many reports from the administrators of the respective systems. Very often these reports include user activities for log in, log out, entering wrong passwords, […]

Extending the Oracle Sales Cloud with SOA Suite

Introduction The Oracle Sales Cloud provides an extensive set of features for extending the user interface, the underlying data model, and allows the use of Groovy scripts to extend or adjust the default business logic. If customers have requirements that go beyond these capabilities, Java Cloud Service is a viable option to build new user […]

Disabling Change Password and Forgot Password functionality in FA-IDM

Introduction Oracle Fusion Applications (FA) uses Oracle Identity Management (IDM) capabilities to implement the “change password” and “forgot password” functions. These functions, in turn, are enabled using capabilities provided by Oracle Access Management (OAM) and Oracle Identity Management (OIM). Frequently, in development and test environments, for the sake of convenience, the change password and forgot […]

Introduction to Fusion Applications Roles Concepts

Introduction   Fusion Applications Security is designed based on Role-Based Access Control (RBAC). It is an approach to restricting access to authorized users. In general, RBAC is defined based on the primary rules as per this wiki page. RBAC normalizes access to functions and data through user roles rather than only users. User access is based on […]

IDM FA Integration flows

Introduction One of the key aspects of Fusion Applications operations is the Users and Roles management. Fusion Applications uses the Oracle Identity management for its Identity store and policy store by default.This article explains how user and roles flows work from different poin of views, using ‘key’ IDM products for each flow in detail. With […]

Improve SSL Support for Your WebLogic Domains

Introduction Every WebLogic Server installation comes with SSL support. But for some reason many installations get this interesting error message at startup: Ignoring the trusted CA certificate “CN=Entrust Root Certification Authority – G2,OU=(c) 2009 Entrust, Inc. – for authorized use only,OU=See,O=Entrust, Inc.,C=US”. The loading of the trusted certificate list raised a certificate parsing exception […]

Using soapUI for secure, asynchronous web service invocations in Fusion Applications   

Using secure, asynchronous web services Fusion Applications exposes across all of its product families numerous web services that allows for querying, creating and updating of business objects. In this blog we will show how to leverage these services in a secure, asynchronous fashion from a web service client tool such as soapUI. While invoking services […]

Validating the Fusion Applications Security Components During Installations and Upgrades

Introduction   When installing or upgrading Fusion Applications, it is necessary to validate the security components to ensure that they are functioning correctly. This article provides a list of tasks that can be performed to accomplish this. The order of tasks below follow the dependency that the components have on each other so that if […]

Adding Oracle Identity Federation to an Existing Fusion Applications Deployment Part 1

Introduction This guide is meant for existing FA customers who have deployed FA without OIF and who now wish to add this security component to the deployment to provide federated SSO to FA. Customers who have not yet begun their deployment can and should follow the Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity […]

Adding Oracle Identity Federation to an Existing Fusion Applications Deployment Part 2

Introduction This is the second part of a two-part article. Click here to view Part 1. This guide is meant for existing FA customers who have deployed FA without OIF and who now wish to add this security component to the deployment to provide federated SSO to FA. Customers who have not yet begun their deployment […]

OAM and OIM Config changes for Split Profile ( Split Profile Configuration -Part 2)

In my previous post i have discussed split profile set up scenario with AD and OID in Fusion Applications IDM Environment and how to create Adapters in OVD  for consolidating the two directory servers AD and OID.Adapters configuration alone is not…

Expiration Checklist for Fusion Applications

Two main things when expired will significantly affect the operations of Fusion Applications. These are database passwords and certificates. As such these expiration dates need to be checked and maintained properly.

Check for expiring database account passwords

Fusion Applications have many schema users in the Fusion Application database.  Many of these schema users by default have no expiry date, however some do.  You can check the expiration date for these passwords using sqlplus and connecting to the FA database as sys.  Use the following command to check the expiry_date:
select username, account_status, expiry_date, sysdate from dba_users where expiry_date is not null;
TODO:  Keep track of when database accounts will expire.  When the database accounts will soon expire, update the accounts and reset the expiry_date according to your established corporate security policy requirements.  Note: You can reuse the existing password when resetting these schema accounts.

Check for expiring certificates

Fusion Application will fail when certificates expire.  It’s important to check all certificate stores (JKS for WebLogic and PKCS#12 for OHS) for expiring keys and certificates so that they can be renewed in a controlled and timely manner.


For Fusion JKS Certificates Stores

You should maintain a list of all certificate stores so that they can be located easily.  
The fusion jks stores are fusion_trust.jksand <hostname>_fusion_identity.jks in APPLICATIONS_BASE/fusionapps/wlserver_10.3/server/lib
For each JKS store, use keytool to examine the contents, noting the expiration date for each key and certificate:
$JAVA_HOME/bin/keytool -list -v -keystore <keystore filename>


Note:  fusion_trust.jks contains the keys and certificates in each of the <hostname>_fusion_identity.jks.  When replacing the key and certificates, you must replace each <hostname>_fusion_identity.jks and fusion_trust.jks separately.

For Webgate Certificate

You should note down the expiration date of the webgate certificate and replace them as appropriate.  The webgate certificate is in APPLICATIONS_CONFIG/CommonDomain_webtier/config/OHS/ohs1/webgate/config/simple. To check the certificate expiration date, use keytool to examine the contents:

$JAVA_HOME/bin/keytool -printcert -v -file aaa_cert.pem



For PKCS#12 Certificates Stores

The location of the certificate stores used by FA OHS instances can be found in the OHS configuration files. The following example shows how to determine this:
cd APPLICATIONS_CONFIG/CommonDomain_webtier/config/OHS/ohs1


cat *.conf ./moduleconf/*.conf | grep SSLWallet filename
Each of these should be opened with the orapki utility to examine the content and verify the certificate expiration. The orapki utility is described in detail here: