ERP的安全设计：Oracle Fusion Applications的安全架构

免责声明：
本文意在从总体上大致了解Oracle Fusion Applications 产品，不承担产品发布，代码，功能等相关义务，如需购买或了解产品准确features及开发，发布计划，请参见Oracle官方声明。文章内容是从Oracle官方网站对外发布的学习资料及白皮书中转载翻译而来。如有不同之处以Oracle官方文档为准。

Oracle Fusion Applications是Oracle的下一代ERP(Enterprise Resource Planning)应用程序，包含Financial Management;Human Capital Management;Customer Relationship Management;Supply Chain Management;Project Portfolio Management; Procurment;Governance,Risk and Compliance等，独立开发并整合了Oracle E-Business Suite,Oracle PeopleSoft,Oracle Siebel,Oracle JD Edwards的优点。Fusion Apps运行于Fusion Middleware之上，基于SOA，并且使用了：ADF,BI,content management,enterprise performance management,process management,security and identity management等。

Fusion Applications的安全组件

Component

Does what?

Oracle HTTP Server (OHS)	Takes all incoming HTTP requests
Oracle Access Manager (OAM)	Performs single sign on (SSO)
Web Gate (OAM component)	Intercepts requests and checks for user credentials
Web Pass (OAM Web server plug-in)	Passes information between the web server and OAM's Identity Server
OAM Policy Manager	Supports managing SSO, and URL-based authentication and authorization policies
Oracle Identity Management (OIM)	Handles user provisioning
Oracle Web Services Manager (OWSM)	Provides infrastructure for Service Oriented Architecture (SOA) and web services security
OWSM Agent	Enforces SOA and web services security
OWSM Policy Manager	Supports setting up policy configuration for SOA and web services security
Oracle Platform Security Services (OPSS)	Provides framework to manage policies, identity, and audit services across the enterprise
Oracle Virtual Directory (OVD)	Virtualizes data sources in LDAP
Identity Governance Framework (IGF)	Manipulates users, groups, and policies in LDAP
Authorization Policy Management (APM)	Supports managing authorization policies
Enterprise Manager (EM)	Supports managing deployed components, services, and applications
Oracle Virtual Private Database (VPD)	Protects personally identifiable (PII) attributes in the database from unauthorized access by privileged users such as DBAs

Oracle Fusion Applications安全逻辑视图

Orcle Fusion Applications的安全和身份管理是基于Service-Oriented Security（SOS）框架。见图1。

[Figure1]Service-Oriented Security

SOS提供了一系列的安全服务供所有Oracle Fusion Middleware组件和Oracle Fusion Applications使用。SOS是采用SOA技术，且built upon Oracle Platform Security Services（OPSS）。见图2。

[Figure2]Oracle Platform Security Services(OPSS)in Context

OPSS是Oracle JDeveloper中的一套安全开发框架，提供了一套标准的，统一的，身份管理，审计服务的API将开发者从复杂的安全设计解放出来。 它可以部署在Weblogic Server上，包含Oracle WebLogic Server的内部安全服务，Oracle Fusion Middleware's security framework（或者称为Java Platform Security即JPS或 JAZN），Oracle Security Developer Tools（OSDT）等。OPSS 使用OSDT进行SSL配置和Oracle Wallet（OIM，Oracle Enterprise Manager， Oracle Database会使用）。OPSS也可以和其他安全组件整合，如LDAP。

OPSS的功能层包括：见图3。
1）认证Authentication
2）Identity Assertion
3）Single Sign-on(SS0)：有两种实现方式，一种是基于OAM实现的企业级SSO解决方案，另外一种是基于SAML的解决方案（使用Weblogic server的SAML Credential Mapping Provider）。
4）User and role
5）Role mapping
6）Security stores：包含Identity Store（users and groups）和Credential Store。Security store通过Oracle Virtual Directory （OVD）来进行管理。
7）Audit
8）Application life cycle support

[Figure3]Oracle Platform Security Services Architecture

APM(Authorization Policy Manager)/OES(Oracle Entitlement Server)
APM是一个管理基于OPSS的授权policies的图形用户工具。它管理global和application-specific artifacts。Global artificats包含users,external roles,system policies；Application-specific artifacts包含resource catalog,application policies,application roles,role categories。
APM中的一些基本概念：
External Role是存储在Identity Store LDAP中的信息；Application Role是存储在Policy Store中的。Application Policy是一组权利entitlement和授权给principal（例如Application Role,External Role）资源许可（resource permission）。System Policy是global policy将application访问权限授权给OPSS的API。Role Mapping是通过将application roles映射给external roles,从而使具备该external role（使用OIM创建）的uers可以访问受限访问的application resource。


参考：
【1】3 Security Infrastructure
http://www.orastudy.com/oradoc/selfstu/fusion/doc.1111/e16689/F323386.htm
【2】Oracle Fusion Applications Security Leveraging Oracle Identity Management. An Oracle White Paper September 2010
http://www.oracle.com/us/products/middleware/identity-management/fusion-apps-security-wp-176635.pdf