Oracle Java Cloud Service is a complete platform and infrastructure cloud solution for building,
deploying, and managing Java EE applications. You get the industry’s best application server running
on top of an enterprise-grade cloud infrastructure. The platform is powered by Oracle WebLogic
Server, the number one application server across conventional and cloud environments. You also
have the option of adding an Oracle Coherence caching and data grid tier to your deployment.
Your environment is preinstalled and preconfigured using Oracle best practices for application
deployment that maximize performance, scalability, and reliability. The infrastructure has the same
core security capabilities as those offered by Oracle Cloud Infrastructure as a Service. With features
like elastic compute and storage, you can run any workload in Oracle Java Cloud Service and grow
your environment when your application needs to grow.
You secure all applications deployed to an Oracle Java Cloud Service instance the same way you
secure an application environment and administer security for Oracle WebLogic Server in an on
premises instance. The default security configuration makes use of users, groups, security roles, and security policies that
are configured in the default authentication, authorization, credential mapping, and role mapping
security providers. By default, the WebLogic Server security providers are configured in the default
security realm, and the WebLogic Server embedded LDAP server is used as the data store for the
security providers.
To use the default security configuration in your Oracle Java Cloud Service instance, use the
WebLogic Server Administration Console to define users, groups, and security roles for the security
realm, and create security policies to protect the WebLogic Server resources in the domain.
If the default security configuration doesn’t meet your requirements, then you can create a new
security realm with any combination of WebLogic Server and custom security providers. Then, you set
the new security realm as the default security realm. Oracle recommends that you use an identity
management system such as Oracle Identity Management for your production applications instead of
the embedded LDAP server.
Users and Roles
Oracle Java Cloud Service uses roles to control access to tasks and resources. When the Oracle Java
Cloud Service account is set up, the service administrator is given the Java administrator role and
other service roles that are required to work with related Oracle Cloud services. Before anyone can
access and use Oracle Java Cloud Service, user accounts with the Java administrator role and other
service roles, as needed, must be created. Only the identity domain administrator can create user
accounts and assign roles.
The users with the Java administrator role can perform many operations on the service instance such
as create, delete, start, stop, scale, patch, back up, and restore. These users can also administer load
balancers for service instances as well as monitor and manage the service usage in Oracle Cloud.
When Oracle Coherence is enabled for a service instance, the Java administrator can remove an
Oracle Coherence data tier from a service instance (REST API only) and add an Oracle Coherence
data tier to an existing service instance (REST API only).
When you create an Oracle Java Cloud Service instance, the following Oracle Cloud Infrastructure
Compute Classic VM and Oracle WebLogic Server administrative user accounts are created:
35 ORACLE INFRASTRUCTURE AND PLATFORM CLOUD SERVICES SECURITY WHITE PAPER » The VM operating system user, opc, has root privileges on the operating system running on
a VM. The user can connect to a VM through SSH for direct VM-level access to an Oracle
Java Cloud Service instance. The opc user can create other OS accounts on a VM using the
appropriate OS tool through the SSH interface. The oracle user can’t be used to log in to a
machine. This user only has regular user permissions to start and stop Oracle products that
were installed on the machine.
» The WebLogic Server administrator can manage Oracle WebLogic Server in Oracle Java
Cloud Service, and can access and use the WebLogic Server Administration Console. The
WebLogic administrator can also manage users and groups in the embedded LDAP as well
as configure other identity providers.
Note that the WebLogic Sever administrator account and VM OS user accounts aren’t stored or
managed in Oracle Cloud. You provide the user name and password for the WebLogic Server
administrator when you create an Oracle Java Cloud Service instance. The credentials and
permissions for the WebLogic Server administrator and all user accounts that the administrator creates
are stored and managed in Oracle WebLogic Server. See the online WebLogic Server security
documents for details about securing your Oracle Java Cloud instances using the WebLogic Server
security capabilities.