This section covers tasks that you must perform after installing and completing the post-installation tasks for the WebLogic Server 8.1 Security Service Module. Note that the WebLogic Server 9.x Security Service Module uses a different security framework from the one used in the WLS 8.1 SSM and therefore has different configuration procedures. See Configuring the WebLogic Server 9.x SSM for more information.
The following topics are covered in this section:
For the purposes of the example presented here, this document assumes that the WebLogic Server domain is in the following location:
BEA_HOME/user_projects/domains/mydomain
However, your domain can be in any location you desire. If you want to create a domain, you can use the WebLogic Server Configuration Wizard or create it manually. The domain includes a startWebLogic file, which you are instructed to modify in Modifying the startWebLogic File.
The WebLogic startup script does the following:
Before you can start a WebLogic Server that uses BEA AquaLogic Enterprise Security, you must edit the startWebLogic file that is located in the WebLogic Server domain directory. For example:
BEA_HOME/user_projects/domains/mydomain
See Listing 7-1 for an example of a modified startWebLogic file. To edit the startWebLogic file, do the following:
1. Before CLASSPATH is set, add a call to the set-wls-env script file in the bin directory for your instance. The set-wls-env script sets environment variables that are used in the next steps: WLES_PRE_CLASSPATH, WLES_POST_CLASSPATH and WLES_JAVA_OPTIONS. For example:
   BEA_HOME/ales22-ssm/wls-ssm/instance/wls-ssm/bin
   where:
   ales22-ssm is the directory where you installed the Security Service Module.
   instance is the directory where all instances are stored.
   wls-ssm is the name of the Security Service Module instance you created earlier.
   For example, if you created an instance called myInstance, the call looks like this:
   Windows: call "C:\bea\ales22-ssm\wls-ssm\instance\myInstance\bin\set-wls-env.bat"
   UNIX: . "/bea/ales22-ssm/wls-ssm/instance/myInstance/bin/set-wls-env.sh"
2. Add the following variables to CLASSPATH (in Listing 7-1, WLES_PRE_CLASSPATH is the first entry on the path and WLES_POST_CLASSPATH the last):
   Windows: %WLES_PRE_CLASSPATH% and %WLES_POST_CLASSPATH%
   UNIX: ${WLES_PRE_CLASSPATH} and ${WLES_POST_CLASSPATH}
3. Enclose %JAVA_HOME%\bin\java in quotation marks in the weblogic.Server command: "%JAVA_HOME%\bin\java"
4. Add the following variable to the java command that starts WebLogic Server with the weblogic.Server class:
   Windows: %WLES_JAVA_OPTIONS%
   UNIX: ${WLES_JAVA_OPTIONS}
Listing 7-1 Modified startWebLogic.cmd File (excerpt)
...
set SERVER_NAME=myserver
call "C:\BEA_HOME\ales22-ssm\wls-ssm\instance\myInstance\bin\set-wls-env.bat"
set CLASSPATH=%WLES_PRE_CLASSPATH%;%WEBLOGIC_CLASSPATH%;%POINTBASE_CLASSPATH%;%JAVA_HOME%\jre\lib\rt.jar;%WL_HOME%\server\lib\webservices.jar;%CLASSPATH%;%WLES_POST_CLASSPATH%
@REM Call WebLogic Server
echo .
echo CLASSPATH=%CLASSPATH%
echo .
echo PATH=%PATH%
echo .
echo ***************************************************
echo * To start WebLogic Server, use a username and *
echo * password assigned to an admin-level user. For *
echo * server administration, use the WebLogic Server *
echo * console at http:\\[hostname]:[port]\console *
echo ***************************************************
"%JAVA_HOME%\bin\java" %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% %WLES_JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Dweblogic.ProductionModeEnabled=%PRODUCTION_MODE% -Djava.security.policy="%WL_HOME%\server\lib\weblogic.policy" weblogic.Server
ENDLOCAL
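The ordering of the edits above matters: the set-wls-env call has to run before CLASSPATH is built, the ALES entries have to bracket the WebLogic entries, and the ALES Java options have to reach the JVM that loads weblogic.Server. The following script is an added example, not BEA's tooling; it audits a startWebLogic script for exactly those properties. The two sample scripts embedded in it are constructed for the example (the instance path is the page's myInstance example), and the checks are text-level heuristics, not a shell parser.

```python
"""Audit a modified startWebLogic script for the edits described above.

Added example (not BEA's own tooling). It checks that the set-wls-env call
comes before CLASSPATH is set, that WLES_PRE_CLASSPATH is first and
WLES_POST_CLASSPATH last on the CLASSPATH line, that the java executable
path is quoted, and that WLES_JAVA_OPTIONS is on the weblogic.Server line.
"""
import re

# Constructed sample of a UNIX startWebLogic.sh after the edits.
GOOD_SCRIPT = """\
SERVER_NAME=myserver
. "/bea/ales22-ssm/wls-ssm/instance/myInstance/bin/set-wls-env.sh"
CLASSPATH="${WLES_PRE_CLASSPATH}:${WEBLOGIC_CLASSPATH}:${POINTBASE_CLASSPATH}:${JAVA_HOME}/jre/lib/rt.jar:${WL_HOME}/server/lib/webservices.jar:${CLASSPATH}:${WLES_POST_CLASSPATH}"
export CLASSPATH
"${JAVA_HOME}/bin/java" ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} ${WLES_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} -Dweblogic.ProductionModeEnabled=${PRODUCTION_MODE} -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" weblogic.Server
"""

# Constructed sample that still has the stock, unmodified layout.
BAD_SCRIPT = """\
SERVER_NAME=myserver
CLASSPATH="${WEBLOGIC_CLASSPATH}:${POINTBASE_CLASSPATH}:${JAVA_HOME}/jre/lib/rt.jar:${CLASSPATH}"
export CLASSPATH
${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} weblogic.Server
"""


def _strip_var(token):
    """Normalise ${NAME}, $NAME and %NAME% to NAME."""
    return token.strip().strip('"').strip("${}%")


def audit_start_script(text):
    """Return a list of problems; an empty list means every required edit is present."""
    problems = []
    lines = text.splitlines()
    env_idx = next((i for i, l in enumerate(lines) if "set-wls-env" in l), None)
    cp_idx = next((i for i, l in enumerate(lines)
                   if re.match(r"\s*(set\s+)?CLASSPATH=", l)), None)
    java_idx = next((i for i, l in enumerate(lines)
                     if "weblogic.Server" in l and "bin" in l), None)

    if env_idx is None:
        problems.append("no call to the set-wls-env script")
    if cp_idx is None:
        problems.append("no CLASSPATH assignment")
    else:
        if env_idx is not None and env_idx > cp_idx:
            problems.append("set-wls-env is called after CLASSPATH is set")
        value = lines[cp_idx].split("=", 1)[1]
        # Path separators: ':' on UNIX, ';' on Windows; only the ends matter here.
        parts = [_strip_var(p) for p in re.split(r"[:;]", value)]
        if parts[0] != "WLES_PRE_CLASSPATH":
            problems.append("WLES_PRE_CLASSPATH is not first on the CLASSPATH")
        if parts[-1] != "WLES_POST_CLASSPATH":
            problems.append("WLES_POST_CLASSPATH is not last on the CLASSPATH")
    if java_idx is None:
        problems.append("no weblogic.Server launch command")
    else:
        cmd = lines[java_idx]
        if not re.search(r'"[^"]*bin[/\\]java"', cmd):
            problems.append("java executable path is not quoted")
        if "WLES_JAVA_OPTIONS" not in cmd:
            problems.append("WLES_JAVA_OPTIONS missing from the java command")
    return problems


if __name__ == "__main__":
    print("good:", audit_start_script(GOOD_SCRIPT))
    print("bad:", audit_start_script(BAD_SCRIPT))
```

Run it against the real startWebLogic.sh or startWebLogic.cmd by reading the file into audit_start_script; the Windows form (set CLASSPATH=...;...) is handled by the same separator split.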
You can use the security.properties file to set the necessary security properties. To set the security properties, create a security.properties file and put it in the WebLogic Server domain directory; for example:
BEA_HOME/user_projects/domains/mydomain
Include the information shown in Listing 7-2 in the security.properties file, where ConfigurationID is the Configuration ID of the Security Service Module configuration (myrealm in the cluster example later in this section). You may also copy this file from the BEA_HOME/ales22-ssm/wls-ssm/instance/myInstance/config folder.
Note: The security.properties file is not required if you add these parameters to Java Options.
Listing 7-2 security.properties File
wles.realm=ConfigurationID
wles.default.realm=ConfigurationID
After you install the Security Service Module, create the instance, and enroll it, you must start the necessary processes by running the appropriate batch or shell scripts. Before you start these processes, make sure that the Administration Server and all of its services are running.
For each machine, you must start the following processes:
For instructions on how to start and stop the required processes, see Starting and Stopping Processes for Security Service Modules in the Administration and Deployment Guide.
When using the Database Authentication provider, ASI Authorization provider and ASI Role Mapping provider, refer to the following sections for important information:
The WebLogic Server uses the login information contained in the boot.properties file to start the server. This file contains a username and password that must match a username and password in the configured authentication policy. The boot.properties file is located in the WebLogic Server domain directory on the machine on which the Security Service Module is installed, for example:
BEA_HOME/user_projects/domains/mydomain
If you used a username of system and a password of weblogic, then modify WebLogic Server boot.properties in the domain as follows:
user = system
password = weblogic
The next time you start the WebLogic Server, the username and password you specified are encrypted.
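Two domain-directory files carry security-relevant state at this point: security.properties must name the same Configuration ID in both keys, and boot.properties holds the boot credentials in clear text until the first start rewrites them in encrypted form. The following check is an added example, not BEA code. It assumes WebLogic's encrypted-value prefixes ({3DES} on 8.1, {AES} on later releases); the property file contents are constructed for the example, and the encrypted values are placeholders, not real ciphertext.

```python
"""Check the security.properties and boot.properties files described above.

Added example, not BEA's code. Verifies that security.properties sets
wles.realm and wles.default.realm to the same Configuration ID, and flags a
boot.properties whose values are still in clear text. WebLogic rewrites the
values with an encryption prefix on the next start ({3DES} on 8.1, {AES} on
later releases); that prefix format is an assumption of this check.
"""

ENCRYPTED_PREFIXES = ("{3DES}", "{AES}")

# Constructed sample inputs.
SECURITY_PROPERTIES = "wles.realm=myrealm\nwles.default.realm=myrealm\n"
BOOT_BEFORE_FIRST_START = "user = system\npassword = weblogic\n"
BOOT_AFTER_FIRST_START = (
    "user = {3DES}placeholder-ciphertext==\n"
    "password = {3DES}placeholder-ciphertext==\n"
)


def parse_properties(text):
    """Minimal java.util.Properties-style parser: key=value lines, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_security_properties(text):
    """Both realm keys must be present and agree on the Configuration ID."""
    props = parse_properties(text)
    problems = []
    realm = props.get("wles.realm")
    default = props.get("wles.default.realm")
    if not realm:
        problems.append("wles.realm is not set")
    if not default:
        problems.append("wles.default.realm is not set")
    if realm and default and realm != default:
        problems.append("wles.realm and wles.default.realm differ")
    return problems


def check_boot_properties(text):
    """A password must be present and every value must carry an encryption prefix."""
    props = parse_properties(text)
    problems = []
    if "password" not in props:
        problems.append("password is missing")
    for key, value in props.items():
        if not value.startswith(ENCRYPTED_PREFIXES):
            problems.append(f"{key} is stored in clear text")
    return problems


if __name__ == "__main__":
    print(check_security_properties(SECURITY_PROPERTIES))
    print(check_boot_properties(BOOT_BEFORE_FIRST_START))
    print(check_boot_properties(BOOT_AFTER_FIRST_START))
```

Running check_boot_properties over the domain directory after the first start is a quick way to confirm that the clear-text credentials from the step above did not survive, for example when the server failed to start and never rewrote the file.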
Before you can use the ASI Authorization provider with the WebLogic Server, you need to configure a boot policy, and then distribute it to the WebLogic Server Security Service Module. The boot policy allows the user named system to start the WebLogic Server instance. If you need instructions on how to perform any of the following tasks, see the Console Help for details. You may also want to refer to the Policy Managers Guide for information on how the policy language is constructed and how it appears in the console.
To configure and distribute a boot policy, perform the following tasks:
To create the user identity named alesusers, perform these steps:
Create the following resources below the resource called policy for the defined user, alesusers:
To create these resources using the ALES Administration Console:
1. Enter wlsserver, select Binding from the Type drop-down menu, and then click OK.
2. Select wlsserver and click Configure.
3. Under wlsserver, click New, enter shared in the name box, and then click OK.
4. Select shared, click Configure, check Allow Virtual Resources, and then click OK.
5. Under shared, click New, enter svr in the name box, and then click OK.
Create the following authorization policy:
grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;
To create this policy in the ALES Administration Console:
1. Select any in the Select Privileges from Group list box, and then click Add.
2. Expand the wlsserver and shared nodes in the Child Resources list box, select svr, and then click Add.
3. Select Admin from the Roles List list box, click Add, and click OK.
Create the following role mapping policy:
grant(//role/Admin, //app/policy/wlsserver, //user/alesusers/system/) if true;
To create this policy in the ALES Administration Console:
1. Select wlsserver in the Child Resources list box, and click Add.
2. Under alesusers, select system from the list box, click Add, and click OK.
To bind the resource //app/policy/wlsserver to the ASI Authorization provider for this Security Service Module, perform the following steps:
1. For the identity store alesusers, set the Application Directory Parent to //app/policy/wlsserver.
2. Distribute the policies to the WebLogic Server Security Service Module.
For information on how to distribute policies, see the Administration Console help system. Be sure to verify the results of the distribution.
Before you can log in to the WebLogic Server Administration Console, you need to configure a console policy and then distribute it to the WebLogic Server Security Service Module.
To configure and distribute a WebLogic Server Administration Console policy, do the following on the AquaLogic Enterprise Security Administration Console:
Create the following resources:
//app/policy/wlsserver/console
//app/policy/wlsserver/console/url/console/login/bea_logo.gif
The bea_logo.gif resource represents the BEA logo image at the top-right corner of the login page of the Server Administration Console. To create this resource:
1. On //app/policy/wlsserver/console, select Add Resource in the context menu and give the new resource the name url.
2. On //app/policy/wlsserver/console/url, select Add Resource in the context menu and give the new resource the name console.
3. On //app/policy/wlsserver/console/url/console, select Add Resource in the context menu and give the new resource the name login.
4. On //app/policy/wlsserver/console/url/console/login, select Add Resource in the context menu and give the new resource the name bea_logo.gif.
Create the following policy for the console application:
grant(any, //app/policy/wlsserver/console, //role/Admin) if true;
To create this policy in the ALES Administration Console:
1. Select any in the Select Privileges from Group list box, and then click Add.
2. Expand wlsserver in the Child Resources list box, select console, and then click Add.
3. Select Admin from the Roles List list box, click Add, and then click OK.
Create the following policy for the logo image:
grant(//priv/GET, //app/policy/wlsserver/console/url/console/login/bea_logo.gif, //sgrp/alesusers/allusers/) if true;
To create this policy in the ALES Administration Console:
1. Expand wlsserver/console/url/console/login in the Child Resources list box, select bea_logo.gif, and then click Add.
2. Select allusers from the Groups List list box, click Add, and then click OK. Be sure that the selected identity store is alesusers.
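The boot policy and the console policy above are four grant statements that only make sense together: the role mapping policy hands the Admin role to the system user on the wlsserver subtree, the authorization policies then give that role every privilege on svr and on console, and the GET grant to allusers is what lets an unauthenticated browser fetch the logo on the login page. The evaluator below is an added example, not ALES code, and it is a simplified model (an assumption, not the real engine's semantics): policies apply to the named resource and everything under it, the privilege any matches every privilege, and a request on a resource that was never created is accepted only below the node configured with Allow Virtual Resources. Group membership (every user in allusers) and the guest user are constructed for the example; deny rules, constraints and delegation are not modelled.

```python
"""Simplified evaluator for the boot and console policies shown above.

Added example, not ALES code. Modelled semantics (assumptions): a policy on
a resource also covers its descendants; "any" stands for every privilege;
a grant whose first argument is //role/... is a role mapping policy that
hands the role to the subject on that subtree; other grants are
authorization policies for users, groups or roles; a resource that was never
created is valid only below a node with Allow Virtual Resources.
"""
import re

# Policy text exactly as created in the console steps above.
BOOT_POLICY = """
grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;
grant(//role/Admin, //app/policy/wlsserver, //user/alesusers/system/) if true;
"""
CONSOLE_POLICY = """
grant(any, //app/policy/wlsserver/console, //role/Admin) if true;
grant( //priv/GET, //app/policy/wlsserver/console/url/console/login/bea_logo.gif, //sgrp/alesusers/allusers/) if true;
"""
ALL_POLICIES = BOOT_POLICY + CONSOLE_POLICY

# Resources created in the console in this section; only 'shared' was
# configured with Allow Virtual Resources.
DEFINED = {
    "//app/policy/wlsserver",
    "//app/policy/wlsserver/shared",
    "//app/policy/wlsserver/shared/svr",
    "//app/policy/wlsserver/console",
    "//app/policy/wlsserver/console/url",
    "//app/policy/wlsserver/console/url/console",
    "//app/policy/wlsserver/console/url/console/login",
    "//app/policy/wlsserver/console/url/console/login/bea_logo.gif",
}
VIRTUAL = {"//app/policy/wlsserver/shared"}

SYSTEM_USER = "//user/alesusers/system/"
ALLUSERS = {"//sgrp/alesusers/allusers/"}  # assumed: every user is in allusers

GRANT_RE = re.compile(
    r"grant\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*if\s+true\s*;"
)


def parse_grants(text):
    """Return (privilege-or-role, resource, subject) triples from policy text."""
    return [m.groups() for m in GRANT_RE.finditer(text)]


def is_under(node, ancestor):
    """True when node is ancestor itself or lies below it in the resource tree."""
    return node == ancestor or node.startswith(ancestor + "/")


def resource_known(resource):
    """Undefined resources are accepted only below a virtual-resource node."""
    return resource in DEFINED or any(is_under(resource, v) for v in VIRTUAL)


def roles_for(grants, user, resource):
    """Roles handed to the user on this resource by role mapping policies."""
    return {
        target for target, res, subj in grants
        if target.startswith("//role/") and subj == user and is_under(resource, res)
    }


def is_granted(policy_text, user, groups, priv, resource):
    """Decide one access request (user, groups, privilege, resource) against the policy text."""
    if not resource_known(resource):
        return False
    grants = parse_grants(policy_text)
    subjects = {user, *groups, *roles_for(grants, user, resource)}
    for target, res, subj in grants:
        if target.startswith("//role/"):
            continue  # role mapping policy, not an authorization grant
        priv_matches = target == "any" or target == priv
        if priv_matches and subj in subjects and is_under(resource, res):
            return True
    return False


if __name__ == "__main__":
    logo = "//app/policy/wlsserver/console/url/console/login/bea_logo.gif"
    print(is_granted(ALL_POLICIES, SYSTEM_USER, ALLUSERS, "//priv/boot",
                     "//app/policy/wlsserver/shared/svr"))           # True via Admin
    print(is_granted(ALL_POLICIES, "//user/alesusers/guest/", ALLUSERS,
                     "//priv/GET", logo))                             # True via allusers
    print(is_granted(ALL_POLICIES, "//user/alesusers/guest/", ALLUSERS,
                     "//priv/GET", "//app/policy/wlsserver/console")) # False
```

The model makes two points from the text concrete: why shared needs Allow Virtual Resources (a request on an undefined child of svr still resolves, while an undefined sibling such as //app/policy/wlsserver/other does not), and why the logo grant is scoped to a single GET on one resource rather than to the console subtree, so that allusers gets nothing beyond the login-page image.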
When you secure an EJB using a WebLogic Server Security Service Module, you must follow these steps if you want to use the AquaLogic Enterprise Security providers instead of the default WebLogic providers.
1. Modify the EJB deployment descriptor (ejb-jar.xml) so that the assembly-descriptor does not have any method-permissions set to unchecked or excluded. If either of these settings is present in the deployment descriptor, then the EJB container enforces them rather than calling into the security subsystem.
2. Add the following to WLES_JAVA_OPTIONS in the set-wls-env script:
-Dweblogic.security.fullyDelegateAuthorization=true
If you want to protect a cluster of WebLogic Servers using AquaLogic Enterprise Security, you must make some additional changes to the security configuration and resource configuration. For information on how to protect a cluster of WebLogic Servers, see the following topics:
Figure 7-1 shows a Security Service Module configuration named myrealm, located under a Service Control Manager named adminconfig in the AquaLogic Enterprise Security Administration Console. Your actual Security Service Module configuration will vary from this example based on the needs of your WebLogic domain.
Figure 7-2 shows a configuration for a cluster of four WebLogic Servers: one administration server (adm) and three managed servers (svr1, svr2, svr3), with one Security Service Module instance for each server. The Service Control Manager on both machines must use the same Configuration Name (adminconfig). Each Security Service Module must have a unique Instance Name and Port number per machine, but always shares a common Configuration ID (myrealm) across all machines. Thus, each server uses the same security provider configuration and receives the same policy.
You must also create the following three resources shown in Figure 7-3, setting them each as virtual resources.
The myrealm/wl_management_internal1 resource is accessed on the cluster's administration server by the WebLogic Admin Console to view WebLogic Server related log files.
The myrealm/wl_management_internal2 resource is accessed on the cluster's administration server by a managed server during bootstrap and file distribution operations.
The myrealm/bea_wls_internal resource is accessed when one managed server is synchronizing with another managed server.
The myrealm/wl_management_internal1, myrealm/wl_management_internal2 and myrealm/bea_wls_internal resources must be configured to allow virtual resources.
You must create the policy listed in Table 7-1.
To create this policy in the ALES Administration Console:
1. Expand myrealm in the Child Resources list box, select bea_wls_internal, and then click Add.
2. Select allusers from the Groups List list box, click Add, and then click OK. Be sure that the selected identity store is alesusers.
3. Select any in the Select Privileges from Group list box, and then click Add.
4. Expand myrealm in the Child Resources list box, select wl_management_internal1, and then click Add. Select wl_management_internal2 as well and click Add.
5. Select allusers from the Groups List list box, click Add, and then click OK. Be sure that the selected identity store is alesusers.