This section covers tasks that you must perform after completing the post-installation tasks for the WebLogic Server 9.x Security Service Module. The following topics are covered in this section:
The WebLogic Server 9.x Security Service Module integrates AquaLogic Enterprise Security with BEA WebLogic Server versions 9.1 and 9.2. It uses a different security framework from the one used in the WLS 8.1 SSM and the other ALES SSMs. When you install the WLS 9.x SSM, ALES uses the WLS 9.x security framework. As a consequence, when you use the WLS 9.x SSM, you configure security providers and other aspects of the SSM in the WebLogic Administration Console, rather than the ALES Administration Console. You still use the ALES Administration Console to configure SSMs other than the WLS 9.x SSM and to write security policies for any SSM. You must also use the ALES Administration Console to configure the ASI Authorizer and ASI Role Mapper providers.
Before you configure a WebLogic Server 9.x SSM, you must first:
To configure the ALES WebLogic Server 9.x SSM:
console-ext directory of your WebLogic Server domain. See Console Extension for Security Providers in the WLS 9.x Console.
startWebLogic file. See Modifying the startWebLogic File.
startWebLogic file.
ALES includes an extension to the WebLogic Server 9.x Administration Console. If you are using the WebLogic Server 9.x SSM, you must install the console extension in order for the ALES security providers to be visible in the WebLogic Server 9.x Administration Console.
To install the ALES security provider console extension, copy ales_security_provider_ext.jar from BEA_HOME/ales22-ssm/wls9-ssm/lib to the BEA_HOME/WLS_HOME/domains/DOMAIN_NAME/console-ext directory, where DOMAIN_NAME is the name of your WebLogic Server 9.x domain.
The WebLogic Server startup script does the following:
Before you can start a WebLogic Server instance that uses BEA AquaLogic Enterprise Security, you must edit the startWebLogic file. This file is located in the WebLogic Server domain directory. For example:
BEA_HOME/user_projects/domains/mydomain
See Listing 8-1 for an example of a modified startWebLogic file. To edit the startWebLogic file, do the following:
/domains/mydomain/startWebLogic.cmd or startWebLogic.sh and name it startWeblogicALES.cmd or startWebLogicALES.sh.
/domains/mydomain/bin/startWebLogic.cmd or startWebLogic.sh and name it startWeblogicALES.cmd or startWebLogicALES.sh.
/domains/mydomain/startWebLogic so that it calls /domains/mydomain/bin/startWebLogicALES rather than /domains/mydomain/bin/startWebLogic. For example:
call "%DOMAIN_HOME%\bin\startWebLogicALES.cmd" %*
/domains/mydomain/bin/startWebLogicALES. Before the CLASSPATH is set, add a call to the set-wls-env script file in the bin directory for your instance. The set-wls-env script sets environment variables that are used in the next steps: WLES_POST_CLASSPATH and WLES_JAVA_OPTIONS. For example:
BEA_HOME/ales22-ssm/wls9-ssm/instance/wls-ssm/bin/set-wls-env.sh
Where:
ales22-ssm is the directory where you installed the Security Service Module.
instance is the directory where all instances are stored.
wls-ssm is the name of the Security Service Module instance you created earlier.
For example, if you created a WLS SSM instance called myInstance, the call looks like this:
call "C:\bea\ales22-ssm\wls9-ssm\instance\myInstance\bin\set-wls-env.bat"
. "/bea/ales22-ssm/wls9-ssm/instance/myInstance/bin/set-wls-env.sh"
CLASSPATH:
%WLES_POST_CLASSPATH%
${WLES_POST_CLASSPATH}
%JAVA_HOME%\bin\java in the weblogic.Server command.
"%JAVA_HOME%\bin\java"
%WLES_JAVA_OPTIONS%
${WLES_JAVA_OPTIONS}
...
# Source the SSM environment before CLASSPATH is set; this defines
# WLES_POST_CLASSPATH and WLES_JAVA_OPTIONS.
. /BEA_HOME/ales22-ssm/wls9-ssm/instance/myInstance/bin/set-wls-env.sh
...
# Caution: a password passed as a -D system property is visible in the process
# list and is printed by the "Starting WLS with line:" echo below.
if [ "${WLS_PW}" != "" ] ; then
    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.management.password=${WLS_PW}"
fi
# Append the ALES classpath entries to the end of the CLASSPATH.
CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}${WLES_POST_CLASSPATH}"
echo "."
if [ "${WLS_REDIRECT_LOG}" = "" ] ; then
    echo "Starting WLS with line:"
    echo "${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} ${WLES_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${PROXY_SETTINGS} ${SERVER_CLASS}"
    # Start the server with the ALES JVM options included.
    ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} ${WLES_JAVA_OPTIONS} \
        -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${PROXY_SETTINGS} ${SERVER_CLASS}
else
    echo "Redirecting output from WLS window to ${WLS_REDIRECT_LOG}"
    ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} ${WLES_JAVA_OPTIONS} \
        -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${PROXY_SETTINGS} ${SERVER_CLASS} >"${WLS_REDIRECT_LOG}" 2>&1
fi
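The edits to startWebLogicALES.sh described above can be checked mechanically before the server is started, since a script that misses one of them starts WebLogic without the SSM environment. The following is an added example, not part of the ALES documentation or distribution: the function name check_ales_start_script and the sample file are constructed for illustration, and only the UNIX ". file" sourcing form is recognized.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with ALES).
# Prints one finding per problem; returns 0 only when no problem is found.
check_ales_start_script() {
    # Join backslash-continued lines so each command is inspected as a single line.
    joined=$(sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1")
    problems=0
    # Line numbers of the first ". .../set-wls-env.sh" and the first CLASSPATH= line.
    env_line=$(printf '%s\n' "$joined" | grep -n -E '^[[:space:]]*\.[[:space:]].*set-wls-env\.sh' | head -n 1 | cut -d: -f1)
    cp_line=$(printf '%s\n' "$joined" | grep -n -E '^[[:space:]]*CLASSPATH=' | head -n 1 | cut -d: -f1)
    if [ -z "$env_line" ]; then
        echo "MISSING: set-wls-env.sh is never sourced"; problems=$((problems + 1))
    elif [ -n "$cp_line" ] && [ "$env_line" -gt "$cp_line" ]; then
        echo "ORDER: set-wls-env.sh is sourced after CLASSPATH is set"; problems=$((problems + 1))
    fi
    # At least one CLASSPATH assignment must include WLES_POST_CLASSPATH.
    if ! printf '%s\n' "$joined" | grep -E '^[[:space:]]*CLASSPATH=' | grep -q 'WLES_POST_CLASSPATH'; then
        echo "MISSING: CLASSPATH does not include WLES_POST_CLASSPATH"; problems=$((problems + 1))
    fi
    # Every line that launches java (echo lines do not match) must pass WLES_JAVA_OPTIONS.
    bad=$(printf '%s\n' "$joined" | grep -E '^[[:space:]]*"?\$\{?JAVA_HOME\}?/bin/java' | grep -v -c 'WLES_JAVA_OPTIONS' || true)
    if [ "$bad" -gt 0 ]; then
        echo "MISSING: $bad java launch line(s) without WLES_JAVA_OPTIONS"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample: the launch line was left without WLES_JAVA_OPTIONS.
sample=$(mktemp)
cat > "$sample" <<'EOF'
. "/bea/ales22-ssm/wls9-ssm/instance/myInstance/bin/set-wls-env.sh"
CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${WLES_POST_CLASSPATH}"
${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} \
    -Dweblogic.Name=${SERVER_NAME} ${SERVER_CLASS}
EOF
check_ales_start_script "$sample" || echo "startup script needs fixing"
rm -f "$sample"
```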
The WebLogic Server 9.x security framework includes a full set of security providers that are available out of the box. The WLS 9.x security providers are described in the WLS documentation, in the following chapters of Securing WebLogic Server:
In addition, you can use the following ALES security providers by adding them to your WebLogic Server security realm:
Note: While you can use the WebLogic Server Administration Console to add these ALES security providers to a WebLogic Server security realm and to configure those security providers, the WLS console does not provide online help for the ALES security providers.
See the following topics in this section for detailed information about configuring the WebLogic 9.x SSM:
When you configure a WebLogic 9.x security realm for ALES, you must include at a minimum the following ALES security providers:
To configure security providers for the WebLogic Server 9.x Security Service Module, you use the WebLogic Server Administration Console, not the ALES Administration Console. In order to create and configure ALES security provider instances using the WebLogic Server Administration Console, you must first install an extension to the console. See Console Extension for Security Providers in the WLS 9.x Console.
To configure security providers for ALES and WebLogic Server 9.x:
http://localhost:7001/console.
mywls9ssm.
mywls9ssm security realm.
mywls9ssm security realm.
ALESDatabaseAuthenticator.
myrealm is the active security realm when you install a WebLogic Server instance. To change the default security realm:
mywls9ssm, as the default security realm and click Save.
Note: If you create a new security realm but do not configure the required security providers, the new realm will not be available in the pull-down menu.
After you have configured security providers for the WebLogic Server 9.x Security Service Module using the WebLogic Server Administration Console, you need to make some configuration changes in the ALES Administration Console also. You need to configure the ASI Authorization and ASI Role Mapping providers and create required users and policy for the WebLogic Server 9.x SSM to start.
To configure security providers in the ALES Administration Console:
https://localhost:7010/asi.
mywls9ssm.
Note: The WebLogic Server instance must be started after the configuration has been deployed. Other policy changes can be deployed while the WebLogic Server instance is running.