This section describes tasks you must perform after you install Security Service Modules and discusses other considerations. For additional information about post-installation configuration and integration for use with BEA WebLogic Server, BEA WebLogic Portal, BEA AquaLogic Data Services Platform, BEA AquaLogic Service Bus, Apache Web Server, Microsoft IIS web server and Web Services, see Integrating ALES with Application Environments.
Note: Some of the procedures described here require basic knowledge of both WebLogic Server and AquaLogic Enterprise Security products. If you need assistance with any task, see the Administration Console online help or the Administration and Deployment Guide for more details. It is assumed that you know the location of the products you have installed, including the WebLogic Server, the Security Service Module, and the Administration Server.
Note: If you installed and configured only Security Service Modules without an associated Service Control Manager, as described in Installing an SSM Without an Associated SCM, you do not need to enroll the Service Control Manager.
This section describes how to enroll the Service Control Manager. Each machine on which you install a Security Service Module must have one (and only one) enrolled Service Control Manager.
Note: You only need to follow this procedure if you installed the Security Service Module on a machine other than the one that contains the Administration Server.
During the enrollment process, the Service Control Manager and Administration Server exchange certificates with each other. The Service Control Manager sends its identity certificate to the Administration Server, which adds the certificate to its trusted peer keystore. Likewise, the Administration Server sends a list of certificates to the SCM.
The certificates are stored in Java keystores. After the Service Control Manager is enrolled, you should be able to find the identity.jks, peer.jks and trust.jks keystores in the BEA_HOME/ales26-scm/ssl folder.
Note: While you can use the demonstration digital certificate to enroll in a development environment, you should never use it in a production environment.
To enroll the Service Control Manager, perform the following steps:
1. Change to the Service Control Manager /bin directory, for example: BEA_HOME/ales26-scm/bin
2. Enter: enrolltool demo
3. Press <ENTER>, and do one of the following:
   - To register the domain, type 5, press <ENTER> again, and enter the following information:
     Enter Enterprise Domain Name :> (For example: asi)
     Enter Primary Admin URL :> (For example: https://adminmachine:7010/asi)
     Secondary Admin URL :> (This value is optional. Same format as primary URL)
     SCM name :> (For example: ssmmachinename_ssm)
     SCM port :> (Default: 7010)
4. Press <ENTER>.
After enrollment, the following keystores are present in the ssl directory:
- ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
- ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
- ssl\trust.jks keystore. This keystore contains the AquaLogic Enterprise Security CA certificate used for enrollment.
For more information on enrolltool utility options, see Administrative Utilities in the ALES Administration Reference.
You configure a Service Control Manager (SCM) for each of the machines on which you have installed one or more Security Service Modules (SSM). Each machine must have one (and only one) configured Service Control Manager. For example, if you install an SSM on the same machine as the Administration Server, you must use the adminconfig SCM, which was configured for you when you installed the Administration Server.
Note: When you use the Instance Wizard to create an instance of an SSM on a machine, you link the instance to an SCM by name. When you install multiple SSMs of different types (Web Server or Web Services, WebLogic Server 8.1 or 9.x, and Java) on the same machine, they all must use the same SCM.
You configure an SCM using the AquaLogic Enterprise Security Administration Console. For information, see "Configuring a Service Control Manager" in the Administration Server Console Help.
Configure an SSM with the security providers that you require for the SSM and bind it to the SCM. You have the option of configuring either the default security providers that ship with the product or custom security providers, which you develop or purchase from third-party security vendors.
The Security Service Module for WebLogic Server 9.x is configured differently from the Security Service Module for WebLogic Server 8.1. When you use the WLS 9.x SSM, you configure security providers and other aspects of the SSM in the WebLogic Administration Console, rather than the ALES Administration Console. You still use the ALES Administration Console to write all security policies, and to configure SSMs other than the WLS 9.x SSM. You must also use the ALES Administration Console to configure the ASI Authorizer and ASI Role Mapper providers. For information about configuring the WLS 9.x SSM, see Configuring the WebLogic Server 9.x SSM in Integrating ALES with Application Environments.
The WebLogic Server 8.1 SSM supports the following types of security providers:
ALES includes an extension to the WebLogic Server 9.x Administration Console. If you are using the WLS 9.x SSM for WLS, you must install the console extension in order for the ALES security providers to be visible in the WebLogic Server 9.x Administration Console.
To install the ALES security provider console extension, copy ales_security_provider_ext.jar from BEA_HOME/ales26-ssm/wls9-ssm/lib to the BEA_HOME/WLS_HOME/domains/DOMAIN_NAME/console-ext directory, where DOMAIN_NAME is the name of your WebLogic Server 9.x domain.
At a minimum, a Web Services SSM security configuration must include the following providers:
The Java Security Service Module supports the following types of security providers:
To configure these providers and bind the configuration to the SCM, perform the following steps:
- Specify the Configuration ID (for example: weblogic81_ssm) and click Create.
Note: Later, when you use the Instance Wizard to create an instance of the SSM to which this security configuration will be applied, you will use the Configuration ID to link the SSM instance to this security configuration.
Before starting a Security Service Module, you must first create an instance of the Security Service Module using the Instance Wizard. You can create any number of instances of the Security Service Module. You must then enroll each instance that you want to use. Each instance has its own set of providers.
To create an instance of a Security Service Module:
- On Windows, select <Type of Security Service Module> > Create New Instance.
- On UNIX, change to BEA_HOME/ales26-ssm/<ssm-type>/adm and enter: instancewizard.sh. If you are not using X-windows, use a console based installer.
When you create an instance of the Apache Web Server SSM, you must also add the Apache user to the asiusers group on the machine running the Apache Web Server SSM; otherwise, the Administration Server will not have the permissions required to access the Apache Web Server SSM instance and deploy the security policy and the security configuration.
When the Instance Wizard creates an instance of the IIS Web Server SSM, it adds the information listed in Table 5-1 to the following location in the Microsoft Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\BEA Systems\ALES\IIS Module\2.6
You must have the Administration Server running prior to enrolling the Security Service Module. When the SSM is enrolled, the SSM and Administration Server exchange certificates with each other. The SSM sends its identity certificate to the Administration Server, which adds the certificate to its trusted peer keystore. The Administration Server sends to the SSM the list of certificates the SSM must trust. In addition, the Administration Server sends the enrolled identity to other ALES servers with which the SSM is supposed to communicate, such as the SCM instance the SSM is associated with.
The certificates are stored in Java keystores. After the SSM is enrolled, you should be able to find the identity.jks, peer.jks and trust.jks keystores in the BEA_HOME/ales26-ssm/wls-ssm/instance/instancename/ssl folder.
Note: While you can use the demonstration digital certificate in a development environment, you should never use it in a production environment.
To enroll the Security Service Module:
1. Change to the instance /adm directory: BEA_HOME/ales26-ssm/<ssm-type>/instance/instancename/adm, where instancename is the name you assigned to the instance when you created it.
2. Enter the admin username and password. This is the username and password of the Security Administrator doing the enrollment (if you used the default values and have not yet changed them, the default username is system and the password is weblogic).
After enrollment, the following keystores are present in the ssl directory:
- ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
- ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
- ssl\trust.jks keystore. This keystore contains the AquaLogic Enterprise Security CA certificate used for enrollment.
For more information on enrolltool utility options, see Administrative Utilities in the ALES Administration Reference.
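The keystore descriptions above, for the SCM (BEA_HOME/ales26-scm/ssl) and for each SSM instance (instance/instancename/ssl), say what enrollment should leave behind. The following script is an added example, not ALES code and not from this guide, that checks it: it reads the three JKS files directly (magic 0xFEEDFEED, version, entry count, then a tag and alias per entry) and lists the alias and entry type each keystore holds, so you can confirm that identity.jks holds a private-key entry for the enrolled component and that peer.jks and trust.jks hold trusted-certificate entries, without needing keytool or the keystore password. The alias names in build_sample_jks and the path in the usage line are placeholders; the aliases in a real deployment are whatever enrollment produced.

```python
"""Inspect the enrollment keystores that ALES writes to an ssl directory.

Added example; not part of the ALES product or its documentation. Reads the
JKS container format only: key and certificate bytes are skipped, not
decrypted or parsed, and the keyed digest at the end of the file is not
verified (that needs the keystore password).
"""
import struct
from pathlib import Path

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_ENTRY = 1       # JKS tag for a key plus its certificate chain
TRUSTED_CERT_ENTRY = 2      # JKS tag for a trusted certificate
EXPECTED_KEYSTORES = ("identity.jks", "peer.jks", "trust.jks")


class _Reader:
    """Sequential big-endian reader over the keystore bytes."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def utf(self) -> str:
        return self.take(self.u16()).decode("utf-8")


def is_jks(data: bytes) -> bool:
    """True if data starts with the JKS magic number."""
    return len(data) >= 4 and struct.unpack(">I", data[:4])[0] == JKS_MAGIC


def list_jks_entries(data: bytes) -> list:
    """Return [(alias, kind)] per entry; kind uses the keytool naming."""
    r = _Reader(data)
    if r.u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore (bad magic)")
    version = r.u32()
    if version not in (1, 2):
        raise ValueError(f"unsupported JKS version {version}")
    entries = []
    for _ in range(r.u32()):
        tag = r.u32()
        alias = r.utf()
        r.take(8)                          # creation date, ms since epoch
        if tag == PRIVATE_KEY_ENTRY:
            r.take(r.u32())                # password-protected key blob
            for _ in range(r.u32()):       # certificate chain
                if version == 2:
                    r.utf()                # certificate type, e.g. "X.509"
                r.take(r.u32())            # DER bytes
            entries.append((alias, "PrivateKeyEntry"))
        elif tag == TRUSTED_CERT_ENTRY:
            if version == 2:
                r.utf()
            r.take(r.u32())
            entries.append((alias, "trustedCertEntry"))
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return entries


def check_ssl_dir(ssl_dir) -> dict:
    """Map each expected keystore to its entry list, or None if the file is missing."""
    ssl_dir = Path(ssl_dir)
    report = {}
    for name in EXPECTED_KEYSTORES:
        path = ssl_dir / name
        report[name] = list_jks_entries(path.read_bytes()) if path.is_file() else None
    return report


def _utf(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_sample_jks(entries) -> bytes:
    """Constructed version-2 keystore for offline use; cert/key bytes and digest are placeholders."""
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    cert = _utf("X.509") + struct.pack(">I", 3) + b"\x30\x01\x00"   # placeholder DER
    for alias, tag in entries:
        out += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", 0)
        if tag == PRIVATE_KEY_ENTRY:
            out += struct.pack(">I", 4) + b"\x00" * 4 + struct.pack(">I", 1) + cert
        else:
            out += cert
    return out + b"\x00" * 20   # where the keyed SHA-1 digest sits; not checked here


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "BEA_HOME/ales26-scm/ssl"  # placeholder path
    for name, found in check_ssl_dir(target).items():
        if found is None:
            print(f"{name}: MISSING - enrollment did not complete")
        else:
            print(f"{name}: {len(found)} entries: " + ", ".join(f"{a} ({k})" for a, k in found))
```

Run it with the ssl directory as its argument. A MISSING line means enrollment did not complete for that component; an identity.jks without a PrivateKeyEntry, or a peer.jks with no entries, means the certificate exchange with the Administration Server did not happen. Once you have the keystore password, keytool -list -keystore <file> gives the same alias listing with certificate fingerprints.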
After you install the Security Service Module, create the instance, and enroll it, you must start the necessary processes by running the appropriate batch or shell scripts. Before you start these processes, make sure that the Administration Server and all of its services are running.
For each machine, you must start one Service Control Manager.
For instructions on how to start and stop the required processes, see Starting and Stopping Processes for Security Service Modules in the Administration and Deployment Guide.
Note: ALES does not include the JDBC driver for MS SQL and PointBase. If you want to use MS SQL or PointBase for your database, you must download the appropriate JDBC driver. You must use the latest MS SQL 2005 JDBC driver with all versions of MS SQL.
If you are using MS SQL or PointBase for your database, you must set the location of the JDBC driver in the CLASSPATH environment variable for each instance of the following SSMs prior to starting the SSM:
To add the JDBC driver to the CLASSPATH for the Web Services SSM, edit INSTANCE_HOME/config/WLESws.wrapper.conf and append the JDBC driver to the wrapper.java.classpath parameter. For example:
wrapper.java.classpath.48=F:/bea/ales26-ssm/webservice-ssm/lib/sslclient.jar
wrapper.java.classpath.49=F:/bea/ales26-ssm/webservice-ssm/lib/pdsoap11.jar
wrapper.java.classpath.50=F:/bea/ales26-ssm/webservice-ssm/lib/antlr.jar
wrapper.java.classpath.51=F:/pbclient51.jar
To add the JDBC driver to the CLASSPATH for the Java SSM, edit INSTANCE_HOME/bin/set-env.bat (or set-env.sh) and append the JDBC driver to the CLASSPATH environment variable. For example:
set CLASSPATH=%CLASSPATH%;%INSTALL_HOME%\lib\antlr.jar
set CLASSPATH=%CLASSPATH%;%INSTALL_HOME%\lib\jaxrpc.jar
set CLASSPATH=%CLASSPATH%;f:\pbclient51.jar
To add the JDBC driver to the CLASSPATH for the WebLogic Server 8.1 or 9.x SSM, edit the INSTANCE_HOME/bin/set-wls-env.bat (or set-wls-env.sh) file and append the JDBC driver location to the WLES_POST_CLASSPATH environment variable. For example:
set WLES_POST_CLASSPATH=%WLES_POST_CLASSPATH%;%INSTALL_HOME%\lib\jsafeJCE.jar
set WLES_POST_CLASSPATH=%WLES_POST_CLASSPATH%;%INSTALL_HOME%\lib\asn1.jar
set WLES_POST_CLASSPATH=%WLES_POST_CLASSPATH%;%INSTALL_HOME%\lib\certj.jar
set WLES_POST_CLASSPATH=%WLES_POST_CLASSPATH%;f:\pbclient51.jar
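The three edits above are done by hand in the guide; the following script is an added example, not part of the ALES product or this guide, that makes the same edits in a repeatable way. It handles the two file formats involved: the Java Service Wrapper file WLESws.wrapper.conf, where every classpath entry is a separately numbered wrapper.java.classpath.N key and the new jar must take the next index after the existing ones, and the Windows batch scripts set-env.bat (variable CLASSPATH) and set-wls-env.bat (variable WLES_POST_CLASSPATH), which append a set VAR=%VAR%;path line. Both edits are idempotent, so re-running a post-install script does not add the driver twice, and the jar is checked to be a readable archive first, because a mistyped driver path otherwise surfaces only as a class-not-found failure at SSM startup. The sample wrapper text is constructed from the page's example lines; the set-env.sh form is not handled here.

```python
"""Append a JDBC driver jar to ALES SSM classpath configuration files.

Added example; not part of the ALES product or its documentation.
"""
import re
import zipfile
from pathlib import Path

WRAPPER_KEY = re.compile(r"^wrapper\.java\.classpath\.(\d+)=(.*)$")

# Constructed from the page's Web Services SSM example, before the driver is added.
SAMPLE_WRAPPER_CONF = (
    "wrapper.java.classpath.48=F:/bea/ales26-ssm/webservice-ssm/lib/sslclient.jar\n"
    "wrapper.java.classpath.49=F:/bea/ales26-ssm/webservice-ssm/lib/pdsoap11.jar\n"
    "wrapper.java.classpath.50=F:/bea/ales26-ssm/webservice-ssm/lib/antlr.jar\n"
)


def jar_is_readable(jar_path: str) -> bool:
    """True if jar_path exists and is a valid zip (jar) archive."""
    path = Path(jar_path)
    return path.is_file() and zipfile.is_zipfile(path)


def add_wrapper_classpath(conf_text: str, jar_path: str) -> str:
    """Return conf_text with jar_path as the next wrapper.java.classpath.N entry.

    The wrapper reads the numbered keys in index order, so the new entry gets
    max(existing index) + 1 and is placed directly after the last existing
    entry to keep the numbering contiguous. Line endings are preserved.
    """
    newline = "\r\n" if "\r\n" in conf_text else "\n"
    lines = conf_text.splitlines()
    highest, last_idx = 0, None
    for i, line in enumerate(lines):
        m = WRAPPER_KEY.match(line.strip())     # commented-out keys do not match
        if not m:
            continue
        if m.group(2).strip() == jar_path:
            return conf_text                     # already present: no change
        highest = max(highest, int(m.group(1)))
        last_idx = i
    entry = f"wrapper.java.classpath.{highest + 1}={jar_path}"
    lines.insert(len(lines) if last_idx is None else last_idx + 1, entry)
    return newline.join(lines) + newline


def add_batch_classpath(script_text: str, var: str, jar_path: str) -> str:
    """Append 'set VAR=%VAR%;jar_path' to a set-env style batch script.

    var is CLASSPATH for set-env.bat or WLES_POST_CLASSPATH for
    set-wls-env.bat. Matching is case-insensitive, as Windows paths are.
    """
    entry = f"set {var}=%{var}%;{jar_path}"
    if entry.lower() in script_text.lower():
        return script_text
    if script_text and not script_text.endswith("\n"):
        script_text += "\r\n"
    return script_text + entry + "\r\n"


def add_jar_to_file(config_path: str, jar_path: str, var: str = "CLASSPATH") -> None:
    """Edit a .conf (wrapper) or .bat (set-env) file in place, refusing an unreadable jar."""
    if not jar_is_readable(jar_path):
        raise FileNotFoundError(f"{jar_path} is missing or is not a jar archive")
    path = Path(config_path)
    text = path.read_text(encoding="utf-8")
    if path.suffix.lower() == ".conf":
        updated = add_wrapper_classpath(text, jar_path)
    elif path.suffix.lower() == ".bat":
        updated = add_batch_classpath(text, var, jar_path)
    else:
        raise ValueError(f"unsupported configuration file type: {path.suffix}")
    if updated != text:
        path.write_text(updated, encoding="utf-8", newline="")


if __name__ == "__main__":
    # Dry run on the constructed sample; the driver path is the page's example value.
    print(add_wrapper_classpath(SAMPLE_WRAPPER_CONF, "F:/pbclient51.jar"))
```

For a real instance call add_jar_to_file with INSTANCE_HOME/config/WLESws.wrapper.conf, or with INSTANCE_HOME/bin/set-env.bat (var CLASSPATH) or INSTANCE_HOME/bin/set-wls-env.bat (var WLES_POST_CLASSPATH), and the downloaded driver's path; the file is rewritten only when an entry is actually added.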
To start an instance of the Web Services SSM on Windows:
To start an instance of the Web Services SSM on UNIX:
You have completed the installation and configuration of the ALES Security Service Modules. Your Security Administrator can now configure additional security services using the security providers for your Security Service Module, through the AquaLogic Enterprise Security Administration Console. If you configured the providers as part of the post install, you can now make changes to your configuration using the console.
Before you continue to configure security services, read the information on security configuration in the Administration Console help. This section provides additional information on how to configure the Service Control Manager, the Security Service Module, and the providers, and then deploy your changes.
For additional information about post-installation configuration and integration for use with BEA WebLogic Server, BEA WebLogic Portal, BEA AquaLogic Data Services Platform, BEA AquaLogic Service Bus, Apache Web Server, Microsoft IIS web server and Web Services, see Integrating ALES with Application Environments.