Administration Application Guide
This section provides an introduction to system administration tasks and discusses the various tools available for configuring and managing your enterprise using WebLogic® Enterprise Security. If you are not familiar with the architecture and services provided, please see the Introduction to WebLogic Enterprise Security. This document provides a starting point for System Administrators who are using the WebLogic Enterprise Security Administration Application.
This section covers the following topics:
This document describes how to use the Administration Application to configure and deploy security service modules. It is organized as follows:
This administration guide is written for Administrators who are implementing and maintaining security configurations, authentication and authorization schemes, and setting up and maintaining access to deployed application resources. Application Administrators have a general knowledge of security concepts and the Java security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs.
The Administrator configures all security providers, implementing authentication, authorization, role mapping, auditing and failover policies. The Administrator may or may not be responsible for installation and configuration of the database component, but must be familiar with the enrollment process.
BEA product documentation, along with other information about BEA software, is available from the BEA dev2dev web site:
To view the documentation for a particular product, select that product from the Product Centers menu on the left side of the screen on the dev2dev page. Select More Product Centers. From the BEA Products list, choose WebLogic Enterprise Security 4.2. The home page for this product is displayed. From the Resources menu, choose Documentation 4.2. The home page for the complete documentation set for the product and release you have selected is displayed.
The BEA corporate web site provides all documentation for BEA WebLogic Enterprise Security. Other BEA WebLogic Enterprise Security documents that may be of interest to the reader include:
You manage a WebLogic Enterprise Security environment by using any of several system administration tools provided with the product. A WebLogic Enterprise Security environment can consist of a single Administration Application instance or multiple instances, each hosted on one or more physical machines; one or more Service Control Managers hosted on individual machines, with any number of Security Service Modules associated with each one. The system administration tools include the Administration Console, the Policy Import and Export tools, a Policy Distributor, Policy Database, and an API, with which you manage security, database connections, messaging, transaction processing, and the runtime configuration of your applications. You may also want to configure a meta-directory to manage users.
The basic administrative unit for a WebLogic Enterprise Security installation is called an enterprise domain. An enterprise domain is a logically related group of Security Service Modules from which the Administration Server manages resources as a unit. An enterprise domain always includes at least one Administration Server instance, one Service Control Manager, and one Security Service Module. The Administration Server serves as a central point of contact for instances and system administration tools.
Figure 1-1 Administration Server Architecture
You can configure multiple servers to be part of a cluster to support failover. A cluster is a group of server instances that work together to provide scalability and high-availability for applications. For additional information on configuring WebLogic Enterprise Security for failover, see Failover and System Reliability.
Your enterprise domain is divided into smaller domains, based on the number of Security Service Modules you have installed. Each Security Service Module may share or use different configuration or policy data, based on the business needs of an organization.
Applications across the enterprise are built on a heterogeneous infrastructure with diverse resources. With an application security infrastructure as shown in Figure 1-2, the Security Service Modules support a fully distributed architecture; all applications across the network are integrated.
Figure 1-2 Distributed Computing Security Infrastructure
The BEA WebLogic Enterprise Security products provide a variety of services that use its Security Framework, including enhanced policy-based authorization with role mapping, authentication with support for single sign-on and credential mapping, and customizable auditing features. A services-oriented strategy to application security infrastructure improves efficiency and strengthens security by providing a unified and consistent approach across the enterprise. BEA delivers security services that allow third-party security technologies to be exposed as reusable services, to further reduce integration time and costs, promote choice, and ensure investment protection.
The type of security services you implement depends on the type of the application component itself, and enforcement solutions are implemented as a set of providers delivered with each Security Service Module. The BEA WebLogic Enterprise Security services seek to provide ease of use, manageability for end users and administrators, and customizability for application developers and security developers. Administrators who configure and deploy applications can use the providers included with the product that support most standard security functions.
Supports BEA WebLogic Server, Version 8.1, and enhances the existing security services in the application server, providing customizable auditing, multi-domain standards-based single sign-on, database and Microsoft Windows NT authentication, database credential mapping, and expanded policy expression capabilities for authorization and role assignments.
Supports the IIS Web Server. After installation, the security service module (SSM) binds with the web server through the web server application programming interface (ISAPI) so that the SSM can be used to protect web server application resources.
Supports the Apache Web Server. After installation, the SSM binds with the web server through the web server filter so that the SSM can be used to protect web server application resources.
Supports web servers. After installation, the SSM security services can be accessed by a web server through the Web Services application programming interface and used to protect web server application resources.
An application programming interface (API) that allows security developers to develop environment interfaces or even integrate an application security infrastructure into an application. These interfaces support the most commonly required security functions and are organized into services that are logically grouped by functionality.
Each Security Service Module is delivered with a full set of security providers. Table 1-1 lists the types of providers that are available for configuration. For information on configuring providers, see Security Configuration.
System administration infrastructure in WebLogic Enterprise Security is implemented using attributes that can be configured through the Administration Console; thus, it is necessary that you understand how they are used.
Providers contain a set of attributes that define configuration parameters for various Security Service Modules. Many administration attributes have pre-set or default values. When the Administration Server starts, it reads the configuration from the database and overrides the default attribute values with any values found there. Every time you change an attribute using the Administration Console or the administration tools, its value is stored in the database. Each instance of a Security Service Module has its own configuration, although it may share that configuration with other modules of the same type.
Attributes may be associated with users or groups (subject attributes), resources (resource attributes), or policy requests (dynamic attributes). Characteristics that define users, groups, and directories are called identity attributes. Attributes may be descriptive, configure policy behavior, manage delegated administration, or be used in forming policy as part of a policy condition. Every attribute must have a defined type, which denotes the range of legal values the attribute may take. A number of predefined types exist, such as string, date, time, and IP address, or you can supply custom attribute types. A value may be assigned to only one instance of an attribute. For a more complete description of how to use attributes in rules, see "Securing Resources and Defining Policy Rules" in the BEA WebLogic Enterprise Security Policy Managers Guide.
All system administration operations are protected based on the user name employed to access a system administration tool. A user (or the group a user belongs to) must be a member of one of four security roles. These roles grant or deny a user access to various sets of system administration operations. The roles are Admin, Operator, Deployer, and Monitor. For additional information on Administration roles, see Administration Policy.
The Administration Console is a web application hosted by the Administration Server. You access the Administration Console from any machine on the local network that can communicate with the Administration Server through a web browser (including a browser running on the same machine as the Administration Server). The Administration Console allows you to manage your enterprise domain containing multiple instances of Security Service Modules. For information on general use of the Administration Console, see Using the Console.
Through the Administration Application, system administrators can perform all management tasks without having to learn about the underlying management architecture. These management capabilities include: