Web Server Installation
This section covers tasks that you must perform after completing the installation of the Web Server Security Service Module.
Note: Some of the procedures described here require basic knowledge of WebLogic Enterprise Security products. If you need assistance with any task, see the Administration Console online help or the Administration Application Guide for more details. It is assumed that you know the location of the products you have installed, including the Security Service Module and the Administration Server.
This section describes how to enroll the Service Control Manager (SCM). Each machine on which you install a Security Service Module (SSM) must have one (and only one) enrolled SCM.
Note: If you installed the SSM on the same machine as the Administration Application, you do not have to perform this task. You must use the adminconfig SCM, which was enrolled and configured for you when you installed the Administration Application.
To enroll the SCM, perform the following steps:
\bin directory (BEA_HOME\wles42-scm\bin).
where demo designates the demonstration digital certificate.
Note: While you may use the demonstration digital certificate to enroll the SCM in a development environment, you should never use it in a production environment.
<ENTER> to register the domain, enter the following information, Type: 5 and press <ENTER> again:
Enter Enterprise Domain Name :> (For example: asi)
Enter Primary Admin URL :> (For example: https://adminmachine:7010/asi)
Secondary Admin URL :> (This value is optional. Same format as primary URL)
SCM name :> (For example: ssmmachinename_ssm)
SCM port :> (Default: 7010)
o ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
o ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
o ssl\trust.jks keystore. This keystore contains the WebLogic Enterprise Security CA certificate used for enrollment.
You configure a Service Control Manager (SCM) for each of the machines on which you have installed one or more Security Service Modules (SSM). Each machine must have one (and only one) configured Service Control Manager.
Note: If you installed the SSM on the same machine as the Administration Application, you do not have to perform this task. You must use the adminconfig SCM, which was enrolled and configured for you when you installed the Administration Application.
Note: When you install multiple SSMs of different types (Web Server or Web Services, WebLogic Server 8.1, and Java) on the same machine, they all must use the same SCM.
To configure an SCM, see the Administration Application Console Help and use the WebLogic Enterprise Security Administration Console.
The instructions for performing this task are also available in "Configuring a Service Control Manager" in the BEA WebLogic Enterprise Administration Application Guide.
You must configure a Web Services SSM with the necessary security providers. At a minimum, a Web Services SSM security configuration must include the following providers:
o Database Authentication provider
o ALES Identity Assertion provider
o ALES Credential Mapping provider
To configure these providers and bind the SSM configuration to the SCM, perform the following steps:
webservice_ssm), and click Create.
Note: Later, when you use the Instance Wizard to create an instance of the SSM to which this security configuration will be applied, you will use the Configuration ID to link the SSM instance to this security configuration.
On the General tab, accept the default settings, and click Create.
On the General tab, accept the default settings, and click Create. At runtime, the auditing messages are directed to the
Note: To change the auditing level, select the Details tab and change the Severity level and/or the context settings for each type of event.
On the General tab, name the provider, accept the default settings, and click Create. Select the Details tab, and set the configuration settings as follows:
Note: The Identity Scope is left as the default value of
On the General tab, name the provider, accept the default settings, and click Create. Normally, you would select the Details tab, fill in detail settings, and click Apply. However, you will be directed to fill in the detail settings later in the sample Web Server SSM policy configuration instructions provided in Configuring and Deploying Policy for the Web Server SSM.
On the General tab, accept the default settings, and click Create. On the Details tab, leave the Identity Directory set to
Note: The Identity Directory is not changed because
On the General tab, name the provider, accept the default settings, and click Create. Normally, you would select the Details tab, fill in detail settings, and click Apply. However, you will be directed to fill in the detail settings later in the sample Web Server SSM policy configuration instructions provided in Configuring and Deploying Policy for the Web Server SSM.
On the General tab, accept the default settings, and click Create. On the Details tab, leave the Identity Directory set to
Note: The Identity Directory is not changed because
Note: If you installed the SSM on the same machine as the Administration Application, click the adminconfig SCM.
Using the Administration Console, distribute the security configuration to the Web Services SSM.
For information on how to distribute the security configuration, access the Administration Console Help, click Deployment in the left pane, and click Distributing Configuration. The distribution procedures appear in the right pane. Be sure to verify the results of the distribution.
Note: At this point, because you have not yet created an instance of the Web Services SSM and enrolled it with the SCM, you are only distributing the security configuration to the SCM. Your next task will be to create an instance of the Web Services SSM.
Instructions for distributing the security configuration are also provided in the "Deployment" section of the Administration Application Guide.
Before you can use a Web Services Security Service Module (SSM), you must first use the Instance Wizard to create an instance of it.
Note: You can create more than one instance of Web Services SSM on a single machine, but each instance must run in a separate process.
To create an instance of a Web Services SSM, perform the following steps:
On Unix, if you are using X-windows, go to BEA_HOME/wles42-ssm/webservice-ssm/adm and enter: instancewizard.sh.
asi), and click Next.
Before you can use a Web Server Security Service Module (SSM), you must first use the Instance Wizard to create an instance of it.
Note: You can only create one instance of Web Server SSM on a single machine.
To create an instance of a Web Server SSM, perform the following steps:
On Unix, if you are using X-windows, go to BEA_HOME/wles42-ssm/apache-ssm/adm and enter: instancewizard.sh.
asi), and click Next.
Note: IMPORTANT: When you create an instance of the Apache Web Server SSM, you must also add the Apache user to the asiusers group on the machine running the Apache Web Server SSM; otherwise, the Administration Application will not have the permissions required to access the Apache Web Server SSM instance and deploy the security policy and the security configuration.
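One way to confirm the asiusers requirement above on a Unix host, as an added example that is not part of the product documentation. The account names and the sample group and passwd entries are constructed; on a real host, pass the account Apache actually runs as and omit the file arguments.

```shell
#!/bin/sh
# Added example, not from the product documentation.
# in_group USER GROUP [GROUP_FILE] [PASSWD_FILE]
#   0 = USER is a member of GROUP
#   1 = USER is not a member
#   2 = GROUP does not exist
in_group() {
    ig_user=$1; ig_group=$2
    ig_gfile=${3:-/etc/group}; ig_pfile=${4:-/etc/passwd}

    # group(5) entry: name:password:gid:member1,member2,...
    ig_entry=$(awk -F: -v g="$ig_group" '$1 == g { print; exit }' "$ig_gfile")
    [ -n "$ig_entry" ] || return 2

    ig_gid=$(printf '%s\n' "$ig_entry" | cut -d: -f3)
    ig_members=$(printf '%s\n' "$ig_entry" | cut -d: -f4)

    # Supplementary membership: exact match inside the comma-separated list,
    # so "apache" does not match "apache2".
    case ",$ig_members," in
        *",$ig_user,"*) return 0 ;;
    esac

    # Primary membership: the user's passwd(5) GID equals the group's GID.
    # Such users are usually not listed in the group file's member field.
    ig_pgid=$(awk -F: -v u="$ig_user" '$1 == u { print $4; exit }' "$ig_pfile")
    [ -n "$ig_pgid" ] && [ "$ig_pgid" = "$ig_gid" ]
}

# Constructed sample files (not from a real host): "apache" is a supplementary
# member, "www" reaches asiusers through its primary GID, "apache2" is neither.
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
asiusers:x:2001:asiadmin,apache
EOF
cat > "$sample_dir/passwd" <<'EOF'
apache:x:48:48:Apache:/var/www:/sbin/nologin
apache2:x:49:49:Other:/var/www:/sbin/nologin
www:x:80:2001:Web:/var/www:/sbin/nologin
EOF
for u in apache apache2 www; do
    if in_group "$u" asiusers "$sample_dir/group" "$sample_dir/passwd"; then
        echo "$u: member of asiusers"
    else
        echo "$u: NOT a member of asiusers"
    fi
done
```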
Note: When the InstanceWizard creates an instance of the IIS Web Server SSM, it adds the information listed in Table 4-2 to the following location in the Microsoft Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\BEA Systems\WLES\IIS Module\4.2
You must have the WebLogic Enterprise Security Administration Application running prior to enrolling the Web Services Security Service Module (SSM).
To enroll the Web Services Security Service Module, perform the following steps:
\adm directory for the instance of the SSM. For example, BEA_HOME\wles42-ssm\webservice-ssm\instance\<instancename>\adm, where instancename is the name you assigned to the SSM instance when you created it.
o ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
o ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
o ssl\trust.jks keystore. This keystore contains the WebLogic Enterprise Security CA certificate used for enrollment.
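A post-enrollment check for the three keystores listed here and in the SCM enrollment section, as an added example for Unix hosts that is not part of the product documentation. The permission policy (no keystore writable by other users, identity.jks not readable by them) is an assumption, and the sample directory is constructed; pass the real ssl directory as the argument.

```shell
#!/bin/sh
# Added example, not from the product documentation.
# check_keystores SSL_DIR
# Prints one line per finding; the return status is the number of findings.
check_keystores() {
    ck_dir=$1; ck_findings=0
    for ck_name in identity.jks peer.jks trust.jks; do
        ck_file="$ck_dir/$ck_name"
        if [ ! -f "$ck_file" ]; then
            echo "MISSING         $ck_file"
            ck_findings=$((ck_findings + 1))
            continue
        fi
        if [ ! -s "$ck_file" ]; then
            echo "EMPTY           $ck_file"
            ck_findings=$((ck_findings + 1))
        fi
        # Assumed policy: no keystore may be writable by "other", since
        # peer.jks and trust.jks decide which certificates are accepted.
        if [ -n "$(find "$ck_file" -prune -perm -002)" ]; then
            echo "WORLD-WRITABLE  $ck_file"
            ck_findings=$((ck_findings + 1))
        fi
        # Assumed policy: identity.jks holds component identities, so it
        # may not be readable by "other" either.
        if [ "$ck_name" = identity.jks ] &&
           [ -n "$(find "$ck_file" -prune -perm -004)" ]; then
            echo "WORLD-READABLE  $ck_file"
            ck_findings=$((ck_findings + 1))
        fi
    done
    return "$ck_findings"
}

# Constructed sample directory standing in for an ssl directory:
# identity.jks is world-readable, peer.jks is world-writable,
# trust.jks is deliberately absent.
ks_sample=$(mktemp -d)
printf 'constructed' > "$ks_sample/identity.jks"
chmod 644 "$ks_sample/identity.jks"
printf 'constructed' > "$ks_sample/peer.jks"
chmod 666 "$ks_sample/peer.jks"
check_keystores "$ks_sample" || echo "findings: $?"
```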
Before proceeding to What's Next, start the Web Service SSM.
To start the Web Service SSM, do the following:
You have completed the post-installation tasks for the Web Services and Web Server SSMs.
For additional configuration tasks, do one of the following: