Securing WebLogic Server


Using Compatibility Security

Compatibility security is the capability to run security configurations developed with WebLogic Server 6.x in this release of WebLogic Server. In Compatibility security, you manage 6.x security realms, users, groups, and ACLs, protect user accounts, and configure the Realm Adapter Auditing provider and optionally the Identity Assertion provider in the Realm Adapter Authentication provider. The following sections describe how to configure Compatibility security:

Note: Compatibility security is deprecated in this release of WebLogic Server and will not be supported in future major releases. Oracle strongly recommends upgrading your WebLogic Server deployment to the security features in this release of WebLogic Server. You should only use Compatibility security pending such an upgrade.

Running Compatibility Security: Main Steps

To set up Compatibility security:

  1. Make a backup copy of your 6.x WebLogic domain (including your config.xml file) before using Compatibility security.
  2. Add the following to the 6.x config.xml file if it does not exist, replacing the values with the actual names of your domain, security realm, and FileRealm:

     <Security Name="mydomain" Realm="mysecurity"/>
     <Realm Name="mysecurity" FileRealm="myrealm"/>
     <FileRealm Name="myrealm"/>

  3. Install the current version of WebLogic Server in a new directory location. Do not overwrite your existing 6.x installation directory. For more information, see Installation Guide.
  4. Modify the start script for your 6.x server to point to the new WebLogic Server installation. Specifically, you need to modify:
    • The classpath to point to the weblogic.jar file in the new WebLogic Server installation.
    • The JAVA_HOME variable to point to the new WebLogic Server installation.
  5. Use the start script for your 6.x server to boot the new version of WebLogic Server.

To verify whether you are running Compatibility security correctly, open the new WebLogic Server Administration Console. If you are running Compatibility security, a Compatibility Security node is displayed on the left in the Domain Structure pane.

Limited Visibility of Compatibility Security MBeans

All Compatibility security MBeans are marked excluded and therefore have limited visibility in the WebLogic Scripting Tool. For example, if you use a command like this:

java weblogic.WLST
connect()
ls()

then the attributes of the DomainMBean will be listed, excluding Compatibility security attributes such as FileRealmMBean. However, if you address a Compatibility MBean directly, you can access it, as in this example:

java weblogic.WLST
connect()
cmo.getFileRealms()

The Default Security Configuration in the CompatibilityRealm

By default, the CompatibilityRealm is configured with a Realm Adapter Adjudication provider, a Realm Adapter Authentication provider, a WebLogic Authorization provider, a Realm Adapter Authorization provider, a WebLogic Credential Mapping provider, and a WebLogic Role Mapping provider.

Configuring a Realm Adapter Authentication Provider

When using Compatibility security, a Realm Adapter Authentication provider is by default configured for the CompatibilityRealm. For information about using the Realm Adapter Authentication provider in the CompatibilityRealm, see The Default Security Configuration in the CompatibilityRealm.

The Realm Adapter Authentication provider also allows use of implementations of the weblogic.security.acl.CertAuthenticator class with this release of WebLogic Server. The Realm Adapter Authentication provider includes an Identity Assertion provider that asserts identity based on X.509 tokens. For information about using a CertAuthenticator with WebLogic Server, see Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider.

When you add a Realm Adapter Authentication provider to a security realm with an Authentication provider already configured, WebLogic Server sets the JAAS Control Flag on the Realm Adapter Authentication provider to OPTIONAL and checks for the presence of a fileRealm.properties file in the domain directory. WebLogic Server will not add the Realm Adapter Authentication provider to the security realm if the fileRealm.properties file does not exist.

Note: The subjects produced by the Realm Adapter Authentication provider do not contain principals for the groups to which a user belongs. Use the weblogic.security.SubjectUtils.isUserInGroup() method to determine whether a user is in a group. When you use subjects produced by the Realm Adapter Authentication provider, you cannot iterate the complete set of groups to which a user belongs.

Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider

The Realm Adapter Authentication provider includes an Identity Assertion provider. The Identity Assertion provider provides backward compatibility for implementations of the deprecated weblogic.security.acl.CertAuthenticator class. The identity assertion is performed on X.509 tokens. By default, the Identity Assertion provider is not enabled in the Realm Adapter Authentication provider.

For information about how to enable the Identity Assertion provider, see Enable the Identity Assertion provider in the Administration Console Online Help.

Configuring a Realm Adapter Auditing Provider

The Realm Adapter Auditing provider allows you to use implementations of the weblogic.security.audit.AuditProvider interface when using Compatibility security. For the Realm Adapter Auditing provider to work properly, the implementation of the AuditProvider interface must be defined. You can define the AuditProvider class using the Administration Console, in the Audit Provider Class field on the Domain: Compatibility Security > General page.

For information, see Configure a Realm Adapter Auditing provider in the Administration Console Online Help.

Protecting User Accounts in Compatibility Security

Password guessing is a common type of security attack. In this type of attack, a hacker attempts to log in to a computer using various combinations of usernames and passwords. WebLogic Server provides a set of lockout configuration options to protect user accounts from this kind of attack. By default, these options are set for maximum protection. As a system administrator, you have the option of turning off all the options, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the configuration options lessens security and leaves user accounts vulnerable to security attacks.

There are two sets of configuration options available to protect user accounts, one at the domain level and one at the security realm level. If you configure only one set (for example, the options for the security realm) and a user exceeds any of its thresholds, the user account may still not be locked. This happens because the user account lockout options at the domain level override the user account lockout options at the security realm level. To avoid this situation, disable the user account lockout options at the security realm.

WARNING: If you disable the user lockout configuration option at the security realm, you must set the user lockout configuration options on the domain; otherwise the user accounts will not be protected.
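The three lockout options described above (invalid attempts allowed, the time window in which they are counted, and how long the account stays locked) as a small Python model added here for illustration; it is not WebLogic code, and the class, parameter names, default values and sample attempts are constructed for the example.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Constructed model of the lockout options described above (not WebLogic code)."""

    def __init__(self, max_failures=5, failure_window=600, lockout_duration=1800):
        self.max_failures = max_failures          # invalid attempts before the account locks
        self.failure_window = failure_window      # seconds within which those attempts must occur
        self.lockout_duration = lockout_duration  # seconds the account stays locked
        self._failures = defaultdict(deque)       # user -> timestamps of recent failed attempts
        self._locked_until = {}                   # user -> time at which the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                          # lock expired: clear the lock and the counter
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record_failure(self, user, now):
        """Count one failed login; return True if this failure locks the account."""
        if self.is_locked(user, now):
            return False
        q = self._failures[user]
        q.append(now)
        while q and now - q[0] > self.failure_window:  # attempts outside the window no longer count
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_duration
            return True
        return False

    def record_success(self, user):
        self._failures[user].clear()              # a good login resets the counter

def simulate(policy, attempts):
    """attempts: constructed (time, user, password_correct) tuples; returns one outcome each."""
    outcomes = []
    for now, user, correct in attempts:
        if policy.is_locked(user, now):
            outcomes.append("rejected: locked")
        elif correct:
            policy.record_success(user)
            outcomes.append("ok")
        else:
            outcomes.append("locked" if policy.record_failure(user, now) else "failed")
    return outcomes
```

Raising max_failures or lockout_duration, or widening failure_window, in this model shows directly how each change weakens the protection the text describes.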

For information, see Protect user accounts and Unlock user accounts in the Administration Console Online Help.

Accessing 6.x Security from Compatibility Security

Using Compatibility security assumes that you have an existing config.xml file with a security realm that defines users and groups and ACLs that protect the resources in your WebLogic Server domain. WebLogic Server 6.x security management tasks such as configuring a security realm or defining ACLs should not be required and therefore those management tasks are not described in this section. However, if you corrupt an existing 6.x security realm and have no choice but to restore it, the following 6.x security management tasks are described in the Compatibility Security topic of the Administration Console Online Help:

WARNING: Compatibility security provides backward compatibility only and should not be considered a long-term security solution.
