Securing WebLogic Server

Introduction and Roadmap

Document Scope

Document Audience

Guide to This Document

Related Information

Security Samples and Tutorials

Security Examples in the WebLogic Server Distribution

New and Changed Security Features

Overview of Security Management

Security Realms in WebLogic Server

Security Providers

Security Policies and WebLogic Resources

WebLogic Resources

Deployment Descriptors and the WebLogic Server Administration Console

The Default Security Configuration in WebLogic Server

Configuring WebLogic Security: Main Steps

Methods of Configuring Security

What Is Compatibility Security?

Management Tasks Available in Compatibility Security

Customizing the Default Security Configuration

Why Customize the Default Security Configuration?

Before You Create a New Security Realm

Creating and Configuring a New Security Realm: Main Steps

Configuring WebLogic Security Providers

When Do You Need to Configure a Security Provider?

Reordering Security Providers

Configuring an Authorization Provider

Configuring the WebLogic Adjudication Provider

Configuring a Role Mapping Provider

Configuring the WebLogic Auditing Provider

Auditing ContextHandler Elements

Configuration Auditing

Enabling Configuration Auditing

Configuration Auditing Messages

Audit Events and Auditing Providers

Configuring a WebLogic Credential Mapping Provider

Configuring a PKI Credential Mapping Provider

PKI Credential Mapper Attributes

Credential Actions

Configuring a SAML Credential Mapping Provider for SAML 1.1

Configuring Assertion Lifetime

Relying Party Registry

Configuring a SAML 2.0 Credential Mapping Provider for SAML 2.0

SAML 2.0 Credential Mapping Provider Attributes

Service Provider Partners

Partner Lookup Strings Required for Web Service Partners

Lookup String Syntax

Specifying Default Partners

Management of Partner Certificates

Java Interface for Configuring Service Provider Partner Attributes

Configuring the Certificate Lookup and Validation Framework

CertPath Provider

Certificate Registry

Configuring a WebLogic Keystore Provider

Configuring Authentication Providers

Choosing an Authentication Provider

Using More Than One Authentication Provider

Setting the JAAS Control Flag Option

Changing the Order of Authentication Providers

Configuring the WebLogic Authentication Provider

Configuring LDAP Authentication Providers

Requirements for Using an LDAP Authentication Provider

Configuring an LDAP Authentication Provider: Main Steps

Accessing Other LDAP Servers

Dynamic Groups and WebLogic Server

Configuring Failover for LDAP Authentication Providers

LDAP Failover Example 1

LDAP Failover Example 2

Improving the Performance of WebLogic and LDAP Authentication Providers

Optimizing the Group Membership Caches

Configuring Dynamic Groups in the iPlanet Authentication Provider to Improve Performance

Optimizing the Principal Validator Cache

Configuring the Active Directory Authentication Provider to Improve Performance

Configuring RDBMS Authentication Providers

Common RDBMS Authentication Provider Attributes

Data Source Attribute

Group Searching Attributes

Group Caching Attributes

Configuring the SQL Authentication Provider

Password Attributes

SQL Statement Attributes

Configuring the Read-Only SQL Authenticator

Configuring the Custom DBMS Authenticator

Plug-In Class Attributes

Configuring a Windows NT Authentication Provider

Domain Controller Settings

LogonType Setting

UPN Names Settings

Configuring the SAML Authentication Provider

Configuring the Password Validation Provider

Password Composition Rules for the Password Validation Provider

Using the Password Validation Provider with the WebLogic Authentication Provider

Using WLST to Create and Configure the Password Validation Provider

Creating an Instance of the Password Validation Provider

Specifying the Password Composition Rules

Configuring Identity Assertion Providers

How an LDAP X509 Identity Assertion Provider Works

Configuring an LDAP X509 Identity Assertion Provider: Main Steps

Configuring a Negotiate Identity Assertion Provider

Configuring a SAML Identity Assertion Provider for SAML 1.1

Asserting Party Registry

Certificate Registry

Configuring a SAML 2.0 Identity Assertion Provider for SAML 2.0

Identity Provider Partners

Partner Lookup Strings Required for Web Service Partners

Management of Partner Certificates

Java Interface for Configuring Identity Provider Partner Attributes

Ordering of Identity Assertion for Servlets

Configuring Identity Assertion Performance in the Server Cache

Configuring a User Name Mapper

Configuring a Custom User Name Mapper

Configuring Single Sign-On with Microsoft Clients

Overview of Single Sign-On with Microsoft Clients

System Requirements for SSO with Microsoft Clients

Single Sign-On with Microsoft Clients: Main Steps

Configuring Your Network Domain to Use Kerberos

Creating a Kerberos Identification for WebLogic Server

Configuring Microsoft Clients to Use Windows Integrated Authentication

Configuring a .NET Web Service

Configuring an Internet Explorer Browser

Configure Local Intranet Domains

Configure Intranet Authentication

Verify the Proxy Settings

Set Integrated Authentication for Internet Explorer 6.0

Creating a JAAS Login File

Configuring the Identity Assertion Provider

Using Startup Arguments for Kerberos Authentication with WebLogic Server

Verifying Configuration of SSO with Microsoft Clients

Configuring Single Sign-On with Web Browsers and HTTP Clients

Configuring SAML 1.1 Services

Enabling Single Sign-on with SAML 1.1: Main Steps

Configuring a Source Site: Main Steps

Configuring a Destination Site: Main Steps

Configuring a SAML 1.1 Source Site for Single Sign-On

Configure the SAML 1.1 Credential Mapping Provider

Configure the Source Site Federation Services

Configure Relying Parties

Configure Supported Profiles

Assertion Consumer Parameters

Replacing the Default Assertion Store

Configuring a SAML 1.1 Destination Site for Single Sign-On

Configure SAML Identity Assertion Provider

Configure Destination Site Federation Services

Enable the SAML Destination Site

Set Assertion Consumer URIs

Configure SSL for the Assertion Consumer Service

Add SSL Client Identity Certificate

Configure Single-Use Policy and the Used Assertion Cache or Custom Assertion Cache

Configure Recipient Check for POST Profile

Configuring Asserting Parties

Configure Supported Profiles

Configure Source Site ITS Parameters

Configuring Relying and Asserting Parties with WLST

Configuring SAML 2.0 Services

Configuring SAML 2.0 Services: Main Steps

Configuring SAML 2.0 General Services

About SAML 2.0 General Services

Publishing and Distributing the Metadata File

Configuring an Identity Provider Site for SAML 2.0 Single Sign-On

Configure the SAML 2.0 Credential Mapping Provider

Configure SAML 2.0 Identity Provider Services

Enable the SAML 2.0 Identity Provider Site

Specify a Custom Login Web Application

Enable Binding Types

Publish Your Site’s Metadata File

Create and Configure Web Single Sign-On Service Provider Partners

Obtain Your Service Provider Partner’s Metadata File

Create Partner and Enable Interactions

Configure How Assertions are Generated

Configure How Documents Are Signed

Configure Artifact Binding and Transport Settings

Configuring a Service Provider Site for SAML 2.0 Single Sign-On

Configure the SAML 2.0 Identity Assertion Provider

Configure the SAML Authentication Provider

Configure SAML 2.0 General Services

Configure SAML 2.0 Service Provider Services

Enable the SAML 2.0 Service Provider Site

Specify How Documents Must Be Signed

Specify How Authentication Requests Are Managed

Enable Binding Types

Set Default URL

Create and Configure Web Single Sign-On Identity Provider Partners

Obtain Your Identity Provider Partner’s Metadata File

Create Partner and Enable Interactions

Configure Authentication Requests and Assertions

Configure Redirect URIs

Configure Binding and Transport Settings

Viewing Partner Site, Certificate, and Service Endpoint Information

Web Application Deployment Considerations for SAML 2.0

Deployment Descriptor Recommendations

Use of relogin-enabled with CLIENT-CERT Authentication

Use of Non-default Cookie Name

Login Application Considerations for Clustered Environments

Migrating Security Data

Overview of Security Data Migration

Migration Concepts

Formats and Constraints Supported by WebLogic Security Providers

Migrating Data with WLST

Migrating Data Using weblogic.admin

Managing the Embedded LDAP Server

Configuring the Embedded LDAP Server

Embedded LDAP Server Replication

Viewing the Contents of the Embedded LDAP Server from an LDAP Browser

Exporting and Importing Information in the Embedded LDAP Server

LDAP Access Control Syntax

The Access Control File

Access Control Location

Access Control Scope

Access Rights

Attribute Permissions

Entry Permissions

Attribute Types

Subject Types

Grant/Deny Evaluation Rules

Managing the RDBMS Security Store

Security Providers that Use the RDBMS Security Store

Configuring the RDBMS Security Store

Create a Domain with the RDBMS Security Store

Specifying Database Connection Properties

Oracle Example

MS-SQL Example

DB2 Example

For More Information About Default Connection Properties

Testing the Database Connection

Create RDBMS Tables in the Security Datastore

Configure a JMS Topic for the RDBMS Security Store

Configuring JMS Connection Recovery in the Event of Failure

Upgrading a Domain to Use the RDBMS Security Store

Configuring Identity and Trust

Private Keys, Digital Certificates, and Trusted Certificate Authorities

Configuring Identity and Trust: Main Steps

Supported Formats for Identity and Trust

Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authorities

Common Keytool Commands

Using the CertGen Utility

Using Your Own Certificate Authority

Converting a Microsoft p7b Format to PEM Format

Obtaining a Digital Certificate for a Web Browser

Using Certificate Chains (Deprecated)

Storing Private Keys, Digital Certificates, and Trusted Certificate Authorities

Guidelines for Using Keystores

Creating a Keystore and Loading Private Keys and Trusted Certificate Authorities into the Keystore

Configuring Demo Certificates for Clients

How WebLogic Server Locates Trust

Configuring Keystores for Production

Configuring SSL

SSL: An Introduction

One-Way and Two-Way SSL

Setting Up SSL: Main Steps

Using Host Name Verification

Enabling SSL Debugging

SSL Session Behavior

Configuring RMI over IIOP with SSL

SSL Certificate Validation

Controlling the Level of Certificate Validation

Accepting Certificate Policies in Certificates

Checking Certificate Chains

Using Certificate Lookup and Validation Providers

How SSL Certificate Validation Works in WebLogic Server

Troubleshooting Problems with Certificate Validation

Using the nCipher JCE Provider with WebLogic Server

Specifying the Version of the SSL Protocol

Configuring Security for a WebLogic Domain

Important Information Regarding Cross-Domain Security Support

Enabling Trust Between WebLogic Server Domains

Enabling Cross Domain Security Between WebLogic Server Domains

Configuring Cross-Domain Security

Configuring a Cross-Domain User

Configure a Credential Mapping for Cross-Domain Security

Enabling Global Trust

Using Connection Filters

Using the Java Authorization Contract for Containers

Viewing MBean Attributes

How Passwords Are Protected in WebLogic Server

Protecting User Accounts

Using Compatibility Security

Running Compatibility Security: Main Steps

Limited Visibility of Compatibility Security MBeans

The Default Security Configuration in the CompatibilityRealm

Configuring a Realm Adapter Authentication Provider

Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider

Configuring a Realm Adapter Auditing Provider

Protecting User Accounts in Compatibility Security

Accessing 6.x Security from Compatibility Security

Security Configuration MBeans

SSLMBean

ServerMBean

EmbeddedLDAPMBean

SecurityMBean

SecurityConfigurationMBean

RealmMBean

WindowsNTAuthenticatorMBean

CustomDBMSAuthenticatorMBean

ReadonlySQLAuthenticatorMBean

SQLAuthenticatorMBean

DefaultAuditorMBean

Compatibility Security MBeans

UserLockoutManagerMBean

Other Security Provider MBeans
