Managing WebLogic Security
Using Compatibility Security
The following sections describe how to configure Compatibility security:
Note: Compatibility security is deprecated in this release of WebLogic Server. You should only use Compatibility security while upgrading your WebLogic Server deployment to the security features in this release of WebLogic Server.
Running Compatibility Security: Main Steps
To set up Compatibility security:
- Make a backup copy of your 6.x WebLogic domain (including your config.xml file) before using Compatibility security.
- Add the following to the 6.x config.xml file if it does not exist:
- Install WebLogic Server in a new directory location. Do not overwrite your existing 6.x installation directory. For more information, see Installing WebLogic Platform.
- Modify the start script for your 6.x server to point to the new WebLogic Server installation. Specifically, you need to modify:
  - The classpath, so that it points to the weblogic.jar file in the new WebLogic Server installation.
  - The JAVA_HOME variable, so that it points to the new WebLogic Server installation.
- Use the start script for your 6.x server to boot WebLogic Server.
To verify whether you are correctly running Compatibility security, do the following:
- In the WebLogic Server Administration Console, expand the Domain node.
- Select the desired WebLogic Server domain (referred to as the domain).
- Click the View the Domain Log link.
The following message appears in the log:
Security initializing using realm CompatibilityRealm
In addition, a CompatibilitySecurity node will appear in the WebLogic Server Administration Console.
The Default Security Configuration in the CompatibilityRealm
By default, the CompatibilityRealm is configured with a Realm Adapter Adjudication provider, a Realm Adapter Authentication provider, a WebLogic Authorization provider, a Realm Adapter Authorization provider, a WebLogic Credential Mapping provider, and a WebLogic Role Mapping provider.
- In the CompatibilityRealm, the Realm Adapter Authentication provider is populated with users and groups from the 6.x security realm defined in the
- If you were using the File realm in your 6.x security configuration, you can manage the users and groups in the Realm Adapter Authentication provider following the steps in the "Defining Users in the CompatibilityRealm" and "Defining Groups in the CompatibilityRealm" topics of the Compatibility Security section of the Administration Console online help.
- If you are using an alternate security realm (LDAP, Windows NT, RDBMS, or custom), you must use the administration tools provided by that realm to manage users and groups.
If you have large numbers of users and groups stored in a Windows NT, RDBMS, UNIX, or a custom security realm and you cannot upgrade to a WebLogic, LDAP or custom Authentication provider, you can configure a Realm Adapter Authentication provider in the new security realm to access your existing 6.x store.
Note: The Realm Adapter Authentication provider is the only Realm Adapter provider that can be configured in a realm other than the CompatibilityRealm.
For information about configuring a Realm Adapter Authentication provider, see Configuring a Realm Adapter Authentication Provider.
You can use implementations of the weblogic.security.acl.CertAuthenticator class in Compatibility security by configuring the Identity Assertion provider in the Realm Adapter Authentication provider. For more information, see Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider.
- Access Control Lists (ACLs) in the 6.x security realm are used to populate the Realm Adapter Authorization provider.
- The Realm Adapter Adjudication provider enables the use of both ACLs and security roles and security policies in Compatibility security. The Realm Adapter Adjudication provider can be used only with the Realm Adapter Authentication provider and the WebLogic Authorization provider. It resolves access decision conflicts between ACLs and new security policies set through the WebLogic Administration Console. The Realm Adapter Adjudication provider permits access if one authorization provider votes PERMIT and the other authorization provider votes DENY.
- The WebLogic Credential Mapping provider allows the use of credential maps in Compatibility security. For more information, see Single Sign-On with Enterprise Information Systems.
- You can add a Realm Adapter Auditing provider to access implementations of the weblogic.security.audit.AuditProvider class from the CompatibilityRealm. For more information, see Configuring a Realm Adapter Auditing Provider.
Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider
The Realm Adapter Authentication provider includes an Identity Assertion provider. The Identity Assertion provider provides backward compatibility for implementations of the weblogic.security.acl.CertAuthenticator class. The identity assertion is performed on X.509 tokens. By default, the Identity Assertion provider is not enabled in the Realm Adapter Authentication provider.
To enable identity assertion in the Realm Adapter Authentication provider:
- Expand the Security-->Realms nodes.
- Select the CompatibilityRealm.
- Expand the Providers node.
- Select Authentication Providers.
- Click the Realm Adapter Authenticator link in the Realms table.
The General tab appears.
- Enter X.509 in the Active Types list box.
This step enables the use of 6.x Cert Authenticators.
Configuring a Realm Adapter Auditing Provider
The Realm Adapter Auditing provider allows you to use implementations of the weblogic.security.audit.AuditProvider class when using Compatibility security. In order for the Realm Adapter Auditing provider to work properly, the implementation of the weblogic.security.audit.AuditProvider class must have been defined in the Audit Provider class attribute on the Domain-->Security-->Compatibility-->General tab.
To configure a Realm Adapter Auditing provider:
- Expand the Compatibility Security-->Realms nodes.
- Expand the Providers node.
- Click Configure a Realm Adapter Auditor... link.
The General tab appears.
- Click Create to save your changes.
Protecting User Accounts in Compatibility Security
WebLogic Server provides a set of attributes to protect user accounts from intruders. By default, these attributes are set for maximum protection. As a system administrator, you have the option of turning off all the attributes, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the attributes lessens security and leaves user accounts vulnerable to security attacks.
There are two sets of attributes available to protect user accounts, one set at the domain and one set at the security realm. You may notice that if you set one set of attributes (for example, the attributes for the security realm) and exceed any of the values, the user account is not locked. This happens because the user account attributes at the domain override the user account attributes at the security realm. To avoid this situation, disable the user account attributes at the security realm.
To protect the user accounts in your WebLogic Server domain, perform the following steps:
- Expand the Domain node (for example, mydomain).
- At the bottom of the General tab, click the View Domain-Wide Security Settings link.
- Select the Compatibility-->Passwords tab.
- Define the desired attributes on this tab by entering values at the appropriate prompts and selecting the required checkboxes. (For details, see the following table).
- Click Apply to save your choices.
The following table describes each attribute on the Passwords tab.
Table 11-1 Password Protection Attributes
Minimum Password Length
Number of characters required in a password. Passwords must contain a minimum of 8 characters. The default is 8.
Lockout Enabled
Requests the locking of a user account after invalid attempts to log in to that account exceed the specified Lockout Threshold. By default, this attribute is enabled.
Lockout Threshold
Number of failed password entries for a user that can be tried to log in to a user account before that account is locked. Any subsequent attempts to access the account (even if the username/password combination is correct) raise a Security exception; the account remains locked until it is explicitly unlocked by the system administrator or another login attempt is made after the lockout duration period ends. Invalid login attempts must be made within a span defined by the Lockout Reset Duration attribute. The default is 5.
Lockout Duration
Number of minutes that a user's account remains inaccessible after being locked in response to several invalid login attempts within the amount of time specified by the Lockout Reset Duration attribute. In order to unlock a user account, you need to have the unlockuser permission for the weblogic.passwordpolicy. The default is 30 minutes.
Lockout Reset Duration
Number of minutes within which invalid login attempts must occur in order for the user's account to be locked. An account is locked if the number of invalid login attempts defined in the Lockout Threshold attribute happens within the amount of time defined by this attribute. For example, if the value in this attribute is five minutes and three invalid login attempts are made within a six-minute interval, then the account is not locked. If five invalid login attempts are made within a five-minute period, however, then the account is locked. The default is 5 minutes.
Lockout Cache Size
Specifies the intended cache size of unused and invalid login attempts. The default is 5.
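The lockout attributes above behave as a small state machine: invalid attempts are counted inside a Lockout Reset Duration window, the account locks when the count reaches the Lockout Threshold, every attempt (correct password or not) is refused while locked, and the lock ends after the Lockout Duration or on an explicit administrator unlock. The following Python model is an added illustration, not WebLogic code or its documentation; it uses the documented defaults (5 attempts, 5 minutes, 30 minutes), assumes a sliding counting window and that a successful login clears the failure count (the table does not say either way), and does not model Lockout Cache Size. The timestamps in the walk-through are constructed.

```python
"""Model of the password-protection attributes in Table 11-1 (illustrative, not WebLogic code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


class SecurityException(Exception):
    """Raised for any login attempt, valid password or not, while an account is locked."""


@dataclass(frozen=True)
class LockoutPolicy:
    """Defaults match the documented defaults in Table 11-1."""
    lockout_enabled: bool = True
    lockout_threshold: int = 5                                 # failed attempts before locking
    lockout_duration: timedelta = timedelta(minutes=30)        # how long the lock lasts
    lockout_reset_duration: timedelta = timedelta(minutes=5)   # window in which failures are counted


@dataclass
class _AccountState:
    failures: List[datetime] = field(default_factory=list)     # timestamps of invalid attempts
    locked_at: Optional[datetime] = None


class LockoutTracker:
    """Tracks invalid login attempts per user and applies a LockoutPolicy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._accounts: Dict[str, _AccountState] = {}

    def _state(self, user: str) -> _AccountState:
        return self._accounts.setdefault(user, _AccountState())

    def is_locked(self, user: str, now: datetime) -> bool:
        """True while the lock is in force; the lock expires once Lockout Duration has elapsed."""
        state = self._state(user)
        if state.locked_at is None:
            return False
        if now - state.locked_at >= self.policy.lockout_duration:
            state.locked_at = None
            state.failures.clear()
            return False
        return True

    def unlock(self, user: str) -> None:
        """Explicit unlock by an administrator (in WebLogic this requires the unlockuser permission)."""
        state = self._state(user)
        state.locked_at = None
        state.failures.clear()

    def attempt_login(self, user: str, password_ok: bool, now: datetime) -> bool:
        """Return True on success, False on a wrong password; raise while the account is locked."""
        state = self._state(user)
        if self.policy.lockout_enabled and self.is_locked(user, now):
            raise SecurityException(f"account {user!r} is locked")
        if password_ok:
            state.failures.clear()  # assumption: a successful login resets the failure count
            return True
        if not self.policy.lockout_enabled:
            return False
        # Only failures inside the Lockout Reset Duration window ending now are counted (sliding window).
        window_start = now - self.policy.lockout_reset_duration
        state.failures = [t for t in state.failures if t >= window_start]
        state.failures.append(now)
        if len(state.failures) >= self.policy.lockout_threshold:
            state.locked_at = now
        return False


def walk_through_table_example() -> dict:
    """Replay the scenario from the Lockout Reset Duration description with constructed timestamps."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed start time

    def minutes(m: int) -> datetime:
        return t0 + timedelta(minutes=m)

    tracker = LockoutTracker(LockoutPolicy())
    results = {}
    # Three invalid attempts spread over six minutes: below the threshold in any 5-minute window.
    for m in (0, 3, 6):
        tracker.attempt_login("alice", False, minutes(m))
    results["three_in_six_minutes_locked"] = tracker.is_locked("alice", minutes(6))
    # Five invalid attempts inside five minutes: the fifth one locks the account.
    for m in range(5):
        tracker.attempt_login("bob", False, minutes(m))
    results["five_in_five_minutes_locked"] = tracker.is_locked("bob", minutes(4))
    # Even the correct password is refused while the account is locked.
    try:
        tracker.attempt_login("bob", True, minutes(5))
        results["correct_password_refused_while_locked"] = False
    except SecurityException:
        results["correct_password_refused_while_locked"] = True
    # After Lockout Duration (30 minutes from the lock) the next attempt is allowed again.
    results["login_after_lockout_duration"] = tracker.attempt_login("bob", True, minutes(34))
    # An administrator can unlock earlier.
    for m in range(5):
        tracker.attempt_login("carol", False, minutes(m))
    tracker.unlock("carol")
    results["login_after_admin_unlock"] = tracker.attempt_login("carol", True, minutes(5))
    return results


if __name__ == "__main__":
    for name, value in walk_through_table_example().items():
        print(f"{name}: {value}")
```

Running the module prints the outcome of each step of the table's example. The same model shows why lowering Lockout Threshold or raising Lockout Reset Duration trades usability for resistance to password guessing, and why disabling Lockout Enabled at one level only is safe when the other level still enforces it.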
To disable the user account attributes at the security realm:
- Expand the Security-->Realms nodes.
- Expand the CompatibilityRealm node.
- Select the User Lockout tab.
- Uncheck the Lockout Enabled attribute.
Warning: If you disable the user lockout attribute at the security realm, you must set the user attributes on the domain; otherwise, the user accounts will not be protected.
Accessing 6.x Security from Compatibility Security
When using Compatibility security, it is assumed you have an existing config.xml file with a security realm that defines users and groups and ACLs that protect the resources in your WebLogic Server domain. 6.x security management tasks such as configuring a security realm or defining ACLs should not be required; therefore, those management tasks are not described in this chapter. However, if you corrupt an existing 6.x security realm and have no choice but to restore it, the following 6.x security management tasks are described in the Compatibility Security section of the online help for the WebLogic Server Administration Console:
- Configuring the File realm
- Configuring the Caching realm
- Configuring the LDAP V1 security realm
- Configuring the LDAP V2 security realm
- Configuring the Windows NT security realm
- Configuring the UNIX security realm
- Configuring the RDBMS security realm
- Installing a custom security realm
- Defining users
- Deleting users
- Changing the password for a user
- Unlocking a user account
- Disabling the Guest user
- Defining groups
- Deleting groups
- Defining ACLs
Warning: Compatibility security provides backward compatibility only and should not be considered a long-term security solution.