|bea.com | products | dev2dev | support | askBEA|
|e-docs > WebLogic Server > Administration Console Online Help > Security|
Administration Console Online Help
This topic describes configuring and managing security in WebLogic Server 7.0. For more information, see Managing WebLogic Security.
For information about configuring and managing security for WebLogic Server deployments using Compatibility security, see Compatibility Securityand Using Compatibility Security in Managing WebLogic Security.
The Default Security Configuration in WebLogic Server 7.0
To simplify the configuration and management of security in WebLogic Server, a default security realm (myrealm) is provided. The default security realm has WebLogic Authentication, Identity Assertion, Authorization, Adjudication, Role Mapping, and Credential Mapping providers configured. When using the default security configuration, you only need to define groups, users, and roles for the security realm and create security policies for the WebLogic resources in the domain. You also need to verify that the configuration of the embedded LDAP server configuration is appropriate for your use. Optionally, you can configure an Auditing provider for the default realm.
If the default security configuration does not meet your requirements, you can create a new security realm with any combination of WebLogic and custom security providers and then set the new security realm as the default security realm. For more information, see Configuring a New Security Realm
Note: This section applies to the WebLogic Authentication provider only. If you customize the default security configuration to use another authentication provider, you must use the administration tools supplied by that provider to define a group.
User and group names must be unique. BEA recommends using initial capitalization and plural names for groups; for example, Administrators.
To define a group:
The Groupstab appears. This tab displays the names of all groups defined in the Weblogic Authentication provider.
To add a group to another group, highlight the desired group name and click the right arrow to move the group name to the Current Groups table.
To delete a group:
The Groupstable appears. This table displays the names of all groups defined in the WebLogic Authentication provider.
Note: This section applies to the WebLogic Authentication provider only. If you customize the default security configuration to use another authentication provider, you must use the administration tools supplied by that provider to define a user.
User and group names must be unique. Do not use the username/password combination weblogic/weblogic in production.
To define a user:
The Userstable appears. This table displays the names of all users defined in the WebLogic Authentication provider.
Note: For more efficient management, BEA recommends adding users to groups.
To add a user to a group, highlight the desired group name and click the right arrow to move the group name to the Current Groups table.
To delete a user:
The Users table appears. This table displays the names of all users defined in the WebLogic Authentication provider.
Changing the Password of a User
To change the password of a user:
Protecting User Accounts
Weblogic Server provides a set of attributes to protect user accounts from intruders. By default, these attributes are set for maximum protection. As a system administrator, you have the option of turning off all the attributes, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the attributes lessens security and leaves user accounts vulnerable to security attacks.
To set the User Lockout attributes:
If a user account exceeds the values set for the attributes on this tab, the user account becomes locked and the table on the Users tab has the word Details in the table row for the user account.
Unlocking a User Account
To unlock a user account:
The Details tab describes the event that occurred when the user was locked out.
Defining Global Roles
Note: BEA recommends using initial capitalization, singular names for global roles; for example, SecurityEng.
To define a global role:
The Rolestab appears. This tab displays the names of all roles defined in the default Role Mapping provider.
Select the Roles-->Conditions tab. Use the following options available in the Role Condition table to grant a role to users and/or groups:
Use the Add window to grant multiple users or groups a role. As you grant users and groups a role, the users or groups are listed on the Add window.
The information is stored in a Role Mapping provider. By default, the WebLogic Role Mapping provider is configured and the role information is stored in the embedded LDAP server.
Removing a User, Group, or Time Constraint From a Global Role
Deleting Global Roles
To delete a global role:
The Roles table appears. This table displays the names of the global roles defined in the security realm.
A confirmation window appears.
Protecting WebLogic Resources
Configuring the Embedded LDAP Server
The embedded LDAP server contains user, group, group membership, role, security policy and credential information. The WebLogic Authentication, Authorization, Role Mapping, and Credential Mapping providers use the embedded LDAP server as a storage mechanism. If you use any of these WebLogic security providers, you need to configure the embedded LDAP server.
To configure the embedded LDAP server:
Note: The WebLogic Security providers stored their data in the embedded LDAP server. When you delete a WebLogic Security provider, the security data in the embedded LDAP server is not automatically deleted. The security data remains in the embedded LDAP server in case you want to use the provider again. Use an external LDAP browser to delete the security data from the embedded LDAP server.
Configuring Backups for the Embedded LDAP Server
To configure the backups of the embedded LDAP server:
Configuring a New Security Realm
To configure a new security realm:
All the security realms available for the WebLogic domain are listed in the Realms table.
The J2EE Security Mode attribute specifies whether or not security for EJBs and Web applications is defined through the Administration Console or through deployment descriptors. The following options are available:
The Deployment Descriptor Security Behavior attributes specifies whether or not WebLogic Server loads security data from the weblogic.xml and weblogic-ejb-jar.xml deployment descriptors into the Authorization and Role Mapping providers configured for the security realm each time an application is deployed. The following options are available:
Configuring an Authentication Provider: Main Steps
WebLogic Server offers the following types of Authentication providers:
In addition, you can use a Custom Authentication provider which offers different types of authentication technologies.
Note: The Administration Console refers to the WebLogic Authentication provider as the Default Authenticator.
Each security realm must have one at least one Authentication provider configured. The WebLogic Security Framework is designed to support multiple Authentication providers (and thus multiple LoginModules) for multipart authentication. Therefore, you can use multiple Authentication providers as well as multiple types of Authentication providers in a security realm. The Control Flag attribute determines how the LoginModules for each Authentication provider is used in the authentication process. For more information, see Setting the JAAS Control Flag.
To configure an Authentication provider:
If you are configuring multiple Authentication providers, refer to Setting the JAAS Control Flag.
Setting the JAAS Control Flag
If a security realm has multiple Authentication providers configured, the Control Flag attribute on the Authenticator-->General tab determines the ordered execution of the Authentication providers. The values for the Control Flag attribute are as follows:
Configuring the WebLogic Authentication Provider
Note: The Administration Console refers to the WebLogic Authentication provider as the Default Authenticator.
The WebLogic Authentication provider is case insensitive. Ensure user names are unique.
The WebLogic Authentication provider allows you to edit, list, and manage users and group membership. User and group membership information for the WebLogic Authentication provider is stored in the embedded LDAP server.
To configure the WebLogic Authentication provider:
Configuring an LDAP Authentication Provider
To configure an LDAP Authentication provider:
Setting LDAP Server and Caching Information
To set LDAP server and caching information:
For example, click the iPlanet LDAP tab under the iPlanet Configuration tab.
For a more secure deployment, BEA recommends using the SSL protocol to protect communications between the LDAP server and WebLogic Server. For more information, see Configuring Two-Way SSL
Locating Users in the LDAP Directory
To specify how users are located in the LDAP directory:
For example, click the Users tab under the iPlanet Configuration tab.
Locating Groups in the LDAP Directory
To specify how groups are stored and located in the LDAP directory:
For example, click the Groups tab under the iPlanet Configuration tab.
Locating Members of a Group in the LDAP Directory
Note: The iPlanet Authentication provider supports dynamic groups. To use dynamic groups, set the Dynamic Group Object Class, Dynamic Group Name Attribute, and Dynamic Member URL Attribute attributes on the Members tab.
To specify how groups members are stored and located in the LDAP directory:
For example, click the Membership tab under the iPlanet Configuration tab.
Configuring the Realm Adapter Authentication Provider
To configure the Realm Adapter Authentication provider:
Changing the Order of Authentication Providers
The way you configure multiple Authentication providers can affect the overall outcome of the authentication process, which is especially important for multipart authentication. Authentication providers are called in the order in which they are configured. The Authentication Providers table lists the authentication providers in the order they were configured. Click the Re-order the Configured Authentication Providers... link to change the order of the providers. Be aware that the way each Authentication provider's Control Flag attribute is set effects the outcome of the authentication process. For more information, see Setting the JAAS Control Flag.
To change the ordering of Authentication providers:
Configuring the WebLogic Authorization Provider
Note: The Administration Console refers to the WebLogic Authorization provider as the Default Authorizer.
To configure the WebLogic Authorization provider:
Configuring the WebLogic Credential Mapping Provider
To configure the WebLogic Credential Mapping provider:
The Credential Mapping Deployment Enabled attribute specifies whether or not this Credential Mapping provider imports credential maps from a 6.x Resource Adapter Archive (RAR). In order to support the Credential Mapping Deployment Enabled attribute, a Credential Mapping provider must implement the DeployableCredentialProvider SSPI. By default, the WebLogic Credential Mapping provider has this attribute enabled. The credential mapping information is stored in the embedded LDAP server.
Configuring the WebLogic Role Mapping Provider
To configure an Role Mapping provider:
The Role Mappers tab appears. This tab displays the name of the default Role Mapping provider for the realm that is being configured.
The General tab appears.
Configuring a WebLogic Identity Assertion Provider
Note: If you are creating a new security realm, configuring an Identity Assertion provider is an optional step.
The Administration Console refers to the WebLogic Identity Assertion provider as the Default Identity Asserter.
To configure the WebLogic Identity Assertion provider:
Configuring the WebLogic Adjudication Provider
Note: The Administration Console refers to the WebLogic Adjudication provider as the Default Adjudicator.
To configure the WebLogic Adjudication provider:
Configuring a WebLogic Auditing Provider
Warning: Using an Auditing provider affects the performance of WebLogic Server even if only a few events are logged.
If you are creating a new security realm, configuring an Auditing provider is an optional step. The Administration Console refers to the WebLogic Auditing provider as the Default Auditor.
To configure the WebLogic Auditing provider:
The General tab appears.
Configuring a Custom Security Provider
To configure a Custom security provider:
The tab for the provider appears.
where Security_Provider_Type is the name of your custom security provider. This name is read from the DisplayName attribute in the MBeanType tag of the MBean Definition File (MDF).
The Name attribute displays the name of your Custom Security provider.
Deleting a Security Provider
To delete a security provider:
Note: Deleting and modifying configured security providers by using the Administration Console may require manual clean up of the databases.
Configuring a User Name Mapper
When using 2-way SSL, WebLogic Server verifies the digital certificate of the Web browser or Java client when establishing an SSL connection. However, the digital certificate does not identify the Web browser or Java client as a user in the WebLogic Server security realm. If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires the Web browser or Java client to have an identity. The WebLogic Identity Assertion provider allows you to enable a user name mapper that maps the digital certificate of a Web browser or Java client to a user in a WebLogic Server security realm.
The user name mapper is an implementation the weblogic.security.providers.authentication.UserNameMapper interface. By default, WebLogic Server provides a default implementation of the weblogic.security.providers.authentication.UserNameMapper interface. You can also write your own implementation
The WebLogic Identity Assertion provider calls the user name mapper for the following types of identity assertion token types:
The default user name mapper uses the attributes from the subject DN of the digital certificate or the distinguished name to map to the appropriate user in the WebLogic Server security realm. For example, the user name mapper can be configured to map a user from the Email attribute of the subject DN (firstname.lastname@example.org) to a user in the WebLogic Server security realm (smith).
To use the default user name mapper:
Configuring a Custom User Name Mapper
To install a custom user name mapper:
Importing and Export Security Data from Security Realms
When creating new security realms, security data (authentication, authorization, credential map, and role data) from one security realm can be exported into a file and then imported into another security realm. This feature allows you to develop and test new security realms without recreating all the security data (for example, when moving a development security realm to production). Only information from the WebLogic security providers can be exported and imported. Two options are available:
Note: You can only export and import security data between security realms in the same WebLogic Server release.
To export and import security data:
Note: You can specify a directory and file location on another server.
To verify the security data was imported correctly:
Importing and Exporting Security Data from Security Providers
Provider-specific security data can also be exported and imported between providers in different security realms. Each provider displays the supported formats (DefaultAtn, DefaultAtz, DefaultCreds, or DefaultRoles). The constraints define the data types (users, groups, roles, and credmaps). The constraints are only displayed for the WebLogic Authentication provider because you have the option of exporting or importing users and groups, just users, just groups, specific users, or specific groups.
To export and import security data from a security provider:
Changing the Default Security Realm
By default, WebLogic Server sets the myrealm as the default security realm.
The pull-down menu on the Default Realm attribute displays the security realms configured in the WebLogic domain.
Note: If you create a new security realm but do not configure the required security providers, the realm will not be available from the pull-down menu.
To verify you set the default security realm correctly:
The Realms table appears. All the realms available in the domain are listed. The default security realm has the Default Realm attribute set to true.
Deleting A Security Realm
The Realms table appears. All the realms available the domain are listed in a table.
Are you sure you want to permanently delete OldRealm from the domain configuration?
A confirmation message appears when the security realm is deleted.
Configuring Keystores and SSL
Note: For a complete description of configuring a keystore for use with WebLogic Server, see Managing WebLogic Security.
By default, WebLogic Server is configured with two keystores:
These keystores are located in the BEA_HOME\weblogic710\server\lib directory. For testing and development purposes, the keystore configuration is complete. Use the steps in this section to configure identity and trust keystores for production use.
Before you perform the steps in this section, you need to:
For a complete description of these steps, see Managing WebLogic Security.
To set attributes for the identity and trust keystores:
The information about the demonstration keystores is displayed in the Keystore Configuration.
If you choose Java Standard Trust, specify the password defined when creating the keystore. Confirm the password.
If you choose Custom Trust, define the following attributes:
Configuring Two-Way SSL
By default, WebLogic Server is configured to use one-way SSL (the server passes its identity to the client). For a more secure SSL connection, use two-way SSL. In a two-way SSL connection, the client verifies the identity and trust of the server and then passes its identity and trust to the server. The server then validates the identity and trust of the client before completing the SSL connection. The server determines whether or not two-way SSL is used.
To enable two-way SSL:
Enabling Trust Between WebLogic Domains
A trust relationship is established when principals in a Subject from one WebLogic Server domain (referred to as a domain) are accepted as principals in the local domain. If you want two 7.0 domains to interoperate, perform the following procedure in both domains.
To establish a trust relationship between WebLogic Server domains:
Configuring Connection Filtering
To configure a connection filter: