Contents for Securing WebLogic Server
Introduction and Roadmap
Document Scope
Document Audience
Guide to this Document
Related Information
Security Samples and Tutorials
Security Examples in the WebLogic Server Distribution
Additional Examples Available for Download
New and Changed Security Features in This Release
New Security Providers
Authentication Providers
Identity Assertion Providers
SAML Providers
Certificate Lookup and Validation Providers
Overview of Security Management
Security Realms in WebLogic Server
Security Providers
Security Policies and WebLogic Resources
WebLogic Resources
Deployment Descriptors and the WebLogic Administration Console
The Default Security Configuration in WebLogic Server
Configuring WebLogic Security: Main Steps
What Is Compatibility Security?
Management Tasks Available in Compatibility Security
Customizing the Default Security Configuration
Why Customize the Default Security Configuration?
Configuration Decisions When Creating a New Security Realm
Creating a New Security Realm: Main Steps
Configuring WebLogic Security Providers
When Do I Need to Configure a Security Provider?
Configuring the WebLogic Authorization Provider
Configuring the WebLogic Adjudication Provider
Configuring a WebLogic Role Mapping Provider
Configuring the WebLogic Auditing Provider
Auditing ContextHandler Elements
Configuration Auditing
Enabling Configuration Auditing
Configuration Auditing Messages
Audit Events and Auditing Providers
Configuring a WebLogic Credential Mapping Provider
Creating Credential Mappings
Configuring a PKI Credential Mapping Provider
PKI Credential Mapper Attributes
Creating PKI Credential Mappings
Credential Actions
Configuring a SAML Credential Mapping Provider
SAML Authority Configuration
Source Site Configuration
POST Profile Configuration
Artifact Profile Configuration
Produced Assertion Configuration
Example of Produced Assertion Configuration
Configuring the Credential Lookup and Validation Framework
CertPath Provider
Certificate Registry
Configuring a WebLogic Keystore Provider
Configuring Authentication Providers
Choosing an Authentication Provider
Using More than One Authentication Provider
Setting the JAAS Control Flag Option
Changing the Order of Authentication Providers
Configuring the WebLogic Authentication Provider
Configuring LDAP Authentication Providers
Requirements for Using an LDAP Authentication Provider
Accessing Other LDAP Servers
Configuring Failover for LDAP Authentication Providers
LDAP Failover Example 1
LDAP Failover Example 2
Improving the Performance of WebLogic and LDAP Authentication Providers
Optimizing the Group Membership Caches
Configuring Dynamic Groups in the iPlanet Authentication Provider to Improve Performance
Optimizing the Principal Validator Cache
Configuring the Active Directory Authentication Provider to Improve Performance
Configuring RDBMS Authentication Providers
Common RDBMS Authentication Provider Attributes
Data Source Attribute
Group Searching Attributes
Group Caching Attributes
Configuring the SQL Authenticator
Password Attributes
SQL Statement Attributes
Configuring the Read-Only SQL Authenticator
Configuring the Custom DBMS Authenticator
Plug-In Class Attributes
Configuring a Windows NT Authentication Provider
Domain Controller Settings
LogonType Setting
UPN Names Settings
Configuring Identity Assertion Providers
How an LDAP X509 Identity Assertion Provider Works
Configuring an LDAP X509 Identity Assertion Provider: Main Steps
Configuring a Negotiate Identity Assertion Provider
Configuring a SAML Identity Assertion Provider
POST and ARTIFACT Profiles
SAML Destination Site Configuration
Limiting the Re-use of Assertions
Certificate Registry
Consumed Assertion Configuration
Example of Consumed Assertion Configuration
Ordering of Identity Assertion for Servlets
Configuring Identity Assertion Performance in the Server Cache
Configuring a User Name Mapper
Configuring a Custom User Name Mapper
Configuring Single Sign-On with Microsoft Clients
Single Sign-On with Microsoft Clients: Main Steps
System Requirements for SSO with Microsoft Clients
Configuring your Network Domain to Use Kerberos
Creating a Kerberos Identification for WebLogic Server
Configuring Microsoft Clients to Use Windows Integrated Authentication
Configuring a .NET Web Service
Configuring an Internet Explorer Browser
Configure Local Intranet Domains
Configure Intranet Authentication
Verify the Proxy Settings
Set Integrated Authentication for Internet Explorer 6.0
Creating a JAAS Login File
Configuring the Identity Assertion Provider
Startup Arguments for Using Kerberos Authentication with WebLogic Server
Verifying that SSO with Microsoft Clients Works
Configuring Single Sign-On with Web Browsers and HTTP Clients
Overview of SAML-Based Single Sign-On
Single Sign-On with SAML: Main Steps
Configuring a SAML Source Site for Single Sign-On
Configure SAML Authority Attributes
Configure Source Site Attributes
Configure Supported Profiles
Configure Produced Assertions
Configuring a SAML Destination Site for Single Sign-On
Configure Supported Profiles
Configure Consumed Assertions
Migrating Security Data
Overview of Security Data Migration
Migration Concepts
Formats and Constraints Supported by the WebLogic Security Providers
Migrating Data Using WLST
Migrating Data Using weblogic.admin
Managing the Embedded LDAP Server
Configuring the Embedded LDAP Server
Embedded LDAP Server Replication
Viewing the Contents of the Embedded LDAP Server from an LDAP Browser
Exporting and Importing Information in the Embedded LDAP Server
LDAP Access Control Syntax
The Access Control File
Access Control Location
Access Control Scope
Access Rights
Attribute Permissions
Entry Permissions
Attributes Types
Subject Types
Grant/Deny Evaluation Rules
Configuring Identity and Trust
Private Keys, Digital Certificates, and Trusted Certificate Authorities
Configuring Identity and Trust: Main Steps
Supported Formats for Identity and Trust
Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authorities
Common Keytool Commands
Using the CertGen Utility
Using Your Own Certificate Authority
Converting a Microsoft p7b Format to PEM Format
Obtaining a Digital Certificate for a Web Browser
Using Certificate Chains (Deprecated)
Storing Private Keys, Digital Certificates, and Trusted Certificate Authorities
Guidelines for Using Keystores
Creating a Keystore and Loading Private Keys and Trusted Certificate Authorities into the Keystore
How WebLogic Server Locates Trust
Configuring Keystores For Production
Configuring SSL
SSL: An Introduction
One-Way and Two-Way SSL
Setting Up SSL: Main Steps
Using Host Name Verification
Enabling SSL Debugging
SSL Session Behavior
Configuring RMI over IIOP with SSL
SSL Certificate Validation
Controlling the Level of Certificate Validation
Checking Certificate Chains
Troubleshooting Problems with Certificate Validation
Enabling SSL Debugging
Using Certificate Lookup and Validation Providers
Using the nCipher JCE Provider with WebLogic Server
Specifying the Version of the SSL Protocol
Configuring Security for a WebLogic Domain
Enabling Trust Between WebLogic Server Domains
Using Connection Filters
Using the Java Authorization Contract for Containers
Viewing MBean Attributes
How Passwords are Protected in WebLogic Server
Protecting User Accounts
Using Compatibility Security
Running Compatibility Security: Main Steps
Compatibility Security MBeans
The Default Security Configuration in the CompatibilityRealm
Configuring a Realm Adapter Authentication Provider
Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider
Configuring a Realm Adapter Auditing Provider
Protecting User Accounts in Compatibility Security
Accessing 6.x Security from Compatibility Security
Security Configuration MBeans
SSLMBean
ServerMBean
EmbeddedLDAPMBean
SecurityMBean
SecurityConfigurationMBean
RealmMBean
WindowsNTAuthenticatorMBean
CustomDBMSAuthenticatorMBean
ReadonlySQLAuthenticatorMBean
SQLAuthenticatorMBean
DefaultAuditorMBean
Compatibility Security MBeans
UserLockoutManagerMBean
Other Security Provider MBeans