Securing a Production Environment

Introduction and Roadmap

The following sections describe the contents and organization of this guide—Securing a Production Environment.

Document Scope and Audience

This guide describes how to secure a WebLogic Server^® production environment.

It is intended for the following audiences:

Application Architects—Architects who, in addition to setting security goals and designing the overall security architecture for their organizations, evaluate WebLogic Server security features and determine how to best implement them. Application Architects have in-depth knowledge of Java programming, Java security, and network security, as well as knowledge of security systems and leading-edge, security technologies and tools.
Security Developers—Developers who focus on defining the system architecture and infrastructure for security products that integrate into WebLogic Server and on developing custom security providers for use with WebLogic Server. Security Developers have a solid understanding of security concepts, including authentication, authorization, auditing (AAA), in-depth knowledge of Java (including Java Management eXtensions (JMX), and working knowledge of WebLogic Server and security provider functionality.
Application Developers—Java programmers who develop and add security to Web applications and Enterprise JavaBeans (EJBs), and work with other engineering, quality assurance (QA), and database teams to implement security features. Application Developers have in-depth/working knowledge of Java (including J2EE components such as servlets/JSPs and JSEE) and Java security.
Server Administrators—Administrators who work closely with Application Architects to design a security scheme for the server and the applications running on the server, to identify potential security risks, and to propose configurations that prevent security problems. Related responsibilities may include maintaining critical production systems, configuring and managing security realms, implementing authentication and authorization schemes for server and application resources, upgrading security features, and maintaining security provider databases. Server Administrators have in-depth knowledge of the Java security architecture, including Web services, Web application and EJB security, Public Key security, SSL, and Security Assertion Markup Language (SAML).
Application Administrators—Administrators who work with Server Administrators to implement and maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources in defined security realms. Application Administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs.

Guide to This Document

This document is organized as follows:

This chapter, Introduction and Roadmap, introduces the organization of this guide.
Determining Your Security Needs explains how to determine the security needs for your particular environment and describes basic measures to ensure that those needs are being met.
Ensuring the Security of Your Production Environment highlights essential security measures to consider before you deploy WebLogic Server into a production environment and describes how to use different security settings to secure a production environment.

Related Information

The following BEA WebLogic Server documents contain information that is relevant to the WebLogic Security Service:

Securing WebLogic Server—explains how to configure security for WebLogic Server and how to use Compatibility security.
Developing Security Providers for WebLogic Server—explains how vendors and application developers can develop custom security providers that can be used with WebLogic Server.
Understanding WebLogic Security—provides an overview of the features, architecture, and functionality of the WebLogic Security Service. It is the starting point for understanding the WebLogic Security Service.
Securing WebLogic Resources—describes how to secure WebLogic resources. It primarily focuses on securing URL (Web) and Enterprise JavaBean (EJB) resources.
Upgrading WebLogic Application Environments—provides procedures and other information you need to upgrade 6.x and earlier versions of WebLogic Server to WebLogic Server 9.1. It also provides information about moving applications from a 6.x or earlier version of WebLogic Server to 9.1. For specific information on upgrading WebLogic Server security, see Upgrading a Security Provider in the Upgrading WebLogic Application Environments.
Javadocs for WebLogic Classes—is reference documentation for the WebLogic security packages that are provided with and supported by this release of WebLogic Server.

Security Samples and Tutorials

BEA Systems provides code samples for Java Authentication and Authorization Service and for Outbound and Two-way SSL for Security developers. The examples and tutorials illustrate WebLogic Server Security in action, and provide practical instructions on how to perform key Security development tasks.

BEA recommends that you run some or all of the Security examples before developing your own Security configurations.

Avitek Medical Records Application (MedRec) and Tutorials

MedRec is an end-to-end sample J2EE application shipped with WebLogic Server that simulates an independent, centralized medical record management system. The MedRec application provides a framework for patients, doctors, and administrators to manage patient data using a variety of different clients.

MedRec demonstrates WebLogic Server and J2EE features, and highlights BEA-recommended best practices. MedRec is included in the WebLogic Server distribution, and can be accessed from the Start menu on Windows machines. For Linux and other platforms, you can start MedRec from the WL_HOME\samples\domains\medrec directory, where WL_HOME is the top-level installation directory for WebLogic Platform.

MedRec includes a service tier consisting primarily of Enterprise Java Beans (EJBs) that work together to process requests from Web applications, Web services, workflow applications, and future client applications. The application includes message-driven, stateless session, stateful session, and entity EJBs.

Security Examples in the WebLogic Server Distribution

WebLogic Server 9.1 optionally installs API code examples in WL_HOME\samples\server\examples\src\examples, where WL_HOME is the top-level directory of your WebLogic Server installation. You can start the examples server, and obtain information about the samples and how to run them from the WebLogic Server 9.1 Start menu.

Additional Security Examples Available for Download

Additional API examples for download at http://dev.bea.com/code/index.jsp. These examples are distributed as ZIP files that you can unzip into an existing WebLogic Server samples directory structure.

You build and run the downloadable examples in the same manner as you would an installed WebLogic Server example. See the download pages of individual examples for more information at http://dev.bea.com/code/index.jsp.