Oracle® Fusion Middleware Securing Oracle WebLogic Server
12c Release 1 (12.1.1)

Part Number E24422-04

15 Using Compatibility Security

This chapter describes Compatibility security, which is the capability to run security configurations developed with WebLogic Server 6.x in this release of WebLogic Server. In Compatibility security, you manage 6.x security realms, users, groups, and ACLs, protect user accounts, and configure the Realm Adapter Auditing provider and optionally the Identity Assertion provider in the Realm Adapter Authentication provider.

This chapter includes the following sections:

Running Compatibility Security: Main Steps

To set up Compatibility security:

  1. Make a backup copy of your 6.x WebLogic domain (including your config.xml file) before using Compatibility security.

  2. Add the following to the 6.x config.xml file if it does not exist, replacing the values with the actual names of your domain, security realm, and FileRealm:

    <Security Name="mydomain" Realm="mysecurity"/> 
    <Realm Name="mysecurity" FileRealm="myrealm"/> 
    <FileRealm Name="myrealm"/> 
    
  3. Install the current version of WebLogic Server in a new directory location. Do not overwrite your existing 6.x installation directory. For more information, see Installation Guide for Oracle WebLogic Server.

  4. Modify the start script for your 6.x server to point to the new WebLogic Server installation. Specifically, you need to modify:

    • The classpath to point to the weblogic.jar file in the new WebLogic Server installation.

    • The JAVA_HOME variable to point to the new WebLogic Server installation.

  5. Use the start script for your 6.x server to boot the new version of WebLogic Server.

To verify whether you are running Compatibility security correctly, open the new WebLogic Server Administration Console. If you are running Compatibility security, a Compatibility Security node is displayed on the left in the Domain Structure pane.
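Before booting with the modified start script, it is worth checking that the three elements from step 2 are present and reference each other consistently. The following script is an added example, not Oracle's tooling; the sample config.xml is constructed and the domain and realm names (mydomain, mysecurity, myrealm) are assumptions taken from the step above.

```python
"""Check (and complete) the Compatibility security elements in a WebLogic 6.x
config.xml: <Security Realm=...> -> <Realm Name=... FileRealm=...> -> <FileRealm Name=...>.
Added example; the sample document below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: Security and Realm are present, FileRealm is missing.
SAMPLE_CONFIG = """<Domain Name="mydomain">
  <Security Name="mydomain" Realm="mysecurity"/>
  <Realm Name="mysecurity" FileRealm="myrealm"/>
</Domain>"""


def _find_realm(root, security):
    """Return the <Realm> whose Name matches Security.Realm, or None."""
    if security is None:
        return None
    return next((r for r in root.findall("Realm")
                 if r.get("Name") == security.get("Realm")), None)


def compat_security_issues(config_xml):
    """Return a list of problems; an empty list means the chain is consistent."""
    root = ET.fromstring(config_xml)
    security = root.find("Security")
    if security is None or not security.get("Realm"):
        return ["missing <Security> element or its Realm attribute"]
    realm = _find_realm(root, security)
    if realm is None:
        return ["Security.Realm=%r has no matching <Realm Name=...>"
                % security.get("Realm")]
    file_realm = realm.get("FileRealm")
    if not file_realm:
        return ["<Realm %s> has no FileRealm attribute" % realm.get("Name")]
    if not any(f.get("Name") == file_realm for f in root.findall("FileRealm")):
        return ["Realm.FileRealm=%r has no matching <FileRealm Name=...>" % file_realm]
    return []


def add_missing_file_realm(config_xml):
    """Append the <FileRealm> the Realm refers to if it is absent.

    Only the FileRealm case is completed; a missing Security or Realm element
    is reported by compat_security_issues() instead, because their names must
    match the domain's existing configuration rather than a guessed default."""
    root = ET.fromstring(config_xml)
    realm = _find_realm(root, root.find("Security"))
    if realm is not None and realm.get("FileRealm"):
        name = realm.get("FileRealm")
        if not any(f.get("Name") == name for f in root.findall("FileRealm")):
            ET.SubElement(root, "FileRealm", Name=name)
    return ET.tostring(root, encoding="unicode")
```

Run the check again on the returned document before writing it back over your (backed-up) config.xml.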

Limited Visibility of Compatibility Security MBeans

All Compatibility security MBeans are marked excluded and therefore have limited visibility in the WebLogic Scripting Tool. For example, the following command lists the attributes of the DomainMBean, excluding Compatibility security attributes such as FileRealmMBean:

java weblogic.WLST
connect()
ls()

However, if you address a Compatibility MBean directly, you can access it as in the following command:

java weblogic.WLST
connect()
cmo.getFileRealms()

The Default Security Configuration in the CompatibilityRealm

By default, the CompatibilityRealm is configured with a Realm Adapter Adjudication provider, a Realm Adapter Authentication provider, a WebLogic Authorization provider, a Realm Adapter Authorization provider, a WebLogic Credential Mapping provider, and a WebLogic Role Mapping provider.

Configuring a Realm Adapter Authentication Provider

When using Compatibility security, a Realm Adapter Authentication provider is by default configured for the CompatibilityRealm. For information about using the Realm Adapter Authentication provider in the CompatibilityRealm, see The Default Security Configuration in the CompatibilityRealm.

The Realm Adapter Authentication provider also allows use of implementations of the weblogic.security.acl.CertAuthenticator class with this release of WebLogic Server. The Realm Adapter Authentication provider includes an Identity Assertion provider that asserts identity based on X.509 tokens. For information about using a CertAuthenticator with WebLogic Server, see Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider.

When you add a Realm Adapter Authentication provider to a security realm with an Authentication provider already configured, WebLogic Server sets the JAAS Control Flag on the Realm Adapter Authentication provider to OPTIONAL and checks for the presence of a fileRealm.properties file in the domain directory. WebLogic Server will not add the Realm Adapter Authentication provider to the security realm if the fileRealm.properties file does not exist.

Note:

The subjects produced by the Realm Adapter Authentication provider do not contain principals for the groups to which a user belongs. Use the weblogic.security.SubjectUtils.isUserInGroup() method to determine whether a user is in a group. When you use subjects produced by the Realm Adapter Authentication provider, you cannot iterate the complete set of groups to which a user belongs.

Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider

The Realm Adapter Authentication provider includes an Identity Assertion provider. The Identity Assertion provider provides backward compatibility for implementations of the deprecated weblogic.security.acl.CertAuthenticator class. The identity assertion is performed on X.509 tokens. By default, the Identity Assertion provider is not enabled in the Realm Adapter Authentication provider.

For information about how to enable the Identity Assertion provider, see "Enable the Identity Assertion provider" in the Oracle WebLogic Server Administration Console Help.

Configuring a Realm Adapter Auditing Provider

The Realm Adapter Auditing provider allows you to use implementations of the weblogic.security.audit.AuditProvider interface when using Compatibility security. In order for the Realm Adapter Auditing provider to work properly, an implementation of the AuditProvider interface must already have been defined. You can define the AuditProvider class in the Administration Console, in the Audit Provider Class field on the Domain: Compatibility Security > General page.

For information, see "Configure a Realm Adapter Auditing provider" in the Oracle WebLogic Server Administration Console Help.

Protecting User Accounts in Compatibility Security

Password guessing is a common type of security attack. In this type of attack, a hacker attempts to log in to a computer using various combinations of usernames and passwords. WebLogic Server provides a set of lockout configuration options to protect user accounts from this kind of attack. By default, these options are set for maximum protection. As a system administrator, you can turn off all of the options, increase the number of login attempts allowed before a user account is locked, increase the time period within which invalid login attempts are counted before the user account is locked, and change the amount of time a user account stays locked. Remember that relaxing these configuration options lessens security and leaves user accounts vulnerable to this kind of attack.

There are two sets of configuration options available to protect user accounts, one set at the domain and one set at the security realm. You may notice that if you set one set of configuration options (for example, the options for the security realm) and exceed any of the values, the user account is not locked. This happens because the user account lockout options at the domain override the user account options at the security realm. To avoid this situation, disable the user account lockout options at the security realm.

Caution:

If you disable the user lockout configuration options at the security realm, you must set the user lockout configuration options on the domain; otherwise the user accounts will not be protected.

For information, see "Protect user accounts" and "Unlock user accounts" in the Oracle WebLogic Server Administration Console Help.

Accessing 6.x Security from Compatibility Security

Using Compatibility security assumes that you have an existing config.xml file with a security realm that defines users and groups and ACLs that protect the resources in your WebLogic domain. WebLogic Server 6.x security management tasks such as configuring a security realm or defining ACLs should not be required and therefore those management tasks are not described in this section. However, if you corrupt an existing 6.x security realm and have no choice but to restore it, the following 6.x security management tasks are described in the Compatibility Security topic of the Oracle WebLogic Server Administration Console Help: