Oracle® Fusion Middleware Securing Oracle WebLogic Server
12c Release 1 (12.1.1)

Part Number E24422-04

3 Customizing the Default Security Configuration

This chapter describes how you can customize the default security configuration by creating a new security realm.

This chapter includes the following sections:

For information about configuring security providers, see Chapter 4, "Configuring WebLogic Security Providers" and Chapter 5, "Configuring Authentication Providers".

For information about migrating security data to a new security realm, see Chapter 8, "Migrating Security Data".

Why Customize the Default Security Configuration?

To simplify the configuration and management of security, WebLogic Server provides a default security configuration. In the default security configuration, myrealm is set as the default (active) security realm, and the WebLogic Adjudication, Authentication, Identity Assertion, Credential Mapping, CertPath, XACML Authorization and XACML Role Mapping providers are defined as the security providers in the security realm.

Customize the default security configuration if you want to do any of the following:

For information about configuring different types of security providers in a security realm, see Chapter 4, "Configuring WebLogic Security Providers" and Chapter 5, "Configuring Authentication Providers".

The easiest way to customize the default security configuration is to add the security providers you want to the default security realm (myrealm). However, Oracle recommends instead that you customize the default security configuration by creating an entirely new security realm. This makes it easier to revert to the default security configuration. You configure security providers for the new realm; migrate any security data, such as users and groups, from the existing default realm; and then set the new security realm as the default realm. See Creating and Configuring a New Security Realm: Main Steps.

Before You Create a New Security Realm

Before creating a new security realm, you need to decide:

For more information, see "Configure new security realms" in the Oracle WebLogic Server Administration Console Help.

Creating and Configuring a New Security Realm: Main Steps

To create a new security realm:

  1. Define a name and set the configuration options for the security realm. See Before You Create a New Security Realm and "Configure new security realms" in the Oracle WebLogic Server Administration Console Help.

  2. Configure the required security providers for the security realm. A valid security realm requires an Authentication provider, an Authorization provider, an Adjudication provider, a Credential Mapping provider, a Role Mapping provider, and a CertPathBuilder. See Chapter 4, "Configuring WebLogic Security Providers" and Chapter 5, "Configuring Authentication Providers".

  3. Optionally, define Identity Assertion, Auditing, and Certificate Registry providers. See Chapter 4, "Configuring WebLogic Security Providers" and Chapter 5, "Configuring Authentication Providers".

  4. If you configured the Default Authentication, Authorization, Credential Mapping or Role Mapping provider or the Certificate Registry in the new security realm, verify that the settings of the embedded LDAP server are appropriate. See Chapter 10, "Managing the Embedded LDAP Server".

  5. Optionally, configure caches to improve the performance of the WebLogic or LDAP Authentication providers in the security realm. See Improving the Performance of WebLogic and LDAP Authentication Providers.

  6. Protect WebLogic resources in the new security realm with security policies. Creating security policies is a multi-step process with many options. To fully understand this process, read Securing Resources Using Roles and Policies for Oracle WebLogic Server in conjunction with Securing Oracle WebLogic Server to ensure security is completely configured for a WebLogic Server deployment.

  7. If the security data (users and groups, roles and policies, and credential maps) defined in the existing security realm will also be valid in the new security realm, you can export the security data from the existing realm and import it into the new security realm. See Chapter 8, "Migrating Security Data".

  8. Protect user accounts in the new security realm from dictionary attacks by setting lockout attributes. See Protecting User Accounts.

  9. Set the new realm as the default security realm for the WebLogic domain. See "Change the default security realm" in the Oracle WebLogic Server Administration Console Help.

    Note:

    You can also use the WebLogic Scripting Tool or Java Management Extensions (JMX) APIs to create a new security configuration. See Oracle WebLogic Scripting Tool.