2 Overview of Security Management

This chapter describes the basic features of the WebLogic Server security system. For a broader overview, see Understanding Security for Oracle WebLogic Server.

This chapter includes the following sections:

Note:

Throughout this document, the term 6.x refers to WebLogic Server 6.0 and 6.1 and their associated service packs.

Security Realms in WebLogic Server

The security service in WebLogic Server simplifies the configuration and management of security while offering robust capabilities for securing your WebLogic Server deployment. Security realms act as a scoping mechanism. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies. You can configure multiple security realms in a domain; however, only one can be the active security realm. WebLogic Server provides two default security realms:

  • myrealm—Has the WebLogic Adjudication, Authentication, Identity Assertion, Authorization, Role Mapping, and Credential Mapping providers configured by default.

  • CompatibilityRealm—Provides backward compatibility for 6.x security configurations. You can access an existing 6.x security configuration through the CompatibilityRealm.

You can customize authentication and authorization functions by configuring a new security realm to provide the security services you want and then set the new security realm as the default security realm.

For information about the default security configuration in WebLogic Server, see The Default Security Configuration in WebLogic Server.

For information about configuring a security realm and setting it as the default security realm, see Chapter 3, "Customizing the Default Security Configuration".

For information about Compatibility security, see Chapter 16, "Using Compatibility Security".

Security Providers

Security providers are modular components that handle specific aspects of security, such as authentication and authorization. Although applications can leverage the services offered by the default WebLogic security providers, the WebLogic Security Service's flexible infrastructure also allows security vendors to write their own custom security providers for use with WebLogic Server. WebLogic security providers and custom security providers can be mixed and matched to create unique security solutions, allowing organizations to take advantage of new technology advances in some areas while retaining proven methods in others. The WebLogic Administration Console allows you to administer and manage all your security providers through one unified management interface.

The WebLogic Security Service supports the following types of security providers:

  • Authentication—Authentication is the process whereby the identity of users or system processes are proved or verified. Authentication also involves remembering, transporting, and making identity information available to various components of a system when that information is needed. Authentication providers supported by the WebLogic Security Service supply the following types of authentication:

    • Username and password authentication

    • Certificate-based authentication directly with WebLogic Server

    • HTTP certificate-based authentication proxied through an external Web server

  • Identity Assertion—An Authentication provider that performs perimeter authentication—a special type of authentication using tokens—is called an Identity Assertion provider. Identity assertion involves establishing a client's identity through the use of client-supplied tokens that may exist outside of the request. Thus, the function of an Identity Assertion provider is to validate and map a token to a username. Once this mapping is complete, an Authentication provider's LoginModule can be used to convert the username to a principal (an authenticated user, group, or system process).

  • Authorization—Authorization is the process whereby the interactions between users and WebLogic resources are limited to ensure integrity, confidentiality, and availability. In other words, once a user's identity has been established by an authentication provider, authorization is responsible for determining whether access to WebLogic resources should be permitted for that user. An Authorization provider supplies these services.

  • Role Mapping—You can assign one or more roles to multiple users and then specify access rights for users who hold particular roles. A Role Mapping provider obtains a computed set of roles granted to a requestor for a given resource. Role Mapping providers supply Authorization providers with this information so that the Authorization provider can answer the "is access allowed?" question for WebLogic resources that use role-based security (for example, Web applications and Enterprise JavaBeans (EJBs)).

  • Adjudication—When multiple Authorization providers are configured in a security realm, each may return a different answer to the "is access allowed" question for a given resource. Determining what to do if multiple Authorization providers do not agree is the primary function of an Adjudication provider. Adjudication providers resolve authorization conflicts by weighing each Authorization provider's answer and returning a final access decision.

  • Credential Mapping—A credential map is a mapping of credentials used by WebLogic Server to credentials used in a legacy or remote system, which tell WebLogic Server how to connect to a given resource in that system. In other words, credential maps allow WebLogic Server to log into a remote system on behalf of a subject that has already been authenticated. Credential Mapping providers map credentials in this way.

  • Keystore—A keystore is a mechanism for creating and managing password-protected stores of private keys and certificates for trusted certificate authorities. The keystore is available to applications that may need it for authentication or signing purposes. In the WebLogic Server security architecture, the WebLogic Keystore provider is used to access keystores.

    Note:

    The WebLogic Server Keystore provider is deprecated and is only supported for backward compatibility. Use keystores instead. For more information about configuring keystores, see Configuring Keystores for Production.

  • Certificate Lookup and Validation (CLV)—X.509 certificates need to be located and validated for purposes of identity and trust. CLV providers receive certificates, certificate chains, or certificate references, complete the certificate path (if necessary), and validate all the certificates in the path. There are two types of CLV providers:

    • A CertPath Builder looks up and optionally completes the certificate path and validates the certificates.

    • A CertPath Validator looks up and optionally completes the certificate path, validates the certificates, and performs extra validation (for example, revocation checking).

  • Certificate Registry—A certificate registry is a mechanism for adding certificate revocation checking to a security realm. The registry stores a list of valid certificates. Only registered certificates are valid. A certificate is revoked by removing it from the certificate registry. The registry is stored in the embedded LDAP server. The Certificate Registry is both a CertPath Builder and a CertPath Validator.

  • Auditing—Auditing is the process whereby information about security requests and the outcome of those security requests is collected, stored, and distributed for the purpose of non-repudiation. In other words, auditing provides an electronic trail of computer activity. An Auditing provider supplies these services.

For information about the functionality provided by the WebLogic security providers, see Chapter 4, "Configuring WebLogic Security Providers" and Chapter 5, "Configuring Authentication Providers".

For information about the default security configuration, see The Default Security Configuration in WebLogic Server.

For information about writing custom security providers, see Developing Security Providers for Oracle WebLogic Server.

Security Policies and WebLogic Resources

WebLogic Server uses security policies (which replace the ACLs and permissions used in WebLogic Server 6.x) to protect WebLogic resources. Security policies answer the question "who has access" to a WebLogic resource. A security policy is created when you define an association between a WebLogic resource and a user, group, or security role. You can also optionally associate a time constraint with a security policy. A WebLogic resource has no protection until you assign it a security policy.

Creating security policies is a multi-step process with many options. To fully understand this process, read Securing Resources Using Roles and Policies for Oracle WebLogic Server. That document should be used in conjunction with Securing WebLogic Security to ensure security is completely configured for a WebLogic Server deployment.

WebLogic Resources

A WebLogic resource is a structured object used to represent an underlying WebLogic Server entity, which can be protected from unauthorized access. WebLogic Server defines the following resources:

  • Administrative resources such as the WebLogic Server Administration Console and WebLogic Scripting Tool.

  • Application resources that represent Enterprise applications. This type of resource includes individual EAR (Enterprise Application aRchive) files and individual components, such as EJB JAR files contained within the EAR.

  • Component Object Model (COM) resources that are designed as program component objects according to Microsoft's framework. This type of resource includes COM components accessed through the Oracle bidirectional COM-Java (jCOM) bridging tool.

  • Enterprise Information System (EIS) resources that are designed as resource adapters, which allow the integration of Java applications with existing enterprise information systems. These resource adapters are also known as connectors.

  • Enterprise JavaBean (EJB) resources including EJB JAR files, individual EJBs within an EJB JAR, and individual methods on an EJB.

  • Java DataBase Connectivity (JDBC) resources including groups of connection pools, individual connection pools, and multipools.

  • Java Naming and Directory Interface (JNDI) resources.

  • Java Messaging Service (JMS) resources.

  • Server resources related to WebLogic Server instances, or servers. This type of resource includes operations that start, shut down, lock, or unlock servers.

  • URL resources related to Web applications. This type of resource can be a Web Application aRchive (WAR) file or individual components of a Web application (such as servlets and JSPs).

    Note:

    Web resources are deprecated. Use the URL resource instead.

  • Web services resources related to services that can be shared by and used as components of distributed, Web-based applications. This type of resource can be an entire Web service or individual components of a Web service (such as a stateless session EJB, particular methods in that EJB, the Web application that contains the web-services.xml file, and so on).

  • Remote resources.

Deployment Descriptors and the WebLogic Server Administration Console

WebLogic Server offers a choice of models for configuring security roles and policies. Under the standard Java Enterprise Edition model, you define role mappings and policies in the Web application or EJB deployment descriptors. The WebLogic Security Service can use information defined in deployment descriptors to grant security roles and define security policies for Web applications and EJBs. When WebLogic Server is booted for the first time, security role and security policy information stored in web.xml, weblogic.xml, ejb-jar.xml, or weblogic-ejb-jar.xml deployment descriptors is loaded into the Authorization and Role Mapping providers configured in the default security realm. You can then view the role and policy information from the Administration Console. (Optionally, you may configure the security realm to use a different security model that allows you to make changes to that information via the Administration Console as well.)

To use information in deployment descriptors, at least one Authorization and Role Mapping provider in the security realm must implement the DeployableAuthorizationProvider and DeployableRoleProvider Security Service Provider Interface (SSPI). This SSPI allows the providers to store (rather than retrieve) information from deployment descriptors. By default, the WebLogic Authorization and Role Mapping providers implement this SSPI.

If you change security role and security policy in deployment descriptors through the Administration Console and want to continue to modify this information through the Administration Console, you can set configuration options on the security realm to ensure changes made through the Console are not overwritten by old information in the deployment descriptors when WebLogic Server is rebooted.

For more information, see "Options for Securing Web Application and EJB Resources" in Securing Resources Using Roles and Policies for Oracle WebLogic Server.

The Default Security Configuration in WebLogic Server

To simplify the configuration and management of security, WebLogic Server provides a default security configuration. In the default security configuration, myrealm is set as the default security realm and the WebLogic Adjudication, Authentication, Identity Assertion, XACML Authorization, Credential Mapping, XACML Role Mapping, and CertPath providers are defined as the security providers. WebLogic Server's embedded LDAP server is used as the data store for these default security providers. To use the default security configuration, you need to define users, groups, and security roles for the security realm, and create security policies to protect the WebLogic resources in the domain.

Note:

WebLogic Server includes the WebLogic Authorization provider, which is referred to in the Administration Console and elsewhere as the Default Authorizer, and the WebLogic Role Mapping provider, which is referred to in the Administration Console and elsewhere as the Default RoleMapper. Beginning with WebLogic Server 9.1, these providers are no longer the default providers in newly-created security realms. Instead, the XACML Authorization provider and the XACML Role Mapping provider are the default providers.

For a description of the functionality provided by the WebLogic Security providers, see Understanding Security for Oracle WebLogic Server. If the WebLogic security providers do not fully meet your security requirements, you can supplement or replace them. See Developing Security Providers for Oracle WebLogic Server.

If the default security configuration does not meet your requirements, you can create a new security realm with any combination of WebLogic and custom security providers and then set the new security realm as the default security realm. See Chapter 3, "Customizing the Default Security Configuration".

Configuring WebLogic Security: Main Steps

Because WebLogic Server's security features are closely related, it is difficult to determine where to start when configuring security. In fact, configuring security for your WebLogic Server deployment may be an iterative process. Although more than one sequence of steps may work, Oracle recommends the following procedure:

  1. Determine whether or not to use the default security configuration by reading Why Customize the Default Security Configuration?

    • If you are using the default security configuration, begin at step 3.

    • If you are not using the default security configuration, begin at step 2.

  2. Configure additional security providers (for example, configure an LDAP Authentication provider instead of using the WebLogic Authentication provider) or configure custom security providers in the default security realm. This step is optional. By default, WebLogic Server configures the WebLogic security providers in the default security realm (myrealm). For information about the circumstances that require you to customize the default security configuration, see Why Customize the Default Security Configuration? For information about creating custom security providers, see Developing Security Providers for Oracle WebLogic Server.

    Note:

    You can also create a new security realm, configure security providers (either WebLogic or custom) in the security realm and set the new security realm as the default security realm. See Chapter 3, "Customizing the Default Security Configuration".

  3. Optionally, configure the embedded LDAP server. WebLogic Server's embedded LDAP server is configured with default options. However, you may want to change those options to optimize the use of the embedded LDAP server in your environment. See Chapter 10, "Managing the Embedded LDAP Server".

  4. Ensure that user accounts are properly secured. WebLogic Server provides a set of configuration options for protecting user accounts. By default, they are set for maximum security. However, during the development and deployment of WebLogic Server, you may need to weaken the restrictions on user accounts. Before moving to production, check that the options on user accounts are set for maximum protection. If you are creating a new security realm, you need to set the user lockout options. See How Passwords Are Protected in WebLogic Server and Protecting User Accounts.

  5. Protect WebLogic resources with security policies. Creating security policies is a multi-step process with many options. To fully understand this process, read Securing Resources Using Roles and Policies for Oracle WebLogic Server. Administering Security for Oracle WebLogic Server should be used in conjunction with Securing Resources Using Roles and Policies for Oracle WebLogic Server to ensure security is completely configured for a WebLogic Server deployment.

  6. Configure identity and trust for WebLogic Server. (This step is optional but recommended.) See Chapter 11, "Configuring Identity and Trust".

  7. Enable SSL for WebLogic Server. (This step is optional but recommended.) See Chapter 12, "Configuring SSL".

  8. When you have moved to production, review and implement the additional security options described in Securing a Production Environment for Oracle WebLogic Server.

In addition, you can:

Methods of Configuring Security

In many cases, this document describes how to configure WebLogic security by using the WebLogic Server Administration Console. Generally, any configuration task you can accomplish through the Console you can also accomplish by using the WebLogic Scripting Tool or the Java Management Extensions (JMX) APIs. For information about using WLST to manage WebLogic security, see "Managing Security Data (WLST Online)" in Understanding the WebLogic Scripting Tool. For information about using JMX APIs, see "Choosing an MBean Server to Manage Security Realms" in Developing Custom Management Utilities Using JMX for Oracle WebLogic Server.

When you manage security realms, you must use two different MBean servers depending on your task:

  • To set the value of a security MBean attribute, you must use the Edit MBean Server.

  • To add users, groups, roles, and policies, or to invoke other operations in a security provider MBean, you must use a Runtime MBean Server or the Domain Runtime MBean Server.

In addition, to prevent the possibility of incompatible changes, you cannot invoke operations in security provider MBeans if your client or another JMX client has an edit session currently active. The Administration Console automatically enforces this limitation and automatically accesses the proper MBean server. When you use the Administration Console, you can override this limitation by selecting the Domain > Security > General page and enabling Allow Security Management Operations if Non-dynamic Changes have been Made. Setting this attribute to true permits users to perform security management operations without restarting the server. Note that this attribute is reset to false when a new MBean edit session begins.

For example, the value of the MinimumPasswordLength attribute in DefaultAuthenticatorMBean is stored in the domain's configuration document. Because all modifications to this document are controlled by WebLogic Server, to change the value of this attribute you must use the Edit MBean Server and acquire a lock on the domain's configuration. The createUser operation in DefaultAuthenticatorMBean adds data to an LDAP server, which is not controlled by WebLogic Server. To prevent incompatible changes between the DefaultAuthenticatorMBean's configuration and the data that it uses in the LDAP server, you cannot invoke the createUser operation if you or other users are in the process of modifying the MinimumPasswordLength attribute. In addition, because changing this attribute requires you to restart WebLogic Server, you cannot invoke the createUser operation until you have restarted the server.

What Is Compatibility Security?

Compatibility security refers to the capability to run security configurations developed under WebLogic Server 6.x in this release of WebLogic Server. In Compatibility security, you manage 6.x security realms, users, groups, and ACLs, protect user accounts, and configure the Realm Adapter Auditing provider and optionally the Identity Assertion provider in the Realm Adapter Authentication provider.

The only security realm available in Compatibility security is the CompatibilityRealm. The Realm Adapter providers (Auditing, Adjudication, Authorization, and Authentication) in the Compatibility realm allow backward compatibility with the authentication, authorization, and auditing services in 6.x security realms. For more information, see Chapter 16, "Using Compatibility Security".

Note:

Compatibility security is deprecated and will not be supported in future major releases. Oracle strongly recommends upgrading your WebLogic Server deployment to the security features in this release of WebLogic Server. You should only use Compatibility security pending such an upgrade.

Management Tasks Available in Compatibility Security

Because Compatibility security allows you to access only authentication, authorization, and custom auditing implementations supported in WebLogic Server 6.x, not all 6.x security tasks are allowed in Compatibility security. Use Compatibility security to:

  • Configure the Realm Adapter Auditing provider. For more information, see Configuring a Realm Adapter Auditing Provider.

  • Configure the Identity Assertion provider in the Realm Adapter Authentication provider so that implementations of the weblogic.security.acl.CertAuthenticator class can be used. For more information, see Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider .

    Note:

    The Realm Adapter Adjudication and Authorization providers are configured by default in the CompatibilityRealm using information in an 6.x existing config.xml file. These providers can only be used in the CompatibilityRealm. The Realm Adapter Authentication provider is also automatically configured in the CompatibilityRealm. However, this provider can also be configured in other realms to provide access to users and groups stored in 6.x security realms. For more information, see Configuring RDBMS Authentication Providers.

  • Change the password of the system user to protect your WebLogic Server deployment.

  • Manage the security realm in the CompatibilityRealm.

  • Define additional users for the security realm in the CompatibilityRealm. Organize users further by implementing groups in the security realm.

  • Manage ACLs and permissions for the resources in your WebLogic Server deployment.

  • Create security roles and security policies for WebLogic resources you add to the CompatibilityRealm. For more information, see Securing Resources Using Roles and Policies for Oracle WebLogic Server.

You can still configure identity and trust, use SSL, configure connection filters, and enable interoperability between domains; however, you use the security features available in this release of WebLogic Server to perform these tasks. See: