Contents

Title and Copyright Information

Preface

• Documentation Accessibility
• Conventions

Part I Overview of WebLogic Server Security Administration

1 Introduction and Roadmap

• Document Scope and Audience
• Guide to This Document
• Related Information
• Security Samples and Tutorials
  • Security Examples in the WebLogic Server Distribution
  • Additional Examples Available for Download
• What's New in This Guide

2 Security Management Concepts

• Security Realms in WebLogic Server
• Security Providers
• Security Policies and WebLogic Resources
  • WebLogic Resources
  • Deployment Descriptors and the WebLogic Server Administration Console
• The Default Security Configuration in WebLogic Server
• Configuring WebLogic Security: Main Steps
• Methods of Configuring Security
• How Passwords Are Protected in WebLogic Server
• What Is Compatibility Security?
  • Management Tasks Available in Compatibility Security

3 WebLogic Server Security Standards

• Supported Security Standards
• Supported FIPS Standards and Cipher Suites

4 Configuring Security for a WebLogic Domain

• Performing a Secure Installation of WebLogic Server
  • Before Installing WebLogic Server
  • While Running the Installation Program
  • Immediately After Installation is Complete
• Creating a WebLogic Domain for Production Use
• Securing the Domain After You Have Created It
• Obtaining Private Keys, Digital Certificates, and Trusted Certificate
  Authority Certificates
• Storing Private Keys, Digital Certificates, and Trusted Certificate
  Authority Certificates
• Protecting User Accounts
• Using Connection Filters

5 Customizing the Default Security Configuration

• Why Customize the Default Security Configuration?
• Before You Create a New Security Realm
• Creating and Configuring a New Security Realm: Main Steps

Part II Configuring Security Providers

6 About Configuring WebLogic Security Providers

• When Do You Need to Configure a Security Provider?
• Reordering Security Providers
• Enabling Synchronization in Security Policy and Role Modification at Deployment

7 Configuring Authorization and Role Mapping Providers

• Configuring an Authorization Provider
• Configuring the WebLogic Adjudication Provider
• Configuring a Role Mapping Provider

8 Configuring the WebLogic Auditing Provider

• Auditing Provider Overview
• Events Logged by the WebLogic Auditing Provider
• Configuration Options
• Auditing ContextHandler Elements
• Configuration Auditing
  • Enabling Configuration Auditing
• Configuration Auditing Messages
• Audit Events and Auditing Providers

9 Configuring Credential Mapping Providers

• Configuring a WebLogic Credential Mapping Provider
• Configuring a PKI Credential Mapping Provider
  • PKI Credential Mapper Attributes
  • Credential Actions
• Configuring a SAML Credential Mapping Provider for SAML 1.1
  • Configuring Assertion Lifetime
  • Relying Party Registry
• Configuring a SAML 2.0 Credential Mapping Provider for SAML 2.0
  • SAML 2.0 Credential Mapping Provider Attributes
  • Service Provider Partners
    • Partner Lookup Strings Required for Web Service Partners
    • Management of Partner Certificates
    • Java Interface for Configuring Service Provider Partner Attributes

10 Configuring the Certificate Lookup and Validation Framework

• Overview of the Certificate Lookup and Validation Framework
• CLV Security Providers Provided by WebLogic Server
  • CertPath Provider
  • Certificate Registry

11 Configuring the WebLogic Keystore Provider

• Configuring Keys and Certificates Stored in a File or JKS Keystore
  Accessed by the WebLogic Keystore Provider

Part III Configuring Authentication Providers

12 About Configuring the Authentication Providers in WebLogic Server

• Choosing an Authentication Provider
• Using More Than One Authentication Provider
  • Setting the JAAS Control Flag Option
  • Changing the Order of Authentication Providers

13 Configuring the WebLogic Authentication Provider

• About the WebLogic Authentication Provider
• Setting User Attributes

14 Configuring LDAP Authentication Providers

• LDAP Authentication Providers Included in WebLogic Server
• Requirements for Using an LDAP Authentication Provider
• Configuring an LDAP Authentication Provider: Main Steps
• Accessing Other LDAP Servers
• Enabling an LDAP Authentication Provider for SSL
• Dynamic Groups and WebLogic Server
• Use of GUID and LDAP DN Data in WebLogic Principals
• Configuring Users and Groups in the Oracle Internet Directory
  and Oracle Virtual Directory Authentication Providers
  • Configuring User and Group Name Types
    • Changing the User Name Attribute Type
    • Changing the Group Name Attribute Type
  • Configuring Static Groups
• Example of Configuring the Oracle Internet Directory Authentication Provider
• Configuring Failover for LDAP Authentication Providers
  • LDAP Failover Example 1
  • LDAP Failover Example 2
• Configuring an Authentication Provider for Oracle Unified Directory
• Following Referrals in the Active Directory Authentication Provider
• Configuring Group Search in the iPlanet Authentication Provider
  for Oracle Directory Server Enterprise Edition
• Improving the Performance of WebLogic and LDAP Authentication Providers
  • Optimizing the Group Membership Caches
  • Optimizing the Connection Pool Size and User Cache
  • Configuring Dynamic Groups in the iPlanet Authentication Provider
    to Improve Performance
  • Optimizing the Principal Validator Cache
  • Configuring the Active Directory Authentication Provider to Improve
    Performance
• Configuring an Administrator User from an External LDAP Server: an Example

15 Configuring RDBMS Authentication Providers

• About Configuring the RDBMS Authentication Providers
• Common RDBMS Authentication Provider Attributes
  • Data Source Attribute
  • Group Searching Attributes
  • Group Caching Attributes
• Configuring the SQL Authentication Provider
  • Password Attributes
  • SQL Statement Attributes
• Configuring the Read-Only SQL Authenticator
• Configuring the Custom DBMS Authenticator
  • Plug-In Class Attributes

16 Configuring the Windows NT Authentication Provider

• About the Windows NT Authentication Provider
• Domain Controller Settings
• LogonType Setting
• UPN Names Settings

17 Configuring the SAML Authentication Provider

18 Configuring the Password Validation Provider

• About the Password Validation Provider
• Password Composition Rules for the Password Validation Provider
• Using the Password Validation Provider with the WebLogic Authentication Provider
• Using the Password Validation Provider with an LDAP Authentication Provider
• Using WLST to Create and Configure the Password Validation Provider
  • Creating an Instance of the Password Validation Provider
  • Specifying the Password Composition Rules

19 Configuring Identity Assertion Providers

• About the Identity Assertion Providers
• How an LDAP X509 Identity Assertion Provider Works
• Configuring an LDAP X509 Identity Assertion Provider: Main Steps
• Configuring a Negotiate Identity Assertion Provider
• Configuring a SAML Identity Assertion Provider for SAML 1.1
  • Asserting Party Registry
  • Certificate Registry
• Configuring a SAML 2.0 Identity Assertion Provider for SAML 2.0
  • Identity Provider Partners
    • Partner Lookup Strings Required for Web Service Partners
    • Management of Partner Certificates
    • Java Interface for Configuring Identity Provider Partner Attributes
• Ordering of Identity Assertion for Servlets
• Configuring Identity Assertion Performance in the Server Cache
• Authenticating a User Not Defined in the Identity Store
  • How Virtual User Authentication Works in a WebLogic Domain
  • Configuring Two-Way SSL and Managing Certificates Securely
  • Customizing the WebLogic Identity Assertion Provider
    (DefaultIdentityAsserter)
  • Configuring the Virtual User Authentication Provider
  • Using WLST to Configure Virtual User Authentication
• Configuring a User Name Mapper
• Configuring a Custom User Name Mapper

20 Configuring the Virtual User Authentication Provider

• About the Virtual User Authentication Provider
• Adding the Virtual User Authentication Provider to the Security Realm

Part IV Configuring Single Sign-On

21 Configuring Single Sign-On with Microsoft Clients

• Overview of Single Sign-On with Microsoft Clients
• System Requirements for SSO with Microsoft Clients
  • Host Computer Requirements for Supporting SSO with Microsoft Clients
  • Client Computer Requirements for Supporting Microsoft Clients Using SSO
• Single Sign-On with Microsoft Clients: Main Steps
• Configuring Your Network Domain to Use Kerberos
• Creating a Kerberos Identification for WebLogic Server
  • Step 1: Create a User Account for the Host Computer
  • Step 2: Configure the User Account to Comply with Kerberos
  • Step 3: Define a Service Principal Name and Create a Keytab for the Service
    • Defining an SPN and Creating a Keytab on Windows Systems
    • Defining an SPN and Creating a Keytab on UNIX Systems
  • Step 4: Verify Correct Setup
  • Step 5: Update Default JDK Security Policy Files
• Configuring Microsoft Clients to Use Windows Integrated Authentication
  • Configuring a .NET Web Service
  • Configuring an Internet Explorer Browser
    • Configure Local Intranet Domains
    • Configure Intranet Authentication
    • Verify the Proxy Settings
    • Set Integrated Authentication for Internet Explorer 6.0
  • Configuring a Mozilla Firefox Browser
  • Configuring a Java SE Client Application
• Creating a JAAS Login File
• Configuring the Identity Assertion Provider
• Using Startup Arguments for Kerberos Authentication with WebLogic Server
• Verifying Configuration of SSO with Microsoft Clients

22 Configuring Single Sign-On with Web Browsers and HTTP Clients Using SAML

• Configuring SAML Services
• Configuring Single Sign-On Using SAML White Paper
• SAML for Web Single Sign-On Scenario API Example

23 Configuring SAML 1.1 Services

• Enabling Single Sign-on with SAML 1.1: Main Steps
  • Configuring a Source Site: Main Steps
  • Configuring a Destination Site: Main Steps
• Configuring a SAML 1.1 Source Site for Single Sign-On
  • Configure the SAML 1.1 Credential Mapping Provider
  • Configure the Source Site Federation Services
  • Configure Relying Parties
    • Configure Supported Profiles
    • Assertion Consumer Parameters
  • Replacing the Default Assertion Store
• Configuring a SAML 1.1 Destination Site for Single Sign-On
  • Configure SAML Identity Assertion Provider
  • Configure Destination Site Federation Services
    • Enable the SAML Destination Site
    • Set Assertion Consumer URIs
    • Configure SSL for the Assertion Consumer Service
    • Add SSL Client Identity Certificate
    • Configure Single-Use Policy and the Used Assertion Cache or Custom
      Assertion Cache
    • Configure Recipient Check for POST Profile
  • Configuring Asserting Parties
    • Configure Supported Profiles
    • Configure Source Site ITS Parameters
• Configuring Relying and Asserting Parties with WLST

24 Configuring SAML 2.0 Services

• Configuring SAML 2.0 Services: Main Steps
• Configuring SAML 2.0 General Services
  • About SAML 2.0 General Services
  • Publishing and Distributing the Metadata File
• Configuring an Identity Provider Site for SAML 2.0 Single Sign-On
  • Configure the SAML 2.0 Credential Mapping Provider
  • Configure SAML 2.0 Identity Provider Services
    • Enable the SAML 2.0 Identity Provider Site
    • Specify a Custom Login Web Application
    • Enable Binding Types
    • Publish Your Site's Metadata File
  • Create and Configure Web Single Sign-On Service Provider Partners
    • Obtain Your Service Provider Partner's Metadata File
    • Create Partner and Enable Interactions
    • Configure How Assertions are Generated
    • Configure How Documents Are Signed
    • Configure Artifact Binding and Transport Settings
• Configuring a Service Provider Site for SAML 2.0 Single Sign-On
  • Configure the SAML 2.0 Identity Assertion Provider
  • Configure the SAML Authentication Provider
  • Configure SAML 2.0 General Services
  • Configure SAML 2.0 Service Provider Services
    • Enable the SAML 2.0 Service Provider Site
    • Specify How Documents Must Be Signed
    • Specify How Authentication Requests Are Managed
    • Enable Binding Types
    • Set Default URL
  • Create and Configure Web Single Sign-On Identity Provider Partners
    • Obtain Your Identity Provider Partner's Metadata File
    • Create Partner and Enable Interactions
    • Configure Authentication Requests and Assertions
    • Configure Redirect URIs
    • Configure Binding and Transport Settings
• Viewing Partner Site, Certificate, and Service Endpoint Information
• Web Application Deployment Considerations for SAML 2.0
  • Deployment Descriptor Recommendations
    • Use of relogin-enabled with CLIENT-CERT Authentication
    • Use of Non-default Cookie Name
  • Login Application Considerations for Clustered Environments
  • Enabling Force Authentication and Passive Attributes is Invalid

25 Enabling Debugging for SAML 1.1 and 2.0

• About SAML Debug Scopes and Attributes
• Enabling Debugging Using the Command Line
• Enabling Debugging Using the WebLogic Server Administration Console
• Enabling Debugging Using the WebLogic Scripting Tool
• Sending Debug Messages to Standard Out

Part V Managing Security Information

26 Migrating Security Data

• Overview of Security Data Migration
• Migration Concepts
• Formats and Constraints Supported by WebLogic Security Providers
• Migrating Data with WLST

27 Managing the RDBMS Security Store

• Security Providers that Use the RDBMS Security Store
• Configuring the RDBMS Security Store
  • Create a Domain with the RDBMS Security Store
    • Specifying Database Connection Properties
    • Testing the Database Connection
  • Create RDBMS Tables in the Security Datastore
  • Configure a JMS Topic for the RDBMS Security Store
    • Configuring JMS Connection Recovery in the Event of Failure
• Upgrading a Domain to Use the RDBMS Security Store

28 Managing the Embedded LDAP Server

• Configuring the Embedded LDAP Server
• Embedded LDAP Server Replication
• Viewing the Contents of the Embedded LDAP Server from an LDAP Browser
• Exporting and Importing Information in the Embedded LDAP Server
• LDAP Access Control Syntax
  • The Access Control File
  • Access Control Location
  • Access Control Scope
  • Access Rights
    • Attribute Permissions
    • Entry Permissions
  • Attributes Types
  • Subject Types
  • Grant/Deny Evaluation Rules
• Backup and Recovery

Part VI Configuring SSL

29 Overview of Configuring SSL in WebLogic Server

• SSL: An Introduction
  • One-Way and Two-Way SSL
  • Java Secure Socket Extension (JSSE) SSL Implementation Supported
• Setting Up SSL: Main Steps
• SSL Session Behavior

30 Configuring Keystores

• About Configuring Keystores in WebLogic Server
  • About Private Keys, Digital Certificates, and Trusted Certificate Authorities
  • Using Separate Keystores for Identity and Trust
  • Configuring Keystores: Main Steps
  • How WebLogic Server Locates Trust
• Creating a Keystore
  • Keystore File Name Requirements
  • Creating a Keystore Using Keytool
  • Creating a Keystore Using ImportPrivateKey
• Using Keystores and Certificates in a Development Environment
  • Using the Demonstration Keystores
  • Creating Demonstration Certificates Using CertGen
    • About CertGen
    • Using CertGen to Create a Certificate and Private Key
    • CertGen Usage Notes
    • Limitation on CertGen Usage
  • Using Your Own Certificate Authority
  • Converting a Microsoft p7b Format to PEM Format
  • Configuring Demo Certificates for Clients
• Obtaining and Storing Certificates for Production Environments
  • Generating a Certificate Signing Request
  • Importing Certificates into the Trust and Identity Keystores
• Configuring Keystores with WebLogic Server
  • Configuring Keystores Using the Administration Console
  • Configuring a Keystore Using WLST
• Viewing Keystore Contents
• Replacing Expiring Certificates
• Creating a Keystore: An Example
• Supported Formats for Identity and Trust Certificates
• Obtaining a Digital Certificate for a Web Browser

31 Configuring Oracle OPSS Keystore Service

• Prerequisites for Using the OPSS Keystore Service
• Where is the OPSS Keystore Service Documented?
• Configuring the OPSS Keystore Service for Demo Identity and Trust: Main Steps
• Configuring the OPSS Keystore Service for Custom Identity and Trust: Main Steps

32 Using Host Name Verification

• Using the Default WebLogic Server Host Name Verifier
  • Using the Default Host Name Verifier on Mac OS X Platforms
• Using the Wildcarded Host Name Verifier
  • How the Wildcarded Host Name Verifier Works
  • Configuring the Wildcarded Host Name Verifier
• Using a Custom Host Name Verifier

33 Specifying a Client Certificate for an Outbound Two-Way SSL Connection

• Overview
• Add a Client Certificate to the Identity Keystore
• Initiate the Outbound Two-Way SSL Connection
• Restore the Use of the Server Identity Certificate

34 SSL Debugging

• About the SSL Debug Trace
• Command-Line Properties for Enabling SSL Debugging

35 SSL Certificate Validation

• Controlling the Level of Certificate Validation
• Accepting Certificate Policies in Certificates
• Checking Certificate Chains
• Using Certificate Lookup and Validation Providers
• How SSL Certificate Validation Works in WebLogic Server
• Troubleshooting Problems with Certificate Validation

36 Using JCE Providers with WebLogic Server

• Using the RSA JCE Provider
• Using the JDK JCE Provider
• Using nCipher JCE Provider
  • Installing the nCipher JCE Provider

37 Enabling FIPS Mode

• FIPS Overview
• Enabling FIPS 140-2 Mode From Java Options
• Enabling FIPS 140-2 Mode From java.security
• Verifying JCE When FIPS 140-2 Mode is Enabled
• Important Considerations When Using Web Services
  • SHA-1 Secure Hash Algorithm Not Supported
  • X509PKIPathv1 token Not Supported

38 Specifying the SSL Protocol Version

• About the SSL Version Used in the Handshake
• Using the weblogic.security.SSL.protocolVersion System Property
• Using the weblogic.security.SSL.minimumProtocolVersion System Property
  • Protocols Enabled with the JSSE-Based SSL Implementation

39 Using the JSSE-Based SSL Implementation

• System Property Differences Between the JSSE-Based
  and Certicom SSL Implementations
• SSL Performance Considerations
• Cipher Suites
  • List of Supported Cipher Suites
  • Backward Compatibility of Supported Cipher Suites
  • Using Anonymous Ciphers
  • Cipher Suite Name Equivalents
  • Setting Cipher Suites Using WLST: An Example
• Using Debugging with JSSE SSL
• Using the RSA JSSE Provider in WebLogic Server

40 X.509 Certificate Revocation Checking

• Certificate Revocation Checking Overview
• Enabling the Default CR Checking Configuration
  • Configuring Default CR Checking
  • Customizing the CR Checking Configuration
• Choosing the CR Checking Methods to Be Used by WebLogic Server
• Failing SSL Certificate Path Validation if Revocation Status Cannot Be
  Determined
• Using the Online Certificate Status Protocol
  • Using Nonces in OCSP Requests
  • Setting the Response Timeout Interval
  • Enabling and Configuring the OCSP Response Local Cache
• Using Certificate Revocation Lists
  • Enabling Updates from Distribution Points
  • Configuring the CRL Local Cache
• Configuring Certificate Authority Overrides
  • General Certificate Authority Overrides
  • Configuring OCSP Properties in a Certificate Authority Override
    • Identifying the OCSP Responder URL
  • Configuring CRL Properties in a Certificate Authority Override

41 Configuring an Identity Keystore Specific to a Network Channel

• About Network Channels
• Channel-Specific SSL Configuration Attributes
• Steps to Configure a Channel-Specific Identity Keystore
• Using WLST to Configure a Channel-Specific Identity Keystore

42 Configuring RMI over IIOP with SSL

43 Using a Certificate Callback Handler to Validate End User Certificates

• How End User Certificate Callback Handlers Work
• Creating a Certificate Callback Implementation
• Configuring the Certificate Callback with WebLogic Server

Part VII Advanced Security Topics

44 Configuring Cross-Domain Security

• Important Information Regarding Cross-Domain Security Support
• Enabling Trust Between WebLogic Server Domains
  • Enabling Cross-Domain Security Between WebLogic Server Domains
    • Configuring Cross-Domain Security
    • Excluding Domains From Cross-Domain Security
    • Configuring Cross-Domain Users
    • Configure a Credential Mapping for Cross-Domain Security
  • Enabling Global Trust
• Using the Java Authorization Contract for Containers
• Viewing MBean Attributes
• Configuring a Domain to Use JAAS Authorization

45 Configuring JASPIC Security

• JASPIC Mechanisms Override WebLogic Server Defaults
• Prerequisites for Configuring JASPIC
  • Server Authentication Module Must Be in Classpath
  • Custom Authentication Configuration Providers Must Be in Classpath
• Location of Configuration Data
• Configuring JASPIC for a Domain
• Displaying Authentication Configuration Providers
• Configuring JASPIC for a Web Application
• Configuring JASPIC with WLST
  • Creating a WLS Authentication Configuration Provider
  • Creating a Custom Authentication Configuration Provider
  • Listing All WLS and Custom Authentication Configuration Providers
  • Enabling JASPIC for a Domain
  • Disabling JASPIC for a Domain

46 Using Compatibility Security

• Running Compatibility Security: Main Steps
• Limited Visibility of Compatibility Security MBeans
• The Default Security Configuration in the CompatibilityRealm
• Configuring a Realm Adapter Authentication Provider
• Configuring the Identity Assertion Provider in the Realm Adapter
  Authentication Provider
• Configuring a Realm Adapter Auditing Provider
• Protecting User Accounts in Compatibility Security
• Accessing 6.x Security from Compatibility Security

47 Security Configuration MBeans

• SSLMBean
• ServerMBean
• EmbeddedLDAPMBean
• RDBMSSecurityStoreMBean
• SecurityMBean
• SecurityConfigurationMBean
• RealmMBean
• WindowsNTAuthenticatorMBean
• CustomDBMSAuthenticatorMBean
• ReadonlySQLAuthenticatorMBean
• SQLAuthenticatorMBean
• DefaultAuditorMBean
• Compatibility Security MBeans
• UserLockoutManagerMBean
• Other Security Provider MBeans

Part VIII Appendixes

A Keytool Command Summary

B Using Certificate Chains (Deprecated)

C Interoperating With Keystores From Prior Versions