Go to main content
1/59
Contents
Title and Copyright Information
Preface
Documentation Accessibility
Conventions
Part I Overview of WebLogic Server Security Administration
1
Introduction and Roadmap
Document Scope and Audience
Guide to This Document
Related Information
Security Samples and Tutorials
Security Examples in the WebLogic Server Distribution
Additional Examples Available for Download
What's New in This Guide
2
Security Management Concepts
Security Realms in WebLogic Server
Security Providers
Security Policies and WebLogic Resources
WebLogic Resources
Deployment Descriptors and the WebLogic Server Administration Console
The Default Security Configuration in WebLogic Server
Configuring WebLogic Security: Main Steps
Methods of Configuring Security
How Passwords Are Protected in WebLogic Server
3
WebLogic Server Security Standards
Supported Security Standards
Supported FIPS Standards and Cipher Suites
4
Configuring Security for a WebLogic Domain
Performing a Secure Installation of WebLogic Server
Before Installing WebLogic Server
While Running the Installation Program
Immediately After Installation is Complete
Creating a WebLogic Domain for Production Use
Securing the Domain After You Have Created It
Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authority Certificates
Storing Private Keys, Digital Certificates, and Trusted Certificate Authority Certificates
Protecting User Accounts
Using Connection Filters
5
Customizing the Default Security Configuration
Why Customize the Default Security Configuration?
Before You Create a New Security Realm
Creating and Configuring a New Security Realm: Main Steps
Part II Configuring Security Providers
6
About Configuring WebLogic Security Providers
When Do You Need to Configure a Security Provider?
Reordering Security Providers
Enabling Synchronization in Security Policy and Role Modification at Deployment
7
Configuring Authorization and Role Mapping Providers
Configuring an Authorization Provider
Configuring the WebLogic Adjudication Provider
Configuring a Role Mapping Provider
8
Configuring the WebLogic Auditing Provider
Auditing Provider Overview
Events Logged by the WebLogic Auditing Provider
Configuration Options
Auditing ContextHandler Elements
Configuration Auditing
Enabling Configuration Auditing
Configuration Auditing Messages
Audit Events and Auditing Providers
9
Configuring Credential Mapping Providers
Configuring a WebLogic Credential Mapping Provider
Configuring a PKI Credential Mapping Provider
PKI Credential Mapper Attributes
Credential Actions
Configuring a SAML Credential Mapping Provider for SAML 1.1
Configuring Assertion Lifetime
Relying Party Registry
Configuring a SAML 2.0 Credential Mapping Provider for SAML 2.0
SAML 2.0 Credential Mapping Provider Attributes
Service Provider Partners
Partner Lookup Strings Required for Web Service Partners
Lookup String Syntax
Specifying Default Partners
Management of Partner Certificates
Java Interface for Configuring Service Provider Partner Attributes
10
Configuring the Certificate Lookup and Validation Framework
Overview of the Certificate Lookup and Validation Framework
CLV Security Providers Provided by WebLogic Server
CertPath Provider
Certificate Registry
Part III Configuring Authentication Providers
11
About Configuring the Authentication Providers in WebLogic Server
Choosing an Authentication Provider
Using More Than One Authentication Provider
Setting the JAAS Control Flag Option
Changing the Order of Authentication Providers
12
Configuring the WebLogic Authentication Provider
About the WebLogic Authentication Provider
Setting User Attributes
13
Configuring LDAP Authentication Providers
LDAP Authentication Providers Included in WebLogic Server
Requirements for Using an LDAP Authentication Provider
Configuring an LDAP Authentication Provider: Main Steps
Accessing Other LDAP Servers
Enabling an LDAP Authentication Provider for SSL
Dynamic Groups and WebLogic Server
Use of GUID and LDAP DN Data in WebLogic Principals
Configuring Users and Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers
Configuring User and Group Name Types
Changing the User Name Attribute Type
Changing the Group Name Attribute Type
Configuring Static Groups
Example of Configuring the Oracle Internet Directory Authentication Provider
Configuring Failover for LDAP Authentication Providers
LDAP Failover Example 1
LDAP Failover Example 2
Configuring an Authentication Provider for Oracle Unified Directory
Following Referrals in the Active Directory Authentication Provider
Configuring Group Search in the LDAP Authentication Provider for Oracle Directory Server Enterprise Edition
Improving the Performance of LDAP Authentication Providers
Optimizing the Group Membership Caches
Optimizing the Connection Pool Size and User Cache
Configuring Dynamic Groups in the iPlanet Authentication Provider to Improve Performance
Optimizing the Principal Validator Cache
Configuring the Active Directory Authentication Provider to Improve Performance
Analyzing the Generic LDAP Authenticator Cache Statistics
Testing the LDAP Connection During Configuration
Configuring an Administrator User from an External LDAP Server: an Example
14
Configuring RDBMS Authentication Providers
About Configuring the RDBMS Authentication Providers
Common RDBMS Authentication Provider Attributes
Data Source Attribute
Group Searching Attributes
Group Caching Attributes
Configuring the SQL Authentication Provider
Password Attributes
SQL Statement Attributes
Configuring the Read-Only SQL Authenticator
Configuring the Custom DBMS Authenticator
Plug-In Class Attributes
15
Configuring the Windows NT Authentication Provider
About the Windows NT Authentication Provider
Domain Controller Settings
LogonType Setting
UPN Names Settings
16
Configuring the SAML Authentication Provider
17
Configuring the Password Validation Provider
About the Password Validation Provider
Password Composition Rules for the Password Validation Provider
Using the Password Validation Provider with the WebLogic Authentication Provider
Using the Password Validation Provider with an LDAP Authentication Provider
Using WLST to Create and Configure the Password Validation Provider
Creating an Instance of the Password Validation Provider
Specifying the Password Composition Rules
18
Configuring Identity Assertion Providers
About the Identity Assertion Providers
How an LDAP X509 Identity Assertion Provider Works
Configuring an LDAP X509 Identity Assertion Provider: Main Steps
Configuring a Negotiate Identity Assertion Provider
Configuring a SAML Identity Assertion Provider for SAML 1.1
Asserting Party Registry
Certificate Registry
Configuring a SAML 2.0 Identity Assertion Provider for SAML 2.0
Identity Provider Partners
Partner Lookup Strings Required for Web Service Partners
Management of Partner Certificates
Java Interface for Configuring Identity Provider Partner Attributes
Ordering of Identity Assertion for Servlets
Configuring Identity Assertion Performance in the Server Cache
Authenticating a User Not Defined in the Identity Store
How Virtual User Authentication Works in a WebLogic Domain
Configuring Two-Way SSL and Managing Certificates Securely
Customizing the WebLogic Identity Assertion Provider (DefaultIdentityAsserter)
Configuring the Virtual User Authentication Provider
Using WLST to Configure Virtual User Authentication
Configuring a User Name Mapper
Configuring a Custom User Name Mapper
19
Configuring the Virtual User Authentication Provider
About the Virtual User Authentication Provider
Adding the Virtual User Authentication Provider to the Security Realm
Part IV Configuring Single Sign-On
20
Configuring Single Sign-On with Microsoft Clients
Overview of Single Sign-On with Microsoft Clients
System Requirements for SSO with Microsoft Clients
Host Computer Requirements for Supporting SSO with Microsoft Clients
Client Computer Requirements for Supporting Microsoft Clients Using SSO
Single Sign-On with Microsoft Clients: Main Steps
Configuring Your Network Domain to Use Kerberos
Creating a Kerberos Identification for WebLogic Server
Step 1: Create a User Account for the Host Computer
Step 2: Configure the User Account to Comply with Kerberos
Step 3: Define a Service Principal Name and Create a Keytab for the Service
Defining an SPN and Creating a Keytab on Windows Systems
Defining an SPN and Creating a Keytab on UNIX Systems
Step 4: Verify Correct Setup
Step 5: Update Default JDK Security Policy Files
Configuring Microsoft Clients to Use Windows Integrated Authentication
Configuring a .NET Web Service
Configuring an Internet Explorer Browser
Configure Local Intranet Domains
Configure Intranet Authentication
Verify the Proxy Settings
Set Integrated Authentication for Internet Explorer 6.0
Configuring a Mozilla Firefox Browser
Configuring a Java SE Client Application
Creating a JAAS Login File
Configuring the Identity Assertion Provider
Using Startup Arguments for Kerberos Authentication with WebLogic Server
Verifying Configuration of SSO with Microsoft Clients
21
Configuring Single Sign-On with Web Browsers and HTTP Clients Using SAML
Configuring SAML Services
Configuring Single Sign-On Using SAML White Paper
SAML for Web Single Sign-On Scenario API Example
22
Configuring SAML 1.1 Services
Enabling Single Sign-on with SAML 1.1: Main Steps
Configuring a Source Site: Main Steps
Configuring a Destination Site: Main Steps
Configuring a SAML 1.1 Source Site for Single Sign-On
Configure the SAML 1.1 Credential Mapping Provider
Configure the Source Site Federation Services
Configure Relying Parties
Configure Supported Profiles
Assertion Consumer Parameters
Replacing the Default Assertion Store
Configuring a SAML 1.1 Destination Site for Single Sign-On
Configure SAML Identity Assertion Provider
Configure Destination Site Federation Services
Enable the SAML Destination Site
Set Assertion Consumer URIs
Configure SSL for the Assertion Consumer Service
Add SSL Client Identity Certificate
Configure Single-Use Policy and the Used Assertion Cache or Custom Assertion Cache
Configure Recipient Check for POST Profile
Configuring Asserting Parties
Configure Supported Profiles
Configure Source Site ITS Parameters
Configuring Relying and Asserting Parties with WLST
23
Configuring SAML 2.0 Services
Configuring SAML 2.0 Services: Main Steps
Configuring SAML 2.0 General Services
About SAML 2.0 General Services
Publishing and Distributing the Metadata File
Configuring an Identity Provider Site for SAML 2.0 Single Sign-On
Configure the SAML 2.0 Credential Mapping Provider
Configure SAML 2.0 Identity Provider Services
Enable the SAML 2.0 Identity Provider Site
Specify a Custom Login Web Application
Enable Binding Types
Publish Your Site's Metadata File
Create and Configure Web Single Sign-On Service Provider Partners
Obtain Your Service Provider Partner's Metadata File
Create Partner and Enable Interactions
Configure How Assertions are Generated
Configure How Documents Are Signed
Configure Artifact Binding and Transport Settings
Configuring a Service Provider Site for SAML 2.0 Single Sign-On
Configure the SAML 2.0 Identity Assertion Provider
Configure the SAML Authentication Provider
Configure SAML 2.0 General Services
Configure SAML 2.0 Service Provider Services
Enable the SAML 2.0 Service Provider Site
Specify How Documents Must Be Signed
Specify How Authentication Requests Are Managed
Enable Binding Types
Set Default URL
Create and Configure Web Single Sign-On Identity Provider Partners
Obtain Your Identity Provider Partner's Metadata File
Create Partner and Enable Interactions
Configure Authentication Requests and Assertions
Configure Redirect URIs
Configure Binding and Transport Settings
Viewing Partner Site, Certificate, and Service Endpoint Information
Web Application Deployment Considerations for SAML 2.0
Deployment Descriptor Recommendations
Use of relogin-enabled with CLIENT-CERT Authentication
Use of Non-default Cookie Name
Login Application Considerations for Clustered Environments
Enabling Force Authentication and Passive Attributes is Invalid
24
Enabling Debugging for SAML 1.1 and 2.0
About SAML Debug Scopes and Attributes
Enabling Debugging Using the Command Line
Enabling Debugging Using the WebLogic Server Administration Console
Enabling Debugging Using the WebLogic Scripting Tool
Sending Debug Messages to Standard Out
Part V Managing Security Information
25
Migrating Security Data
Overview of Security Data Migration
Migration Concepts
Formats and Constraints Supported by WebLogic Security Providers
Migrating Data with WLST
26
Managing the RDBMS Security Store
Security Providers that Use the RDBMS Security Store
Configuring the RDBMS Security Store
Create a Domain with the RDBMS Security Store
Specifying Database Connection Properties
Oracle Example
MS-SQL Example
DB2 Example
For More Information About Default Connection Properties
Testing the Database Connection
Create RDBMS Tables in the Security Datastore
Configure a JMS Topic for the RDBMS Security Store
Configuring JMS Connection Recovery in the Event of Failure
Upgrading a Domain to Use the RDBMS Security Store
27
Managing the Embedded LDAP Server
Configuring the Embedded LDAP Server
Embedded LDAP Server Replication
Viewing the Contents of the Embedded LDAP Server from an LDAP Browser
Exporting and Importing Information in the Embedded LDAP Server
LDAP Access Control Syntax
The Access Control File
Access Control Location
Access Control Scope
Access Rights
Attribute Permissions
Entry Permissions
Attributes Types
Subject Types
Grant/Deny Evaluation Rules
Backup and Recovery
Part VI Configuring SSL
28
Overview of Configuring SSL in WebLogic Server
SSL: An Introduction
One-Way and Two-Way SSL
Java Secure Socket Extension (JSSE) SSL Implementation Supported
Setting Up SSL: Main Steps
SSL Session Behavior
29
Configuring Keystores
About Configuring Keystores in WebLogic Server
About Private Keys, Digital Certificates, and Trusted Certificate Authorities
Using Separate Keystores for Identity and Trust
Configuring Keystores: Main Steps
How WebLogic Server Locates Trust
Creating a Keystore
Keystore File Name Requirements
Creating a Keystore Using Keytool
Creating a Keystore Using ImportPrivateKey
Using Keystores and Certificates in a Development Environment
Using the Demonstration Keystores
Creating Demonstration Certificates Using CertGen
About CertGen
Using CertGen to Create a Certificate and Private Key
CertGen Usage Notes
Limitation on CertGen Usage
Using Your Own Certificate Authority
Converting a Microsoft p7b Format to PEM Format
Configuring Demo Certificates for Clients
Obtaining and Storing Certificates for Production Environments
Generating a Certificate Signing Request
Importing Certificates into the Trust and Identity Keystores
Configuring Keystores with WebLogic Server
Configuring Keystores Using the Administration Console
Configuring a Keystore Using WLST
Viewing Keystore Contents
Replacing Expiring Certificates
Creating a Keystore: An Example
Supported Formats for Identity and Trust Certificates
Obtaining a Digital Certificate for a Web Browser
30
Configuring Oracle OPSS Keystore Service
Prerequisites for Using the OPSS Keystore Service
Where is the OPSS Keystore Service Documented?
Configuring the OPSS Keystore Service for Demo Identity and Trust: Main Steps
Configuring the OPSS Keystore Service for Custom Identity and Trust: Main Steps
31
Using Host Name Verification
Using the Default WebLogic Server Host Name Verifier
Using the Default Host Name Verifier on Mac OS X Platforms
Using the Wildcarded Host Name Verifier
How the Wildcarded Host Name Verifier Works
Configuring the Wildcarded Host Name Verifier
Using a Custom Host Name Verifier
32
Specifying a Client Certificate for an Outbound Two-Way SSL Connection
Overview
Add a Client Certificate to the Identity Keystore
Initiate the Outbound Two-Way SSL Connection
Restore the Use of the Server Identity Certificate
33
SSL Debugging
About the SSL Debug Trace
Command-Line Properties for Enabling SSL Debugging
34
SSL Certificate Validation
Controlling the Level of Certificate Validation
Accepting Certificate Policies in Certificates
Checking Certificate Chains
Using Certificate Lookup and Validation Providers
How SSL Certificate Validation Works in WebLogic Server
Troubleshooting Problems with Certificate Validation
35
Using JCE Providers with WebLogic Server
Using the RSA JCE Provider
Using the JDK JCE Provider
Using nCipher JCE Provider
Installing the nCipher JCE Provider
36
Enabling FIPS Mode
FIPS Overview
Enabling FIPS 140-2 Mode From Java Options
Enabling FIPS 140-2 Mode From java.security
Verifying JCE When FIPS 140-2 Mode is Enabled
Important Considerations When Using Web Services
SHA-1 Secure Hash Algorithm Not Supported
X509PKIPathv1 token Not Supported
37
Specifying the SSL Protocol Version
About the SSL Version Used in the Handshake
Using the weblogic.security.SSL.protocolVersion System Property
Using the weblogic.security.SSL.minimumProtocolVersion System Property
Protocols Enabled with the JSSE-Based SSL Implementation
38
Using the JSSE-Based SSL Implementation
System Property Differences Between the JSSE-Based and Certicom SSL Implementations
SSL Performance Considerations
Cipher Suites
List of Supported Cipher Suites
Backward Compatibility of Supported Cipher Suites
Using Anonymous Ciphers
Cipher Suite Name Equivalents
Setting Cipher Suites Using WLST: An Example
Using Debugging with JSSE SSL
Using the RSA JSSE Provider in WebLogic Server
39
X.509 Certificate Revocation Checking
Certificate Revocation Checking Overview
Enabling the Default CR Checking Configuration
Configuring Default CR Checking
Customizing the CR Checking Configuration
Choosing the CR Checking Methods to Be Used by WebLogic Server
Failing SSL Certificate Path Validation if Revocation Status Cannot Be Determined
Using the Online Certificate Status Protocol
Using Nonces in OCSP Requests
Setting the Response Timeout Interval
Enabling and Configuring the OCSP Response Local Cache
Using Certificate Revocation Lists
Enabling Updates from Distribution Points
Configuring the CRL Local Cache
Configuring Certificate Authority Overrides
General Certificate Authority Overrides
Configuring OCSP Properties in a Certificate Authority Override
Identifying the OCSP Responder URL
Configuring CRL Properties in a Certificate Authority Override
40
Configuring an Identity Keystore Specific to a Network Channel
About Network Channels
Channel-Specific SSL Configuration Attributes
Steps to Configure a Channel-Specific Identity Keystore
Using WLST to Configure a Channel-Specific Identity Keystore
41
Configuring RMI over IIOP with SSL
42
Using a Certificate Callback Handler to Validate End User Certificates
How End User Certificate Callback Handlers Work
Creating a Certificate Callback Implementation
Configuring the Certificate Callback with WebLogic Server
Part VII Advanced Security Topics
43
Configuring Cross-Domain Security
Important Information Regarding Cross-Domain Security Support
Enabling Trust Between WebLogic Server Domains
Enabling Cross-Domain Security Between WebLogic Server Domains
Configuring Cross-Domain Security
Excluding Domains From Cross-Domain Security
Configuring Cross-Domain Users
Configure a Credential Mapping for Cross-Domain Security
Enabling Global Trust
Using the Java Authorization Contract for Containers
Viewing MBean Attributes
Configuring a Domain to Use JAAS Authorization
44
Configuring JASPIC Security
JASPIC Mechanisms Override WebLogic Server Defaults
Prerequisites for Configuring JASPIC
Server Authentication Module Must Be in Classpath
Custom Authentication Configuration Providers Must Be in Classpath
Location of Configuration Data
Configuring JASPIC for a Domain
Displaying Authentication Configuration Providers
Configuring JASPIC for a Web Application
Configuring JASPIC with WLST
Creating a WLS Authentication Configuration Provider
Creating a Custom Authentication Configuration Provider
Listing All WLS and Custom Authentication Configuration Providers
Enabling JASPIC for a Domain
Disabling JASPIC for a Domain
45
Security Configuration MBeans
SSLMBean
ServerMBean
EmbeddedLDAPMBean
RDBMSSecurityStoreMBean
SecurityConfigurationMBean
RealmMBean
WindowsNTAuthenticatorMBean
CustomDBMSAuthenticatorMBean
ReadonlySQLAuthenticatorMBean
SQLAuthenticatorMBean
DefaultAuditorMBean
UserLockoutManagerMBean
Other Security Provider MBeans
Part VIII Appendixes
A
Keytool Command Summary
B
Using Certificate Chains (Deprecated)
C
Interoperating With Keystores From Prior Versions
Scripting on this page enhances content navigation, but does not change the content in any way.