|
|
| |
The following sections describe how to implement security in WebLogic Server:
Steps for Configuring Security
Implementing security in a WebLogic Server deployment largely consists of configuring attributes that define the security policy for that deployment. WebLogic Server provides an Administration Console to help you define the security policy for your deployment. Using the Administration Console, you specify security-specific values for the following elements of your deployment:
Because security features are closely related, it is difficult to determine where to start when configuring security. In fact, defining security for your WebLogic Server deployment may be an iterative process. Although more than one sequence of steps may work, BEA Systems recommends the following procedure:
system
User to protect your WebLogic Server deployment. See Changing the System Password.
For a complete description of WebLogic Server security features, see Introduction to WebLogic Security and Security Fundamentals.
Note: All configuration steps in this topic are based on the use of the Administration Console.
For information about assigning security roles to WebLogic EJBs, see WebLogic Server 6.1 Deployment Properties.
For information about security in WebLogic web applications, see Assembling and Configuring Web Applications.
During installation you specify a password for the system
User. The specified password is associated with the system
User in WebLogic Server and is stored in the fileRealm.properties
file in the \wlserver6.1\config\
domain
directory where domain
is the name specified as the WebLogic Administration domain name during installation. The specified password corresponds to the Administration Server for the domain and all the Managed Servers associated with that Administration Server.
Note: The system
User is the only user account under which WebLogic Server can be started.
The password of the system
User is encrypted and is further protected when WebLogic Server applies a hash to it. To improve security, BEA recommends frequently changing the system password that was set during installation. Each WebLogic Server deployment must have a unique password.
To change the system password, do the following:
system
in the Name attribute field.
When you use an Administration Server and Managed Servers in a domain, the Managed Server must always use the password for the Administration Server in the domain. Always change the password for the Administration Server through the Administration Console. After changing the password, restart all servers in the domain. The process is as follows:
Maintaining the secrecy of WebLogic passwords is critical to keeping your WebLogic Server deployment and data secure. For your protection, BEA recommends keeping the password of WebLogic Server secret.
This section describes configuring a security realm for your WebLogic Server deployment. For an introduction of security realms and how they are used in WebLogic Server, see Security Realms in Programming WebLogic Security. The following sections describe specifying a security realm:
Configuring the File Realm
By default WebLogic Server is installed with the File realm in place. Before using the File realm, you need to define several attributes that govern the use of the File realm. You set these attributes on the Filerealm tab in the Security window of the Administration Console.
The following table describes each attribute on the Filerealm tab.
Table 14-1 File Realm Attributes
Use the Manage Caching Realm button to clear the user, group, and ACL caches.
Caution: If the fileRealm.properties
file becomes corrupted or is destroyed, you must reconfigure the security information for WebLogic Server. WebLogic Server cannot boot without a fileRealm.properties
file.
The fileRealm.properties
file contains default ACLs used to boot WebLogic Server. Even if you write a custom security realm, you still need a fileRealm.properties
file to boot WebLogic Server since the custom security realm is not initially called during the start-up sequence.
Therefore, BEA recommends that you take the following steps:
Make a backup copy of the fileRealm.properties
file and put it in a secure place.
Set the permissions on the fileRealm.properties
file such that the administrator of the WebLogic Server deployment has write and read privileges and no other users have any privileges.
Note: Also make a backup copy of the SerializedSystemIni.dat
file for the File realm. For more information about the SerializedSystemIni.dat
file, see Protecting Passwords.
If, instead of the File realm, you want to use one of the alternate security realms provided by WebLogic Server or a custom security realm, set the attributes for the desired realm and reboot WebLogic Server.
Caution: If you use one of the alternate security realms, you must configure and enable the Caching realm; otherwise the alternate security realm will not work.
For more information about security realms in WebLogic Server, see Security Realms.
The Caching realm works with the File realm, alternate security realms, or custom security realms to fulfill client requests with the proper authentication and authorization. The Caching realm stores the results of both successful and unsuccessful realm lookups. It manages separate caches for Users, Groups, permissions, ACLs, and authentication requests. The Caching realm improves the performance of WebLogic Server by caching lookups, thereby reducing the number of calls into other security realms. For more information about security realms in WebLogic Server, see Security Realms.
The Caching realm is installed automatically when you install WebLogic Server: the cache is set up to delegate to the other security realms however caching is not enabled. You have to enable caching through the Administration Console.
Caution: If you use one of the alternate security realms, you must configure and enable the Caching realm; otherwise the alternate security realm will not work.
When you enable caching, the Caching realm saves the results of a realm lookup in its cache. Lookup results remain in the cache until either the specified number of seconds defined for the time-to-live (TTL) attributes has passed (the lookup result has expired) or the cache has filled. When the cache is full, new lookup results replace the oldest cached results. The TTL attributes determine how long a cached object is valid. The higher you set these attributes, the less often the Caching realm calls the secondary security realm. Reducing the frequency of such calls improves the performance. The trade-off is that changes to the underlying security realm are not recognized until the cached object expires.
Note: When you obtain an object from a security realm, the object reflects a snapshot of the object. To update the object, call the object's get()
method again. For example, the membership of a Group is set when the Group is retrieved from the security realm with a call to the getGroup()
method. To update the members of the Group, you must call the getGroup()
method again.
By default, the Caching realm operates on the assumption that the alternate security realm is case-sensitive. In a case-sensitive security realm, the owners of usernames bill
and Bill
, for example are treated as two distinct Users. The Windows NT Security realm and the LDAP Security realm are examples of security realms that are not case-sensitive. If you are using a security realm that is not case-sensitive, you must disable the CacheCaseSensitive attribute. When this attribute is set, the Caching realm converts usernames to lowercase so that WebLogic Server gives correct results for the security realm when it performs case-sensitive comparisons. When defining or referencing Users or Groups in a case-sensitive security realm, type usernames in lowercase.
To configure the Caching realm:
The following table describes the attributes you set on the General tab.
Table 14-2 Caching Realm Attributes on the General Tab
The following table describes the attributes you set on the ACL tab.
The following table describes the attributes you set on the Authentication tab.
The following table describes the attributes you set on the Group tab.
The following table describes the attributes you set on the User tab.
The following table describes each attribute on the Permission tab.
Configuring the LDAP Security Realm
The LDAP security realm provides authentication through a Lightweight Directory Access Protocol (LDAP) server. This server allows you to manage all the users for your organization in one place: the LDAP directory. The LDAP security realm supports Open LDAP, Netscape iPlanet, Microsoft Site Server, and Novell NDS.
In this release of WebLogic Server, you can choose between two versions of the LDAP security realm:
getUsers()
or getGroups()
due to the fact that allocating memory to fulfill those requests can cause a denial of service vulernability. If you want to use those functions, BEA recommends using LDAP realm V1 When running Windows 2000, BEA recommends using LDAP realm V2 to authenticate against the Windows 2000 User and Group store.
Note: When using LDAP realm V1 you can view Users and members of a Group stored in the LDAP directory server through the Administration Console. However, when using LDAP realm V2, you can only view the Groups stored in the LDAP directory server through the Administration Console.
You need to use the administration tools available with the LDAP server to manage Users and Groups (for example, adding or deleting Users or Groups or adding members to Groups). If you make a change in the LDAP directory store, reset the User cache and the Group cache to immediately view your changes in the Administration Console.
The following suggestions are ways to improve the performance of the LDAP Security realm:
ldaprealm.props
file to obtain smaller and more specific results sets from the LDAP server (supported for LDAP realm V2 only).
Configuring the LDAP security realm involves defining attributes that enable the LDAP Security realm in WebLogic Server to communicate with the LDAP server and attributes that describe how Users and Groups are stored in the LDAP directory. The LDAP tree and schema is different for every LDAP server. Therefore, the LDAP realm V2 provides a set of templates that define default attributes for the supported LDAP servers.
Restrictions When Using the LDAP Security Realm
The LDAP security realm has the following restrictions:
NTGroups
with a default Group named Administrators
, which is empty. By default, WebLogic Server also provides a Group called Administrators
that contains a member System
which is the User under which WebLogic Server is started. If you use the defaults in Microsoft Site Server and start creating your own Groups under the default organizational unit, WebLogic Server will not start. In order to start WebLogic Server with the LDAP security realm, you need to create your own unique organizational unit in the LDAP directory and create Groups for your WebLogic Server deployment under that organizational unit.
getGroups()
method for large numbers of groups (more than 300). This problem is due to caching bugs in Open LDAP.
Locating Users and Groups in the LDAP Directory
The LDAP security realm needs to know where the Users and Groups are stored in the LDAP directory used with the security realm. This is done by specifying the distinguished names (DNs) of the LDAP directories that contain the Users and Groups.
In LDAP, a DN starts with a leaf node and goes to the root node. For example:
root | | | o=acme.com | | | ou=Groups
The DN for this branch would be specified as ou=Groups, o=acme.com
.
In LDAP realm V1, you specify DNs via the GroupDN and UserDN attributes when configuring the security realm. However, you must reverse the DNs. For example, the sample DN would be specified as groupDN="o=acme.com, ou=Groups"
.
In LDAP realm V2, you specify DNs by adding user.dn
and group.dn
properties to the Configuration attribute of the CustomRealm MBean. Unlike LDAP realm V1, you do not have to reverse the DN. For example, the user.dn
and group.dn
properties for a LDAP realm V2 are specified as follows:
ConfigurationData="..., group.dn=ou=Groups, o=acme.com, ..."
A common error when switching between the LDAP realm V1 and LDAP realm V2 is copying over the reverse DNs thus causing the LDAP security realm to stop working. Check your DN specifications when migrating from LDAP realm V1 to LDAP realm V2.
Configuring an LDAP Realm V1
To use the LDAP Security realm V1 instead of the File realm:
The name of the class that implements the LDAP Security realm is displayed.
The following table describes the attributes you set on the LDAP Realm V1 tab.
The following table describes the attributes you set on the Users tab.
The following table describes the attributes you set on the Groups tab.
Note: When you use an LDAP Security realm, you must configure and enable the Caching realm; otherwise, the LDAP Security realm will not work.
When configuring the Caching realm, select LDAP Realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP Realm V1).
Note: When you use an LDAP Security realm, you must configure and enable the Caching realm; otherwise, the LDAP Security realm will not work.
The Caching realm caches Users and Groups internally to avoid frequent lookups in the LDAP directory. Each object in the Users and Groups caches has a TTL attribute that you set when you configure the Caching realm. If you make changes in the LDAP directory, those changes are not reflected in the LDAP Security realm until the cached object expires or is flushed from the cache. The default TTL is 10 seconds for unsuccessful lookups and 60 seconds for successful lookups. Unless you change the TTL attributes for the User and Group caches, changes in the LDAP directory should be reflected in the LDAP Security realm in 60 seconds.
If some server-side code has performed a lookup in the LDAP Security realm, such as a getUser()
call on the LDAP Security realm, the object returned by the realm cannot be released until the code releases it. Therefore, a User authenticated by WebLogic Server remains valid as long as the connection persists, even if you delete the user from the LDAP directory.
Configuring an LDAP Realm V2
Configuring the LDAP Realm V2 involves defining attributes that enable the security realm to communicate with the LDAP server and describe where users and groups are stored in the LDAP directory. The LDAP tree and schema is different for every LDAP server. WebLogic Server provides templates for the supported LDAP servers. These templates specify default configuration information used to represent Users and Groups in each of the supported LDAP servers. For more information, see Supported LDAP Server Templates.
To configure a LDAP security realm V2, you choose the template that corresponds to the LDAP server you want to use and modify it to specify information about your specific configuration.
To use a LDAP Security realm V2:
The configuration window for the chosen LDAP server appears.
server.host
—The host name of the LDAP server.
server.port
—The port number on which the LDAP server listens.
useSSL
—Specifies whether or not to use SSL to protect communications between the LDAP server and WebLogic Server. Set the value to true
to enable the use of SSL.
server.principal
—The LDAP user used by WebLogic Server to connect to the LDAP server.
server.credential
—The password of the LDAP user used by WebLogic Server to connect to the LDAP server.
user.dn
—The base DN of the tree in the LDAP directory that contains users.
user.filter
—The LDAP search filter for finding a user given the name of the user.
group.dn
—The base DN of the tree in the LDAP directory that contains groups.
group.filter
—The LDAP search filter for finding a group given the name of the group.
membership.filter
—The LDAP search filter for finding the members of a group given the name of the group.
For more information, see Supported LDAP Server Templates.
Note: When using the LDAP v2 realm for Microsoft Site server, you must also specify membership.search=true
and the following must be added to the user.filter
value so that Microsoft Site server does not authenticate disabled users:
user.filter=(&(sAMAccountName=%u)(objectclassname=user)
(!userAccountControl:1.2.840.113556.1.4.803:=2))
Note: When you use an LDAP Security realm, you must configure and enable the Caching realm; otherwise, the LDAP Security realm will not work.
When configuring the Caching realm, select the defaultLDAPRealmforLDAPserver (for example, defaultLDAPRealmforOpenLDAPDirectoryServices) from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP Realm).
Supported LDAP Server Templates
Listing 14-1 through Listing 14-5 are templates used to configure LDAP servers supported by the LDAP V2 Realm.
Warning: Each line in the following code examples must appear on a single line. The code in the code examples has been formatted to fit the margins of this document and some lines have been broken to facilitate that formatting.
Listing 14-1 Default Netscape Directory Server Template
<CustomRealmName="defaultLDAPRealmForNetscapeDirectoryServer" RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm" ConfigurationData= "server.host=ldapserver.example.com; server.port=700; useSSL=true; server.principal=uid=admin, ou=Administrators,ou=TopologyManagement,o=NetscapeRoot; server.credential=*secret*; user.dn=ou=people,o=beasys.com; user.filter=(&(uid=%u)(objectclass=person)); group.dn=ou=groups,o=beasys.com; group.filter=(&(cn=%g)(objectclass=groupofuniquenames)); membership.filter=(&(uniquemember=%M) (objectclass=groupofuniquenames)); "Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>
Listing 14-2 Default Microsoft Site Server Template
<CustomRealmName="defaultLDAPRealmForMicrosoftSiteServer" RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm" ConfigurationData= "server.host=ldapserver.example.com; server.port=700; useSSL=true; server.principal=cn=Administrator,ou=Members, o=ExampleMembershipDir; server.credential=*secret* user.dn=ou=Members, o=ExampleMembershipDir; user.filter=(&(cn=%u)(objectclass=member)(!userAccountControl:1.2.840.113556.1.4.803:=2)))
; group.dn=ou=Groups, o=ExampleMembershipDir; group.filter=(&(cn=%g)(objectclass=mgroup)); membership.scope.depth=1;microsoft.membership.scope=sub; membership.filter=(|(&(memberobject=%M) (objectclass=memberof))(&(groupobject=%M) (objectclass=groupmemberof))); membership.search=true;
"Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>
Listing 14-3 Default Novell Directory Services Template
<CustomRealmName="defaultLDAPRealmForNovellDirectoryServices" RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm" ConfigurationData= "server.host=ldapserver.example.com; server.port=700; useSSL=true; server.principal=cn=Admin, DC=BEASYS server.credential= *secret*; user.dn=ou=people,o=example.com; user.filter=(&(cn=%u)(objectclass=person)); group.dn=ou=groups,o=example.com; group.filter=(&(cn=%g)(objectclass=groupofuniquenames)); membership.filter=(&(member=%M) (objectclass=groupofuniquenames));"
"Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>
Listing 14-4 Default Open LDAP Directory Services Template
<CustomRealmName="defaultLDAPRealmForOpenLDAPDirectoryServices" RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm" ConfigurationData= "server.host=ldapserver.example.com; server.port=700; useSSL=true; server.principal=cn=Manager, dc=example, dc=com; server.credential= *secret*; user.dn=ou=people, dc=example,dc=com; user.filter=(&(uid=%u)(objectclass=person)); group.dn=ou=groups,dc=example,c=com; group.filter=(&(cn=%g)(objectclass=groupofuniquenames)); membership.filter=(&(uniquemember=%M) (objectclass=groupofuniquenames));" "Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>
Using Microsoft Active Directory with WebLogic Server
By default, WebLogic Server does not support Microsoft Active Directory LDAP server. To use Microsoft Active Directory with WebLogic Server, perform the following steps:
The configuration window for the chosen LDAP server appears.
server.host
—The host name of the LDAP server.
server.port
—The port number on which the LDAP server listens.
useSSL
—Specifies whether or not to use SSL to protect communications between the LDAP server and WebLogic Server. Set the value to true
to enable the use of SSL.
server.principal
—The LDAP user used by WebLogic Server to connect to the LDAP server.
server.credential
—The password of the LDAP user used by WebLogic Server to connect to the LDAP server.
user.dn
—The base DN of the tree in the LDAP directory that contains users.
user.filter
—The LDAP search filter for finding a user given the name of the user.
group.dn
—The base DN of the tree in the LDAP directory that contains groups.
group.filter
—The LDAP search filter for finding a group given the name of the group.
membership.filter
—The LDAP search filter for finding the members of a group given the name of the group.
WebLogic Server authenticates by binding to the LDAP server and passing the DN and password of the user. Even if you have disabled a user account by setting the LDAP userAccountControl
attribute to ACCOUNTDISABLE
, the authentication will succeed unless you have modified the user.filter
value to ignore accounts that have been disable. Modify the user.filter
value to only return accounts that do not have the UF_ACCOUNTDISABLE
bit set. For example:
user.filter=(&(sAMAccountName=%u)(objectclassname=user)
(!userAccountControl:1.2.840.113556.1.4.803:=2))
When specifying the group.filter
value, CN
must be specified as CN=%G
otherwise the filter fails to find the members of a group.
Note: When you use an LDAP Security realm, you must configure and enable the Caching realm; otherwise, the LDAP Security realm will not work.
When configuring the Caching realm, select the defaultLDAPRealmforLDAPserver (for example, defaultLDAPRealmforOpenLDAPDirectoryServices) from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP Realm).
Configuring the Windows NT Security Realm
The Windows NT Security realm uses account information defined for a Windows NT domain to authenticate Users and Groups. You can view Users and Groups in the Windows NT Security realm through the Administration Console, but you must manage Users and Groups through the facilities provided by Windows NT.
The Windows NT Security realm provides authentication (Users and Groups) but not authorization (ACLs). To update the ACL information in the filerealm.properties
file that WebLogic Server uses, click the Refresh button on the General tab in the Security node after you change an ACL. If you use Groups with your ACLs, you can reduce the frequency with which you must refresh the information in WebLogic Server. Changing the members of a Windows NT Group allows you to manage individual Users' access to WebLogic Server resources dynamically.
It is possible to use the Windows NT Security realm to authenticate against a Windows 2000 Active Directory primary domain controller. However, the authentication must be from a machine which is a member of the domain not the domain controller itself. There is no way to authenticate to the local User and Group store if the machine running the Windows NT Security realm is a member of another domain.
The Windows NT Security realm can be run on the primary domain controller, on a machine that is a member of a Windows NT domain, or on a machine that is a member of the Windows NT domain and wants to use a mutually trusted domain.
To use the Windows NT Security realm:
The following table describes the attributes you set in the NT Realm Configuration window.
Note: When you use an Windows NT Security realm, you must configure and enable the Caching realm; otherwise, the Windows NT Security realm will not work.
When configuring the Caching realm, select your Windows NT Security realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the Windows NT Security realm).
Note: When you use an Windows NT Security realm, you must configure and enable the Caching realm; otherwise, the Windows NT Security realm will not work.
Use the following command to verify that you have the correct privileges to run WebLogic Server as the specified Windows NT user:
java weblogic.security.ntrealm.NTRealm
username
password
where username
and password
are the username and password of the Windows NT account under which WebLogic Server runs.
The output from this command will tell if the specified username and password authenticated properly.
Command Output |
Meaning |
---|---|
|
The entered username and password authenticated correctly. |
|
The entered username and password did not authenticate properly. |
If the test comes up with an immediate failure stating that the client or user running WebLogic Server does not have the privileges to run the Windows NT Security realm, you need to update the permissions (referred to as rights) for the Windows user running WebLogic Server.
To update the rights in Windows NT:
To update the rights in Windows 2000:
The following are common Windows NT error codes that occur when using the Windows NT Security realm:
A full explanation of the Windows NT error codes is found in the winerror.h
file.
Configuring the UNIX Security Realm
Note: The UNIX Security realm runs only on the Solaris platform.
The UNIX Security realm executes a small native program, wlauth
, to look up Users and Groups and to authenticate Users on the basis of their UNIX login names and passwords. The wlauth
program uses PAM (Pluggable Authentication Modules) which allows you to configure authentication services in the operating system without altering applications that use the service.
In UNIX, a user is defined as a member of a group in the following ways:
etc/passwd
.
etc/group
entry for a specific group. The UNIX Security realm supports only this method of determining the members of a group.
After you change an ACL, click the Refresh button on the General tab in the Security to update the information in the filerealm.properties
file that WebLogic Server uses. If you use Groups with your ACLs, you can reduce the frequency with which you must refresh the information in WebLogic Server. Changing the members of a UNIX Group allows you to manage individual Users' access to WebLogic Server resources dynamically.
It is possible to run wlauth
to verify authentication. At a UNIX command prompt:
If the command returns a 0, the authentication check was successful. If the command returns a 1, the authentication check failed.
To use the UNIX Security realm:
The following table describes the attributes you set in the UNIX Realm Create window.
Note: When you use an UNIX Security realm, you must configure and enable the Caching realm; otherwise, the UNIX Security realm will not work.
When configuring the Caching realm, select your UNIX Security realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the UNIX Security realm).
Note: When you use an UNIX Security realm, you must configure and enable the Caching realm; otherwise, the UNIX Security realm will not work.
If wlauth
is not in the WebLogic Server class path or if you have given the program a name other than wlauth
, you must add a Java command-line property when you start WebLogic Server. Edit the script you use to start WebLogic Server and add the following option after the java
command:
-Dweblogic.security.unixrealm.authProgram=
wlauth_prog
Replace wlauth_prog
with the name of the wlauth
program, including the full path if the program is not in the search path. Start WebLogic Server. If the wlauth
program is in the WebLogic Server path and is named wlauth
, this step is not needed.
Configuring the RDBMS Security Realm
The RDBMS Security realm is a BEA-provided custom security realm that stores Users, Groups and ACLs in a relational database.The RDBMS Security realm is an example and is not ment to be used in a production environment. You can perform the following managment functions on the RDBMS Security realm through the Administration Console:
SQL scripts that populate a database are used to create Groups for the RDBMS Security realm
The RDBMS Security realm can be used as a starting point for creating a production security realm. You can extend the RDBMS Security realm by using the following interfaces in the weblogic.security.acl
package to add management capabilities to the RDBMS Security realm:
ManageableRealm
—Create Groups, create and delete ACLs, and perform lookups of Users, Groups, and ACLs.
User
—Change the password.
ACL
—Add and remove permissions for Users and Groups.
If you extend the RDBMS Security realm with any of these interfaces, you may also need to update the database schema.
Note: The RDBMS example does not work with databases that have an autocommit feature enabled. If you use the RDBMS example as a starting point for your RDBMS implementation, use explicit commit statements in your code and make sure the autocommit feature in the database you are using is disabled.
To use the RDBMS Security realm:
The following table describes the attributes you set on the General tab.
The following table describes the attributes you set on the Database tab.
Listing 14-5 contains the database statements entered in the Schema properties for the RDBMS code example shipped with WebLogic Server in the /samples/examples/security/rdbmsrealm
directory.
Listing 14-5 Sample Schema for RDBMS Security Realm
"getGroupNewStatement=true;getUser=SELECT U_NAME, U_PASSWORD FROM users WHERE U_NAME = ?; getGroupMembers=SELECT GM_GROUP, GM_MEMBER from groupmembers WHERE GM_GROUP = ?; getAclEntries=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries WHERE A_NAME = ? ORDER BY A_PRINCIPAL; getUsers=SELECT U_NAME, U_PASSWORD FROM users; getGroups=SELECT GM_GROUP, GM_MEMBER FROM groupmembers; getAcls=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries ORDER BY A_NAME, A_PRINCIPAL; getPermissions=SELECT DISTINCT A_PERMISSION FROM aclentries; getPermission=SELECT DISTINCT A_PERMISSION FROM aclentries WHERE A_PERMISSION = ?; newUser=INSERT INTO users VALUES ( ? , ? ); addGroupMember=INSERT INTO groupmembers VALUES ( ? , ? ); removeGroupMember=DELETE FROM groupmembers WHERE GM_GROUP = ? AND GM_MEMBER = ?; deleteUser1=DELETE FROM users WHERE U_NAME = ?; deleteUser2=DELETE FROM groupmembers WHERE GM_MEMBER = ?; deleteUser3=DELETE FROM aclentries WHERE A_PRINCIPAL = ?; deleteGroup1=DELETE FROM groupmembers WHERE GM_GROUP = ?; deleteGroup2=DELETE FROM aclentries WHERE A_PRINCIPAL = ?"
Note: When you use an RDBMS Security realm, you must configure and enable the Caching realm; otherwise, the RDBMS Security realm will not work.
When configuring the Caching realm, select the RDBMS Security realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the RDBMS Security realm).
Note: When you use an RDBMS Security realm, you must configure and enable the Caching realm; otherwise, the RDBMS Security realm will not work.
Installing a Custom Security Realm
You can create a custom security realm that draws from an existing store of Users such as directory server on the network. To use a custom security realm, you create an implementation of the weblogic.security.acl.AbstractListableRealm
interface or the weblogic.security.acl.AbstractManageableRealm
interface and then use the Administration Console to install your implementation.
To install a custom security realm:
The following table describes the attributes you set on the Custom Security Realm Configuration window.
Note: When you use an custom security realm, you must configure and enable the Caching realm; otherwise, the custom security realm will not work.
When configuring the Caching realm, select the Custom Security realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the custom security realm.
Note: When you use an custom security realm, you must configure and enable the Caching realm; otherwise, the custom security realm will not work.
For information about writing a custom security realm, see Writing a Custom Security Realm.
Migrating Security Realms
WebLogic Server provides a management architecture for security realms. The management architecture implemented through MBeans allows you to manage security realms through the Administration Console. If you have a security realm from a previous release of WebLogic Server, use the following information to migrate to the new architecture:
\samples\examples\security\rdbmsrealm
directory as a guide to converting your RDBMS security realm. Once you have converted your RDBMS security realm to MBeans, follow the instructions inConfiguring the RDBMS Security Realm to define information about the JDBC driver being used to connect to the database and the schema used by the security realm.
Note: This section explains how to add Users to the File realm. If you are using an alternate security realm, you must use the administration tools provided in that realm to define a User.
User and group names must be unique. You can use multibyte characters and all special characters except a comma (,
) in user and group names.
Users are entities that can be authenticated in a WebLogic Server security realm. A User can be a person or a software entity, such as a Java client. Each User is given a unique identity within a WebLogic Server security realm. As a system administrator you must guarantee that no two Users in the same security realm are identical.
Defining Users in a security realm involves specifying a unique name and password for each User that will access resources in the WebLogic Server security realm in the Users window of the Administration Console.
WebLogic Server has two special users, system
and guest
:
system
User is the administrative user who controls system-level WebLogic Server operations, such as starting and stopping servers, and locking and unlocking resources. The system
User and its password are defined during the WebLogic Server installation procedure. As a security precaution, BEA recommends changing the password for the system
User. For more information, see Changing the System Password.
guest
User is automatically provided by WebLogic Server. When authorization is not required, WebLogic Server assigns the guest
identity to a client, thus giving the client access to any resources that are available to the guest
user. A client can log in as the guest
User by entering guest
as the username and guest
as the password when prompted by a Web browser or by supplying the guest
username and password in a Java client. By default, the guest
account is enabled.
For a more secure deployment, BEA recommends running WebLogic Server with the guest
account disabled. To disable the guest
account, select the Guest Disabled attribute on the General tab of the Security Configuration window. Disabling the guest
account just disables the ability to log in into the account guest
; it does not disable the ability for unauthenticated users to access a WebLogic Server deployment.
Warning: Be advised it is still possible to access a deployment through an anonymous user if the ACLs on the anonymous user are not set properly. Set ACLs so that unauthorized access is not possible.
The system
and guest
Users are like other Users in a WebLogic Server security realm:
To define a User:
The User Configuration window appears.
To delete a User:
To change the password of a User:
While using WebLogic Server, you may have Users that are locked. Perform the following steps to unlock a User:
For more information about Users and the access control model in WebLogic Server, see Introduction to WebLogic Security and Security Fundamentals.
Note: This section describes how to add Groups to the File realm. If you are using an alternate security realm, you need to use the management tools provided in that realm to define a Group.
User and group names must be unique. You can use multibyte characters and all special characters except a comma (,
) in user and group names.
A Group represents a set of Users who usually have something in common, such as working in the same department in a company. Groups are a means of managing a number of Users in an efficient manner. When a Group is granted a permission in an ACL, all members of the Group effectively receive that permission. BEA recommends assigning permissions to Groups rather than to individual Users.
By default, WebLogic Server has the following Groups:
everyone
Group.
guest
user are automatically members of the users
Group.
system
User is a member of the Administrators
Group. This Group should be given the permissions appropriate for a user responsible for starting and stopping servers and maintaining a running WebLogic Server deployment. Access to this group should be limited.
You can register a Group with the WebLogic Server security realm by performing the following steps:
The Group Configuration window appears.
To delete Groups, enter the name of the Group in the Remove These Groups list box on the Group Configuration window and click Remove.
For more information about Groups and the access control model in WebLogic Server, see Introduction to WebLogic Security and Security Fundamentals.
Users access resources in a WebLogic Server security realm. Whether or not a User can access a resource is determined by the access control lists ACLs for that resource. An ACL defines the permissions by which a User can interact with the resource. To define ACLs, you create an ACL for a resource, specify the permission for the resource and then grant the permission to a specified set of Users and Groups. BEA recommends assigning ACLs to Groups.
Each WebLogic Server resource has one or more permissions that can be granted. The following table summarizes the functions for various WebLogic Server resources for which permissions can be restricted with an ACL.
Note: When you specify an ACL for a JDBC connection pool, you must specifically define access to the JDBC connection pool for the system
and guest
user in the filerealm.properties
file. For example:
acl.reserve.poolforsecurity=system, guest
acl.reset.poolforsecurity=system, guest
To create ACLs for a WebLogic Server resource, open the Administration Console and perform the following steps:
The ACL Configuration window appears.
For example, create an ACL for a JDBC connection pool named demopool
.
You can either create separate ACLs for each permission available for a resource or one ACL that grants all the permissions for a resource. For example, you can create three ACLs for the JDBC connection pool, demopool
: one with reserve
permission, one with reset
permission, and one with shrink
permission. Or you can create one ACL with reserve
, reset
, and shrink
permissions.
When creating ACLs for resources in WebLogic Server you need to use the syntax in Table 14-16 to refer to the resource.
If you modify an existing ACL, click the Refresh button on the General tab in the Security node to update the information in the filerealm.properties
file that WebLogic Server uses.
Before you can boot WebLogic Server, you need to give boot permission for the server to a specific Group. This security measure prevents unauthorized users from booting WebLogic Server.
By default, only the system user can modify MBeans. BEA recommends limiting the number of users that can access and modify MBeans. Use the following ACL to access to all the WebLogic Server MBeans:
access.weblogic.admin.mbean=
Group or User name
If a user or group fails in an attempt to access a MBean, a weblogic.management.NoAccessRuntimeException
is returned. The server log contains the details indicating which user attempted to access what MBean.
Before you can grant permissions to Users or Groups through the Administration Console, you need to give the Administrators Group the following permission:
acl.modify.weblogic.admin=Administrators
The following sections describe how to obtain digital certificates and configure the SSL protocol:
For a complete description of the SSL Protocol, see Introduction to WebLogic Security and Security Fundamentals.
This release of WebLogic Server supports SSL v3.0.
Obtaining a Private Key and Digital Certificate
You need a private key and digital certificate for each deployment of WebLogic Server that will use the SSL protocol. To acquire a digital certificate from a certificate authority, you must submit your request in a particular format called a Certificate Signature Request (CSR). WebLogic Server includes a Certificate Request Generator servlet that creates a CSR. The Certificate Request Generator servlet collects information from you and generates a private key file and a certificate request file. You can then submit the CSR to a certificate authority such as VeriSign or Entrust.net. Before you can use the Certificate Request Generator servlet, WebLogic Server must be installed and running.
Note: If you obtain a private key file from a source other than the Certificate Request Generator servlet, verify that the private key file is in PKCS#5/PKCS#8 PEM format.
To generate a CSR, perform the following steps:
.war
file for the servlet is located in the \wlserver6.1\config\\applications
directory. The .war
file is automatically installed when you start WebLogic Server.
https://
hostname:port
/certificate/
The components of this URL are defined as follows:
hostname
is the DNS name of the machine running WebLogic Server.
port
is the number of the port at which WebLogic Server listens for SSL connections. The default is 7002.
For example, if WebLogic Server is running on a machine named ogre
and it is configured to listen for SSL communications at the default port 7002
to run the Certificate Request Generator servlet, you must enter the following URL in your Web browser:
https://ogre:7002/certificate/
The Certificate Request Generator servlet displays messages informing you if any required attributes are empty or if any attributes contain invalid values. Click the Back button in your browser and correct any errors.
When all attributes have been accepted, the Certificate Request Generator servlet generates the following files in the startup directory of your WebLogic Server:
www__com-key.der
—The private key file. The name of this file should go into the Server Key File Name attribute field on the SSL tab in the Administration Console.
www__com-request.dem
—The certificate request file, in binary format.
www__com-request.pem
—The CSR file that you submit to the certificate authority. It contains the same data as the .dem
file but is encoded in ASCII so that you can copy it into e-mail or paste it into a Web form.
BEA WebLogic Server
to ensure that you receive a digital certificate that is compatible with WebLogic Server.
\wlserver6.1\config\
directory.
For more information about configuring the SSL protocol, see Defining Attributes for the SSL Protocol.
-Dweblogic.management.pkpassword=
password
where password
is the password for the private key.
Storing Private Keys and Digital Certificates
Once you have a private key and digital certificate, copy the private key file generated by the Certificate Request Generator servlet and the digital certificate you received from the certificate authority into the \wlserver6.1\config\
directory.
Private key files and digital certificates are generated in either PEM or Definite Encoding Rules (DER) format. The filename extension identifies the format of the digital certificate file.
A PEM (.pem)
format private key file begins and ends with the following lines, respectively:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
A PEM(.pem)
format digital certificate begins and ends with the following lines, respectively:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Note: Your digital certificate may be one of several digital certificates in the file, each of which is bounded by the BEGIN CERTIFICATE
and END CERTIFICATE
lines. Typically, the digital certificate file for a WebLogic Server is in one file, with either a .pem
or .der
extension, and the WebLogic Server certificate chain is in another file. Two files are used because different WebLogic Servers may share the same certificate chain.
The first digital certificate in the certificate authority file is the first digital certificate in the WebLogic Server's certificate chain. The next certificates in the file are the next digital certificates in the certificate chain. The last certificate in the file is a self-signed digital certificate that ends the certificate chain.
A DER (.der)
format file contains binary data. WebLogic Server requires that the file extension match the contents of the certificate file so be sure to save the file you receive from your certificate authority with the correct file extension.
Assign protections to the private key file and digital certificates so that only the system
User of WebLogic Server has read privileges and all other users have no privileges to access the private key file or digital certificate. If you are creating a file with the digital certificates of multiple certificate authorities or a file that contains a certificate chain, you must use PEM format. WebLogic Server provides a tool to for converting DER-format files to PEM format, and visa versa. For more information, see WebLogic Utilities.
Defining Trusted Certificate Authorities
When establishing an SSL connection, WebLogic Server checks the identity of the certificate authority against a list of trusted certificate authorities to ensure the certificate authority currently being used is trusted.
Copy the root certificate of the certificate authority into the \wlserver6.1\config\
directory of your WebLogic Server and set the attributes described in Defining Attributes for the SSL Protocol.
If you want to use a certificate chain, append the additional PEM-encoded digital certificates to the digital certificate of the certificate authority that issued the digital certificate for WebLogic Server. The last digital certificate in the file should be a digital certificate that is self-signed (that is, the rootCA certificate).
If you want to use mutual authentication, take the root certificates for the certificate authorities you want to accept and include them to the trusted CA file.
Defining Attributes for the SSL Protocol
The Secure Sockets Layer (SSL) protocol provides secure connections by allowing two applications connecting over a network connection to authenticate the other's identity and by encrypting the data exchanged between the applications. The SSL protocol provides server authentication and optionally client authentication, confidentiality, and data integrity.
To define attributes for the SSL protocol, perform the following steps:
Note: If you are using a PKCS-8 protected private key, you need to specify the password for the private key on the command line when you start WebLogic Server.
The following table describes each attribute on the SSL tab of the Server Configuration window.
Attribute |
Description |
---|---|
Enabled |
Enables the use of the SSL protocol. By default, this attribute is enabled. |
Listen Port |
Number of the dedicated port on which WebLogic Server listens for SSL connections. The default is 7002. |
Server Key File Name |
Directory location and name of the private key file for WebLogic Server. Start the directory location needs at the root of the WebLogic Server installation. For example: The file extension ( |
Server Certificate File Name |
Full directory location and name of the digital certificate file that establishes the identity of WebLogic Server. Start the directory location at the root of the WebLogic Server installation. For example: The file extension ( |
Server Certificate Chain File Name |
Full directory location of the digital certificate used to sign the digital certificate for WebLogic Server. Start the directory location at the root of the WebLogic Server installation. For example: The file extension ( When using a certificate chain with WebLogic Server, the file should contain as its first member the digital certificate used to sign the digital certificate for WebLogic Server, the second member should contain a digital certificate used to sign the first digital certificate in the file and so on. The last digital certificate in the file should be self-signed. The Server Certificate Chain File Name attribute is required to have at least one digital certificate. If there is only one digital certificate in the file, the digital certificate must be self-signed (i.e., it must be a root CA digital certificate). When obtaining a digital certificate from a certificate authority, you should receive the digital certificate of the certificate authority and other immediate digital certificates from the certificate authority. |
Client Certificate Enforced |
Defines whether or not clients must present digital certificates from a trusted certificate authority to WebLogic Server. |
Trusted CA File Name |
Name of the file that contains the digital certificate for the certificate authorities trusted by WebLogic Server. The file specified in this attribute can contain a single digital certificate or multiple digital certificates for certificate authorities. The file extension ( |
CertAuthenticator |
Name of the Java class that implements the CertAuthenticator interface. For more information about using the |
Key Encrypted |
Specifies that the private key for WebLogic Server is encrypted with a password. The default is false. If you specify this attribute, you need to use protected keys with WebLogic Server. Also, when you boot WebLogic Server, use the following command-line option to start WebLogic Server. -Dweblogic.management.pkpassword=password where |
Use Java |
When selected, enables the use of native Java libraries. WebLogic Server provides a pure-Java implementation of the SSL protocol: native Java libraries enhance the performance for SSL operations on the Solaris, Windows NT, and IBM AIX platforms. By default, this attribute is not enabled. |
Handler Enabled |
Specifies whether or not WebLogic Server rejects SSL connections that fail client authentication for one of the following reasons:
By default, the SSL Handler allows one WebLogic Server instance to make outgoing SSL connections to another WebLogic Server instance. For example, an EJB in a WebLogic Server may open an HTTPS stream on another Web server. With the Disable this attribute only if you want to provide your own implementation for outgoing SSL connections. Note: The SSL Handler has no effect on the ability of WebLogic Server to manage incoming SSL connections. |
Export Key Lifespan |
Number of times WebLogic Server uses an exportable key between a domestic server and an exportable client before generating a new one. The more secure you want WebLogic Server to be, the fewer times the key should be used before a new one is generated. The default is to use it 500 times. |
Login Timeout Millis |
Number of milliseconds that WebLogic Server should wait for an SSL connection before timing out. SSL connections take longer to negotiate than regular connections. If clients are connecting over the Internet, raise the default number to accommodate additional network latency. The default value is 25,000 milliseconds. |
Certificate Cache Size |
Number of digital certificates that are tokenized and stored by WebLogic Server. The default is 3. |
Ignore HostName Verification |
Disables the default Host Name Verifier. The Host Name Verifier compares the Subject DN of a digital certificate to the host name of the server that initiated the SSL connection. Check this attribute if you do not want host name verification performed (for example, if you are using the demonstration digital certificates shipped with WebLogic Server). Disabling this attribute leaves WebLogic Server vulnerable to man-in-the-middle attacks. BEA does not recommend using the demonstration digital certificates or disabling host name verification in any type of production environment. |
HostName Verifier |
Name of the Java class that implements the Host Name Verifier interface. For more information about using the |
Note: In previous releases of WebLogic Server, it was possible to define digital certificates that were self-signed and not validated in the Server Certificate File Name attribute (or in the weblogic.security.certificate.server
property). This was not a good security policy. Now WebLogic Server requires that both the Server Certificate File Name and the Server Certificate Chain File Name attributes be defined.
Using PKCS#7 Files
PKCS#7 files can be used with WebLogic Server. However, the certificate chain in the file must be separated into individual pb7
format files, convert the pb7
files to PEM format, and append the files into a single PEM file. Each PKCS#7 file has the following parts:
The digital certificate for the server and the trusted CA certificate need to be separated into pb7 files.
Before performing the steps in this section, verify that the file is PKCS#7 format by opening the file in a text editor and locating the following information:
"Base 64 encoded certificate with CA certificate chain in pkcs7 format"
To use the PKCS#7 file with WebLogic Server:
servername
.p7b
and CA.p7b
).
p7b
files.
A Certificates window appears.
p7b
file you want to convert.
The resulting file is in PEM format.
pb7
file.
You cannot have blank lines between digital certificates.
Modifying Parameters for SSL Session Caching
As of WebLogic Server 6.1 Service Pack 2, the SSL code includes parameters for SSL session caching. Using a cached SSL session eliminates the need for the connection to go through the SSL handshake again. The connection can simply pick up where it left off. By using a cached SSL session, an application significantly reduces the time spent establishing SSL connections, greatly improving performance. To use a cached SSL session, both the client and the server must have the ability to do SSL session caching. All browsers have the ability to do SSL session-caching.
The server-session caching is saved in the TTL Cache. For more information about TTL Cache, see Configuring the Caching Realm. The client-side SSL session cache will only hold one SSL session on the thread of execution.
SSL session caching is turned on by default. You can modify the server-session caching default size and time-to-live by using the following command line flags:
-Dweblogic.security.SSL.sessionCache.size=211 -Dweblogic.security.SSL.sessionCache.ttl=600
parameters |
min |
max |
default |
---|---|---|---|
|
1 |
65537 |
211 |
|
1 |
max Integer.MAX_VALUE |
600 |
Configuring Mutual Authentication
When WebLogic Server is configured for mutual authentication, clients are required to present their digital certificates to WebLogic Server, which validates digital certificates against a list of trusted certificate authorities.
To configure your WebLogic Server for the SSL protocol and certificate authentication, complete the procedures in Configuring the SSL Protocol section.
Copy the root certificates for the certificate authorities to be used by WebLogic Server to the \wlserver6.1\config\
directory. During mutual authentication, clients are required to present a digital certificate issued by one of these trusted certificate authorities.
To configure mutual authentication, select the Client Certificate Enforced option on the SSL tab in the Server Configuration window of the Administration Console. By default, this option is not enabled.
Configuring RMI over IIOP with SSL
You can use the SSL protocol to protect IIOP connections to RMI remote objects. The SSL protocol secures connections through authentication and encrypts the data exchanged between objects. To use the SSL protocol to protect RMI over IIOP connections, do the following:
host2ior
utility to print the WebLogic Server IOR to the console. The host2ior
utility prints two versions of the interoperable object reference (IOR), one for SSL connections and one for non-SSL connections. The header of the IOR specifies whether or not the IOR can be used for SSL connections.
For more information about using RMI over IIOP, see Programming WebLogic RMI Over IIOP.
It is important to protect the passwords that are used to access resources in WebLogic Server. In the past, usernames and passwords were stored in clear text in a WebLogic Server security realm. Now WebLogic Server hashes all passwords. When WebLogic Server receives a client request, the password presented by the client is hashed and WebLogic Server compares it to the already hashed password for matching.
Each filerealm.properties
file has an associated SerializedSystemIni.dat
file that is used to hash the passwords. During installation, the SerializedSystemIni.dat
file is put in the \wlserver6.1\config\
directory.
If for any reason the SerializedSystemIni.dat
file is corrupted or destroyed, you must reconfigure WebLogic Server.
Take the following precautions:
SerializedSystemIni.dat
file and put it in the same location as a copy of its associated filerealm.properties
file.
SerializedSystemIni.dat
file protections such that the administrator of the WebLogic Server deployment has write and read privileges and no other users have any privileges.
weblogic.properties
file with passwords that you want to hash, use the Convert weblogic.properties
option on the main window in the Administration Console to convert the weblogic.properties
file to a config.xml
file. Once the file is converted, all existing passwords are protected.
The config.xml
file no longer has clear text passwords. In place of clear text passwords, the config.xml
file has encrypted, hashed passwords. You cannot copy encrypted passwords from one domain to another. Instead, you can edit the config.xml
file and replace the existing encrypted and hashed passwords with clear text passwords and then copy the file to the new domain. The Administration Console will encrypt and hash the passwords the next time it writes to the file.
Password guessing is a common type of security attack. In this type of attack, a hacker attempts to log in to a computer using various combinations of usernames and passwords. WebLogic Server has strengthened its protection against password guessing by providing a set of attributes designed to protect passwords.
To protect the passwords in your WebLogic Server deployment, you must perform the following steps:
The following table describes each attribute on the Passwords tab.
WebLogic Server enables you to create an audit provider to receive and process notifications of security events such as authentication requests, failed or successful authorization attempts, and receipt of invalid digital certificates.
To use an audit provider, you create an implementation of the weblogic.security.audit.AuditProvider
interface. Then use the Administration Console to install and activate your implementation.
To install an audit provider, enter the name of your implementation of the AuditProvider
class in the Audit Provider Class attribute on the General tab under the Security node in the Administration Console. Reboot WebLogic Server.
For more information about writing an audit provider, see Auditing Security Events. For an example of creating a connection filter, see the LogAuditProvider example in the \samples\examples\security
directory of the WebLogic Server installation.
Installing a Connection Filter
You can create connection filters that allow you to reject or accept client connections based on a client's origin and protocol. After the client connects, and before any work is performed on its behalf, WebLogic Server passes the client's IP number and port, protocol (HTTP, HTTPS, T3, T3S, or IIOP), and WebLogic Server port number to the connection filter. By examining this information, you can choose to allow the connection or throw a FilterException
to terminate it.
To use a connection filter, you must first create an implementation of the weblogic.security.net.ConnectionFilter
interface. Then use the Administration Console to install your implementation.
To install a connection filter, enter the name of your implementation of the weblogic.security.net.ConnectionFilter
interface, in the Connection Filter attribute on the Advanced tab under Security in the Administration Console. Reboot WebLogic Server.
For information about writing a connection filter, see Filtering Network Connections. For an example of creating a connection filter, see the SimpleConnectionFilter example in the \samples\examples\security
directory of the WebLogic Server installation.
Setting Up the Java Security Manager
When you run WebLogic Server under Java 2 (JDK 1.2 or 1.3), WebLogic Server can use the Java Security Manager in Java 2 to provide additional access control for WebLogic Server resources. The Java Virtual Machine (JVM) has security mechanisms built into it that you which manage through a security policy file. The Java Security Manager can enforce a set of permissions granted to CodeSource or SignedBy classes. The permissions allow certain classes running in that instance of the JVM to do or not do certain runtime operations. In many cases, where the threat model does not include malicious code being run on the JVM, the Java Security Manager is unnecessary. In cases such as when an Application Service Provider uses WebLogic Server and unknown classes are being run, the Java Security Manager is necessary.
Note: In pre-6.0 releases of WebLogic Server, you enabled the Java Security Manager by using the -Dweblogic.security.manager
property when starting WebLogic Server. Please note the change in the property for WebLogic Server version 6.0 and greater.
To use the Java Security Manager with WebLogic Server, specify the -Djava.security.manager
property when starting WebLogic Server.
The Java Security Manager uses a security policy file that defines permissions. The full pathname of security policy is specified in the -Djava.security.policy
property when you start WebLogic Server. If you enable the Java Security Manager but do not specify a security policy file, the Java Security Manager uses the default security policies defined in the java.security
and java.policy
files in the $JAVA_HOME/lib/security
directory.
WebLogic Server includes an example security policy file named weblogic.policy
. This file contains a set of default permissions.
To use the Java Security Manager security policy file with your WebLogic Server deployment:
weblogic.policy
file, replacing the specified location with the location of your WebLogic Server installation:
grant codebase "file://BEA/-"{
permission java.io.FilePermission "D:${/}BEA${/}=", ...
Note: This change assumes your installation directory structure is the same as the one described in the BEA WebLogic Server Installation Guide.
weblogic.policy
file:
grant {
permission java.io.FilePermission "D:{/}BEA${/}wlserver6.1${/}weblogic${/}management${/}console${ /}-", "read";
permission java.io.FilePermission "D:{/}BEA${/}wlserver6.1${/}config${/}${/}applications${/}.wl_t emp_do_not_delete${/}weblogic${/}management${/}console${/}-", "read";
permission java.util.PropertyPermission "user.*", "read";
};
CLASSPATH
or if you are deploying applications in extra directories, add specific permissions for those directories to your weblogic.policy
file.
weblogic.policy
file and put the backup copy in a secure location.
weblogic.policy
file such that the administrator of the WebLogic Server deployment has write and read privileges and no other users.
weblogic.policy
file with your WebLogic Server deployment, use the following properties when starting WebLogic Server:
$java... -Djava.security.manager\
-Djava.security.policy==D:/BEA/wlserver6.1/lib/weblogic.policy
Caution: The Java security manager is partially disabled during the booting of Administration and Managed Servers. During the boot sequence, the current Java security manager is disabled and replaced with a variation of the Java security manager that has the checkRead()
method disabled. While disabling this method greatly improves the performance of the boot sequence, it also minimally diminishes security. The startup classes for WebLogic Server are run with this partially disabled Java security manager and therefore the classes need to be carefully scrutinized for security considerations involving the reading of files.
For more information about the Java Security Manager, see the Javadoc shipped with Java 2.
Modifying the weblogic.policy File for Third Party or User-Written Classes
The best location for your server-side user code is the weblogic/myserver/serverclasses
directory. If you have third party or user-written classes that are not in that directory, perform the following steps to protect them:
weblogic.policy
file from "grant codeBase..."
to the closing bracket and semicolon.
weblogic.policy
file below the section you just copied.
grant codeBase
and the permission.java.io.FilePermission
statements so that the directories point to the location of your third party or user-written code.
This procedure creates a security policy for your code that contains exactly the same permissions as those for WebLogic Server. You should examine these permissions closely to make sure that this is the security policy you want for those directories.
Caution: JavaSoft JDK version 1.2.1 on UNIX systems applies security policies improperly if your WebLogic Server software is not installed in the root directory of the file system or disk drive. Policy is only applied correct if the path in a grant codeBase
URL has just one component. For example, if you install WebLogic Server in c:\test\weblogic
(or even /home/weblogic
on Solaris), you will see AccessControlException
even though you use the correct URL in your security policy file.
To workaround this limitation, you can either install WebLogic in the root directory (recommended) or modify the URL so that it contains only the first component of the path to your WebLogic installation. For example:
grant codeBase "file:/c:/test/" {
Problems occur when using the "/-
" in the specified URL. This problem has been acknowledged by Sun Microsystems as bug #4261298, but they have determined that this is not a bug in the JDK. They state, "when a path is trailed with "/-
" it means that the element preceding it is a directory and that grant functions for all elements below it. It does not mean that you can read the directory itself." The workaround for this nuance is to add an additional FilePermission
entry that consists of just the directory itself (with no trailing "/-
').
Using the Recording Security Manager Utility
The Recording Security Manager utility can be used to detect permission problems that occur when starting and running WebLogic Server. The utility outputs permissions that can be added to your security policy file to resolve the permission problems that the utility finds. The Recording Security Manager is available at the BEA Developer's Center.
Configuring Security Context Propagation
Security context propagation enables Java applications running in a WebLogic Server environment to access objects and operations in BEA Tuxedo domains. The BEA WebLogic Enterprise Connectivity component of WebLogic Server provides the security context propagation capability.
With security context propagation, the security identity of a User defined in a WebLogic Server security realm is propagated as part of the service context of an Internet Inter-ORB Protocol (IIOP) request sent to the BEA Tuxedo domain over a network connection that is part of a WLEC connection pool. Each network connection in the WLEC connection pool has been authenticated using a defined User identity.
To use security context propagation, create a WLEC connection pool for each BEA Tuxedo domain you want to access from WebLogic Server. WebLogic Server populates each WLEC connection pool with IIOP connections. Java applications in a WebLogic Server environment obtain IIOP connections from a WLEC connection pool and use those connections to call objects and invoke operations in BEA Tuxedo domains.
Before using security context propagation, add TUXDIR
/lib/wleorb.jar
and TUXDIR
/lib/wlepool.jar
to the CLASSPATH
variable in the startAdminWebLogic.sh
or startAdminWebLogic.cmd
file.
For more information, see Using WebLogic Enterprise Connectivity..
To implement security context propagation:
tpusradd
command to define the WebLogic Server User as an authorized User in the WebLogic Enterprise domain.
-E
option of the ISL
command to configure the IIOP Listener/Handler to detect and utilize the propagated security context from the WebLogic Server realm. The -E
option of the ISL
command requires you to specify a principal name. The principal name defines the principal used by the WLEC connection pool to log in to the WebLogic Enterprise domain. The principal name should match the name defined in the User Name attribute when creating a WLEC connection pool.
Using certificate authentication between the WebLogic Server environment and the BEA Tuxedo environment implies performing a new SSL handshake when establishing a connection from the WebLogic Server environment to a BEA Tuxedo CORBA object. To support multiple client requests over the same SSL network connection, you must set up certificate authentication so that it operates as follows:
TUXDIR/udataobj/security/keys
directory of BEA Tuxedo.
UBBCONFIG
file for the BEA Tuxedo CORBA application, use the tpusradd
command to define the WebLogic Server User as a BEA Tuxedo user.
UBBCONFIG
file with the -E
option to indicate the WebLogic Server User is to be used for authentication.
SEC_PRINCIPAL_NAME
option of the ISL command and use the -S
option to indicate that a secure port should be used for communication between the BEA Tuxedo domain and the WebLogic Server security realm.
For more information about the UBBCONFIG
file, see Creating a Configuration File in the BEA Tuxedo documentation.
For more information about the corbalocs
prefix, see Understanding the Address Formats of the Bootstrap Object in the BEA Tuxedo documentation.
For information about BEA Tuxedo security levels, see Defining a Security Level in the BEA Tuxedo documentation.
SSL Certificate Validation
In previous releases, WebLogic Server did not ensure each certificate in a certificate chain was issued by a certificate authority. This problem meant anyone could get a personal certificate from a trusted CA, use that certificate to issue other certificates and WebLogic Server would not detect the invalid certificates. A patch (CR090101_610sp4
) was made so that all X509 V3 CA certificates used with WebLogic Server must have the Basic Constraint extension defined as CA thus ensuring all certificates in a certificate chain were issued by a certificate authority. By default, any CA certificates not meeting this criteria are rejected. This section provides installation instructions for the patch and describes the command-line argument that controls the level of certificate validation.
Installation Instructions
To install patch CR090101_610sp4
:
%WL_HOME%\common\nodemanager\config\democert.pem
%WL_HOME%\common\nodemanager\config\demokey.pem
%WL_HOME%\samples\server\config\examples\demo.crt
%WL_HOME%\samples\server\config\examples\democert.pem
%WL_HOME%\samples\server\config\examples\demokey.pem
%WL_HOME%\samples\server\examples\trusted.crt
%WL_HOME%\samples\server\config\petstore\demo.crt
%WL_HOME%\samples\server\config\petstore\democert.pem
%WL_HOME%\samples\server\config\petstore\demokey.pem
%WL_HOME%\samples\server\config\petstore\trusted.crt
%WL_HOME%\server\lib\cacerts
%WL_HOME%\server\lib\demo.crt
%WL_HOME%\server\lib\trusted.crt
Generally these files have not be modified. However, if you modified these files you will need to decide how to proceed with installing the updated certificates, private keys, and keystores from the patch. For example, you may decide to only select and install the service pack JAR files from the patch.
WL_HOME
and retaining the directory structure in the zip file.
The following files are added to the WebLogic Server installation:
%WL_HOME%\server\lib\CR090101_610sp4_.jar
The following files in the WebLogic Server installation are modified:
%WL_HOME%\common\nodemanager\config\democert.pem
%WL_HOME%\common\nodemanager\config\demokey.pem
%WL_HOME%\samples\server\config\examples\demo.crt
%WL_HOME%\samples\server\config\examples\democert.pem
%WL_HOME%\samples\server\config\examples\demokey.pem
%WL_HOME%\samples\server\examples\trusted.crt
%WL_HOME%\samples\server\config\petstore\demo.crt
%WL_HOME%\samples\server\config\petstore\democert.pem
%WL_HOME%\samples\server\config\petstore\demokey.pem
%WL_HOME%\samples\server\config\petstore\trusted.crt
%WL_HOME%\server\lib\cacerts
%WL_HOME%\server\lib\demo.crt
%WL_HOME%\server\lib\trusted.crt
To avoid name conflicts, the new demo CA certificates have Subject DNs that differ from existing demo CA certificates. The modified Subject DN also makes it easier to differentiate between old and new certificate chains. New demo and demo1024 CA certificates have Constraints
in the Common Name of their Subject DN.
If you only have the end entity certificate, you can also tell whether it is old or new by looking at the Issuer DN.
%WL_HOME%\server\bin\setWLSEnv.cmd
%WL_HOME%\server\bin\startWLS.cmd
%WL_HOME%\server\bin\startNodeManager.cmd
Add the following to the CLASSPATH before the we
blogic_sp.jar:
%WL_HOME%\server\lib\CR090101_610sp4_webservice.jar;
%WL_HOME%\server\lib\CR090101_610sp4_.jar;
$WL_HOME/server/bin/setWLSEnv.sh
$WL_HOME/server/bin/startWLS.sh
$WL_HOME/server/bin/startNodeManager.sh
Add the following to the CLASSPATH before the weblogic_sp.jar :
$WL_HOME/server/lib/CR090101_610sp4_webservice.jar;
$WL_HOME/lib/CR090101_610sp4.jar;
Older unpatched applications will not trust the new demo CA certificates that are installed by this patch. For example, a client that is still trusting the old demo CA certificate, will reject a server that has a new demo certificate chain. Resolve this problem by updating the client's trusted CA list to include the new demo CA supplied by this patch.
Controlling the Level of Certificate Validation
By default WebLogic Server will reject any certificates in a certificate chain that do not have the Basic Constraint extension defined as CA. However, you may be using certificates that do not meet this requirement or you may want to increase the level of security to conform to the IETF RFC 2459 standard. Use the following command-line argument to control the level of certificate validation performed by WebLogic Server:
-Dweblogic.security.SSL.enforceConstraints
Table 14-23 describes the options for the command-line argument.
Table 14-23 Options for -Dweblogic.security.SSL.enforceConstraints
Checking Certificate Chains
WebLogic Server provides a ValidateCertChain command-line utility to check whether or not an existing certificate chain will be rejected by WebLogic Server. The utility uses certificate chains from PEM files, PKCS-12 files, PKCS-12 keystores, and JDK keystores. A complete certificate chain must be used with the utility. The following is the syntax for the ValidateCertChain command-line utility:
java utils.ValidateCertChain -file pemcertificatefilename java utils.ValidateCertChain -pem pemcertificatefilename java utils.ValidateCertChain -pkcs12store pkcs12storefilename java utils.ValidateCertChain -pkcs12file pkcs12filename password java utils.ValidateCertChain -jks alias storefilename [storePass]
Example of valid certificate chain:
java utils.ValidateCertChain -pem zippychain.pem Cert[0]: CN=zippy,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US Cert[1]: CN=CertGenCAB,OU=FOR TESTING ONLY,O=MyOrganization,L=MyTown,ST=MyState,C=US
Certificate chain appears valid
Example of invalid certificate chain:
java utils.ValidateCertChain -jks mykey mykeystore Cert[0]: CN=corba1,OU=FOR TESTING ONLY, O=MyOrganization,L=MyTown,ST=MyState,C=US
CA cert not marked with critical BasicConstraint indicating it is a CA Cert[1]: CN=CACERT,OU=FOR TESTING ONLY, O=MyOrganization,L=MyTown,ST=MyState,C=US Certificate chain is invalid
Troubleshooting Problems with Certificates
If SSL communications were working before the patch but are failing after installing the patch, the problem is mostly likely because the certificate chain used by WebLogic Server is failing the validation.
Determine where the certificate chain is being rejected, and decide whether to update the certificate chain with one that will be accepted or change the setting of the -Dweblogic.security.SSL.enforceConstraints command-line argument.
To troubleshoot problems with certificates, use one of the following methods:
-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true
The following message indicates the SSL failure is due to problems in the certificate chain:
<CA certificate rejected. The basic constraints for a CA certificate were not marked for being a CA, or were not marked as critical>
When using one-way SSL, look for this error in the client log. When using two-way SSL, look for this error in the client and server logs.
|
Copyright © 2001 BEA Systems, Inc. All rights reserved.
|