ALES Integration Guide

Securing Administrative Access to WebLogic Servers

In order to secure application resources on a WebLogic Server, ALES must also secure administrative access to the WebLogic Server itself. This chapter describes the SSM configuration and ALES policies needed to do this. It contains the following sections:

Overview

This chapter describes how to integrate ALES with WebLogic Server and define a policy for secure administrative access to the server and the WebLogic console.

Prerequisites

This chapter assumes the following:

Integration Tasks

The major tasks to perform are:

  1. Define the security providers.
  2. Define the WebLogic administrative user in ALES as described in Define the Administrative User in ALES.
  3. Define the WebLogic Server resources as described in Define the WebLogic Server Resources in ALES.
  4. Define the administrative policy as described in Define the Administrative Policies.
  5. Distribute the configuration and policy to the SSM.

Define Security Providers for WebLogic 8.1

This section provides information about the recommended security providers for securing administrative access to WebLogic 8.1. For step-by-step instructions using the ALES administration console, see the console’s help system.

Table 3-1 Portal Security Configuration

  Security Provider                 Configuration Settings
  ASI Adjudication Provider         Clear the Require Unanimous Permit checkbox.
  Log4j Auditor                     Use the default settings.
  Database Authentication           Set the Control Flag to SUFFICIENT.
                                    On the Details tab, set Identity scope to myusers.
                                    For other settings, use the defaults.
  WebLogic Authentication           Define this provider only after defining the Database Authenticator.
                                    Set the Control Flag to SUFFICIENT.
                                    Note: The WebLogic Authentication provider can be replaced with another
                                    authentication provider that supports write access to users and groups.
  ASI Authorization                 On the General tab, accept the default settings.
                                    On the Details tab, set the Identity Scope to myusers and the
                                    Application Deployment Parent to //app/policy/myrealm.
                                    On the Bindings tab, bind to //app/policy/myrealm.
  WebLogic Authorization Provider   Clear the Policy Deployment Enabled checkbox.
  WebLogic Credential Mapper        Clear the Credential Mapping Deployment Enabled checkbox.
  ASI Role Mapping Provider         On the General tab, accept the default settings.
                                    On the Details tab, set the Identity Scope to myusers.
  WebLogic Role Mapper Provider     Clear the Role Deployment Enabled checkbox.

Define Security Providers for WebLogic 9.x/10.0

Defining the security providers for securing administrative access to WebLogic Server 9.2/10.0 involves tasks in both the WebLogic and the ALES consoles.

The ALES security providers plugin is required to manage ALES security providers from within the WebLogic administration console. For instructions, see the next section.

ALES Security Providers Extension

To install the plugin:

  1. Make a copy of ales_security_provider_ext.jar, located in BEA_HOME/ales30-ssm/wls9-ssm/lib.
  2. Move the file to BEA_HOME/WLS_HOME/domains/<domain_name>/console-ext, where <domain_name> is the domain name.

Using the WebLogic Console

This section describes how to define the security providers using the WebLogic console. At a minimum, an ASI Authorizer, an ASI Role Mapper, and a Log4J Auditor provider are needed.

Notes:

To define ALES security providers using the WebLogic Server 9.x/10.0 administration console:

  1. Make a backup copy of the config.xml file in the domain directory.
  2. Start the WebLogic Server instance and log into the administration console. The default URL for the console is http://localhost:7001/console.
  4. In the Change Center, click Lock & Edit in the upper left part of the page.
  5. In the left pane under Domain Structure, select Security Realms.
  6. On the Summary of Security Realms page, click New and create a security realm using the same name as the configuration ID used by the WLS SSM instance. For the purposes of this procedure, the security realm name is mywls9ssm.
  7. On the Summary of Security Realms page, select the mywls9ssm security realm.
  8. On the Configuration: General page, set Security Model Default to Advanced and clear the Combined Role Mapping Enabled checkbox. Then click Save.
  9. If Check Role and Policies is not visible, click Advanced and set Check Role and Policies to All Web applications and EJBs. Then click Save.
  10. Select the Providers tab and define the following providers:

      Provider Type               Settings
      ASI Database Authenticator  Provide a name and set the type as Database Authenticator.
                                  On the Configuration: Common page, set Control Flag to REQUIRED.
                                  On the Configuration: Provider Specific page, set the database login,
                                  password, JDBC driver class name and JDBC Connection URL.
      ASI Authorization           Provide a name and set the type as ASIAuthorizationProvider.
                                  On the Configuration: Provider Specific page, set Identity Directory
                                  and Application Deployment Parent.
      ASI Role Mapper             Provide a name and set the type as ASIRoleMapperProvider.
                                  On the Configuration: Provider Specific page, set the Identity Directory
                                  and Application Deployment Parent.
      Log4j Auditing              Provide a name and set the type as Log4jAuditor.
                                  This provider is required in order to support logging for ALES providers.
      ASI Adjudicator             (If using multiple ASI Authorizers)
                                  Provide a name and set the type as ASIAdjudicator.
                                  On the Configuration: Provider Specific page, clear Require Unanimous Permit.
                                  Note: Because WLS and ASI adjudicators may return different results, the
                                  ASI Adjudicator is recommended in order to obtain appropriate adjudication
                                  results. For example, if unanimous permit is false and multiple authorization
                                  providers return abstain, the ASI Adjudicator returns false (denying access),
                                  while the WLS Adjudicator returns true (allowing access).
      Credential Mapping          Provide a name and set the type as DefaultCredentialMapper.
      Certification Path          Set the type as WebLogicCertPathProvider and use it to replace the existing builder.
      XACML Authorizer            When securing WebLogic Portal, define a XACML Authorizer and make sure it is
                                  the first authorization provider in the list.
      XACML Role Mapper           (For WebLogic Portal)
                                  When securing WebLogic Portal, define a XACML Role Mapper and make sure it is
                                  the first role mapping provider in the list.

  11. Return to the console’s left pane and select the domain.
  12. On the Settings page, expand Security > General, select mywls9ssm as the default security realm and click Save.
  13. Click Activate Changes.
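The difference described in the adjudication note above, as an added example that is not ALES or WebLogic code: both adjudication rules are modelled in Python from the page's description (Require Unanimous Permit cleared), which shows why an all-abstain vote is fail-open under the WLS rule and fail-closed under the ASI rule.

```python
# Models of the two adjudication rules described on this page. Added example;
# the behaviour is taken from the page's note, not from the product's source.
PERMIT, DENY, ABSTAIN = "PERMIT", "DENY", "ABSTAIN"


def wls_adjudicate(results, require_unanimous_permit=False):
    """WLS Adjudicator as described on the page: any DENY loses; with unanimous
    permit off, a vote made up only of abstentions still permits (fail-open)."""
    if DENY in results:
        return False
    if require_unanimous_permit:
        return all(r == PERMIT for r in results)
    return True  # no DENY, so access is allowed even if nobody voted PERMIT


def asi_adjudicate(results, require_unanimous_permit=False):
    """ASI Adjudicator as described on the page: any DENY loses, and at least
    one explicit PERMIT is required; all-abstain is treated as a denial."""
    if DENY in results:
        return False
    if require_unanimous_permit:
        return all(r == PERMIT for r in results)
    return PERMIT in results  # fail-closed when no provider decided


def compare(results, require_unanimous_permit=False):
    """Run both adjudicators over the same provider results."""
    return {
        "wls": wls_adjudicate(results, require_unanimous_permit),
        "asi": asi_adjudicate(results, require_unanimous_permit),
    }


if __name__ == "__main__":
    # Constructed provider votes: two authorizers, both abstain.
    print(compare([ABSTAIN, ABSTAIN]))
```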

Using the ALES Console

After defining the providers in the WebLogic console, perform the following steps in the ALES console:

  1. Log into the ALES Administration Console. The default URL for the console is https://<host_name>:7010/asi.
  2. Create an Identity directory using the same name specified in the WebLogic console.
  3. Create an SSM configuration using the same name as the WebLogic Server security realm and define the following providers in this configuration:

     Provider Type      Settings
     ASI Authorizer     Set the Identity Directory to the directory created in step 1.
                        Set the Application Deployment Parent to //app/policy/<directory>, where <directory> is the directory name.
     ASI Role Mapper    Set the Identity Directory to the directory created in step 1.
                        Set the Application Deployment Parent to //app/policy/<directory>, where <directory> is the directory name.

Define the Administrative User in ALES

The WebLogic administrative user must be defined in ALES in order to start the WebLogic Server instance. To create this user:

  1. Launch the ALES Administration Console.
  2. In the left pane, select the Identity node and click New at the bottom of the right pane.
  3. On the Create Directory dialog, enter alesusers as the name and click OK.
  4. Under this directory, create a user with the same name and password as the WebLogic administrative user. For example, if you are using the WebLogic defaults, you would use weblogic for both the username and password.

     Note: The same username and password must be specified in the WebLogic domain’s boot.properties file.

Define the WebLogic Server Resources in ALES

WebLogic Server components must be defined in ALES as ALES resources. To create these resources using the ALES Administration Console:

  1. In the left pane, select the Resources node and click New at the bottom of the right pane.
  2. In the Name box, type wlsserver, select binding from the Type dropdown list and click OK.

     Note: This resource will serve as the parent resource for WebLogic Server components.

  3. Select wlsserver and click Configure. Then select the Distribution Point checkbox and click OK.
  4. Select wlsserver and click New. Then enter shared in the Name box and click OK.
  5. Select shared and click Configure. Then select the Allow Virtual Resources checkbox and click OK.
  6. Select shared and click New. Then enter svr in the Name box and click OK.
  7. Select wlsserver and create the following resource tree under it. These resources are necessary for logging into the WebLogic console.


  8. Return to the left pane, expand the SSM configuration containing the defined security providers and select the ASIAuthorizer. Then open the Bindings tab in the right pane.
  9. Select //app/policy/wlsserver from the dropdown list and click Bind.

Define the Administrative Policies

A number of Authorization and Role Mapping policies must be defined to give the administrative user the necessary rights to start and manage the WebLogic Server instance. After defining these policies, distribute them to the WLS 8.1 SSM.

Authorization Policies

This policy grants the Admin role access to the svr resource:

grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;

To create this policy:

  1. Expand the Policy node in the left pane and click Authorization Policies.
  2. On the Authorization Policies page, click New.
  3. On the Create Authorization Policy dialog, select the Privileges tab. Then select the any privilege and click Add.
  4. On the Resources tab, expand the wlsserver and shared nodes in the Child Resources list box, select svr, and then click Add.
  5. On the Policy Subjects tab, select Admin from the Roles List list box and click Add.
  6. To define access to the WebLogic console, repeat these steps to create the following policies:

     grant(any, //app/policy/wlsserver/console, //role/Admin) if true;
     grant(//priv/GET, //app/policy/wlsserver/console/url/console/login/bea_logo.gif, //sgrp/alesusers/allusers/) if true;

Role Mapping Policies

This policy assigns the weblogic user to the Admin role.

grant(//role/Admin, //app/policy/wlsserver, //user/alesusers/weblogic/) if true;

Note: When creating this policy, replace weblogic with the actual user name.

To create this policy:

  1. Expand the Policy node in the left pane and click Role Mapping Policies.
  2. On the Role Mapping Policies page, click New.
  3. On the Create Role Mapping Policy dialog, select the Roles tab. Then select Admin from the Available Roles list and click Add.
  4. On the Resources tab, select wlsserver in the Child Resources list and click Add.
  5. On the Policy Subjects tab, select Users from the Select Policy Subjects From dropdown field and change the directory to alesusers. Then select weblogic from the list and click Add.
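The authorization and role mapping policies above, evaluated together by a small policy checker written for this page (an added example, not ALES code). It assumes that a policy on a resource node applies to the subtree beneath it, that the requesting user's group memberships (such as alesusers/allusers) are supplied explicitly, and that a requested privilege is written in the //priv/ form used by the GET policy.

```python
import re

# Constructed policy set: the grant statements from this chapter, verbatim.
# Added example, not ALES code. Form: grant(<privilege or role>, <resource>, <subject>) if true;
POLICIES = """
grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;
grant(any, //app/policy/wlsserver/console, //role/Admin) if true;
grant(//priv/GET, //app/policy/wlsserver/console/url/console/login/bea_logo.gif, //sgrp/alesusers/allusers/) if true;
grant(//role/Admin, //app/policy/wlsserver, //user/alesusers/weblogic/) if true;
"""

GRANT = re.compile(r"grant\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*if\s+true\s*;")


def parse(text):
    """Return (grant, resource, subject) triples with trailing slashes normalised away."""
    return [(g, r.rstrip("/"), s.rstrip("/")) for g, r, s in GRANT.findall(text)]


def covers(policy_resource, requested):
    # Assumption: a policy on a node applies to that node and its whole subtree.
    return requested == policy_resource or requested.startswith(policy_resource + "/")


def roles_for(user, groups, resource, policies):
    """Role mapping: roles granted to the user or one of its groups on this resource."""
    subjects = {user, *groups}
    return {g for g, r, s in policies
            if g.startswith("//role/") and s in subjects and covers(r, resource)}


def is_authorized(user, groups, priv, resource, policies):
    """Authorization: some grant whose subject is the user, one of its groups or one
    of its mapped roles, whose privilege is 'any' or exactly the requested one, and
    whose resource covers the requested one. Anything else is denied."""
    subjects = {user, *groups} | roles_for(user, groups, resource, policies)
    return any((g == "any" or g == priv) and s in subjects and covers(r, resource)
               for g, r, s in policies if not g.startswith("//role/"))
```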

Distribute the Policies

To distribute information to the SSM:

  1. To make sure the providers are bound to the WebLogic Server resources, expand the SSM configuration in the left pane and select the ASIAuthorizationProvider. Then open the Bindings tab, select //app/policy/wlsserver from the dropdown field and click Bind.
  2. Select Deployment in the left pane. Then use the Policy and Configuration tabs to distribute the policy and configuration information to the SSM.
