Integration Guide


Securing WebLogic Servers

In addition to providing links to other documents containing information about securing applications on WebLogic Servers, this chapter describes how to secure administrative access to WebLogic servers, how to run WebLogic Server as a service, and how to set up the WLS SSM to secure a WebLogic Server cluster.



Securing WebLogic Server Applications

General instructions for securing applications hosted on WebLogic servers can be found in the following documents:



Securing Administrative Access to WebLogic Server

This chapter describes how to integrate OES with WebLogic Server and define a policy to secure administrative access to the server and the WebLogic console.

Prerequisites

This chapter assumes the following:

Integration Tasks

The major tasks to perform are:

  1. Define the security providers.
  2. Define the WebLogic administrative user in OES as described in WebLogic Administrative User.
  3. Define the WebLogic Server resources as described in WebLogic Server Resources.
  4. Define the administrative policy as described in Policies.
  5. Distribute the configuration and policy to the SSM.

WebLogic 8.1 Security Providers

This section provides information about the recommended security providers for securing administrative access to WebLogic 8.1. For step-by-step instructions using the Administration Console, see the console’s help system.

Table 3-1 Portal Security Configuration

  Security Provider              Configuration Settings

  ASI Adjudication Provider      Clear the Require Unanimous Permit checkbox.

  Log4j Auditor                  Use the default settings.

  Database Authentication        Set the Control Flag to SUFFICIENT.
                                 On the Details tab, set Identity scope to myusers.
                                 For other settings, use the defaults.

  WebLogic Authentication        Define this provider only after defining the Database Authenticator.
                                 Set the Control Flag to SUFFICIENT.
                                 Note: The WebLogic Authentication provider can be replaced with another
                                 authentication provider that supports write access to users and groups.

  ASI Authorization              On the General tab, accept the default settings.
                                 On the Details tab, set the Identity Scope to myusers and the
                                 Application Deployment Parent to //app/policy/myrealm.
                                 On the Bindings tab, bind to //app/policy/myrealm.

  WebLogic Authorization         Clear the Policy Deployment Enabled checkbox.
  Provider

  WebLogic Credential Mapper     Clear the Credential Mapping Deployment Enabled checkbox.

  ASI Role Mapping Provider      On the General tab, accept the default settings.
                                 On the Details tab, set the Identity Scope to myusers.

  WebLogic Role Mapper           Clear the Role Deployment Enabled checkbox.
  Provider

WebLogic 9.x/10.0 Security Providers

Defining the security providers for securing administrative access to WebLogic Server 9.2/10.0 involves tasks in both the WebLogic and the OES consoles.

The security providers plugin is required to manage OES security providers from within the WebLogic administration console. For instructions, see the next section.

Security Providers Extension

To install the plugin:

  1. Make a copy of ales_security_provider_ext.jar, located in the following directory: BEA_HOME/ales32-ssm/wls-ssm/lib
  2. Move the copy to BEA_HOME/WLS_HOME/domains/<domain_name>/console-ext, where <domain_name> is the domain name.

Using the WebLogic Console

This section describes how to define the security providers using the WebLogic console. At a minimum, an ASI Authorizer, an ASI Role Mapper, and a Log4J Auditor provider are needed.

Notes:

To define OES security providers using the WebLogic Server 9.x/10.x administration console:

  1. Make a backup copy of the config.xml file in the domain directory.
  2. Start the WebLogic Server instance and log into the administration console. The default URL for the console is http://localhost:7001/console.
  3. In the Change Center, click Lock & Edit in the upper left part of the page.
  4. In the left pane under Domain Structure, select Security Realms.
  5. On the Summary of Security Realms page, click New and create a security realm using the same name as the configuration ID used by the WLS SSM instance. For the purposes of this procedure, the security realm name is mywls9ssm.
  6. On the Summary of Security Realms page, select the mywls9ssm security realm.
  7. On the Configuration: General page, set Security Model Default to Advanced and clear the Combined Role Mapping Enabled checkbox. Then click Save.
  8. If Check Role and Policies is not visible, click Advanced and set Check Role and Policies to All Web applications and EJBs. Then click Save.
  9. Select the Providers tab and define the following providers:

     Provider Type                Settings

     ASI Database Authenticator   Provide a name and set the type as Database Authenticator.
                                  On the Configuration: Common page, set Control Flag to REQUIRED.
                                  On the Configuration: Provider Specific page, set the database login,
                                  password, JDBC driver class name and JDBC Connection URL.

     ASI Authorization            Provide a name and set the type as ASIAuthorizationProvider.
                                  On the Configuration: Provider Specific page, set Identity Directory
                                  and Application Deployment Parent.

     ASI Role Mapper              Provide a name and set the type as ASIRoleMapperProvider.
                                  On the Configuration: Provider Specific page, set the Identity Directory
                                  and Application Deployment Parent.

     Log4j Auditing               Provide a name and set the type as Log4jAuditor.
                                  This provider is required in order to support logging for OES providers.

     ASI Adjudicator              Provide a name and set the type as ASIAdjudicator.
     (If using multiple           On the Configuration: Provider Specific page, clear Require Unanimous Permit.
     ASI Authorizers)
                                  Note: Because WLS and ASI adjudicators may return different results, the
                                  ASI Adjudicator is recommended in order to obtain appropriate adjudication
                                  results. For example, if unanimous permit is false and multiple
                                  authorization providers return abstain, the ASI Adjudicator returns false
                                  (denying access), while the WLS Adjudicator returns true (allowing access).

     Credential Mapping           Provide a name and set the type as DefaultCredentialMapper.

     Certification Path           Set the type as WebLogicCertPathProvider and use it to replace the
                                  existing builder.

     XACML Authorizer             When securing WebLogic Portal, define a XACML Authorizer and make sure it
     (For WebLogic Portal)        is the first authorization provider in the list.

     XACML Role Mapper            When securing WebLogic Portal, define a XACML Role Mapper and make sure it
     (For WebLogic Portal)        is the first role mapping provider in the list.

  10. Return to the console’s left pane and select the domain.
  11. On the Settings page, expand Security > General, select mywls9ssm as the default security realm and click Save.
  12. Click Activate Changes.
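The all-abstain case described in the note on the ASI Adjudicator is easiest to see by running the two combining rules side by side. The following is an added example, not code from this guide or from the OES product: it models an adjudicator that combines the votes of several authorization providers. The Vote type, the compare() helper and the exact voting rules attributed to the ASI and WebLogic adjudicators are this example's own assumptions, chosen to reproduce the behaviour the note describes.

```python
"""Added example (not from the Oracle/BEA guide): models how an adjudicator
combines the votes of several authorization providers, so the all-abstain
case with Require Unanimous Permit cleared can be seen concretely.
The voting rules below are this example's assumptions, not OES code."""
from enum import Enum


class Vote(Enum):
    PERMIT = "permit"
    DENY = "deny"
    ABSTAIN = "abstain"


def asi_adjudicate(votes, require_unanimous_permit):
    """Assumed ASI Adjudicator rule: a DENY always wins, and access is granted
    only if at least one provider actually voted PERMIT (every provider, when
    unanimous permit is required).  All-abstain therefore denies."""
    if not votes or Vote.DENY in votes:
        return False
    if require_unanimous_permit:
        return all(v is Vote.PERMIT for v in votes)
    return any(v is Vote.PERMIT for v in votes)


def wls_adjudicate(votes, require_unanimous_permit):
    """Assumed WebLogic DefaultAdjudicator rule: with unanimous permit required,
    every provider must PERMIT; with it cleared, access is granted as long as
    nobody voted DENY -- so all-abstain permits, which is the case the guide's
    note warns about."""
    if not votes:
        return False
    if require_unanimous_permit:
        return all(v is Vote.PERMIT for v in votes)
    return Vote.DENY not in votes


def compare(votes, require_unanimous_permit=False):
    """Decisions of both adjudicators for the same set of provider votes."""
    return {
        "asi": asi_adjudicate(votes, require_unanimous_permit),
        "wls": wls_adjudicate(votes, require_unanimous_permit),
    }


if __name__ == "__main__":
    # Constructed vote sets for illustration.
    print("all abstain:", compare([Vote.ABSTAIN, Vote.ABSTAIN]))
    print("permit + abstain:", compare([Vote.PERMIT, Vote.ABSTAIN]))
    print("permit + abstain, unanimous:", compare([Vote.PERMIT, Vote.ABSTAIN], True))
    print("permit + deny:", compare([Vote.PERMIT, Vote.DENY]))
```

With two abstaining providers the model returns asi=False and wls=True, which is the divergence that makes the ASI Adjudicator the safer choice when more than one ASI Authorizer is configured.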

Using the OES Administration Console

After defining the providers in the WebLogic console, perform the following steps in the OES console:

  1. Log into the Administration Console. The default URL for the console is https://<host_name>:7010/asi.
  2. Create an Identity directory using the same name specified in the WebLogic console.
  3. Create an SSM configuration using the same name as the WebLogic Server security realm and define the following providers in this configuration:

     Provider Type      Settings

     ASI Authorizer     Set the Identity Directory to the directory created in step 2.
                        Set the Application Deployment Parent to //app/policy/wlsserver.

     ASI Role Mapper    Set the Identity Directory to the directory created in step 2.
                        Set the Application Deployment Parent to //app/policy/wlsserver.

WebLogic Administrative User

The WebLogic administrative user must be defined in OES in order to start the WebLogic Server instance. To create this user:

  1. Launch the Administration Console.
  2. In the left pane, select the Identity node and click New at the bottom of the right pane.
  3. On the Create Directory dialog, enter alesusers as the name and click OK.
  4. Under this directory, create a user with the same name and password as the WebLogic administrative user. For example, if you are using the WebLogic defaults, you would use weblogic for both the username and password.

     Note: The same username and password must be specified in the WebLogic domain’s boot.properties file.

WebLogic Server Resources

WebLogic Server components must be defined in OES as resources. To create these resources using the Administration Console:

  1. In the left pane, select the Resources node and click New at the bottom of the right pane.
  2. In the Name box, type wlsserver, select binding from the Type dropdown list and click OK.

     Note: This resource will serve as the parent resource for WebLogic Server components.

  3. Select wlsserver and click Configure. Then select the Distribution Point checkbox and click OK.
  4. Select wlsserver and click New. Then enter shared in the Name box and click OK.
  5. Select shared and click Configure. Then select the Allow Virtual Resources checkbox and click OK.
  6. Select shared and click New. Then enter svr in the Name box and click OK.
  7. Select wlsserver and create the following resource tree under it. These resources are necessary for logging into the WebLogic console.

  8. Return to the left pane, expand the SSM configuration containing the defined security providers and select the ASIAuthorizer. Then open the Bindings tab in the right pane.
  9. Select //app/policy/wlsserver from the dropdown list and click Bind.

Policies

A number of Authorization and Role Mapping policies must be defined to give the administrative user the necessary rights to start and manage the WebLogic Server instance. After defining these policies, distribute them to the WLS 8.1 SSM.

Authorization Policies

This policy grants the Admin role access to the svr resource:

grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;

To create this policy:

  1. Expand the Policy node in the left pane and click Authorization Policies.
  2. On the Authorization Policies page, click New.
  3. On the Create Authorization Policy dialog, select the Privileges tab. Then select the any privilege and click Add.
  4. On the Resources tab, expand the wlsserver and shared nodes in the Child Resources list box, select svr, and then click Add.
  5. On the Policy Subjects tab, select Admin from the Roles List list box and click Add.
  6. To define access to the WebLogic console, repeat these steps to create the following policies:

     grant(any, //app/policy/wlsserver/console, //role/Admin) if true;
     grant(//priv/GET, //app/policy/wlsserver/console/url/console/login/bea_logo.gif, //sgrp/alesusers/allusers/) if true;

Role Mapping Policies

This policy assigns the weblogic user to the Admin role:

grant(//role/Admin, //app/policy/wlsserver, //user/alesusers/weblogic/) if true;

Note: When creating this policy, replace weblogic with the actual user name.

To create this policy:

  1. Expand the Policy node in the left pane and click Role Mapping Policies.
  2. On the Role Mapping Policies page, click New.
  3. On the Create Role Mapping Policy dialog, select the Roles tab. Then select Admin from the Available Roles list and click Add.
  4. On the Resources tab, select wlsserver in the Child Resources list and click Add.
  5. On the Policy Subjects tab, select Users from the Select Policy Subjects From dropdown field and change the directory to alesusers. Then select weblogic from the list and click Add.
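The grant statements in the Authorization Policies and Role Mapping Policies sections above can be read as input to a small evaluator, which makes the interplay between the two policy types visible. The following is an added example, not code from this guide or from OES: it parses the statements quoted above, derives the roles a user holds on a resource from the role mapping policy, and then checks the authorization policies for a requested privilege. The rule that a policy on a resource also covers its child resources, the treatment of the any privilege as matching every privilege, the default-deny when no grant matches, and the GROUPS membership table (with a constructed guest user) are assumptions of this example, not statements of OES semantics.

```python
"""Added example (not code from the Oracle/BEA guide): a miniature evaluator
for the  grant(privilege, resource, subject) if true;  statements quoted in
this section.  It is a teaching model of how role mapping and authorization
policies combine, not the OES engine; the inheritance rule, the meaning of
"any", default deny and the group table are this example's assumptions."""
import re

GRANT_RE = re.compile(
    r"grant\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*if\s+true\s*;"
)

# The policies from the guide, verbatim.
POLICY_TEXT = """
grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;
grant(any, //app/policy/wlsserver/console, //role/Admin) if true;
grant(//priv/GET, //app/policy/wlsserver/console/url/console/login/bea_logo.gif, //sgrp/alesusers/allusers/) if true;
grant(//role/Admin, //app/policy/wlsserver, //user/alesusers/weblogic/) if true;
"""

# Constructed group membership (assumption: allusers holds every directory user;
# the guest user is invented for the example).
GROUPS = {
    "//sgrp/alesusers/allusers": {"//user/alesusers/weblogic", "//user/alesusers/guest"},
}


def parse_policies(text):
    """Split the grant statements into (role_mapping, authorization) lists of
    (privilege-or-role, resource, subject) tuples; trailing slashes are dropped."""
    role_mapping, authorization = [], []
    for first, resource, subject in GRANT_RE.findall(text):
        entry = (first.rstrip("/"), resource.rstrip("/"), subject.rstrip("/"))
        (role_mapping if first.startswith("//role/") else authorization).append(entry)
    return role_mapping, authorization


def covers(policy_resource, requested):
    """Assumed inheritance: a policy on a resource applies to it and its subtree."""
    return requested == policy_resource or requested.startswith(policy_resource + "/")


def subject_matches(subject, user, roles):
    """A policy subject matches the user directly, via group membership, or via a held role."""
    if subject.startswith("//user/"):
        return subject == user
    if subject.startswith("//sgrp/"):
        return user in GROUPS.get(subject, set())
    if subject.startswith("//role/"):
        return subject in roles
    return False


def roles_for(user, resource, role_mapping):
    """Roles granted to the user on this resource (or an ancestor) by role mapping policies."""
    return {role for role, res, subj in role_mapping
            if covers(res, resource) and subject_matches(subj, user, set())}


def is_permitted(user, privilege, resource, policies):
    """True if some authorization policy grants the privilege; otherwise deny."""
    role_mapping, authorization = policies
    roles = roles_for(user, resource, role_mapping)
    for priv, res, subj in authorization:
        if (priv == "any" or priv == privilege) and covers(res, resource) \
                and subject_matches(subj, user, roles):
            return True
    return False  # assumption: no matching grant means deny


if __name__ == "__main__":
    policies = parse_policies(POLICY_TEXT)
    admin, guest = "//user/alesusers/weblogic", "//user/alesusers/guest"
    console = "//app/policy/wlsserver/console"
    logo = console + "/url/console/login/bea_logo.gif"
    print("weblogic GET console:", is_permitted(admin, "//priv/GET", console, policies))  # via Admin role
    print("guest GET bea_logo.gif:", is_permitted(guest, "//priv/GET", logo, policies))   # via allusers
    print("guest GET console:", is_permitted(guest, "//priv/GET", console, policies))     # no grant
```

Because the role mapping policy is written on //app/policy/wlsserver, the model gives the weblogic user the Admin role on every resource beneath it, which is what lets the console and svr authorization policies apply; a user who is only in allusers reaches the login image and nothing else.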

Distribute the Policies

To distribute information to the SSM:

  1. To make sure the providers are bound to the WebLogic Server resources, expand the SSM configuration in the left pane and select the ASIAuthorizationProvider. Then open the Bindings tab, select //app/policy/wlsserver from the dropdown field and click Bind.
  2. Select Deployment in the left pane. Then use the Policy and Configuration tabs to distribute the policy and configuration information to the SSM.



Running WebLogic Server as a Service

The domain directory for a WebLogic Server normally contains a startWebLogic.cmd boot script that is run from a command or shell prompt. To make the server run as a service or daemon process instead, perform the following steps:

  1. Using an editor, modify <WLS_SSM_INSTANCE_HOME>/config/WLESWebLogic.conf as described in Table 3-2. The parameters to modify have comments that start and end with ***.

     Table 3-2 Updates to WLESWebLogic.conf

     Parameter                Description

     wrapper.working.dir      Specify the WebLogic working directory, for example BEA_HOME/weblogic92.

     weblogic.RootDirectory   Specify the WebLogic working directory, for example BEA_HOME/weblogic92.

     wles.user.alias          The boot user specified when the domain was created.
                              Note: Make sure to use the asipassword.bat|sh tool to add the password
                              for this alias to the password.xml file.

     weblogic.Name            The WebLogic server that is part of the domain.

  2. Depending on the operating system, edit <WLS_SSM_INSTANCE_HOME>/bin/WLESWebLogic.bat|sh as described in Table 3-3.

     Table 3-3 Modifying WLESWebLogic.bat | sh

     Operating System   Change

     Windows            In WLESWebLogic.bat, uncomment the @rem goto beenedited line, for example:
                        goto beenedited

     UNIX               In WLESWebLogic.sh, comment out the exit 1 line, for example:
                        # exit 1

  3. Open a command prompt or UNIX shell and go to the <WLS_SSM_INSTANCE_HOME>/bin directory.
  4. Run WLESWebLogic.bat|sh register.

After this, the server can be started or stopped by executing WLESWebLogic.bat|sh start or WLESWebLogic.bat|sh stop.
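Before registering the service, it is worth confirming that none of the Table 3-2 parameters was left unedited, since a wrong wles.user.alias or root directory only shows up when the service fails to boot. The following added example (not part of this guide or of the WLS SSM tooling) checks a WLESWebLogic.conf for the four parameters. It assumes the file uses key=value lines with # comment lines, as a Java Service Wrapper configuration does, and treats a value still wrapped in *** as an unreplaced placeholder; the SAMPLE_CONF text is constructed for illustration.

```python
"""Added example (not from the Oracle/BEA guide): verifies the edits that
Table 3-2 asks for in WLESWebLogic.conf.  Assumes a key=value layout with
'#' comment lines; the sample content below is constructed."""
import re

REQUIRED = ("wrapper.working.dir", "weblogic.RootDirectory",
            "wles.user.alias", "weblogic.Name")

# Constructed sample: one parameter edited, one left empty, one still carrying
# the *** placeholder, and one (weblogic.Name) absent altogether.
SAMPLE_CONF = """\
# *** Set the WebLogic working directory ***
wrapper.working.dir=/opt/bea/weblogic92
# *** Set the WebLogic root directory ***
weblogic.RootDirectory=
# *** Set the boot user alias ***
wles.user.alias=*** boot user ***
"""

PLACEHOLDER = re.compile(r"\*\*\*.*\*\*\*")


def parse_conf(text):
    """Map keys to values, skipping blank lines and # comments."""
    values = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def check_conf(text):
    """Return {parameter: problem} for every Table 3-2 parameter that still needs editing."""
    values = parse_conf(text)
    problems = {}
    for key in REQUIRED:
        if key not in values:
            problems[key] = "missing"
        elif not values[key]:
            problems[key] = "empty"
        elif PLACEHOLDER.search(values[key]):
            problems[key] = "placeholder not replaced"
    return problems


if __name__ == "__main__":
    for key, problem in check_conf(SAMPLE_CONF).items():
        print(f"{key}: {problem}")
```

An empty result means all four parameters are present with real values; anything reported should be fixed before running WLESWebLogic.bat|sh register.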



Setting Up WLS SSM on a WebLogic Cluster

This document provides the high-level steps for setting up OES to protect a cluster of WebLogic Server 9.x/10.x domain instances.

Topology

This document assumes the following deployment of OES components:

Steps

  1. Install the Administration Server and verify the installation by logging in to the Administration Console.
  2. Create a domain called cluster_admin on cluster server 1. Verify correct setup by starting the server and logging in to the WebLogic administration console. Then stop the server.
  3. Install the WLS SSM on both cluster server 1 and cluster server 2 in the same BEA_HOME as the WebLogic server. When prompted for the SCM instance, use the same name on both machines (for example, cluster_scm).
  4. If necessary, perform the enrollment process and run the asipassword utility as described in chapter 3 of the SSM Installation and Configuration Guide.
  5. Make a copy of BEA_HOME/ales32-ssm/wls-ssm/adm/myssm_config.properties and name it something like cluster_admin_config.properties.
  6. Edit cluster_admin_config.properties so that it points to the WebLogic domain directory on cluster server 1. Then edit other properties as needed.

     Note: For the Config ID, use a name similar to cluster_ssm.

  7. Run ConfigTool -check cluster_admin_config.properties to verify that all settings are correct. When there are no errors, run ConfigTool -process cluster_admin_config.properties. This enables OES on the WebLogic domain.
  8. Start the WebLogic server using startWebLogic.cmd located in the domain’s /bin directory.
  9. Log in to the WebLogic console and create the cluster (ales_cluster) and managed servers (managed server 1 is also located on cluster server 1; managed server 2 is located on cluster server 2). Instructions for WebLogic 9.x can be found at http://e-docs.bea.com/wls/docs92/ConsoleHelp/taskhelp/clusters/ClusterRoadmap.html. For WebLogic 10.0, see http://e-docs.bea.com/wls/docs100/ConsoleHelp/taskhelp/clusters/ClusterRoadmap.html.
  10. On cluster server 1:
     1. Run the WLS SSM instance wizard and create the SSM instance with the same Config ID used in step 6.
     2. Make a copy of managed server 1’s startWebLogic.cmd named startWebLogicM1.cmd. Update the file so that it references set-wls-env.cmd in the WLS SSM instance’s /bin directory.
     3. Make a copy of startManagedServer.cmd named startM1Server.cmd and edit it so that it calls startWebLogicM1.cmd with the arguments M1 http://<cluster_server1_IP>:<port>. This allows you to start the managed server by running startM1Server.cmd.
  11. On cluster server 2:
     1. Run the WLS SSM instance wizard and create the WLS SSM instance using the same Config ID used in step 6 above (for example, cluster_ssm).
     2. Make a copy of startWebLogic.cmd named startWebLogicM2.cmd. Update the file so that it references set-wls-env.cmd in the SSM instance’s /bin directory.

        Note: Also update the CLASSPATH and JAVA_OPTIONS to be similar to those in startWebLogicM1.cmd.

     3. Make a copy of startManagedServer.cmd named startM2Server.cmd and edit it so that it calls startWebLogicM2.cmd with the arguments M2 http://<cluster_server1_IP>:<port>. This allows you to start the managed server by running startM2Server.cmd.
  12. Start the managed servers on both servers. They should be able to locate the cluster_admin instance, obtain the realm information, and boot up correctly.

     Note: The realm name will be the same Config ID name used in step 6 above (for example, cluster_ssm).