Installing WebLogic Server v8.1 Security Service Module
This section describes each task you must perform after you install the product software and discusses other considerations.
Note: If you want to use the WebLogic Server 8.1 Security Service Module to integrate AquaLogic Enterprise Security with WebLogic Portal server and portal applications, skip this section and go to Integrating with WebLogic Portal.
Note: Some of the procedures described here require basic knowledge of both WebLogic Server and AquaLogic Enterprise Security products. If you need assistance with any task, see the Administration Console online help or the Administration and Deployment Guide for more details. It is assumed that you know the location of the products you have installed, including the WebLogic Server, the Security Service Module, and the Administration Server.
This section describes how to enroll the Service Control Manager. Each machine on which you install a Security Service Module must have one (and only one) enrolled Service Control Manager. You only need to follow this procedure if you installed the Security Service Module on a machine other than the one that contains the Administration Server.
Note: While you can use the demonstration digital certificate to enroll in a development environment, you should never use it in a production environment.
To enroll the Service Control Manager, perform the following steps:
Open a command window and go to the BEA_HOME/ales21-scm/bin directory. Press ENTER. To register the domain, type 5, press ENTER, and enter the following information:
Enter Enterprise Domain Name :> (For example: asi)
Enter Primary Admin URL :> (For example: https://adminmachine:7010/asi)
Secondary Admin URL :> (This value is optional. Same format as the primary URL)
SCM name :> (For example: ssmmachinename_ssm)
SCM port :> (Default: 7010)
The enrollment process uses the following three keystores:
ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
ssl\trust.jks keystore. This keystore contains the AquaLogic Enterprise Security CA certificate used for enrollment.
You configure a Service Control Manager (SCM) for each of the machines on which you have installed one or more Security Service Modules (SSM). Each machine must have one (and only one) configured Service Control Manager. For example, if you install an SSM on the same machine as the Administration Server, you must use the adminconfig SCM, which was configured for you when you installed the Administration Server.
Note: When you use the Instance Wizard to create an instance of an SSM on a machine, you link the instance to an SCM by name. When you install multiple SSMs of different types (Web Server or Web Services, WebLogic Server 8.1, and Java) on the same machine, they all must use the same SCM.
To configure an SCM, see the Administration Server Console Help and use the AquaLogic Enterprise Security Administration Console.
Configure an SSM with the security providers that you require for the WebLogic Server 8.1 SSM and bind it to the SCM. You have the option of configuring either the default security providers that ship with the product or custom security providers, which you develop or purchase from third-party security vendors. The WebLogic Server 8.1 SSM supports the following types of security providers:
To configure these providers and bind the configuration to the SCM, perform the following steps:
Enter the Configuration ID for the new security configuration (for example, weblogic81_ssm) and click Create.
Note: Later, when you use the Instance Wizard to create an instance of the SSM to which this security configuration will be applied, you will use the Configuration ID to link the SSM instance to this security configuration.
Before starting a WebLogic Server Security Service Module, you must first create an instance of the Security Service Module using the Instance Wizard. You can create any number of instances of the Security Service Module. You must then enroll each instance that you want to use. Each instance has its own set of providers.
To create an instance of a Security Service Module:
On Unix, if you are using X-windows, go to BEA_HOME/ales21-ssm/wls-ssm/adm and enter: instancewizard.sh.
You must have the Administration Server running prior to enrolling the Security Service Module.
Note: While you can use the demonstration digital certificate in a development environment, you should never use it in a production environment.
To enroll the Security Service Module:
Go to the /adm directory of the instance: BEA_HOME/ales21-ssm/wls-ssm/instance/instancename/adm, where instancename is the name you assigned to the instance when you created it.
Enter the admin username and password. This is the username and password of the Security Administrator doing the enrollment (if you used the default values and have not yet changed them, the default username is system and the password is weblogic).
The enrollment process uses the following three keystores:
ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
ssl\trust.jks keystore. This keystore contains the AquaLogic Enterprise Security CA certificate used for enrollment.
For the purposes of the example presented here, this document assumes that the WebLogic Server domain is in the following location:
BEA_HOME/user_projects/domains/mydomain
However, your domain can be in any location you desire. If you want to create a domain, you can use the WebLogic Server Configuration Wizard to create a domain or create it manually. The domain includes a startWebLogic file, which you are instructed to modify in Modifying the startWebLogic File.
The WebLogic startup script does the following:
Before you can start a WebLogic Server that uses BEA AquaLogic Enterprise Security, you must edit the startWebLogic file that is located in the WebLogic Server domain directory, for example:
BEA_HOME/user_projects/domains/mydomain
where:
See Listing 4-1 for an example of a modified startWebLogic.cmd file. To edit the startWebLogic file, do the following:
Where CLASSPATH is set, add a call to the set-wls-env script file in the bin directory for your instance (for example, BEA_HOME/ales21-ssm/wls-ssm/instance/wls81ssm/bin, where wls81ssm is the name of your instance):
On Windows: call "C:\bea\ales21-ssm\wls-ssm\instance\myInstance\bin\set-wls-env.bat"
On Unix: . "/bea/ales21-ssm/wls-ssm/instance/myInstance/bin/set-wls-env.sh"
Listing 4-1 shows the resulting "%JAVA_HOME%\bin\java" command line.
Listing 4-1 Modifying the startWebLogic.cmd File for Windows
```bat
...
set SERVER_NAME=myserver
@REM Set the WLES_* environment variables for this Security Service Module instance
call "C:\BEA_HOME\ales21-ssm\wls-ssm\instance\myInstance\bin\set-wls-env.bat"
@REM The ALES classes must surround the WebLogic classpath (PRE before, POST after)
set CLASSPATH=%WLES_PRE_CLASSPATH%;%WEBLOGIC_CLASSPATH%;%POINTBASE_CLASSPATH%;%JAVA_HOME%\jre\lib\rt.jar;%WL_HOME%\server\lib\webservices.jar;%CLASSPATH%;%WLES_POST_CLASSPATH%
@REM Call WebLogic Server
echo .
echo CLASSPATH=%CLASSPATH%
echo .
echo PATH=%PATH%
echo .
echo ***************************************************
echo * To start WebLogic Server, use a username and    *
echo * password assigned to an admin-level user. For   *
echo * server administration, use the WebLogic Server  *
echo * console at http:\\[hostname]:[port]\console     *
echo ***************************************************
@REM WLES_JAVA_OPTIONS (set by set-wls-env.bat) is appended to the normal Java options
"%JAVA_HOME%\bin\java" %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% %WLES_JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Dweblogic.ProductionModeEnabled=%PRODUCTION_MODE% -Djava.security.policy="%WL_HOME%\server\lib\weblogic.policy" weblogic.Server
ENDLOCAL
```
You can use the security.properties file to set the necessary security properties. To set the security properties, create a security.properties file and put it in the WebLogic Server domain directory; for example:
BEA_HOME/user_projects/domains/mydomain
Include the information shown in Listing 4-2 in the security.properties file, where ConfigurationID is the Configuration ID of the security configuration you created for this Security Service Module.
Note: The security.properties file is not required if you add these parameters to Java Options.
Listing 4-2 Security.properties File
```properties
wles.realm=ConfigurationID
wles.default.realm=ConfigurationID
```
After you install the Security Service Module, create the instance, and enroll it, you must start the necessary processes by running the appropriate batch or shell scripts. Before you start these processes, make sure that the Administration Server and all of its services are running.
For each machine, you must start the following processes:
For instructions on how to start and stop the required processes, see Starting and Stopping Processes for Security Service Modules in the Administration and Deployment Guide.
When using the Database Authentication provider, ASI Authorization provider and ASI Role Mapping provider, refer to the following sections for important information:
The WebLogic Server uses the login information contained in the boot.properties file to start the server. This file contains a username and password that must match a username and password in the configured authentication policy. The boot.properties file is located in the WebLogic Server domain directory on the machine on which the Security Service Module is installed, for example:
BEA_HOME/user_projects/domains/mydomain
If you used a username of system and a password of weblogic, then modify the WebLogic Server boot.properties file in the domain so that its username entry is system and its password entry is weblogic.
The next time you start the WebLogic Server, the username and password you specified are encrypted.
Before you can use the ASI Authorization provider with the WebLogic Server, you need to configure a boot policy, and then distribute it to the WebLogic Server 8.1 Security Service Module. If you need instructions on how to perform any of these tasks, see the Console Help for details. You may also want to refer to the Policy Managers Guide for information on how the policy language is constructed and how it appears in the console.
To configure and distribute a boot policy, perform the following tasks:
To create the user identity named alesusers, perform these steps:
Create a user named system and set the password for system to weblogic. Replace system and weblogic with the values used in the boot.properties file.
To create resources for the defined user, alesusers, create the following resources below the resource called policy, and then create the following policy:
```
grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;
```
Select any in the Select Privileges from Group list box, and then click Add. Create the following role mapping policy:
```
grant(//role/Admin, //app/policy/wlsserver, //user/alesusers/system/) if true;
```
To bind the resource //app/policy/wlsserver to the ASI Authorization provider for this Security Service Module, perform the following steps:
Distribute the policies to the WebLogic Server v8.1 Security Service Module.
For information on how to distribute policies, see the Administration Console help system. Be sure to verify the results of the distribution.
Before you can log in to the WebLogic Server Administration Console, you need to configure a console policy and then distribute it to the WebLogic Server 8.1 Security Service Module. This is needed if you want to access the WebLogic Server Administration Console.
To configure and distribute a WebLogic Server Administration Console policy, do the following on the AquaLogic Enterprise Security Administration Console:
When you secure an EJB using a WebLogic Server 8.1 Security Service Module, you must follow these steps if you want to use the AquaLogic Enterprise Security providers instead of the default WebLogic providers.
Edit the EJB deployment descriptor (ejb-jar.xml) so that the assembly-descriptor does not have any method-permissions set to unchecked or excluded. If either of these settings is present in the deployment descriptor, then the EJB container enforces them rather than calling into the security subsystem.
Set the following system property on the server's Java command line (as a -D option):
weblogic.security.fullyDelegateAuthorization=true
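As an added example (not code from the BEA documentation), the following script audits an ejb-jar.xml for the two assembly-descriptor settings just described, unchecked method-permissions and exclude-list entries, which the container enforces itself so the ALES providers never see those calls. The descriptor, bean and method names below are constructed for the example.

```python
# Added example (not from the BEA documentation): report every EJB method whose
# authorization decision stays inside the container (<unchecked/> or <exclude-list>)
# instead of being delegated to the ALES providers. The descriptor is constructed.
import xml.etree.ElementTree as ET

SAMPLE_EJB_JAR = """<?xml version="1.0"?>
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <assembly-descriptor>
    <method-permission>
      <role-name>Admin</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>AccountBean</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
    <exclude-list>
      <method><ejb-name>AccountBean</ejb-name><method-name>closeAccount</method-name></method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
"""


def _local(tag):
    """Drop the namespace so EJB 2.0 (DTD) and 2.1 (xmlns) descriptors parse alike."""
    return tag.rsplit("}", 1)[-1]


def find_container_enforced_methods(ejb_jar_xml):
    """Return (setting, ejb-name, method-name) for every method the container
    decides on itself instead of calling into the security subsystem."""
    findings = []
    for node in ET.fromstring(ejb_jar_xml).iter():
        tag = _local(node.tag)
        if tag == "method-permission" and any(_local(c.tag) == "unchecked" for c in node):
            setting = "unchecked"
        elif tag == "exclude-list":
            setting = "excluded"
        else:
            continue
        for m in node:
            if _local(m.tag) == "method":
                names = {_local(c.tag): (c.text or "").strip() for c in m}
                findings.append((setting, names.get("ejb-name"), names.get("method-name")))
    return findings
```

An empty result means every method permission names a role, so the container calls into the security subsystem for each invocation.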
If you want to protect a cluster of WebLogic Servers using AquaLogic Enterprise Security, you must make some additional changes to the security configuration and resource configuration. For information on how to protect a cluster of WebLogic Servers, see the following topics:
Figure 4-1 shows a Security Service Module configuration named myrealm, located under a Service Control Manager named adminconfig in the AquaLogic Enterprise Security Administration Console. Your actual Security Service Module configuration will vary from this example based on the needs of your WebLogic domain.
Figure 4-1 Service Control Manager Configuration
Figure 4-2 shows a configuration for a cluster of four WebLogic Servers: one administration server (adm) and three managed servers (svr1, svr2, svr3), with one Security Service Module instance for each server. The Service Control Manager on both machines must use the same Configuration Name (adminconfig). Each Security Service Module must have a unique Instance Name and Port number per machine, but always shares a common Configuration ID (myrealm) across all machines. Thus, each server uses the same security provider configuration and receives the same policy.
Figure 4-2 WebLogic Server Clusters
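The layout rules above (one SCM per machine, a shared SCM Configuration Name, instance names and ports unique per machine, and one Configuration ID for every SSM) can be checked before distribution. The following is an added example, not part of the BEA documentation; the machine names, ports and records are constructed to mirror Figure 4-2.

```python
# Added example (not from the BEA documentation): validate SCM and SSM records
# against the cluster rules for a WebLogic Server 8.1 SSM deployment.
# Records are constructed; machine names and ports are assumptions.
SCMS = [  # (machine, SCM Configuration Name)
    ("machineA", "adminconfig"),
    ("machineB", "adminconfig"),
]
SSMS = [  # (machine, SSM Instance Name, port, Configuration ID)
    ("machineA", "adm", 8000, "myrealm"),
    ("machineA", "svr1", 8001, "myrealm"),
    ("machineB", "svr2", 8000, "myrealm"),
    ("machineB", "svr3", 8000, "myrealm"),  # port clash with svr2 on the same machine
]


def check_cluster_layout(scms, ssms):
    """Return a list of rule violations; an empty list means the layout is consistent."""
    problems = []
    # Rule 1: exactly one SCM per machine, and every SSM's machine must have one.
    scm_count = {}
    for machine, _ in scms:
        scm_count[machine] = scm_count.get(machine, 0) + 1
    for machine, n in scm_count.items():
        if n != 1:
            problems.append(f"{machine}: {n} SCMs configured, must be exactly one")
    for machine, inst, _, _ in ssms:
        if machine not in scm_count:
            problems.append(f"{machine}: SSM {inst} has no SCM on its machine")
    # Rule 2: all SCMs in the cluster share one Configuration Name.
    if len({name for _, name in scms}) > 1:
        problems.append("SCM Configuration Names differ across machines")
    # Rule 3: Instance Name and port are unique per machine.
    seen = set()
    for machine, inst, port, _ in ssms:
        for key in ((machine, "name", inst), (machine, "port", port)):
            if key in seen:
                problems.append(f"{machine}: duplicate SSM {key[1]} {key[2]}")
            seen.add(key)
    # Rule 4: every SSM shares one Configuration ID, so all receive the same policy.
    if len({s[3] for s in ssms}) > 1:
        problems.append("SSM Configuration IDs differ; servers would receive different policy")
    return problems
```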
You must also create the following two resources shown in Figure 4-3, setting them both to virtual.
The myrealm/wl_management_internal1 resource is accessed on the cluster's administration server by the WebLogic Admin Console to view WebLogic Server related log files.
The myrealm/wl_management_internal2 resource is accessed on the cluster's administration server by a managed server during bootstrap and file distribution operations.
The myrealm/bea_wls_internal resource is accessed when one managed server is synchronizing with another managed server.
The myrealm/wl_management_internal1, myrealm/wl_management_internal2 and myrealm/bea_wls_internal resources must be configured to allow virtual resources.
Figure 4-3 Resources for Managing WebLogic Server Clusters
You must create the policy listed in Table 4-1. Also, ensure that there is a role policy that maps the Everyone role to the group allusers in your identity directory.
You have completed the installation and configuration of the WebLogic Server 8.1 Security Service Module. Your Security Administrator can now configure additional security services using the security providers for your Security Service Module, through the AquaLogic Enterprise Security Administration Console. If you configured the providers as part of the post-installation tasks, you can now make changes to your configuration using the console.
Before you continue to configure security services, read the information on security configuration in the Administration Console help. This section provides additional information on how to configure the Service Control Manager, the Security Service Module, and the providers, and then deploy your changes.