> Integrating ALES with Application Environments > Configuring the WebLogic Server 8.1 SSM

Integrating ALES with Application Environments

     Previous  Next    Open TOC in new window  Open Index in new window  View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Configuring the WebLogic Server 8.1 SSM

This section covers tasks that you must perform after installing and completing the post-installation tasks for the WebLogic Server 8.1 Security Service Module. Note that the WebLogic Server 9.x Security Service Module uses a different security framework from the one used in the WLS 8.1 SSM and therefore has configuration procedures. See Configuring the WebLogic Server 9.x SSM for more information.

The following topics are covered in this section:

 

Location of the WebLogic Server Domain

For the purposes of the example presented here, this document assumes that the WebLogic Server domain is in the following location: 

BEA_HOME/user_projects/domains/mydomain

However, your domain can be in any location you desire. If you want to create a domain, you can use the WebLogic Server Configuration Wizard to create a domain or create it manually. The domain includes a startWebLogic file, which you are instructed to modify in Modifying the startWebLogic File.

 

Modifying the startWebLogic File

The WebLogic startup script does the following:

Before you can start a WebLogic Server that uses BEA AquaLogic Enterprise Security, you must edit the startWebLogic file that is located in the WebLogic Server domain directory. For example: 

BEA_HOME/user_projects/domains/mydomain

where:

See Listing 7-1 for an example of a modified startWebLogic file. To edit the startWebLogic file, do the following:

  1. Before the CLASSPATH is set, add a call to the set-wls-env script file in your the bin directory for your instance. The set-wls-env script sets environment variables that are used in the next steps: WLES_PRE_CLASSPATH, WLES_POST_CLASSPATH and WLES_JAVA_OPTIONS. For example:
    2. BEA_HOME/ales25-ssm/wls-ssm/instance/wls-ssm/bin

    Where:

    ales25-ssm is the directory where you installed the Security Service Module.

    instance is the directory where all instances are stored.

    wls-ssm is the name of the Security Service Module instance you created earlier.

    For example, if you created an instance called myInstance, the call looks like this:

    On Windows: 

    call "C:\bea\ales25-ssm\wls-ssm\instance\myInstance\bin\set-wls-env.bat"

    On UNIX: 

    . "/bea/ales25-ssm/wls-ssm/instance/myInstance/bin/set-wls-env.sh"
  2. Add the following line to the CLASSPATH:

    3. On Windows: 

    %WLES_PRE_CLASSPATH% and %WLES_POST_CLASSPATH%

    On UNIX: 

    ${WLES_PRE_CLASSPATH} and ${WLES_POST_CLASSPATH}
  3. On Windows, add quotes to %JAVA_HOME%\bin\java in the weblogic.Server command.
    4. "%JAVA_HOME%\bin\java"
  4. Add the following to the java command that starts WebLogic Server with the weblogic.Server class:

    5. On Windows: 

    %WLES_JAVA_OPTIONS%

    On UNIX: 

    ${WLES_JAVA_OPTIONS}
    Listing 7-1 Modifying the startWebLogic.cmd File for Windows 
    ...
    set SERVER_NAME=myserver
    call "C:\BEA_HOME\ales25-ssm\wls-ssm\instance\myInstance\bin\set-wls-env.bat"
    set CLASSPATH=%WLES_PRE_CLASSPATH%;%WEBLOGIC_CLASSPATH%;
    %POINTBASE_CLASSPATH%;%JAVA_HOME%\jre\lib\rt.jar;
    %WL_HOME%\server\lib\webservices.jar;%CLASSPATH%;
    %WLES_POST_CLASSPATH%
    @REM Call WebLogic Server
    echo .
    echo CLASSPATH=%CLASSPATH%
    echo .
    echo PATH=%PATH%
    echo .
    echo ***************************************************
    echo *  To start WebLogic Server, use a username and   *
    echo *  password assigned to an admin-level user.  For *
    echo *  server administration, use the WebLogic Server *
    echo *  console at http:\\[hostname]:[port]\console    *
    echo ***************************************************
    "%JAVA_HOME%\bin\java" %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% %WLES_JAVA_OPTIONS% 
    -Dweblogic.Name=%SERVER_NAME% 
    -Dweblogic.ProductionModeEnabled=%PRODUCTION_MODE% 
    -Djava.security.policy="%WL_HOME%\server\lib\weblogic.policy" weblogic.Server
    ENDLOCAL

 

Defining Security Properties

You can use the security.properties file to set the necessary security properties. To set the security properties, create a security.properties file and put it in the WebLogic Server domain directory; for example: 

BEA_HOME/user_projects/domains/mydomain

Include the information shown in Listing 7-2 in the security.properties file, where:

You may also copy this file from the BEA_HOME/ales25-ssm/wls-ssm/instance/myInstance/config folder.

Note: The security.properties file is not required if you add these parameters to Java Options.
Listing 7-2 Security.properties File 
wles.realm=ConfigurationID
wles.default.realm=ConfigurationID

 

Starting and Stopping Processes

After you install the Security Service Module, create the instance, and enroll it, you must start the necessary processes by running the appropriate batch or shell scripts. Before you start these processes, make sure that the Administration Server and all of its services are running.

For each machine, you must start the following processes:

For instructions on how to start and stop the required processes, see Starting and Stopping Processes for Security Service Modules in the Administration and Deployment Guide.

 

Additional Post-Installation Considerations

When using the Database Authentication provider, ASI Authorization provider and ASI Role Mapping provider, refer to the following sections for important information:

Setting the Boot Login for WebLogic Server

The WebLogic Server uses the login information contained in the boot.properties file to start the server. This file contains a username and password that must match a username and password in the configured authentication policy. The boot.properties file is located in the WebLogic Server domain directory on the machine on which the Security Service Module is installed, for example: 

BEA_HOME/user_projects/domains/mydomain

If you used a username of system and a password of weblogic, then modify WebLogic Server boot.properties in the domain as follows: 

user = system
password = weblogic

The next time you start the WebLogic Server, the username and password you specified are encrypted.

Creating a WebLogic Boot Policy

Before you can use the ASI Authorization provider with the WebLogic Server, you need to configure a boot policy, and then distribute it to the WebLogic Server Security Service Module. The boot policy allows the user named system to start the WebLogic Server instance. If you need instructions on how to perform any of the following tasks, see the Console Help for details. You may also want to refer to the Policy Managers Guide for information on how the policy language is constructed and how it appears in the console.

To configure and distribute a boot policy, perform the following tasks:

Creating the User Identity

To create the user identity named alesusers, perform these steps:

  1. Using the ALES Administration Console, create an Identity directory called alesusers.
    1. Open the Identity folder and click Identity.
    2. Click New. In the Name text box, enter alesusers, and then click OK.
  2. Within this directory, create a user named system and set the password for system to weblogic. Replace system and weblogic with the values used in boot.properties file.
    1. Click Users, click New, enter system, and click OK.
    2. Click Edit, click Set Password, enter weblogic, and click OK.
    3. Click OK.

Creating Resources for WebLogic Server

Create the following resources below the resource called policy for the defined user, alesusers:

To create these resources using the ALES Administration Console:

  1. Click Resources and then click New.
  2. In the Name box, type wlsserver, select Binding from the Type drop-down menu, and then click OK.
  3. Select wlsserver and click Configure.
  4. From the Type drop-down menu, select Binding Application, check Distribution Point, and then click OK.
  5. Select wlsserver, click New, enter shared in the name box, and then click OK.
  6. Select shared, click Configure, check Allow Virtual Resources, and then click OK.
  7. Select shared, click New, enter svr in the name box, and then click OK.

Grant Server Resource to Admin Role

Create the following policy: 

grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;
  1. Expand the Policy node in the left pane, and click Authorization Policies.
  2. In the Authorization Policies page, click New.
  3. In the Create Authorization Policy dialog page, select the Privileges tab, select any in the Select Privileges from Group list box, and then click Add.
  4. Select the Resources tab, expand the wlsserver and shared nodes in the Child Resources list box, select svr, and then click Add.
  5. Select the Policy Subjects tab, select Admin from the Roles List list box, click Add, and click OK.

Grant Admin Role to WebLogic User/Group

Create the following role mapping policy: 

grant(//role/Admin, //app/policy/wlsserver, //user/alesusers/system/)
   if true;
  1. Click Role Mapping Policies.
  2. In the Role Mapping Policies page, click New.
  3. In the Create Role Mapping Policy dialog page, select the Roles tab, select Admin from the Available Roles list box, and click Add.
  4. Select the Resources tab, select wlsserver in the Child Resources list box, and click Add.
  5. Select the Policy Subjects tab, select Users from the Select Policy Subjects From: drop-down menu, change the directory to alesusers, select system from the list box, click Add, and click OK.

Binding the Resource to the ASI Authorization Provider

To bind the resource //app/policy/wlsserver to the ASI Authorization provider for this Security Service Module, perform the following steps:

  1. Open the Security Configuration and Security Control Manager folders.
  2. Open the Security Service Module folder and click Authorization.
  3. The Authorization page appears.
  4. Click Create a new ASI Authorization Provider.
  5. The Edit ASI Authorization Provider page appears.
  6. Enter a name for the provider in the Name text box, and then click Create.
  7. Click the Details tab, set the Identity Directory to alesusers, set the Application Directory Parent to //app/policy/wlsserver.
  8. Click Apply.
  9. Click the Bindings tab and select the resource you want to bind to the provider from the Bind drop-down menu, and then click Bind.

Distributing the Policies to the Security Service Module

Distribute the policies to the WebLogic Server Security Service Module.

For information on how to distribute policies, see the Administration Console help system. Be sure to verify the results of the distribution.

Creating a WebLogic Console Policy

Before you can login into the WebLogic Server Administration Console, you need to configure a console policy and then distribute it to the WebLogic Server Security Service Module. This is needed if you want to access the WebLogic Server Administration Console.

To configure and distribute a WebLogic Server Administration Console policy, do the following on the AquaLogic Enterprise Security Administration Console:

  1. Create the following resource:
    2. //app/policy/wlsserver/console
    1. Click Resources. The Resources page appears.
    2. Select wlsserver, click New, enter console in the name box, and then click OK.
    3. Select console, click Configure, check Allow Virtual Resources, and then click OK.
  2. Create the following resource:
    3. //app/policy/wlsserver/console/url/console/login/bea_logo.gif

    The resource represents the BEA logo image at the top-right corner on the login page of the Server Administration Console. To create this resource:

    1. Click Resources. The Resources page appears.
    2. Right-click on resource //app/policy/wlsserver/console and select Add Resource in the context menu..
    3. In the Create Resource dialog window, give the name url to the new resource.
    4. Right-click on the resource //app/policy/wlsserver/console/url and select Add Resource in the context menu..
    5. In the Create Resource dialog window, give the name console to the new resource.
    6. Right-click on the resource //app/policy/wlsserver/console/url/console and select Add Resource in the context menu..
    7. In the Create Resource dialog window, give the name login to the new resource.
    8. Right-click on the resource //app/policy/wlsserver/console/url/console/login and select Add Resource in the context menu..
    9. In the Create Resource dialog window, give the name bea_logo.gif to the new resource.
  3. Create the following authorization policy, which allows a user with role Admin to access all the resources associated with the console application: 
    4. grant(any, //app/policy/wlsserver/console, //role/Admin) if true;
    1. Click Authorization Policies.
    2. In the Authorization Policies page, click New.
    3. In the Create Authorization Policy dialog page, select the Privileges tab, click any in the Select Privileges from Group list box, and then click Add.
    4. Select the Resources tab, expand wlsserver in the Child Resources list box, select console, and then click Add.
    5. Select the Policy Subjects tab, select Admin from the Roles List list box, click Add, and then click OK.
  4. Create the following authorization policy, which allows any user to see the BEA logo image at the top-right corner on the login page of the Server Administration Console:
    5. grant( //priv/GET, //app/policy/wlsserver/console/url/console/login/bea_logo.gif, //sgrp/alesusers/allusers/) if true;
    1. Click Authorization Policies.
    2. In the Authorization Policies page, click New.
    3. In the Create Authorization Policy dialog page, select the Privileges tab, click GET in the Select Privileges from Group list box, and then click Add.
    4. Select the Resources tab, expand wlsserver/console/url/console/login in the Child Resources list box, select bea_logo.gif, and then click Add.
    5. Select the Policy Subjects tab, select allusers from the Groups List list box, click Add, and then click OK. Be sure that the selected identity store is alesusers.
  5. Distribute the policies to the WebLogic Server Security Service Module. For information on how to distribute policy, see the Administration Console's help system. Be sure to verify the results of the distribution.

Protecting Resources

When you secure an EJB using a WebLogic Server Security Service Module, you must follow these steps if you want to use the AquaLogic Enterprise Security providers instead of the default WebLogic providers.

  1. Modify the EJB deployment descriptor (ejb-jar.xml) so that the assembly-descriptor does not have any method-permissions set to unchecked or excluded.

    2. If either of these settings is present in the deployment descriptor, then the EJB container enforces them rather than calling into the security subsystem.

  2. Set the following system property to true, indicating that the EJB container delegates other security checks to the security subsystem, by adding this line to the WLES_JAVA_OPTIONS in the set-wls-env script:
    3. weblogic.security.fullyDelegateAuthorization=true

 

Protecting a Cluster of WebLogic Servers

If you want to protect a cluster of WebLogic Servers using AquaLogic Enterprise Security, you must make some addition changes to the security configuration and resource configuration. For information on how to protect cluster of WebLogic Servers, see the following topics:

Security Configuration

Figure 7-1 shows a Security Service Module configuration named myrealm, located under a Service Control Manager named adminconfig in the AquaLogic Enterprise Security Administration Console. Your actual Security Service Module configuration will vary from this example based on the needs of your WebLogic domain.

Figure 7-1 Service Control Manager Configuration

Service Control Manager Configuration

Figure 7-2 shows a configuration for a cluster of four WebLogic Servers: one administration server (adm) and three managed servers (svr1, svr2, svr3), with one Security Service Module instance for each server. The Service Control Manager on both machines must use the same Configuration Name (adminconfig). Each Security Service Module must have a unique Instance Name and Port number per machine, but always shares a common Configuration ID (myrealm) across all machines. Thus, each server uses the same security provider configuration and receives the same policy.

Figure 7-2 WebLogic Server Clusters

WebLogic Server Clusters

Resource Configuration

You must also create the following three resources shown in Figure 7-3, setting them each as virtual resources.

The myrealm/wl_management_internal1 resource is accessed on the cluster's administration server by the WebLogic Admin Console to view WebLogic Server related log files.

The myrealm/wl_management_internal2 resource is accessed on the cluster's administration server by a managed server during bootstrap and file distribution operations.

The myrealm/bea_wls_internal resource is accessed when one managed server is synchronizing with another managed server.

The myrealm/wl_management_internal1, myrealm/wl_management_internal2 and myrealm/bea_wls_internal resources must be configured to allow virtual resources.

Figure 7-3 Resources for Managing WebLogic Server Clusters

Policy Configuration

You must create the policy listed in Table 7-1.

Table 7-1 Policy Configuration
Privileges
Resources
Policy Subjects
Conditions
any
myrealm/bea_wls_internal
//sgrp/alesusers/allusers/
none
any
myrealm/wl_management_internal1,
myrealm/wl_management_internal2
//sgrp/alesusers/allusers/
none

To create this policy in the ALES Administration Console:

  1. Click Authorization Policies.
  2. On the Authorization Policies page, click New.
  3. In the Create Authorization Policy dialog, select the Privileges tab, click any in the Select Privileges from Group list box, and then click Add.
  4. Select the Resources tab, expand myrealm in the Child Resources list box, select bea_wls_internal, and then click Add.
  5. Select the Policy Subjects tab, select allusers from the Groups List list box, click Add, and then click OK. Be sure that the selected identity store is alesusers.
  6. On the Authorization Policies page, click New.
  7. In the Create Authorization Policy dialog, select the Privileges tab, click any in the Select Privileges from Group list box, and then click Add.
  8. Select the Resources tab, expand myrealm in the Child Resources list box, select wl_management_internal1, and then click Add.
  9. Select wl_management_internal2 also and click Add.
  10. Select the Policy Subjects tab, select allusers from the Groups List list box, click Add, and then click OK. Be sure that the selected identity store is alesusers.

  Back to Top       Previous  Next