This section covers tasks that you must perform after completing the post-installation tasks for the WebLogic Server 9.x Security Service Module. The following topics are covered in this section:
The WebLogic Server 9.x Security Service Module integrates AquaLogic Enterprise Security with BEA WebLogic Server versions 9.1 and 9.2. It uses a different security framework from the one used in the WLS 8.1 SSM and the other ALES SSMs. When you install the WLS 9.x SSM, ALES uses the WLS 9.x security framework. As a consequence, when you use the WLS 9.x SSM, you configure security providers and other aspects of the SSM in the WebLogic Administration Console, rather than the ALES Administration Console. You still use the ALES Administration Console to configure SSMs other than the WLS 9.x SSM and to write security policies for any SSM. You must also use the ALES Administration Console to configure the ASI Authorizer and ASI Role Mapper providers.
Prerequisites for Configuring the WebLogic Server 9.x SSM
Before you configure a WebLogic Server 9.x SSM, you must first:
Install WebLogic Server 9.x and create a WebLogic domain. See the WebLogic Server Installation Guide.
Using the ALES Administration Console, create an instance of the WebLogic Server 9.x SSM, enroll the instance, and set the password for the SSM's ASI database.
Configuring the WebLogic Server 9.x SSM: Main Steps
Start WebLogic Server, using the modified startWebLogic file.
Using the WebLogic Server Administration Console, create a new security realm in WebLogic Server. See Configure new security realms in the WebLogic Server Console Help.
Make the new security realm the active security realm for WebLogic Server. See Change the default security realm in the WebLogic Server Console Help.
In the ALES Administration Console, create an SSM configuration using the same name as you used for the WLS security realm.
In the ALES Administration Console, create an instance of the ASI Authorizer and ASI Role Mapper providers. Set the Identity Directory attribute of the ASI Authorizer and ASI Role Mapper to the same value in the ALES Administration Console and the WebLogic Server Administration Console.
Distribute policy and configuration. The WLS 9 SSM instance must be started after the configuration has been deployed. Policy changes can be deployed while the WLS 9 SSM instance is running.
Restart the WebLogic Server instance.
Console Extension for Security Providers in the WLS 9.x Console
ALES includes an extension to the WebLogic Server 9.x Administration Console. If you are using the WebLogic Server 9.x SSM, you must install the console extension in order for the ALES security providers to be visible in the WebLogic Server 9.x Administration Console.
To install the ALES security provider console extension, copy ales_security_provider_ext.jar from BEA_HOME/ales25-ssm/wls9-ssm/lib to the BEA_HOME/WLS_HOME/domains/DOMAIN_NAME/console-ext directory, where DOMAIN_NAME is the name of your WebLogic Server 9.x domain.
Modifying the startWebLogic File
The WebLogic Server startup script does the following:
Sets environment variables.
Invokes the java weblogic.Server command, which starts a JVM that is configured to run a WebLogic Server instance.
Before you can start a WebLogic Server instance that uses BEA AquaLogic Enterprise Security, you must edit the startWebLogic file. This file is located in the WebLogic Server domain directory. For example:
BEA_HOME/user_projects/domains/mydomain
where:
user_projects is the directory where your WebLogic Server user projects are located.
domains is the directory where your WebLogic Server domain instances are located.
mydomain is the name of the WebLogic Server domain instance you are using.
See Listing 8-1 for an example of a modified startWebLogic file. To edit the startWebLogic file, do the following:
Make a copy of /domains/mydomain/startWebLogic.cmd or startWebLogic.sh and name it startWebLogicALES.cmd or startWebLogicALES.sh.
Make a copy of /domains/mydomain/bin/startWebLogic.cmd or startWebLogic.sh and name it startWebLogicALES.cmd or startWebLogicALES.sh.
Edit /domains/mydomain/startWebLogic so that it calls /domains/mydomain/bin/startWebLogicALES rather than /domains/mydomain/bin/startWebLogic. For example:
call "%DOMAIN_HOME%\bin\startWebLogicALES.cmd" %*
Edit /domains/mydomain/bin/startWebLogicALES. Before the CLASSPATH is set, add a call to the set-wls-env script file in the bin directory for your instance. The set-wls-env script sets environment variables that are used in the next steps: WLES_POST_CLASSPATH and WLES_JAVA_OPTIONS. For example:
else
    echo "Redirecting output from WLS window to ${WLS_REDIRECT_LOG}"
    ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} ${WLES_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${PROXY_SETTINGS} ${SERVER_CLASS} >"${WLS_REDIRECT_LOG}" 2>&1
fi
Configuring Security Providers for the WebLogic Server 9.x SSM
The WebLogic Server 9.x security framework includes a full set of security providers that are available out of the box. The WLS 9.x security providers are described in the WLS documentation, in the following chapters of Securing WebLogic Server:
In addition, you can use the following ALES security providers by adding them to your WebLogic Server security realm:
ASI Authorizer
ASI Role Mapper
ASI Adjudicator
ALES Identity Asserter
Log4J Auditor
PerfDB Auditor
Database Authenticator
Note:
While you can use the WebLogic Server Administration Console to add these ALES security providers to a WebLogic Server security realm and to configure those security providers, the WLS console does not provide online help for the ALES security providers.
See the following topics in this section for detailed information about configuring the WebLogic 9.x SSM:
When you configure a WebLogic 9.x security realm for ALES, you must include at a minimum the following ALES security providers:
ASI Authorizer—In order to take advantage of the ALES Authorization and Role Mapping Engine (ARME), your WLS security realm must include an instance of the ASI Authorizer.
ASI Role Mapper—Your WLS security realm must also include an instance of the ASI Role Mapper in order to take advantage of the ALES Authorization and Role Mapping Engine.
Log4J Auditor—The ALES security providers use a different logging system than the system used by WLS security providers. In order to support logging from any ALES security providers that are present, your WLS security realm must include an instance of the Log4J Auditor.
ASI Adjudicator—If there are multiple authorization providers configured and unanimous permit is false and all authorization providers return ABSTAIN, then the ASI Adjudicator returns false, denying access. The default WLS Adjudicator returns true in the same scenario. Therefore, it is recommended that you use the ASI Adjudicator in order to obtain an appropriate adjudication result.
If you plan to use WebLogic Portal (WLP), your security realm must include the XACML Authorizer and XACML Role Mapper providers in addition to the ones listed above.
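The adjudication difference described for the ASI Adjudicator is easiest to see in code. The following is an added illustration, not BEA or ALES code: it models the two adjudicators as the text describes them (with Require Unanimous Permit off, the default WLS Adjudicator grants access when every authorization provider abstains, while the ASI Adjudicator denies it). The function names, the Result enum and the treatment of a DENY vote are assumptions made for this example.

```python
from enum import Enum


class Result(Enum):
    """Vote an authorization provider can return (names are an assumption)."""
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


def wls_default_adjudicate(results, require_unanimous_permit=False):
    """Model of the default WLS Adjudicator as the text describes it.

    With unanimous permit off and every provider abstaining, access is
    granted (fail-open). Handling of explicit DENY votes is an assumption.
    """
    votes = list(results)
    if require_unanimous_permit:
        # Every provider must say PERMIT; an ABSTAIN is not a PERMIT.
        return all(v is Result.PERMIT for v in votes)
    if any(v is Result.DENY for v in votes):
        return False
    # No DENY seen: grant, even when the list is all ABSTAIN.
    return True


def asi_adjudicate(results, require_unanimous_permit=False):
    """Model of the ASI Adjudicator as the text describes it.

    Same rules as above, except that an all-ABSTAIN result (or no votes at
    all) is treated as a denial (fail-closed).
    """
    votes = list(results)
    if require_unanimous_permit:
        return bool(votes) and all(v is Result.PERMIT for v in votes)
    if any(v is Result.DENY for v in votes):
        return False
    if not votes or all(v is Result.ABSTAIN for v in votes):
        return False
    return True


def compare(results, require_unanimous_permit=False):
    """Return both decisions side by side for a given set of votes."""
    votes = list(results)
    return {
        "wls_default": wls_default_adjudicate(votes, require_unanimous_permit),
        "asi": asi_adjudicate(votes, require_unanimous_permit),
    }


if __name__ == "__main__":
    # Constructed scenario from the text: two authorization providers, both abstain.
    all_abstain = [Result.ABSTAIN, Result.ABSTAIN]
    print("all ABSTAIN, unanimous permit off:", compare(all_abstain))
    print("one PERMIT, one ABSTAIN:", compare([Result.PERMIT, Result.ABSTAIN]))
    print("one PERMIT, one DENY:", compare([Result.PERMIT, Result.DENY]))
```

Running the script shows the only case where the two adjudicators disagree is the all-ABSTAIN vote, which is exactly the case that arises when no configured authorizer has a policy for the resource; with the ASI Adjudicator that gap falls closed.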
Using the WebLogic Server Console to Configure Security Providers
To configure security providers for the WebLogic Server 9.x Security Service Module, you use the WebLogic Server Administration Console, not the ALES Administration Console. In order to create and configure ALES security provider instances using the WebLogic Server Administration Console, you must first install an extension to the console. See Console Extension for Security Providers in the WLS 9.x Console.
Before starting the procedure you might want to make a backup copy of the config/config.xml file in your domain directory. If you make a mistake following the steps below and the domain refuses to boot, you can undo the changes by restoring the config/config.xml file.
To configure security providers for ALES and WebLogic Server 9.x:
Start the WebLogic Server instance and log into the WebLogic Server Administration Console. The default URL for the console is http://localhost:7001/console.
In the Change Center in the upper left corner, click Lock & Edit.
In the left panel of the WebLogic Server Administration Console, under Domain Structure, select Security Realms.
On the Summary of Security Realms page, click New to create a new security realm. Create a new realm using a name that matches the configuration ID you used when you created the WebLogic Server 9.x SSM instance. For the purposes of this procedure, we will assume that the new security realm is named mywls9ssm.
On the Summary of Security Realms page, select the mywls9ssm security realm.
On the Configuration: General page:
Set Security Model Default to Advanced.
Uncheck Combined Role Mapping Enabled.
Click Save.
If Check Role and Policies is not visible, click Advanced.
Set Check Role and Policies to All Web applications and EJBs.
Click Save.
Select the Providers tab. You will configure new authentication, authorization, adjudication, role mapping, and auditing providers for the mywls9ssm security realm.
On the Providers: Authentication page, configure a new Database Authenticator security provider. To do this:
Click New.
Give the new Database Authenticator a name, such as ALESDatabaseAuthenticator.
Select Database Authenticator as the Type.
Click OK.
Select the new Database Authenticator. On its Configuration: Common page, set the Control Flag to REQUIRED and click Save.
On the new Database Authenticator's Configuration: Provider Specific page, set the database login, password, JDBC driver class name and JDBC Connection URL. Click Save.
This step is required only if you are securing a WebLogic Portal (WLP) domain (that is, if you selected the "portal" option when creating the WebLogic domain). Make sure that your security realm's providers include a XACML Authorizer and a XACML Role Mapper.
On the Providers: Authorization tab, check to make sure that a XACML Authorizer is present in your security realm. If it is missing, create a XACML Authorizer:
Click New.
Select XACML Authorizer and enter a name, such as XACMLAuthorizer, then click OK.
If the XACML Authorizer is not the first authorization provider in the list, click the Reorder button, change the order, and click OK.
On the Providers: Role Mapping tab, check to make sure that a XACML RoleMapper is present in your security realm. If it is missing, create a XACML Role Mapper:
Click New.
Select XACML RoleMapper and enter a name, such as XACMLRoleMapper, then click OK.
If the XACML RoleMapper is not the first role mapping provider in the list, click the Reorder button, change the order, and click OK.
Select the Providers: Authorization page and configure a new ASI Authorization provider:
Click New.
Give the new ASI Authorization provider a name, such as ASIAuthorizationProvider.
Select ASIAuthorizationProvider as the Type.
On the new ASI Authorization provider's Configuration: Provider Specific page, set Identity Directory and Application Deployment Parent. Click Save.
Select the Providers: Adjudication page and configure a new ASI Adjudication provider:
Click Replace.
Give the new ASI Adjudication provider a name, such as ASIAdjudicator.
Select ASIAdjudicator as the Type.
On the ASIAdjudicator's Configuration: Provider Specific page, uncheck Require Unanimous Permit and click Save.
Select the Providers: Role Mapping page and configure a new ASI Role Mapper provider:
Click New.
Give the new ASI Role Mapper provider a name, such as ASIRoleMapperProvider.
Select ASIRoleMapperProvider as the Type.
On the new ASI Role Mapper provider's Configuration: Provider Specific page, set Identity Directory and Application Deployment Parent. Click Save.
Select the Providers: Auditing page and configure a new Log4j Auditing provider:
Click New.
Give the new Log4j Auditing provider a name, such as Log4jAuditor.
Select Log4jAuditor as the Type.
Select the Providers: Credential Mapping page and configure a new Credential Mapping provider:
Click New.
Give the new Credential Mapping provider a name, such as DefaultCredentialMapper.
Select DefaultCredentialMapper as the Type.
Select the Providers: Certification Path page and configure a Certification Path provider:
Click New.
Select WebLogicCertPathProvider and click Next.
Click Next.
Check Replace Existing Builder.
Click Finish.
Change the default (active) security realm to your newly configured security realm. By default, a realm named myrealm is the active security realm when you install a WebLogic Server instance. To change the default security realm:
In the left pane of the WebLogic Server Administration Console, select your domain to open the Settings page for the domain.
On the Settings page for the domain, expand Security > General.
Select your new security realm, mywls9ssm, as the default security realm and click Save.
Note:
If you create a new security realm but do not configure the required security providers, the new realm will not be available in the pull-down menu.
In the Change Center in the upper left corner, click Activate Changes.
Using the ALES Administration Console to Configure Security Providers
After you have configured security providers for the WebLogic Server 9.x Security Service Module using the WebLogic Server Administration Console, you need to make some configuration changes in the ALES Administration Console also. You need to configure the ASI Authorization and ASI Role Mapping providers and create required users and policy for the WebLogic Server 9.x SSM to start.
To configure security providers in the ALES Administration Console:
Log into the ALES Administration Console. The default URL for the console is https://localhost:7010/asi.
Create an SSM configuration using the same name as you used for the WebLogic Server security realm. The default used previously was mywls9ssm.
Create an instance of the ASI Authorizer and ASI Role Mapper providers. Set the Identity Directory attribute of the ASI Authorizer and ASI Role Mapper to the same value in the ALES Administration Console and the WebLogic Server Administration Console.
The WebLogic Server instance must be started after the configuration has been deployed. Other policy changes can be deployed while the WebLogic Server instance is running.