Integrating ALES with Application Environments


Configuring the WebLogic Server 9.x SSM

This section covers tasks that you must perform after completing the post-installation tasks for the WebLogic Server 9.x Security Service Module. The following topics are covered in this section:

 


Overview of the WebLogic Server 9.x SSM

The WebLogic Server 9.x Security Service Module integrates AquaLogic Enterprise Security with BEA WebLogic Server versions 9.1 and 9.2. It uses a different security framework from the one used in the WLS 8.1 SSM and the other ALES SSMs. When you install the WLS 9.x SSM, ALES uses the WLS 9.x security framework. As a consequence, when you use the WLS 9.x SSM, you configure security providers and other aspects of the SSM in the WebLogic Administration Console, rather than the ALES Administration Console. You still use the ALES Administration Console to configure SSMs other than the WLS 9.x SSM and to write security policies for any SSM. You must also use the ALES Administration Console to configure the ASI Authorizer and ASI Role Mapper providers.

 


Simplified Procedure for Configuring WebLogic Server 9.x SSM

The manual (advanced) procedure for setting up the WebLogic Server 9.x SSM, described in Manual (Advanced) Procedure for Configuring WebLogic Server 9.x SSM has several configuration options. Although these options increase flexibility, they make setup cumbersome for simple configurations. The ConfigTool provides a simplified procedure for setting up the WLS 9.x SSM for commonly-used configurations.

You can use this tool either in silent or interactive mode. In silent (or non-interactive) mode, all required configuration parameters are placed in ConfigTool.properties. In interactive mode, the tool prompts the user for configuration parameters.

The configuration tool does the following:

  1. Creates the WLS 9.x SSM instance.
  2. Generates random passwords for enrollment.
  3. Enrolls the instance.
  4. Creates the SSM configuration on the ALES Administration Console.
  5. Edits the startWeblogic script for the WLS 9.x domain, to include ALES classpath and options.
  6. Creates a new security realm on the WLS 9.x domain.

Prerequisites for Configuring the WebLogic Server 9.x SSM

Before you configure a WebLogic Server 9.x SSM, you must:

  1. Install WebLogic Server 9.x . See the WebLogic Server Installation Guide.
  2. Install the ALES Administration Server. See Installing the Administration Server.
  3. Install the WebLogic Server 9.x SSM. See Installing Security Service Modules.
  4. Create a WebLogic Server 9.x domain.

Configuring the WebLogic Server 9.x SSM

To configure the WLS 9.x SSM:

  1. Make sure ALES Administration Server is started. You can verify this by logging into ALES Administration Console Web page using Microsoft Internet Explorer. The default URL is https://your-host:7010/asi.
  2. Make sure the WLS 9.x domain is not running. You can verify this by accessing the WebLogic Server Administration Console URL, at http://your-host:7001/console/.
  3. Change the directory to BEA_HOME/ales26-ssm/wls9-ssm/adm.
  4. Make sure that variables JAVA_HOME and SSM_HOME in the file ConfigTool.bat|sh are set correctly.
  5. Make sure that file log4j.properties has the parameter log4j.appender.ASIlogFile.File, which is used for logging the output, set correctly.

Silent Configuration Mode

In this mode, you create the file ConfigTool.properties with the required options described in Table 8-1, and run ConfigTool ConfigTool.properties.

Table 8-1 Information Required in Silent Configuration Mode

Option Name           Description
instance.name         Name of the SSM instance.
arme.port             Authorization and role mapping engine (ARME) port number. You can use the default value of 8000.
ales.admin.name       Name of the ALES administrative user. You can use the default value system.
ales.admin.password   Password of the ALES administrative user.
wls9.admin.name       Name of the WebLogic administrative user. You can use the default value weblogic.
wls9.admin.password   Password of the WebLogic administrative user.
domainDir             Location of the new WLS 9.x domain.
weblogic.home         Location of the WebLogic Server installation.

Sample Contents of File ConfigTool.properties

A sample ConfigTool.properties file is shown in Listing 8-1.

Listing 8-1 Sample ConfigTool.properties File
instance.name = new_ssm
arme.port = 8000
ales.admin.name = system
ales.admin.password = weblogic
wls9.admin.name = weblogic
wls9.admin.password = weblogic
domainDir = D:/bea_home/user_projects/domains/new_wls_domain
weblogic.home = D:/bea_home/weblogic92
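Because a silent run reads every parameter from ConfigTool.properties, a malformed or half-filled file is only noticed when the tool fails part-way through enrollment. The Python script below is an added example, not part of the ALES documentation or the ConfigTool itself: it parses the file, checks that every option from Table 8-1 is present, that arme.port is a usable TCP port, that the two administrative passwords no longer carry the sample value from Listing 8-1, and that the path values use forward slashes (a Java properties file treats a backslash as an escape character). The key names are those of Table 8-1; the rules, the function names and the embedded sample input are this example's own.

```python
"""Validate a ConfigTool.properties file before a silent-mode ConfigTool run.

Added example; not part of the ALES documentation or the ConfigTool.
Key names come from Table 8-1 of the ALES documentation; the checks are
this example's own.
"""
import re
from typing import Dict, List

# Options that Table 8-1 lists as required in silent configuration mode.
REQUIRED_OPTIONS = (
    "instance.name", "arme.port", "ales.admin.name", "ales.admin.password",
    "wls9.admin.name", "wls9.admin.password", "domainDir", "weblogic.home",
)
PASSWORD_OPTIONS = ("ales.admin.password", "wls9.admin.password")
PATH_OPTIONS = ("domainDir", "weblogic.home")
# Password value used in the documentation's sample file (Listing 8-1).
# A production file should not still contain it.
SAMPLE_PASSWORDS = {"weblogic"}

# Constructed input: the contents of Listing 8-1.
SAMPLE_PROPERTIES = """\
instance.name = new_ssm
arme.port = 8000
ales.admin.name = system
ales.admin.password = weblogic
wls9.admin.name = weblogic
wls9.admin.password = weblogic
domainDir = D:/bea_home/user_projects/domains/new_wls_domain
weblogic.home = D:/bea_home/weblogic92
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' lines, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_config(props: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the file looks usable."""
    findings: List[str] = []
    for key in REQUIRED_OPTIONS:
        if not props.get(key):
            findings.append(f"missing or empty required option: {key}")
    port = props.get("arme.port", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"arme.port is not a valid TCP port: {port!r}")
    for key in PASSWORD_OPTIONS:
        if props.get(key, "").lower() in SAMPLE_PASSWORDS:
            findings.append(f"{key} still uses the documentation sample value")
    for key in PATH_OPTIONS:
        # Backslash is the escape character in .properties files; the sample
        # file uses forward slashes even for Windows paths.
        if "\\" in props.get(key, ""):
            findings.append(f"{key} contains backslashes; use forward slashes")
    return findings


if __name__ == "__main__":
    for finding in check_config(parse_properties(SAMPLE_PROPERTIES)) or ["ok"]:
        print(finding)
```

Run against the sample file it reports only the two sample passwords; substitute the path of your own ConfigTool.properties to check it before the silent run. Note that the file holds both administrative passwords in clear text, so keep its permissions tight and remove it once the SSM has been configured.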

ConfigTool Silent Mode Sample Output

Sample output from a silent-mode run of the ConfigTool is shown in Listing 8-2. User input is shown in bold.

Listing 8-2 Sample ConfigTool Output
D:\bea_home\ales26-ssm\wls9-ssm\adm>.\ConfigTool.bat configTool.properties
=====================================================================
AquaLogic Enterprise Security WLS9 SSM Configuration Utility
=====================================================================
====Creating WLS9.X SSM instance.....
Creating WLS9X SSM instance [new_ssm] ok
====WLS9 SSM Instance was Created====
====Enrolling SSM Instance ......
=====================================================================
Enrollment Tool Menu
=====================================================================
1.) Enroll SSM with generated random password
2.) Enroll SSM with input password
Select an option :> 1
Submitting enrollment request
Processing enrollment response
Updating trusted CA keystore
Updating peer keystore
====SSM Enrollment was Done====
====Creating ALES Security Realm ......
====ALES Security Realm was created====
====Creating WLS9 Domain Security Realm ......
running [D:/bea_home/ales26-ssm/wls9-ssm/instance/new_ssm\..\..\adm\build.xml]
running default target[run]
configureing WLS9 domain is done.
====WLS9 Domain Security Realm was created====
=====================================================================
AquaLogic Enterprise Security WLS9 SSM Configuration Finished
=====================================================================
D:\bea_home\ales26-ssm\wls9-ssm\adm>

Interactive Configuration Mode

Run ConfigTool.bat|sh. The configuration tool prompts you to enter specific information about your system and configuration, as described in Table 8-2.

Table 8-2 Data Required in Interactive Configuration Mode

Each entry gives the data element name, its description, and the default value the tool offers (if any).

SSM Instance Name
    Provide a name that is used as the configuration ID of the SSM instance, the parent resource on the ALES Administration Console, and the identity directory name.
    Default: none

ARME Port
    The SSM instance uses this port to communicate with the ALES Administration Server.
    Default: 8000

ALES Admin User Name
    The name used to log in to the ALES Administration Console.
    Default: system

ALES Admin Password
    The password used to log in to the ALES Administration Console.
    Default: none

SSM private key password
    Password that protects the SSM private key; used in enrollment.
    Default: none

password for identity.jks
    Password that protects the identity keystore; used in enrollment.
    Default: none

password for peer.jks
    Password that protects the peer keystore; used in enrollment.
    Default: none

password for trust.jks
    Password that protects the trusted keystore; used in enrollment.
    Default: none

WLS 9.x domain admin username
    The user name used to log in to the WebLogic Server Administration Console. This value is set when creating the WLS 9.x domain.
    Default: weblogic

WLS 9.x domain admin password
    The password used to log in to the WebLogic Server Administration Console. This value is set when creating the WLS 9.x domain.
    Default: none

database user name
    Database user name of the ALES policy database. The ALES policy database is used to store user information for authentication and as the meta directory for authorization.
    Default: none

database password
    Database password of the ALES policy database.
    Default: none

WLS 9.x domain's admin server name
    WebLogic domain admin server name; by default "AdminServer". You can find this value by looking up "admin-server-name" in the file DOMAINPATH/config/config.xml.
    Default: AdminServer

WLS 9.x domain's location (with domain name)
    The directory where the WLS 9.x domain was created (for example, BEA-HOME/wlp92/user_projects/domains/my-domain).
    Default: none

WLS 9.x domain name
    This value is set when creating the WLS 9.x domain.
    Default: none

WLS 9.x domain listening port
    This value is set when creating the WLS 9.x domain.
    Default: 7001

ConfigTool Interactive Mode Sample Output

Listing 8-3 shows the sample output when running the ConfigTool in interactive mode. User input is shown in bold.

Listing 8-3 Interactive Mode Sample Output
D:\bea_home\ales26-ssm\wls9-ssm\adm> .\ConfigTool.bat
=====================================================================
AquaLogic Enterprise Security WLS9 SSM Configuration Utility
=====================================================================
====Creating WLS9.X SSM instance.....
please input ssm instance name:> new_ssm
please input arme port number:> 8000
Creating WLS9X SSM instance [new_ssm] ok
====WLS9 SSM Instance was Created====
====Enrolling SSM Instance ......
============================================================================
Enrollment Tool Menu
============================================================================
1.) Enroll SSM with generated random password
2.) Enroll SSM with input password
Select an option :> 1
please enter ales administration username:> system
Enter ales administration password:> password
Confirm ales administration password:> password
Submitting enrollment request
Processing enrollment response
Updating trusted CA keystore
Updating peer keystore
====SSM Enrollment was Done====
====Creating ALES Security Realm ......
please enter wls9 domain administration username:> weblogic
Enter wls9 domain administration password:> password
Confirm wls9 domain administration password:> password
====ALES Security Realm was created====
====Creating WLS9 Domain Security Realm ......
please input wls9 domain's location(with domain name):>D:/bea_home/user_projects/domains/new_wls_domain
please input weblogic9 server's location:> D:/bea_home/weblogic92
running [D:/bea_home/ales26-ssm/wls9-ssm/instance/new_ssm\..\..\adm\build.xml]
running default target[run]
configureing WLS9 domain is done.
====WLS9 Domain Security Realm was created====
============================================================================
AquaLogic Enterprise Security WLS9 SSM Configuration Finished
============================================================================
D:\bea_home\ales26-ssm\wls9-ssm\adm>

Post ConfigTool Tasks

Perform the following steps after you run the ConfigTool:

  1. Start the WLS 9.x domain that is now secured by ALES. To do this, run startWebLogic from the WLS domain home.
  2. Deploy an application or service that needs to be protected by ALES on this domain.

 


Manual (Advanced) Procedure for Configuring WebLogic Server 9.x SSM

The procedure described in Simplified Procedure for Configuring WebLogic Server 9.x SSM is the preferred method for configuring the WebLogic Server 9.x SSM. However, the procedure described in this section is available as an alternate method for advanced users.

Prerequisites for Configuring the WebLogic Server 9.x SSM

Before you configure a WebLogic Server 9.x SSM, you must first:

  1. Install WebLogic Server 9.x and create a WebLogic domain. See the WebLogic Server Installation Guide.
  2. Install the ALES Administration Server and the ALES policy and configuration database. See Installing the Administration Server.
  3. Install the WebLogic Server 9.x SSM. See Installing Security Service Modules.
  4. Using the ALES Administration Console, create an instance of the WebLogic Server 9.x SSM, enroll the instance, and set the password for the SSM's ASI database.

Configuring the WebLogic Server 9.x SSM: Main Steps

To configure the ALES WebLogic Server 9.x SSM:

  1. Copy the WLS 9.x console extension for the ALES security providers into the console-ext directory of your WebLogic Server domain. See Console Extension for Security Providers in the WLS 9.x Console.
  2. Modify the WebLogic Server startWebLogic file. See Modifying the startWebLogic File.
  3. Start WebLogic Server, using the modified startWebLogic file.
  4. Using the WebLogic Server Administration Console, create a new security realm in WebLogic Server. See Configure new security realms in the WebLogic Server Console Help.
  5. Configure security providers in the new WebLogic Server security realm. See Configuring Security Providers for the WebLogic Server 9.x SSM.
  6. Make the new security realm the active security realm for WebLogic Server. See Change the default security realm in the WebLogic Server Console Help.
  7. In the ALES Administration Console, create an SSM configuration using the same name as you used for the WLS security realm.
  8. In the ALES Administration Console, create an instance of the ASI Authorizer and ASI Role Mapper providers. Set the Identity Directory attribute of the ASI Authorizer and ASI Role Mapper to the same value in the ALES Administration Console and the WebLogic Server Administration Console.
  9. In the ALES Administration Console, create the Resource tree. See Additional Post-Installation Considerations.
  10. In the ALES Administration Console, create users, groups, attributes and policy. See Additional Post-Installation Considerations.
  11. Distribute policy and configuration. The WLS 9 SSM instance must be started after the configuration has been deployed. Policy changes can be deployed while the WLS 9 SSM instance is running.
  12. Restart the WebLogic Server instance.

 


Console Extension for Security Providers in the WLS 9.x Console

ALES includes an extension to the WebLogic Server 9.x Administration Console. If you are using the WebLogic Server 9.x SSM, you must install the console extension in order for the ALES security providers to be visible in the WebLogic Server 9.x Administration Console.

To install the ALES security provider console extension, copy ales_security_provider_ext.jar from BEA_HOME/ales26-ssm/wls9-ssm/lib to the BEA_HOME/WLS_HOME/domains/DOMAIN_NAME/console-ext directory, where DOMAIN_NAME is the name of your WebLogic Server 9.x domain.

 


Modifying the startWebLogic File

The WebLogic Server startup script does the following:

Before you can start a WebLogic Server instance that uses BEA AquaLogic Enterprise Security, you must edit the startWebLogic file. This file is located in the WebLogic Server domain directory. For example:

BEA_HOME/user_projects/domains/mydomain

where:

See Listing 8-4 for an example of a modified startWebLogic file. To edit the startWebLogic file, do the following:

  1. Make a copy of /domains/mydomain/startWebLogic.cmd or startWebLogic.sh and name it startWebLogicALES.cmd or startWebLogicALES.sh.
  2. Make a copy of /domains/mydomain/bin/startWebLogic.cmd or startWebLogic.sh and name it startWebLogicALES.cmd or startWebLogicALES.sh.
  3. Edit /domains/mydomain/startWebLogic so that it calls /domains/mydomain/bin/startWebLogicALES rather than /domains/mydomain/bin/startWebLogic. For example:

     call "%DOMAIN_HOME%\bin\startWebLogicALES.cmd" %*
  4. Edit /domains/mydomain/bin/startWebLogicALES. Before the CLASSPATH is set, add a call to the set-wls-env script file in the bin directory for your instance. The set-wls-env script sets the environment variables that are used in the next steps: WLES_POST_CLASSPATH and WLES_JAVA_OPTIONS. For example:

     BEA_HOME/ales26-ssm/wls9-ssm/instance/wls-ssm/bin/set-wls-env.sh

     where:

     ales26-ssm is the directory where you installed the Security Service Module.

     instance is the directory where all instances are stored.

     wls-ssm is the name of the Security Service Module instance you created earlier.

     For example, if you created a WLS SSM instance called myInstance, the call looks like this:

     On Windows:

     call "C:\bea\ales26-ssm\wls9-ssm\instance\myInstance\bin\set-wls-env.bat"

     On UNIX:

     . "/bea/ales26-ssm/wls9-ssm/instance/myInstance/bin/set-wls-env.sh"
  5. Append the following to the CLASSPATH:

     On Windows:

     %WLES_POST_CLASSPATH%

     On UNIX:

     ${WLES_POST_CLASSPATH}
  6. On Windows, add quotes to %JAVA_HOME%\bin\java in the weblogic.Server command:

     "%JAVA_HOME%\bin\java"
  7. Add the following to the command that starts the server application:

     On Windows:

     %WLES_JAVA_OPTIONS%

     On UNIX:

     ${WLES_JAVA_OPTIONS}

Listing 8-4 Modified startWebLogic File
...

# Source the instance's environment script before CLASSPATH is set; it
# defines WLES_POST_CLASSPATH and WLES_JAVA_OPTIONS.
. /BEA_HOME/ales26-ssm/wls9-ssm/instance/myInstance/bin/set-wls-env.sh
...
if [ "${WLS_PW}" != "" ] ; then
    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.management.password=${WLS_PW}"
fi

# Append the ALES classpath. The trailing backslash continues the quoted
# string onto the next line, so the assignment stays a single value.
CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}\
${WLES_POST_CLASSPATH}"

echo "."

if [ "${WLS_REDIRECT_LOG}" = "" ] ; then
    echo "Starting WLS with line:"
    echo "${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} \
${WLES_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${PROXY_SETTINGS} ${SERVER_CLASS}"

    # WLES_JAVA_OPTIONS is added to the server start command.
    ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} \
        ${WLES_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${PROXY_SETTINGS} ${SERVER_CLASS}
else
    echo "Redirecting output from WLS window to ${WLS_REDIRECT_LOG}"
    ${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} \
        ${WLES_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${PROXY_SETTINGS} ${SERVER_CLASS} >"${WLS_REDIRECT_LOG}" 2>&1
fi
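A startWebLogicALES script that misses one of the edits above fails in an unhelpful way: without set-wls-env the two WLES variables expand to nothing, so the server boots without the ALES classes and the realm cannot load its providers. The Python script below is an added example, not part of the ALES documentation: it reads the UNIX script text and reports whether set-wls-env.sh is sourced before CLASSPATH is first set, whether WLES_POST_CLASSPATH is appended to a CLASSPATH assignment, and whether WLES_JAVA_OPTIONS is passed on the java command line. It also flags a -Dweblogic.management.password= argument, since anything on the java command line is visible to other local users in the process list. The two embedded scripts are constructed inputs, one modelled on Listing 8-4 and one unmodified; the function names are this example's own.

```python
"""Check a startWebLogicALES.sh copy for the ALES modifications.

Added example; not part of the ALES documentation. Checks UNIX scripts only.
"""
import re
from typing import List, Optional

# Constructed input modelled on Listing 8-4 (ALES edits applied). Backslash
# continuations are written as they would appear in the shell script.
MODIFIED_SCRIPT = """\
. /BEA_HOME/ales26-ssm/wls9-ssm/instance/myInstance/bin/set-wls-env.sh
if [ "${WLS_PW}" != "" ] ; then
    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.management.password=${WLS_PW}"
fi
CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}\\
${WLES_POST_CLASSPATH}"
${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} \\
    ${WLES_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} ${SERVER_CLASS}
"""

# Constructed input: the same fragment before any ALES edit was made.
ORIGINAL_SCRIPT = """\
CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}"
${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} ${SERVER_CLASS}
"""


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines, as the shell does, so each command is one string."""
    joined: List[str] = []
    buf = ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    if buf:
        joined.append(buf)
    return joined


def _first_index(lines: List[str], pattern: str) -> Optional[int]:
    return next((i for i, line in enumerate(lines) if re.search(pattern, line)), None)


def check_start_script(text: str) -> List[str]:
    """Return findings for a startWebLogicALES.sh body; empty means all edits present."""
    lines = _logical_lines(text)
    findings: List[str] = []
    env_idx = _first_index(lines, r"set-wls-env\.sh")
    cp_idxs = [i for i, line in enumerate(lines) if re.match(r"\s*CLASSPATH=", line)]
    java_idx = _first_index(lines, r"\$\{?JAVA_HOME\}?/bin/java\b")

    if env_idx is None:
        findings.append("set-wls-env.sh is not sourced")
    elif cp_idxs and env_idx > cp_idxs[0]:
        findings.append("set-wls-env.sh is sourced after CLASSPATH is first set")
    if not any("WLES_POST_CLASSPATH" in lines[i] for i in cp_idxs):
        findings.append("WLES_POST_CLASSPATH is not appended to CLASSPATH")
    if java_idx is None:
        findings.append("no java start command found")
    elif "WLES_JAVA_OPTIONS" not in lines[java_idx]:
        findings.append("WLES_JAVA_OPTIONS is not passed to the java command")
    if "-Dweblogic.management.password=" in text:
        findings.append("weblogic.management.password is passed on the java command line; "
                        "it is visible to other local users in the process list")
    return findings


if __name__ == "__main__":
    for name, script in (("modified", MODIFIED_SCRIPT), ("original", ORIGINAL_SCRIPT)):
        print(name, check_start_script(script) or ["ok"])
```

For the modified script the only finding is the clear-text management password, which WLS_PW puts on the command line; the unmodified script produces one finding per missing edit. To check a real domain, read /domains/mydomain/bin/startWebLogicALES.sh into check_start_script.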

 


Configuring Security Providers for the WebLogic Server 9.x SSM

The WebLogic Server 9.x security framework includes a full set of security providers that are available out of the box. The WLS 9.x security providers are described in the WLS documentation, in the following chapters of Securing WebLogic Server:

In addition, you can use the following ALES security providers by adding them to your WebLogic Server security realm:

Note: While you can use the WebLogic Server Administration Console to add these ALES security providers to a WebLogic Server security realm and to configure those security providers, the WLS console does not provide online help for the ALES security providers.

See the following topics in this section for detailed information about configuring the WebLogic 9.x SSM:

 


Configuring a WLS 9.x Security Realm for ALES

When you configure a WebLogic 9.x security realm for ALES, you must include at a minimum the following ALES security providers:

Using the WebLogic Server Console to Configure Security Providers

To configure security providers for the WebLogic Server 9.x Security Service Module, you use the WebLogic Server Administration Console, not the ALES Administration Console. In order to create and configure ALES security provider instances using the WebLogic Server Administration Console, you must first install an extension to the console. See Console Extension for Security Providers in the WLS 9.x Console.

Before starting the procedure you might want to make a backup copy of the config/config.xml file in your domain directory. If you make a mistake following the steps below and the domain refuses to boot, you can undo the changes by restoring the config/config.xml file.

To configure security providers for ALES and WebLogic Server 9.x:

  1. Start the WebLogic Server instance and log into the WebLogic Server Administration Console. The default URL for the console is http://localhost:7001/console .
  2. In the Change Center in the upper left corner, click Lock & Edit.
  3. In the left panel of the WebLogic Server Administration Console, under Domain Structure, select Security Realms.
  4. On the Summary of Security Realms page, click New to create a new security realm. Create a new realm using a name that matches the configuration ID you used when you created the WebLogic Server 9.x SSM instance. For the purposes of this procedure, we will assume that the new security realm is named mywls9ssm.
  5. On the Summary of Security Realms page, select the mywls9ssm security realm.
  6. On the Configuration: General page:
    1. Set Security Model Default to Advanced.
    2. Uncheck Combined Role Mapping Enabled.
    3. Click Save.
    4. If Check Role and Policies is not visible, click Advanced.
    5. Set Check Role and Policies to All Web applications and EJBs.
    6. Click Save.
  7. Select the Providers tab. You will configure new authentication, authorization, adjudication, role mapping, and auditing providers for the mywls9ssm security realm.
  8. On the Providers: Authentication page, configure a new Database Authenticator security provider. To do this:
    1. Click New.
    2. Give the new Database Authenticator a name, such as ALESDatabaseAuthenticator.
    3. Select Database Authenticator as the Type.
    4. Click OK.
    5. Select the new Database Authenticator. On its Configuration: Common page, set the Control Flag to REQUIRED and click Save.
    6. On the new Database Authenticator's Configuration: Provider Specific page, set the database login, password, JDBC driver class name and JDBC Connection URL. Click Save.
  9. This step is required only if you are securing a WebLogic Portal (WLP) domain (that is, if you selected the "portal" option when creating the WebLogic domain). Make sure that your security realm's providers include a XACML Authorizer and a XACML Role Mapper.
  10. On the Providers: Authorization tab, check to make sure that a XACML Authorizer is present in your security realm. If it is missing, create a XACML Authorizer:
    1. Click New.
    2. Select XACML Authorizer and enter a name, such as XACMLAuthorizer, then click OK.
    3. If the XACML Authorizer is not the first authorization provider in the list, click the Reorder button, change the order, and click OK.

    Then, on the Providers: Role Mapping tab, check to make sure that a XACML RoleMapper is present in your security realm. If it is missing, create a XACML Role Mapper:
    1. Click New.
    2. Select XACML RoleMapper and enter a name, such as XACMLRoleMapper, then click OK.
    3. If the XACML RoleMapper is not the first role mapping provider in the list, click the Reorder button, change the order, and click OK.
  11. Select the Providers: Authorization page and configure a new ASI Authorization provider:
    1. Click New.
    2. Give the new ASI Authorization provider a name, such as ASIAuthorizationProvider.
    3. Select ASIAuthorizationProvider as the Type.
    4. On the new ASI Authorization provider's Configuration: Provider Specific page, set Identity Directory and Application Deployment Parent. Click Save.
  12. Select the Providers: Adjudication page and configure a new ASI Adjudication provider:
    1. Click Replace.
    2. Give the new ASI Adjudication provider a name, such as ASIAdjudicator.
    3. Select ASIAdjudicator as the Type.
    4. On the ASIAdjudicator's Configuration: Provider Specific page, uncheck Require Unanimous Permit and click Save.
  13. Select the Providers: Role Mapping page and configure a new ASI Role Mapper provider:
    1. Click New.
    2. Give the new ASI Role Mapper provider a name, such as ASIRoleMapperProvider.
    3. Select ASIRoleMapperProvider as the Type.
    4. On the new ASI Role Mapper provider's Configuration: Provider Specific page, set Identity Directory and Application Deployment Parent. Click Save.
  14. Select the Providers: Auditing page and configure a new Log4j Auditing provider:
    1. Click New.
    2. Give the new Log4j Auditing provider a name, such as Log4jAuditor.
    3. Select Log4jAuditor as the Type.
  15. Select the Providers: Credential Mapping page and configure a new Credential Mapping provider:
    1. Click New.
    2. Give the new Credential Mapping provider a name, such as DefaultCredentialMapper.
    3. Select DefaultCredentialMapper as the Type.
  16. Select the Providers: Certification Path page and configure a Certification Path provider:
    1. Click New.
    2. Select WebLogicCertPathProvider and click Next.
    3. Click Next.
    4. Check Replace Existing Builder.
    5. Click Finish.
  17. Change the default (active) security realm to your newly configured security realm. By default, a realm named myrealm is the active security realm when you install a WebLogic Server instance. To change the default security realm:
    1. In the left pane of the WebLogic Server Administration Console, select your domain to open the Settings page for the domain.
    2. On the Settings page for the domain, expand Security > General.
    3. Select your new security realm, mywls9ssm, as the default security realm and click Save.
    Note: If you create a new security realm but do not configure the required security providers, the new realm will not be available in the pull-down menu.
  18. In the Change Center in the upper left corner, click Activate Changes.

Using the ALES Administration Console to Configure Security Providers

After you have configured security providers for the WebLogic Server 9.x Security Service Module using the WebLogic Server Administration Console, you need to make some configuration changes in the ALES Administration Console also. You need to configure the ASI Authorization and ASI Role Mapping providers and create required users and policy for the WebLogic Server 9.x SSM to start.

To configure security providers in the ALES Administration Console:

  1. Log into the ALES Administration Console. The default URL for the console is https://localhost:7010/asi.
  2. Create an SSM configuration using the same name as you used for the WebLogic Server security realm. The default used previously was mywls9ssm.
  3. Create an instance of the ASI Authorizer and ASI Role Mapper providers.
  4. Set the Identity Directory attribute of the ASI Authorizer and ASI Role Mapper to the same value you specified when configuring the provider in the WebLogic Server Administration Console, as described in Using the WebLogic Server Console to Configure Security Providers.

    Identity Directory is the only attribute that you need to explicitly set; you can accept the default for the other attributes.

  5. Create the Resource tree. For information about how to do this, see Additional Post-Installation Considerations.
  6. Create users, groups, attributes and policy. For information about how to do this, see Additional Post-Installation Considerations.
  7. Distribute policy.
Note: The WebLogic Server instance must be started after the configuration has been deployed. Other policy changes can be deployed while the WebLogic Server instance is running.
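The manual procedure hinges on three names agreeing: the WebLogic security realm, the active (default) realm, and the ALES SSM configuration. Since WebLogic records the realms and the default realm in config/config.xml (the file the procedure recommends backing up), they can be checked there before the server is restarted. The Python script below is an added example, not part of the ALES documentation: it reads the security-configuration section of config.xml, reports a realm that is missing or not active, and returns the admin-server-name that Table 8-2 points to. The element names are the ones WebLogic 9.x writes; the namespace URI and the sample document are assumptions constructed for this example.

```python
"""Check a WebLogic 9.x config.xml after the ALES realm procedure.

Added example; not part of the ALES documentation. The namespace URI and the
sample document are assumptions constructed for this example.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Assumed WebLogic 9.2 domain namespace.
NS = {"d": "http://www.bea.com/ns/weblogic/920/domain"}

# Constructed sample: a domain where the ALES realm exists but the default
# realm is still myrealm (the realm WebLogic installs by default).
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://www.bea.com/ns/weblogic/920/domain">
  <name>new_wls_domain</name>
  <security-configuration>
    <name>new_wls_domain</name>
    <realm>
      <name>myrealm</name>
    </realm>
    <realm>
      <name>mywls9ssm</name>
    </realm>
    <default-realm>myrealm</default-realm>
  </security-configuration>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
  </server>
  <admin-server-name>AdminServer</admin-server-name>
</domain>
"""


def summarize_security(config_xml: str) -> Dict[str, object]:
    """Extract realm names, the default realm and the admin server name."""
    root = ET.fromstring(config_xml)
    sec = root.find("d:security-configuration", NS)
    realms: List[str] = []
    default_realm = ""
    if sec is not None:
        realms = [r.findtext("d:name", default="", namespaces=NS)
                  for r in sec.findall("d:realm", NS)]
        default_realm = sec.findtext("d:default-realm", default="", namespaces=NS)
    admin_server = root.findtext("d:admin-server-name", default="", namespaces=NS)
    return {"realms": realms, "default_realm": default_realm, "admin_server": admin_server}


def check_realm(config_xml: str, ssm_config_name: str) -> List[str]:
    """Findings for a domain whose ALES SSM configuration is named ssm_config_name."""
    info = summarize_security(config_xml)
    findings: List[str] = []
    if ssm_config_name not in info["realms"]:
        findings.append(f"no security realm named {ssm_config_name!r} in config.xml")
    if info["default_realm"] != ssm_config_name:
        findings.append(f"default realm is {info['default_realm']!r}, expected {ssm_config_name!r}")
    if not info["admin_server"]:
        findings.append("admin-server-name is not set")
    return findings


if __name__ == "__main__":
    print(check_realm(SAMPLE_CONFIG_XML, "mywls9ssm") or ["ok"])
```

Run against the sample it reports that myrealm is still the default realm, which is exactly the state after step 4 of the console procedure but before step 17; once the default realm has been switched, the check returns no findings. Pass the contents of your own DOMAINPATH/config/config.xml and the name you gave the SSM configuration to check a real domain.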
