This section covers tasks that you must perform after completing the post-installation tasks for the WebLogic Server 9.x Security Service Module. The following topics are covered in this section:
The WebLogic Server 9.x Security Service Module integrates AquaLogic Enterprise Security with BEA WebLogic Server versions 9.1 and 9.2. It uses a different security framework from the one used in the WLS 8.1 SSM and the other ALES SSMs. When you install the WLS 9.x SSM, ALES uses the WLS 9.x security framework. As a consequence, when you use the WLS 9.x SSM, you configure security providers and other aspects of the SSM in the WebLogic Administration Console, rather than the ALES Administration Console. You still use the ALES Administration Console to configure SSMs other than the WLS 9.x SSM and to write security policies for any SSM. You must also use the ALES Administration Console to configure the ASI Authorizer and ASI Role Mapper providers.
The manual (advanced) procedure for setting up the WebLogic Server 9.x SSM, described in Manual (Advanced) Procedure for Configuring WebLogic Server 9.x SSM, has several configuration options. Although these options increase flexibility, they make setup cumbersome for simple configurations. The ConfigTool provides a simplified procedure for setting up the WLS 9.x SSM for commonly used configurations.
You can use this tool either in silent or interactive mode. In silent (or non-interactive) mode, all required configuration parameters are placed in ConfigTool.properties. In interactive mode, the tool prompts the user for configuration parameters.
The configuration tool does the following (these are the stages you see in the tool's output in Listing 8-3):
- Creates a WLS 9.x SSM instance with the instance name and ARME port you supply.
- Enrolls the SSM instance with the ALES Administration Server; enrollment updates the instance's trusted CA keystore and peer keystore.
- Creates the ALES security realm for the instance.
- Creates the WLS 9.x domain security realm by running the adm/build.xml Ant script against your domain.
- Modifies the startWebLogic script for the WLS 9.x domain to include the ALES classpath and options.

Before you configure a WebLogic Server 9.x SSM, you must:
- Make sure the ALES Administration Server is running and that its Administration Console is reachable, for example at https://your-host:7010/asi.
- Make sure the WebLogic Server 9.x domain you are protecting exists and that its Administration Console is reachable, for example at http://your-host:7001/console/.
- Change to the directory BEA_HOME/ales26-ssm/wls9-ssm/adm, where the ConfigTool is installed.
- Make sure that JAVA_HOME and SSM_HOME in the file ConfigTool.bat|sh are set correctly.
- Make sure that log4j.properties has the parameter log4j.appender.ASIlogFile.File, which names the file the tool's output is logged to, set correctly.
In this mode, you create the file ConfigTool.properties with the required options described in Table 8-1, and run ConfigTool ConfigTool.properties. Note that the file holds the ALES administrator password (ales.admin.password) and the WLS domain administrator password (wls9.admin.password) in clear text, so create it with permissions that restrict it to the account running the tool and delete it, or at least remove the password lines, once configuration is finished.
A sample ConfigTool.properties file is shown in Listing 8-1.
instance.name = new_ssm
arme.port = 8000
ales.admin.name = system
ales.admin.password = weblogic
wls9.admin.name = weblogic
wls9.admin.password = weblogic
domainDir = D:/bea_home/user_projects/domains/new_wls_domain
weblogic.home = D:/bea_home/weblogic92
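The following shell script is an added example and is not part of the ALES documentation or product. It is a pre-flight check to run against ConfigTool.properties before a silent-mode run: it verifies that each key shown in Listing 8-1 is present and non-empty, that arme.port is numeric, and that the file is not readable by group or others, since the two administrator passwords are stored in clear text. The function names and the sample file the demo writes are the example's own; only the key names come from Listing 8-1.

```shell
#!/bin/sh
# Added example (not from the ALES documentation): pre-flight check for a
# silent-mode ConfigTool.properties. Key names are those of Listing 8-1;
# the function names are the example's own.

# Keys the sample in Listing 8-1 supplies; all must be present and non-empty.
REQUIRED_KEYS="instance.name arme.port ales.admin.name ales.admin.password wls9.admin.name wls9.admin.password domainDir weblogic.home"

# prop_get FILE KEY: print the value of KEY from a "key = value" properties
# file (first match, surrounding whitespace trimmed). Dots in KEY are escaped
# so that "arme.port" does not also match "armeXport".
prop_get() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# check_configtool_properties FILE: return 0 if the file passes every check,
# otherwise print one line per problem and return 1.
check_configtool_properties() {
  f="$1"; rc=0
  if [ ! -f "$f" ]; then echo "missing file: $f"; return 1; fi
  # Columns 5-10 of "ls -l" are the group and other permission bits; the
  # file carries clear-text passwords, so all six must be '-' (mode 600 or 400).
  perms=$(ls -ld "$f" | cut -c5-10)
  case "$perms" in
    *[rwx]*) echo "$f is readable by group/other ($(ls -ld "$f" | cut -c1-10)); chmod 600 it"; rc=1 ;;
  esac
  for k in $REQUIRED_KEYS; do
    v=$(prop_get "$f" "$k")
    if [ -z "$v" ]; then echo "missing or empty key: $k"; rc=1; fi
  done
  # The ARME port is opened by the SSM instance; a non-numeric value would
  # only surface as a failure much later, when the instance starts.
  port=$(prop_get "$f" arme.port)
  case "$port" in
    ''|*[!0-9]*) echo "arme.port must be numeric, got '$port'"; rc=1 ;;
  esac
  return $rc
}

# Stand-alone demo on a throwaway copy of the Listing 8-1 sample (constructed here).
demo_dir=$(mktemp -d)
umask 077   # files created from here on are readable by the owner only
cat > "$demo_dir/ConfigTool.properties" <<'EOF'
instance.name = new_ssm
arme.port = 8000
ales.admin.name = system
ales.admin.password = weblogic
wls9.admin.name = weblogic
wls9.admin.password = weblogic
domainDir = D:/bea_home/user_projects/domains/new_wls_domain
weblogic.home = D:/bea_home/weblogic92
EOF
check_configtool_properties "$demo_dir/ConfigTool.properties" && echo "ConfigTool.properties: OK"
chmod 644 "$demo_dir/ConfigTool.properties"   # simulate a careless copy to a shared directory
check_configtool_properties "$demo_dir/ConfigTool.properties" || echo "ConfigTool.properties: NOT OK"
rm -rf "$demo_dir"
```

Run the check immediately before ConfigTool; a non-zero exit means the tool would either fail part-way through (missing key) or leave administrator credentials exposed to other local users (permissions).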
Sample output from the ConfigTool in silent mode is shown in Listing 8-2. User input is shown in bold.
D:\bea_home\ales26-ssm\wls9-ssm\adm>.\ConfigTool.bat configTool.properties
=====================================================================
AquaLogic Enterprise Security WLS9 SSM Configuration Utility
=====================================================================
====Creating WLS9.X SSM instance.....
Creating WLS9X SSM instance [new_ssm] ok
====WLS9 SSM Instance was Created====
====Enrolling SSM Instance ......
=====================================================================
Enrollment Tool Menu
=====================================================================
1.) Enroll SSM with generated random password
2.) Enroll SSM with input password
Select an option :> 1
Submitting enrollment request
Processing enrollment response
Updating trusted CA keystore
Updating peer keystore
====SSM Enrollment was Done====
====Creating ALES Security Realm ......
====ALES Security Realm was created====
====Creating WLS9 Domain Security Realm ......
running [D:/bea_home/ales26-ssm/wls9-ssm/instance/new_ssm\..\..\adm\build.xml]
running default target[run]
configureing WLS9 domain is done.
====WLS9 Domain Security Realm was created====
=====================================================================
AquaLogic Enterprise Security WLS9 SSM Configuration Finished
=====================================================================
D:\bea_home\ales26-ssm\wls9-ssm\adm>
Run ConfigTool.bat|sh with no arguments. The configuration tool prompts you to enter specific information about your system and configuration, as described in Table 8-2.
Listing 8-3 shows the sample output when running the ConfigTool in interactive mode. User input is shown in bold.
D:\bea_home\ales26-ssm\wls9-ssm\adm> .\ConfigTool.bat
=====================================================================
AquaLogic Enterprise Security WLS9 SSM Configuration Utility
=====================================================================
====Creating WLS9.X SSM instance.....
please input ssm instance name:> new_ssm
please input arme port number:> 8000
Creating WLS9X SSM instance [new_ssm] ok
====WLS9 SSM Instance was Created====
====Enrolling SSM Instance ......
============================================================================
Enrollment Tool Menu
============================================================================
1.) Enroll SSM with generated random password
2.) Enroll SSM with input password
Select an option :> 1
please enter ales administration username:> system
Enter ales administration password:> password
Confirm ales administration password:> password
Submitting enrollment request
Processing enrollment response
Updating trusted CA keystore
Updating peer keystore
====SSM Enrollment was Done====
====Creating ALES Security Realm ......
please enter wls9 domain administration username:> weblogic
Enter wls9 domain administration password:> password
Confirm wls9 domain administration password:> password
====ALES Security Realm was created====
====Creating WLS9 Domain Security Realm ......
please input wls9 domain's location(with domain name):>D:/bea_home/user_projects/domains/new_wls_domain
please input weblogic9 server's location:> D:/bea_home/weblogic92
running [D:/bea_home/ales26-ssm/wls9-ssm/instance/new_ssm\..\..\adm\build.xml]
running default target[run]
configureing WLS9 domain is done.
====WLS9 Domain Security Realm was created====
============================================================================
AquaLogic Enterprise Security WLS9 SSM Configuration Finished
============================================================================
D:\bea_home\ales26-ssm\wls9-ssm\adm>
Perform the following steps after you run the ConfigTool:
The procedure described in Simplified Procedure for Configuring WebLogic Server 9.x SSM is the preferred method for configuring the WebLogic Server 9.x SSM. However, the procedure described in this section is available as an alternate method for advanced users.
Before you configure a WebLogic Server 9.x SSM, you must first:
To configure the ALES WebLogic Server 9.x SSM:
- Copy the ALES security provider console extension to the console-ext directory of your WebLogic Server domain. See Console Extension for Security Providers in the WLS 9.x Console.
- Modify the startWebLogic file. See Modifying the startWebLogic File.
- Start the WebLogic Server domain with the modified startWebLogic file.
ALES includes an extension to the WebLogic Server 9.x Administration Console. If you are using the WebLogic Server 9.x SSM, you must install the console extension in order for the ALES security providers to be visible in the WebLogic Server 9.x Administration Console.
To install the ALES security provider console extension, copy ales_security_provider_ext.jar from BEA_HOME/ales26-ssm/wls9-ssm/lib to the BEA_HOME/WLS_HOME/domains/DOMAIN_NAME/console-ext directory, where DOMAIN_NAME is the name of your WebLogic Server 9.x domain.
The WebLogic Server startup script does the following:
Before you can start a WebLogic Server instance that uses BEA AquaLogic Enterprise Security, you must edit the startWebLogic
file. This file is located in the WebLogic Server domain directory. For example:
BEA_HOME/user_projects/domains/mydomain
See Listing 8-4 for an example of a modified startWebLogic file. To edit the startWebLogic file, do the following:
1. Copy /domains/mydomain/startWebLogic.cmd or startWebLogic.sh and name the copy startWebLogicALES.cmd or startWebLogicALES.sh.
2. Copy /domains/mydomain/bin/startWebLogic.cmd or startWebLogic.sh and name the copy startWebLogicALES.cmd or startWebLogicALES.sh.
3. Edit /domains/mydomain/startWebLogicALES (the copy you made in step 1) so that it calls /domains/mydomain/bin/startWebLogicALES rather than /domains/mydomain/bin/startWebLogic. For example:
call "%DOMAIN_HOME%\bin\startWebLogicALES.cmd" %*
4. Edit /domains/mydomain/bin/startWebLogicALES (the copy you made in step 2). Before the CLASSPATH is set, add a call to the set-wls-env script file in the bin directory for your instance. The set-wls-env script sets the environment variables that are used in the next steps, WLES_POST_CLASSPATH and WLES_JAVA_OPTIONS. For example:
BEA_HOME/ales26-ssm/wls9-ssm/instance/wls-ssm/bin/set-wls-env.sh
Where:
ales26-ssm is the directory where you installed the Security Service Module.
instance is the directory where all instances are stored.
wls-ssm is the name of the Security Service Module instance you created earlier.
For example, if you created a WLS SSM instance called myInstance, the call looks like this:
Windows: call "C:\bea\ales26-ssm\wls9-ssm\instance\myInstance\bin\set-wls-env.bat"
UNIX: . "/bea/ales26-ssm/wls9-ssm/instance/myInstance/bin/set-wls-env.sh"
5. Append the ALES classes, as set by set-wls-env, to the CLASSPATH:
Windows: %WLES_POST_CLASSPATH%
UNIX: ${WLES_POST_CLASSPATH}
6. Add the ALES JVM options after %JAVA_HOME%\bin\java in the weblogic.Server command:
Windows: "%JAVA_HOME%\bin\java" %WLES_JAVA_OPTIONS% ...
UNIX: ${WLES_JAVA_OPTIONS} in the same position. Listing 8-4 instead places ${WLES_JAVA_OPTIONS} directly after ${JAVA_OPTIONS}; either position works, because the JVM reads its options from anywhere before the main class, ${SERVER_CLASS}.
. /BEA_HOME/ales26-ssm/wls9-ssm/instance/myInstance/bin/set-wls-env.sh
...
if [ "${WLS_PW}" != "" ] ; then
JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.management.password=${WLS_PW}"
fi
CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}${WLES_POST_CLASSPATH}"
echo "."
if [ "${WLS_REDIRECT_LOG}" = "" ] ; then
echo "Starting WLS with line:"
echo "${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS}${WLES_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${PROXY_SETTINGS} ${SERVER_CLASS}"
${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS}${WLES_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${PROXY_SETTINGS} ${SERVER_CLASS}
else
echo "Redirecting output from WLS window to ${WLS_REDIRECT_LOG}"
${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS}${WLES_JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} -Djava.security.policy=${WL_HOME}/server/lib/weblogic.policy ${PROXY_SETTINGS} ${SERVER_CLASS} >"${WLS_REDIRECT_LOG}" 2>&1
fi
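The following shell script is an added example and is not part of the ALES documentation or product. It applies the manual startWebLogic edits described above to a WLS 9.x domain's Bourne-shell startup scripts, following the placement shown in Listing 8-4: set-wls-env.sh is sourced immediately before the first CLASSPATH assignment, ${WLES_POST_CLASSPATH} is appended inside the CLASSPATH assignment, and ${WLES_JAVA_OPTIONS} is inserted after ${JAVA_OPTIONS} on the java command line. It edits only the startWebLogicALES.sh copies, so the stock scripts stay intact and can be restored by simply not using the copies. The minimal sample domain it constructs for the demo, the SSM instance path, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the ALES documentation): apply the manual
# startWebLogic edits to a WLS 9.x domain. Function names and the sample
# domain are the example's own; the SSM instance path is a placeholder.

# make_sample_domain DIR: write a constructed, minimal stand-in for the two
# WLS 9.x startup scripts (the wrapper and the real launcher in bin/), so the
# patcher can be exercised offline. Real scripts are far longer.
make_sample_domain() {
  dom="$1"
  mkdir -p "$dom/bin"
  cat > "$dom/startWebLogic.sh" <<'EOF'
#!/bin/sh
# constructed sample: DOMAIN/startWebLogic.sh (wrapper)
DOMAIN_HOME="/opt/bea/user_projects/domains/mydomain"
${DOMAIN_HOME}/bin/startWebLogic.sh $*
EOF
  cat > "$dom/bin/startWebLogic.sh" <<'EOF'
#!/bin/sh
# constructed sample: DOMAIN/bin/startWebLogic.sh (real launcher)
SERVER_CLASS="weblogic.Server"
CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${MEDREC_WEBLOGIC_CLASSPATH}"
${JAVA_HOME}/bin/java ${JAVA_VM} ${MEM_ARGS} ${JAVA_OPTIONS} -Dweblogic.Name=${SERVER_NAME} ${SERVER_CLASS}
EOF
}

# patch_startweblogic DOMAIN_DIR SSM_INSTANCE_DIR: steps 1-6 of the manual
# procedure, applied to copies named *ALES.sh. The stock scripts are untouched.
patch_startweblogic() {
  dom="$1"   # WLS 9.x domain directory
  ssm="$2"   # ALES SSM instance, e.g. BEA_HOME/ales26-ssm/wls9-ssm/instance/myInstance
  # Steps 1 and 2: make the ALES copies.
  cp "$dom/startWebLogic.sh" "$dom/startWebLogicALES.sh"
  cp "$dom/bin/startWebLogic.sh" "$dom/bin/startWebLogicALES.sh"
  # Step 3: the wrapper copy must call the ALES launcher, not the stock one.
  sed 's#bin/startWebLogic\.sh#bin/startWebLogicALES.sh#' "$dom/startWebLogicALES.sh" \
    > "$dom/startWebLogicALES.sh.tmp"
  mv "$dom/startWebLogicALES.sh.tmp" "$dom/startWebLogicALES.sh"
  # Steps 4-6 on the launcher copy, in one pass:
  #  4. source set-wls-env.sh before the first CLASSPATH assignment (awk);
  #  5. append ${WLES_POST_CLASSPATH} inside that assignment (first sed);
  #  6. add ${WLES_JAVA_OPTIONS} after ${JAVA_OPTIONS} on java lines only (second sed).
  envline=". \"$ssm/bin/set-wls-env.sh\""
  awk -v envline="$envline" '
    !done && /^CLASSPATH=/ { print envline; done = 1 }
    { print }
  ' "$dom/bin/startWebLogicALES.sh" \
  | sed -e 's/^\(CLASSPATH="[^"]*\)"/\1${WLES_POST_CLASSPATH}"/' \
        -e '/bin\/java/ s/\${JAVA_OPTIONS}/&${WLES_JAVA_OPTIONS}/' \
  > "$dom/bin/startWebLogicALES.sh.tmp"
  mv "$dom/bin/startWebLogicALES.sh.tmp" "$dom/bin/startWebLogicALES.sh"
  chmod +x "$dom/startWebLogicALES.sh" "$dom/bin/startWebLogicALES.sh"
}

# verify_ales_scripts DOMAIN_DIR: return 0 only if all edits are present and
# set-wls-env.sh is sourced before CLASSPATH is assigned (order matters, since
# WLES_POST_CLASSPATH is empty until the script has been sourced).
verify_ales_scripts() {
  dom="$1"
  grep -q 'bin/startWebLogicALES\.sh' "$dom/startWebLogicALES.sh" || return 1
  l="$dom/bin/startWebLogicALES.sh"
  grep -q 'set-wls-env\.sh' "$l" || return 1
  grep -q 'CLASSPATH=".*\${WLES_POST_CLASSPATH}"' "$l" || return 1
  grep -q 'bin/java.*\${JAVA_OPTIONS}\${WLES_JAVA_OPTIONS}' "$l" || return 1
  env_ln=$(grep -n 'set-wls-env\.sh' "$l" | head -n 1 | cut -d: -f1)
  cp_ln=$(grep -n '^CLASSPATH=' "$l" | head -n 1 | cut -d: -f1)
  [ "$env_ln" -lt "$cp_ln" ]
}

# Stand-alone demo on a constructed throwaway domain (all paths are placeholders).
demo_dir=$(mktemp -d)
make_sample_domain "$demo_dir"
patch_startweblogic "$demo_dir" "/opt/bea/ales26-ssm/wls9-ssm/instance/myInstance"
verify_ales_scripts "$demo_dir" && echo "startWebLogicALES.sh patched and verified"
rm -rf "$demo_dir"
```

A non-zero return from verify_ales_scripts means one of the three edits is missing or set-wls-env.sh is sourced after the CLASSPATH has already been built; fix the ALES copy rather than the stock script, so that the unmodified startWebLogic.sh remains available as a fallback.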
The WebLogic Server 9.x security framework includes a full set of security providers that are available out of the box. The WLS 9.x security providers are described in the WLS documentation, in the following chapters of Securing WebLogic Server:
In addition, you can use the following ALES security providers by adding them to your WebLogic Server security realm:
Note: While you can use the WebLogic Server Administration Console to add these ALES security providers to a WebLogic Server security realm and to configure those security providers, the WLS console does not provide online help for the ALES security providers.
See the following topics in this section for detailed information about configuring the WebLogic 9.x SSM:
When you configure a WebLogic 9.x security realm for ALES, you must include at a minimum the following ALES security providers:
To configure security providers for the WebLogic Server 9.x Security Service Module, you use the WebLogic Server Administration Console, not the ALES Administration Console. In order to create and configure ALES security provider instances using the WebLogic Server Administration Console, you must first install an extension to the console. See Console Extension for Security Providers in the WLS 9.x Console.
Before starting the procedure you might want to make a backup copy of the config/config.xml
file in your domain directory. If you make a mistake following the steps below and the domain refuses to boot, you can undo the changes by restoring the config/config.xml
file.
To configure security providers for ALES and WebLogic Server 9.x:
- Log in to the WebLogic Server Administration Console, for example at http://localhost:7001/console.
- Create a new security realm for the SSM. This procedure uses the name mywls9ssm.
- Add the required ALES security providers to the mywls9ssm security realm. The authentication provider in this example is named ALESDatabaseAuthenticator.
- On the Providers: Authorization tab, check to make sure that a XACML Authorizer is present in the mywls9ssm security realm. If it is missing, create a XACML Authorizer.
- On the Providers: Role Mapping tab, check to make sure that a XACML RoleMapper is present in the mywls9ssm security realm. If it is missing, create a XACML Role Mapper.
- Make mywls9ssm the default security realm. myrealm is the active security realm when you install a WebLogic Server instance; to change the default security realm, open the domain's Security > General page, select mywls9ssm as the default security realm, and click Save.
Note: If you create a new security realm but do not configure the required security providers, the new realm will not be available in the pull-down menu.
After you have configured security providers for the WebLogic Server 9.x Security Service Module using the WebLogic Server Administration Console, you need to make some configuration changes in the ALES Administration Console also. You need to configure the ASI Authorization and ASI Role Mapping providers and create required users and policy for the WebLogic Server 9.x SSM to start.
To configure security providers in the ALES Administration Console:
- Log in to the ALES Administration Console, for example at https://localhost:7010/asi.
- Select the security configuration for the WLS 9.x SSM, mywls9ssm.
- Set the Identity Directory attribute of the ASI Authorizer and ASI Role Mapper to the same value you specified when configuring the provider in the WebLogic Server Administration Console, as described in Using the WebLogic Server Console to Configure Security Providers. Identity Directory is the only attribute that you need to explicitly set; you can accept the default for the other attributes.
- Deploy the configuration.
Note: The WebLogic Server instance must be started after the configuration has been deployed. Other policy changes can be deployed while the WebLogic Server instance is running.