Integrating ALES with Application Environments


Post-Installation Considerations for WLS 8.1 SSM and WLS 9.x SSM

This section describes the post-installation steps that you perform for both the WLS 8.1 SSM and the WLS 9.x SSM.

Additional Post-Installation Considerations

When you use the Database Authentication provider, the ASI Authorization provider, or the ASI Role Mapping provider, refer to the following sections for important information:

Setting the Boot Login for WebLogic Server

The WebLogic Server uses the login information contained in the boot.properties file to start the server. This file contains a username and password that must match a username and password in the configured authentication policy. The boot.properties file is located in the WebLogic Server domain directory on the machine on which the Security Service Module is installed, for example:

BEA_HOME/user_projects/domains/mydomain

If you used a username of system and a password of weblogic, then modify the WebLogic Server boot.properties file in the domain as follows:

user = system
password = weblogic

The next time you start the WebLogic Server, the username and password you specified are encrypted in place in boot.properties.
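Because the credentials are written in clear text and only encrypted on the next server start, a practitioner usually wants to confirm afterwards that no plaintext copy remains. The following check is an added example, not code from the BEA documentation; it assumes boot.properties is a plain Java properties file with user and password keys, and that WebLogic marks an encrypted value with a {3DES} or {AES} prefix (an assumption to confirm against your WebLogic release). Both sample files below are constructed.

```python
"""Audit a WebLogic boot.properties file for plaintext credentials (added example)."""
import re
from typing import Dict

# Assumed prefixes WebLogic puts in front of encrypted property values.
ENCRYPTED_PREFIXES = ("{3DES}", "{AES}")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: 'key=value' or 'key = value', '#'/'!' comment lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def is_encrypted(value: str) -> bool:
    """True when the value carries one of the assumed encryption prefixes."""
    return value.startswith(ENCRYPTED_PREFIXES)


def audit_boot_properties(text: str) -> Dict[str, str]:
    """Return a verdict per credential key: 'encrypted', 'plaintext', or 'missing'."""
    props = parse_properties(text)
    verdict: Dict[str, str] = {}
    for key in ("user", "password"):
        if key not in props:
            verdict[key] = "missing"
        elif is_encrypted(props[key]):
            verdict[key] = "encrypted"
        else:
            verdict[key] = "plaintext"
    return verdict


# Constructed sample: the file exactly as the page tells you to write it.
BEFORE_FIRST_BOOT = "user = system\npassword = weblogic\n"
# Constructed sample of the shape left after the first start (ciphertext is fake).
AFTER_FIRST_BOOT = "user={3DES}AbCdEf==\npassword={3DES}GhIjKl==\n"

if __name__ == "__main__":
    for name, sample in (("before first boot", BEFORE_FIRST_BOOT), ("after first boot", AFTER_FIRST_BOOT)):
        print(name, audit_boot_properties(sample))
```

Run it against the real file with `audit_boot_properties(open(path).read())`; any key reported as plaintext after the server has started means the file was not rewritten and should be investigated before the domain is handed over.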

Creating a WebLogic Boot Policy

Before you can use the ASI Authorization provider with the WebLogic Server, you need to configure a boot policy, and then distribute it to the WebLogic Server Security Service Module. The boot policy allows the user named system to start the WebLogic Server instance. If you need instructions on how to perform any of the following tasks, see the Console Help for details. You may also want to refer to the Policy Managers Guide for information on how the policy language is constructed and how it appears in the console.

To configure and distribute a boot policy, perform the following tasks:

Creating the User Identity

To create the alesusers identity directory and the system user within it, perform these steps:

  1. Using the ALES Administration Console, create an Identity directory called alesusers.
    1. Open the Identity folder and click Identity.
    2. Click New. In the Name text box, enter alesusers, and then click OK.
  2. Within this directory, create a user named system and set the password for system to weblogic. Replace system and weblogic with the values used in the boot.properties file.
    1. Click Users, click New, enter system, and click OK.
    2. Click Edit, click Set Password, enter weblogic, and click OK.
    3. Click OK.

Creating Resources for WebLogic Server

Create the following resources (wlsserver, shared, and svr) below the resource called policy, for use with the alesusers identity directory:

To create these resources using the ALES Administration Console:

  1. Click Resources and then click New.
  2. In the Name box, type wlsserver, select Binding from the Type drop-down menu, and then click OK.
  3. Select wlsserver and click Configure.
  4. From the Type drop-down menu, select Binding Application, check Distribution Point, and then click OK.
  5. Select wlsserver, click New, enter shared in the name box, and then click OK.
  6. Select shared, click Configure, check Allow Virtual Resources, and then click OK.
  7. Select shared, click New, enter svr in the name box, and then click OK.

Grant Server Resource to Admin Role

Create the following policy:

grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;

  1. Expand the Policy node in the left pane, and click Authorization Policies.
  2. In the Authorization Policies page, click New.
  3. In the Create Authorization Policy dialog page, select the Privileges tab, select any in the Select Privileges from Group list box, and then click Add.
  4. Select the Resources tab, expand the wlsserver and shared nodes in the Child Resources list box, select svr, and then click Add.
  5. Select the Policy Subjects tab, select Admin from the Roles List list box, click Add, and click OK.

Grant Admin Role to WebLogic User/Group

Create the following role mapping policy:

grant(//role/Admin, //app/policy/wlsserver, //user/alesusers/system/) if true;

  1. Click Role Mapping Policies.
  2. In the Role Mapping Policies page, click New.
  3. In the Create Role Mapping Policy dialog page, select the Roles tab, select Admin from the Available Roles list box, and click Add.
  4. Select the Resources tab, select wlsserver in the Child Resources list box, and click Add.
  5. Select the Policy Subjects tab, select Users from the Select Policy Subjects From: drop-down menu, change the directory to alesusers, select system from the list box, click Add, and click OK.

Binding the Resource to the ASI Authorization Provider

To bind the resource //app/policy/wlsserver to the ASI Authorization provider for this Security Service Module, perform the following steps:

  1. Open the Security Configuration and Security Control Manager folders.
  2. Open the Security Service Module folder and click Authorization. The Authorization page appears.
  3. Click Create a new ASI Authorization Provider. The Edit ASI Authorization Provider page appears.
  4. Enter a name for the provider in the Name text box, and then click Create.
  5. Click the Details tab, set the Identity Directory to alesusers, and set the Application Directory Parent to //app/policy/wlsserver.
  6. Click Apply.
  7. Click the Bindings tab, select the resource you want to bind to the provider from the Bind drop-down menu, and then click Bind.

Distributing the Policies to the Security Service Module

Distribute the policies to the WebLogic Server Security Service Module.

For information on how to distribute policies, see the Administration Console help system. Be sure to verify the results of the distribution.

Creating a WebLogic Console Policy

Before you can log in to the WebLogic Server Administration Console, you need to configure a console policy and then distribute it to the WebLogic Server Security Service Module. This is needed only if you want to access the WebLogic Server Administration Console.

To configure and distribute a WebLogic Server Administration Console policy, do the following on the AquaLogic Enterprise Security Administration Console:

  1. Create the following resource:

     //app/policy/wlsserver/console

     1. Click Resources. The Resources page appears.
     2. Select wlsserver, click New, enter console in the name box, and then click OK.
     3. Select console, click Configure, check Allow Virtual Resources, and then click OK.
  2. Create the following resource:

     //app/policy/wlsserver/console/url/console/login/bea_logo.gif

     The resource represents the BEA logo image at the top-right corner on the login page of the Server Administration Console. To create this resource:

     1. Click Resources. The Resources page appears.
     2. Right-click the resource //app/policy/wlsserver/console and select Add Resource from the context menu.
     3. In the Create Resource dialog window, give the name url to the new resource.
     4. Right-click the resource //app/policy/wlsserver/console/url and select Add Resource from the context menu.
     5. In the Create Resource dialog window, give the name console to the new resource.
     6. Right-click the resource //app/policy/wlsserver/console/url/console and select Add Resource from the context menu.
     7. In the Create Resource dialog window, give the name login to the new resource.
     8. Right-click the resource //app/policy/wlsserver/console/url/console/login and select Add Resource from the context menu.
     9. In the Create Resource dialog window, give the name bea_logo.gif to the new resource.
  3. Create the following authorization policy, which allows a user with the role Admin to access all the resources associated with the console application:

     grant(any, //app/policy/wlsserver/console, //role/Admin) if true;

     1. Click Authorization Policies.
     2. In the Authorization Policies page, click New.
     3. In the Create Authorization Policy dialog page, select the Privileges tab, click any in the Select Privileges from Group list box, and then click Add.
     4. Select the Resources tab, expand wlsserver in the Child Resources list box, select console, and then click Add.
     5. Select the Policy Subjects tab, select Admin from the Roles List list box, click Add, and then click OK.
  4. Create the following authorization policy, which allows any user to see the BEA logo image at the top-right corner on the login page of the Server Administration Console:

     grant( //priv/GET, //app/policy/wlsserver/console/url/console/login/bea_logo.gif, //sgrp/alesusers/allusers/) if true;

     1. Click Authorization Policies.
     2. In the Authorization Policies page, click New.
     3. In the Create Authorization Policy dialog page, select the Privileges tab, click GET in the Select Privileges from Group list box, and then click Add.
     4. Select the Resources tab, expand wlsserver/console/url/console/login in the Child Resources list box, select bea_logo.gif, and then click Add.
     5. Select the Policy Subjects tab, select allusers from the Groups List list box, click Add, and then click OK. Be sure that the selected identity store is alesusers.
  5. Distribute the policies to the WebLogic Server Security Service Module. For information on how to distribute policy, see the Administration Console's help system. Be sure to verify the results of the distribution.
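The boot policy and the console policy above only work together: the role mapping policy gives the system user the Admin role on //app/policy/wlsserver, and the authorization policies then grant privileges to that role (or, for the logo, to the allusers group). The script below is an added example, not BEA documentation or ALES code, that parses the four grant statements quoted on this page and answers access questions about them. Its evaluation rules are deliberate simplifications that are assumptions rather than ALES semantics taken from the page: a policy on a resource also covers that resource's children, the privilege any matches every privilege, only "if true" conditions are parsed, and //sgrp/alesusers/allusers/ is modelled as a group containing every user of the alesusers directory. The guest user is constructed for the example.

```python
"""Evaluate the page's boot and console policies under a simplified model (added example)."""
import re
from typing import List, Set, Tuple

Grant = Tuple[str, str, str]  # (privilege-or-role, resource, subject)

# Only grants with an "if true" condition are supported (assumption).
GRANT_RE = re.compile(r"grant\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*if\s+true\s*;")

# The four policies exactly as written on this page: boot policy first, then console policy.
POLICY_TEXT = """
grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;
grant(//role/Admin, //app/policy/wlsserver, //user/alesusers/system/) if true;
grant(any, //app/policy/wlsserver/console, //role/Admin) if true;
grant( //priv/GET, //app/policy/wlsserver/console/url/console/login/bea_logo.gif, //sgrp/alesusers/allusers/) if true;
"""


def parse_grants(text: str) -> List[Grant]:
    """Extract (first argument, resource, subject) triples from grant statements."""
    return [(m.group(1), m.group(2), m.group(3)) for m in GRANT_RE.finditer(text)]


def covers(policy_res: str, requested_res: str) -> bool:
    """Assumed inheritance: a policy resource covers itself and every descendant resource."""
    p, r = policy_res.rstrip("/"), requested_res.rstrip("/")
    return r == p or r.startswith(p + "/")


def user_groups(user: str) -> List[str]:
    """Constructed group model: every user //user/<dir>/<name>/ belongs to //sgrp/<dir>/allusers/."""
    directory = user.split("/")[3]
    return ["//sgrp/%s/allusers/" % directory]


def roles_for(grants: List[Grant], user: str, resource: str) -> List[str]:
    """Role mapping step: roles granted to the user (or one of its groups) on a covering resource."""
    subjects = [user] + user_groups(user)
    return sorted({role for role, res, subj in grants
                   if role.startswith("//role/") and subj in subjects and covers(res, resource)})


def is_authorized(grants: List[Grant], user: str, privilege: str, resource: str) -> bool:
    """Authorization step: the privilege (or any) on a covering resource, granted to the user,
    one of its groups, or a role the user holds on that resource."""
    subjects: Set[str] = set([user] + user_groups(user) + roles_for(grants, user, resource))
    for priv, res, subj in grants:
        if priv.startswith("//role/"):
            continue  # role mapping policy; already folded into subjects
        if priv in ("any", privilege) and covers(res, resource) and subj in subjects:
            return True
    return False


GRANTS = parse_grants(POLICY_TEXT)
SYSTEM = "//user/alesusers/system/"
GUEST = "//user/alesusers/guest/"  # constructed, not on the page
SVR = "//app/policy/wlsserver/shared/svr"
CONSOLE = "//app/policy/wlsserver/console"
LOGO = "//app/policy/wlsserver/console/url/console/login/bea_logo.gif"

if __name__ == "__main__":
    print("system boots server:", is_authorized(GRANTS, SYSTEM, "//priv/boot", SVR))
    print("system opens console:", is_authorized(GRANTS, SYSTEM, "//priv/GET", CONSOLE))
    print("guest sees logo:", is_authorized(GRANTS, GUEST, "//priv/GET", LOGO))
    print("guest opens console:", is_authorized(GRANTS, GUEST, "//priv/GET", CONSOLE))
```

The useful outcome is the last two queries: the logo grant to allusers lets an unauthenticated login page render, while everything else under console stays with the Admin role. If you edit the policies, re-run these queries before distributing them, since a typo in the role mapping policy breaks the boot policy silently.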

Protecting Resources

When you secure an EJB using a WebLogic Server Security Service Module, you must follow these steps if you want the AquaLogic Enterprise Security providers, rather than the default WebLogic providers, to make the authorization decisions.

  1. Modify the EJB deployment descriptor (ejb-jar.xml) so that the assembly-descriptor does not have any method-permissions set to unchecked or excluded. If either of these settings is present in the deployment descriptor, the EJB container enforces them itself rather than calling into the security subsystem.
  2. Set the following system property to true, indicating that the EJB container delegates other security checks to the security subsystem, by adding this line to the WLES_JAVA_OPTIONS in the set-wls-env script:

     weblogic.security.fullyDelegateAuthorization=true
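Both conditions above are easy to get wrong in a large deployment and easy to verify mechanically. The following script is an added example, not code from the BEA documentation: it reports every method-permission marked unchecked and every exclude-list entry in an ejb-jar.xml, and checks whether a WLES_JAVA_OPTIONS string sets weblogic.security.fullyDelegateAuthorization=true. It assumes an EJB 2.x descriptor without XML namespaces, in which an unchecked permission is written as an unchecked element inside method-permission and excluded methods appear under exclude-list; the descriptor embedded below is constructed for the example.

```python
"""Find container-enforced EJB permissions and verify the delegation property (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

DELEGATE_PROPERTY = "weblogic.security.fullyDelegateAuthorization"


def container_enforced_permissions(ejb_jar_xml: str) -> Dict[str, List[str]]:
    """Return method names that the EJB container would decide itself: those under an
    <unchecked/> method-permission and those listed in <exclude-list>. A descriptor that
    lets the security subsystem decide everything returns two empty lists."""
    root = ET.fromstring(ejb_jar_xml)
    found: Dict[str, List[str]] = {"unchecked": [], "excluded": []}
    for ad in root.iter("assembly-descriptor"):
        for mp in ad.findall("method-permission"):
            if mp.find("unchecked") is not None:
                found["unchecked"] += [m.findtext("method-name", "") for m in mp.findall("method")]
        for ex in ad.findall("exclude-list"):
            found["excluded"] += [m.findtext("method-name", "") for m in ex.findall("method")]
    return found


def delegates_authorization(java_options: str) -> bool:
    """True when the options string sets the delegation property to true, with or without -D."""
    for token in java_options.split():
        if token.startswith("-D"):
            token = token[2:]
        key, _, value = token.partition("=")
        if key == DELEGATE_PROPERTY:
            return value.strip().lower() == "true"
    return False


# Constructed descriptor: one role-checked method, one unchecked method, one excluded method.
SAMPLE_EJB_JAR = """<ejb-jar>
  <enterprise-beans>
    <session><ejb-name>AccountBean</ejb-name></session>
  </enterprise-beans>
  <assembly-descriptor>
    <method-permission>
      <role-name>Admin</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>close</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>AccountBean</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
    <exclude-list>
      <method><ejb-name>AccountBean</ejb-name><method-name>resetAll</method-name></method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
"""

if __name__ == "__main__":
    print(container_enforced_permissions(SAMPLE_EJB_JAR))
    print(delegates_authorization("-Xmx512m -D%s=true" % DELEGATE_PROPERTY))
```

Run the first function over each ejb-jar.xml in the deployment and treat any non-empty list as a finding: those methods will never reach the ASI Authorization provider, whatever policy you distributed. Pass the value of WLES_JAVA_OPTIONS from set-wls-env to the second function to confirm the property is actually present.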
