![]() ![]() ![]() ![]() ![]() ![]() ![]() |
This section describes to post-installation steps that you perform for both the WLS 8.1 SSM and the WLS 9.x SSM.
When using the Database Authentication provider, ASI Authorization provider and ASI Role Mapping provider, refer to the following sections for important information:
The WebLogic Server uses the login information contained in the boot.properties
file to start the server. This file contains a username
and password
that must match a username and password in the configured authentication policy. The boot.properties
file is located in the WebLogic Server domain directory on the machine on which the Security Service Module is installed, for example:
BEA_HOME/user_projects/domains/
mydomain
If you used a username of system
and a password of weblogic
, then modify WebLogic Server boot.properties
in the domain as follows:
user = system
password = weblogic
The next time you start the WebLogic Server, the username and password you specified are encrypted.
Before you can use the ASI Authorization provider with the WebLogic Server, you need to configure a boot policy, and then distribute it to the WebLogic Server Security Service Module. The boot policy allows the user named system
to start the WebLogic Server instance. If you need instructions on how to perform any of the following tasks, see the Console Help for details. You may also want to refer to the Policy Managers Guide for information on how the policy language is constructed and how it appears in the console.
To configure and distribute a boot policy, perform the following tasks:
To create the user identity named alesusers
, perform these steps:
Create the following resources below the resource called policy
for the defined user, alesusers
:
To create these resources using the ALES Administration Console:
wlsserver
, select Binding from the Type drop-down menu, and then click OK.wlsserver
and click Configure.wlsserver
, click New, enter shared
in the name box, and then click OK.shared
, click Configure, check Allow Virtual Resources, and then click OK.shared
, click New, enter svr
in the name box, and then click OK.grant(any, //app/policy/
wlsserver
/shared/svr, //role/Admin)
if true;
any
in the Select Privileges from Group list box, and then click Add.wlsserver
and shared
nodes in the Child Resources list box, select svr, and then click Add.Admin
from the Roles List list box, click Add, and click OK.Create the following role mapping policy:
grant(//role/Admin, //app/policy/wlsserver
, //user/alesusers
/system/)
if true;
wlsserver
in the Child Resources list box, and click Add.alesusers
, select system
from the list box, click Add, and click OK.
To bind the resource //app/policy/wlsserver
to the ASI Authorization provider for this Security Service Module, perform the following steps:
alesusers
, set the Application Directory Parent to //app/policy/wlsserver
.Distribute the policies to the WebLogic Server Security Service Module.
For information on how to distribute policies, see the Administration Console help system. Be sure to verify the results of the distribution.
Before you can login into the WebLogic Server Administration Console, you need to configure a console policy and then distribute it to the WebLogic Server Security Service Module. This is needed if you want to access the WebLogic Server Administration Console.
To configure and distribute a WebLogic Server Administration Console policy, do the following on the AquaLogic Enterprise Security Administration Console:
//app/policy/wlsserver/console
//app/policy/wlsserver/console/url/console/login/bea_logo.gif
The resource represents the BEA logo image at the top-right corner on the login page of the Server Administration Console. To create this resource:
//app/policy/wlsserver/console
and select Add Resource in the context menu..url
to the new resource.//app/policy/wlsserver/console/url
and select Add Resource in the context menu..console
to the new resource.//app/policy/wlsserver/console/url/console
and select Add Resource in the context menu..login
to the new resource.//app/policy/wlsserver/console/url/console/login
and select Add Resource in the context menu..bea_logo.gif
to the new resource.console
application: grant(any, //app/policy/wlsserver/console, //role/Admin) if true;
any
in the Select Privileges from Group list box, and then click Add.wlsserver
in the Child Resources list box, select console
, and then click Add. Admin
from the Roles List list box, click Add, and then click OK.grant( //priv/GET, //app/policy/wlsserver/console/url/console/login/bea_logo.gif, //sgrp/alesusers/allusers/) if true;
wlsserver/console/url/console/login
in the Child Resources list box, select bea_logo.gif
, and then click Add. allusers
from the Groups List list box, click Add, and then click OK. Be sure that the selected identity store is alesusers
.When you secure an EJB using a WebLogic Server Security Service Module, you must follow these steps if you want to use the AquaLogic Enterprise Security providers instead of the default WebLogic providers.
ejb-jar.xml
) so that the assembly-descriptor does not have any method-permissions set to unchecked or excluded.If either of these settings is present in the deployment descriptor, then the EJB container enforces them rather than calling into the security subsystem.
WLES_JAVA_OPTIONS
in the set-wls-env
script:weblogic.security.fullyDelegateAuthorization=true
![]() ![]() ![]() |