Creating WebLogic Configurations Using the Configuration Wizard

Configuring Security

To make sure that security is always provided for your configurations, even when they are booted for the first time, the Configuration Wizard and Configuration Template Builder provide basic security features. Whenever you create a new domain or configuration template, you are prompted to define an administrative username and password, as described in Configuring an Administrative Username and Password. In some cases, you can provide additional security for an application resource by using the following security features:

• Users and groups—Classification of individuals and collections of individuals who may be granted a security role. Typically, a group is a collection of users who share a role or function within a company, such as working in the same department.
• Global security roles—Dynamically computed privileges that are used to restrict access to WebLogic resources. These privileges are granted to or withheld from users according to which roles they are assigned.

For example, to leverage individual skills, many development teams divide system administration responsibilities into distinct roles. A team may then assign a different level of permission to each role. Each project might give only one or two team members permission to deploy components, but allow all team members to view the WebLogic Server configuration.

WebLogic Server supports such role-based development by providing four default global roles that determine access privileges for system administration operations: Admin, Deployer, Operator, and Monitor.

Warning: Do not make the default global security roles for Administrative and Server resources more restrictive. If you eliminate any existing security roles, you risk degrading WebLogic Server operation. You can, however, make the default security roles more inclusive (for example, by adding new security roles).

The following table describes the actions you can take to provide basic security for the resources in your configuration.

For this task . . .	You . . .
Configuring an Administrative Username and Password	Define the username and password to be used for starting the Administration Server.
Configuring Users and Groups	Define users and groups for authentication purposes. (Configuration Wizard only)
Configuring Users, Groups, and Global Roles	Define users, groups, and global roles for authentication purposes.
Assigning Users to Groups	Designate individuals as members of a particular group. Groups allow you to manage multiple users simultaneously. This is generally more efficient than managing each user individually.
Assigning Groups to Groups	Designate one group a subgroup of another, to refine security management.
Assigning Users and Groups to Global Roles	Assign users and groups to predefined WebLogic Server global security roles.

 

Related Topics

Securing WebLogic Resources at http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secwlres/index.html

 

---

Configuring an Administrative Username and Password

The Configure Administrative Username and Password window prompts you to specify a username and password to be used for starting the Administration Server.

To configure an administrative username and password:

Enter a valid value in the User name field. This name is used to boot the Administration Server and connect to it.

Do not use commas or any other characters in this comma-separated list: \t, < >, #, |, &, ?, ( ), { }. User names are case sensitive.

Enter a valid value in the User password field: a string of at least 8 case-sensitive characters. Space characters are not supported. The password value is encrypted.

Note: Do not use the name/password combination weblogic/weblogic in a production environment.

Reenter the password in the Confirm user password field.
Optionally, enter a login description for this username.
If you are creating a configuration using the custom option, or a configuration template, you can configure additional security resources. If you want to configure additional users, groups, and global roles, select Yes. This option is not enabled in express mode.
Click Next to proceed to the next configuration window.

What Is the Next Step?

If you are creating a  . . .	Go to . . .
New domain, using the express option	Specifying the Server Start Mode and Java SDK
New domain, using the custom option, and you want to configure additional security resources	Configuring Users and Groups
Configuration template and you want to configure additional resources	Configuring Users, Groups, and Global Roles

 

 

---

Configuring Users and Groups

This window is displayed in the Configuration Wizard only.

A user is an entity that can be authenticated. It can be a person or a software entity, such as a Java client. Each user is given a unique identity within a security realm. A group is a collection of users who usually have something in common, such as working in the same department in a company.

The Configure Users and Groups window prompts you to define users and groups for authentication purposes. You must define at least one user. Depending on the configuration template selected, there may be one or more users and/or groups already defined. In addition, WebLogic Server defines a default set of groups. For a list of the default groups defined in WebLogic Server, see "Default Groups" in "Users and Groups" in Securing WebLogic Resources at the following URL:

http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secwlres/usrs_grps.html

To configure users and groups:

Select the User tab and review the current list of user configurations. Add or modify the entries required by your configuration, using the guidelines provided in the following table. (Fields marked with an asterisk are required.) To delete a user, click in one of its fields and click Delete.

In this field . . .	Do the following . . .
User name*	Enter a valid username. Do not use commas or any other characters in this comma-separated list: \t, < >, #, |, &, ?, ( ), { }. User names are case sensitive. The default value in this field is new_user_n, where n specifies a numeric value that is used to differentiate among all default user names; the value of n for the first user is 1. The value is incremented by 1 for each user that is added.
User password*	Enter a password for the user. A valid password is a string containing a minimum of 8 case-sensitive characters; space characters are not supported. The password value is encrypted. Note: Do not use the name/password combination weblogic/weblogic in a production environment
Confirm user password*	Reenter the password to confirm the value entered.
Description (Optional)	Enter a description of the user that is used for informational purposes only; for example, full name of user.


 
Select the Group tab and review the current list of group configurations. Add or modify the entries required by your configuration using the guidelines provided in the following table. To delete a group, click in one of its fields and click Delete. When you finish updating your settings, click Next.

In this field . . .	Do the following . . .
Name*	Enter a valid name for the group. Do not use commas or any other characters in this comma-separated list: \t, < >, #, |, &, ?, ( ), { }. Group names are case sensitive. The default value in this field is new_group_n, where n specifies a numeric value that is used to differentiate among all default group names; the value of n for the first group is 1. The value is incremented by 1 for each group that is added.
Description (Optional)	Enter a description of the group that is used for informational purposes only.


 

Related Topics

"Users and Groups," in Securing WebLogic Resources at http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secwlres/usrs_grps.html

 

---

Configuring Users, Groups, and Global Roles

The Configure Users, Groups and Global Roles window is displayed in the Configuration Template Builder and when you are extending a domain using the Configuration Wizard.

Users, groups, and global roles are defined as follows:

• A user is an entity that can be authenticated. It can be a person or a software entity, such as a Java client. Each user is given a unique identity within a security realm.
• A group is a collection of users who usually have something in common, such as working in the same department in a company.
• A security role is a privilege granted to users or groups based on specific conditions. Like groups, security roles allow you to restrict access to WebLogic resources for multiple users simultaneously. A security role that applies to all WebLogic resources deployed within a security realm (and, thus, within the entire WebLogic Server domain) is called a global role.

The Configure Users, Groups and Global Roles window prompts you to define users, groups, and roles for authentication purposes. You must define at least one user.

Depending on the template or domain selected, one or more users, groups, and/or roles may be defined already. In addition, WebLogic Server defines a default set of groups and roles. For a description of the default groups and roles, see the following topics in Securing WebLogic Server:

• "Default Groups" in "Users and Groups" at http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secwlres/usrs_grps.html
• "Default Global Roles" in "Security Roles" at http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secwlres/secroles.html

To configure users, groups, and global roles:

Select the User tab and review the current list of user configurations. Add or modify entries as required by your configuration, using the guidelines provided in the following table. (Fields marked with an asterisk are required.) To delete a user, click in one of its fields and click Delete.

In this field . . .	Do the following . . .
User name*	Enter a valid username. Do not use commas or any other characters in this comma-separated list: \t, < >, #, |, &, ?, ( ), { }. User names are case sensitive. The default value in this field is new_user_n, where n specifies a numeric value that is used to differentiate among all default user names; the value of n for the first user is 1. The value is incremented by 1 for each user that is added.
User password*	Enter a password for the user. A valid password is a string containing a minimum of 8 case-sensitive characters; space characters are not supported. The password value is encrypted. Note: Do not use the name/password combination weblogic/weblogic in a production environment
Confirm user password*	Reenter the password to confirm the value entered.
Description (Optional)	Enter a description of the user to be used for informational purposes only; for example, full name of user.


 
Select the Group tab and review the current list of group configurations. Add or modify the entries required by your configuration, using the guidelines provided in the following table. To delete a group, click in one of its fields and click Delete. When you finish updating your settings, click Next.

In this field . . .	Do the following . . .
Name*	Enter a valid name for the group. Do not use commas or any other characters in this comma-separated list: \t, < >, #, |, &, ?, ( ), { }. Group names are case sensitive. The default value in this field is new_group_n, where n specifies a numeric value that is used to differentiate among all default group names; the value of n for the first group is 1. The value is incremented by 1 for each group that is added.
Description (Optional)	Enter a description of the group to be used for informational purposes only.


 
Select the Role tab and review the current list of role configurations. The predefined list of WebLogic Server global security roles is shown. Add or modify the entries required by your configuration using the guidelines provided in the following table. To delete a role, click in one of its fields and click Delete. When you finish updating your settings, click Next.

Warning: Do not make the default global security roles for Administrative and Server resources more restrictive. If you eliminate any existing security roles, you risk degrading WebLogic Server operation. You can, however, make the default security roles more inclusive (for example, by adding new security roles).

In this field . . .	Do the following . . .
Name*	Enter a valid name for the role: a string of characters that are case sensitive. Space characters are not supported. The default value in this field is new_role_n, where n specifies a numeric value that is used to differentiate among all default role names; the value of n for the first role is 1. The value is incremented by 1 for each role that is added.
Description (Optional)	Enter a description of the role to be used for informational purposes only.


 

Related Topics

"Users and Groups" in Securing WebLogic Resources at http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secwlres/usrs_grps.html

"Security Roles" in Securing WebLogic Resources at http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secwlres/secroles.html

 

---

Assigning Users to Groups

BEA recommends adding users to groups because groups allow you to manage multiple users simultaneously.

The Assign Users to Groups window prompts you to assign users to groups.

To assign users to groups:

In the Group pane, select the group to which you want to assign users.

The current assignments for the selected group are displayed in the left pane.

In the left pane, do one of the following:
• To assign a user to the selected group, select the check box for the user.
• To remove a user from the selected group, clear the check box for the user.

To select all users in the list, choose Select All. To unselect all users in the list, choose Unselect All.

The list of groups associated with each user is updated to reflect your changes.

Repeat steps 1 and 2 for each user that you want to assign to a group. You can assign a user to more than one group.
Click Next to proceed to the next configuration window.

 

---

Assigning Groups to Groups

The Assign Groups to Groups window prompts you to designate one group as a subgroup of another group, as a means of refining the management of security for your domain.

Note: You should not assign groups recursively. For example, do not assign groupA as a subgroup of groupB and groupB as a subgroup of groupA. WebLogic Server does not support this type of recursion.

To assign groups to other groups:

In the Group pane, select the group to which you want to assign a subgroup.

The current assignments for the selected group are displayed in the left pane.

In the left pane, do one of the following:
• To assign a group, as a subgroup, to the selected group, select the check box for the group.
• To remove a subgroup from the selected group, clear the check box for the group.

To select all groups in the list, choose Select All. To unselect all groups in the list, choose Unselect All.

The list of subgroups associated with each group is updated to reflect your changes.

Repeat steps 1 and 2 for each group that you want to designate a subgroup. You can make a group a subgroup of more than one group.
Click Next to proceed to the next configuration window.

 

---

Assigning Users and Groups to Global Roles

The Assign Users and Groups to Global Roles window prompts you to assign users and groups to the global security roles defined by WebLogic Server. The following table shows the operations that may be performed by users assigned to each of these roles.

In this role . . .	You can . . .
Admin	View and modify the server configuration. Deploy applications, EJBs, startup and shutdown classes, J2EE Connectors, and Web Service components. Edit deployment descriptors.
Deployer	View the server configuration. Deploy applications, EJBs, startup and shutdown classes, J2EE Connectors, and Web Service components. Edit deployment descriptors.
Monitor	View the server configuration.
Operator	View the server configuration. Start, resume, and stop servers by default.
Anonymous	Default convenience role for all users (the group Everyone). This role can be specified in security deployment descriptors in weblogic.xml and weblogic-ejb-jar.xml files.

 

You must assign one or more users or groups (containing one or more users) to the Admin role to ensure that there is at least one user who can boot WebLogic Server.

To assign users and groups to global security roles:

In the Role pane, select the global role to which you want to assign users and groups.

The current assignments for the selected role are displayed in the left pane.

In the left pane, do one of the following:
• To assign a user or group to the selected role, select the associated check box.
• To remove a user or group from the selected role, clear the associated check box.

To select all users and groups in the list, choose Select All. To unselect all users and groups in the list, choose Unselect All.

The Role list corresponding to each user and group is updated to reflect the global roles to which the user and group are assigned.

Repeat steps 1 and 2 for each user or group that you want to assign to a global role. You can assign a user or group to more than one global role.
Click Next to proceed to the next configuration window.

Related Topics

"Security Roles" in Securing WebLogic Resources at http://download.oracle.com/docs/cd/E13222_01/wls/docs81/secwlres/secroles.html