
Deploying WebLogic Platform Applications


Configuring Security

WebLogic Platform 8.1 provides a single, unified security framework for all deployments, including portal applications, integration applications, and J2EE applications running on WebLogic Server.

This section summarizes the ways that you can secure the target environment, provides considerations for configuring security, and describes how to promote embedded LDAP security data to the target database. This section also describes how to maintain security policy files under version control.

Topics include:

For more details about WebLogic security features, see the following resources:

Note: BEA strongly recommends that you maintain an archive of your user information in the event of a machine failure or other problem. For more information, see "Backing Up User Information" in "Configuring WebLogic Platform Security" in Managing WebLogic Platform Security in Security in WebLogic Platform 8.1.



Ways to Secure the Target Environment

Table 5-1 lists ways to secure a target environment and, in particular, includes recommendations for securing a production environment.

The following figure illustrates a WebLogic domain within a typical network configuration. Refer to this diagram when reviewing the security areas in Table 5-1.

Figure 5-1 WebLogic Domain Within a Typical Network Configuration




Table 5-1 Ways to Secure the Target Environment 

Security Area

Considerations

Configure a firewall

A firewall limits traffic between two networks. Firewalls can be a combination of software and hardware, including routers and dedicated gateway machines.

Placing a firewall in front of your load balancing hardware enables you to set up a De-Militarized Zone (DMZ) for your web application using minimal firewall policies. The DMZ is a logical collection of hardware and services that is made available to outside, untrusted sources.

For best practice tips when setting up a firewall, see "Firewall Considerations" in "Avoiding Problems" in Clustering Best Practices in Using WebLogic Server Clusters.

Use a load balancer or Web proxy server

A load balancer or Web proxy server distributes client connection requests, provides load balancing and failover across a WebLogic cluster, and provides security by concealing the local area network addresses from external users.

For more information, see Using Load Balancers and Web Proxy Servers.

Secure the network connections

When designing network connections, you balance the need for a security solution that is easy to manage with the need to protect strategic WebLogic resources. You need to determine whether to set up firewalls and connection filters, for example, to secure network access. For tips on securing the network connections, review "Securing Network Connections" in Ensuring the Security of Your Production Environment in Securing a Production Environment.

Secure the WebLogic Server hosts

A WebLogic Server production environment is only as secure as the security of the machine on which it is running. Therefore, it is important that you lock down the physical machine, the operating system, and all other software that is installed on the host machine. For tips on securing the WebLogic Server host, review Securing the WebLogic Server Host in Securing a Production Environment.

Secure the WebLogic domain

Install the Administration Server on its own machine and target applications on Managed Servers to insulate the application and its users from the production environment infrastructure. Do not target applications (other than WebLogic Portal applications and modules) on the Administration Server.

Secure WebLogic resources

A WebLogic resource represents an underlying WebLogic Server entity that can be protected from unauthorized access. Examples of WebLogic resources include Enterprise Applications (EARs), EJBs (JARs), and Web Applications (WARs).

A security realm comprises mechanisms for protecting WebLogic resources. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies. A user must be defined in a security realm in order to access the WebLogic resources.

For an overview of how resources are secured in WebLogic in a security realm, see Security Realms in Introduction to WebLogic Security. For information about customizing the default security realm, see Customizing the Default Security Configuration in Managing WebLogic Security.

For more information about securing WebLogic resources, see:

Secure WebLogic Portal resources

WebLogic Portal entitlements let you define rules (roles) that identify who can access specific portal resources. When a portal administrator logs in to the WebLogic Administration Portal, the administrator sees only the areas that the administrator is allowed to administer. When a visitor logs in to a portal, the visitor sees only the books, pages, and portlets to which the visitor is entitled.

For more information about:

Secure WebLogic Integration resources

Security management is particularly important for trading partners, so you need to configure and manage security for them. Trading partners produce digital certificates for sending and receiving business messages in a secure environment.

For more information about:

Secure the database

A security provider database contains the users, groups, security roles, security policies, and credentials used by some types of security providers to provide security services. The security provider database can be the embedded LDAP server, a properties file, or a production-quality, customer-supplied database.

The embedded LDAP server is the default security provider database for the WebLogic Authentication, Authorization, Credential Mapping and Role Mapping providers. The use of an external user store, such as an external LDAP or Relational Database Management System (RDBMS), enables centralized user management by security administrators across multiple domains.

Also review the following information, as it applies to your environment:

Secure the applications

Although most of the responsibility for securing the WebLogic resources in a WebLogic Server domain falls within the scope of the server, some security responsibilities lie within the scope of individual applications.

For tips on securing the applications, review the following:

Enable Auditing

BEA recommends that you enable auditing in a production environment. An auditing provider collects, stores, and distributes information about operating requests and the results of those requests for the purposes of non-repudiation. For more information about configuring auditing, see Configuring Security Providers in Managing WebLogic Security.


Considerations for Configuring Security

Consider the following when configuring security:



Promoting Embedded LDAP Security Data to the Target Database

The following sections describe how you can promote existing embedded LDAP data to the target embedded LDAP database:

Note: WebLogic Platform does not support an automated process for promoting embedded LDAP server data to an external user store, such as an external LDAP server or RDBMS. If you develop a custom tool to handle this process, you should be aware that the existing password information is not maintained during the promotion.

Promoting Security Data to the Target Environment

The embedded LDAP server is the default security provider database for the WebLogic Authentication, Authorization, Credential Mapping and Role Mapping providers. The embedded LDAP server contains user, group, group membership, security role, security policy, and credential map information. By default, each WebLogic Server domain has an embedded LDAP server configured with the default values set for each attribute.

If you have created security information, or configured security providers, in development that you expect to be used in the target environment, you will want to promote that information and security provider configuration to the target environment. Promoting this data ensures that your application will work correctly in the target environment. WebLogic Server provides utilities you can use to export the following security data from one security realm, and import them into a new security realm:

You can migrate security data for each security provider individually, or migrate security data for all the WebLogic security providers for an entire security realm at once. You migrate security data through the WebLogic Server Administration Console or by using the weblogic.admin utility. For information about importing and exporting security data from security realms and security providers, see:

Note: Optionally, you can use an LDAP browser to export and import data stored in the embedded LDAP Server.

Promoting WebLogic Portal and WebLogic Integration Data

When you set up the production database, you must define the database tables required by your application. In some cases, you can promote existing security data to the target environment. For information about configuring and promoting WebLogic Portal and WebLogic Integration data, see Promoting Database Information to the Production Database.



Maintaining Security Policy Files Under Version Control

You can maintain the security policy files using a source control tool, such as Perforce or CVS, by performing the following steps:

  1. Export security policy information, as described in the following sections:
  2. Check the data into your version control system.
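Security data exported from the embedded LDAP server (for example, as LDIF through an LDAP browser, as noted above) contains password hashes and other credentials, and those should not land in Perforce or CVS alongside the policy information. The following script is an added example, not code from this documentation or from BEA: it parses an LDIF export (RFC 2849, including folded and base64 lines), replaces the values of credential attributes, writes the result back as LDIF, and offers a check that a pre-commit hook can run before step 2. The sample entries, the fake hash, and the set of attribute names treated as sensitive are constructed assumptions, not the embedded LDAP server's schema; extend the set with whatever credential attributes your own export contains.

```python
"""Redact credential attributes from an LDIF export before version control.

Added example; not code from the WebLogic documentation. Assumes the embedded
LDAP data was exported as LDIF (RFC 2849). Sample entries and the sensitive
attribute set are constructed for illustration.
"""
import base64
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
REDACTED = "REDACTED"
# Lower-cased attribute names whose values must never be checked in
# (assumed set; add any other credential attributes your export contains).
SENSITIVE_ATTRS = {"userpassword"}

# Constructed sample export; the {SSHA} value is a fake placeholder.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: person
cn: alice
userPassword: {SSHA}ZmFrZWhhc2g=
description: first line
  continued on the next line

dn: cn=operators,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: operators
uniqueMember: cn=alice,ou=people,dc=example,dc=com
description:: QmFzZTY0IGVuY29kZWQgdmFsdWU=
"""

# attr: value   or   attr:: base64value
LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*):(:?)\s*(.*)$")


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) onto the previous line."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into attribute->values dicts, decoding base64 values."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text):
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # comment
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, is_b64, value = m.group(1), m.group(2) == ":", m.group(3)
        if is_b64:
            value = base64.b64decode(value).decode("utf-8")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def redact(entries: List[Entry]) -> Tuple[List[Entry], int]:
    """Replace every sensitive value; return new entries and the count replaced."""
    result: List[Entry] = []
    count = 0
    for entry in entries:
        clean: Entry = {}
        for attr, values in entry.items():
            if attr.lower() in SENSITIVE_ATTRS:
                clean[attr] = [REDACTED] * len(values)
                count += len(values)
            else:
                clean[attr] = list(values)
        result.append(clean)
    return result, count


def _needs_base64(value: str) -> bool:
    # RFC 2849: non-ASCII or non-printable values, values starting with a
    # space, ':' or '<', or ending with a space must be base64-encoded.
    return (not value.isascii() or not value.isprintable()
            or value[:1] in (" ", ":", "<") or value.endswith(" "))


def to_ldif(entries: List[Entry]) -> str:
    """Serialise entries back to LDIF text."""
    blocks = []
    for entry in entries:
        lines = []
        for attr, values in entry.items():
            for v in values:
                if _needs_base64(v):
                    lines.append(f"{attr}:: {base64.b64encode(v.encode()).decode()}")
                else:
                    lines.append(f"{attr}: {v}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def safe_to_commit(ldif_text: str) -> bool:
    """Pre-commit check: True only if no sensitive attribute carries a real value."""
    for entry in parse_ldif(ldif_text):
        for attr, values in entry.items():
            if attr.lower() in SENSITIVE_ATTRS and any(v != REDACTED for v in values):
                return False
    return True
```

Wire safe_to_commit into the version control system's pre-commit hook so that an export which still carries credential values is rejected; keep the unredacted export only in the same protected archive that the note at the top of this section recommends for user information.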

