WebLogic Server v8.1 Installation
This section describes each task you must perform after you install the product software and discusses other considerations.
Note: If you want to use the WebLogic Server 8.1 Security Service Module to integrate WebLogic Enterprise Security with WebLogic Portal server and portal applications, skip this section and go to Integrating WebLogic Enterprise Security with WebLogic Portal.
Note: Some of the procedures described here require basic knowledge of both WebLogic Server and WebLogic Enterprise Security products. If you need assistance with any task, see the Administration Console online help or the Administration Application Guide for more details. It is assumed that you know the location of the products you have installed, including the WebLogic Server, the Security Service Module, and the Administration Server.
This section describes how to enroll the Service Control Manager. Each machine on which you install a Security Service Module must have one (and only one) enrolled Service Control Manager. You only need to follow this procedure if you installed the Security Service Module on a machine other than the one that contains the Administration Application.
Note: While you can use the demonstration digital certificate to enroll in a development environment, you should never use it in a production environment: the demonstration certificate and its private key ship with every copy of the product, so anyone who has the product can impersonate a component enrolled with it.
To enroll the Service Control Manager, perform the following steps:
1. Open a command window and go to the Service Control Manager bin directory:
BEA_HOME/wles42-scm/bin
2. Run the enrollment tool in that directory and press <ENTER> at the prompt.
3. To register the domain, type 5 and press <ENTER> again, then enter the following information:
Enter Enterprise Domain Name :> (For example: asi)
Enter Primary Admin URL :> (For example: https://adminmachine:7010/asi)
Secondary Admin URL :> (This value is optional. Same format as primary URL)
SCM name :> (For example: ssmmachinename_ssm)
SCM port :> (Default: 7010)
4. Provide the details the tool requests for each of the following keystores in the ssl directory:
ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
ssl\trust.jks keystore. This keystore contains the WebLogic Enterprise Security CA certificate used for enrollment.
You configure a Service Control Manager (SCM) for each of the machines on which you have installed one or more Security Service Modules (SSM). Each machine must have one (and only one) configured Service Control Manager. For example, if you install an SSM on the same machine as the Administration Application, you must use the adminconfig SCM, which was configured for you when you installed the Administration Application.
Note: When you use the Instance Wizard to create an instance of an SSM on a machine, you link the instance to an SCM by name. When you install multiple SSMs of different types (Web Server or Web Services, WebLogic Server 8.1, and Java) on the same machine, they must all use the same SCM.
To configure an SCM, use the WebLogic Enterprise Security Administration Console; see the Administration Application Console Help for the procedure.
The instructions for performing this task are also available in "Configuring a Service Control Manager" in the BEA WebLogic Enterprise Security Administration Application Guide.
Configure an SSM with the security providers that you require for the WebLogic Server 8.1 SSM and bind it to the SCM. You have the option of configuring either the default security providers that ship with the product or custom security providers, which you develop or purchase from third-party security vendors. The WebLogic Server 8.1 Security Service Module supports the following types of security providers:
To configure these providers and bind the configuration to the SCM, perform the following steps in the WebLogic Enterprise Security Administration Console:
1. Create a new security configuration under the SCM, enter a Configuration ID (for example, weblogic81_ssm) and click Create. Then add the providers you require to this configuration.
Note: Later, when you use the Instance Wizard to create an instance of the SSM to which this security configuration will be applied, you will use the Configuration ID to link the SSM instance to this security configuration.
Before starting a WebLogic Server Security Service Module, you must first create an instance of the Security Service Module using the Instance Wizard. You can create any number of instances of the Security Service Module. You must then enroll each instance that you want to use. Each instance has its own set of providers.
To create an instance of a Security Service Module, run the Instance Wizard (instancewizard.sh on UNIX, or the corresponding batch file on Windows) from the Security Service Module installation and follow the prompts, supplying the instance name, its port, the name of the SCM on this machine and the Configuration ID you created above.
You must have the Administration Server running prior to enrolling the Security Service Module.
Note: While you can use the demonstration digital certificate in a development environment, you should never use it in a production environment, because the same certificate and private key ship with every copy of the product.
To enroll the Security Service Module:
1. Open a command window and go to the /adm directory of the instance:
BEA_HOME/wles42-ssm/wls-ssm/instance/instancename/adm
where instancename is the name you assigned to the instance when you created it.
2. Run the enrollment tool and enter the admin username and password. This is the username and password of the Security Administrator doing the enrollment (if you used the default values and have not yet changed them, the default username is system and the password is weblogic). Change these defaults before the system goes into production.
3. Provide the details the tool requests for each of the following keystores:
ssl\identity.jks keystore. This keystore contains the identities for all the components you are enrolling.
ssl\peer.jks keystore. This keystore contains the certificates of components with which this Security Service Module can communicate.
ssl\trust.jks keystore. This keystore contains the WebLogic Enterprise Security CA certificate used for enrollment.
The Security Service Module requires that you create a WebLogic Server domain in the following location:
BEA_HOME/user_projects/domains/mydomain
You can use the WebLogic Server Configuration Wizard to create a domain or create it manually. The domain includes a startWebLogic file, which you are instructed to modify in Modifying the startWebLogic File.
The WebLogic startup script does the following:
Before you can start a WebLogic Server that uses BEA WebLogic Enterprise Security, you must edit the startWebLogic file that is located in the WebLogic Server domain directory, for example:
BEA_HOME/user_projects/domains/mydomain
where:
BEA_HOME is the directory where your BEA products are installed.
user_projects is the directory where your WebLogic Server user projects are located.
domains is the directory where your WebLogic Server domain instances are located.
mydomain is the name of the WebLogic Server domain instance you are using.
See Listing 4-1 for an example of a modified startWebLogic.cmd file. To edit the startWebLogic file, do the following:
1. Before the line where CLASSPATH is set, add a call to the set-wls-env script file in the bin directory for your instance, for example BEA_HOME/wles42-ssm/wls-ssm/instance/wls81ssm/bin. This script defines the WLES_PRE_CLASSPATH, WLES_POST_CLASSPATH and WLES_JAVA_OPTIONS variables used in the following steps. On Windows, the call has this form:
call "C:\bea\wles42-ssm\wls-ssm\instance\myInstance\bin\set-wls-env.bat"
On UNIX, source the shell script instead:
. "/bea/wles42-ssm/wls-ssm/instance/myInstance/bin/set-wls-env.sh"
2. Change the line that sets CLASSPATH so that %WLES_PRE_CLASSPATH% comes first and %WLES_POST_CLASSPATH% comes last, as in Listing 4-1.
3. Add %WLES_JAVA_OPTIONS% to the options passed on the "%JAVA_HOME%\bin\java" command line, as in Listing 4-1.
Listing 4-1 Modifying the startWebLogic.cmd File for Windows
...
set SERVER_NAME=myserver
@REM Added for WebLogic Enterprise Security: defines WLES_PRE_CLASSPATH,
@REM WLES_POST_CLASSPATH and WLES_JAVA_OPTIONS for this SSM instance
call "C:\BEA_HOME\wles42-ssm\wls-ssm\instance\myInstance\bin\set-wls-env.bat"
@REM WLES jars first, WLES post-classpath last; a batch "set" must be one line
set CLASSPATH=%WLES_PRE_CLASSPATH%;%WEBLOGIC_CLASSPATH%;%POINTBASE_CLASSPATH%;%JAVA_HOME%\jre\lib\rt.jar;%WL_HOME%\server\lib\webservices.jar;%CLASSPATH%;%WLES_POST_CLASSPATH%
@REM Call WebLogic Server
echo .
echo CLASSPATH=%CLASSPATH%
echo .
echo PATH=%PATH%
echo .
echo ***************************************************
echo * To start WebLogic Server, use a username and *
echo * password assigned to an admin-level user. For *
echo * server administration, use the WebLogic Server *
echo * console at http://[hostname]:[port]/console *
echo ***************************************************
@REM Note the space between %JAVA_OPTIONS% and %WLES_JAVA_OPTIONS%; without it the two values run together
"%JAVA_HOME%\bin\java" %JAVA_VM% %MEM_ARGS% %JAVA_OPTIONS% %WLES_JAVA_OPTIONS% -Dweblogic.Name=%SERVER_NAME% -Dweblogic.ProductionModeEnabled=%PRODUCTION_MODE% -Djava.security.policy="%WL_HOME%\server\lib\weblogic.policy" weblogic.Server
ENDLOCAL
You can use the security.properties file to set the necessary security properties. To set the security properties, create a security.properties file and put it in the WebLogic Server domain directory; for example:
BEA_HOME/user_projects/domains/mydomain
Include the information shown in Listing 4-2 in the security.properties file, where:
wles.realm is the value of the Configuration ID entered for the Security Service Module using the Administration Console (see Security Configuration in your Console Help or in the Administration Application Guide).
wles.default.realm must be set to the same value as wles.realm.
Note: The security.properties file is not required if you add these parameters to Java Options.
Listing 4-2 security.properties File
wles.realm=ConfigurationID
wles.default.realm=ConfigurationID
After you install the Security Service Module, create the instance, and enroll it, you must start the necessary processes by running the appropriate batch or shell scripts. Before you start these processes, make sure that the Administration Server and all of its services are running.
For each machine, you must start the following processes:
For instructions on how to start and stop the required processes, see Starting and Stopping Processes for Security Service Modules in the Administration Application Guide.
When using the Database Authentication provider, ASI Authorization provider and ASI Role Mapping provider, refer to the following sections for important information:
The WebLogic Server uses the login information contained in the boot.properties file to start the server. This file contains a username and password that must match a username and password in the configured authentication policy. The boot.properties file is located in the WebLogic Server domain directory on the machine on which the Security Service Module is installed, for example:
BEA_HOME/user_projects/domains/mydomain
If you used a username of system and a password of weblogic, set the username and password entries in the domain's boot.properties file to those values (substitute the values you actually configured).
The next time you start the WebLogic Server, the username and password you specified are encrypted. Until then the file holds the credentials in clear text, so restrict its permissions to the account that runs the server.
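The checks a practitioner wants before the first start, as an added example that is not part of the BEA documentation: a small Python script that parses security.properties (Listing 4-2) and the boot.properties described above, confirms that wles.default.realm equals wles.realm, and flags a boot.properties whose password is still plaintext or whose permissions let other users read it. It assumes that WebLogic Server 8.1 marks values it has encrypted in boot.properties with the {3DES} prefix; treat that prefix as an assumption and adjust it to what your server writes. The sample file contents are constructed for the example.

```python
"""Added example: sanity checks for security.properties and boot.properties
in a WebLogic Server 8.1 domain that uses the WLES SSM. Not BEA code."""
import stat

# Assumption: WebLogic Server 8.1 prefixes values it has encrypted in
# boot.properties with "{3DES}". Adjust if your server writes another marker.
ENCRYPTED_PREFIX = "{3DES}"

# Constructed sample files, not taken from a real domain.
SAMPLE_SECURITY = "wles.realm=weblogic81_ssm\nwles.default.realm=weblogic81_ssm\n"
SAMPLE_BOOT_FRESH = "username=system\npassword=weblogic\n"
SAMPLE_BOOT_ENCRYPTED = "username={3DES}AbCdEf==\npassword={3DES}GhIjKl==\n"


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value lines,
    '#' and '!' comments. Continuation lines and escapes are not needed for
    these two files and are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if sep < 0:
            props[line] = ""
        else:
            props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_security_properties(text):
    """Problems with security.properties: both keys present, same value."""
    props = parse_properties(text)
    problems = []
    realm = props.get("wles.realm")
    default = props.get("wles.default.realm")
    if not realm:
        problems.append("wles.realm is missing or empty")
    if not default:
        problems.append("wles.default.realm is missing or empty")
    if realm and default and realm != default:
        problems.append("wles.default.realm (%s) must equal wles.realm (%s)" % (default, realm))
    return problems


def check_boot_properties(text, mode=None):
    """Problems with boot.properties. The file is clear text until the
    server's first start, so an unencrypted password is reported, and so is
    a file mode (pass os.stat(path).st_mode) that lets group or others read it."""
    props = parse_properties(text)
    problems = []
    for key in ("username", "password"):
        if not props.get(key):
            problems.append("%s is missing or empty" % key)
    pw = props.get("password", "")
    if pw and not pw.startswith(ENCRYPTED_PREFIX):
        problems.append("password is still plaintext; start the server once to encrypt it")
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("boot.properties is readable by group or others")
    return problems


if __name__ == "__main__":
    print("security.properties:", check_security_properties(SAMPLE_SECURITY) or "ok")
    print("boot.properties (fresh):", check_boot_properties(SAMPLE_BOOT_FRESH, mode=0o644))
    print("boot.properties (after first start):",
          check_boot_properties(SAMPLE_BOOT_ENCRYPTED, mode=0o600) or "ok")
```

Run it against the real files by reading them from the domain directory and passing os.stat(path).st_mode as mode; the permission check is only meaningful on UNIX.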
Before you can use the ASI Authorization provider with the WebLogic Server, you need to configure a boot policy, and then distribute it to the WebLogic Server 8.1 Security Service Module. If you need instructions on how to perform any of these tasks, see the Console Help for details. You may also want to refer to the Policy Managers Guide for information on how the policy language is constructed and how it appears in the console.
To configure and distribute a boot policy, perform the following tasks:
To create the wlesusers identity directory and the user identity that WebLogic Server boots with, perform these steps in the WebLogic Enterprise Security Administration Console:
1. Create an identity directory named wlesusers and, in it, a user named system; set the password for system to weblogic. Replace system and weblogic with the values used in the boot.properties file.
2. To create resources for the defined user, create the following resources below the resource called policy: wlsserver, then shared below wlsserver, then svr below shared, so that the resource //app/policy/wlsserver/shared/svr exists.
3. Create a privilege policy that grants the any privilege on //app/policy/wlsserver/shared/svr to the Admin role (in the console, select any in the Select Privileges from Group list box, and then click Add):
grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;
4. Create a role policy that places the user system from the wlesusers identity directory in the Admin role on //app/policy/wlsserver:
grant(//role/Admin, //app/policy/wlsserver, //user/wlesusers/system/) if true;
To bind the resource //app/policy/wlsserver to the ASI Authorization provider for this Security Service Module, perform the following steps:
Distribute the policy to the WebLogic Server v8.1 Security Service Module.
For information on how to distribute policy, see Deployment in the Administration Console Help or in the Administration Application Guide. Make sure to verify the results of your distribution.
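To see why the boot policy needs both statements, here is an added example, not BEA code and not the ASI Authorization provider's own evaluator: a toy Python evaluator for the two grant statements above. It assumes the simplified semantics this page relies on, namely that a policy written on a resource applies to that resource and to everything below it, that a role policy of the form grant(//role/R, resource, //user/dir/name/) puts the user in role R on that subtree, and that the any privilege satisfies every privilege request; constraints other than if true are not supported. The policy text is the one from the steps above; the privilege name and the extra resource and user names in the demonstration are invented.

```python
"""Added example: toy evaluator for the WLES boot policy above. Not BEA
code; the inheritance and role-mapping rules are simplifying assumptions."""
import re

# The two grant statements from the boot-policy steps on this page.
BOOT_POLICY = """
grant(any, //app/policy/wlsserver/shared/svr, //role/Admin) if true;
grant(//role/Admin, //app/policy/wlsserver, //user/wlesusers/system/) if true;
"""

GRANT_RE = re.compile(
    r"grant\(\s*([^,]+?)\s*,\s*([^,]+?)\s*,\s*([^)]+?)\s*\)\s*if\s+true\s*;")


def parse_policy(text):
    """Parse 'grant(effect, resource, subject) if true;' statements into
    (effect, resource, subject) tuples. An effect of //role/... is a role
    policy; any other effect is a privilege policy."""
    grants = GRANT_RE.findall(text)
    if not grants:
        raise ValueError("no grant statements found")
    return [tuple(g) for g in grants]


def covers(policy_resource, resource):
    """Assumed inheritance rule: a policy on a resource applies to that
    resource and to every descendant in the resource tree."""
    return resource == policy_resource or \
        resource.startswith(policy_resource.rstrip("/") + "/")


def roles_for(grants, user, resource):
    """Roles the role policies place the user in for this resource."""
    return {effect for effect, res, subject in grants
            if effect.startswith("//role/") and subject == user
            and covers(res, resource)}


def is_authorized(grants, user, privilege, resource):
    """True if some privilege policy grants 'privilege' (or any) on a
    resource covering 'resource' to a role the user holds there."""
    roles = roles_for(grants, user, resource)
    for effect, res, subject in grants:
        if effect.startswith("//role/"):
            continue  # role policy, already used by roles_for
        if subject in roles and covers(res, resource) and effect in ("any", privilege):
            return True
    return False


if __name__ == "__main__":
    grants = parse_policy(BOOT_POLICY)
    boot_user = "//user/wlesusers/system/"
    for user, res in [(boot_user, "//app/policy/wlsserver/shared/svr"),
                      (boot_user, "//app/policy/wlsserver/shared"),
                      ("//user/wlesusers/guest/", "//app/policy/wlsserver/shared/svr")]:
        print(user, "on", res, "->", is_authorized(grants, user, "boot", res))
```

The role policy sits on //app/policy/wlsserver, so the user holds Admin on the whole wlsserver subtree, but the privilege is granted only at //app/policy/wlsserver/shared/svr and below; a request on //app/policy/wlsserver/shared alone is denied, which is why all three resource levels must exist, and a user without the role policy is denied everywhere.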
Before you can log in to the WebLogic Server Administration Console, you need to configure a console policy and then distribute it to the WebLogic Server 8.1 Security Service Module.
To configure and distribute a WebLogic Server Administration Console policy, do the following on the WebLogic Enterprise Security Administration Console:
When you add the privilege for the console resource, select any in the Select Privileges from Group list box, and then click Add. Distribute the policy to the WebLogic Server 8.1 Security Service Module as for the boot policy.
When you secure an EJB using a WebLogic Server 8.1 Security Service Module, you must follow these steps if you want to use the WebLogic Enterprise Security providers instead of the default WebLogic providers:
1. Modify the deployment descriptor (ejb-jar.xml) so that the assembly-descriptor does not have any method-permissions set to unchecked or excluded. If either of these settings is present in the deployment descriptor, then the EJB container enforces them itself rather than calling into the security subsystem, so the WebLogic Enterprise Security providers never see those calls.
2. Start the server with the following Java system property (for example, as -Dweblogic.security.fullyDelegateAuthorization=true on the java command line in startWebLogic or in Java Options), so that the authorization decision for every EJB method call is delegated to the configured providers:
weblogic.security.fullyDelegateAuthorization=true
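An added example, not part of the BEA documentation, of the check from step 1: a Python script that reads an ejb-jar.xml assembly-descriptor, lists every method whose access decision the EJB container would make on its own because it sits under a method-permission with unchecked or in the exclude-list, and produces a copy of the descriptor with those entries removed; it also checks a JAVA_OPTIONS string for the flag from step 2. The descriptor below is constructed for the example and the bean and method names are invented.

```python
"""Added example: find ejb-jar.xml entries that the EJB container enforces
itself (unchecked method-permissions and the exclude-list), which bypass
the WLES providers. Not BEA code."""
import xml.etree.ElementTree as ET

# Constructed EJB 2.0 descriptor; AccountBean and its methods are invented.
SAMPLE_EJB_JAR = """<?xml version="1.0"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
  "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>AccountBean</ejb-name>
      <home>example.AccountHome</home>
      <remote>example.Account</remote>
      <ejb-class>example.AccountBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>Admin</role-name></security-role>
    <method-permission>
      <role-name>Admin</role-name>
      <method><ejb-name>AccountBean</ejb-name><method-name>transfer</method-name></method>
    </method-permission>
    <method-permission>
      <unchecked/>
      <method><ejb-name>AccountBean</ejb-name><method-name>getBalance</method-name></method>
    </method-permission>
    <exclude-list>
      <method><ejb-name>AccountBean</ejb-name><method-name>closeAccount</method-name></method>
    </exclude-list>
  </assembly-descriptor>
</ejb-jar>
"""

FULL_DELEGATION_FLAG = "-Dweblogic.security.fullyDelegateAuthorization=true"


def container_enforced_methods(ejb_jar_xml):
    """Return (kind, ejb-name, method-name) for every method the container
    decides on itself: kind is 'unchecked' for methods under a
    <method-permission> containing <unchecked/>, 'excluded' for methods in
    the <exclude-list>."""
    root = ET.fromstring(ejb_jar_xml)
    findings = []
    ad = root.find("assembly-descriptor")
    if ad is None:
        return findings
    for mp in ad.findall("method-permission"):
        if mp.find("unchecked") is not None:
            for m in mp.findall("method"):
                findings.append(("unchecked", m.findtext("ejb-name"), m.findtext("method-name")))
    for m in ad.findall("exclude-list/method"):
        findings.append(("excluded", m.findtext("ejb-name"), m.findtext("method-name")))
    return findings


def strip_container_enforced(ejb_jar_xml):
    """Return the descriptor (as an XML string, without the DOCTYPE) with the
    unchecked method-permissions and the exclude-list removed, so that the
    decision for those methods reaches the security providers. A WLES policy
    that denies the formerly excluded methods must then exist."""
    root = ET.fromstring(ejb_jar_xml)
    ad = root.find("assembly-descriptor")
    if ad is not None:
        for mp in ad.findall("method-permission"):
            if mp.find("unchecked") is not None:
                ad.remove(mp)
        for ex in ad.findall("exclude-list"):
            ad.remove(ex)
    return ET.tostring(root, encoding="unicode")


def delegation_enabled(java_options):
    """True if the server command line (for example the JAVA_OPTIONS value)
    carries the flag from step 2."""
    return FULL_DELEGATION_FLAG in java_options.split()


if __name__ == "__main__":
    for kind, bean, method in container_enforced_methods(SAMPLE_EJB_JAR):
        print("%s: %s.%s is enforced by the EJB container, not by WLES" % (kind, bean, method))
    print("after stripping:", container_enforced_methods(strip_container_enforced(SAMPLE_EJB_JAR)))
    print("delegation flag set:", delegation_enabled("-Xms32m " + FULL_DELEGATION_FLAG))
```

Removing the exclude-list widens access unless a matching deny exists on the WLES side, so write that policy before redeploying the stripped descriptor.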
If you want to protect a cluster of WebLogic Servers using WebLogic Enterprise Security, you must make some additional changes to the security configuration and resource configuration. For information on how to protect a cluster of WebLogic Servers, see the following topics:
Figure 4-1 shows a Security Service Module configuration named myrealm, located under a Service Control Manager named adminconfig in the WebLogic Enterprise Security Administration Console. Your actual Security Service Module configuration will vary from this example based on the needs of your WebLogic domain.
Figure 4-1 Service Control Manager Configuration
Figure 4-2 shows a configuration for a cluster of four WebLogic Servers: one administration server (adm) and three managed servers (svr1, svr2, svr3), with one Security Service Module instance for each server. The Service Control Manager on both machines must use the same Configuration Name (adminconfig). Each Security Service Module must have a unique Instance Name and Port number per machine, but always shares a common Configuration ID (myrealm) across all machines. Thus, each server uses the same security provider configuration and receives the same policy.
Figure 4-2 WebLogic Server Clusters
You must also create the three resources shown in Figure 4-3, setting each of them to virtual:
The myrealm/wl_management_internal1 resource is accessed on the cluster's administration server by the WebLogic Admin Console to view WebLogic Server related log files.
The myrealm/wl_management_internal2 resource is accessed on the cluster's administration server by a managed server during bootstrap and file distribution operations.
The myrealm/bea_wls_internal resource is accessed when one managed server is synchronizing with another managed server.
The myrealm/wl_management_internal1, myrealm/wl_management_internal2 and myrealm/bea_wls_internal resources must be configured to allow virtual resources.
Figure 4-3 Resources for Managing WebLogic Server Clusters
You must create the policy listed in Table 4-1. Also, ensure that there is a role policy that maps the Everyone role to the group allusers in your identity directory.
You have completed the installation and configuration of the WebLogic Server 8.1 Security Service Module. Your Security Administrator can now configure additional security services using the security providers for your Security Service Module, through the WebLogic Enterprise Security Administration Console. If you configured the providers as part of the post-installation tasks, you can now make changes to your configuration using the console.
Before you continue to configure security services, read the information on security configuration in the Administration Console help or in the Administration Application Guide. This section provides additional information on how to configure the Service Control Manager, the Security Service Module, and the providers, and then deploy your changes.