Administering the WebLogic Windows NT security realm
This document describes how to set up and configure the WebLogic Windows NT security realm (NTRealm) for your WebLogic Server. NTRealm is an alternative authenticating realm for WebLogic Server. Instead of using weblogic.password and weblogic.security.group properties in the weblogic.properties file, NTRealm and WebLogic Server query a Windows NT domain controller for information on users and groups. Note, however, that Access Control Lists (ACLs) are still defined in the weblogic.properties file.

Introduction

Using NTRealm, you can manage Windows and WebLogic Server users in one place. You do not have to edit the weblogic.properties file whenever a user joins or leaves, and you do not have to restart WebLogic Server whenever you make such a change.

NTRealm provides authentication (users and groups), but not authorization (ACLs). ACLs are defined in the weblogic.properties file with properties that begin with 'weblogic.allow'.

WebLogic Server accesses NTRealm through CachingRealm, a realm that hosts alternative realms such as NTRealm. CachingRealm also caches the information it looks up to improve performance. The cache is disabled by default. See Administering the WebLogic Caching Realm for information on enabling and tuning the cache.

CachingRealm uses the default realm, WLPropertyRealm, for ACLs and as a backup for users not found in NTRealm. Users defined in the weblogic.properties file are valid unless overridden in the Windows NT domain. CachingRealm always queries NTRealm first, so a user defined in NTRealm overrides a user with the same name in the properties file. The "system" user must be declared in the properties file to allow WebLogic Server to start. The "system" user may also be declared in the Windows NT domain. If it is, clients must supply the Windows NT "system" user password to authenticate successfully. Because the domain is consulted first, anyone who can create or reset accounts in the Windows NT domain can effectively take over the identity of any user defined in the properties file, including "system"; restrict domain account administration accordingly.
NTRealm requires that you run the WebLogic Server as a Windows administrative user who can read security-related data from the Windows NT Domain Controller. To use NTRealm, you must run WebLogic Server as a Windows NT service on a computer in the Windows NT domain. You do not have to run it on a domain controller.
If you run WebLogic Server from the command line, NTRealm authentication will not succeed. See Using WebLogic Server as an NT 4.0 Service at http://www.weblogic.com/docs51/admindocs/ntservice.html for instructions on running WebLogic Server as a Windows NT service.

Since WebLogic Server reads ACLs from the weblogic.properties file at startup, you must restart WebLogic Server after you change an ACL. If your ACLs grant permissions to groups rather than to individual users, you can avoid most restarts: change a user's Windows NT group membership in the domain, and the user gains or loses access to the WebLogic Server resources granted to that group without a restart (if the CachingRealm cache is enabled, the change is not visible until the cached entry expires).

Setting up the WebLogic Windows NT realm
Add the following properties to your weblogic.properties file:

weblogic.security.realmClass=weblogic.security.ntrealm.NTRealm
weblogic.security.ntrealm.domains=hostname1

Note that hostname1 is the DNS name of your Primary Domain Controller, not the NT domain name. If you enter the domain name itself, NTRealm will not start correctly (see OS error=53 under Troubleshooting). For most configurations you need to specify only a single hostname, unless you are setting up NTRealm to search multiple trusted domains. If you require trusted domains, enter the hostnames of the trusted domains' Primary Domain Controllers delimited by commas. For example:

weblogic.security.ntrealm.domains=hostname1, hostname2
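The following weblogic.properties fragment is an added example, not taken from the original page, putting the settings above together with the ACL and "system" requirements from the Introduction. The hostnames pdc1.example.com and pdc2.example.com, the NT domain name SALESDOM, the group name WebAdmins and the servlet name AdminServlet are assumptions.

```properties
# weblogic.properties (added example): authenticate against the NT domain.

# Switch the authenticating realm from the properties file to NTRealm.
# WebLogic Server reaches NTRealm through CachingRealm automatically.
weblogic.security.realmClass=weblogic.security.ntrealm.NTRealm

# The DNS hostname of the Primary Domain Controller, NOT the NT domain name.
# Wrong (NTRealm fails to start, typically with OS error=53):
#   weblogic.security.ntrealm.domains=SALESDOM
# Right:
weblogic.security.ntrealm.domains=pdc1.example.com

# Two mutually trusted domains: list the PDC hostname of each, comma-separated.
#   weblogic.security.ntrealm.domains=pdc1.example.com, pdc2.example.com

# "system" must still be declared here or the server will not start. If a
# "system" account also exists in the NT domain, clients must present the NT
# password, because NTRealm is queried before the properties file.
weblogic.password.system=changeme

# ACLs stay in this file and are read only at startup. Granting to an NT
# group (WebAdmins, assumed to exist in SALESDOM) rather than to individual
# users means access can be changed by editing group membership in
# User Manager, with no WebLogic Server restart.
weblogic.allow.execute.weblogic.servlet.AdminServlet=WebAdmins
```

Replace the "changeme" password before starting the server; it protects the account that can administer WebLogic Server.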
Trusted Relationships

You may wish to set up a trust relationship between two Windows NT domains so that they can share user and group information. If you set up a trust relationship, WebLogic Server can then query both domains to get a combined list of users and groups. A trust relationship has the following structure: one of the two members of the relationship is designated as "trusted" while the other member is "trusting". Setting this up requires some extra steps. What follows is an example with a TRUSTED_DOMAIN on Server1 and TRUSTING_DOMAIN on Server2. Both servers are Primary Domain Controllers.
Testing the NTRealm

After you have started WebLogic Server with NTRealm installed, you can perform the following checks to test that it is working properly:
Troubleshooting NTRealm

This section gives instructions on how to diagnose an NTRealm startup failure.
Further troubleshooting and help

Information on Windows NT and NT Realms

NTRealm supports running on any machine that is a member of a domain. NTRealm can be run on the Primary Domain Controller (PDC) itself, and it also supports running on a member machine that needs to use a second, mutually trusted, domain. In that case, the two domains must have an explicit mutual trust relationship set up. NTRealm does not support a stand-alone machine authenticating to a domain that it is not a member of. If a stand-alone machine is the PDC of its own domain, it can authenticate to that domain; however, without a mutual trust relationship with a second domain, the local machine will be the only user/group store that works.

Windows 2000 and NT Realms

There are a few differences between running on Windows 2000 and on Windows NT. With Windows 2000, since all domain controllers now have an LDAP interface, it is recommended that customers use the LDAPRealm (V2) to authenticate against the Windows user and group store (via the Active Directory LDAP server). It is possible to use NTRealm to authenticate against a Windows 2000 Active Directory domain controller (PDC), but only from a machine that is a member of the domain, not from the domain controller itself. Further, there is no way to authenticate to the local user and group store if the machine running NTRealm is a member of a domain. Also, on Windows 2000 there is a tool, 'Local Users and Groups', that you can use to manage local users and groups. It is available on computers running Windows 2000 Professional and on member servers running Windows 2000 Server. To open it, click Start, point to Settings, and then click Control Panel. Double-click Administrative Tools, and then double-click Computer Management. For further information, see the help provided with Windows 2000.
Testing and errors

The first step in developing with NTRealm is to try the internal unit test utility that is built into NTRealm. It performs a complete functional sweep of NTRealm features and will tell you immediately whether your configuration will work. Run it as the same Windows user that will run the WebLogic Server service:

> java weblogic.security.ntrealm.NTRealm username password

The first line of output tells you whether the username/password worked for authentication. For example:

auth?joe <--- means authentication worked for user 'joe'
auth?null <--- means it did not authenticate properly

The remaining output of the unit test utility enumerates all the users and groups available to it.

If the unit test utility fails immediately with an error stating that the user running WebLogic Server does not have the privileges to run NTRealm, you need to update the rights of the Windows user running the WebLogic instance.

To update the rights on Windows NT: Start->Programs->Administrative Tools->User Manager (a new window appears). Under the menu Policies->User Rights, select the "Show Advanced User Rights" checkbox in the lower left corner, then grant the following rights to the user:

"Act as part of the operating system"
"Create a token object"
"Replace a process level token"

To update the rights on Windows 2000: Start->Programs->Administrative Tools->Local Security Policy (a new window appears); then, in the left-hand tree, open Local Policies->User Rights Assignment and grant the same three rights:

"Act as part of the operating system"
"Create a token object"
"Replace a process level token"

On Windows 2000 the user running WebLogic Server must also be a member of the Administrators group. On both versions of Windows, make certain that all of the above rights are granted to the specific user and that the user is a member of the Administrators group, then reboot to make certain the changes take effect.

These three rights (SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege) let a process create and assign arbitrary security tokens, which amounts to full control of the machine. Grant them to a dedicated service account used only to run WebLogic Server, never to a personal administrator account.

Explanation of common errors (from winerror.h)

OS error=1326
// MessageId: ERROR_LOGON_FAILURE
// MessageText: Logon failure: unknown user name or bad password.
// #define ERROR_LOGON_FAILURE 1326L

This message is misleading for NTRealm. Here it means that the machine running the NTRealm unit test utility does not have a trust relationship with the PDC it attempted to contact: the machine might not be a member of that domain, or the domain might simply not trust the machine. It does not indicate a bad password.

OS error=53
// MessageId: ERROR_BAD_NETPATH
// MessageText: The network path was not found.
// #define ERROR_BAD_NETPATH 53L

Network error meaning that the path to the PDC cannot be found, probably because of a misspelling or because the NT domain name was entered in weblogic.security.ntrealm.domains instead of the DNS hostname of the domain controller.

OS error=1722
// MessageId: RPC_S_SERVER_UNAVAILABLE
// MessageText: The RPC server is unavailable.
// #define RPC_S_SERVER_UNAVAILABLE 1722L

The domain controller is no longer answering RPC requests. If you see this error, report it to WebLogic support immediately, together with your configuration information.
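The following script is an added example, not part of the original page or of WebLogic Server, that applies the checks from the setup section and this troubleshooting section: it validates the NTRealm properties in a weblogic.properties file and translates the output of the unit test utility into the NTRealm-specific meanings given above. The sample properties text and utility output are constructed; the hostnames and the domain name SALESDOM in them are assumptions.

```python
"""Added example: sanity-check NTRealm settings in weblogic.properties and
interpret the output of 'java weblogic.security.ntrealm.NTRealm user pw'."""
import re

NTREALM_CLASS = "weblogic.security.ntrealm.NTRealm"

# What the Win32 error codes documented above mean when NTRealm reports them.
OS_ERRORS = {
    1326: ("ERROR_LOGON_FAILURE",
           "not a password problem here: the machine is not a member of, or is "
           "not trusted by, the domain whose PDC it contacted"),
    53: ("ERROR_BAD_NETPATH",
         "the PDC could not be found by that name; check for a misspelling or "
         "for the NT domain name being used instead of the PDC's DNS hostname"),
    1722: ("RPC_S_SERVER_UNAVAILABLE",
           "the domain controller is not answering RPC requests; report to "
           "WebLogic support with your configuration"),
}


def parse_properties(text):
    """Parse 'key=value' lines; '#' lines and blank lines are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def check_ntrealm_config(props, nt_domain_names=()):
    """Return a list of problems with the NTRealm-related properties.

    nt_domain_names: NT domain names the caller knows about, so that an
    entry that is really a domain name (instead of the PDC's DNS hostname)
    can be flagged; NTRealm will not start with a domain name there.
    """
    problems = []
    if props.get("weblogic.security.realmClass") != NTREALM_CLASS:
        problems.append("weblogic.security.realmClass must be " + NTREALM_CLASS)
    raw = props.get("weblogic.security.ntrealm.domains", "")
    hosts = [h.strip() for h in raw.split(",") if h.strip()]
    if not hosts:
        problems.append("weblogic.security.ntrealm.domains is missing or empty")
    known = {d.upper() for d in nt_domain_names}
    for host in hosts:
        if host.upper() in known:
            problems.append("%r is an NT domain name; use the PDC's DNS hostname" % host)
    if "weblogic.password.system" not in props:
        problems.append("weblogic.password.system must be declared or the server will not start")
    return problems


def parse_unit_test_output(output):
    """First line is 'auth?<user>' or 'auth?null'; any 'OS error=N' is collected."""
    lines = output.strip().splitlines()
    user = None
    if lines:
        m = re.match(r"auth\?(\S+)", lines[0].strip())
        if m and m.group(1) != "null":
            user = m.group(1)
    errors = [int(m.group(1)) for m in re.finditer(r"OS error=(\d+)", output)]
    return user, errors


def diagnose(output):
    """Turn unit test utility output into human-readable findings."""
    user, errors = parse_unit_test_output(output)
    findings = ["authenticated as %s" % user if user else "authentication failed"]
    for code in errors:
        name, meaning = OS_ERRORS.get(code, ("unknown", "see winerror.h"))
        findings.append("OS error=%d %s: %s" % (code, name, meaning))
    return findings


# Constructed sample: the NT domain name was used instead of the PDC hostname.
SAMPLE_PROPERTIES = """
weblogic.security.realmClass=weblogic.security.ntrealm.NTRealm
weblogic.security.ntrealm.domains=SALESDOM
weblogic.password.system=changeme
"""

# Constructed sample output of the unit test utility for that configuration.
SAMPLE_OUTPUT = """auth?null
OS error=53
"""

if __name__ == "__main__":
    for p in check_ntrealm_config(parse_properties(SAMPLE_PROPERTIES), ["SALESDOM"]):
        print("config:", p)
    for f in diagnose(SAMPLE_OUTPUT):
        print("unit test:", f)
```

Run it on the real weblogic.properties and the captured utility output; the only code it treats as a password problem is none of the three, because, as noted above, 1326 from NTRealm points at domain membership or trust rather than at the credentials.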
Copyright © 2000 BEA Systems, Inc. All rights reserved.