e-docs > WebLogic Server > Managing WebLogic Security > Configuring Security for a WebLogic Domain |
Managing WebLogic Security |
Configuring Security for a WebLogic Domain
The following sections describe how to set security attributes on a WebLogic domain:
Note: This chapter applies to WebLogic Server deployments using the security features in this release of WebLogic Server as well as deployments using Compatibility Security.
Enabling Trust Between WebLogic Domains
Note: Enabling trust between WebLogic Server domains opens the servers up to man-in-the-middle attacks. Great care should be taken when enabling trust in a production environment. BEA recommends having strong network security such as a dedicated communication channel or protection by a strong firewall.
A trust relationship is established when principals in a Subject from one WebLogic Server domain (referred to as the domain) are accepted as principals in the local domain.
This release of WebLogic Server adds more restrictions to the trust relationship between domains. Now a trust relationship is established when the Credential attribute for one domain matches the Credential attribute for another domain.
By default, when you boot an Administration Server for the first time, the Credential attribute is not defined. As the Administration Server boots, it notices that the Credential attribute is not defined and generates a random credential. The Administration Server uses that credential to sign principals in subjects created in that domain. The config.xml file which stores the credential is saved after the credential is generated. Managed servers in that domain obtain the credential from the Administration Server when booting.
WebLogic Server performs a validation (comparing how the principal was signed with how a local principal would be signed) whenever the code is asked to create a new subject.
Note: Any credentials in clear text are encrypted the next time the config.xml file is persisted to disk.
If you want a WebLogic Server 6.x domain to interoperate with a WebLogic Server 7.0 domain, change the Credential attribute in the WebLogic Server 7.0 domain to the password of the system user in the WebLogic Server 6.x domain.
If you want two 7.0 domains to interoperate, perform the following procedure in both domains.
To establish a trust relationship between WebLogic Server domains:
When using inter-domain trust with a WebLogic Server domain that uses custom Principals (meaning a custom Authentication provider is configured in the domain), the domain that is not using custom Principals must have the class for the custom Principal defined in the server's class path in order for authentication to work properly. Otherwise, a java.lang.ClassNotFound is thrown.
For example: two domains (Domain 1 and Domain 2) have established trust (meaning their domain credentials are set to the same value).
Configuring Connection Filtering
Connection filters allow you to deny access at the network level. They can be used to protect server resources on individual servers, server clusters, or an entire internal network or Intranet. For example, you can deny any non-SSL connections originating outside of your corporate network. Network connection filters are a type of firewall in that they can be configured to filter on protocols, IP addresses, and DNS node names.
WebLogic Server provides a default connection filter called ConnectionFilterImpl. This connection filter accepts all incoming connections and also provides static factory methods that allow the server to obtain the current connection filter. To configure this connection filter to deny access, simply enter the connection filters rules in the WebLogic Server Administration Console.
You can also use a custom connection filter by implementing the classes in the weblogic.security.net package. For information about writing a connection filter, see Using Network Connection Filters in Programming WebLogic Security. Like the default connection filter, custom connection filters are configured in the WebLogic Server Administration Console.
To configure a connection filter: