Managing WebLogic Security
This following sections describe how to protect user accounts and how to unlock a user account:
Note: For information about protecting user accounts in Compatibility security, see Protecting User Accounts in Compatibilty Security.
It is important to protect passwords that are used to access resources in a WebLogic Server domain. In the past, usernames and passwords were stored in clear text in a WebLogic security realm. Now all the passwords in a WebLogic Server domain are hashed. The SerializedSystemIni.dat
file contains the hashes for the passwords. It is associated with a specific WebLogic Server domain so it cannot be moved from domain to domain.
If the SerializedSystemIni.dat
file is destroyed or corrupted, you must reconfigure the WebLogic Server domain. Therefore, you should take the following precautions:
SerializedSystemIni.dat
file and put it in a safe location.SerializedSystemIni.dat
file such that the system administrator of a WebLogic Server deployment has write and read privileges and no other users have any privileges.
WebLogic Server defines a set of attributes to protect user accounts from intruders. In the default security configuration, these attributes are set for maximum protection. When creating a new security realm, you need to define these attributes.
As a system administrator, you have the option of turning off all the attributes, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the attributes lessens security and leaves user accounts vulnerable to security attacks.
To set the user lockout attributes:
If a user account exceeds the values set for the attributes on this tab, the user account becomes locked and the table on the Users tab has the word Details
in the table row for the user account. For more information, see Unlocking a User Account.
The following table describes each attribute on the User Lockout tab.
The User Lockout attributes apply to the default security realm and all its security providers. The User Lockout attributes do not work with custom security providers in a security realm other than the default security realm. To use the User Lockout attributes with custom security providers, configure the custom security providers in the default security realm. Include the customer providers in the authentication process after the WebLogic Authentication provider and the WebLogic Identity Assertion provider. This ordering may cause a small performance hit.
If you are using an Authentication provider that has its own mechanism for protecting user accounts, disable the Lockout Enabled attribute.
If a user account becomes locked and you delete the user account and add another user account with the same name and password, the UserLockout attributes will not be reset.
To unlock a locked user account on a managed server, a user with Admin privileges can use the following command:
java weblogic.Admin -url
url
-username
adminuser
-passwordpasswordforadminuser
-type weblogic.management.security.authentication.UserLockoutManager -method clearLockout
lockedusername
You can also wait the time specified in the Lockout Duration attribute. The user account will be unlocked after the specified time.
To unlock a user account using the Administration Console: