Administration Console Online Help

Compatibility Security

This topic describes configuring and managing security when using Compatibility security. For more information, see Using Compatibility Security in Managing WebLogic Security. For information about using the security features in WebLogic Server 7.0, see Security in the Administration Console online help and Managing WebLogic Security.

Tasks

Setting Up Compatibility Security: Main Steps

To set up Compatibility security:

  1. Make a back-up copy of your 6.x WebLogic domain (including your config.xml file) before using Compatibility security. A sample config.xml file that can be used to boot Compatibility Security can be found in Booting WebLogic Server in Compatibility Security in the Upgrade Guide for BEA WebLogic Server 7.0.
  2. Install WebLogic Server 7.0 in a new directory location. Do not overwrite your existing 6.x installation directory. For more information, see the WebLogic Server Installation Guide.
  3. Modify the startup script for your 6.x server to point to the WebLogic Server 7.0 installation. Specifically, you need to modify:

    For more information, see the Upgrade Guide for BEA WebLogic Server 7.0.

  4. Use the startup script for your 6.x server to boot WebLogic Server.

To verify whether you are correctly running Compatibility security, do the following:

  1. In the Administration Console, expand the Domain node.
  2. Click on your WebLogic Server domain (referred to as the domain).
  3. Click the View the Domain Log link.

    The following message appears in the log:

    Security initializing using realm CompatibilityRealm

Changing the System Password

During installation, WebLogic Server does the following to the File realm in mydomain:

  1. Adds the username and password supplied during installation to the File realm.
  2. Sets the system password to the password specified during installation.

These steps ensure that a system user is defined in the 7.0 version of the File realm and that the SerializedSystemIni.dat file is created.

To improve security, BEA recommends frequently changing the system password that was set during installation. Each WebLogic Server deployment must have a unique password.

  1. In the console for the Administration Server, expand the Compatibility Security node.
  2. Select the Users tab.
  3. In the User Configuration window, under Change a User's Password, enter system in the Name attribute.
  4. In the Old Password attribute, enter the password you specified when installing WebLogic Server 6.x.
  5. Enter a new password in the New Password attribute.
  6. Enter the new password again in the Confirm the Password attribute.

Configuring the File Realm

To configure the File realm:

  1. Expand the Domains node (for example, Examples).
  2. Click the View Domain-Wide Security Settings link on the General tab.
  3. Select the Compatibility-->File Realm tab.
  4. Enter values in the attribute fields on the File Realm tab.
  5. Click Apply to save your changes.

If, instead of the File realm, you want to use one of the alternate security realms provided by WebLogic Server, or use a custom security realm, set the attributes for the desired realm and reboot WebLogic Server. If you use one of the alternate security realms, you must enable the Caching realm. Alternate security realms include the LDAP, Windows NT, UNIX, and RDBMS security realms.

Configuring the Caching Realm

To configure the Caching realm:

  1. Configure the alternate or custom security realm with which you will use the Caching realm. See the appropriate realm configuration procedures in the following sections:
  2. Expand the Compatibility Security-->Caching Realms nodes.
  3. Click the Configure a new Caching Realm... link.
  4. Enter values in the attribute fields on the Caching Realm --> General tab.
  5. Click Create.
  6. Enable the caches you want to use with the Caching realm. For more information, see:
  7. When you finish enabling caches for the Caching realm, reboot WebLogic Server.

Enabling the ACL Cache

To enable the ACL cache:

  1. Click the ACL tab under the Caching Realm tab.
  2. Configure and enable the ACL cache by defining values for the attributes shown on the Caching Realm --> ACL tab.
  3. Click Apply to save your changes.

Enabling the Authentication Cache

To enable the Authentication cache:

  1. Click the Authentication tab under the Caching Realm tab.
  2. Configure and enable the Authentication cache by defining values for the attributes shown on the Caching Realm --> Authentication tab.
  3. Click Apply to save your changes.

Enabling the Group Cache

To enable the Group cache:

  1. Click the Group tab under the Caching Realm tab.
  2. Configure and enable the Group cache by defining values for the attributes shown on the Caching Realm --> Groups tab.
  3. Click Apply to save your changes.

Enabling the User Cache

To enable the User cache:

  1. Click on the User tab under the Caching Realm tab.
  2. Configure and enable the User cache by defining values for the attributes shown on the Caching Realm --> Users tab.
  3. Click Apply to save your changes.

Enabling the Permission Cache

To enable the Permission cache:

  1. Click on the Permission tab under the Caching Realm tab.
  2. Configure and enable the Permission cache by defining values for the attributes shown on the Caching Realm --> Permissions tab.
  3. Click Apply to save your changes.

Adding a Note to the Caching Realm

To add a note to the caching realm:

  1. Click on the Notes tab under the Caching Realm tab.
  2. Write any pertinent information in the Notes field.
  3. Click Apply to save your changes.

Configuring an LDAP V1 Security Realm

The Lightweight Directory Access Protocol (LDAP) V1 security realm provides authentication through users and groups stored in an LDAP directory. This lets you manage all the users for your organization in one place: the LDAP directory. The LDAP V1 security realm supports Open LDAP, Netscape iPlanet, Microsoft Site Server, and Novell NDS directory servers.

To use the LDAP V1 security realm instead of the File realm:

  1. Expand the Compatibility-->Realms nodes.
  2. Click the Configure a New LDAP Realm V1... link to display the name of the class that implements the LDAP V1 security realm.
  3. Click Create.
  4. Define attributes for the LDAP directory server and specify how users and groups are located in the LDAP V1 security realm. For more information:
  5. When you have finished defining all the attributes, reboot WebLogic Server.
  6. Configure the Caching realm. For more information, see Configuring the Caching Realm

    When configuring the Caching realm, select the LDAP Realm V1 option from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP V1 security realm).

  7. Expand the Domains node.
  8. Click the View Domain-Wide Security Settings link on the General tab.
  9. Select the Compatibility-->File Realm tab.
  10. In the Caching Realm attribute, choose the name of the Caching realm to be used with the LDAP V1 security realm. A list of configured Caching realms appears on the pull-down menu.
  11. Reboot WebLogic Server.

Enabling Communication between the LDAP Server and WebLogic Server

To enable communication between the LDAP server and WebLogic Server:

  1. Click the LDAP Realm V1 tab.
  2. Define values for the attributes on the LDAP Security Realm-->LDAP Server tab.
  3. Click Apply to save your changes.

Specifying How Users Are Located in the LDAP V1 Security Realm

To specify how users are located in the LDAP V1 security realm:

  1. Click the Users tab under the LDAP Realm V1 tab.
  2. Define the attributes shown on the LDAP Security Realm-->Users tab.
  3. Click Apply to save your changes.

Specifying How Groups Are Located in the LDAP V1 Security Realm

To specify how groups are located in the LDAP V1 security realm:

  1. Click on the Groups tab under the LDAP Realm V1 tab.
  2. Define the attributes shown on the LDAP Security Realm-->Groups tab.
  3. Click Apply to save your changes.

Adding a Note to the LDAP V1 Security Realm

To add a note to the LDAP V1 security realm:

  1. Click on the Notes tab under the LDAP Realm V1 tab.
  2. Write any pertinent information in the Notes field.
  3. Click Apply to save your changes.

Configuring an LDAP V2 Security Realm

When using the LDAP V2 security realm, WebLogic Server provides templates for the supported LDAP servers. These templates specify default configuration information used to represent users and groups in each of the supported LDAP servers. You choose the template that corresponds to the LDAP server you want to use and then fill in the host and port of the LDAP server, and the GroupDN, the UserDN, Principal, and Credential attributes.

To use an LDAP V2 security realm:

  1. Expand the Compatibility Security-->Realms node.
  2. Choose the LDAP server you want to use with WebLogic Server. The following options are available:

    Select an LDAP server. A configuration window for the chosen LDAP server appears.

  3. Click Create.
  4. On the Configuration tab, enter the host and port of the LDAP server in the server.host and server.port attributes in the Configuration Data box.
  5. If necessary, update the information defined for the GroupDN, the UserDN, Principal, and Credential attributes for your LDAP directory server in the Configuration Data box.
  6. Optionally, define a password for the LDAP server. The Password attribute defines the password for the Principal. Once the password is defined, WebLogic Server encrypts it.
  7. Click Apply to save your changes.
  8. When you have finished defining the attributes, reboot WebLogic Server.
  9. Configure the Caching realm. For more information, see Configuring the Caching Realm

    When configuring the Caching realm, select the LDAP V2 security realm from the pull-down menu for the Basic Realm attribute on the General tab for the Caching realm. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP V2 security realm).

  10. Expand the Domains node.
  11. Click the View Domain-Wide Security Settings link on the General tab.
  12. Click the Compatibility-->File Realm tab.
  13. In the Caching Realm attribute, choose the name of the Caching realm to be used with the LDAP V2 security realm. A list of configured Caching realms appears on the pull-down menu.
  14. Reboot WebLogic Server.

Adding a Note to the LDAP V2 Security Realm

To add a note to the LDAP V2 security realm:

  1. Click on the Notes tab under the configuration window for the chosen LDAP server.
  2. Write any pertinent information in the Notes field.
  3. Click Apply to save your changes.

Configuring the Windows NT Security Realm

To configure the Windows NT security realm:

  1. Expand the Compatibility Security-->Realms node.
  2. Click the Configure a New NT Realm... link.
  3. Set attributes on the Windows NT Realm-->Configuration tab that define a name for the Windows NT realm and the computer on which the Windows NT domain is running.
  4. Click Create.
  5. Reboot WebLogic Server.
  6. Configure the Caching realm. For more information, see Configuring the Caching Realm

    When configuring the Caching realm, select your Windows NT security realm from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the Windows NT security realm).

  7. Expand the Domains node.
  8. Click the View Domain-Wide Security Settings link on the General tab.
  9. Click the Compatibility-->File Realm tab.
  10. In the Caching Realm attribute, choose the name of the Caching realm to be used with the Windows NT security realm. A list of configured Caching realms appears on the pull-down menu.
  11. Reboot WebLogic Server.

Adding a Note to the Windows NT Security Realm

To add a note to the Windows NT security realm:

  1. Click on the Windows NT Realm-->Notes tab under the Configuration tab.
  2. Write any pertinent information in the Notes field.
  3. Click Apply to save your changes.

Configuring the wlauth Program for the UNIX Security Realm

The wlauth program runs setuid root. You need root permissions to modify the ownership and file attributes on the wlauth program and to set up the PAM configuration file for wlauth.

To set up the wlauth program for the UNIX security realm:

  1. If WebLogic Server is installed on a network drive, copy the wlauth file to a file system on the computer that executes WebLogic Server, for example, the /usr/sbin directory. The wlauth file is in the weblogic/lib/arch directory, where arch is the name of your platform.
  2. As the root user, run the following commands to change the wlauth owner and permissions:
     # chown root wlauth
     # chmod +xs wlauth
  3. Set up the PAM configuration for wlauth.

    Solaris—Add the following lines to your /etc/pam.conf file:

     # Setup for WebLogic authentication on Solaris machines
     #
     wlauth auth required /usr/lib/security/pam_unix.so.1
     wlauth password required /usr/lib/security/pam_unix.so.1
     wlauth account required /usr/lib/security/pam_unix.so.1

    Linux—Create a file called /etc/pam.d/wlauth containing the following:

     #%PAM-1.0
     #
     # File name:
     # /etc/pam.d/wlauth
     #
     # If you do not use shadow passwords, delete "shadow".
     auth required /lib/security/pam_pwdb.so shadow
     account required /lib/security/pam_pwdb.so

    Note: Omit shadow if you are not using shadow passwords.

If wlauth is not in the WebLogic Server class path or if you have given the program a name other than wlauth, you must add a Java command-line property when you start WebLogic Server. Edit the script you use to start WebLogic Server and add the following option after the java command:

-Dweblogic.security.unixrealm.authProgram=wlauth_prog

Replace wlauth_prog with the name of the wlauth program, including the full path if the program is not in the search path. Start WebLogic Server. If the wlauth program is in the WebLogic Server path and is named wlauth, this step is not needed.
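Because wlauth runs setuid root, the ownership and mode set in step 2 are worth re-checking after installation and after any later copy or upgrade of the file. The following script is an added example and is not part of the BEA documentation or the wlauth program; it assumes the /usr/sbin/wlauth location from step 1 as a default and checks three things: the file is owned by root, the setuid bit is present, and neither group nor world can write to it (a writable setuid-root program would let any local user change what runs as root).

```shell
#!/bin/sh
# Added example (not BEA's code): verify the installed wlauth binary has the
# ownership and mode the procedure sets, and is not writable by anyone but root.

check_wlauth() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "FAIL: $f is not a regular file"
        return 1
    fi
    # ls -ld is POSIX: field 1 is the mode string (e.g. -rwsr-xr-x), field 3 the owner.
    set -- $(ls -ld "$f")
    mode="$1"
    owner="$3"
    if [ "$owner" != "root" ]; then
        echo "FAIL: $f is owned by $owner, not root"
        return 1
    fi
    case "$mode" in
        ???[sS]*) ;;   # 4th character of the mode string: setuid bit present
        *) echo "FAIL: $f lacks the setuid bit ($mode)"; return 1 ;;
    esac
    case "$mode" in
        ?????w*|????????w*)   # 6th char = group write, 9th char = world write
            echo "FAIL: $f is group- or world-writable ($mode)"; return 1 ;;
    esac
    echo "OK: $f ($mode, owner $owner)"
    return 0
}

# Usage: sh check_wlauth.sh /usr/sbin/wlauth
# (the /usr/sbin path is the example location from step 1, not a requirement)
if [ $# -gt 0 ]; then
    check_wlauth "$1"
fi
```

The check reads the mode string from ls rather than a platform-specific stat format so that it runs unchanged on Solaris and Linux, the two platforms the PAM setup above covers.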

Configuring the UNIX Security Realm

To configure the Unix security realm:

  1. Expand the Compatibility Security-->Realms nodes.
  2. Click the Configure a New Unix Realm... link.
  3. Set attributes on the Unix Realm-->Configuration tab that define a name for the realm and the program that provides authentication services for the UNIX Security realm.
  4. Click Create.
  5. Reboot WebLogic Server.
  6. Configure the Caching realm. For more information, see Configuring the Caching Realm

    When configuring the Caching realm, select your UNIX security realm from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the UNIX security realm).

  7. Expand the Domains node.
  8. Click the View Domain-Wide Security Settings link on the General tab.
  9. Click the Compatibility Security-->File Realm tab.
  10. In the Caching Realm attribute, choose the name of the Caching realm to be used with the UNIX security realm. A list of configured Caching realms appears on the pull-down menu.
  11. Reboot WebLogic Server.

Adding a Note to the UNIX Security Realm

  1. Click on the Unix Realm-->Notes tab under the Configuration tab.
  2. Write any pertinent information in the Notes field.
  3. Click Apply to save your changes.

Configuring the RDBMS Security Realm

The RDBMS security realm is a BEA-provided custom security realm that stores users, groups, and ACLs in a relational database. The RDBMS security realm is an example and is not meant to be used in a production environment.

Note: The RDBMS example does not work with databases that have an autocommit feature enabled. If you use the RDBMS example as a starting point for your RDBMS implementation, use explicit commit statements in your code and make sure the autocommit feature in the database you are using is disabled.

To configure an RDBMS security realm:

  1. Expand the Compatibility Security-->Realms node.
  2. Choose the database you want to use with WebLogic Server. The following templates are available:

    A configuration window for the chosen database appears.

  3. Set attributes on the RDBMS Realm-->General tab that define a name for the realm and the class that implements the RDBMS security realm.
  4. Click Create.
  5. Define attributes for connecting to the database and the database schema. For more information:
  6. When you have finished defining the attributes, reboot WebLogic Server.
  7. Configure the Caching realm. For more information, see Configuring the Caching Realm

    When configuring the Caching realm, select the RDBMS security realm from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the RDBMS security realm).

  8. Expand the Domains node.
  9. Click the View Domain-Wide Security Settings link on the General tab.
  10. Click the Compatibility-->File Realm tab.
  11. In the Caching Realm attribute, choose the name of the Caching realm to be used with the RDBMS security realm. A list of configured Caching realms appears on the pull-down menu.
  12. Reboot WebLogic Server.

Defining Database Attributes for the RDBMS Security Realm

To define attributes for the JDBC driver that connects to the database in the RDBMS security realm:

  1. Click the RDBMS Realm-->Database tab.
  2. Define attributes for the JDBC driver being used to connect to the database.
  3. Click Apply to save your changes.

Defining Database Schema for the RDBMS Security Realm

To define attributes for the database schema used by the RDBMS security realm:

  1. Click the RDBMS Realm-->Schema tab.
  2. Define the schema used to store Users, Groups, and ACLs in the database in the Schema Properties box on the Schema tab.

    Listing 1-1 contains the database statements entered in the Schema properties for the RDBMS code example shipped with WebLogic Server in the /samples/examples/security/rdbmsrealm directory.

Listing 1-1 Sample Schema for RDBMS Security Realm

"getGroupNewStatement=true;getUser=SELECT U_NAME, U_PASSWORD FROM users WHERE U_NAME = ?;
getGroupMembers=SELECT GM_GROUP, GM_MEMBER from groupmembers WHERE GM_GROUP = ?;
getAclEntries=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries WHERE A_NAME = ? ORDER BY A_PRINCIPAL;
getUsers=SELECT U_NAME, U_PASSWORD FROM users;
getGroups=SELECT GM_GROUP, GM_MEMBER FROM groupmembers;
getAcls=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries ORDER BY A_NAME, A_PRINCIPAL;
getPermissions=SELECT DISTINCT A_PERMISSION FROM aclentries;
getPermission=SELECT DISTINCT A_PERMISSION FROM aclentries WHERE A_PERMISSION = ?;
newUser=INSERT INTO users VALUES ( ? , ? );
addGroupMember=INSERT INTO groupmembers VALUES ( ? , ? );
removeGroupMember=DELETE FROM groupmembers WHERE GM_GROUP = ? AND GM_MEMBER = ?;
deleteUser1=DELETE FROM users WHERE U_NAME = ?;
deleteUser2=DELETE FROM groupmembers WHERE GM_MEMBER = ?;
deleteUser3=DELETE FROM aclentries WHERE A_PRINCIPAL = ?;
deleteGroup1=DELETE FROM groupmembers WHERE GM_GROUP = ?;
deleteGroup2=DELETE FROM aclentries WHERE A_PRINCIPAL = ?"
  3. Click Apply to save your changes.
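Two properties of Listing 1-1 are easy to miss when reading it as configuration text: every statement takes its user-supplied values through `?` bind parameters rather than string concatenation, and user deletion is split across three statements (deleteUser1 to deleteUser3) that only make sense as one transaction, which is why the note above insists on explicit commits with autocommit disabled. The following Python program is an added example, not code from BEA or the rdbmsrealm sample: it parses a constructed copy of the schema property string, runs the statements against an in-memory SQLite database (a stand-in for whatever RDBMS the realm would use), and uses the demopool connection pool from "Defining ACLs" as constructed sample data. The `parse_schema`, `open_realm_db`, `has_permission` and `demo` names, the table column types, and the placeholder password values are all this example's assumptions.

```python
import sqlite3

# Constructed copy of the Listing 1-1 property string, trimmed to the statements
# exercised below; the SQL text of each statement is as in the listing.
SCHEMA_PROPERTIES = (
    "getGroupNewStatement=true;"
    "getUser=SELECT U_NAME, U_PASSWORD FROM users WHERE U_NAME = ?;"
    "getGroups=SELECT GM_GROUP, GM_MEMBER FROM groupmembers;"
    "getAclEntries=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries "
    "WHERE A_NAME = ? ORDER BY A_PRINCIPAL;"
    "newUser=INSERT INTO users VALUES ( ? , ? );"
    "addGroupMember=INSERT INTO groupmembers VALUES ( ? , ? );"
    "deleteUser1=DELETE FROM users WHERE U_NAME = ?;"
    "deleteUser2=DELETE FROM groupmembers WHERE GM_MEMBER = ?;"
    "deleteUser3=DELETE FROM aclentries WHERE A_PRINCIPAL = ?"
)


def parse_schema(props):
    """Turn the ';'-separated key=value list into a {name: SQL} mapping.
    partition() splits on the first '=' only, so 'WHERE U_NAME = ?' survives intact."""
    stmts = {}
    for entry in props.split(";"):
        entry = entry.strip()
        if entry:
            key, _, value = entry.partition("=")
            stmts[key.strip()] = value.strip()
    return stmts


def open_realm_db():
    """In-memory SQLite with the three tables the listing's statements expect.
    sqlite3's default isolation_level keeps autocommit OFF: each DML statement joins
    a transaction that stays open until commit() or rollback() (the note's requirement)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (U_NAME TEXT PRIMARY KEY, U_PASSWORD TEXT);"
        "CREATE TABLE groupmembers (GM_GROUP TEXT, GM_MEMBER TEXT);"
        "CREATE TABLE aclentries (A_NAME TEXT, A_PRINCIPAL TEXT, A_PERMISSION TEXT);"
    )
    return conn


def get_user(conn, stmts, name):
    """Bind the name as a parameter: it is data, never part of the SQL text."""
    return conn.execute(stmts["getUser"], (name,)).fetchone()


def delete_user(conn, stmts, name):
    """Run deleteUser1..3 as one unit: commit all three or roll all three back,
    so a user can never survive with dangling group or ACL entries."""
    try:
        for key in ("deleteUser1", "deleteUser2", "deleteUser3"):
            conn.execute(stmts[key], (name,))
        conn.commit()
        return True
    except sqlite3.Error:
        conn.rollback()
        return False


def has_permission(conn, stmts, resource, principal, permission):
    """True if the principal, or a group it is a direct member of, holds the
    permission in the resource's ACL (one level of group membership only)."""
    principals = {principal}
    for group, member in conn.execute(stmts["getGroups"]):
        if member == principal:
            principals.add(group)
    for _name, acl_principal, acl_perm in conn.execute(stmts["getAclEntries"], (resource,)):
        if acl_principal in principals and acl_perm == permission:
            return True
    return False


def demo():
    """Populate the realm with constructed sample data and return the check results."""
    stmts = parse_schema(SCHEMA_PROPERTIES)
    conn = open_realm_db()
    conn.execute(stmts["newUser"], ("alice", "<password-hash-placeholder>"))
    conn.execute(stmts["newUser"], ("bob", "<password-hash-placeholder>"))
    conn.execute(stmts["addGroupMember"], ("Operators", "bob"))
    # One ACL for the demopool pool with separate reserve and reset entries.
    conn.executemany("INSERT INTO aclentries VALUES (?, ?, ?)", [
        ("demopool", "alice", "reserve"),
        ("demopool", "Operators", "reset"),
    ])
    conn.commit()  # explicit commit, as the RDBMS note requires
    results = {
        "alice_reserve": has_permission(conn, stmts, "demopool", "alice", "reserve"),
        "bob_reset": has_permission(conn, stmts, "demopool", "bob", "reset"),
        "bob_reserve": has_permission(conn, stmts, "demopool", "bob", "reserve"),
        # A crafted name is bound as one literal string and matches no row.
        "crafted_name": get_user(conn, stmts, "alice' OR '1'='1"),
        "deleted_alice": delete_user(conn, stmts, "alice"),
    }
    results["alice_after_delete"] = get_user(conn, stmts, "alice")
    results["alice_acl_after_delete"] = has_permission(conn, stmts, "demopool", "alice", "reserve")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `crafted_name` lookup shows what the `?` placeholders buy: the quoted fragment is compared against U_NAME as an ordinary string and finds nothing, whereas the same text spliced into the SQL would have changed the query. The `delete_user` function is the counterpart to the autocommit note: with autocommit on, a failure after deleteUser1 would leave the user's rows in groupmembers and aclentries behind.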

Adding A Note to the RDBMS Security Realm

To add a note to the RDBMS security realm:

  1. Click on the RDBMS Realm-->Notes tab under the Configuration tab.
  2. Write any pertinent information in the Notes field.
  3. Click Apply to save your changes.

Installing a Custom Security Realm

You can create a custom security realm that draws from an existing store of users, such as a directory server on the network. To use a custom security realm, you create an implementation of the weblogic.security.acl.AbstractListableRealm interface or the weblogic.security.acl.AbstractManageableRealm interface and then use the Administration Console to install your implementation.

To install a custom security realm:

  1. Expand the Compatibility Security-->Realms node.
  2. Click the Configure a New Custom Realm... link.
  3. Set attributes on the Custom Realm --> Configuration tab that define a name for the custom security realm, specify the interface that implements the realm, and define how the users, groups, and optionally ACLs are stored in the custom security realm.
  4. Click Create.
  5. When you have finished defining the attributes for the custom security realm, reboot WebLogic Server.
  6. Configure the Caching realm. For more information, see Configuring the Caching Realm

    When configuring the Caching realm, select the custom security realm from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the custom security realm.

  7. Expand the Domains node.
  8. Click the View Domain-Wide Security Settings link on the General tab.
  9. Click the Compatibility-->File Realm tab.
  10. In the Caching Realm attribute, choose the name of the Caching realm to be used with the custom security realm. A list of configured Caching realms appears on the pull-down menu.
  11. Reboot WebLogic Server.

Adding A Note To A Custom Security Realm

To add a note to a custom security realm:

  1. Click on the Custom Realm --> Notes tab under the Configuration tab.
  2. Write any pertinent information in the Notes field.
  3. Click Apply to save your changes.

Defining Users

Note: This section explains how to add users to the File realm. If you are using an alternate security realm, you must use the administration tools provided in that realm to define a user.

To define a user:

  1. Expand the Compatibility Security node.
  2. Click Users.
  3. In the User Configuration window, enter the name of the user in the Name attribute.
  4. Enter a password for the user in the Password attribute.
  5. Enter the password again in the Confirm Password attribute.
  6. Click Create.

Deleting Users

To delete a user:

  1. Expand the Compatibility Security node.
  2. Click Users.
  3. In the User Configuration window, enter the name of the user in the Delete Users box.
  4. Click Delete.

Changing the Password of a User

  1. Expand the Compatibility Security node.
  2. Click Users.

    The User Configuration window appears.

  3. Enter the name of the user in the Name attribute on the User Configuration window.
  4. Enter the old password in the Old Password attribute.
  5. Enter the new password in the New Password attribute.
  6. Enter the new password again to confirm the password change.

Unlocking A User Account

To unlock a user account:

  1. Expand the Compatibility Security node.
  2. Click Users.
  3. In the User Configuration window, click the Unlock Users link.
  4. Enter the names of the user accounts you want to unlock in the Users to Unlock field.
  5. Choose the servers on which you want the user accounts unlocked.
  6. Click Unlock.

Disabling the Guest User

For a more secure deployment, BEA recommends running WebLogic Server with the guest account disabled.

To disable the Guest user:

  1. Expand the Domains node.
  2. Click the View Domain-Wide Security Settings link on the General tab.
  3. Click the Compatibility-->General tab.
  4. Check the Guest Disable checkbox.
  5. Reboot WebLogic Server.

Disabling the guest account only disables the ability to log in to the guest account; it does not disable the ability of unauthenticated users to access a WebLogic Server deployment.

Defining Groups

Note: This section describes how to add groups to the File realm. If you are using an alternate security realm, you need to use the management tools provided in that realm to define a group.

To define a group in the Compatibility realm:

  1. Expand the Compatibility Security node.
  2. Click Groups.
  3. Click the Create a New Group... link.
  4. In the Groups window, enter the name of the group in the Name attribute. BEA recommends naming groups in the plural. For example, Administrators instead of Administrator.
  5. In the Add Users attribute enter the names of the WebLogic Server users you want to add to the group.
  6. In the Add Groups attribute, enter the names of the WebLogic Server groups you want to add to the group.
  7. Click Apply to create a new Group.

Removing Users from a Group

To remove a user from a group:

  1. Expand the Compatibility Security node.
  2. Click Groups.
  3. Select the group from which you want to delete a user.
  4. In the Groups window, check the users you want to remove from the group.
  5. Click Apply.

Deleting Groups

To delete a group:

  1. Expand the Compatibility Security node.
  2. Click Groups.

    The Groups table appears. This table displays the names of all groups defined in the Compatibility realm.

  3. To delete a group, click the trash can icon in the corresponding row of the Groups table.

    Alternatively, enter the name of the group in the Remove These Groups list box on the Group Configuration window and click Remove.

Defining ACLs

To create ACLs for WebLogic resources:

  1. Expand the Compatibility Security node.
  2. Click the ACLs tab.
  3. Click the Create a New ACL... link.
  4. In the ACL Configuration window, specify the name of the WebLogic Server resource that you want to protect with an ACL in the New ACL Name attribute.

    For example, create an ACL for a JDBC connection pool named demopool.

  5. Click Create.
  6. Click on the Add a New Permission link.
  7. Specify a permission for the resource.

    Either create separate ACLs for each permission available for a resource or one ACL that grants all the permissions for a resource. For example, you can create three ACLs for the JDBC connection pool, demopool: one with reserve permission, one with reset permission, and one with shrink permission. Or you can create one ACL with reserve, reset, and shrink permissions.

  8. Specify the WebLogic Server users or groups that have the specified permission on the resource.
  9. Click Apply.

Protecting User Accounts

To protect user accounts in your WebLogic Server domain:

  1. Expand the Domains node.
  2. Click the View Domain-Wide Security Settings link on the General tab.
  3. Click the Compatibility-->Passwords tab.
  4. Set attributes on the tab by entering values at the appropriate prompts and selecting the required checkboxes.
  5. Click Apply.
  6. Reboot WebLogic Server.

Installing an Audit Provider

If your WebLogic Server 6.x security configuration uses an implementation of the weblogic.security.audit.AuditProvider class, the Auditor is not automatically configured in Compatibility security. Configure a Realm Adapter Auditing provider in the Compatibility realm to access the 6.x Auditor.

To configure a Realm Adapter Auditing provider:

  1. Start WebLogic Server.
  2. Start the admin command line tool.
  3. Enter the following commands:

    java weblogic.Admin -url t3://localhost:7001 -username adminusername -password adminpassword CREATE -mbean Security:Name=CompatibilityRealmRealmAdapterAuditor -type weblogic.security.providers.realmadapter.RealmAdapterAuditor commotype

    java weblogic.Admin -url t3://localhost:7001 -username adminusername -password adminpassword SET -mbean Security:Name=CompatibilityRealmRealmAdapterAuditor -property Realm Security:Name=CompatibilityRealm commotype

    java weblogic.Admin -url t3://localhost:7001 -username adminusername -password adminpassword SET -mbean Security:Name=CompatibilityRealm -property Auditors Security:Name=CompatibilityRealmRealmAdapterAuditor commotype

  4. Reboot WebLogic Server.