
Administration Console Online Help


Security

This topic describes configuring and managing security in WebLogic Server 7.0. For more information, see Managing WebLogic Security.

For information about configuring and managing security for WebLogic Server deployments using Compatibility security, see Compatibility Security and Using Compatibility Security in Managing WebLogic Security.

Tasks

The Default Security Configuration in WebLogic Server 7.0

To simplify the configuration and management of security in WebLogic Server, a default security realm (myrealm) is provided. The default security realm has WebLogic Authentication, Identity Assertion, Authorization, Adjudication, Role Mapping, and Credential Mapping providers configured. When using the default security configuration, you only need to define groups, users, and roles for the security realm and create security policies for the WebLogic resources in the domain. You also need to verify that the configuration of the embedded LDAP server is appropriate for your use. Optionally, you can configure an Auditing provider for the default realm.

If the default security configuration does not meet your requirements, you can create a new security realm with any combination of WebLogic and custom security providers and then set the new security realm as the default security realm. For more information, see Configuring a New Security Realm.

Defining Groups

Note: This section applies to the WebLogic Authentication provider only. If you customize the default security configuration to use another authentication provider, you must use the administration tools supplied by that provider to define a group.

User and group names must be unique. BEA recommends using initial capitalization and plural names for groups; for example, Administrators.

To define a group:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, myrealm).
  3. Click Groups.

    The Groups tab appears. This tab displays the names of all groups defined in the WebLogic Authentication provider.

  4. Click the Configure a New Group... link.
  5. On the Groups-->General tab, enter the name of the group.
  6. Enter a short description of the group (for example, Product Managers for Code Examples).
  7. Click Apply to save your changes.
  8. Click the Membership tab to add existing groups to the new group.
    • All available groups appear in the Possible Groups table.
    • All the groups currently defined for a group appear in the Current Groups table.

    To add a group to another group, highlight the desired group name and click the right arrow to move the group name to the Current Groups table.

  9. Click Apply to save your changes.

Deleting Groups

To delete a group:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, myrealm).
  3. Click Groups.

    The Groups table appears. This table displays the names of all groups defined in the WebLogic Authentication provider.

  4. To delete a group, click the trash can icon in the corresponding row of the Groups table.

Defining Users

Note: This section applies to the WebLogic Authentication provider only. If you customize the default security configuration to use another authentication provider, you must use the administration tools supplied by that provider to define a user.

User and group names must be unique. Do not use the username/password combination weblogic/weblogic in production.

To define a user:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, myrealm).
  3. Click Users.

    The Users table appears. This table displays the names of all users defined in the WebLogic Authentication provider.

  4. Click the Configure a New User... link.
  5. On the User-->General tab, enter the name of the user.
  6. Enter a password for the user.
  7. Click Apply to save your changes.

    Note: For more efficient management, BEA recommends adding users to groups.

  8. On the Groups tab:
    • All the available groups appear in the Possible Groups table.
    • All the groups to which the user belongs appear in the Current Groups table.

    To add a user to a group, highlight the desired group name and click the right arrow to move the group name to the Current Groups table.

  9. Click Apply to save your changes.

Deleting Users

To delete a user:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, myrealm).
  3. Click Users.

    The Users table appears. This table displays the names of all users defined in the WebLogic Authentication provider.

  4. To delete a user, click the trash can icon in the corresponding row of the Users table.

Changing the Password of a User

To change the password of a user:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, myrealm).
  3. Click Users.
  4. Select a user.
  5. Click the Change... link in the Password attribute.
  6. Enter a password for the user.
  7. Click Apply.

Protecting User Accounts

WebLogic Server provides a set of attributes to protect user accounts from intruders. By default, these attributes are set for maximum protection. As a system administrator, you have the option of turning off all the attributes, increasing the number of login attempts allowed before a user account is locked, increasing the time period in which invalid login attempts are counted before the user account is locked, and changing the amount of time a user account stays locked. Remember that loosening these attributes lessens security and leaves user accounts vulnerable to attack.

To set the User Lockout attributes:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, myrealm).
  3. Select the User Lockout tab.
  4. Configure the attributes on this tab by entering values at the appropriate prompts and selecting the required checkboxes.

    If a user account exceeds the values set for the attributes on this tab, the user account becomes locked and the table on the Users tab has the word Details in the table row for the user account.

  5. To save your changes, click Apply.
  6. Reboot WebLogic Server.
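The lockout behaviour that these attributes control, shown as an added example rather than WebLogic code: a small sliding-window tracker with the three knobs the text describes (attempts allowed, the period in which they are counted, and the lock duration). The parameter names, their defaults, and the lock-event record standing in for what the Details link shows are assumptions of this example.

```python
"""Account-lockout tracker modelled on the three User Lockout knobs described
above: the number of failed attempts allowed, the period in which those
attempts are counted, and how long the account then stays locked.
Added example, not WebLogic code; parameter names and defaults are assumptions."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 5           # failed logins before the account locks (assumed default)
    reset_window_s: int = 300       # failures older than this no longer count (assumed default)
    lockout_duration_s: int = 1800  # how long the account stays locked (assumed default)


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: Optional[float] = None
    lock_events: List[dict] = field(default_factory=list)  # stand-in for the console's Details record


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """Locked accounts unlock automatically once the lockout duration has elapsed."""
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed login; return True if this failure locked the account."""
        st = self._state(user)
        if self.is_locked(user, now):
            return False  # already locked; nothing more to count
        # Forget failures that fall outside the reset window (sliding window).
        while st.failures and now - st.failures[0] > self.policy.reset_window_s:
            st.failures.popleft()
        st.failures.append(now)
        if len(st.failures) >= self.policy.max_failures:
            st.locked_until = now + self.policy.lockout_duration_s
            st.lock_events.append({"locked_at": now, "failure_times": list(st.failures)})
            st.failures.clear()
            return True
        return False

    def record_success(self, user: str, now: float) -> bool:
        """A correct password on a locked account is still rejected; otherwise the
        failure count resets. Returns whether the login is allowed."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()
        return True

    def unlock(self, user: str) -> None:
        """Administrative unlock, the equivalent of clicking Unlock on the Details tab."""
        st = self._state(user)
        st.locked_until = None
        st.failures.clear()
```

The window is sliding: only failures younger than the reset period count, so a slow trickle of bad passwords never trips the threshold, while a burst does and then blocks even a correct password until the lock expires or an administrator unlocks the account.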

Unlocking a User Account

To unlock a user account:

  1. Click the Details link in the Users table.

    The Details tab describes the event that occurred when the user was locked out.

  2. Click Unlock.

Defining Global Roles

Note: BEA recommends using initial capitalization and singular names for global roles; for example, SecurityEng.

To define a global role:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, myrealm).
  3. Click Roles.

    The Roles tab appears. This tab displays the names of all roles defined in the default Role Mapping provider.

  4. Click the Configure a New Role... link.
  5. On the Roles-->General tab, enter the name of the role (for example, SecurityEng).
  6. Click Apply.
  7. Grant the role to users and/or groups.

    Select the Roles-->Conditions tab. Use the following options available in the Role Condition table to grant a role to users and/or groups:

    • User name of the caller—Grants a user the role. Multiple users can be granted the same role; however, BEA recommends adding the users to a group and then granting the group the role. The user must be defined in the Authentication provider configured in the default security realm.
    • Caller is member of group—Grants a group the role. Multiple groups can be granted the same role. The group must be defined in the Authentication provider in the default security realm.
    • Hours of Access are between—Specifies a time period in which the role is in effect.
  8. Choose an option and click Add.
  9. On the Add window, enter the name of the user or group that is to be granted the role.

    Use the Add window to grant multiple users or groups a role. As you grant users and groups a role, the users or groups are listed on the Add window.

  10. Click Add.
  11. Use the buttons on the Add window to modify the Role statement:
    • Move Up and Move Down change the ordering of expressions in the Role statement.
    • Change switches the highlighted expression between and and or.
    • Remove deletes the highlighted expression.
  12. Click OK.
  13. In addition to granting a role to users or groups, you can specify a time period (called a time constraint) in which the role is in effect. For example, you might create a BankTeller role that is only in effect when the bank is open. To associate a time constraint with a role, choose the Hours of Access Are Between option on the Role Condition tab.
  14. In the Time Constraint window, specify the hours during which this role is to be active.
  15. Click OK.
  16. The expressions for the users and groups granted the role and the time constraints for the role appear in the Role statement on the Role Conditions tab. Use Move Up, Move Down, Change, and Edit to modify the Role statement. Reset clears the Role statement.
  17. When you have finished making changes to the users, groups, and time constraints for a role, click Apply to grant the global role.

    The information is stored in a Role Mapping provider. By default, the WebLogic Role Mapping provider is configured and the role information is stored in the embedded LDAP server.

Removing a User, Group, or Time Constraint From a Global Role

  1. Highlight the expression for the user, group, or time constraint in the Role statement on the Role Conditions tab.
  2. Click Remove.
  3. Click Apply to save your change.

Deleting Global Roles

To delete a global role:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, myrealm).
  3. Click Roles.

    The Roles table appears. This table displays the names of the global roles defined in the security realm.

  4. To delete a role, click the trash can icon in the corresponding row of the Roles table.

    A confirmation window appears.

  5. Click Yes to delete the global role.

Protecting WebLogic Resources

TBS

Configuring the Embedded LDAP Server

The embedded LDAP server contains user, group, group membership, role, security policy and credential information. The WebLogic Authentication, Authorization, Role Mapping, and Credential Mapping providers use the embedded LDAP server as a storage mechanism. If you use any of these WebLogic security providers, you need to configure the embedded LDAP server.

To configure the embedded LDAP server:

  1. Expand the Domain node (for example, Examples).
  2. Click the View Domain-Wide Security Settings link on the General tab.
  3. Select the Security Configuration-->Embedded LDAP tabs.
  4. Set attributes on the Embedded LDAP Server tab.
  5. Click Apply to save your changes.
  6. Reboot WebLogic Server.

Note: The WebLogic Security providers store their data in the embedded LDAP server. When you delete a WebLogic Security provider, the security data in the embedded LDAP server is not automatically deleted. The security data remains in the embedded LDAP server in case you want to use the provider again. Use an external LDAP browser to delete the security data from the embedded LDAP server.

Configuring Backups for the Embedded LDAP Server

To configure the backups of the embedded LDAP server:

  1. Expand the Domain node (for example, Examples).
  2. Click the View Domain-Wide Security Settings link on the General tab.
  3. Select the Security Configuration-->Embedded LDAP tabs.
  4. Set the Backup Hour, Backup Minute, and Backup Copies attributes on the Embedded LDAP Server tab.
  5. Click Apply to save your changes.
  6. Reboot WebLogic Server.

Configuring a New Security Realm

To configure a new security realm:

  1. Expand the Security node.
  2. Expand the Realms node.

    All the security realms available for the WebLogic domain are listed in the Realms table.

  3. Click the Configure a new Realm... link.
  4. Enter the name of the new security realm in the Name attribute on the General tab.
  5. Set the J2EE Security Mode attribute.

    The J2EE Security Mode attribute specifies whether or not security for EJBs and Web applications is defined through the Administration Console or through deployment descriptors. The following options are available:

    • Enforce on all methods—This option specifies that all security for EJBs and Web applications is set through the Define Role and Define Policy functions of the Administration Console. When choosing this option, you also need to set the Deployment Descriptor Security Behavior attribute.
    • Limit Enforcement to deployment descriptor—This option specifies that security is only enforced for EJBs and Web applications that have security defined in the deployment descriptor. Each time an application is deployed, the deployment descriptor updates the security information in the Administration Console. When choosing this option, the Deployment Descriptor Security Behavior attribute is grayed out.
  6. If you set the J2EE Security mode attribute to Enforce on all methods, set the Deployment Descriptor Security Behavior attribute.

    The Deployment Descriptor Security Behavior attribute specifies whether or not WebLogic Server loads security data from the weblogic.xml and weblogic-ejb-jar.xml deployment descriptors into the Authorization and Role Mapping providers configured for the security realm each time an application is deployed. The following options are available:

    • Seed security from deployment descriptors—Choose this option to load security data from deployment descriptors into the Authorization, Role Mapping, and Credential Mapping providers configured for the security realm. Once the security data from deployment descriptors is loaded into the Authorization, Role Mapping, and Credential Mapping providers, changes made through the WebLogic Server Administration Console take effect immediately but are not persisted back to the deployment descriptors. Therefore, each time an application is deployed, the deployment descriptors are used to update the information in the Administration Console.
    • Ignore security in deployment descriptors—Choose this option to ONLY specify security for EJBs and Web applications through the Administration Console. Any security changes made in the deployment descriptors are not persisted to the Administration Console.
  7. The Web resource is deprecated in WebLogic Server 7.0 SP02. If you wrote a custom Authorization provider that uses the Web resource (instead of the URL resource), enable the Use Deprecated Web Resource attribute. This attribute changes the runtime behavior of the Servlet container to use a Web resource rather than a URL resource when performing authorization.
  8. Click Create.
  9. Configure the required security providers for the security realm. In order for a security realm to be valid, you must configure an Authentication provider, an Authorization provider, an Adjudication provider, a Credential Mapping provider, and a Role Mapping provider. Otherwise, you will not be able to set the new security realm as the default security realm.
  10. Optionally, define an Identity Assertion and Auditing provider.
  11. Define groups and users for the security realm. For more information, see Defining Groups and Defining Users.
  12. Grant roles to the users and groups in the security realm. For more information, see Defining Global Roles.
  13. Protect WebLogic resources in the security realm with security policies.
  14. Reboot WebLogic Server. If you do not reboot WebLogic Server, you cannot set the realm to the default security realm.
  15. Set the new realm as the default security realm for the WebLogic domain. For more information, see Changing the Default Security Realm.

Configuring an Authentication Provider: Main Steps

WebLogic Server offers the following types of Authentication providers:

In addition, you can use a Custom Authentication provider which offers different types of authentication technologies.

Note: The Administration Console refers to the WebLogic Authentication provider as the Default Authenticator.

Each security realm must have at least one Authentication provider configured. The WebLogic Security Framework is designed to support multiple Authentication providers (and thus multiple LoginModules) for multipart authentication. Therefore, you can use multiple Authentication providers, as well as multiple types of Authentication providers, in a security realm. The Control Flag attribute determines how the LoginModules for each Authentication provider are used in the authentication process. For more information, see Setting the JAAS Control Flag.

To configure an Authentication provider:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers-->Authentication Providers nodes.
  4. Choose an Authentication provider by selecting the appropriate link.
    • Configure a new Active Directory Authenticator...
    • Configure a new Realm Adapter Authenticator...
    • Configure a new Novell Authenticator...
    • Configure a new iPlanet Authenticator...
    • Configure a new Default Authenticator...
    • Configure a new OpenLDAP Authenticator...
  5. Go to the appropriate sections to configure an Authentication provider.
  6. Repeat these steps to configure additional Authentication providers.

    If you are configuring multiple Authentication providers, refer to Setting the JAAS Control Flag.

  7. After you finish configuring Authentication providers, reboot WebLogic Server.

Setting the JAAS Control Flag

If a security realm has multiple Authentication providers configured, the Control Flag attribute on the Authenticator-->General tab determines the ordered execution of the Authentication providers. The values for the Control Flag attribute are as follows:

Configuring the WebLogic Authentication Provider

Note: The Administration Console refers to the WebLogic Authentication provider as the Default Authenticator.

The WebLogic Authentication provider is case insensitive, so ensure that user names are unique even when case is ignored.

The WebLogic Authentication provider allows you to edit, list, and manage users and group membership. User and group membership information for the WebLogic Authentication provider is stored in the embedded LDAP server.

To configure the WebLogic Authentication provider:

  1. Configure the embedded LDAP server as described in Configuring the Embedded LDAP Server.
  2. Expand the Security-->Realms nodes.
  3. Click the name of the realm you are configuring (for example, TestRealm).
  4. Expand the Providers-->Authentication Providers nodes.
  5. Choose the Configure a new Default Authenticator... link.
  6. Define values for the attributes on the General tab.
  7. Click Apply to save your changes.
  8. Define values on the Details tab.
  9. Optionally, configure additional Authentication providers.
  10. Reboot WebLogic Server.

Configuring an LDAP Authentication Provider

To configure an LDAP Authentication provider:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers-->Authentication Providers nodes.
  4. Choose an LDAP Authentication provider from the following available links:
    • Configure a new Active Directory Authenticator...
    • Configure a new Novell Authenticator...
    • Configure a new OpenLDAP Authenticator...
    • Configure a new iPlanet Authenticator...
  5. If you are using multiple Authentication providers, define a value for the Control Flag attribute on the General tab. For more information, see Setting the JAAS Control Flag.
  6. Click Apply to save your changes.
  7. Proceed to Setting LDAP Server and Caching Information.

Setting LDAP Server and Caching Information

To set LDAP server and caching information:

  1. Click the LDAP tab under the Configuration tab for the LDAP Authentication provider you want to use.

    For example, click the iPlanet LDAP tab under the iPlanet Configuration tab.

  2. Enable communication between WebLogic Server and the LDAP server by defining values for the attributes shown on the LDAP tab.
  3. To save your changes, click Apply.
  4. Click the Details tab to configure additional attributes that control the behavior of the LDAP server. The following attributes are available:
    • Follow Referrals—Specifies that a search for a user or group within the Active Directory Authentication provider will follow referrals to other LDAP servers or branches within the LDAP directory. By default, this attribute is enabled.
    • Bind Anonymously On Referrals—By default, an LDAP Authentication provider uses the same DN and password used to connect to the LDAP server when following referrals during a search. If you want to connect as an anonymous user, enable this attribute. Contact your LDAP system administrator for more information.
    • Results Time Limit—The maximum number of milliseconds for the LDAP server to wait for results before timing out. If this attribute is set to 0, there is no maximum time limit. The default is 0.
    • Connect Timeout—The maximum time in seconds to wait for the connection to the LDAP server to be established. If this attribute is set to 0, there is no maximum time limit. The default is 0.
    • Parallel Connect Delay—The delay in seconds between concurrent attempts to connect to multiple LDAP servers. If this attribute is set to 0, connection attempts are serialized: an attempt is made to connect to the first server in the list, and the next entry in the list is tried only if the attempt to connect to the current host fails. If this attribute is not set and an LDAP server is unavailable, an application may be blocked for a long time. If this attribute is greater than 0, another connection attempt is started after the specified delay.
  5. To save your changes, click Apply.
  6. Proceed to Locating Users in the LDAP Directory.

For a more secure deployment, BEA recommends using the SSL protocol to protect communications between the LDAP server and WebLogic Server. For more information, see Configuring Two-Way SSL.

Locating Users in the LDAP Directory

To specify how users are located in the LDAP directory:

  1. Click the Users tab under the Configuration tab for the LDAP server you chose.

    For example, click the Users tab under the iPlanet Configuration tab.

  2. Define information about how users are stored and located in the LDAP directory by defining values for the attributes shown on the Users tab.
  3. To save your changes, click Apply.
  4. Proceed to Locating Groups in the LDAP Directory.

Locating Groups in the LDAP Directory

To specify how groups are stored and located in the LDAP directory:

  1. Click the Groups tab under the Configuration tab.

    For example, click the Groups tab under the iPlanet Configuration tab.

  2. Define information about how groups are stored and located in the LDAP directory by defining values for the attributes shown on the Groups tab.
  3. To save your changes, click Apply.
  4. Proceed to Locating Members of a Group in the LDAP Directory.

Locating Members of a Group in the LDAP Directory

Note: The iPlanet Authentication provider supports dynamic groups. To use dynamic groups, set the Dynamic Group Object Class, Dynamic Group Name Attribute, and Dynamic Member URL Attribute attributes on the Members tab.

To specify how group members are stored and located in the LDAP directory:

  1. Click on the Membership tab under the Configuration tab.

    For example, click the Membership tab under the iPlanet Configuration tab.

  2. Define information about how group members are stored and located in the LDAP directory by defining values for the attributes shown on the Membership tab.
  3. To save your changes, click Apply.
  4. Optionally, configure additional Authentication and/or Identity Assertion providers.
  5. Reboot WebLogic Server.

Configuring the Realm Adapter Authentication Provider

To configure the Realm Adapter Authentication provider:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers-->Authentication Providers nodes.
  4. Choose the Configure a new Realm Adapter Authenticator... link.
  5. Define values for the attributes on the General tab.
  6. Click Apply to save your changes.
  7. Optionally, configure additional Authentication and/or Identity Assertion providers.
  8. Reboot WebLogic Server.

Changing the Order of Authentication Providers

The way you configure multiple Authentication providers can affect the overall outcome of the authentication process, which is especially important for multipart authentication. Authentication providers are called in the order in which they are configured. The Authentication Providers table lists the authentication providers in the order they were configured. Click the Re-order the Configured Authentication Providers... link to change the order of the providers. Be aware that the way each Authentication provider's Control Flag attribute is set affects the outcome of the authentication process. For more information, see Setting the JAAS Control Flag.

To change the ordering of Authentication providers:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers-->Authentication Providers nodes.
  4. Choose the Re-order the Configured Authentication Providers... link.
  5. Select an Authentication provider from the list of configured Authentication providers.
  6. Use the arrow buttons to move it up or down in the list.
  7. Click Apply to save your changes.
  8. Reboot WebLogic Server.
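The interplay of provider order and Control Flag that this section and Setting the JAAS Control Flag describe, as an added example that is not WebLogic code: a simulation of a stack of Authentication providers evaluated with the standard JAAS LoginModuleControlFlag semantics (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL, as defined for javax.security.auth.login.AppConfigurationEntry). The two providers and their user stores are constructed stand-ins, not real authenticators.

```python
"""Simulation of how a stack of Authentication providers is evaluated, using the
standard JAAS LoginModuleControlFlag semantics and the configured provider order.
Added example, not WebLogic code; the providers and user stores are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# The four standard JAAS control-flag values.
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

LoginModule = Callable[[str, str], bool]
Provider = Tuple[str, str, LoginModule]  # (control flag, provider name, login module)


@dataclass
class LoginResult:
    success: bool
    consulted: List[str] = field(default_factory=list)  # providers actually called, in order


def password_store(users: Dict[str, str]) -> LoginModule:
    """Stand-in for one provider's LoginModule: succeeds iff user/password match the store."""
    return lambda user, password: users.get(user) == password


def authenticate(stack: List[Provider], user: str, password: str) -> LoginResult:
    """Walk the providers in configured order and apply the JAAS control-flag rules:
    REQUIRED   must succeed, but the walk always continues to the next provider;
    REQUISITE  must succeed, and a failure stops the walk immediately;
    SUFFICIENT success stops the walk with success unless an earlier REQUIRED/REQUISITE failed;
    OPTIONAL   never decides on its own.
    If no REQUIRED/REQUISITE provider is configured, at least one SUFFICIENT or
    OPTIONAL provider must succeed."""
    result = LoginResult(success=False)
    required_all_ok = True
    saw_required = False
    some_non_required_ok = False
    for flag, name, module in stack:
        ok = module(user, password)
        result.consulted.append(name)
        if flag in (REQUIRED, REQUISITE):
            saw_required = True
            if not ok:
                required_all_ok = False
                if flag == REQUISITE:
                    return result  # short-circuit failure
        elif flag == SUFFICIENT:
            if ok and required_all_ok:
                result.success = True
                return result  # short-circuit success; later providers are not consulted
            some_non_required_ok |= ok
        elif flag == OPTIONAL:
            some_non_required_ok |= ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    result.success = required_all_ok if saw_required else some_non_required_ok
    return result


# Constructed stand-ins for an external LDAP authenticator and the Default Authenticator,
# each knowing a different set of users.
ldap_authenticator = password_store({"smith": "ldap-secret"})
default_authenticator = password_store({"weblogic": "console-secret"})
```

Running the same credentials through different stacks shows the operational point: with both providers flagged REQUIRED, a user who exists in only one store can never log in, while with both flagged SUFFICIENT the first provider that accepts the credentials decides and the rest are not consulted, so the configured order determines which store answers first.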

Configuring the WebLogic Authorization Provider

Note: The Administration Console refers to the WebLogic Authorization provider as the Default Authorizer.

To configure the WebLogic Authorization provider:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers node.
  4. Click Authorizers.
  5. Click the Configure a new Default Authorizer... link.
  6. Define values for the attributes on the General tab.
  7. Click Apply to save your changes.
  8. Reboot WebLogic Server.

Configuring the WebLogic Credential Mapping Provider

To configure the WebLogic Credential Mapping provider:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers node.
  4. Click Credential Mappers.
  5. Click the Configure a new Default Credential Mapper... link.
  6. On the General tab, set the Credential Mapping Deployment Enabled attribute.

    The Credential Mapping Deployment Enabled attribute specifies whether or not this Credential Mapping provider imports credential maps from a 6.x Resource Adapter Archive (RAR). In order to support the Credential Mapping Deployment Enabled attribute, a Credential Mapping provider must implement the DeployableCredentialProvider SSPI. By default, the WebLogic Credential Mapping provider has this attribute enabled. The credential mapping information is stored in the embedded LDAP server.

  7. Click Apply to save your changes.
  8. Reboot WebLogic Server.

Configuring the WebLogic Role Mapping Provider

To configure a Role Mapping provider:

  1. Expand the Security node.
  2. Expand the Realms node.
  3. Click the name of the realm you are configuring (for example, TestRealm).
  4. Click the Providers node.
  5. Click Role Mappers.

    The Role Mappers tab appears. This tab displays the name of the default Role Mapping provider for the realm that is being configured.

  6. Click the Configure a new Default Role Mapper... link.

    The General tab appears.

  7. Define values for the attributes on the General tab.
  8. Click Apply to save your changes.
  9. Reboot WebLogic Server.

Configuring a WebLogic Identity Assertion Provider

Note: If you are creating a new security realm, configuring an Identity Assertion provider is an optional step.

The Administration Console refers to the WebLogic Identity Assertion provider as the Default Identity Asserter.

To configure the WebLogic Identity Assertion provider:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers-->Authentication Providers nodes.
  4. Choose the Configure a new Default Identity Asserter... link from the Authenticators tab.
  5. Define values for the attributes on the General tab.
  6. Click Apply to save your changes.
  7. Optionally, configure additional Authentication and/or Identity Assertion providers.
  8. Reboot WebLogic Server.

Configuring the WebLogic Adjudication Provider

Note: The Administration Console refers to the WebLogic Adjudication provider as the Default Adjudicator.

To configure the WebLogic Adjudication provider:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers node.
  4. Click Adjudicators.
  5. Click the Configure a new Default Adjudicator... link.
  6. Optionally, on the General tab, set the Require Unanimous Permit attribute.
  7. Click Apply to save your changes.
  8. Reboot WebLogic Server.

Configuring a WebLogic Auditing Provider

Warning: Using an Auditing provider affects the performance of WebLogic Server even if only a few events are logged.

If you are creating a new security realm, configuring an Auditing provider is an optional step. The Administration Console refers to the WebLogic Auditing provider as the Default Auditor.

To configure the WebLogic Auditing provider:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers node.
  4. Click Auditors.
  5. Click the Configure a new Default Auditor... link.

    The General tab appears.

  6. Choose the auditing severity level appropriate for your WebLogic Server deployment.
  7. Click Create to save your changes.
  8. Reboot WebLogic Server.

Configuring a Custom Security Provider

To configure a Custom security provider:

  1. Write a Custom security provider. For more information, see Developing Security Providers for WebLogic Server.
  2. Put the MBean JAR file for the provider in the WL_HOME\lib\mbeantypes directory.
  3. Start the Administration Console.
  4. Expand the Security-->Realms nodes.
  5. Click the name of the realm you are configuring (for example, TestRealm).
  6. Expand the Providers node.
  7. Expand the node for the type of provider you are configuring. For example, expand the Authentication Providers node to configure a Custom Authentication provider.

    The tab for the provider appears.

  8. Click the Configure a new Custom Security_Provider_Type... link

    where Security_Provider_Type is the name of your custom security provider. This name is read from the DisplayName attribute in the MBeanType tag of the MBean Definition File (MDF).

  9. The General tab appears.

    The Name attribute displays the name of your Custom Security provider.

  10. If desired, adjust the values for the attributes for the Custom Security provider.
  11. Click Apply to save your changes.
  12. Reboot WebLogic Server.

Deleting a Security Provider

To delete a security provider:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm in which the provider you want to delete is configured (for example, TestRealm).
  3. Expand the Providers node.
  4. Click the type of provider you want to delete (for example, TestRealm-->Authorizers).
  5. The table page for the provider appears (for example, the Authorizers table). The table page for the provider displays the names of all the available providers.
  6. To delete a provider, click the trash can icon in the corresponding row of the provider table.
  7. Reboot WebLogic Server.

Note: Deleting and modifying configured security providers by using the Administration Console may require manual cleanup of the databases.

Configuring a User Name Mapper

When using 2-way SSL, WebLogic Server verifies the digital certificate of the Web browser or Java client when establishing an SSL connection. However, the digital certificate does not identify the Web browser or Java client as a user in the WebLogic Server security realm. If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires the Web browser or Java client to have an identity. The WebLogic Identity Assertion provider allows you to enable a user name mapper that maps the digital certificate of a Web browser or Java client to a user in a WebLogic Server security realm.

The user name mapper is an implementation of the weblogic.security.providers.authentication.UserNameMapper interface. By default, WebLogic Server provides a default implementation of the weblogic.security.providers.authentication.UserNameMapper interface. You can also write your own implementation.

The WebLogic Identity Assertion provider calls the user name mapper for the following identity assertion token types:

The default user name mapper uses the attributes from the subject DN of the digital certificate or the distinguished name to map to the appropriate user in the WebLogic Server security realm. For example, the user name mapper can be configured to map a user from the Email attribute of the subject DN (smith@bea.com) to a user in the WebLogic Server security realm (smith).

To use the default user name mapper:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers-->Authentication Providers nodes.
  4. Choose the Default Identity Assertion provider.
  5. Click the Details tab.
  6. Check the Use the Default User Name Mapper attribute to enable the user name mapper.
  7. Specify the following attributes:
    • Default User Name Mapper Attribute Type—The attribute of the subject distinguished name (DN) in a digital certificate used to create a username. Valid values are: C, CN, E, L, O, and OU.
    • Default User Name Mapper Attribute Delimiter—The attribute that ends the username. The user name mapper uses everything to the left of the attribute to create a username.
  8. Click Apply.
  9. Reboot WebLogic Server.
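The mapping the default user name mapper performs (pick one attribute of the subject DN, keep everything left of the delimiter) is easy to reason about in a few lines. The following is an added example, not WebLogic's own code: it takes a subject DN as an RFC 2253 style string rather than an X.509 certificate, the sample DNs are constructed, and the helper names are hypothetical. A DN that lacks the configured attribute yields no username, which is the case an identity assertion must reject rather than guess.

```python
import re
from typing import Optional

# Attribute types the console accepts for Default User Name Mapper Attribute Type.
VALID_ATTRIBUTE_TYPES = {"C", "CN", "E", "L", "O", "OU"}

# Constructed sample subject DNs (not taken from the original page).
SAMPLE_DNS = [
    "CN=smith,E=smith@bea.com,OU=Engineering,O=BEA Systems,C=US",
    "E=jones@example.com,CN=Jones\\, Pat,O=Example\\, Inc.,C=US",
    "CN=anonymous,O=Nobody,C=US",          # no E attribute at all
]


def parse_dn(dn: str) -> dict:
    """Split a subject DN into {TYPE: value}, honouring backslash-escaped commas.

    If an attribute type occurs more than once, the first occurrence wins.
    """
    attrs = {}
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            continue                       # tolerate stray separators
        key, value = part.split("=", 1)
        key = key.strip().upper()
        attrs.setdefault(key, value.strip().replace("\\,", ","))
    return attrs


def map_dn_to_username(dn: str, attribute_type: str = "E",
                       delimiter: str = "@") -> Optional[str]:
    """Mirror the default mapper: attribute value up to the delimiter.

    attribute_type corresponds to Default User Name Mapper Attribute Type and
    delimiter to Default User Name Mapper Attribute Delimiter.  Returns None
    when the DN carries no such attribute, so the caller cannot assert an
    identity for a certificate that does not name one.
    """
    attribute_type = attribute_type.upper()
    if attribute_type not in VALID_ATTRIBUTE_TYPES:
        raise ValueError(f"unsupported attribute type {attribute_type!r}")
    value = parse_dn(dn).get(attribute_type)
    if value is None:
        return None
    if delimiter:
        value = value.split(delimiter, 1)[0]   # keep everything left of it
    return value.strip() or None


if __name__ == "__main__":
    for sample in SAMPLE_DNS:
        print(f"{sample!r} -> {map_dn_to_username(sample)!r}")
```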

Configuring a Custom User Name Mapper

To install a custom user name mapper:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Expand the Providers-->Authentication Providers nodes.
  4. Choose the Default Identity Assertion provider.
  5. Click the General tab.
  6. Enter the name of the implementation of the weblogic.security.providers.authentication.UserNameMapper interface in the User Name Mapper Class Name attribute.
  7. Click Apply.
  8. Reboot WebLogic Server.

Importing and Exporting Security Data from Security Realms

When creating new security realms, security data (authentication, authorization, credential map, and role data) from one security realm can be exported into a file and then imported into another security realm. This feature allows you to develop and test new security realms without recreating all the security data (for example, when moving a development security realm to production). Only information from the WebLogic security providers can be exported and imported. Two options are available:

Note: You can only export and import security data between security realms in the same WebLogic Server release.

To export and import security data:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Click the Migration-->Export tab.
  4. Specify the directory and filename in which to export the security data in the Export Directory on Server attribute.

    Note: You can specify a directory and file location on another server.

  5. Click Export.
  6. Expand the Realms node.
  7. Click the name of the security realm in which the security data is to be imported.
  8. Click the Migration-->Import tab.
  9. Specify the directory location and file name of the file that contains the exported security data in the Import Directory on Server attribute.
  10. Click Import.

To verify the security data was imported correctly:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm into which the security data was imported.
  3. Click Users.
  4. Users from the security realm from which you exported the security data should appear in the Users table.

Importing and Exporting Security Data from Security Providers

Provider-specific security data can also be exported and imported between providers in different security realms. Each provider displays the supported formats (DefaultAtn, DefaultAtz, DefaultCreds, or DefaultRoles). The constraints define the data types (users, groups, roles, and credmaps). The constraints are only displayed for the WebLogic Authentication provider because you have the option of exporting or importing users and groups, just users, just groups, specific users, or specific groups.

To export and import security data from a security provider:

  1. Expand the Security-->Realms nodes.
  2. Click the name of the realm you are configuring (for example, TestRealm).
  3. Click the type of provider from which you want to export security data (for example, Authentication Providers).
  4. Click the security provider from which you want to export security data.
  5. Click the Migration-->Export tab.
  6. Specify the directory and filename in which to export the security data in the Export Directory attribute.
  7. Optionally, define a specific set of security data to be exported in the Export Constraints box.
  8. Click Export.
  9. Expand the Realms node.
  10. Click the name of the security realm in which the security data is to be imported.
  11. Expand the Providers node.
  12. Click the security provider in which the security data is to be imported.
  13. Click the Migration-->Import tab.
  14. Specify the directory location and file name of the file that contains the exported security data in the Import Directory on Server attribute or use the Browse button to locate the exported file on your computer.
  15. Click Import.

Changing the Default Security Realm

By default, WebLogic Server sets myrealm as the default security realm.

  1. Configure a new security realm. For more information, see Configuring a New Security Realm.
  2. Reboot WebLogic Server.
  3. Expand the Domain node (for example, Examples).
  4. Click the View Domain-Wide Security Settings link on the General tab.
  5. Select the Security Configuration-->General tab.

    The pull-down menu on the Default Realm attribute displays the security realms configured in the WebLogic domain.

    Note: If you create a new security realm but do not configure the required security providers, the realm will not be available from the pull-down menu.

  6. Select the security realm you want to set as the default security realm.
  7. Click Apply.
  8. Reboot WebLogic Server. If you do not reboot WebLogic Server, the new realm is not set as the default security realm.

To verify you set the default security realm correctly:

  1. Expand the Security node.
  2. Expand the Realm node.

    The Realms table appears. All the realms available in the domain are listed. The default security realm has the Default Realm attribute set to true.

Deleting A Security Realm

  1. Expand the Security node.
  2. Expand the Realm node.

    The Realms table appears. All the realms available in the domain are listed in a table.

  3. To delete a security realm, click the trash can icon in the corresponding row of the Realms table.
  4. A Delete confirmation window appears.
  5. Click Yes in response to the following prompt:

    Are you sure you want to permanently delete OldRealm from the domain configuration?

    A confirmation message appears when the security realm is deleted.

Configuring Keystores and SSL

Note: For a complete description of configuring a keystore for use with WebLogic Server, see Managing WebLogic Security.

By default, WebLogic Server is configured with two keystores:

These keystores are located in the BEA_HOME\weblogic710\server\lib directory. For testing and development purposes, the keystore configuration is complete. Use the steps in this section to configure identity and trust keystores for production use.

Before you perform the steps in this section, you need to:

  1. Obtain private keys and digital certificates from a reputable certificate authority such as Verisign, Inc. or Entrust.net.
  2. Create identity and trust keystores.
  3. Load the private keys and trusted CAs into the keystores.

For a complete description of these steps, see Managing WebLogic Security.

To set attributes for the identity and trust keystores:

  1. Expand the Servers node.
  2. Click the name of the server for which you want to configure keystores (for example, exampleserver).
  3. Click the Configuration-->Keystores and SSL tabs.

    The information about the demonstration keystores is displayed in the Keystore Configuration.

  4. Click the Change... link in the Keystore Configuration to configure new keystores.
  5. Choose the type of keystore configuration being used. The following options are available:
    • Demo Identity and Demo Trust—The demonstration identity and trust keystores located in the BEA_HOME\weblogic710\server\lib directory and configured by default.
    • Custom Identity and Java Standard Trust—A keystore you create and the trusted CAs defined in the cacerts file in the JAVA_HOME\jre\lib\security\cacerts directory.
    • Custom Identity and Custom Trust—Identity and trust keystores you create.
    • Custom Identity and Command-Line Trust—An identity keystore you create and command-line arguments that specify the location of the trust keystore.
  6. Click Continue.
  7. Define attributes for the Identity keystore.
    • Custom Identity Keystore File—The fully qualified path to the identity keystore.
    • Custom Identity Keystore Type—The type of the keystore. Generally, this attribute is jks.
    • Custom Identity Keystore Passphrase—The password defined when creating the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore so whether or not you define this property depends on the requirements of the keystore.
  8. Define properties for the trust keystore.

    If you choose Java Standard Trust, specify the password defined when creating the keystore. Confirm the password.

    If you choose Custom Trust, define the following attributes:

    • Custom Trust Keystore File—The fully qualified path to the trust keystore.
    • Custom Trust Keystore Type—The type of the keystore. Generally, this attribute is jks.
    • Custom Trust Keystore Passphrase—The password defined when creating the keystore. This attribute is optional or required depending on the type of keystore. All keystores require the passphrase in order to write to the keystore. However, some keystores do not require the passphrase to read from the keystore. WebLogic Server only reads from the keystore so whether or not you define this property depends on the requirements of the keystore.
  9. Click Continue.
  10. If necessary, update the definitions for the SSL attributes. The attributes are:
    • Alias—The alias you used when loading the private key for WebLogic Server into the identity keystore.
    • Passphrase—The password used to retrieve the private key for WebLogic Server from the identity keystore.
    • Confirm—Re-enter the password.
  11. Click Continue.
  12. Click Finish.
  13. Reboot WebLogic Server.

Configuring Two-Way SSL

By default, WebLogic Server is configured to use one-way SSL (the server passes its identity to the client). For a more secure SSL connection, use two-way SSL. In a two-way SSL connection, the client verifies the identity and trust of the server and then passes its identity and trust to the server. The server then validates the identity and trust of the client before completing the SSL connection. The server determines whether or not two-way SSL is used.

To enable two-way SSL:

  1. Expand the Servers node.
  2. Click the name of the server for which you want to configure keystores (for example, exampleserver).
  3. Click the Configuration-->Keystores and SSL tabs.
  4. Click the Show link under Advanced Options.
  5. Go to the Server attributes section of the window.
  6. Set the Two Way Client Cert Behavior attribute. The following options are available:
    • Client Certs Not Requested—The default (meaning one-way SSL).
    • Client Certs Requested But Not Enforced—Requires a client to present a certificate. If a certificate is not presented, the SSL connection continues.
    • Client Certs Requested And Enforced—Requires a client to present a certificate. If a certificate is not presented, the SSL connection is terminated.
  7. Click Apply.
  8. Reboot WebLogic Server.

Enabling Trust Between WebLogic Domains

A trust relationship is established when principals in a Subject from one WebLogic Server domain (referred to as a domain) are accepted as principals in the local domain. If you want two 7.0 domains to interoperate, perform the following procedure in both domains.

To establish a trust relationship between WebLogic Server domains:

  1. Expand the Domains node (for example, Examples).
  2. Click the View Domain-Wide Security Settings link on the General tab.
  3. Select the Security Configuration-->Advanced tab.
  4. Click the Change... link in the Credential attribute.
  5. Enter a password for the domain. Choose the password carefully. BEA Systems recommends using a combination of upper and lower case letters and numbers.
  6. Confirm the password.
  7. Click Apply.

Configuring Connection Filtering

To configure a connection filter:

  1. Expand the Domains node.
  2. Click the View Domain-Wide Security Settings link on the General tab.
  3. Select the Security Configuration-->Filter tab.
  4. Click the Connection Logger Enabled attribute to enable the logging of accepted messages.
  5. Enter the class that implements the network connection filter in the Connection Filter attribute. This class must also be specified in the CLASSPATH for WebLogic Server.
  6. Enter the syntax for the connection filter rules. For more information about connection filter rules, see Using Network Connection Filters to Protect Application Server Resources in Programming WebLogic Security.
  7. Click Apply.
  8. Reboot WebLogic Server.
