Using Compatibility Security

The following sections describe how to set up Compatibility Security and manage an existing 6.x security configuration:

• Setting Up Compatibility Security: Main Steps
• Changing the System Password
• Specifying a Compatibility Security Realm
• Defining Users in the Compatibility Realm
• Defining Groups in the Compatibility Realm
• Defining ACLs in the Compatibility Realm
• Protecting User Accounts
• Using a 6.x Auditor with Compatibility Security

Note: Compatibility security is deprecated in WebLogic Server 7.0. You should only use Compatibility security while upgrading your WebLogic Server deployment to the security features in WebLogic Server 7.0.

 

---

Setting Up Compatibility Security: Main Steps

To set up Compatibility security:

1. Make a back-up copy of your 6.x WebLogic domain (including your config.xml file) before using Compatibility security. A sample config.xml file that can be used to boot Compatibility Security can be found in Booting WebLogic Server in Compatibility Security in the Upgrade Guide for BEA WebLogic Server 7.0.
2. Install WebLogic Server 7.0 in a new directory location. Do not overwrite your existing 6.x installation directory. For more information, see the WebLogic Server Installation Guide.
3. Modify the startup script for your 6.x server to point to the WebLogic Server 7.0 installation. Specifically, you need to modify:
   • The classpath to point to the weblogic.jar file in the WebLogic Server version 7.0 installation.
   • The JAVA_HOME variable to point to the WebLogic Server version 7.0 installation.

   For more information, see theUpgrade Guide for BEA WebLogic Server 7.0.

4. Use the startup script for your 6.x server to boot WebLogic Server.

To verify whether you are correctly running Compatibility security, do the following:

1. In the Administration Console, expand the Domain node.
2. Click on your WebLogic Server domain (referred to as the domain).
3. Click the View the Domain Log link.

   The following message appears in the log:

   Security initializing using realm CompatibilityRealm

 

---

Changing the System Password

During installation WebLogic Server does the following to the File realm in mydomain:

1. Adds the username and password supplied during installation to the File realm.
2. Sets the system password to password specified during installation.

These steps ensure that a system user is defined in the 7.0 version of the File realm and that the SerializedSystemIni.dat file is created.

To improve security, BEA recommends frequently changing the system password that was set during installation. Each WebLogic Server deployment must have a unique password.

1. In the console for the Administration Server, expand the Compatibility Security node.
2. Select the Users tab.
3. In the User Configuration window, under Change a User's Password, enter system in the Name attribute.
4. In the Old Password attribute, enter password you specified when installing WebLogic Server 6.x..
5. Enter a new password in the New Password attribute.
6. Enter the new password again in the Confirm the Password attribute.

When you use an Administration Server and Managed Servers in a domain, the Managed Server must always use the password for the Administration Server in the domain. Always change the password for the Administration Server through the Administration Console. The new password is propagated to all the Managed Servers in the domain.

Maintaining the secrecy of WebLogic passwords is critical to keeping your WebLogic Server deployment and data secure. For your protection, BEA recommends keeping the password of WebLogic Server secret.

 

---

Specifying a Compatibility Security Realm

The following sections describes configuring a security realm for your WebLogic Server deployment:

• Configuring the File Realm
• Configuring the Caching Realm
• Configuring the LDAP V1 Security Realm
• Configuring the Windows NT Security Realm
• Configuring the UNIX Security Realm
• Configuring the RDBMS Security Realm
• Installing a Custom Security Realm

Note: The File realm, Caching realm, LDAP, Windows NT, UNIX, and RDBMS security realms are deprecated in WebLogic Server 7.0. In addition, the use of WebLogic Server 6.x custom security realms is deprecated in WebLogic Server 7.0.

Configuring the File Realm

By default WebLogic Server is installed with the File realm in place. The File Realm stores user and group data for the purpose of Authentication. Before using the File realm, you need to define several attributes that govern the use of the File realm.

To configure the File realm:

1. Expand the Domains node.
2. Select the Security-->File Realm tab.
3. Enter values in the attribute fields on the File Realm tab.

   The following table describes each attribute on the File Realm tab.

   Table 4-1 File Realm Attributes

   Attribute	Description
   Caching Realm	The File realm does not use a Caching realm. Set this attribute to None.
   Max Users	Maximum number of users in the File realm. The minimum value for this attribute is 1 and the maximum value is 10,000. The default is 1,000.
   Max Groups	Maximum number of Groups to be used with the File realm. The minimum value for this attribute is 1 and the maximum value is 10,000. The default is 1,000.
   Max ACLs	Maximum number of access control lists (ACLs) to be used with the File realm. The minimum value for this attribute is 1 and the maximum value is 10,000. The default is 1,000.

   
    

4. Click Apply to save your changes.

All user and group data for the File realm is stored in the fileRealm.properties file. If the fileRealm.properties file becomes corrupted or is destroyed, you must reconfigure the security information for WebLogic Server. Compatibility security cannot run without a fileRealm.properties file. Even if you write a custom security realm, you still need a fileRealm.properties file to boot WebLogic Server because the custom security realm is not initially called during the start-up sequence. Therefore, BEA recommends that you take the following steps:

1. Make a backup copy of the fileRealm.properties file and put it in a secure place.
2. Set the permissions on the fileRealm.properties file such that the administrator of the WebLogic Server deployment has write and read privileges and no other users have any privileges.

Note: Also make a backup copy of the SerializedSystemIni.dat file for the File realm. For more information about the SerializedSystemIni.dat file, see Protecting User Accounts

If, instead of the File realm, you want to use one of the alternate security realms provided by WebLogic Server, or use a custom security realm, set the attributes for the desired realm and reboot WebLogic Server. If you use one of the alternate security realms, you must enable the Caching realm. Alternate security realms include the LDAP, Windows NT, UNIX, and RDBMS security realms

Configuring the Caching Realm

The Caching realm works with alternate security realms, or custom security realms to fulfill client requests with the proper authentication and authorization. The Caching realm stores the results of both successful and unsuccessful realm lookups. It manages separate caches for users, groups, permissions, ACLs, and authentication requests. The Caching realm improves the performance of WebLogic Server by caching lookups, thereby reducing the number of calls into other security realms.

The Caching realm is installed automatically when you run Compatibility security: the cache is set up to delegate to the other security realms; however, caching is not enabled. You have to enable caching through the Administration Console. If you are using an alternate security realm or a custom security realm, you must configure and enable the Caching realm after you configure an alternate or custom security realm.

When you enable caching, the Caching realm saves the results of a realm lookup in its cache. Lookup results remain in the cache until either the specified number of seconds defined for the time-to-live (TTL) attributes has passed (the lookup result has expired) or the cache has filled. When the cache is full, new lookup results replace the oldest cached results. The TTL attributes determine how long a cached object is valid. The higher you set these attributes, the less often the Caching realm calls the secondary security realm. Reducing the frequency of such calls improves the performance. The trade-off is that changes to the underlying security realm are not recognized until the cached object expires.

Note: When you obtain an object from a security realm, the object reflects a snapshot of the object. To update the object, call the object's get() method again. For example, the membership of a group is set when the group is retrieved from the security realm with a call to the getGroup() method. To update the members of the group, you must call the getGroup() method again.

By default, the Caching realm operates on the assumption that the alternate security realm is case-sensitive. In a case-sensitive security realm, the owners of usernames bill and Bill, for example are treated as two distinct users. The Windows NT Security realm and the LDAP Security realm are examples of security realms that are not case-sensitive. If you are using a security realm that is not case-sensitive, you must disable the CacheCaseSensitive attribute. When this attribute is set, the Caching realm converts usernames to lowercase so that WebLogic Server gives correct results for the security realm when it performs case-sensitive comparisons. When defining or referencing users or groups in a case-sensitive security realm, type usernames in lowercase.

To configure the Caching realm:

1. Configure the alternate or custom security realm with which you will use the Caching realm. See the appropriate realm configuration procedures in the following sections:
   • Configuring the LDAP V1 Security Realm
   • Configuring the Windows NT Security Realm
   • Configuring the UNIX Security Realm
   • Configuring the RDBMS Security Realm
   • Installing a Custom Security Realm
2. Expand the Compatibility Security-->Caching Realms nodes.
3. Click the Configure a new Caching Realm... link.
4. Enter values in the attribute fields on the General tab.

   The following table describes the attributes you set on the General tab.

   Table 4-2 Caching Realm Attributes on the General Tab

   Attribute	Description
   Name	Displays the active security realm as defined in the Administration Console. This attribute can not be changed.
   Basic Realm	Name of the alternate security realm or custom security realm to be used with the Caching realm. The names of the configured realms appear on the pull-down menu.
   Case Sensitive Cache	Defines whether the specified security realm is case-sensitive. By default, this attribute is enabled: the realm is case-sensitive. To use a realm that is not case-sensitive (such as the Windows NT and LDAP security realms), you must disable this attribute.

   
    

5. Click Create.
6. Configure and enable the ACL cache by defining values for the attributes shown on the ACL tab.

   The following table describes the attributes you set on the ACL tab.

   Table 4-3 ACL Cache Attributes

   Attribute	Description
   Enable Cache	Option for enabling the ACL cache.
   ACL Cache Size	Maximum number of ACL lookups to cache. This attribute should be a prime number for best lookup performance. The default is 211.
   ACL Cache Positive TTL	Number of seconds to retain the results of a successful lookup. The default is 60 seconds.
   ACL Cache Negative TTL	Number of seconds to retain the results of an unsuccessful lookup. The default is 10 seconds.

   
    

7. Click Apply to save your changes.
8. Configure and enable the Authentication cache by defining values for the attributes shown on the Authentication tab.

   The following table describes the attributes you set on the Authentication tab.

   Table 4-4 Authentication Cache Attributes

   Attribute	Description
   Enable Authentication Cache	Option for enabling the Authentication cache.
   Authentication Cache Size	Maximum number of Authenticate requests to cache. This attribute should be a prime number for best lookup performance. The default is 211.
   Authentication Cache TTLPositive	Number of seconds to retain the results of a successful lookup. The default is 60 seconds.
   Authentication Cache TTLNegative	Number of seconds to retain the results of an unsuccessful lookup. The default is 10 seconds.

   
    

9. Click Apply to save your changes.
10. Configure and enable the Group cache by defining values for the attributes shown on the Groups tab.

    The following table describes the attributes you set on the Group tab.

    Table 4-5 Group Cache Attributes

    Attribute	Description
    Enable Group Cache	Option for enabling the Group cache.
    Group Cache Size	Maximum number of Group lookups to cache. This attribute should be a prime number for best lookup performance. The default is 211.
    Group Cache TTLPositive	Number of seconds to retain the results of a successful lookup. The default is 60 seconds.
    Group Cache TTLNegative	Number of seconds to retain the results of an unsuccessful lookup. The default is 10 seconds.
    Group Membership Cache TTL	Number of seconds to store the members of a group before updating it. The default is 300 seconds.

    
     

11. Click Apply to save your changes.
12. Configure and enable the User cache by defining values for the attributes shown on the Users tab.

    The following table describes the attributes you set on the User tab.

    Table 4-6 User Cache Attributes

    Attribute	Description
    Enable User Cache	Option for enabling the User cache.
    User Cache Size	Maximum number of user lookups to cache. This attribute should be a prime number for best lookup performance. The default is 211.
    User Cache TTLPositive	Number of seconds to retain the results of a successful lookup. The default is 60 seconds.
    User Cache TTLNegative	Number of seconds to retain the results of an unsuccessful lookup. The default is 10 seconds.

    
     

13. Click Apply to save your changes.
14. Configure and enable the Permission cache by defining values for the attributes shown on the Permissions tab.

    The following table describes each attribute on the Permission tab.

    Table 4-7 Permission Cache Attributes

    Attribute	Description
    Enable Permission Cache	Option for enabling the Permission cache.
    Permission Cache Size	Maximum number of Permission lookups to cache. This attribute should be a prime number for best lookup performance. The default is 211.
    Permission Cache TTLPositive	Number of seconds to retain the results of a successful lookup. The default is 60 seconds.
    Permission Cache TTLNegative	Number of seconds to retain the results of an unsuccessful lookup. The default is 10 seconds.

    
     

15. Click Apply to save your changes.
16. When you finish defining attributes for the Caching realm, reboot WebLogic Server.

Configuring the LDAP V1 Security Realm

The Lightweight Directory Access Protocol (LDAP) V1 security realm provides authentication through an LDAP server. This server allows you to manage all the users for your organization in one place: the LDAP directory. The LDAP V1 security realm supports Open LDAP, Netscape iPlanet, Microsoft Site Server, and Novell NDS.

Configuring the LDAP V1 security realm involves defining attributes that enable the LDAP V1 security realm in WebLogic Server to communicate with the LDAP server and attributes that describe how users and groups are stored in the LDAP directory. The LDAP tree and schema is different for every LDAP server. Therefore, the LDAP V2 security realm provides a set of templates that define default attributes for the supported LDAP servers.

The Difference between the LDAP V1 and LDAP V2 Security Realms

Choose between two versions of the LDAP security realm:

• LDAP V1 security realm—The LDAP security realm packaged in releases of WebLogic Server before WebLogic Server 6.0 SP01. With the exception of Microsoft Site Server, the LDAP V1 security realm works with all the supported LDAP servers and is provided for BEA customers that are currently using the LDAP security realm in an older release of WebLogic Server. However, the LDAP V1 security realm is deprecated in this release and BEA recommends users upgrade to the LDAP V2 security realm.
• LPAP realm V2—An updated LDAP security realm with improved performance and configurability. This is the same LDAP security realm provided in WebLogic Server 6.0 Service Pack 1.0. When running Windows 2000, BEA recommends using LDAP V2 security realm to authenticate against the Windows 2000 User and Group store.

Note: LDAP V1 security realm allows you to view users and members of a group stored in the LDAP directory server through the Administration Console. However, with LDAP V2 security realm, you can only view the groups stored in the LDAP directory server through the Administration Console.

You need to use the administration tools available with the LDAP server to manage users and groups (for example, adding or deleting users or groups or adding members to groups). If you make a change in the LDAP directory store, reset the User cache and the Group cache to immediately view your changes in the Administration Console.

LDAP Realm Performance Tips

To improve LDAP Security realm performance:

• Have the LDAP server index all of the attributes that you use as search keys in your LDAP realm search filters. Not indexing the attributes could cause linear search performance.
• Use the Caching realm carefully. Changes in the LDAP server's information are not propagated to the LDAP Security realm until the cache is cleared.

Restrictions When Using the LDAP Security Realm

The LDAP security realm has the following restrictions:

• When the LDAP server in Microsoft Site Server is installed and the root of the LDAP directory is created, a number of organizational units are created by default. Under groups, a default organization unit called NTGroups has a default group named Administrators, which is empty. By default, WebLogic Server also provides a group called Administrators that contains a member system, which is the user under which WebLogic Server is started. If you use the defaults in Microsoft Site Server and start creating your own groups under the default organizational unit, WebLogic Server will not start. In order to start WebLogic Server with the LDAP security realm, you need to create your own unique organizational unit in the LDAP directory and create groups for your WebLogic Server deployment under that organizational unit.
• If you have two groups within the LDAP directory with the same name, WebLogic Server cannot properly authenticate the users in the second group that it locates. The LDAP security realm uses the group's distinguished name (DN) to locate groups in the LDAP directory. If you create more than one group with the same name, WebLogic Server only authenticates the users in the first group it locates. You must use unique group names when using the LDAP security realm.
• The LDAP V2 security realm does not provide the following functionality provided in LDAP V1 security realm:
• Listing all users
• Listing the members of a group
• The authProtocol and userAuthentication mechanisms have been removed. You need to use the JNDI bind mechanism to pass security credentials to the LDAP server. For more information, see Setting Up JNDI Environment Properties for the Initial Context in Programming with WebLogic JNDI.

Configuring an LDAP V1 Security Realm

To use the LDAP V1 security realm instead of the File realm:

1. Expand the Compatibility Security-->Realms nodes.
2. Click on Configure a New LDAP Realm V1 link to display the name of the class that implements the LDAP V1 security realm.
3. Click Create.
4. To enable communication between the LDAP server and WebLogic Server, define values for the attributes on the LDAP Server tab.

   The following table describes the attributes you set on the LDAP Realm V1 tab.

   Table 4-8 LDAP V1 Security Realm Attributes on the LDAP Tab

   Attribute	Description
   LDAPURL	Location of the LDAP server. Change the URL to the name of the computer on which the LDAP server is running and the number of the port at which it is listening. For example: ldap://ldapserver:385. If you want WebLogic Server to connect to the LDAP server using the SSL protocol, use the LDAP server's SSL port in the URL.
   Principal	Distinguished name (DN) of the LDAP User used by WebLogic Server to connect to the LDAP server. This user must be able to list LDAP users and groups.
   Credential	Password that authenticates the LDAP User defined in the Principal attribute.
   Enable SSL	Option for enabling the SSL protocol to protect communications between the LDAP server and WebLogic Server. Keep in mind the following guidelines: Disable this attribute if the LDAP server is not configured to use the SSL protocol. If you set the UserAuthentication attribute on the LDAP Users tab to external, this attribute must be enabled.
   AuthProtocol	The type of authentication used to authenticate the LDAP server. Set this attribute to one of the following values: None for no authentication Simple for password authentication CRAM-MD5 for certificate authentication Netscape iPlanet supports CRAM-MD5. Microsoft Site Server, Netscape iPlanet, and OpenLDAP and Novell NDS support Simple.

   
    

5. Click Apply to save your changes.
6. To specify how users are stored in the LDAP V1 security realm, define the attributes shown on the Users tab.

   The following table describes the attributes you set on the Users tab.

   Table 4-9 LDAP V1 Security Realm Attributes on the Users Tab

   Attribute	Description
   User Authentication	Determines the method for authenticating users. Set this attribute to one of the following values: Bind specifies that the LDAP security realm retrieves user data, including the password for the LDAP server, and checks the password in WebLogic Server. External specifies that the LDAP security realm authenticates a user by attempting to bind to the LDAP server with the username and password supplied by the WebLogic Server client. If you choose the External setting, you must also use the SSL protocol. Local specifies that the LDAP security realm authenticates a user by looking up the UserPassword property in the LDAP directory and checking it against the passwords in WebLogic Server.
   User Password Attribute	If the User Authentication attribute is set to Local, this attribute is used to find out what LDAP property contains the passwords for the LDAP users.
   User DN	A list of attributes and their values that, when combined with the attributes in the User Name Attribute attribute, uniquely identifies an LDAP user.
   User Name Attribute	The login name of the LDAP user. The value of this attribute can be the common name of an LDAP user but usually it is an abbreviated string, such as the common name.

   
    

7. Click Apply to save your changes.
8. To specify how Groups are stored in the LDAP directory, define the attributes shown on the Groups tab.

   The following table describes the attributes you set on the Groups tab.

   Table 4-10 LDAP V1 Security Realm Attributes on the Groups Tab

   Attribute	Description
   Group DN	List of attributes and values that, combined with the Group Name Attribute attribute, uniquely identifies a group in the LDAP directory.
   Group Name Attribute	Name of a group in the LDAP directory. It is usually a common name.
   Group Is Context	Boolean checkbox that specifies how group membership is recorded in the LDAP directory. Check this checkbox if each Group entry contains one user. By default, the box is selected. Uncheck this checkbox if one Group entry contains an attribute for each group member.
   Group Username Attribute	Name of the LDAP attribute that contains a group member in a Group entry.

   
    

9. Click Apply to save your changes.
10. When you have finished defining all the attributes, reboot WebLogic Server.
11. Configure the Caching realm as described on Configuring the Caching Realm

    When configuring the Caching realm, select the LDAP Realm V1 from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP V1 security realm).

12. Expand the Domains node.
13. Select the Security-->File Realm tab.
14. In the Caching Realm attribute, choose the name of the Caching realm to be used with the LDAP V1 security realm. A list of configured Caching realms appears on the pull-down menu.
15. Reboot WebLogic Server.

The Caching realm caches users and groups internally to avoid frequent lookups in the LDAP directory. Each object in the users and groups caches has a TTL attribute that you set when you configure the Caching realm. If you make changes in the LDAP directory, those changes are not reflected in the LDAP V1 security realm until the cached object expires or is flushed from the cache. The default TTL is 10 seconds for unsuccessful lookups and 60 seconds for successful lookups. Unless you change the TTL attributes for the User and Group caches when you configured the Caching realm, changes in the LDAP directory should be reflected in the LDAP V1 security realm in 60 seconds. For more information about TTL attributes, see Configuring the Caching Realm.

If some server-side code has performed a lookup in the LDAP V1 security realm, such as a getUser() call on the LDAP V1 security realm, the object returned by the realm cannot be released until the code releases it. Therefore, a user authenticated by WebLogic Server remains valid as long as the connection persists, even if you delete the user from the LDAP directory.

Configuring an LDAP V2 Security Realm

When using the LDAP V2 security realm, WebLogic Server provides templates for the supported LDAP servers. These templates specify default configuration information used to represent users and groups in each of the supported LDAP servers. You choose the template that corresponds to the LDAP server you want to use and then fill in the host and port of the LDAP server, and the GroupDN, the UserDN, Principal, and Credential attributes. For information about these attributes, see Configuring an LDAP V1 Security Realm.

To use a LDAP V2 security realm:

1. Expand the Compatibility Security-->Realms nodes.
2. Choose the LDAP server you want to use with WebLogic Server. The following templates are available:
   • defaultLDAPRealmforOpenLDAPDirectoryServices
   • defaultLDAPRealmforNovellDirectoryServices
   • defaultLDAPRealmforMicrosoftSiteServer
   • defaultLDAPRealmforNetscapeDirectoryServer
3. On the Configuration tab, enter the host and port of the LDAP server in the server.host and server.port attributes in the Configuration Data box.
4. If necessary, update the information defined for the GroupDN, the UserDN, Principal, and Credential attributes for your LDAP directory server in the Configuration Data box.
5. Optionally, define a password for the LDAP server. The Password attribute defines the password for the Principal. Once the password is defined, WebLogic Server encrypts it.
6. Click Apply to save your changes.
7. When you have finished defining the attributes, reboot WebLogic Server.
8. Configure the Caching realm as described in Configuring the Caching Realm

   When configuring the Caching realm, select the LDAP V2 security realm from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP V2 security realm).

9. Expand the Domains node.
10. Select the Security-->File Realm tab.
11. In the Caching Realm attribute, choose the name of the Caching realm to be used with the LDAP V2 security realm. A list of configured Caching realms appears on the pull-down menu.
12. Reboot WebLogic Server.

Configuring the Windows NT Security Realm

The Windows NT Security realm uses account information defined for a Windows NT domain to authenticate users and groups. You can view users and groups in the Windows NT Security realm through the Administration Console, but you must manage users and groups through the facilities provided by Windows NT.

The Windows NT Security realm provides authentication (users and groups) but not authorization (ACLs). To update the ACL information in the filerealm.properties file that WebLogic Server uses, click Refresh on the General tab in the Security node after you change an ACL. If you use groups with your ACLs, reduce the frequency with which you must refresh the information in WebLogic Server. Changing the members of a Windows NT group allows you to manage individual users' access to WebLogic Server resources dynamically.

It is possible to use the Windows NT Security realm to authenticate against a Windows 2000 Active Directory primary domain controller. However, the authentication must be from a machine which is a member of the domain, not from the domain controller itself. There is no way to authenticate to the local user and group store if the machine running the Windows NT Security realm is a member of another domain.

The Windows NT Security realm can be run on the primary domain controller, on a machine that is a member of a Windows NT domain, or on a machine that is a member of the Windows NT domain and wants to use a mutually trusted domain.

To use the Windows NT Security realm:

1. Expand the Compatibility Security-->Realms nodes.
2. Click the Configure a New NT Realm... link.
3. Set attributes on the Configurationtab that define a name for the Windows NT realm and the computer on which the Windows NT domain is running.

   The following table describes the attributes you set in the NT Realm Configuration window.

   Table 4-11 Windows NT Security Realm Attributes

   Attribute	Description
   Name	The name of the Windows NT Security realm, such as AccountingRealm.
   Primary Domain	The host and port number of the computer where users and groups are defined for the Windows NT domain. If you enter multiple host and port numbers, use a comma delineated list.

   
    

4. Click Apply to save your changes.
5. Reboot WebLogic Server.
6. Configure the Caching realm as described in Configuring the Caching Realm

   When configuring the Caching realm, select your Windows NT Security realm from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the Windows NT Security realm).

7. Expand the Domains node.
8. Click the Security-->File Realm tab.
9. In the Caching Realm attribute, choose the name of the Caching realm to be used with the Windows NT security realm. A list of configured Caching realms appears on the pull-down menu.
10. Reboot WebLogic Server.

Use the following command to verify that you have the correct privileges to run WebLogic Server as the specified Windows NT user:

java weblogic.security.ntrealm.NTRealm username password

where username and password are the username and password of the Windows NT account under which WebLogic Server runs.

The output from this command indicates if the specified username and password authenticated properly.

Table 4-12 Windows NT Authentication Verification

Command Output	Meaning
auth?poppy	The entered username and password authenticated correctly.
auth?null	The entered username and password did not authenticate properly.

 

If the test comes up with an immediate failure stating that the client or user running WebLogic Server does not have the privileges to run the Windows NT Security realm, you need to update the permissions (referred to as rights) for the Windows user running WebLogic Server.

Updating Users Permissions for Windows NT and Windows 2000

To update the rights in Windows NT:

1. On the Start menu, select Programs—>Administrative Tools.
2. Select User Manager.
3. Under the Policies menu, choose the User Rights option.
4. Check the Show Advanced Users Rights option.
5. Give the following rights to the Windows user running WebLogic Server:
   • Act as part of the operating system
   • Create a token object
   • Replace a process level token
6. Verify that the Windows user running WebLogic Server is a member of the Administrators group.
7. Reboot Windows NT to ensure all the modifications take effect.
8. Verify that the Logon as System Account option is checked. Note that the Allow System to Interact with Desktop option does not need to be checked. Running the Windows NT Security realm under a specific Windows NT user account does not work.

To update the rights in Windows 2000:

1. On the Start menu, select Programs—>Administrative Tools.
2. Select Local Security Policy.
3. Go to Local Policies—>User Rights Assignment.
4. Give the following rights to the Windows user running WebLogic Server:
   • Act as part of the operating system
   • Create a token object
   • Replace a process level token
5. Verify that the Windows user running WebLogic Server is a member of the Administrators group.
6. Reboot Windows 2000 to ensure all the modifications take effect.
7. Verify that the Logon as System Account option is checked. Note that the Allow System to Interact with Desktop option does not need to be checked. Running the Windows NT Security realm under a specific Windows NT user account does not work.

The following are common Windows NT error codes that occur when using the Windows NT Security realm:

Table 4-13

Error Code	Meaning
1326	The host machine running the security realm does not have a trust relationship with the primary domain controller. The host machine may not be a member of the domain or the domain may not trust the host machine.
53	A network error has indicates that the path to the primary domain controller could not be located. This error can occur if the domain name is misspelled or if the domain name is specified rather than the host name of the primary domain controller.

 

A full explanation of the Windows NT error codes is found in the winerror.h file.

Configuring the UNIX Security Realm

Note: The UNIX Security realm runs only on the Solaris and Linux platforms.

The UNIX Security realm executes a small native program, wlauth, to look up users and groups and to authenticate users on the basis of their UNIX login names and passwords. The wlauth program uses Pluggable Authentication Modules (PAM), which allow you to configure authentication services in the operating system without altering applications that use the service.

After you change an ACL, click Refresh on the General tab in the Security to update the information in the filerealm.properties file that WebLogic Server uses. If you use groups with your ACLs, reduce the frequency with which you must refresh the information in WebLogic Server. Changing the members of a UNIX group allows you to manage individual users' access to WebLogic Server resources dynamically.

The wlauth program runs setuid root. You need root permissions to modify the ownership and file attributes on the wlauth program and to set up the PAM configuration file for wlauth.

To set up the wlauth program for the UNIX Security realm:

1. If WebLogic Server is installed on a network drive, copy the wlauth file to a file system on the computer that executes WebLogic Server, for example, the /usr/sbin directory. The wlauth file is in the weblogic/lib/arch directory, where arch is the name of your platform.
2. As the root user, run the following commands to change the wlauth owner and permissions:

     # chown root wlauth
     # chmod +xs wlauth

3. Set up the PAM configuration for wlauth.

   Solaris—Add the following lines to your /etc/pam.conf file:

     # Setup for WebLogic authentication on Solaris machines
     #
     wlauth auth required      /usr/lib/security/pam_unix.so.1 
     wlauth password required  /usr/lib/security/pam_unix.so.1 
     wlauth account required   /usr/lib/security/pam_unix.so.1

   Linux—Create a file called /etc/pam.d/wlauth containing the following:

     #%PAM-1.0
     #
     # File name:
     # /etc/pam.d/wlauth 
     #
     # If you do not use shadow passwords, delete "shadow".
     auth required     /lib/security/pam_pwdb.so shadow
     account required  /lib/security/pam_pwdb.so

   Note: Omit shadow if you are not using shadow passwords.

To configure the UNIX Security realm:

1. Expand the Compatibility Security-->Realms nodes.
2. Click the Configure a New Unix Realm... link.
3. Set attributes on the Configuration tab that define a name for the realm and the program that provides authentication services for the UNIX Security realm.

   Table 4-14 UNIX Security Realm Attributes

   Attribute	Description
   Name	The name of the UNIX Security realm, such as AccountingRealm.
   AuthProgram	The name of the program used to authenticate users in the UNIX security realm. In most cases, the name of the program is wlauth.

   
    
4. Click Create.
5. When you have finished defining the attributes, reboot WebLogic Server.
6. Configure the Caching realm as described in Configuring the Caching Realm

   When configuring the Caching realm, select your UNIX Security realm from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the UNIX Security realm).

7. Expand the Domains node.
8. Select the Security-->File Realm tab.
9. In the Caching Realm attribute, choose the name of the Caching realm to be used with the UNIX security realm. A list of configured Caching realms appears on the pull-down menu.
10. Reboot WebLogic Server.

If wlauth is not in the WebLogic Server path or if you have given the program a name other than wlauth, you must add a Java command-line property when you start WebLogic Server. Edit the script you use to start WebLogic Server and add the following option after the java command:

-Dweblogic.security.unixrealm.authProgram=wlauth_prog

Replace wlauth_prog with the name of the wlauth program, including the full path if the program is not in the search path. Start WebLogic Server. If the wlauth program is in the WebLogic Server path and is named wlauth, this step is not needed.

Configuring the RDBMS Security Realm

Note: If your implementation of the RDBMS security realm uses the getActiveDomain() method, you need to edit and recompile your RDBMSDelegate class in order to use the RDBMS security realm with Compatibility security. Replace the getActiveDomain() method with the getSecurityConfig() method in the weblogic.server package.

The RDBMS Security realm is a BEA-provided custom security realm that stores users, groups and ACLs in a relational database.The RDBMS Security realm is an example and is not meant to be used in a production environment. You can perform the following managment functions on the RDBMS Security realm.

Table 4-15 Management Functions in the RDBMS Security Realm

Management Function	Support for Functions
Create User	Administration Console, but only in memory
Delete User	Administration Console
Change Password	user() interface in weblogic.security.acl
Create Group	manageableRealm() interface in weblogic.security.acl
Delete Group	Administration Console
Add Group Member	Administration Console
Delete Group Member	Administration Console
Create ACL	manageableRealm() interface in weblogic.security.acl
Delete ACL	manageableRealm() interface in weblogic.security.acl
Add Permission	acl() interface in weblogic.security.acl
Delete Permission	acl() interface in weblogic.security.acl

 

SQL scripts that populate a database are used to create groups for the RDBMS Security realm.

The RDBMS Security realm can be used as a starting point for creating a production security realm. Extend the RDBMS Security realm by using the following interfaces in the weblogic.security.acl package to add management capabilities to the RDBMS Security realm:

• ManageableRealm—Create groups, create and delete ACLs, and perform lookups of users, groups, and ACLs.
• User—Change the password.
• ACL—Add and remove permissions for users and groups.

If you extend the RDBMS Security realm with any of these interfaces, you may also need to update the database schema.

Note: The RDBMS example does not work with databases that have an autocommit feature enabled. If you use the RDBMS example as a starting point for your RDBMS implementation, use explicit commit statements in your code and make sure the autocommit feature in the database you are using is disabled.

To configure the RDBMS Security realm:

1. Expand the Compatibility Security-->Realms nodes.
2. Choose the database you want to use with WebLogic Server. The following templates are available:
   • defaultRDBMSRealmForOracle
   • defaultRDBMSRealmForMSSQLServerType4
   • defaultRDBMSRealmForCloudScape
   • defaultRDBMSRealmForODBC

   A configuration window for the chosen database appears.

3. Set attributes on the General tab that define a name for the realm and the class that implements the RDBMS security realm.

   The following table describes the attributes you set on the General tab.

   Table 4-16 RDBMS Security Realm Attributes on the General Tab

   Attribute	Description
   Name	Name of the RDBMS Security realm, such as AccountingRealm.
   Realm Class	Name of the WebLogic class that implements the RDBMS Security realm. The Java class needs to be in the CLASSPATH of WebLogic Server.

   
    

4. Click Apply to save your changes.
5. Select the Database tab. Define attributes for the JDBC driver being used to connect to the database.

   The following table describes the attributes you set on the Database tab.

   Table 4-17 RDBMS Security Realm Attributes on the Database Tab

   Attribute	Description
   Driver	Full class name of the JDBC driver. This class name must be in the CLASSPATH of WebLogic Server.
   URL	URL for the database you are using with the RDBMS realm, as specified by your JDBC driver documentation.
   User Name	Default user name for the database.
   Password	Password for the default user of the database.

   
    

6. Click Apply to save your changes.
7. Select the Schema tab. Define the schema used to store Users, Groups, and ACLs in the database in the Schema Properties box on the Schema tab.

   Listing 4-1 contains the database statements entered in the Schema properties for the RDBMS code example shipped with WebLogic Server in the \samples\server\src\examples\security\rdbmsrealm directory.

Listing 4-1 Sample Schema for RDBMS Security Realm

"getGroupNewStatement=true;getUser=SELECT U_NAME, U_PASSWORD FROM users WHERE U_NAME = ?;
getGroupMembers=SELECT GM_GROUP, GM_MEMBER from groupmembers WHERE GM_GROUP = ?;
getAclEntries=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries WHERE A_NAME = ? ORDER BY A_PRINCIPAL;
getUsers=SELECT U_NAME, U_PASSWORD FROM users;
getGroups=SELECT GM_GROUP, GM_MEMBER FROM groupmembers;
getAcls=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries ORDER BY A_NAME, A_PRINCIPAL;
getPermissions=SELECT DISTINCT A_PERMISSION FROM aclentries;
getPermission=SELECT DISTINCT A_PERMISSION FROM aclentries WHERE A_PERMISSION = ?;
newUser=INSERT INTO users VALUES ( ? , ? );
addGroupMember=INSERT INTO groupmembers VALUES ( ? , ? );
removeGroupMember=DELETE FROM groupmembers WHERE GM_GROUP = ? AND GM_MEMBER = ?;
deleteUser1=DELETE FROM users WHERE U_NAME = ?;
deleteUser2=DELETE FROM groupmembers WHERE GM_MEMBER = ?;
deleteUser3=DELETE FROM aclentries WHERE A_PRINCIPAL = ?;
deleteGroup1=DELETE FROM groupmembers WHERE GM_GROUP = ?;
deleteGroup2=DELETE FROM aclentries WHERE A_PRINCIPAL = ?"

8. Click Apply to save your changes.
9. When you have finished defining the attributes, reboot WebLogic Server.
10. Configure the Caching realm as described in Configuring the Caching Realm

    When configuring the Caching realm, select the RDBMS Security realm from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the RDBMS Security realm).

11. Expand the Domains node.
12. Select the Security-->File Realm tab.
13. In the Caching Realm attribute, choose the name of the Caching realm to be used with the RDBMS security realm. A list of configured Caching realms appears on the pull-down menu.
14. Reboot WebLogic Server.

Installing a Custom Security Realm

You can create a custom security realm that draws from an existing store of users such as directory server on the network. To use a custom security realm, you create an implementation of the weblogic.security.acl.AbstractListableRealm interface or the weblogic.security.acl.AbstractManageableRealm interface and then use the Administration Console to install your implementation. For more information, see Writing a Custom Security Realm.

To install a custom security realm:

1. Expand the Compatibility Security-->Realms nodes.
2. Click the Configure a New Custom Realm... link.
3. Set attributes on the Configuration tab that define a name for the custom security realm, specify the interface that implements the realm, and define how the users, groups, and optionally ACLs are stored in the custom security realm on the tab.

   The following table describes the attributes you set on the Custom Security Realm Configuration window.

   Table 4-18 Custom Security Realm Attributes

   Attribute	Description
   Name	Name of the Custom Security realm, such as AccountingRealm.
   Realm Class Name	Name of the WebLogic class that implements the Custom Security realm. The Java class needs to be in the CLASSPATH of WebLogic Server.
   Configuration Data	Information needed to connect to the security store.
   Password	Password for the Custom Security realm. If a password is supplied, WebLogic Server encrypts it.

   
    

4. Click Create.
5. Reboot WebLogic Server.
6. Configure the Caching realm as described in Configuring the Caching Realm

   When configuring the Caching realm, select the Custom Security realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the custom security realm.

7. Expand the Domains node.
8. Click the Security-->File Realm tab.
9. In the Caching Realm attribute, choose the name of the Caching realm to be used with the custom security realm. A list of configured Caching realms appears on the pull-down menu.
10. Reboot WebLogic Server.

 

---

Defining Users in the Compatibility Realm

Note: This section explains how to add users to a manageable security realm (for example, the File realm) in the Compatibility realm. If you are using a security realm that is not manageable through the Administration Console, you must use the administration tools provided in that realm to define a user.

Users are entities that can be authenticated in a WebLogic Server security realm. A user can be a person or a software entity, such as a Java client. Each user is given a unique identity within a WebLogic Server security realm. As a system administrator you must guarantee that no two users in the same security realm are identical.

Defining users in a security realm involves specifying a unique name and password for each user that accesses resources in the WebLogic Server security realm in the users window of the Administration Console.

For information about how to upgrade the guest users, see Guest User in the WebLogic Server 7.0 Upgrade Guide.

WebLogic Server has two special users:

• The system user is the administrative user who controls system-level WebLogic Server operations, such as starting and stopping servers, and locking and unlocking resources. The system user and its password are defined during the WebLogic Server installation procedure. As a security precaution, BEA recommends changing the password for the system user. For more information, see Changing the System Password
• The guest user is automatically provided by WebLogic Server. When authorization is not required, WebLogic Server assigns the guest identity to a client, thus giving the client access to any resources that are available to the guest user. A client can log in as the guest user by entering guest as the username and guest as the password when prompted by a Web browser or by supplying the guest username and password in a Java client. By default, the guest account is disabled.

For a more secure deployment, BEA recommends running WebLogic Server with the guest account disabled. To disable the guest account, select the Guest Disabled attribute on the General tab of the Security Configuration window. Disabling the guest account just disables the ability to log in into the account guest; it does not disable the ability of unauthenticated users to access a WebLogic Server deployment.

The system and guest users are like other users in a WebLogic Server security realm:

• To access WebLogic Server resources, they must have appropriate ACLs.
• To execute an operation on a WebLogic Server resource, they must provide a username and password (or digital certificate).

To define a user:

1. Expand the Compatibility Security node.
2. Click Users.
3. In the User Configuration window, enter the name of the user in the Name attribute.
4. Enter a password for the user in the Password attribute.
5. Enter the password again in the Confirm Password attribute.
6. Click Create.

To delete a user:

1. Expand the Compatibility Security node.
2. Click Users.
3. In User Configuration window, enter the name of the user in the Delete Users box.
4. Click Delete.

To change the password of a user:

1. Expand the Compatibility Security node.
2. Click Users.
3. In the User Configuration window, enter the name of the user in the Name attribute.
4. Enter the old password in the Old Password attribute.
5. Enter the new password in the New Password attribute.
6. Enter the new password again to confirm the password change.

While using WebLogic Server, you may have users that are locked. Perform the following steps to unlock a user:

1. Expand the Compatibility Security node.
2. Click Users.
3. In the User Configuration window, click the Unlock Users link.
4. Enter the names of the user accounts you want to unlock in the Users to Unlock field.
5. Choose the servers on which you want the user accounts unlocked.
6. Click Unlock.

 

---

Defining Groups in the Compatibility Realm

Note: This section explains how to add groups to a manageable security realm (for example, the File realm) in the Compatibility realm. If you are using a security realm that is not manageable through the Administration Console, you must use the administration tools provided in that realm to define a group.

A group represents a set of users who usually have something in common, such as working in the same department in a company. Groups are a means of managing a number of users in an efficient manner. When a group is granted a permission in an ACL, all members of the group effectively receive that permission. BEA recommends assigning permissions to groups rather than to individual users.

By default, WebLogic Server has the following groups:

• All users defined in the defined security realm are automatically members of the everyone group.
• The system user is a member of the Administrators group. This group should be given the permissions appropriate for a user responsible for starting and stopping servers and maintaining a running WebLogic Server deployment. Access to this group should be limited.

To define a group in the Compatibility realm:

1. Expand the Compatibility Security node.
2. Click Groups.
3. Click the Create a New Group... link.
4. In the Group Configuration window, enter the name of the group in the Name attribute. BEA recommends naming groups in the plural. For example, Administrators instead of Administrator.
5. Click on the Users attribute and select the WebLogic Server users you want to add to the group.
6. Click on the Groups attribute and select the WebLogic Server Groups you want to add to the Group.
7. Click Apply to create a new Group.

To delete groups, enter the name of the group in the Remove These Groups list box on the Group Configuration window and click Remove.

 

---

Defining ACLs in the Compatibility Realm

Users access resources in a WebLogic Server security realm. Whether or not a user can access a resource is determined by the access control lists (ACLs) for that resource. An ACL defines the permissions by which a user can interact with the resource. To define ACLs, you create an ACL for a resource, specify the permission for the resource and then grant the permission to a specified set of users and groups. BEA recommends assigning ACLs to groups.

Each WebLogic Server resource has one or more permissions that can be granted. The following table summarizes the functions for various WebLogic Server resources for which permissions can be restricted with an ACL.

Table 4-19 ACLs for WebLogic Server Resources

For this WebLogic Server resource...	This ACL...	Grants Permission for these functions...
WebLogic Servers	weblogic.server weblogic.server.servername	boot
Command-line Administration Tools	weblogic.admin Note: To add ACLs through the Administration Console, you need to define weblogic.admin.acl.modify.	shutdown, lockServer unlockServer, modify
WebLogic Events	weblogic.event.topicName	send receive
WebLogic JDBC connection pools	weblogic.jdbc.connectionPool.poolname	reserve admin
WebLogic Passwords	weblogic.passwordpolicy	unlockuser
WebLogic JMS destinations	weblogic.jms.topic.topicName weblogic.jms.queue.queueName	send, receive
WebLogic JNDI contexts	weblogic.jndi.path	lookup modify list

 

Note: ACLs on MBeans are not supported in WebLogic Server 7.0. For more information, see Protecting System Administration Operations in the BEA WebLogic Server Administration Guide.

To create ACLs for a WebLogic Server resource, open the Administration Console and perform the following steps:

1. Expand the Compatibility Security node.
2. Click the ACLs tab.
3. Click the Create a New ACL... link.
4. In the ACL Configuration window, in the New ACL Name attribute specify the name of WebLogic Server resource that you want to protect with an ACL.

   For example, create an ACL for a JDBC connection pool named demopool.

5. Click Create.
6. Click on the Add a New Permission link.
7. Specify a permission for the resource.

   Either create separate ACLs for each permission available for a resource or one ACL that grants all the permissions for a resource. For example, you can create three ACLs for the JDBC connection pool, demopool: one with reserve permission, one with reset permission, and one with shrink permission. Or you can create one ACL with reserve, reset, and shrink permissions.

8. Specify Weblogic users or groups that have the specified permission to the resource.
9. Click Apply.

When creating ACLs for resources in WebLogic Server, you need to use the syntax in Table 4-19 to refer to the resource. For example, the JDBC connection pool named demopool would be specified as weblogic.jdbc.connectionPool.demopool.

If you modify an existing ACL, click Refresh on the General tab in the Security node to update the information in the filerealm.properties file that WebLogic Server uses.

 

---

Protecting User Accounts

Weblogic Server provides a set of attributes to protect user accounts from intruders. By default, these attributes are set for maximum protection. As a system administrator, you have the option of turning off all the attributes, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the attributes lessens security and leaves user accounts vulnerable to security attacks.

To protect the user accounts in your WebLogic Server domain, perform the following steps:

1. Click on the Domains node.
2. Select the Security-->Passwords tab.
3. Define the desired attributes on this tab by entering values at the appropriate prompts and selecting the required checkboxes. (For details, see the following table).
4. Click Apply to save your choices.
5. Reboot WebLogic Server.

The following table describes each attribute on the Passwords tab.

Table 4-20 Password Protection Attributes

Attribute	Description
Minimum Password Length	Number of characters required in a password. Passwords must contain a minimum of 8 characters. The default is 8.
Lockout Enabled	Requests the locking of a user account after invalid attempts to log in to that account exceed the specified Lockout Threshold. By default, this attribute is enabled.
Lockout Threshold	Number of failed password entries for a user that can be tried to log in to a user account before that account is locked. Any subsequent attempts to access the account (even if the username/password combination is correct) raise a Security exception; the account remains locked until it is explicitly unlocked by the system administrator or another login attempt is made after the lockout duration period ends. Invalid login attempts must be made within a span defined by the Lockout Reset Duration attribute. The default is 5.
Lockout Duration	Number of minutes that a user's account remains inaccessible after being locked in response to several invalid login attempts within the amount of time specified by the Lockout Reset Duration attribute. In order to unlock a user account, you need to have the unlockuser permission for the weblogic.passwordpolicy. The default is 30 minutes.
Lockout Reset Duration	Number of minutes within which invalid login attempts must occur in order for the user's account to be locked. An account is locked if the number of invalid login attempts defined in the Lockout Threshold attribute happens within the amount of time defined by this attribute. For example, if the value in this attribute is five minutes and three invalid login attempts are made within a six-minute interval, then the account is not locked. If five invalid login attempts are made within a five-minute period, however, then the account is locked. The default is 5 minutes.
Lockout Cache Size	Specifies the intended cache size of unused and invalid login attempts. The default is 5.

 

 

---

Using a 6.x Auditor with Compatibility Security

If your WebLogic Server 6.x security configuration uses an implementation of the weblogic.security.audit.AuditProvider class, the Auditor is not automatically configured in Compatibility security. Configure a Realm Adapter Auditing provider in the Compatibility realm to access the 6.x Auditor.

1. Start WebLogic Server.
2. Run the admin command line tool, entering the following three commands:

   java weblogic.Admin -url t3://localhost:7001 -username
   adminusername -password adminpassword CREATE -mbean Security:
   Name=CompatibilityRealmRealmAdapterAuditor -type
   weblogic.security.providers.realmadapter.RealmAdapterAuditor commotype

   java weblogic.Admin -url t3://localhost:7001 -username
   adminusername -password adminpassword SET -mbean Security:
   Name=CompatibilityRealmRealmAdapterAuditor -property Realm Security:Name=CompatibilityRealm commotype

   java weblogic.Admin -url t3://localhost:7001 -username
   adminusername -password adminpassword SET -mbean Security
   Name=CompatibilityRealm -property Auditors
   Security:Name=CompatibilityRealmRealmAdapterAuditor commotype

3. Reboot WebLogic Server.