Securing WebLogic Server

Introduction and Roadmap

The following sections describe the contents and organization of this guide, Securing WebLogic Server, as well as new and changed security features in this release.

Document Scope

This document explains how to configure WebLogic Server® security, including settings for security realms, providers, identity and trust, SSL, and Compatibility security. See Related Information for a description of other WebLogic security documentation.

Document Audience

This document is intended for the following audiences:

Application Architects—Architects who, in addition to setting security goals and designing the overall security architecture for their organizations, evaluate WebLogic Server security features and determine how to best implement them. Application Architects have in-depth knowledge of Java programming, Java security, and network security, as well as knowledge of security systems and leading-edge, security technologies and tools.
Security Developers—Developers who define the system architecture and infrastructure for security products that integrate with WebLogic Server and who develop custom security providers for use with WebLogic Server. They work with Application Architects to ensure that the security architecture is implemented according to design and that no security holes are introduced, and work with Server Administrators to ensure that security is properly configured. Security Developers have a solid understanding of security concepts, including authentication, authorization, auditing (AAA), in-depth knowledge of Java (including Java Management eXtensions (JMX)), and working knowledge of WebLogic Server and security provider functionality.
Application Developers—Java programmers who focus on developing client applications, adding security to Web applications and Enterprise JavaBeans (EJBs), and working with other engineering, quality assurance (QA), and database teams to implement security features. Application Developers have in-depth/working knowledge of Java (including J2EE components such as servlets/JSPs and JSEE) and Java security.
Server Administrators—Administrators work closely with Application Architects to design a security scheme for the server and the applications running on the server; to identify potential security risks; and to propose configurations that prevent security problems. Related responsibilities may include maintaining critical production systems; configuring and managing security realms, implementing authentication and authorization schemes for server and application resources; upgrading security features; and maintaining security provider databases. Server Administrators have in-depth knowledge of the Java security architecture, including Web services, Web application and EJB security, Public Key security, SSL, and Security Assertion Markup Language (SAML).
Application Administrators—Administrators who work with Server Administrators to implement and maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources in defined security realms. Application Administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs.

Guide to This Document

This document is organized as follows:

This chapter describes the audience, organization, and related information for this guide.
Overview of Security Management, describes the default security configuration in WebLogic Server; lists the configuration steps for security, and describes Compatibility security.
Customizing the Default Security Configuration, explains when to customize the default security configuration, the configuration requirements for a new security realm, and how to set a security realm as the default security realm.
Configuring WebLogic Security Providers, describes the available configuration options for the security providers supplied by WebLogic Server and how to configure a custom security provider.
Configuring Authentication Providers, describes the Authentication providers supplied by WebLogic Server, including information about how to configure them.
Configuring Single Sign-On with Microsoft Clients, describes how to configure authentication between a WebLogic Server domain and .NET Web Service clients or browser clients (for example, Internet Explorer) in a Microsoft domain, using Windows authentication based on the Simple and Protected Negotiate (SPNEGO) mechanism.
Configuring Single Sign-On with Web Browsers and HTTP Clients, describes how to configure authentication between a WebLogic Server domain and Web browsers or other HTTP clients, using authentication based on the Security Assertion Markup Language (SAML).
Migrating Security Data, provides information about exporting and importing security data between security realms and security providers.
Managing the Embedded LDAP Server, describes the management tasks associated with the embedded LDAP server used by the WebLogic security providers.
Configuring Identity and Trust, describes how to configure identity and trust for WebLogic Server.
Configuring SSL, describes how to configure SSL for WebLogic Server.
Configuring Security for a WebLogic Domain, describes how to set security configuration options for a WebLogic Server domain.
Using Compatibility Security, describes how to use Compatibility security, a security configuration mode designed for backwards compatibility with security realms developed under WebLogic Server 6.x.
Security Configuration MBeans, describes which WebLogic Security MBeans and MBean attributes are dynamic (can be changed without restarting the server) and which are non-dynamic (changes require a server restart).

Related Information

The following BEA WebLogic Server documents contain information that is relevant to the WebLogic Security Service:

Understanding WebLogic Security—Summarizes the features of the WebLogic Security Service, including an overview of its architecture and capabilities. It is the starting point for understanding WebLogic security.
Developing Security Providers for WebLogic Server—Provides security vendors and application developers with the information needed to develop custom security providers that can be used with WebLogic Server.
Securing a Production Environment—Highlights essential security measures for you to consider before you deploy WebLogic Server in a production environment.
Securing WebLogic Resources—Introduces the various types of WebLogic resources, and provides information about how to secure these resources using WebLogic Server. This document focuses primarily on securing URL (Web) and Enterprise JavaBean (EJB) resources.
Programming WebLogic Security—Describes how to develop secure Web applications.
Administration Console Online Help—Many security configuration tasks can be performed using the WebLogic Administration Console. The console's online help describes configuration procedures and provides a reference for configurable attributes.
Upgrading WebLogic Application Environments—Provides procedures and other information you need to upgrade from earlier versions of WebLogic Server to this release. It also provides information about moving applications from an earlier version of WebLogic Server to this release. For specific information on upgrading WebLogic Server security, see Upgrading a Security Provider in Upgrading WebLogic Application Environments.
Javadocs for WebLogic Classes—Provides reference documentation for the WebLogic security packages that are provided with and supported by this release of WebLogic Server.

Security Samples and Tutorials

In addition to the documents listed in Related Information, BEA Systems provides a variety of code samples for developers, some packaged with WebLogic Server and others available at http://dev2dev.bea.com .

Security Examples in the WebLogic Server Distribution

WebLogic Server optionally installs API code examples in WL_HOME\samples\server\examples\src\examples\security, where WL_HOME is the top-level directory of your WebLogic Server installation. You can start the examples server, and obtain information about the samples and how to run them from the WebLogic Server Start menu.

The following examples illustrate WebLogic security features:

Java Authentication and Authorization Service
Outbound and Two-way SSL

Additional Examples Available for Download

Additional API examples are available for download at http://dev2dev.bea.com . These examples are distributed as .zip files that you can unzip into an existing WebLogic Server samples directory structure.

You build and run the downloadable examples in the same manner as you would an installed WebLogic Server example. See the download pages of individual examples for more information.

New and Changed Security Features in This Release

WebLogic Server 9.1 introduces several important changes to WebLogic Server security:

New XACML Security Providers

WebLogic Server includes two new security providers, the XACML Authorization provider and the XACML Role Mapping provider. Previous releases of WebLogic Server used an authorization provider and a role mapping provider based on a proprietary security policy language. These new XACML security providers support the eXtensible Access Control Markup Language (XACML) 2.0 standard from OASIS. These providers can import, export, persist and execute policy expressed using all standard XACML 2.0 functions, attributes, and schema elements.

WebLogic domains created using WebLogic Server 9.1 include the new XACML providers by default. The new XACML providers are fully compatible with policies and roles created using the WebLogic Authorization provider (DefaultAuthorizer) and WebLogic Role Mapping provider (DefaultRoleMapper). Existing WebLogic domains that you upgrade to WebLogic Server 9.1 will continue to use the authorization and role mapping providers currently specified, such as third-party partner providers or the original WLS Authorization and Role Mapping providers. If you wish, you can migrate existing domains from using WLS proprietary providers to the XACML providers. As part of this migration, you can perform bulk imports of existing policies.

For more information, see Configure Authorization providers and Configure Role Mapping providers in the Administration Console online help.

SAML Configuration

Configuration of SAML assertion generation and consumption has changed. WebLogic Server 9.1 includes two new versions of SAML security providers, the SAML Credential Mapping Provider V2 and the SAML Identity Assertion Provider V2. Whereas in WebLogic Server 9.0, configuration of a SAML source site was centralized in the SAML Credential Mapper and configuration of a SAML destination site was centralized in the SAML Identity Asserter, in WebLogic 9.1, SAML source and destination site configuration occurs in the FederationServicesMBean. The new SAML security providers offer enhanced configuration of SAML Asserting Parties and Relying Parties.

The SAML Credential Mapping Provider V1 and SAML Identity Assertion Provider V1 are deprecated; you should use the V2 versions of the SAML Credential Mapping and SAML Identity Assertion providers. Although the version number of the providers has been incremented to V2, the new SAML security providers implement the SAML 1.1 standard, as did the V1 providers.

For more information, see Enhanced SAML Features in What's New in WebLogic Server 9.1 in WebLogic Server Release Notes, as well as Configuring Single Sign-On with Web Browsers and HTTP Clients.

Note: If you are not familiar with the new features provided in version 9.0 of WebLogic Server, see the What's New in WebLogic Server 9.0 section of the WebLogic Server Release Notes.