Contents for Securing WebLogic Server
Introduction and Roadmap
Document Scope
Document Audience
Guide to This Document
Related Information
Security Samples and Tutorials
Security Examples in the WebLogic Server Distribution
Additional Examples Available for Download
New and Changed Security Features in This Release
New XACML Security Providers
SAML Configuration
Overview of Security Management
Security Realms in WebLogic Server
Security Providers
Security Policies and WebLogic Resources
WebLogic Resources
Deployment Descriptors and the WebLogic Server Administration Console
The Default Security Configuration in WebLogic Server
Configuring WebLogic Security: Main Steps
Methods of Configuring Security
What Is Compatibility Security?
Management Tasks Available in Compatibility Security
Customizing the Default Security Configuration
Why Customize the Default Security Configuration?
Before You Create a New Security Realm
Creating and Configuring a New Security Realm: Main Steps
Configuring WebLogic Security Providers
When Do You Need to Configure a Security Provider?
Configuring an Authorization Provider
Configuring the WebLogic Adjudication Provider
Configuring a Role Mapping Provider
Configuring the WebLogic Auditing Provider
Auditing ContextHandler Elements
Configuration Auditing
Enabling Configuration Auditing
Configuration Auditing Messages
Audit Events and Auditing Providers
Configuring a WebLogic Credential Mapping Provider
Configuring a PKI Credential Mapping Provider
PKI Credential Mapper Attributes
Credential Actions
Configuring a SAML Credential Mapping Provider
SAML Credential Mapping Providers in WebLogic Server
Relying Party Registry
Configuring the Credential Lookup and Validation Framework
CertPath Provider
Certificate Registry
Configuring a WebLogic Keystore Provider
Configuring Authentication Providers
Choosing an Authentication Provider
Using More Than One Authentication Provider
Setting the JAAS Control Flag Option
Changing the Order of Authentication Providers
Configuring the WebLogic Authentication Provider
Configuring LDAP Authentication Providers
Requirements for Using an LDAP Authentication Provider
Configuring an LDAP Authentication Provider: Main Steps
Accessing Other LDAP Servers
Dynamic Groups and WebLogic Server
Configuring Failover for LDAP Authentication Providers
LDAP Failover Example 1
LDAP Failover Example 2
Improving the Performance of WebLogic and LDAP Authentication Providers
Optimizing the Group Membership Caches
Configuring Dynamic Groups in the iPlanet Authentication Provider to Improve Performance
Optimizing the Principal Validator Cache
Configuring the Active Directory Authentication Provider to Improve Performance
Configuring RDBMS Authentication Providers
Common RDBMS Authentication Provider Attributes
Data Source Attribute
Group Searching Attributes
Group Caching Attributes
Configuring the SQL Authentication Provider
Password Attributes
SQL Statement Attributes
Configuring the Read-Only SQL Authenticator
Configuring the Custom DBMS Authenticator
Plug-In Class Attributes
Configuring a Windows NT Authentication Provider
Domain Controller Settings
LogonType Setting
UPN Names Settings
Configuring Identity Assertion Providers
How an LDAP X509 Identity Assertion Provider Works
Configuring an LDAP X509 Identity Assertion Provider: Main Steps
Configuring a Negotiate Identity Assertion Provider
Configuring a SAML Identity Assertion Provider
Asserting Party Registry
Certificate Registry
Ordering of Identity Assertion for Servlets
Configuring Identity Assertion Performance in the Server Cache
Configuring a User Name Mapper
Configuring a Custom User Name Mapper
Configuring Single Sign-On with Microsoft Clients
Overview of Single Sign-On with Microsoft Clients
System Requirements for SSO with Microsoft Clients
Single Sign-On with Microsoft Clients: Main Steps
Configuring Your Network Domain to Use Kerberos
Creating a Kerberos Identification for WebLogic Server
Configuring Microsoft Clients to Use Windows Integrated Authentication
Configuring a .NET Web Service
Configuring an Internet Explorer Browser
Configure Local Intranet Domains
Configure Intranet Authentication
Verify the Proxy Settings
Set Integrated Authentication for Internet Explorer 6.0
Creating a JAAS Login File
Configuring the Identity Assertion Provider
Using Startup Arguments for Kerberos Authentication with WebLogic Server
Verifying Configuration of SSO with Microsoft Clients
Configuring Single Sign-On with Web Browsers and HTTP Clients
Overview of SAML-Based Single Sign-On
Single Sign-on with SAML: Main Steps
Configuring a SAML Source Site for Single Sign-On
Configure SAML Credential Mapping Provider
Configure Source Site Federation Services
Configure Relying Parties
Configure Supported Profiles
Assertion Consumer Parameters
Replacing the Default Assertion Store
Configuring a SAML Destination Site for Single Sign-On
Configure SAML Identity Assertion Provider
Configure Destination Site Federation Services
Enable the SAML Destination Site
Set Assertion Consumer URIs
Configure SSL for the Assertion Consumer Service
Add SSL Client Identity Certificate
Configure Single-Use Policy and the Used Assertion Cache or Custom Assertion Cache
Configure Recipient Check for POST Profile
Configuring Asserting Parties
Configure Supported Profiles
Configure Source Site ITS Parameters
Configuring Relying and Asserting Parties with WLST
Migrating Security Data
Overview of Security Data Migration
Migration Concepts
Formats and Constraints Supported by WebLogic Security Providers
Migrating Data with WLST
Migrating Data Using weblogic.admin
Managing the Embedded LDAP Server
Configuring the Embedded LDAP Server
Embedded LDAP Server Replication
Viewing the Contents of the Embedded LDAP Server from an LDAP Browser
Exporting and Importing Information in the Embedded LDAP Server
LDAP Access Control Syntax
The Access Control File
Access Control Location
Access Control Scope
Access Rights
Attribute Permissions
Entry Permissions
Attributes Types
Subject Types
Grant/Deny Evaluation Rules
Configuring Identity and Trust
Private Keys, Digital Certificates, and Trusted Certificate Authorities
Configuring Identity and Trust: Main Steps
Supported Formats for Identity and Trust
Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authorities
Common Keytool Commands
Using the CertGen Utility
Using Your Own Certificate Authority
Converting a Microsoft p7b Format to PEM Format
Obtaining a Digital Certificate for a Web Browser
Using Certificate Chains (Deprecated)
Storing Private Keys, Digital Certificates, and Trusted Certificate Authorities
Guidelines for Using Keystores
Creating a Keystore and Loading Private Keys and Trusted Certificate Authorities into the Keystore
How WebLogic Server Locates Trust
Configuring Keystores for Production
Configuring SSL
SSL: An Introduction
One-Way and Two-Way SSL
Setting Up SSL: Main Steps
Using Host Name Verification
Enabling SSL Debugging
SSL Session Behavior
Configuring RMI over IIOP with SSL
SSL Certificate Validation
Controlling the Level of Certificate Validation
Checking Certificate Chains
Using Certificate Lookup and Validation Providers
How SSL Certificate Validation Works in WebLogic Server
Troubleshooting Problems with Certificate Validation
Using the nCipher JCE Provider with WebLogic Server
Specifying the Version of the SSL Protocol
Configuring Security for a WebLogic Domain
Enabling Trust Between WebLogic Server Domains
Using Connection Filters
Using the Java Authorization Contract for Containers
Viewing MBean Attributes
How Passwords Are Protected in WebLogic Server
Protecting User Accounts
Using Compatibility Security
Running Compatibility Security: Main Steps
Limited Visibility of Compatibility Security MBeans
The Default Security Configuration in the CompatibilityRealm
Configuring a Realm Adapter Authentication Provider
Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider
Configuring a Realm Adapter Auditing Provider
Protecting User Accounts in Compatibility Security
Accessing 6.x Security from Compatibility Security
Security Configuration MBeans
SSLMBean
ServerMBean
EmbeddedLDAPMBean
SecurityMBean
SecurityConfigurationMBean
RealmMBean
WindowsNTAuthenticatorMBean
CustomDBMSAuthenticatorMBean
ReadonlySQLAuthenticatorMBean
SQLAuthenticatorMBean
DefaultAuditorMBean
Compatibility Security MBeans
UserLockoutManagerMBean
Other Security Provider MBeans