Contents
Title and Copyright Information
Preface
Documentation Accessibility
Conventions
1 Introduction and Roadmap
Document Scope
Document Audience
Guide to This Document
Related Information
Security Samples and Tutorials
Security Examples in the WebLogic Server Distribution
New and Changed Security Features
2 Overview of Security Management
Security Realms in WebLogic Server
Security Providers
Security Policies and WebLogic Resources
WebLogic Resources
Deployment Descriptors and the WebLogic Server Administration Console
The Default Security Configuration in WebLogic Server
Configuring WebLogic Security: Main Steps
Methods of Configuring Security
What Is Compatibility Security?
Management Tasks Available in Compatibility Security
3 Customizing the Default Security Configuration
Why Customize the Default Security Configuration?
Before You Create a New Security Realm
Creating and Configuring a New Security Realm: Main Steps
4 Configuring WebLogic Security Providers
When Do You Need to Configure a Security Provider?
Reordering Security Providers
Configuring an Authorization Provider
Configuring the WebLogic Adjudication Provider
Configuring a Role Mapping Provider
Configuring the WebLogic Auditing Provider
Auditing ContextHandler Elements
Enabling Configuration Auditing
Configuration Auditing Messages
Audit Events and Auditing Providers
Configuring a WebLogic Credential Mapping Provider
Configuring a PKI Credential Mapping Provider
PKI Credential Mapper Attributes
Credential Actions
Configuring a SAML Credential Mapping Provider for SAML 1.1
Configuring Assertion Lifetime
Relying Party Registry
Configuring a SAML 2.0 Credential Mapping Provider for SAML 2.0
SAML 2.0 Credential Mapping Provider Attributes
Service Provider Partners
Partner Lookup Strings Required for Web Service Partners
Management of Partner Certificates
Java Interface for Configuring Service Provider Partner Attributes
Configuring the Certificate Lookup and Validation Framework
CertPath Provider
Certificate Registry
Configuring a WebLogic Keystore Provider
5 Configuring Authentication Providers
Choosing an Authentication Provider
Using More Than One Authentication Provider
Setting the JAAS Control Flag Option
Changing the Order of Authentication Providers
Configuring the WebLogic Authentication Provider
Setting User Attributes
Configuring LDAP Authentication Providers
Requirements for Using an LDAP Authentication Provider
Configuring an LDAP Authentication Provider: Main Steps
Accessing Other LDAP Servers
Dynamic Groups and WebLogic Server
Use of GUID and LDAP DN Data in WebLogic Principals
Configuring Users and Groups in the Oracle Internet Directory and Oracle Virtual Directory Authentication Providers
Configuring User and Group Name Types
Configuring Static Groups
Configuring Failover for LDAP Authentication Providers
LDAP Failover Example 1
LDAP Failover Example 2
Improving the Performance of WebLogic and LDAP Authentication Providers
Optimizing the Group Membership Caches
Configuring Dynamic Groups in the iPlanet Authentication Provider to Improve Performance
Optimizing the Principal Validator Cache
Configuring the Active Directory Authentication Provider to Improve Performance
Configuring RDBMS Authentication Providers
Common RDBMS Authentication Provider Attributes
Data Source Attribute
Group Searching Attributes
Group Caching Attributes
Configuring the SQL Authentication Provider
Password Attributes
SQL Statement Attributes
Configuring the Read-Only SQL Authenticator
Configuring the Custom DBMS Authenticator
Plug-In Class Attributes
Configuring a Windows NT Authentication Provider
Domain Controller Settings
LogonType Setting
UPN Names Settings
Configuring the SAML Authentication Provider
Configuring the Password Validation Provider
Password Composition Rules for the Password Validation Provider
Using the Password Validation Provider with the WebLogic Authentication Provider
Using WLST to Create and Configure the Password Validation Provider
Creating an Instance of the Password Validation Provider
Specifying the Password Composition Rules
Configuring Identity Assertion Providers
How an LDAP X509 Identity Assertion Provider Works
Configuring an LDAP X509 Identity Assertion Provider: Main Steps
Configuring a Negotiate Identity Assertion Provider
Configuring a SAML Identity Assertion Provider for SAML 1.1
Asserting Party Registry
Certificate Registry
Configuring a SAML 2.0 Identity Assertion Provider for SAML 2.0
Identity Provider Partners
Ordering of Identity Assertion for Servlets
Configuring Identity Assertion Performance in the Server Cache
Configuring a User Name Mapper
Configuring a Custom User Name Mapper
6 Configuring Single Sign-On with Microsoft Clients
Overview of Single Sign-On with Microsoft Clients
System Requirements for SSO with Microsoft Clients
Single Sign-On with Microsoft Clients: Main Steps
Configuring Your Network Domain to Use Kerberos
Creating a Kerberos Identification for WebLogic Server
Step 1: Create a User Account for the Host Computer
Step 2: Configure the User Account to Comply with Kerberos
Step 3: Define a Service Principal Name and Create a Keytab for the Service
Defining an SPN and Creating a Keytab on Windows Systems
Defining an SPN and Creating a Keytab on UNIX Systems
Step 4: Verify Correct Setup
Configuring Microsoft Clients to Use Windows Integrated Authentication
Configuring a .NET Web Service
Configuring an Internet Explorer Browser
Configure Local Intranet Domains
Configure Intranet Authentication
Verify the Proxy Settings
Set Integrated Authentication for Internet Explorer 6.0
Configuring a Mozilla Firefox Browser
Creating a JAAS Login File
Configuring the Identity Assertion Provider
Using Startup Arguments for Kerberos Authentication with WebLogic Server
Verifying Configuration of SSO with Microsoft Clients
7 Configuring Single Sign-On with Web Browsers and HTTP Clients
Configuring SAML 1.1 Services
Enabling Single Sign-on with SAML 1.1: Main Steps
Configuring a Source Site: Main Steps
Configuring a Destination Site: Main Steps
Configuring a SAML 1.1 Source Site for Single Sign-On
Configure the SAML 1.1 Credential Mapping Provider
Configure the Source Site Federation Services
Configure Relying Parties
Replacing the Default Assertion Store
Configuring a SAML 1.1 Destination Site for Single Sign-On
Configure SAML Identity Assertion Provider
Configure Destination Site Federation Services
Configuring Asserting Parties
Configuring Relying and Asserting Parties with WLST
Creating Assertions for Non-WebLogic SAML 1.1 Relying Parties
Overview of Creating a Custom SAML Name Mapper
Do You Need Multiple SAMLCredentialAttributeMapper Implementations?
Classes, Interfaces, and Methods
Example Custom SAMLCredentialAttributeMapper Class
Make the Custom SAMLCredentialAttributeMapper Class Available in the Console
Configuring SAML 2.0 Services
Configuring SAML 2.0 Services: Main Steps
Configuring SAML 2.0 General Services
About SAML 2.0 General Services
Publishing and Distributing the Metadata File
Configuring an Identity Provider Site for SAML 2.0 Single Sign-On
Configure the SAML 2.0 Credential Mapping Provider
Configure SAML 2.0 Identity Provider Services
Create and Configure Web Single Sign-On Service Provider Partners
Configuring a Service Provider Site for SAML 2.0 Single Sign-On
Configure the SAML 2.0 Identity Assertion Provider
Configure the SAML Authentication Provider
Configure SAML 2.0 General Services
Configure SAML 2.0 Service Provider Services
Create and Configure Web Single Sign-On Identity Provider Partners
Viewing Partner Site, Certificate, and Service Endpoint Information
Web Application Deployment Considerations for SAML 2.0
Deployment Descriptor Recommendations
Login Application Considerations for Clustered Environments
Enabling Force Authentication and Passive Attributes is Invalid
8 Migrating Security Data
Overview of Security Data Migration
Migration Concepts
Formats and Constraints Supported by WebLogic Security Providers
Migrating Data with WLST
9 Managing the Embedded LDAP Server
Configuring the Embedded LDAP Server
Embedded LDAP Server Replication
Viewing the Contents of the Embedded LDAP Server from an LDAP Browser
Exporting and Importing Information in the Embedded LDAP Server
LDAP Access Control Syntax
The Access Control File
Access Control Location
Access Control Scope
Access Rights
Attribute Permissions
Entry Permissions
Attribute Types
Subject Types
Grant/Deny Evaluation Rules
10 Managing the RDBMS Security Store
Security Providers that Use the RDBMS Security Store
Configuring the RDBMS Security Store
Create a Domain with the RDBMS Security Store
Specifying Database Connection Properties
Testing the Database Connection
Create RDBMS Tables in the Security Datastore
Configure a JMS Topic for the RDBMS Security Store
Configuring JMS Connection Recovery in the Event of Failure
Upgrading a Domain to Use the RDBMS Security Store
11 Configuring Identity and Trust
Private Keys, Digital Certificates, and Trusted Certificate Authorities
Configuring Identity and Trust: Main Steps
Supported Formats for Identity and Trust
Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authorities
Common Keytool Commands
Using the CertGen Utility
Command Syntax and Examples
Limitation on CertGen Usage
Using Your Own Certificate Authority
Converting a Microsoft p7b Format to PEM Format
Obtaining a Digital Certificate for a Web Browser
Using Certificate Chains (Deprecated)
Storing Private Keys, Digital Certificates, and Trusted Certificate Authorities
Guidelines for Using Keystores
Creating a Keystore and Loading Private Keys and Trusted Certificate Authorities into the Keystore
Configuring Demo Certificates for Clients
How WebLogic Server Locates Trust
Configuring Keystores for Production
12 Configuring SSL
SSL: An Introduction
One-Way and Two-Way SSL
Setting Up SSL: Main Steps
Using Host Name Verification
Enabling SSL Debugging
SSL Session Behavior
Configuring RMI over IIOP with SSL
SSL Certificate Validation
Controlling the Level of Certificate Validation
Accepting Certificate Policies in Certificates
Checking Certificate Chains
Using Certificate Lookup and Validation Providers
How SSL Certificate Validation Works in WebLogic Server
Troubleshooting Problems with Certificate Validation
Using the nCipher JCE Provider with WebLogic Server
Specifying the Version of the SSL Protocol
13 Configuring Security for a WebLogic Domain
Important Information Regarding Cross-Domain Security Support
Enabling Trust Between WebLogic Server Domains
Enabling Cross Domain Security Between WebLogic Server Domains
Configuring Cross-Domain Security
Configuring a Cross-Domain User
Configure a Credential Mapping for Cross-Domain Security
Enabling Global Trust
Using Connection Filters
Using the Java Authorization Contract for Containers
Viewing MBean Attributes
How Passwords Are Protected in WebLogic Server
Protecting User Accounts
Configuring a Domain to Use JAAS Authorization
14 Using Compatibility Security
Running Compatibility Security: Main Steps
Limited Visibility of Compatibility Security MBeans
The Default Security Configuration in the CompatibilityRealm
Configuring a Realm Adapter Authentication Provider
Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider
Configuring a Realm Adapter Auditing Provider
Protecting User Accounts in Compatibility Security
Accessing 6.x Security from Compatibility Security
15 Security Configuration MBeans
SSLMBean
ServerMBean
EmbeddedLDAPMBean
RDBMSSecurityStoreMBean
SecurityMBean
SecurityConfigurationMBean
RealmMBean
WindowsNTAuthenticatorMBean
CustomDBMSAuthenticatorMBean
ReadonlySQLAuthenticatorMBean
SQLAuthenticatorMBean
DefaultAuditorMBean
Compatibility Security MBeans
UserLockoutManagerMBean
Other Security Provider MBeans