Administration Console Online Help


Configure the RDBMS security store

Before you begin

Before you configure the RDBMS security store, you must complete the steps described in the following topics:


WebLogic Server provides the option of using an external RDBMS as a datastore for the following security providers:

The RDBMS security store is required to use SAML 2.0 services in two or more WebLogic Server instances in a domain, such as in a cluster.

To configure the RDBMS security store:

  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
  2. In the left pane, select Security Realms.
  3. On the Summary of Security Realms page, select the name of the realm (for example, myrealm).
  4. On the Settings for RealmName page, select RDBMS Security Store.
  5. Ensure the following attributes are set. If they are not set as described in the following list, the domain could be configured incorrectly.

    Note:

    • Changing the settings of the RDBMS Security Store Enabled attribute, or the database settings specified here, could result in a domain that cannot be booted if the security providers are unable to access their security policy data. As a best practice, you should avoid modifying the preceding settings of the RDBMS security store once it has been created by the Configuration Wizard.
    • If the RDBMS Security Store Enabled attribute is enabled, any security provider that is identified in this help topic and that is created in the security realm will use the RDBMS security store only, and not the embedded LDAP server. WebLogic Server does not support the ability to override this behavior for any of those providers.
    • Enabling the RDBMS security store has no effect on any security provider that is not included among those identified in this help topic.
  6. In the section labeled Server Synchronization Configuration, specify the appropriate settings for JNDI and JMS so that the RDBMS security store can cache database information in memory correctly. If the RDBMS is running in more than one JVM -- for example, the domain has multiple servers, or other Oracle products are sharing the same RDBMS store with the new domain -- these caches must be synchronized to ensure the integrity of the security data.

    To configure server synchronization:

    1. Specify a JNDI user name and password. This can be any valid user in the security realm who has access to JNDI.
    2. Create a JMS topic. You may reuse an existing one, if desired. For information, see Configure topics.

    Caution: Failure to configure JMS notifications in a multiserver domain in which the RDBMS security store is configured may result in a security vulnerability.

  7. Click Save.
  8. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately—some require a restart (see Use the Change Center).
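
The caution in step 6 can be checked offline by auditing a copy of the domain's config.xml for an RDBMS security store that has no JMS topic while more than one server is defined. This is an added example, not Oracle's code; the element names (rdbms-security-store, jndi-username, jms-topic) and the sample document are assumptions constructed for illustration, so verify them against your own config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real domain. Element names are assumptions
# modelled on WebLogic's config.xml naming; check them against your own file.
SAMPLE_CONFIG = """\
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <security-configuration>
    <realm>
      <name>myrealm</name>
      <rdbms-security-store>
        <jndi-username>jndiuser</jndi-username>
      </rdbms-security-store>
    </realm>
  </security-configuration>
  <server><name>AdminServer</name></server>
  <server><name>managed1</name></server>
</domain>
"""

def local(tag):
    """Strip the XML namespace so lookups work with or without one."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent/empty."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_rdbms_store(config_xml):
    """Return findings for realms whose RDBMS store lacks synchronization settings."""
    root = ET.fromstring(config_xml)
    # Servers are counted as direct children of the domain element.
    servers = [e for e in root if local(e.tag) == "server"]
    findings = []
    for realm in (e for e in root.iter() if local(e.tag) == "realm"):
        name = child_text(realm, "name") or "(unnamed)"
        for store in (e for e in realm if local(e.tag) == "rdbms-security-store"):
            if not child_text(store, "jndi-username"):
                findings.append(f"{name}: no JNDI user name set")
            if not child_text(store, "jms-topic"):
                scope = "multiserver domain" if len(servers) > 1 else "single server"
                findings.append(f"{name}: no JMS topic set ({scope})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_rdbms_store(SAMPLE_CONFIG)))
```

A finding marked "multiserver domain" corresponds to the condition the caution describes; a realm with no rdbms-security-store element produces no findings.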

Result

The domain is now configured so that any of the security providers identified in this help topic that are created in the security realm will use the RDBMS security store.

After you finish

If the JMS topic with which the RDBMS security store is configured goes down, see Managing the RDBMS Security Store for important information about restoring it.
