Fusion Middleware Control Help for WebLogic Server


Domain: Security: General

This page allows you to define the general security settings for this WebLogic Server domain. Use this page to change the default administrative security realm for the WebLogic domain.

Configuration Options

Name Description
Default Realm

The security realm that should be used as the default administrative realm for this WebLogic Server domain.

All available security realms are listed on the pull-down menu. If you configure a new security realm but do not configure all of the required security providers, the security realm will not be available from the pull-down menu. For a security realm to be valid, you must configure an Authentication provider, an Authorization provider, an Adjudication provider, a Credential Mapping provider, a CertPathBuilder, and a Role Mapping provider.

MBean Attribute:
SecurityConfigurationMBean.DefaultRealm

Changes take effect after you redeploy the module or restart the server.

Administrative Identity Domain

The domain's administrative identity domain.

MBean Attribute:
SecurityConfigurationMBean.AdministrativeIdentityDomain

Changes take effect after you redeploy the module or restart the server.

Identity Domain Aware Providers Required

Specifies whether all role mapping, authorization, credential mapping, and audit providers configured in the domain must support the IdentityDomainAwareProviderMBean interface's administrative identity domain.

MBean Attribute:
SecurityConfigurationMBean.IdentityDomainAwareProvidersRequired

Anonymous Admin Lookup Enabled

Specifies whether anonymous, read-only access to WebLogic Server MBeans should be allowed from the MBeanHome API.

With anonymous access enabled, you can see the value of any MBean attribute that is not explicitly marked as protected by the WebLogic Server MBean authorization process. This attribute should be enabled only for backward compatibility.

MBean Attribute:
SecurityConfigurationMBean.AnonymousAdminLookupEnabled

Changes take effect after you redeploy the module or restart the server.

Cross Domain Security Enabled

Specifies whether or not cross-domain security is enabled for the domain.

If you enable cross-domain security, you need to add one or more cross-domain users and specify a credential mapping that includes the credentials for each remote domain user that is authorized to access this domain.

MBean Attribute:
SecurityConfigurationMBean.CrossDomainSecurityEnabled

Excluded Domain Names

The remote domain names that are to be excluded from the cross-domain checks.

The list can contain semicolon-separated domain names on the same line, one domain name per line, or a combination of both.

MBean Attribute:
SecurityConfigurationMBean.ExcludedDomainNames

Advanced Configuration Options

Name Description
Security Interoperability Mode

Specifies the security mode of the communication channel used for XA calls between servers that participate in a global transaction. All server instances in a domain must have the same security mode setting.

Security Interoperability Mode options:

  • default

    The transaction coordinator makes calls using the kernel identity over an admin channel if it is enabled, and anonymous otherwise. Man-in-the-middle attacks are possible if the admin channel is not enabled.

  • performance

    The transaction coordinator makes calls using anonymous at all times. This implies a security risk since a malicious third party could then try to affect the outcome of transactions using a man-in-the-middle attack.

  • compatibility

    The transaction coordinator makes calls as the kernel identity over an insecure channel. This is a high security risk because a successful man-in-the-middle attack would allow the attacker to gain administrative control over both domains. This setting should only be used when strong network security is in place.

MBean Attribute:
JTAMBean.SecurityInteropMode

Changes take effect after you redeploy the module or restart the server.

Credential

The credential for this WebLogic Server domain. When a domain is created, a unique credential is generated for the domain. If you want to establish trust between two or more domains, decide on a credential that will be shared by the domains, then specify it here and in the other domains.

NodeManager Username

The user name that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.

MBean Attribute:
SecurityConfigurationMBean.NodeManagerUsername

NodeManager Password

The password that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.

When you get the value of this attribute, WebLogic Server does the following:

  1. Retrieves the value of the NodeManagerPasswordEncrypted attribute.

  2. Decrypts the value and returns the unencrypted password as a String.

When you set the value of this attribute, WebLogic Server does the following:

  1. Encrypts the value.

  2. Sets the value of the NodeManagerPasswordEncrypted attribute to the encrypted value.

Using this attribute (NodeManagerPassword) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, you should use NodeManagerPasswordEncrypted.

MBean Attribute:
SecurityConfigurationMBean.NodeManagerPassword

Changes take effect after you redeploy the module or restart the server.

Web App Files Case Insensitive

Specifies the case sensitive URL-pattern matching behavior for security-constraints, servlets, filters, virtual-hosts, etc. in the webapp container and external security policies. The valid values are os, true, or false. Note: This is a Windows-only flag that is provided for backward compatibility when upgrading from pre-9.0 versions of WebLogic Server. On Unix platforms, setting this value to true causes undesired behavior.

When the value is set to os, the pattern matching is case sensitive on all platforms except Windows. (Note that on non-Windows platforms, WebLogic Server does not enforce case sensitivity and relies on the file system for optimization. As a result, if you have a Windows Samba mount from UNIX or Mac OS that has been installed in case-insensitive mode, there is a chance of a security risk. If so, specify case insensitive lookups by setting this attribute to true.) This property also preserves backward compatibility on Windows file systems only. Prior to version 9.0, WebLogic Server was case insensitive on Windows platforms. However, as of WebLogic Server 9.0, URL-pattern matching is strictly enforced. During the upgrade of older domains, the value of this parameter is explicitly set to os by the upgrade plug-in to preserve backward compatibility.

Note: Setting this flag to true on Unix platforms causes undesired behavior and is not supported.

MBean Attribute:
SecurityConfigurationMBean.WebAppFilesCaseInsensitive

Changes take effect after you redeploy the module or restart the server.

Enforce Strict URL Pattern

Specifies whether the system should enforce the strict URL pattern, using " / " to represent the entire contents of a Web application.

This property is provided for backward compatibility with version 8.1. When this field is checked the system enforces the use of the " / " character as the default representation of an entire Web application in the security container. This is the standard Java EE syntax and is consistent with the syntax used by the Servlet container. In version 8.1 the security container used " /* " as the default representation of an entire Web application. If you want your applications to continue to use " /* " in this context you must change the value to false (unchecked). When set to false, the security container recognizes " /* " as the equivalent of " / " , thereby ensuring consistency with the Servlet container.

MBean Attribute:
SecurityConfigurationMBean.EnforceStrictURLPattern

Changes take effect after you redeploy the module or restart the server.

Downgrade Untrusted Principals

Specifies whether principals that cannot be verified are downgraded to anonymous.

This feature is useful for server-server communication between untrusted domains.

MBean Attribute:
SecurityConfigurationMBean.DowngradeUntrustedPrincipals

Principal Equals Case Insensitive

Specifies whether the WebLogic Server principal name is compared using a case insensitive match when the equals method for the principal object is performed.

If this attribute is enabled, matches are case insensitive.

Note: Principal comparison is not used by the WebLogic Security Service to determine access to protected resources. This attribute is intended for use with JAAS authorization, which may require case insensitive principal matching behavior.

MBean Attribute:
SecurityConfigurationMBean.PrincipalEqualsCaseInsensitive

Principal Equals Compare DN and GUID

Specifies whether the GUID and DN data in a WebLogic Server principal object are used when the equals method of that object is invoked.

If enabled, the GUID and DN data (if included among the attributes in a WebLogic Server principal object) and the principal name are compared when this method is invoked.

MBean Attribute:
SecurityConfigurationMBean.PrincipalEqualsCompareDnAndGuid

Compatibility Connection Filters Enabled

Specifies whether this WebLogic Server domain enables compatibility with previous connection filters.

Checking or unchecking this field changes the protocol names used when filtering is performed.

MBean Attribute:
SecurityConfigurationMBean.CompatibilityConnectionFiltersEnabled

Allow Security Management Operations if Non-dynamic Changes have been Made

Specifies whether security management operations are allowed if non-dynamic changes have been made and the Admin Server requires restart.

If a user makes changes to non-dynamic attributes of security MBeans and then activates the changes, by default that user cannot perform any security management operations until the server has been restarted. You can override this default behavior by checking this field. This permits users to perform security management operations without restarting the server. Note that this attribute is reset to false when a new console session starts.

Clear Text Credential Access Enabled

Specifies whether credential access in clear text is allowed. This can be overridden by the system property -Dweblogic.management.clearTextCredentialAccessEnabled.

MBean Attribute:
SecurityConfigurationMBean.ClearTextCredentialAccessEnabled

Use KSS For Demo

Specifies whether the Demo Identity and Demo Trust keystores should be obtained from the Oracle Key Store Service (KSS).

MBean Attribute:
SecurityConfigurationMBean.UseKSSForDemo

Changes take effect after you redeploy the module or restart the server.

Secured Production Mode

Specifies whether the domain will run in secured production mode. The domain must be in production mode to enable secured production mode.

MBean Attribute:
SecureModeMBean.SecureModeEnabled

Changes take effect after you redeploy the module or restart the server.

Restrictive JMX Policies

Specifies whether restrictive policies will be used for JMX authorization.

MBean Attribute:
SecureModeMBean.RestrictiveJMXPolicies

Warn on Insecure SSL

Specifies whether warnings should be logged if the SSL configuration is not secure.

MBean Attribute:
SecureModeMBean.WarnOnInsecureSSL

Changes take effect after you redeploy the module or restart the server.

Warn on Insecure File System

Specifies whether warnings should be logged if the File System is not secure.

MBean Attribute:
SecureModeMBean.WarnOnInsecureFileSystem

Changes take effect after you redeploy the module or restart the server.

Warn on Auditing

Specifies whether warnings should be logged if auditing is not enabled.

MBean Attribute:
SecureModeMBean.WarnOnAuditing

Changes take effect after you redeploy the module or restart the server.

Warn on Insecure Applications

Specifies whether warnings should be logged if applications are not secure.

MBean Attribute:
SecureModeMBean.WarnOnInsecureApplications

Changes take effect after you redeploy the module or restart the server.

Warn on Java Security Manager

Specifies whether warnings should be logged if the Java Security Manager is not enabled.

MBean Attribute:
SecureModeMBean.WarnOnJavaSecurityManager

Changes take effect after you redeploy the module or restart the server.
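
Added example (not part of the Oracle help page): a Python check over a dictionary of the attribute values described on this page, such as could be collected with WLST. The keys AdminChannelEnabled and ProductionMode are hypothetical inputs supplied by the caller, and the sample values are constructed.

```python
import re

# Warn* flags of SecureModeMBean listed on this page.
WARN_FLAGS = ("WarnOnInsecureSSL", "WarnOnInsecureFileSystem", "WarnOnAuditing",
              "WarnOnInsecureApplications", "WarnOnJavaSecurityManager")

def parse_excluded_domains(raw):
    """Split ExcludedDomainNames: semicolons, newlines, or a mix of both."""
    return [n.strip() for n in re.split(r"[;\r\n]+", raw or "") if n.strip()]

def audit(cfg):
    """Return (attribute, message) findings for a dict of attribute values."""
    findings = []
    mode = cfg.get("SecurityInteropMode")
    # AdminChannelEnabled is a hypothetical key: is an admin channel available?
    if mode == "default" and not cfg.get("AdminChannelEnabled"):
        findings.append(("SecurityInteropMode",
                         "default mode without an admin channel: XA calls are anonymous"))
    elif mode == "performance":
        findings.append(("SecurityInteropMode", "XA calls are always anonymous"))
    elif mode == "compatibility":
        findings.append(("SecurityInteropMode",
                         "kernel identity is sent over an insecure channel"))
    if cfg.get("AnonymousAdminLookupEnabled"):
        findings.append(("AnonymousAdminLookupEnabled",
                         "anonymous read-only MBean access is allowed"))
    excluded = parse_excluded_domains(cfg.get("ExcludedDomainNames"))
    if cfg.get("CrossDomainSecurityEnabled") and excluded:
        findings.append(("ExcludedDomainNames",
                         "excluded from cross-domain checks: " + ", ".join(excluded)))
    # ProductionMode is a hypothetical key: is the domain in production mode?
    if cfg.get("SecureModeEnabled") and not cfg.get("ProductionMode"):
        findings.append(("SecureModeEnabled", "requires production mode"))
    for flag in WARN_FLAGS:
        if cfg.get(flag) is False:  # only flags explicitly switched off
            findings.append((flag, "warning is switched off"))
    return findings

# Constructed sample values; the domain names are made up.
SAMPLE = {
    "SecurityInteropMode": "default", "AdminChannelEnabled": False,
    "AnonymousAdminLookupEnabled": True, "CrossDomainSecurityEnabled": True,
    "ExcludedDomainNames": "legacy_domain; test_domain\nstaging_domain;",
    "SecureModeEnabled": True, "ProductionMode": True, "WarnOnAuditing": False,
}

if __name__ == "__main__":
    for attribute, message in audit(SAMPLE):
        print(f"{attribute}: {message}")
```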
