17 Configuring the Password Validation Provider

Oracle WebLogic Server includes a Password Validation provider, which is configured by default in each security realm. The Password Validation provider manages and enforces a set of configurable password composition rules, and is automatically invoked by a supported authentication provider whenever a password is created or updated for a user in the realm. When invoked, the Password Validation provider performs a check to determine whether the password meets the criteria established by the composition rules. The password is then accepted or rejected as appropriate.

This chapter includes the following sections:

About the Password Validation Provider

Several WebLogic Authentication providers can be used with the Password Validation provider. This includes the following:
  • WebLogic Authentication provider

  • SQL Authenticator provider

  • LDAP Authentication provider

  • Oracle Internet Directory Authentication Provider

  • Oracle Virtual Directory Authentication Provider

  • Active Directory Authentication provider

  • ODSEE Authentication provider

  • Novell Authentication provider

  • Open LDAP Authentication provider

For information about configuring the Password Validation provider in the WebLogic Server Administration Console, see Configure the Password Validation provider in the Oracle WebLogic Server Administration Console Online Help.

Password Composition Rules for the Password Validation Provider

By default, the Password Validation provider is configured to require passwords that have a minimum length of eight characters. When used with one of the supported LDAP authentication providers listed in the preceding section, the Password Validation provider also requires that passwords meet the additional criteria listed in Table 17-1.

Note:

Passwords cannot contain a curly brace ("{") as the first character.

Table 17-1 Additional Password Composition Rules Required by Password Validation Provider When Used with an LDAP Authentication Provider

LDAP Authentication Provider Additional Password Composition Requirement
  • Oracle Internet Directory Authentication provider

  • Oracle Virtual Directory Authentication provider

At least one of the characters in the password must be numeric.

  • WebLogic Authentication provider

  • LDAP Authentication provider

  • Active Directory Authentication provider

  • ODSEE Authentication provider

  • Novell Authentication provider

  • Open LDAP Authentication provider

At least one of the characters in the password must be non-alphabetic. For example, a numeric character, an asterisk (*), or an octothorpe (#).

The password composition rules you optionally can configure for the Password Validation provider include the following:

  • User name policies — Rules that determine whether the password may consist of or contain the user's name, or the reverse of that name

  • Password length policies — Rules for the minimum or maximum number of characters in a password (composition rules may specify both a minimum and maximum length)

  • Character policies — Rules regarding the inclusion of the following characters in the password:

    • Numeric characters

    • Lowercase alphabetic characters

    • Uppercase alphabetic characters

    • Non-alphanumeric characters

For information about the specific composition rules that may be configured for the Password Validation provider, including the settings for these rules that Oracle recommends for a production environment, see System Password Validation Provider: Provider Specific in the Oracle WebLogic Server Administration Console Online Help.

Note:

Setting password composition rules is only one component of hardening the WebLogic Server environment against brute-force password attacks. To protect user accounts, you should also configure user lockout. User lockout specifies the number of incorrect passwords that may be entered within a given interval of time before the user is locked out of his or her account. See Protecting User Accounts.

Using the Password Validation Provider with the WebLogic Authentication Provider

To use the Password Validation provider in conjunction with the WebLogic Authentication provider, ensure that the minimum password length is the same for both providers. Set the minimum password length for WebLogic Authentication provider using the Administration console.

By default, the WebLogic Authentication provider requires a minimum password length of 8 characters, of which one is non-alphabetic. However, the minimum password length enforced by this provider can be customized. If the WebLogic Authentication provider and Password Validation provider are both configured in the security realm, and you attempt to create a password that does not meet the minimum length enforced by the WebLogic Authentication provider, an error is generated. For example, the following message is displayed in the WebLogic Server Administration Console:

Error [Security:090285]password must be at least 8 characters long
Error Errors must be corrected before proceeding.

If the WebLogic Authentication provider rejects a password because it does not meet the minimum length requirement, the Password Validation provider is not called. To ensure that the Password Validator is always used in conjunction with the WebLogic Authentication provider, make sure that the minimum password length is the same for both providers.

Using the WebLogic Server Administration Console, you can set the minimum password length for WebLogic Authentication provider by completing the following steps:

  1. If you have not already done so, in the Change Center of the WebLogic Server Administration Console, click Lock & Edit.
  2. In the left pane, select Security Realms and click the name of the realm you are configuring (for example, myrealm).
  3. Select Providers > Authentication and click DefaultAuthenticator.
  4. Select Configuration > Provider Specific and enter the minimum password length in the field labeled Minimum Password Length.
  5. Click Save to save your changes.
  6. To activate these changes, in the Change Center, click Activate Changes.

For information about how to set the minimum password length in the Password Validation provider, see Using WLST to Create and Configure the Password Validation Provider.

Using the Password Validation Provider with an LDAP Authentication Provider

When the Password Validation provider and an LDAP Authentication provider are configured in the security realm, passwords are validated through two separate policy checks: one from Password Validation provider, and the other from the LDAP server, which has its own password policy check. For example, Oracle Internet Directory has its own password validation mechanism, which is controlled by the LDAP server administrator. These two password validation mechanisms are separate, and each has its own set of password composition rules. If the composition rules are inconsistent, failures may occur in the WebLogic Server Administration Console when you try to create or reset a password, even if the rules for the Password Validation provider are enforced. Therefore you should make sure that the password composition rules for the Password Validation provider do not conflict with those for the LDAP server.

Using WLST to Create and Configure the Password Validation Provider

The Password Validation provider can be administered in the security realm via a WLST script that performs operations on the SystemPasswordValidatorMBean, described in MBean Reference for Oracle WebLogic Server. You may create and configure the Password Validation provider from a single WLST script, or you may have separate scripts that perform these functions separately. The following topics explain how, providing sample WLST code snippets:

Creating an Instance of the Password Validation Provider

The Password Validation provider is created automatically in the security realm when you create a new domain. However, you can use WLST to create one as well, as shown in Example 17-1. This code does the following:

  1. Gets the current realm and Password Validation provider.
  2. Determines whether an instance of the Password Validator provider (named SystemPasswordValidator) has been created:
    • If the provider has been created, the script displays a message confirming its presence.

    • If the provider has not been created, the script creates it in the security realm and displays a message indicating that it has been created.

Example 17-1 Creating the System Password Validator

edit()
startEdit()

realm = cmo.getSecurityConfiguration().getDefaultRealm()
pwdvalidator = realm.lookupPasswordValidator('SystemPasswordValidator')

if pwdvalidator:
   print 'Password Validator provider is already created'

else:
# Create SystemPasswordValidator
 syspwdValidator = realm.createPasswordValidator('SystemPasswordValidator', 
 'com.bea.security.providers.authentication.passwordvalidator.SystemPasswordValidator')
 print "---  Creation of System Password Validator succeeded!"

save()
activate()

Specifying the Password Composition Rules

The following example shows the WLST code that sets the composition rules for the Password Validation provider. For information about the rule attributes that can be set in this script, see the description of the SystemPasswordValidatorMBean in the MBean Reference for Oracle WebLogic Server.

edit()
startEdit()

# Configure SystemPasswordValidator
try:
  pwdvalidator.setMinPasswordLength(8)
  pwdvalidator.setMaxPasswordLength(12)
  pwdvalidator.setMaxConsecutiveCharacters(3)
  pwdvalidator.setMaxInstancesOfAnyCharacter(4)
  pwdvalidator.setMinAlphabeticCharacters(1)
  pwdvalidator.setMinNumericCharacters(1)
  pwdvalidator.setMinLowercaseCharacters(1)
  pwdvalidator.setMinUppercaseCharacters(1)
  pwdvalidator.setMinNonAlphanumericCharacters(1)
  pwdvalidator.setMinNumericOrSpecialCharacters(1)
  pwdvalidator.setRejectEqualOrContainUsername(true)
  pwdvalidator.setRejectEqualOrContainReverseUsername(true)
  print " --- Configuration of SystemPasswordValidator complete  ---"
except Exception,e:
        print e

save()
activate()