SecurityConfigurationMBean



Overview

Provides domain-wide security configuration information.

       
Since 7.0.0.0
Fully Qualified Interface Name If you use the getMBeanInfo operation in MBeanTypeServiceMBean, supply the following value as this MBean's fully qualified interface name:
weblogic.management.configuration.SecurityConfigurationMBean
Factory Methods No factory methods. Instances of this MBean are created automatically.
Access Points You can access this MBean from the following MBean attributes:


    Related MBeans

    This section describes attributes that provide access to other MBeans.


    CertRevoc

    Determines the domain's X509 certificate revocation checking configuration.

    A CertRevocMBean is always associated with a domain's security configuration and cannot be changed, although CertRevocMBean attributes may be changed as documented.

           
    Factory Methods No explicit creator method. The child shares the lifecycle of its parent.
    Privileges Read only
    Type CertRevocMBean
    Relationship type: Containment.

    DefaultRealm

    Returns the default security realm or null if no realm has been selected as the default security realm.

               
    Lookup Operation lookupRealm(String name)

    Returns a javax.management.ObjectName for the instance of RealmMBean named name.

    Privileges Read/Write
    Type RealmMBean
    Relationship type: Reference.
    Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

    JASPIC

    Creates a Jaspic MBean from which AuthConfigProviders can be created and configured.

           
    Factory Methods No explicit creator method. The child shares the lifecycle of its parent.
    Privileges Read only
    Type JASPICMBean
    Relationship type: Containment.

    Realms

    Returns all the realms in the domain.

               
    Factory Methods createRealm (java.lang.String name)

    destroyRealm (RealmMBean realm)

    Factory methods do not return objects.

    See Using factory methods.

    Lookup Operation lookupRealm(String name)

    Returns a javax.management.ObjectName for the instance of RealmMBean named name.

    Privileges Read only
    Type RealmMBean[]
    Relationship type: Containment.

    SecureMode

    Returns the SecureMode MBean that contains attributes that control the behavior of Secure Mode.

           
    Factory Methods No explicit creator method. The child shares the lifecycle of its parent.
    Privileges Read only
    Type SecureModeMBean
    Relationship type: Containment.


    Attributes

    This section describes the following attributes:


    AdministrativeIdentityDomain

    Domain's administrative identity domain.

           
    Available Since Release 12.2.1.0.0
    Privileges Read/Write
    Type java.lang.String

    AnonymousAdminLookupEnabled

    Returns true if anonymous JNDI access for Admin MBean home is permitted. This is overridden by the Java property -Dweblogic.management.anonymousAdminLookupEnabled.

    Deprecated. 12.2.1.0.0

           
    Privileges Read/Write
    Type boolean

    BootAuthenticationMaxRetryDelay

    The maximum length of time, in milliseconds, the boot process will wait before retrying the authentication after a login server not available exception. The boot process will use a backoff algorithm starting at 100 milliseconds increasing on each failure until the delay time reaches the MaxRetryDelay value.

           
    Privileges Read/Write
    Type long
    Default Value 60000

    BootAuthenticationRetryCount

    The maximum number of times the boot process will try to authenticate the boot user with the authentication providers. The authentication will be retried only if a failure occurs that indicates the login server is not available.

           
    Privileges Read/Write
    Type int
    Minimum value 0

    CachingDisabled

    Private property that disables caching in proxies.

    This attribute is not dynamic and requires a server restart to take effect.

           
    Privileges Read only
    Type boolean
    Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

    CheckCertificatesExpirationDays

    Returns the number of days before certificate expiration that warnings should be issued.

    This attribute was added in the July 2021 Patch Set Update (PSU).

           
    Privileges Read/Write
    Type int
    Default Value 30
    Minimum value 1

    CheckCertificatesIntervalDays

    Returns the interval between checks for certificate expiration.

    This attribute was added in the July 2021 Patch Set Update (PSU).

           
    Privileges Read/Write
    Type int
    Default Value 1
    Minimum value 1

    CheckIdentityCertificates

    Returns true if identity certificates should be checked periodically for expiration.

    This attribute was added in the July 2021 Patch Set Update (PSU).

           
    Privileges Read/Write
    Type boolean
    Default Value true

    CheckTrustCertificates

    Returns true if trust certificates should be checked periodically for expiration.

    This attribute was added in the July 2021 Patch Set Update (PSU).

           
    Privileges Read/Write
    Type boolean

    ClearTextCredentialAccessEnabled

    Returns true if access to credentials in clear text is allowed. This can be overridden by the system property -Dweblogic.management.clearTextCredentialAccessEnabled.

           
    Privileges Read/Write
    Type boolean

    CompatibilityConnectionFiltersEnabled

    Specifies whether this WebLogic Server domain enables compatibility with previous connection filters.

    This attribute changes the protocol names used when filtering needs to be performed.

           
    Available Since Release 9.0.0.0
    Privileges Read/Write
    Type boolean

    ConnectionFilter

    The name of the Java class that implements a connection filter (that is, the weblogic.security.net.ConnectionFilter interface). If no class name is specified, no connection filter will be used.

    This attribute replaces the deprecated ConnectionFilter attribute on the SecurityMBean.

           
    Available Since Release 9.0.0.0
    Privileges Read/Write
    Type java.lang.String

    ConnectionFilterRules

    The rules used by any connection filter that implements the ConnectionFilterRulesListener interface. When using the default implementation and when no rules are specified, all connections are accepted. The default implementation rules are in the format: target localAddress localPort action protocols.

    This attribute replaces the deprecated ConnectionFilterRules attribute on the SecurityMBean.

           
    Available Since Release 9.0.0.0
    Privileges Read/Write
    Type class java.lang.String[]
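
The rule format described for ConnectionFilterRules can be checked before it is written to the attribute. The following is an added example, not Oracle code: it parses rules in the `target localAddress localPort action protocols` format, evaluates a connection against them, and flags rule sets that leave unmatched callers accepted. It assumes the default implementation evaluates rules in order with the first match winning and accepts a connection that matches no rule; only IP address, CIDR and netmask targets are handled, and the sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    target: object        # ipaddress network describing the remote callers
    local_address: str    # "*" or one literal local address
    local_port: str       # "*" or one literal port number
    action: str           # "allow" or "deny"
    protocols: tuple      # empty tuple: the rule applies to every protocol

    def is_catch_all(self):
        return (self.target.prefixlen == 0 and self.local_address == "*"
                and self.local_port == "*" and not self.protocols)


def parse_rules(lines):
    """Parse rule strings: target localAddress localPort action protocols."""
    rules = []
    for raw in lines:
        fields = raw.split()
        if not fields:
            continue
        if len(fields) < 4:
            raise ValueError("expected at least 4 fields: %r" % raw)
        target, local_address, local_port, action = fields[:4]
        if action.lower() not in ("allow", "deny"):
            raise ValueError("action must be allow or deny: %r" % raw)
        if local_port != "*" and not local_port.isdigit():
            raise ValueError("bad local port: %r" % raw)
        # strict=False accepts 10.20.0.0/16 and 10.20.0.0/255.255.0.0 alike;
        # host-name targets raise ValueError here (not handled in this example).
        network = ipaddress.ip_network(target, strict=False)
        rules.append(Rule(network, local_address, local_port, action.lower(),
                          tuple(p.lower() for p in fields[4:])))
    return rules


def decide(rules, remote_ip, local_address, local_port, protocol):
    """Return the action of the first matching rule (assumed first-match-wins)."""
    remote = ipaddress.ip_address(remote_ip)
    for rule in rules:
        if remote not in rule.target:
            continue
        if rule.local_address not in ("*", local_address):
            continue
        if rule.local_port not in ("*", str(local_port)):
            continue
        if rule.protocols and protocol.lower() not in rule.protocols:
            continue
        return rule.action
    return "allow"   # assumed: a connection that matches no rule is accepted


def lint(rules):
    """Report rule-set weaknesses a reviewer would want to see before deployment."""
    if not rules:
        return ["no rules: all connections are accepted"]
    findings = []
    if not (rules[-1].is_catch_all() and rules[-1].action == "deny"):
        findings.append("no trailing catch-all deny: unmatched callers are accepted")
    for number, rule in enumerate(rules[:-1], start=1):
        if rule.is_catch_all():
            findings.append("rule %d matches everything: later rules never run" % number)
    return findings


# Constructed sample rule sets (addresses are illustrative).
WEAK = ["10.20.0.0/16 * 7001 allow t3 t3s",
        "10.20.0.0/255.255.0.0 * * allow https"]
HARDENED = WEAK + ["0.0.0.0/0 * * deny"]

if __name__ == "__main__":
    for name, rule_set in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        rules = parse_rules(rule_set)
        print(name, lint(rules),
              decide(rules, "203.0.113.9", "10.20.1.5", 7001, "t3"))
```

Enabling ConnectionLoggerEnabled while testing a new rule set gives the accepted connections to compare against what `decide` predicts.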

    ConnectionLoggerEnabled

    Specifies whether this WebLogic Server domain should log accepted connections.

    This attribute can be used by a system administrator to dynamically check the incoming connections in the log file to determine if filtering needs to be performed.

    This attribute replaces the deprecated ConnectionLoggerEnabled attribute on the SecurityMBean.

           
    Available Since Release 9.0.0.0
    Privileges Read/Write
    Type boolean

    ConsoleFullDelegationEnabled

    Indicates whether the console is enabled for fully delegated authorization.

           
    Available Since Release 9.2.0.0
    Privileges Read/Write
    Type boolean

    Credential

    The password for the domain. In WebLogic Server version 6.0, this attribute was the password of the system user. In WebLogic Server version 7.0, this attribute can be any string. For the two domains to interoperate, the string must be the same for both domains.

    When you set the value of this attribute, WebLogic Server does the following:

    1. Encrypts the value.

    2. Sets the value of the UserPasswordEncrypted attribute to the encrypted value.

    For more information, see:

           
    Privileges Read/Write
    Type java.lang.String
    Encrypted true

    CredentialEncrypted

    The encrypted password for the domain. In WebLogic Server version 6.0, this attribute was the password of the system user. In WebLogic Server version 7.0, this attribute can be any string. For the two domains to interoperate, the string must be the same for both domains.

    To set this attribute, pass an unencrypted string to the MBean server's setAttribute method. WebLogic Server encrypts the value and sets the attribute to the encrypted value.

           
    Privileges Read/Write
    Type byte[]
    Encrypted true

    CrossDomainSecurityEnabled

    Indicates whether or not cross-domain security is enabled.

           
    Privileges Read/Write
    Type boolean

    DowngradeUntrustedPrincipals

    Whether or not to downgrade to anonymous principals that cannot be verified. This is useful for server-server communication between untrusted domains.

           
    Available Since Release 9.0.0.0
    Privileges Read/Write
    Type boolean

    DynamicallyCreated

    Returns whether the MBean was created dynamically or is persisted to config.xml.

    This attribute is not dynamic and requires a server restart to take effect.

           
    Privileges Read only
    Type boolean
    Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

    EnforceStrictURLPattern

    Whether or not the system should enforce strict URL patterns.

           
    Available Since Release 9.0.0.0
    Privileges Read/Write
    Type boolean
    Default Value true

    EnforceValidBasicAuthCredentials

    Whether or not the system should allow requests with invalid Basic Authentication credentials to access unsecure resources.

           
    Available Since Release 9.2
    Privileges Read/Write
    Type boolean
    Default Value true

    ExcludedDomainNames

    Specifies a list of remote domains for which cross-domain check should not be applied.

           
    Available Since Release 10.0
    Privileges Read/Write
    Type class java.lang.String[]

    Id

    Return the unique id of this MBean instance

    This attribute is not dynamic and requires a server restart to take effect.

           
    Privileges Read only
    Type long
    Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

    IdentityDomainAwareProvidersRequired

    Returns true if all role mapping, authorization, credential mapping, and audit providers configured in the domain must support the IdentityDomainAwareProviderMBean interface's administrative identity domain.

           
    Available Since Release 12.2.1.0.0
    Privileges Read/Write
    Type boolean

    MBeanInfo

    Returns the MBean info for this MBean.

    This attribute is not dynamic and requires a server restart to take effect.

    Deprecated.

           
    Privileges Read only
    Type javax.management.MBeanInfo
    Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

    Name

    The user-specified name of this MBean instance.

    This name is included as one of the key properties in the MBean's javax.management.ObjectName:

    Name=user-specified-name

           
    Privileges Read/Write
    Type java.lang.String

    NodeManagerPassword

    The password that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.

    When you get the value of this attribute, WebLogic Server does the following:

    1. Retrieves the value of the NodeManagerPasswordEncrypted attribute.

    2. Decrypts the value and returns the unencrypted password as a String.

    When you set the value of this attribute, WebLogic Server does the following:

    1. Encrypts the value.

    2. Sets the value of the NodeManagerPasswordEncrypted attribute to the encrypted value.

    Using this attribute (NodeManagerPassword) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

    Instead of using this attribute, you should use NodeManagerPasswordEncrypted.

    For more information, see:

           
    Available Since Release 9.0.0.0
    Privileges Read/Write
    Type java.lang.String
    Encrypted true

    NodeManagerPasswordEncrypted

    The password that the Administration Server passes to a Node Manager when it instructs the Node Manager to start, stop, or restart Managed Servers.

    To set this attribute, use weblogic.management.EncryptionHelper.encrypt() to encrypt the value. Then set this attribute to the output of the encrypt() method.

    To compare a password that a user enters with the encrypted value of this attribute, go to the same WebLogic Server instance that you used to set and encrypt this attribute and use weblogic.management.EncryptionHelper.encrypt() to encrypt the user-supplied password. Then compare the encrypted values.

           
    Available Since Release 9.0.0.0
    Privileges Read/Write
    Type byte[]
    Default Value
    Encrypted true

    NodeManagerUsername

    The user name that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.

           
    Available Since Release 9.0.0.0
    Privileges Read/Write
    Type java.lang.String
    Default Value

    NonceTimeoutSeconds

    Returns the value of the nonce timeout in seconds.

           
    Available Since Release 12.2.1.0.0
    Privileges Read/Write
    Type int
    Default Value 120
    Minimum value 15

    Notes

    Optional information that you can include to describe this configuration.

    WebLogic Server saves this note in the domain's configuration file (config.xml) as XML PCDATA. All left angle brackets (<) are converted to the XML entity &lt;. Carriage returns/line feeds are preserved.

    Note: If you create or edit a note from the Administration Console, the Administration Console does not preserve carriage returns/line feeds.

    This attribute is not dynamic and requires a server restart to take effect.

               
    Privileges Read/Write
    Security roles Write access is granted only to the following roles:
    • Deployer
    • Operator
    Type java.lang.String

    ObjectName

    Returns the ObjectName under which this MBean is registered in the MBean server.

    This attribute is not dynamic and requires a server restart to take effect.

    Deprecated.

           
    Privileges Read only
    Type weblogic.management.WebLogicObjectName
    Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

    Parent

    Return the immediate parent for this MBean

    This attribute is not dynamic and requires a server restart to take effect.

           
    Privileges Read/Write
    Type

    PrincipalEqualsCaseInsensitive

    Specifies whether the WebLogic Server principal name is compared using a case insensitive match when the equals method for the principal object is performed.

    If this attribute is enabled, matches are case insensitive.

    Note: Principal comparison is not used by the WebLogic Security Service to determine access to protected resources. This attribute is intended for use with JAAS authorization, which may require case insensitive principal matching behavior.

           
    Privileges Read/Write
    Type boolean

    PrincipalEqualsCompareDnAndGuid

    Specifies whether the GUID and DN data in a WebLogic Server principal object are used when the equals method of that object is invoked.

    If enabled, the GUID and DN data (if included among the attributes in a WebLogic Server principal object) and the principal name are compared when this method is invoked.

           
    Privileges Read/Write
    Type boolean

    Registered

    Returns false if the MBean represented by this object has been unregistered.

    This attribute is not dynamic and requires a server restart to take effect.

    Deprecated.

           
    Privileges Read only
    Type boolean
    Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

    RemoteAnonymousJNDIEnabled

    Returns true if remote anonymous JNDI access is permitted for list and modify operations.

           
    Available Since Release 12.2.1.3.0
    Privileges Read/Write
    Type boolean
    Default Value true

    Tags

    Return all tags on this Configuration MBean

    This attribute is dynamic and takes effect immediately.

           
    Available Since Release 12.2.1.0.0
    Privileges Read/Write
    Type class java.lang.String[]

    Type

    Returns the type of the MBean.

    This attribute is not dynamic and requires a server restart to take effect.

           
    Privileges Read only
    Type java.lang.String
    Redeploy or Restart required Changes take effect after you redeploy the module or restart the server.

    UseKSSForDemo

    Determines whether the Demo Identity and Demo Trust key stores should be obtained from the Oracle Key Store Service (KSS).

    If enabled, WebLogic Server will request the Demo Identity and Domain Trust key stores from KSS. Subsequent to installation, however, the KSS Demo key stores may have been manipulated such that appropriate Demo certificates or keys are not available.

    Please verify the following KSS Demo Identity keystore has an X.509 private key and corresponding public identity certificate signed by the Demo Certificate Authority (CA):

    KSS Stripe: system
    KSS Key Store: demoidentity
    KSS Private Key Alias: DemoIdentity

    Please verify the following KSS Domain Trust keystore has a trusted Demo Certificate Authority X.509 certificate:

    KSS Stripe: system
    KSS Key Store: trust

    For more information, see:

           
    Privileges Read/Write
    Type boolean

    WebAppFilesCaseInsensitive

    This property defines the case sensitive URL-pattern matching behavior for security constraints, servlets, filters, virtual-hosts, and so on, in the Web application container and external security policies.

    Note: This is a Windows-only flag that is provided for backward compatibility when upgrading from pre-9.0 versions of WebLogic Server. On Unix platforms, setting this value to true causes undesired behavior and is not supported.

    When the value is set to os, the pattern matching will be case-sensitive on all platforms except the Windows file system. Note that on non-Windows file systems, WebLogic Server does not enforce case sensitivity and relies on the file system for optimization. As a result, if you have a Windows Samba mount from Unix or Mac OS that has been installed in case-insensitive mode, there is a chance of a security risk. If so, specify case-insensitive lookups by setting this attribute to true.

    Note also that this property is used to preserve backward compatibility on Windows file systems only. In prior releases, WebLogic Server was case-insensitive on Windows. As of WebLogic Server 9.0, URL-pattern matching is strictly enforced. During the upgrade of older domains, the value of this parameter is explicitly set to os by the upgrade plug-in to preserve backward compatibility.

           
    Privileges Read/Write
    Type java.lang.String
    Default Value false
    Legal Values
    • os
    • true
    • false
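
The interaction between this attribute and a case-insensitive file system can be modelled to audit a deployment. The following is an added example, not WebLogic code: it resolves the three legal values to a matching mode and lists request paths that reach a file without matching any security-constraint pattern even though the file's canonical spelling is constrained. The pattern matcher, the function names and the sample constraints, files and requests are constructed for illustration.

```python
LEGAL_VALUES = ("os", "true", "false")


def matches_ignoring_case(setting, platform):
    """Resolve the attribute value to the URL-pattern matching mode in effect."""
    if setting not in LEGAL_VALUES:
        raise ValueError("WebAppFilesCaseInsensitive must be one of %s" % (LEGAL_VALUES,))
    if setting == "os":
        return platform == "windows"   # case-sensitive everywhere except Windows
    return setting == "true"


def pattern_matches(pattern, path, ignore_case):
    """Servlet-style URL patterns: exact path, '/prefix/*' and '*.ext'."""
    if ignore_case:
        pattern, path = pattern.lower(), path.lower()
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def resolves_to_file(path, files, fs_ignores_case):
    """Model the file system lookup the container relies on."""
    if fs_ignores_case:
        return path.lower() in {name.lower() for name in files}
    return path in files


def coverage_gaps(requests, constraints, files, setting, platform, fs_ignores_case):
    """Return request paths that reach a file without matching any constraint,
    although the canonical spelling of that file is constrained."""
    ignore_case = matches_ignoring_case(setting, platform)
    gaps = []
    for path in requests:
        if not resolves_to_file(path, files, fs_ignores_case):
            continue
        constrained_now = any(pattern_matches(p, path, ignore_case) for p in constraints)
        constrained_canonical = any(pattern_matches(p, path, True) for p in constraints)
        if constrained_canonical and not constrained_now:
            gaps.append(path)
    return gaps


# Constructed sample deployment: two constraint patterns, three files.
CONSTRAINTS = ["/admin/*", "*.cfg"]
FILES = {"/admin/report.jsp", "/index.jsp", "/app.cfg"}
REQUESTS = ["/admin/report.jsp", "/ADMIN/report.jsp", "/index.jsp", "/app.CFG"]

if __name__ == "__main__":
    # Unix host whose web application directory is a case-insensitive Samba mount.
    for setting in LEGAL_VALUES:
        print(setting, coverage_gaps(REQUESTS, CONSTRAINTS, FILES,
                                     setting, "unix", fs_ignores_case=True))
```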


    Operations

    This section describes the following operations:


    addTag

    Add a tag to this Configuration MBean. Adds a tag to the current set of tags on the Configuration MBean. Tags may contain white spaces.

       
    Operation Name "addTag"
    Parameters Object [] {  tag }

    where:

    • tag is an object of type java.lang.String that specifies:

      tag to be added to the MBean

    Signature String [] { "java.lang.String" }
    Returns boolean
    Exceptions
    • java.lang.IllegalArgumentException
      IllegalArgumentException if the tag contains illegal punctuation

    findDefaultRealm

    Finds the default security realm. Returns null if a default security realm is not defined.

    Deprecated. 9.0.0.0 Replaced by DefaultRealm

       
    Operation Name "findDefaultRealm"
    Parameters null
    Signature null
    Returns RealmMBean

    findRealm

    Finds a realm by name (that is, by the display name of the realm). Returns null if no realm with that name has been defined. Throws a configuration error if there are multiple matches.

    Deprecated. 9.0.0.0 Replaced by lookupRealm

       
    Operation Name "findRealm"
    Parameters Object [] {  realmDisplayName }

    where:

    • realmDisplayName is an object of type java.lang.String that specifies:

      A String containing the realm's display name.

    Signature String [] { "java.lang.String" }
    Returns RealmMBean

    findRealms

    Returns all the realms in the domain.

    Deprecated. 9.0.0.0 Replaced by Realms

       
    Operation Name "findRealms"
    Parameters null
    Signature null
    Returns class

    freezeCurrentValue

    If the specified attribute has not been set explicitly, and if the attribute has a default value, this operation forces the MBean to persist the default value.

    Unless you use this operation, the default value is not saved and is subject to change if you update to a newer release of WebLogic Server. Invoking this operation isolates this MBean from the effects of such changes.

    Note: To ensure that you are freezing the default value, invoke the restoreDefaultValue operation before you invoke this.

    This operation has no effect if you invoke it on an attribute that does not provide a default value or on an attribute for which some other value has been set.

    Deprecated. 9.0.0.0

       
    Operation Name "freezeCurrentValue"
    Parameters Object [] {  attributeName }

    where:

    • attributeName is an object of type java.lang.String that specifies:

      attributeName

    Signature String [] { "java.lang.String" }
    Returns void
    Exceptions
    • javax.management.AttributeNotFoundException
    • javax.management.MBeanException

    generateCredential

    Generates a new encrypted byte array which can be used when calling setCredentialEncrypted.

       
    Operation Name "generateCredential"
    Parameters null
    Signature null
    Returns class

    getInheritedProperties

    Returns the names of all properties whose value is inherited from the template MBean. This is a convenience method to get inheritance information on multiple properties in one JMX call.

       
    Operation Name "getInheritedProperties"
    Parameters Object [] {  propertyNames }

    where:

    • propertyNames is an object of type [Ljava.lang.String; that specifies:

      properties to check

    Signature String [] { "[Ljava.lang.String;" }
    Returns class

    isInherited

    Check if the value of a property is inherited from template mbean or not.

       
    Operation Name "isInherited"
    Parameters Object [] {  propertyName }

    where:

    • propertyName is an object of type java.lang.String that specifies:

      the name of the property

    Signature String [] { "java.lang.String" }
    Returns boolean

    isSet

    Returns true if the specified attribute has been set explicitly in this MBean instance.

       
    Operation Name "isSet"
    Parameters Object [] {  propertyName }

    where:

    • propertyName is an object of type java.lang.String that specifies:

      property to check

    Signature String [] { "java.lang.String" }
    Returns boolean

    removeTag

    Remove a tag from this Configuration MBean

       
    Operation Name "removeTag"
    Parameters Object [] {  tag }

    where:

    • tag is an object of type java.lang.String that specifies:

      tag to be removed from the MBean

    Signature String [] { "java.lang.String" }
    Returns boolean
    Exceptions
    • java.lang.IllegalArgumentException
      IllegalArgumentException if the tag contains illegal punctuation

    restoreDefaultValue

    If the specified attribute has a default value, this operation removes any value that has been set explicitly and causes the attribute to use the default value.

    Default values are subject to change if you update to a newer release of WebLogic Server. To prevent the value from changing if you update to a newer release, invoke the freezeCurrentValue operation.

    This operation has no effect if you invoke it on an attribute that does not provide a default value or on an attribute that is already using the default.

    Deprecated. 9.0.0.0

       
    Operation Name "restoreDefaultValue"
    Parameters Object [] {  attributeName }

    where:

    • attributeName is an object of type java.lang.String that specifies:

      attributeName

    Signature String [] { "java.lang.String" }
    Returns void
    Exceptions
    • javax.management.AttributeNotFoundException

    unSet

    Restore the given property to its default value.

       
    Operation Name "unSet"
    Parameters Object [] {  propertyName }

    where:

    • propertyName is an object of type java.lang.String that specifies:

      property to restore

    Signature String [] { "java.lang.String" }
    Returns void