This chapter describes the contents and organization of this guide, Administering Security for Oracle WebLogic Server 12.1.3, as well as new and changed security features in this release. This guide explains how to configure WebLogic Server security, including settings for security realms, providers, identity and trust, SSL, and Compatibility security. See Related Information for a description of other WebLogic security documentation.
This chapter includes the following sections:
This document is intended for the following audiences:
Application Architects—Architects who, in addition to setting security goals and designing the overall security architecture for their organizations, evaluate WebLogic Server security features and determine how best to implement them. Application Architects have in-depth knowledge of Java programming, Java security, and network security, as well as knowledge of security systems and leading-edge security technologies and tools.
Security Developers—Developers who define the system architecture and infrastructure for security products that integrate with WebLogic Server and who develop custom security providers for use with WebLogic Server. They work with Application Architects to ensure that the security architecture is implemented according to design and that no security holes are introduced, and work with Server Administrators to ensure that security is properly configured. Security Developers have a solid understanding of security concepts, including authentication, authorization, and auditing (AAA); in-depth knowledge of Java (including Java Management Extensions (JMX)); and working knowledge of WebLogic Server and security provider functionality.
Application Developers—Java programmers who focus on developing client applications, adding security to Web applications and Enterprise JavaBeans (EJBs), and working with other engineering, quality assurance (QA), and database teams to implement security features. Application Developers have in-depth or working knowledge of Java (including Java EE components such as servlets/JSPs and JSSE) and Java security.
Server Administrators—Administrators work closely with Application Architects to design a security scheme for the server and the applications running on the server; to identify potential security risks; and to propose configurations that prevent security problems. Related responsibilities may include maintaining critical production systems; configuring and managing security realms, implementing authentication and authorization schemes for server and application resources; upgrading security features; and maintaining security provider databases. Server Administrators have in-depth knowledge of the Java security architecture, including Web services, Web application and EJB security, Public Key security, SSL, and Security Assertion Markup Language (SAML).
Application Administrators—Administrators who work with Server Administrators to implement and maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources in defined security realms. Application Administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs.
This document is organized as follows:
Describes the audience, organization, and related information for this guide.
Describes basic features of the WebLogic Server security system.
Describes the security standards supported by WebLogic Server, including FIPS versions and cipher suites.
Describes the default security configuration in WebLogic Server; lists the configuration steps for security, and describes Compatibility security.
Explains when to customize the default security configuration, the configuration requirements for a new security realm, and how to set a security realm as the default security realm.
Part II, "Configuring Security Providers" describes the available configuration options for the security providers supplied by WebLogic Server and how to configure a custom security provider.
Part III, "Configuring Authentication Providers" describes the Authentication and Identity Assertion providers supplied by WebLogic Server, including information about how to configure them.
Part IV, "Configuring Single Sign-On" describes how to configure the following:
Authentication between a WebLogic domain and .NET Web service clients or browser clients (for example, Internet Explorer) in a Microsoft domain, using Windows authentication based on the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO).
Authentication between a WebLogic domain and Web browsers or other HTTP clients, using authentication based on the Security Assertion Markup Language (SAML) 1.1 and 2.0.
Provides information about exporting and importing security data between security realms and security providers.
Describes the management tasks associated with the embedded LDAP server used by the WebLogic security providers.
Describes the steps required to configure the RDBMS security store, which enables you to store the security data managed by several security providers in an external RDBMS rather than in the embedded LDAP server. The RDBMS security store is required for SAML 2.0 services when they are configured on multiple servers in a domain, such as in a cluster.
Part VI, "Configuring SSL" explains:
The SSL configuration features in WebLogic Server, including details about the JSSE-based SSL implementation provided in WebLogic Server.
How to configure keystores in WebLogic Server, including separate keystores for identity and trust.
How to configure the Oracle Platform Security Services (OPSS) Keystore Service for use with WebLogic Server.
How to use host name verification, which ensures the host name in the URL to which the client connects matches the host name in the digital certificate that the server sends back as part of the SSL connection.
How to specify a client certificate when making an outbound two-way SSL connection.
How to configure certificate revocation (CR) status checking and other certificate validation features.
The cipher suites and cryptographic libraries supported in WebLogic Server.
How WebLogic Server supports the use of the RSA, JDK, and nCipher Java Cryptography Extension (JCE) providers.
How to configure FIPS 140-2 mode in WebLogic Server.
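Host name verification, listed above, comes down to one matching rule: the name the client put in the URL must appear in the server certificate's subjectAltName, and a wildcard in that certificate may only stand for a single leftmost label. The following Python block is an added illustration of that rule written for this page; it is not WebLogic Server code (WebLogic's verifier is implemented in Java and configured through the server), and the subjectAltName entries it checks against (`SAN_DNS`, `SAN_IP`) are constructed sample data, not taken from any real certificate.

```python
import ipaddress

# Constructed sample subjectAltName contents, as a server certificate might carry them.
SAN_DNS = ["app.example.com", "*.internal.example.com"]
SAN_IP = ["10.0.0.5"]


def _match_dns_pattern(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a requested host name.

    Rules in the spirit of RFC 6125: comparison is case-insensitive and
    ignores a trailing dot; '*' is allowed only as the whole leftmost label,
    matches exactly one label (never zero, never across a dot), and must be
    followed by at least two fixed labels, so '*.com' never matches anything.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard anywhere else, or too broad: reject
    if len(h_labels) != len(p_labels):
        return False  # '*' covers exactly one label
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def verify_host(requested: str, san_dns=SAN_DNS, san_ip=SAN_IP) -> bool:
    """Return True if the host the client connected to is named in the certificate.

    An IP literal in the URL must match an iPAddress SAN entry; it is never
    compared against dNSName entries. Anything else is matched as a DNS name.
    A client that skips this check accepts any certificate the CA would sign,
    which is what host name verification exists to prevent.
    """
    try:
        ip = ipaddress.ip_address(requested.strip("[]"))  # [..] form used in URLs
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(entry) == ip for entry in san_ip)
    return any(_match_dns_pattern(pattern, requested) for pattern in san_dns)


if __name__ == "__main__":
    for name in ["app.example.com", "db.internal.example.com",
                 "a.b.internal.example.com", "evil.example.com", "10.0.0.5"]:
        print(f"{name:28} -> {verify_host(name)}")
```

The two rejections worth noting are `a.b.internal.example.com` (the wildcard covers one label, not two) and `evil.example.com` (a certificate for `app.example.com` says nothing about other hosts in the domain). Whatever verifier WebLogic is configured with, the server certificate must carry the exact host name that clients will put in the URL, or client connections will fail the check.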
Part VII, "Advanced Security Topics" describes:
How to set security configuration options for a WebLogic domain, such as Cross-Domain Security.
How to configure the Java Authentication Service Provider Interface for Containers (JASPIC).
How to use Compatibility security, a security configuration mode designed for backwards compatibility with security realms developed under WebLogic Server 6.x.
The WebLogic Security MBeans and MBean attributes that are dynamic (can be changed without restarting the server) and non-dynamic (changes require a server restart).
The following Oracle Fusion Middleware documents contain information that is relevant to the WebLogic Security Service:
Understanding Security for Oracle WebLogic Server—Summarizes the features of the WebLogic Security Service, including an overview of its architecture and capabilities. It is the starting point for understanding WebLogic security.
Developing Security Providers for Oracle WebLogic Server—Provides security vendors and application developers with the information needed to develop custom security providers that can be used with WebLogic Server.
Securing a Production Environment for Oracle WebLogic Server—Highlights essential security measures for you to consider before you deploy WebLogic Server in a production environment.
Securing Resources Using Roles and Policies for Oracle WebLogic Server—Introduces the various types of WebLogic resources, and provides information about how to secure these resources using WebLogic Server. This document focuses primarily on securing URL (Web) and Enterprise JavaBean (EJB) resources.
Developing Applications with the WebLogic Security Service—Describes how to develop secure Web applications.
Securing WebLogic Web Services for Oracle WebLogic Server—Describes how to develop and configure secure Web services.
Oracle WebLogic Server Administration Console Online Help—Many security configuration tasks can be performed using the WebLogic Server Administration Console. The console's online help describes configuration procedures and provides a reference for configurable attributes.
Upgrading Oracle WebLogic Server—Provides procedures and other information you need to upgrade from earlier versions of WebLogic Server to this release. It also provides information about moving applications from an earlier version of WebLogic Server to this release. For specific information about compatibility issues related to security and upgrading, see Upgrading Oracle WebLogic Server.
Java API Reference for Oracle WebLogic Server—Provides reference documentation for the WebLogic security packages that are provided with and supported by this release of WebLogic Server.
In addition to the documents listed in Related Information, Oracle provides a variety of code samples for developers, some packaged with WebLogic Server and others available at the Oracle Technology Network (OTN) at
WebLogic Server optionally installs API code examples in
EXAMPLES_HOME represents the directory in which the WebLogic Server code examples are configured. For more information about the WebLogic Server code examples, see "Sample Applications and Code Examples" in Understanding Oracle WebLogic Server.
The following examples are included to illustrate WebLogic security features:
Java Authentication and Authorization Service
Outbound and Two-way SSL
Additional WebLogic Server security examples are available for download at the Oracle Technology Network (OTN) at http://www.oracle.com/technetwork/indexes/samplecode/weblogic-sample-522121.html. These examples are distributed as .zip files that you can unzip into an existing WebLogic Server samples directory structure.
You build and run the downloadable examples in the same manner as you would an installed WebLogic Server example. See the download pages of individual examples for more information.
WebLogic Server 12c (12.1.3) includes the following new and changed security features, which are described in this guide:
The ability to configure custom identity keystores, and other SSL overrides, that are specific to network channels. For information, see Chapter 41, "Configuring an Identity Keystore Specific to a Network Channel".
The ability to authenticate users who are not defined in the identity store of the security realm, but who instead are created as virtual users whose subject principals are assigned from attributes in the X.509 client certificate presented during the SSL handshake. For information, see Authenticating a User Not Defined in the Identity Store.
This document has also been revised to include the following changes:
This document, Administering Security for Oracle WebLogic Server 12.1.3, has been reorganized. The largest chapters have been subdivided into smaller chapters to make it easier to locate key topics. The new organization is described in Guide to This Document.
Chapter 3, "WebLogic Server Security Standards" has been added to describe all the security standards supported by WebLogic Server 12.1.3, including supported FIPS versions and cipher suites.
Chapter 4, "Configuring Security for a WebLogic Domain" has been added to summarize the key steps to configure security for a WebLogic Server environment, with emphasis on tasks to perform before, during, and after creating a WebLogic domain.
Chapter 30, "Configuring Keystores" has been revised to streamline and simplify the steps for creating and configuring JKS keystores, particularly for use in production environments.
Chapter 37, "Enabling FIPS Mode" has been added to describe how to enable FIPS 140-2 mode in WebLogic Server.
Chapter 44, "Configuring Cross-Domain Security" has been revised to add more detail and clarity regarding the steps to configure Cross-Domain Security.
For a comprehensive listing of the new WebLogic Server features introduced in this release, see What's New in Oracle WebLogic Server.