18 WebLogic Server Security

This chapter describes how to create and monitor security realms and how to monitor and configure WebLogic Server users and groups.

A security realm comprises mechanisms for protecting WebLogic Server resources. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies. A user must be defined in a security realm in order to access any WebLogic Server resources belonging to that realm. When a user attempts to access a particular WebLogic Server resource, WebLogic Server tries to authenticate and authorize the user by checking the security role assigned to the user in the relevant security realm and the security policy of the particular WebLogic Server resource.

Note:

To log in to a domain partition, you must have the administrator role. For complete information, see Configuring Security in Using WebLogic Server MT.

If you are logged into a domain partition, navigate from the Domain Partition menu.

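This chapter includes the following sections:

  • Create security realms

  • Monitor security realms

  • Monitor WebLogic Server users and groups

  • Configure WebLogic Server users

  • Configure WebLogic Server groups

  • Configure domain security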

Create security realms

To create a new security realm:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The Security Realms table displays information about the security realms that have been configured in the current domain.

  2. Click Create.
  3. On the Create a Security Realm page, enter a name for the new security realm in the Name field.
  4. Click Create.

The new security realm contains the following WebLogic Server security providers with the default configuration settings:

  • DefaultAuthenticator

  • DefaultIdentityAsserter

  • SystemPasswordValidator

  • XACMLAuthorizer

  • DefaultAdjudicator

  • XACMLRoleMapper

  • DefaultCredentialMapper

  • WebLogicCertPathProvider

After creating your security realm, you can change the security providers and provider settings from the WebLogic Server Administration Console.

See Configuration Options.

Monitor security realms

To monitor the security realms configured in a domain:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The Security Realms table displays information about the security realms that have been configured in the current domain, such as:

    • Name

    • Used By

    • Management Identity Domain

    • Deploy Credential Mapping Ignored

    • Deploy Policy Ignored

    • Deploy Role Ignored

    For more information about these fields, see Configuration Options.

    Optionally, select View to access the following table options:

    • Columns: add or remove the columns displayed in the table

    • Detach: detach the table (viewing option)

    • Sort: sort the columns in ascending or descending order

    • Reorder: change the order of the columns displayed

    • Query by Example

Monitor WebLogic Server users and groups

This section describes how to monitor the users and groups in your domain. This section includes the following tasks:

  • Monitor users

  • Monitor groups

Monitor users

To monitor users:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The security realms table displays information about the security realms that have been configured in the current domain.

  2. In the table, select a realm you want to monitor.
  3. Select the Users and Groups page and then select Users.

    The Users table displays information about the users that have been configured in the current domain, such as:

    • Name

    • Description

    • Groups

    • Provider

    For more information about these fields, see Configuration Options.

    Optionally, select View to access the following table options:

    • Columns: add or remove the columns displayed in the table

    • Detach: detach the table (viewing option)

    • Sort: sort the columns in ascending or descending order

    • Reorder: change the order of the columns displayed

    • Query by Example

Monitor groups

To monitor groups:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The security realms table displays information about the security realms that have been configured in the current domain.

  2. In the table, select a realm you want to monitor.
  3. Select the Users and Groups page and then select Groups.

    The Groups table displays information about the groups that have been configured in the current domain, such as:

    • Name

    • Description

    • Provider

    For more information about these fields, see Configuration Options.

    Optionally, select View to access the following table options:

    • Columns: add or remove the columns displayed in the table

    • Detach: detach the table (viewing option)

    • Sort: sort the columns in ascending or descending order

    • Reorder: change the order of the columns displayed

    • Query by Example

Configure WebLogic Server users

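This section describes how to create and configure users in your WebLogic Server domain. This section includes the following tasks:

  • Create a new user

  • Configure user general settings

  • Configure user password settings

  • Configure user attribute settings

  • Configure user group settings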

Create a new user

To create a new user:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The security realms table displays information about the security realms that have been configured in the current domain.

  2. In the table, select a realm you want to monitor.
  3. Select the Users and Groups page and then select Users.

    The Users table displays information about the users that have been configured in the current domain, such as:

    • Name

    • Description

    • Groups

    • Provider

    For more information about these fields, see Configuration Options.

  4. Click Create.
  5. From the Create a User page, you can define the properties for your new user, including:

    • Name (must be unique)

    • Description

    • Provider

    • Password

    For more information about these fields, see Configuration Options.

  6. Click Create.

Configure user general settings

To configure general settings for a user:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The security realms table displays information about the security realms that have been configured in the current domain.

  2. In the table, select a realm you want to monitor.
  3. Select the Users and Groups page and then select Users.

    The Users table displays information about the users that have been configured in the current domain.

  4. In the Users table, select the name of the user you want to configure.
  5. Select General Settings.
  6. From the General Settings page, you can change the description for the selected user. Enter a description in the Description field.
  7. Click Save.

Configure user password settings

To configure password settings for a user:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The security realms table displays information about the security realms that have been configured in the current domain.

  2. In the table, select a realm you want to monitor.
  3. Select the Users and Groups page and then select Users.

    The Users table displays information about the users that have been configured in the current domain.

  4. In the Users table, select the name of the user you want to configure.
  5. Select Passwords.
  6. From the Passwords page, you can change the password for the selected user. Enter a password in the New Password and Confirm Password fields.
  7. Click Save.

Configure user attribute settings

To configure attribute settings for a user:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The security realms table displays information about the security realms that have been configured in the current domain.

  2. In the table, select a realm you want to monitor.
  3. Select the Users and Groups page and then select Users.

    The Users table displays information about the users that have been configured in the current domain.

  4. In the Users table, select the name of the user you want to configure.
  5. Select Attributes.
  6. From the Attributes page, you can modify the values of the attributes for this selected user.
  7. Click Save.

Configure user group settings

To configure group settings for a user:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The security realms table displays information about the security realms that have been configured in the current domain.

  2. In the table, select a realm you want to monitor.
  3. Select the Users and Groups page and then select Users.

    The Users table displays information about the users that have been configured in the current domain.

  4. In the Users table, select the name of the user you want to configure.
  5. Select Groups.
  6. From the Groups page, you can configure group membership for the selected user.
  7. Click Save.

Configure WebLogic Server groups

This section describes how to create and configure groups in your WebLogic Server domain. This section includes the following tasks:

  • Create a new group

  • Configure group general settings

  • Configure group membership settings

Create a new group

To create a new group:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The security realms table displays information about the security realms that have been configured in the current domain.

  2. In the table, select a realm you want to monitor.
  3. Select the Users and Groups page and then select Groups.

    The Groups table displays information about the groups that have been configured in the current domain, such as:

    • Name

    • Description

    • Provider

    For more information about these fields, see Configuration Options.

  4. Click Create.
  5. From the Create a New Group page, you can define the properties for your new group, including:

    • Name (must be unique)

    • Description

    • Provider

    For more information about these fields, see Configuration Options.

  6. Click Create.

Configure group general settings

To configure general settings for a group:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The security realms table displays information about the security realms that have been configured in the current domain.

  2. In the table, select a realm you want to monitor.
  3. Select the Users and Groups page and then select Groups.

    The Groups table displays information about the groups that have been configured in the current domain.

  4. In the Groups table, select the name of the group you want to configure.
  5. Select General Settings.
  6. From the General Settings page, you can change the description for the selected group. Enter a description in the Description field.
  7. Click Save.

Configure group membership settings

To configure membership settings for a group:

  1. From the WebLogic Domain menu, select Security, then select Security Realms.

    The security realms table displays information about the security realms that have been configured in the current domain.

  2. In the table, select a realm you want to monitor.
  3. Select the Users and Groups page and then select Groups.

    The Groups table displays information about the groups that have been configured in the current domain.

  4. In the Groups table, select the name of the group you want to configure.
  5. Select Membership.
  6. From the Membership page, you can configure group membership for the selected group.
  7. Click Save.

Configure domain security

This section describes how to configure the security settings for a WebLogic Server domain. This section includes the following task:

  • Configure general settings

Configure general settings

To configure general settings:

  1. From the WebLogic Domain menu, select Security, then select Administration.

    The Security Administration page appears.

    1. Select the General Settings page.

      From the General Settings page, you can define the general, advanced, and secured production mode settings for this WebLogic Server domain, such as:

      • Default Realm

      • Administrative Identity Domain

      • Identity Domain Aware Providers Required

      • Anonymous Admin Lookup Enabled

      • Cross Domain Security Enabled

      • Excluded Domain Names

      For more information about the fields on this page, see Configuration Options.

    2. Expand Advanced to define the advanced settings for this WebLogic Server domain, such as:

      • Security Interoperability Mode

      • Node Manager Username

      • Web App Files Case Insensitive

      • Enforce Strict URL Pattern

      • Downgrade Untrusted Principals

      • Principal Equals Case Insensitive

      • Principal Equals Compare DN and GUID

      • Compatibility Connection Filters Enabled

      • Allow Security Management Operations if Non-dynamic Changes have been Made

      • Clear Text Credential Access Enabled

      • Use KSS For Demo

      For more information about the fields on this page, see Configuration Options.

    3. Expand Secured Production Mode Settings to define the secured production mode settings for this WebLogic Server domain.

      Enable secured production mode for your production domain to ensure a highly secure environment for your applications and resources.

      Note:

      Your domain must be in production mode to enable secured production mode.

      Also note that if you choose to run your domain in secured production mode, the administration port is enabled by default and administrative traffic is no longer allowed on non-administration ports. For this reason, when the domain is in secured production mode, Fusion Middleware Control (FMWC) is available only via HTTPS on the default port, 9002. If you disable the administration port, FMWC will log a warning.

      The Secured Production Mode Settings include:

      • Secured Production Mode

      • Restrictive JMX Policies

      • Warn on Insecure SSL

      • Warn on Insecure File System

      • Warn on Auditing

      • Warn on Insecure Applications

      • Warn on Java Security Manager

      For more information about the fields on this page, see Configuration Options.

  2. Click Save.
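
An offline check of the secured production mode rules described above, added here as an example and not part of the original documentation or of Oracle's tooling: it parses a domain `config.xml` and reports a secured domain that is not in production mode, an explicitly disabled administration port, and secured-mode settings that were switched off. The XML namespace and element names are assumptions (hyphenated forms of the setting names listed on this page), and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}  # assumed config.xml namespace

# Constructed sample, not taken from a real domain. Element names are assumed
# to follow the hyphenated form of the settings listed on this page.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>demo_domain</name>
  <security-configuration>
    <secure-mode>
      <secure-mode-enabled>true</secure-mode-enabled>
      <warn-on-insecure-ssl>false</warn-on-insecure-ssl>
    </secure-mode>
  </security-configuration>
  <production-mode-enabled>true</production-mode-enabled>
  <administration-port-enabled>false</administration-port-enabled>
</domain>"""

SECURE_FLAGS = ["restrictive-jmx-policies", "warn-on-insecure-ssl",
                "warn-on-insecure-file-system", "warn-on-auditing",
                "warn-on-insecure-applications", "warn-on-java-security-manager"]

def _flag(root, path):
    """Return True/False for an explicit boolean element, None if it is absent."""
    node = root.find(path, NS)
    if node is None or node.text is None:
        return None
    return node.text.strip().lower() == "true"

def audit_secured_mode(config_xml):
    """Return findings for the secured production mode rules stated on this page."""
    root = ET.fromstring(config_xml)
    if not _flag(root, "d:security-configuration/d:secure-mode/d:secure-mode-enabled"):
        return ["secured production mode is not enabled"]
    findings = []
    if not _flag(root, "d:production-mode-enabled"):
        findings.append("secured production mode set but domain is not in production mode")
    # An absent element means the default, which the page says is 'enabled' in this mode.
    if _flag(root, "d:administration-port-enabled") is False:
        findings.append("administration port explicitly disabled")
    for name in SECURE_FLAGS:
        if _flag(root, "d:security-configuration/d:secure-mode/d:" + name) is False:
            findings.append(name + " explicitly disabled")
    return findings

if __name__ == "__main__":
    for line in audit_secured_mode(SAMPLE_CONFIG):
        print("FINDING:", line)
```

An element that is absent is treated as left at its default, so only explicit overrides are reported.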