WebLogic Server MT expands upon the traditional WebLogic Server security support in significant ways, with multiple security realms, identity domains, and administrative roles for configuration and management when logged in directly to a partition.
This chapter assumes that you have a working knowledge of the WebLogic Server security concepts and tasks described in Understanding Security for Oracle WebLogic Server.
This chapter includes the following sections:
Configuring the Administrative Identity Domain: Main Steps and WLST Example
Configuring Security Realms and Primary Identity Domains: Main Steps and Examples
Setting the Identity Domain-Aware Providers Required Control: Main Steps
Connecting Directly to Domain Partitions: Main Steps and WLST Example
Managing Security Data as a Partition Administrator: Main Steps and Examples
Configuring Security in Domain Partitions: Related Tasks and Links
WebLogic Server MT provides a unique security realm and identity domain for each domain partition, and administrative roles for configuring and managing users and groups, credential maps, roles, and policies in the partitions.
Multiple realms. WebLogic Server MT supports multiple active realms and allows each partition to execute against a different realm.
As before, there is only one active default realm used at the global (domain) level.
Identity domains. An identity domain is a logical namespace for users and groups, typically representing a discrete set of users and groups in the physical data store. Identity domains are used to identify the users associated with particular partitions.
Administrative roles for configuration and management when logged in directly to a partition. You can use Fusion Middleware Control and WebLogic Scripting Tool (WLST) to connect directly to a domain partition instead of logging in to the domain level.
These changes are described in the sections that follow.
As described in Security Realms in Understanding Security for Oracle WebLogic Server, a security realm comprises mechanisms for protecting WebLogic Server resources. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies. You use realms to configure authentication, authorization, role mapping, credential mapping, auditing, and other services.
WebLogic Server traditionally supports multiple realms in a domain configuration, but only one realm—typically referred to as the default realm or admin realm—can be active at any given time.
In contrast, WebLogic Server MT supports multiple active realms and allows each partition to execute against a different realm.
This means that a partition can have unique security providers, users, groups, security roles, and security policies. Resources and applications in the domain partition are available only to users within the domain partition's security realm. Other tenants cannot see or access the resources or applications.
Note:
Partitions can share a security realm, with consequent loss of independence and isolation. In particular, if you do not specify a realm when you create a partition, then the default realm is shared with the partition and there is no security isolation between the partition and the domain.
You cannot use the RDBMS Authentication providers in a multitenant environment. These providers require a data source that is defined at the domain level and do not support partition-level data sources.
Note:
Identity domains are an optional feature you should use only if your user store supports them. The structure, configuration, and management of the identity domain itself are outside the control of, and are invisible to, WebLogic Server.
The purpose of an identity store is for a partition's users to able to access the partition, while other partitions' users cannot.
Identity domains distinguish users associated with different partitions. You can configure a partition with an identity domain that identifies the set of users associated with the partition. Access policies allow those users—but not users from other identity domains—to access the partition.
Identity domain names should be meaningful in your environment.
There is a generally a one-to-one mapping between partitions and identity domains. However, it is possible for multiple partitions to use the same identity domain. The result is to remove any distinction between users of those partitions, which may not be appropriate in your environment.
There are two types of identity domains:
Administrative identity domain: The identity domain for the default security realm in the domain. The purpose of the administrative identity domain is to distinguish between global domain users and partition users. WebLogic Server system administrators belong to this administrative identity domain.
The administrative identity domain is shown on the Oracle WebLogic Server Administration Console Domain > Security page.
Primary identity domain: The primary identity domain configured for a partition. The primary identity domain is used as the default identity domain when authenticating partition users and for determining ownership of partition resources.
This primary identity domain is shown in the WebLogic Server Administration Console, on the Authentication providers provider-specific pages.
The user store's representation of an identity domain can be anything supported by the underlying technology. For example:
You can create a separate Lightweight Directory Access Protocol (LDAP) instance for each identity domain.
An identity domain field can be added to user records in a database.
Identity domains are represented as distinct sub-trees in the Users and Groups hierarchies of a single Oracle Internet Directory (OID) instance.
To enable partition administrators access to realm security data in a partition, the system administrator must configure a management identity domain on the realm. The management identity domain can be the primary identity domain, the administrative identity domain, or another identity domain supported by an authenticator in the realm. A partition administrator with the identity domain that matches this management identity domain can access a subset of the security MBeans and can invoke management operations on the MBeans. Note that although the administrative identity domain can be the management identity domain, it is not necessary because the system administrator already has permission to manage the security realm.
WebLogic Server MT creates a default administrative identity domain and a default primary identity domain as follows:
Administrative identity domain: WebLogic Server MT creates a default identity domain named idd_DOMAIN
in the default security realm. The administrative identity domain is created when you create the first partition in a domain in production mode.
If you create the first partition in a domain in development mode, then the default value is null
. (This is the only case in which null is considered a valid identity domain.)
Primary identity domain: WebLogic Server MT creates the default identity domain for a partition with the name of the partition prefixed with idd
when you create the partition.
This primary identity domain is shown on the provider-specific WebLogic Server Administration Console page for the WebLogic Default Authenticator provider.
The default primary identity domain is a convenience feature for the Default Authenticator with the embedded LDAP. It is intended for testing and internal development use, not for a production environment. The embedded LDAP does not actually use identity domains.
You can use Fusion Middleware Control and WLST to connect directly to a domain partition instead of logging in at the domain level, as described in Connecting Directly to Domain Partitions: Main Steps and WLST Example.
The configuration and management capabilities of the WebLogic Server administrative roles in a partitioned environment are shown in Table 5-1.
Table 5-1 Administrative Roles for Configuration and Management
Role | Logged In to Domain | Logged In to Partition |
---|---|---|
Administrator |
Full control over domain resources, including partition configuration and management. Configure the management identity domain attribute on the Realm MBean. |
Write access to partition-owned MBeans. Read-only access to own Read-only access to own RealmMBean and its children. The partition administrator in the management identity domain:
|
Deployer |
Configure resources within the domain and partitions, deploy/redeploy/undeploy/start/stop applications within the domain and partitions. |
Configure resources within the partition, deploy/redeploy/undeploy/start/stop applications within the partition. |
Operator |
Start/stop servers, partitions, resource groups. |
Start/stop partition and resource group. |
Monitor |
Read-only access to domain and partition resources. |
Read-only access to partition resources. |
If you are using the default security realm, and only the Default Authenticator is used to store WebLogic Server system administrator credentials, then you can accept the default idd_DOMAIN
value. However, if your chosen user store for the default realm supports identity domains, and you have configured an identity domain for WebLogic Server administrators, then you need to configure at least one authentication provider in the default realm to match your administrative identity domain value.
The administrative identity domain is shown on the WebLogic Server Administration Console Domain > Security page.
From the WebLogic Server Administration Console:
Select the Authentication provider in the default realm and specify an existing administrative identity domain.
In the navigation pane, select Security Realms.
Select the default security realm.
Select the Providers page.
Select the Authentication provider.
Select the Provider Specific page.
Enter the name of a valid administrative identity domain in the Identity Domain field.
Save your changes.
Go to the Domain > Security page and change the Administrative Identity Domain: value to the name of the administrative identity domain.
Save your changes.
Restart the Administration Server.
The example does the following:
edit() startEdit() wls:/base_domain/edit/ !> domain=getMBean('/') wls:/base_domain/edit/ !> ADMIN_IDD = "Admin-idd" wls:/base_domain/edit/ !> secure=domain.getSecurityConfiguration() wls:/base_domain/edit/ !> secure.setAdministrativeIdentityDomain(ADMIN_IDD) wls:/base_domain/edit/ !> realm = secure.getDefaultRealm() wls:/base_domain/edit/ !> defAtn = realm.lookupAuthenticationProvider('DefaultAuthenticator') wls:/base_domain/edit/ !> defAtn.setIdentityDomain(ADMIN_IDD)
You are not required to create a security realm. Partitions can share a security realm, or use the default realm. However, the best practice is to create a security realm for each partition. This is particularly true if you want to use identity domains to achieve isolation between partitions.
If your user store does support identity domains, then configure the primary identity domain and the management identity domain as described in this section.
Perform the following steps to configure security realms and identity domains in a domain partition. Note that some of the steps require the WebLogic Server Administration Console.
Create a security realm. The name must be unique within the domain.
If you are using Fusion Middleware Control, then go to WebLogic Domain > Security > Security Realms. The default providers are created on your behalf in the new realm.
If you are using the WebLogic Server Administration Console, then in the navigation pane, select Security Realms. You will probably find it most convenient to select the option to create the default providers in the new realm.
Add partition-specific users to the security realm.
If you are using Fusion Middleware Control, go to WebLogic Domain > Security > Users and Groups. Select the security realm that you just created and on the Users and Groups pages, click Create to add users and groups to the realm.
If you are using the WebLogic Server Administration Console, then in the navigation pane, select Security Realms. Select the security realm that you just created, and then the Users and Groups page. On the Users and Groups pages, click New to add users and groups to the realm.
Configure your providers in the security realm, as described in Manage Security Providers in the Oracle WebLogic Server Administration Console Online Help.
Perform this step from the WebLogic Server Administration Console.
Optionally, select the Authentication provider that you just created and specify an existing identity domain. Identity domains are an optional feature that you can use only if your user store supports them.
Perform this step from the WebLogic Server Administration Console.
Select the Provider Specific page.
In the Identity Domain field, enter the name of a valid identity domain.
Save your changes.
When you later create a partition as described in Configuring Domain Partitions, or if you created a partition when you created the domain using the Domain Configuration Wizard.
Specify the security realm that you created.
If you use the WebLogic Server Administration Console to configure a partition that you created using the Domain Configuration Wizard, select the security realm in the User Realm field on the Partition > Configuration > General page.
Specify the identity domain that you set for the Authentication provider.
If you use Fusion Middleware Control to create the domain partition, then specify the primary identity domain on the Create Domain Partition: General page. If you do not specify a value, then WebLogic Server MT creates the default identity domain for a partition with the name of the partition prefixed with idd
when you create the partition.
If you use the WebLogic Server Administration Console to create the domain partition, then WebLogic Server MT creates the default identity domain with the name of the partition prefixed with idd
. After you create the partition, and before you activate your changes, go to the Partition >Configuration > General page and change the default name in the Primary Identity Domain field to your actual identity domain name.
Set the management identity domain attribute in the realm to the same value that you used for the primary identity domain for the partition.
Perform this step from the WebLogic Server Administration Console.
Select Security Realms in the navigation pane. Select the security realm for the partition, then select Configuration > General and click Advanced. In the Management Identity Domain field, enter the name of the primary identity domain configured for the partition, and click Save.
The example does the following:
Gets the domain MBean.
Gets the security configuration for the domain.
Sets the administrative identity domain for the security configuration.
Gets the default realm for the security configuration.
Looks up the default Authentication provider for the realm.
Sets the identity domain for the default Authentication provider.
Creates a new realm for the partition.
Creates the required security providers for the new realm.
Creates a domain partition.
Creates a virtual target.
Sets the host name and URI prefix for the virtual target.
Adds the virtual target as an available target in the partition.
Sets the security realm for the partition.
Sets the primary identity domain for the partition.
Sets the management identity domain for the partition.
Creates the resource group.
Adds the virtual target to the resource group.
Activates the changes.
Starts the partition.
Note:
You must restart the Administration Server before you can start the partition. Setting the administrative identity domain value is a nondynamic change and requires a server restart.
edit() startEdit() wls:/base_domain/edit/ !> domain=getMBean('/') wls:/base_domain/edit/ !> ADMIN_IDD = "Admin-idd" wls:/base_domain/edit/ !> secure=domain.getSecurityConfiguration() wls:/base_domain/edit/ !> secure.setAdministrativeIdentityDomain(ADMIN_IDD) wls:/base_domain/edit/ !> realm = secure.getDefaultRealm() wls:/base_domain/edit/ !> defAtn = realm.lookupAuthenticationProvider('DefaultAuthenticator') wls:/base_domain/edit/ !> defAtn.setIdentityDomain(ADMIN_IDD) wls:/base_domain/edit/ !> partrealm=secure.createRealm('partrealm') wls:/base_domain/edit/ !> partrealm.createAuthenticationProvider("DefaultAuthenticator","weblogic.security.providers.authentication.DefaultAuthenticator") wls:/base_domain/edit/ !> defAtnP = partrealm.lookupAuthenticationProvider('DefaultAuthenticator') wls:/base_domain/edit/ !> defAtnP.setIdentityDomain('partID') wls:/base_domain/edit/ !> partrealm.createAuthenticationProvider("DefaultIdentityAsserter","weblogic.security.providers.authentication.DefaultIdentityAsserter") wls:/base_domain/edit/ !> partrealm.createAuthorizer("XACMLAuthorizer","weblogic.security.providers.xacml.authorization.XACMLAuthorizer") wls:/base_domain/edit/ !> partrealm.createRoleMapper("XACMLRoleMapper","weblogic.security.providers.xacml.authorization.XACMLRoleMapper") wls:/base_domain/edit/ !> partrealm.createAdjudicator("DefaultAdjudicator","weblogic.security.providers.authorization.DefaultAdjudicator") wls:/base_domain/edit/ !> partrealm.createCredentialMapper("DefaultCredentialMapper","weblogic.security.providers.credentials.DefaultCredentialMapper") wls:/base_domain/edit/ !> cert = partrealm.createCertPathProvider("WebLogicCertPathProvider","weblogic.security.providers.pk.WebLogicCertPathProvider") wls:/base_domain/edit/ !> partrealm.setCertPathBuilder(cert) wls:/base_domain/edit/ !> partrealm.setManagementIdentityDomain('partID') wls:/base_domain/edit/ !> pv = partrealm.createPasswordValidator('SystemPasswordValidator','com.bea.security.providers.authentication.passwordvalidator.SystemPasswordValidator') wls:/base_domain/edit/ !> pv.setMinPasswordLength(8) wls:/base_domain/edit/ !> pv.setMinNumericOrSpecialCharacters(1) wls:/base_domain/edit/ !> peppart=domain.createPartition('Pep') wls:/base_domain/edit/ !> vt=domain.createVirtualTarget('TestVT') wls:/base_domain/edit/ !> vt.setHostNames(jarray.array([String('somehost')],String)) wls:/base_domain/edit/ !> vt.setUriPrefix('/foo') wls:/base_domain/edit/ !> peppart.addAvailableTarget(vt) wls:/base_domain/edit/ !> peppart.setRealm(partrealm) wls:/base_domain/edit/ !> peppart.setPrimaryIdentityDomain('partID') wls:/base_domain/edit/ !> peprg=peppart.createResourceGroup('TestRG') wls:/base_domain/edit/ !> peprg.addTarget(vt) wls:/base_domain/edit/ !> activate() wls:/base_domain/edit/ !> startPartitionWait(peppart)
For an example of creating domain partitions from Representational State Transfer (REST), see Creating Partitions in Administering Oracle WebLogic Server with RESTful Management Services.
This example demonstrates how to create a partition, including:
A new security realm for the partition, including security providers, the primary identity domain, and the management identity domain.
A virtual target for the cluster, on which the applications will run.
A virtual target for the Administration Server, so that the Deployer role can create system resources and deploy applications.
A resource group for each virtual target.
Partition users in the Administrator, Deployer, Monitor, and Operator roles.
For an example that demonstrates how to set the management identity domain on a partition, see Managing Users and Groups as a Partition Administrator: REST Example
The WebLogic Server role mapping, authorization, credential mapping, and audit security providers must be identity-domain-aware to function correctly in an environment where identity domains are configured.
For example, an authorization provider that does not understand identity domains cannot correctly distinguish between two users with the same name but different identity domains, and therefore cannot make valid authorization decisions.
The standard WebLogic Server security providers are identity-domain-aware. However, deprecated providers, such as Default Role Mapper and Default Authorizer, are not identity-domain-aware.
If you have configured identity domains in your user store, you can force the use of identity-domain-aware providers by setting the Identity Domain Aware Providers Required control. Setting this control specifies that only role mapping, authorization, credential mapping, and audit providers that support identity domains are used, even if no identity domains are configured.
From the WebLogic Server Administration Console:
Instead of logging in to the domain level, you can connect directly to a domain partition using both Fusion Middleware Control and WLST. When you do this, the user name that you specify is validated against the security realm and the management identity domain for that partition.
To login to a partition in Fusion Middleware Control:
Enter the URL in your Web browser. For example:
http://host1.example.com:7001/em
Enter the partition user name and password and click Login to Partition.
Enter the name of the partition in the Partition Name field and click Sign in.
See Table 5-1 for the configuration and management capabilities of the WebLogic Server administrative roles when logged directly in to a partition.
You can use WLST to connect directly to a domain partition instead of logging in to the domain level. When you do this:
The user name you specify is validated against the security realm for that partition.
See Table 6-1 for the configuration and management capabilities of the WebLogic administrative roles when logged directly in to a partition.
The initial view of the MBean hierarchy is partition-specific.
The WLST syntax is as follows. Note that only t3
connections are supported.
The initial view of the MBean hierarchy is partition-specific.
Using the Partition Name
wls:/offline> connect('username','password',"t3://system:port/partitions/partition-name")
For example:
wls:/offline> connect('weblogic','password',"t3://somehost:7001/partitions/Partition-0") Connecting to t3://somehost:7001/partitions/Partition-0 with userid weblogic ... Successfully connected to partition "Partition-0". wls:/base_domain/serverConfig/Partitions/Partition-0>
Using a Virtual Target
Specify a URL that matches a configured virtual target for the partition. For example, if you have a virtual target without a host name and a uriPrefix
of /foo
, then you can connect as follows:
connect('weblogic','password',"t3://somehost:7001/foo")
MBean Hierarchy Is Partition-Specific
The MBean hierarchy after connecting is partition-specific:
wls:/base_domain/serverConfig/Partitions/Partition-0> ls() dr-- AvailableTargets dr-- CoherencePartitionCacheConfigs dr-- DataSourceForJobScheduler dr-- DataSourcePartition dr-- DefaultTargets dr-- JDBCSystemResourceOverrides dr-- JMSSystemResourceOverrides dr-- JTAPartition dr-- MailSessionOverrides dr-- ManagedExecutorServiceTemplates dr-- ManagedScheduledExecutorServiceTemplates dr-- ManagedThreadFactoryTemplates dr-- PartitionLog dr-- PartitionWorkManager dr-- PartitionWorkManagerRef dr-- ResourceGroups dr-- ResourceManager dr-- ResourceManagerRef dr-- SelfTuning dr-- SystemFileSystem dr-- WebService -r-- BatchJobsExecutorServiceName null -r-- DataSourceForJobScheduler null -r-- GracefulShutdownTimeout 0 -r-- IgnoreSessionsDuringShutdown false -r-- JobSchedulerTableName WEBLOGIC_TIMERS -r-- MaxConcurrentLongRunningRequests 50 -r-- MaxConcurrentNewThreads 50 -r-- Name Partition-0 -r-- ParallelDeployApplicationModules false -r-- ParallelDeployApplications true -r-- PartitionID 085b48c2-6d70-434e-8200-f4eb f28ca3a0 -r-- PartitionLifeCycleTimeoutVal 120 -r-- PartitionWorkManager null -r-- PartitionWorkManagerRef null -r-- PrimaryIdentityDomain idd_Partition-0 -r-- RCMHistoricalDataBufferLimit 250 -r-- ResourceDeploymentPlanPath null -r-- ResourceManager null -r-- ResourceManagerRef null -r-- StartupTimeout 0 -r-- Type Partition -r-- UploadDirectoryName C:\Oracle\Middleware\Oracle_ Home\user_projects\domains\base_domain/partitions/Partition-0/system\servers\Adm inServer\upload\
When logged in or connected to a partition as a member of the management identity domain, the partition administrator can manage the security realm data associated with the partition, such as managing users and groups, credential maps, roles, and policies. A partition administrator cannot change the configuration of the realm.
Note:
To enable security management capabilities for the partition administrator, the system administrator must set the management identity domain attribute on the realm to be the same as the primary identity domain. See Configuring Security Realms and Primary Identity Domains: Main Steps and Examples.
In Fusion Middleware Control, partition administrators can manage users and groups. To invoke additional security management operations on the supported MBeans, they can use WLST, REST APIs, or JMX.
An overview of the process is as follows:
The system administrator configures a management identity domain on the realm. A partition administrator with the identity domain that matches this management IDD can invoke on the Security Runtime MBeans operations that control realm behavior. For example:
The system administrator configures the administrative identity domain on the Security Configuration MBean with the value idd-DOMAIN
.
The system administrator configures partition Partition1
in the domain. The primary identity domain configured on the Partition MBean has the value idd-Partition1
. Users that authenticate to Partition1
are part of the idd-Partition1
identity domain.
The system administrator configures a Partition1
realm in the domain and configures the management identity domain on the Realm MBean using the value idd-Partition1
.
The system administrator creates the partition administration user and assigns it to the Administrators group.
Users with identity domain idd-DOMAIN
(such as system administrators) and users with identity domain idd-Partition1
(such as partition administrators) can access the security management operations on the Realm MBean and security provider MBeans contained by the realm.
The partition administrator can manage users and groups using Fusion Middleware Control.
The partition administrator can navigate to the realm via the Partition MBean Realm attribute.
The partition administrator can navigate to the security providers from the Realm MBean provider-related attributes.
The partition administrator can invoke on a subset of the methods in the security provider MBeans. For a list of the MBean mixin interfaces for security providers available to the partition administrator, see Table 6-3 in Security MBeans in Developing Custom Management Utilities Using JMX for Oracle WebLogic Server.
In a shared realm scenario with multiple partitions referring to one realm, the system administrator configures a management identity domain that matches the primary identity domain of one of the partitions. In this case, by default, only the users from the partition that matches can access the security management operations. The system administrator can also configure a separate authenticator that supports the management identity domain specifically and, in this case, users from all partitions that authenticate and specify the management identity domain can access the security management operations.
Table 5-2 lists the security management packages on which the partition administrator can invoke MBean operations when connected to the partition.
Table 5-2 Security Packages Accessible by a Partition Administrator
Package | Description |
---|---|
Provides interfaces and classes for the control and monitoring of security providers in a WebLogic security realm. |
|
Provides interfaces and classes for the control and monitoring of Audit security providers in a WebLogic security realm. |
|
Provides interfaces and classes for the control and monitoring of Authentication security providers in a WebLogic security realm. |
|
Provides interfaces and classes for the control and monitoring of Authorization, Adjudication, and Role Mapping security providers in a WebLogic security realm. |
|
Provides interfaces and classes for the control and monitoring of Credential Mapping security providers in a WebLogic security realm. |
|
Provides interfaces and classes for the control and monitoring of certification path security providers in a WebLogic security realm. |
|
Provides interfaces and classes for the listing of data returned from security providers in a WebLogic security realm. |
For details about how to manage the security realm using JMX, see Managing Security Realms with JMX in Developing Custom Management Utilities Using JMX for Oracle WebLogic Server.
To manage users and groups using Fusion Middleware Control:
The following example demonstrates how to log into the partition Partition1
as the partition administrator, connect to the realm partition and authentication provider Partition1Realm/auth_provider2)
, list the available operations, and add a new user to the realm.
For an example of managing security data as a partition administrator in a partition from Representational State Transfer (REST), see Configuring Users in Administering Oracle WebLogic Server with RESTful Management Services.
This example demonstrates how the partition administrator creates deployer, operator, and monitor users for the partition and assigns them to their respective groups.
However, note the following important differences:
If you configure an explicit or offset port for the virtual target as described in Configuring Virtual Targets, then SSL is not supported for that virtual target.
This means that clients (for example, Remote Method Invocation (RMI) clients) cannot communicate directly over SSL to a partition that uses port-based routing.
CertPath providers configured in nondefault security realms, such as security realms associated with one or more partitions, are not run as part of the extra SSL validation. Only the default security realm's CertPath provider is run.
The behavior of the SSLMBean:UseServerCerts attribute is unchanged when a client is running in a partition. That is, when the UseServerCerts
attribute is set to true
, a client running in a partition uses the server identity for an outbound connection over HTTPS.
SSL is not supported in multitenant environments for older WebLogic Server clients. WebLogic Server clients prior to 12.2.x (that is, 10.3.6 and 12.1.x), are not multitenant aware. Therefore, to connect an older client to a multitenant partition, you must define an explicit port number on the virtual target for the partition as described in Using Partition Channels with Virtual Targets. SSL is not supported for explicit or offset ports on virtual targets.
Manage Security Providers in the Oracle WebLogic Server Administration Console Online Help
Create Users in the Oracle WebLogic Server Administration Console Online Help
Configuring SSL in Administering Security for Oracle WebLogic Server