Administration Console Online Help

Compatibility Security

[Attributes and Console Screen Reference for Compatibility Security]

This topic describes configuring and managing security when using Compatibility security. For more information, see Using Compatibility Security in Managing WebLogic Security. For information about how to use the security features in WebLogic Server, see Security in the Administration Console online help and Managing WebLogic Security.

 

---

Tasks

Setting Up Compatibility Security: Main Steps

To set up Compatibility security:

Make a back-up copy of your 6.x WebLogic domain (including your config.xml file) before using Compatibility security.
Add the following to the 6.x config.xml file if it does not exist:

<Security Name="mydomain" Realm="mysecurity"/>
<Realm Name="mysecurity" FileRealm="myrealm"/>
<FileRealm Name="myrealm"/>

Install WebLogic Server in a new directory location. Do not overwrite your existing 6.x installation directory.
Modify the start script for your 6.x server to point to the new WebLogic Server installation. Specifically, you need to modify:
• The classpath to point to the weblogic.jar file in the new WebLogic Server installation.
• The JAVA_HOME variable to point to the new WebLogic Server installation.
Use the start script for your 6.x server to boot WebLogic Server.

To verify whether you are correctly running Compatibility security, do the following:

In the WebLogic Server Administration Console, expand the Domain node.
Click on your WebLogic Server domain (referred to as the domain).
Click the View the Domain Log link.

The following message appears in the log:

Security initializing using realm CompatibilityRealm

In addition, a CompatibilitySecurity node will appear in the WebLogic Server Administration Console.

Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider

The Realm Adapter Authentication provider includes an Identity Assertion provider.The Identity Assertion provider provides backward compatibility for implementations of the weblogic.security.acl.CertAuthenticator class. The identity assertion is performed on X.509 tokens. By default, the Identity Assertion provider is not enabled in the Realm Adapter Authentication provider.

To enable identity assertion in the Realm Adapter Authentication provider:

Expand the Security-->Realms nodes.
Click the CompatibilityRealm.
Expand the Providers node.
Click Authentication Providers.
Click the Realm Adapter Authenticator link in the Realms table.

The General tab appears.

Enter X.509 in the Active Types list box.

This step enables the use of 6.x Cert Authenticators.

Click Apply.
Reboot WebLogic Server.

Configuring a Realm Adapter Auditing Provider

The Realm Adapter Auditing provider allows you to use implementations of the weblogic.security.audit.AuditProvider class when using Compatibility security. In order for the Realm Adapter Auditing provider to work properly, the implementation of the weblogic.security.audit.AuditProvider class must have been defined in the Audit Provider class attribute on the Domain-->Security-->Compatibility-->General tab.

To configure a Realm Adapter Auditing provider:

Expand the Compatibility Security-->Realms nodes.
Expand the Providers node.
Click Auditors.
Click Configure a Realm Adapter Auditor... link.

The General tab appears

Click Create to save your changes.
Reboot WebLogic Server.

Changing the System Password

During installation, WebLogic Server does the following to the File realm in mydomain:

Adds the username and password supplied during installation to the File realm.
Sets the system password to password specified during installation.

These steps ensure that a system user is defined in the compatibility version of the File realm.

When using the Configuration Wizard to create a new WebLogic Server domain, WebLogic Server sets the system password in the File realm in mydomain to the password of the first user defined in the Admin role. If the Admin role is mapped only to the Administrators group, the system password is the password of the first alphabetical user in the Administrators group.

To improve security, BEA recommends frequently changing the system password that was set during installation. Each WebLogic Server deployment must have a unique password.

In the console for the Administration Server, expand the Compatibility Security node.
Select the Users tab.
In the User Configuration window, under Change a User's Password, enter system in the Name attribute.
In the Old Password attribute, enter 6.x password.
Enter a new password in the New Password attribute.
Enter the new password again in the Confirm the Password attribute.

When you use an Administration Server and Managed Servers in a domain, the Managed Server must always use the password for the Administration Server in the domain. Always change the password for the Administration Server through the WebLogic Server Administration Console. When WebLogic Server is rebooted, the new password is propagated to all the Managed Servers in the domain.

Configuring the File Realm

To configure the File realm:

Expand the Domain node (for example, mydomain).
Click the View Domain-Wide Security Settings link at the bottom of the General tab.
Select the Compatibility-->File Realm tab.
Enter values in the attribute fields on the File Realm tab.
Click Apply to save your changes.

All user and group data for the File realm is stored in the fileRealm.properties file. If the fileRealm.properties file becomes corrupted or is destroyed, you must reconfigure the security information for WebLogic Server. Compatibility security cannot run without a fileRealm.properties file. Even if you write a custom security realm, you still need a fileRealm.properties file to boot WebLogic Server. Therefore, BEA recommends that you take the following steps:

Make a backup copy of the fileRealm.properties file and put it in a secure place.
Set the permissions on the fileRealm.properties file such that the administrator of the WebLogic Server deployment has write and read privileges and no other users have any privileges.

Note: Also make a backup copy of the SerializedSystemIni.dat file for the File realm.

Configuring the Caching Realm

To configure the Caching realm:

Configure the alternate or custom security realm with which you will use the Caching realm. See the appropriate realm configuration procedures in the following sections:
• Configuring an LDAP V1 Security Realm
• Configuring an LDAP Realm V2
• Configuring the Windows NT Security Realm
• Configuring the UNIX Security Realm
• Configuring the RDBMS Security Realm
• Installing a Custom Security Realm
Expand the Compatibility Security-->Caching Realms nodes.
Click the Configure a new Caching Realm... link.
Enter values in the attribute fields on the Caching Realm --> General page.
Click Create.
Enable the caches you want to use with the Caching realm. For more information, see:
• Enabling the ACL Cache
• Enabling the Authentication Cache
• Enabling the Group Cache
• Enabling the User Cache
• Enabling the Permission Cache
When you finish enabling caches for the Caching realm, reboot WebLogic Server.

Enabling the ACL Cache

To enable the ACL cache:

Click the ACL tab under the Caching Realm tab.
Configure and enable the ACL cache by defining values for the attributes shown on the Caching Realm-->ACL page.
Click Apply to save your changes.

Enabling the Authentication Cache

To enable the Authentication cache:

Click the Authentication tab under the Caching Realm tab.
Configure and enable the Authentication cache by defining values for the attributes shown on the Caching Realm --> Authentication page.
Click Apply to save your changes.

Enabling the Group Cache

To enable the Group cache:

Click the Group tab under the Caching Realm tab.
Configure and enable the Group cache by defining values for the attributes shown on the Caching Realm --> Groups page.
Click Apply to save your changes.

Enabling the User Cache

To enable the User cache:

 

Click on the User tab under the Caching Realm tab.
Configure and enable the User cache by defining values for the attributes shown on the Caching Realm --> Users page.
Click Apply to save your changes.

Enabling the Permission Cache

To enable the Permission cache:

Click on the Permission tab under the Caching Realm tab.
Configure and enable the Permission cache by defining values for the attributes shown on the Caching Realm --> Permissions page.
Click Apply to save your changes.

Adding a Note to the Caching Realm

To add a note to the caching realm:

Click on the Notes tab under the Caching Realm tab.
Write any pertinent information in the Notes field.
Click Apply to save your changes.

Configuring an LDAP V1 Security Realm

The Lightweight Directory Access Protocol (LDAP) V1 security realm provides authentication through users and groups stored in an LDAP directory. This server allows you to manage all the users for your organization in one place: the LDAP directory. The LDAP V1 security realm supports Open LDAP, Netscape iPlanet, Microsoft Site Server, and Novell NDS directory servers.

To use the LDAP V1 security realm instead of the File realm:

Expand the Compatibility Security-->Realms nodes.
Click the Configure a New LDAP Realm V1... link to display the name of the class that implements the LDAP V1 security realm.
Click Create.
Define attributes for the LDAP directory server and specify how users and groups are located in the LDAP V1 security realm. For more information:
• Enabling Communication between the LDAP Server and WebLogic Server
• Specifying How Users Are Located in the LDAP V1 Security Realm
• Specifying How Groups Are Located in the LDAP V1 Security Realm
When you have finished defining all the attributes, reboot WebLogic Server.
Configure the Caching realm. For more information, see Configuring the Caching Realm

When configuring the Caching realm, select the LDAP Realm V1 option from the pull-down menu for the Basic Realm attribute on the General page. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP V1 security realm).

Expand the Domains node.
Click the View Domain-Wide Security Settings link on the Domain-->General page.
Select the Compatibility-->File Realm tab.
In the Caching Realm attribute, choose the name of the Caching realm to be used with the LDAP V1 security realm. A list of configured Caching realms appears on the pull-down menu.
Reboot WebLogic Server.

Enabling Communication between the LDAP Server and WebLogic Server

To enable communication between the LDAP server and WebLogic Server:

Click the LDAP Realm V1 tab.
Define values for the attributes on the LDAP Security Realm-->LDAP Server page.
Click Apply to save your changes.

Specifying How Users Are Located in the LDAP V1 Security Realm

To specify how users are located in the LDAP V1 security realm:

Click the Users tab under the LDAP Realm V1 tab.
Define the attributes shown on the LDAP Security Realm-->Users page.
Click Apply to save your changes.

Specifying How Groups Are Located in the LDAP V1 Security Realm

To specify how groups are located in the LDAP V1 security realm:

Click on the Groups tab under the LDAP Realm V1 tab.
Define the attributes shown on the LDAP Security Realm-->Groups page.
Click Apply to save your changes.

Adding a Note to the LDAP V1 Security Realm

To add a note to the LDAP V1 security realm:

Click on the Notes tab under the LDAP Realm V1 tab.
Write any pertinent information in the Notes field.
Click Apply to save your changes.

Configuring an LDAP Realm V2

In Compatibility security, the LDAP realm V2 is configured as a custom security realm.

The LDAP tree and schema is different for every LDAP server. The Supported Server Templates has templates for the supported LDAP servers. These templates specify default configuration information used to represent users and groups in each of the supported LDAP servers.

To use a LDAP realm V2:

Expand the Compatibility Security-->Realms nodes.
Click the Configure a new Custom Realm... link.
Set attributes on the Configuration tab.
The following table describes the attributes you set on the Custom Security Realm Configuration window.

Table 152-1 Custom Security Realm Attributes

Attribute	Description
Name	Name of the LDAP realm V2, such as defaultLDAPRealmForNetscapeDirectoryServer.
Realm Class Name	Name of the WebLogic class that implements the LDAP V2 realm such as weblogic.security.ldaprealmv2. LDAPRealm. This class needs to be in the CLASSPATH of WebLogic Server.
Configuration Data	Specify information specific to your LDAP configuration for the following: server.host—The host name of the LDAP server. server.port—The port number on which the LDAP server listens. useSSL—Specifies whether or not to use SSL to protect communications between the LDAP server and WebLogic Server. Set the value to true to enable the use of SSL. server.principal—The LDAP user used by WebLogic Server to connect to the LDAP server. server.credential—The password of the LDAP user user by WebLogic Server to connect to the LDAP server. user.dn—The base DN of the tree in the LDAP directory that contains users. user.filter—The LDAP search filter for finding a user given the name of the user. group.dn—The base DN of the tree in the LDAP directory that contains groups. group.filter—The LDAP search filter for finding a group given the name of the group. membership.filter—The LDAP search filter for finding the members of a group given the name of the group. membership.directmembershiponly—Indicates that the LDAP search filter will only list the direct members of a group. For example, if User X belongs to Group G1 and Group G1 belongs to Group G2, only Group G1 will be listed. By default, this option is set to true. See Supported Server Templates for sample values for the supported LDAP servers.


 
Click Apply to save your changes.
Configure the Caching realm as described in Configuring the Caching Realm.

When configuring the Caching realm, select the LDAP realm V2 from the pull-down menu for the Basic Realm attribute on the General tab. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP realm V2).

Expand the Domains node.
Click the View Domain-Wide Security Settings link on the Domain-->General page.
Select the Compatibility-->File Realm tab.
In the Caching Realm attribute, choose the name of the Caching realm to be used with the LDAP V2 security realm. A list of configured Caching realms appears on the pull-down menu.
Reboot WebLogic Server.

Supported Server Templates

Listing 152-1 through Listing 152-1 are templates used to configure LDAP servers supported in the LDAP realm V2. Copy these templates directly into the config.xml file for your application.

Warning: Each line in the following code examples must appear on a single line. The examples in the code examples have been formated to fit the margins of this document and some lines have been broken to facilitate that formatting. If you paste this text into the config.xml file, be sure to concatentate the lines that are broken so that they appear on a single line in your code.

Listing 152-1 Default Netscape Directory Server Template

<CustomRealmName="defaultLDAPRealmForNetscapeDirectoryServer"
RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"
ConfigurationData=
"server.host=ldapserver.example.com;
server.port=700;
useSSL=true;
server.principal=uid=admin,
ou=Administrators,ou=TopologyManagement,o=NetscapeRoot;
server.credential=*secret*;
user.dn=ou=people,o=beasys.com;
user.filter=(&amp;(uid=%u)(objectclass=person));
group.dn=ou=groups,o=beasys.com;
group.filter=(&amp;(cn=%g)(objectclass=groupofuniquenames));
membership.filter=(&amp;(uniquemember=%M)
   (objectclass=groupofuniquenames));
membership.directmembershiponly

"Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>

Listing 152-2 Default Microsoft Site Server Template

<CustomRealmName="defaultLDAPRealmForMicrosoftSiteServer"
RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"
ConfigurationData=
"server.host=ldapserver.example.com;
server.port=700;
useSSL=true;
server.principal=cn=Administrator,ou=Members,
   o=ExampleMembershipDir;
server.credential=*secret*
user.dn=ou=Members, o=ExampleMembershipDir;
user.filter=(&amp;(cn=%u)(objectclass=member)
   (!userAccountControl:1.2.840.113556.1.4.803:=2)));
group.dn=ou=Groups, o=ExampleMembershipDir;
group.filter=(&amp;(cn=%g)(objectclass=mgroup));
membership.scope.depth=1;microsoft.membership.scope=sub;
membership.filter=(|(&amp;(memberobject=%M)
(objectclass=memberof))(&amp;(groupobject=%M)
(objectclass=groupmemberof)));
membership.search=true;
membership.directmembershiponly

"Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>

Listing 152-3 Default Novell Directory Services Template

<CustomRealmName="defaultLDAPRealmForNovellDirectoryServices"
RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"
ConfigurationData=
"server.host=ldapserver.example.com;
server.port=700;
useSSL=true;
server.principal=cn=Admin, DC=BEASYS
server.credential= *secret*;
user.dn=ou=people,o=example.com;
user.filter=(&amp;(cn=%u)(objectclass=person));
group.dn=ou=groups,o=example.com;
group.filter=(&amp;(cn=%g)(objectclass=groupofuniquenames));
membership.filter=(&amp;(member=%M)
   (objectclass=groupofuniquenames));
membership.directmembershiponly;"

"Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>

Listing 152-4 Default Open LDAP Directory Services Template

<CustomRealmName="defaultLDAPRealmForOpenLDAPDirectoryServices"
RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"
ConfigurationData=
"server.host=ldapserver.example.com;
server.port=700;
useSSL=true;
server.principal=cn=Manager, dc=example, dc=com;
server.credential= *secret*;
user.dn=ou=people, dc=example,dc=com;
user.filter=(&amp;(uid=%u)(objectclass=person));
group.dn=ou=groups,dc=example,c=com;
group.filter=(&amp;(cn=%g)(objectclass=groupofuniquenames));
membership.filter=(&amp;(uniquemember=%M)     (objectclass=groupofuniquenames));"
membership.directmembershiponly;

"Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>

Adding a Note to the LDAP V2 Security Realm

To add a note to the LDAP V2 security realm:

Click on the Notes tab under the configuration window for the chosen LDAP server.
Write any pertinent information in the Notes field.
Click Apply to save your changes.

Configuring the Windows NT Security Realm

To configure the Windows NT security realm:

Expand the Compatibility Security-->Realms node.
Click the Configure a New NT Realm... link.
Set attributes on the Windows NT Realm-->Configuration page that define a name for the Windows NT realm and the computer on which the Windows NT domain is running.
Click Apply to save your changes.
Configure the Caching realm. For more information, see Configuring the Caching Realm.

When configuring the Caching realm, select your Windows NT security realm from the pull-down menu for the Basic Realm attribute on the General page. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the Windows NT security realm).

Expand the Domains node.
Click the View Domain-Wide Security Settings link on the Domain-->General page.
Click the Compatibility-->File Realm tab.
In the Caching Realm attribute, choose the name of the Caching realm to be used with the Windows NT security realm. A list of configured Caching realms appears on the pull-down menu.
Reboot WebLogic Server.

Use the following command to verify that you have the correct privileges to run WebLogic Server as the specified Windows NT user:

java weblogic.security.ntrealm.NTRealm username password

where username and password are the username and password of the Windows NT account under which WebLogic Server runs.

The output from this command indicates if the specified username and password authenticated properly.

 

If the test comes up with an immediate failure stating that the client or user running WebLogic Server does not have the privileges to run the Windows NT Security realm,then it may be necessary to do one of two things:

• Boot the server using -Dweblogic.security.ntrealm.logonNetwork=true to change the NTRealm's NT Logon from LOGON32_LOGIN_INTERACTIVE to LOGON32_LOGIN_NETWORK.
• Update the permissions (referred to as rights) for the Windows user running WebLogic Server to provide the user with the NT "Log on Locally" user right. For more information, see Updating Users Permissions for Windows NT and Windows 2000.

Updating Users Permissions for Windows NT and Windows 2000

To update the rights in Windows NT:

On the Start menu, select Programs—>Administrative Tools.
Select User Manager.
Under the Policies menu, choose the User Rights option.
Check the Show Advanced Users Rights option.
Give the following rights to the Windows user running WebLogic Server:
Act as part of the operating system
Create a token object
Replace a process level token
Verify that the Windows user running WebLogic Server is a member of the Administrators group.
Reboot Windows NT to ensure all the modifications take effect.
Verify that the Logon as System Account option is checked. Note that the Allow System to Interact with Desktop option does not need to be checked. Running the Windows NT Security realm under a specific Windows NT user account does not work.

To update the rights in Windows 2000:

On the Start menu, select Programs—>Administrative Tools.
Select Local Security Policy.
Go to Local Policies—>User Rights Assignment.
Give the following rights to the Windows user running WebLogic Server:
• Act as part of the operating system
• Create a token object
• Replace a process level token
Verify that the Windows user running WebLogic Server is a member of the Administrators group.
Reboot Windows 2000 to ensure all the modifications take effect.
Verify that the Logon as System Account option is checked. Note that the Allow System to Interact with Desktop option does not need to be checked. Running the Windows NT Security realm under a specific Windows NT user account does not work.

The following are common Windows NT error codes that occur when using the Windows NT Security realm:

 

A full explanation of the Windows NT error codes is found in the winerror.h file.

Adding a Note to the Windows NT Security Realm

To add a note to the Windows NT securitty realm:

Click on the Windows NT Realm-->Notes tab under the Configuration tab.
Write any pertinent information in the Notes field.
Click Apply to save your changes.

Configuring the wlauth Program for the UNIX Security Realm

The wlauth program runs setuid root. You need root permissions to modify the ownership and file attributes on the wlauth program and to set up the PAM configuration file for wlauth.

To set up the wlauth program for the UNIX security realm:

If WebLogic Server is installed on a network drive, copy the wlauth file to a file system on the computer that executes WebLogic Server, for example, the /usr/sbin directory. The wlauth file is in the weblogic/lib/arch directory, where arch is the name of your platform.
As the root user, run the following commands to change the wlauth owner and permissions:

  # chown root wlauth
  # chmod +xs wlauth

Set up the PAM configuration for wlauth.

Solaris—Add the following lines to your /etc/pam.conf file:

  # Setup for WebLogic authentication on Solaris machines
  #
  wlauth auth required      /usr/lib/security/pam_unix.so.1 
  wlauth password required  /usr/lib/security/pam_unix.so.1 
  wlauth account required   /usr/lib/security/pam_unix.so.1

Linux—Create a file called /etc/pam.d/wlauth containing the following:

  #%PAM-1.0
  #
  # File name:
  # /etc/pam.d/wlauth 
  #
  # If you do not use shadow passwords, delete "shadow".
  auth required     /lib/security/pam_pwdb.so shadow
  account required  /lib/security/pam_pwdb.so

Note: Omit shadow if you are not using shadow passwords.

If wlauth is not in the WebLogic Server class path or if you have given the program a name other than wlauth, you must add a Java command-line property when you start WebLogic Server. Edit the script you use to start WebLogic Server and add the following option after the java command:

-Dweblogic.security.unixrealm.authProgram=wlauth_prog

Replace wlauth_prog with the name of the wlauth program, including the full path if the program is not in the search path. Start WebLogic Server. If the wlauth program is in the WebLogic Server path and is named wlauth, this step is not needed.

Configuring the UNIX Security Realm

Note: The UNIX Security realm runs only on the Solaris and Linux platforms.

To configure the Unix security realm:

Expand the Compatibility Security-->Realms nodes.
Click the Configure a New Unix Realm... link.
Set attributes on the Unix Realm-->Configuration page that define a name for the realm and the program that provides authentication services for the UNIX Security realm.
Click Create.
Configure the Caching realm. For more information, see Configuring the Caching Realm.

When configuring the Caching realm, select your UNIX security realm from the pull-down menu for the Basic Realm attribute on the General page. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the UNIX security realm).

Expand the Domains node.
Click the View Domain-Wide Security Settings link on the Domain-->General page.
Click the Compatibility-->File Realm tab.
In the Caching Realm attribute, choose the name of the Caching realm to be used with the UNIX security realm. A list of configured Caching realms appears on the pull-down menu.
Reboot WebLogic Server.

Adding a Note to the UNIX Security Realm

Click on the Unix Realm-->Notes tab under the Configuration tab.
Write any pertinent information in the Notes field.
Click Apply to save your changes.

Configuring the RDBMS Security Realm

The RDBMS security realm is a BEA-provided custom security realm that stores users, groups and ACLs in a relational database.The RDBMS security realm is an example and is not meant to be used in a production environment.

Notes: The RDBMS example does not work with databases that have an autocommit feature enabled. If you use the RDBMS example as a starting point for your RDBMS implementation, use explicit commit statements in your code and make sure the autocommit feature in the database you are using is disabled.

If your implementation of the RDBMS security realm uses the getActiveDomain() method, you need to edit and recompile your RDBMSDelegate class in order to use the RDBMS security realm with Compatibility security. Replace the getActiveDomain() method with the getSecurityConfig() method in the weblogic.server package.

To configure an RDBMS security realm:

Expand the Compatibility Security-->Realms node.
Choose the database you want to use with WebLogic Server. The following templates are available:
• defaultRDBMSRealmForOracle
• defaultRDBMSRealmForMSSQLServerType4
• defaultRDBMSRealmForCloudScape
• defaultRDBMSRealmForODBC

A configuration window for the chosen database appears.

Set attributes on the RDBMS Realm-->General page that define a name for the realm and the class that implements the RDBMS security realm.
Click Create.
Define attributes for connecting to the database and the database schema. For more information:
• Defining Database Attributes for the RDBMS Security Realm
• Defining Database Schema for the RDBMS Security Realm
Configure the Caching realm. For more information, see Configuring the Caching Realm.

When configuring the Caching realm, select the RDBMS security realm from the pull-down menu for the Basic Realm attribute on the General page. The Basic Realm attribute defines the association between the Caching realm and the alternate security realm (in this case, the RDBMS security realm).

Expand the Domains node.
Click the View Domain-Wide Security Settings link on the Domain-->General page.
Click the Compatibility-->File Realm tab.
In the Caching Realm attribute, choose the name of the Caching realm to be used with the RDBMS security realm. A list of configured Caching realms appears on the pull-down menu.
Reboot WebLogic Server.

Defining Database Attributes for the RDBMS Security Realm

To define attributes for the JDBC driver that connects to the database in the RDBMS security realm:

Click the RDBMS Realm-->Database tab.
Define attributes for the JDBC driver being used to connect to the database.
Click Apply to save your changes.

Defining Database Schema for the RDBMS Security Realm

To define attribute for the database schema used by the RDBMS security realm:

Click the RDBMS Realm-->Schema tab.
Define the schema used to store Users, Groups, and ACLs in the database in the Schema Properties box on the Schema page.

Listing 152-1 contains the database statements entered in the Schema properties for the RDBMS code example shipped with WebLogic Server in the /samples/examples/security/rdbmsrealm directory.

Listing 152-1 Sample Schema for RDBMS Security Realm

"getGroupNewStatement=true;getUser=SELECT U_NAME, U_PASSWORD FROM users WHERE U_NAME = ?;
getGroupMembers=SELECT GM_GROUP, GM_MEMBER from groupmembers WHERE GM_GROUP = ?;
getAclEntries=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries WHERE A_NAME = ? ORDER BY A_PRINCIPAL;
getUsers=SELECT U_NAME, U_PASSWORD FROM users;
getGroups=SELECT GM_GROUP, GM_MEMBER FROM groupmembers;
getAcls=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries ORDER BY A_NAME, A_PRINCIPAL;
getPermissions=SELECT DISTINCT A_PERMISSION FROM aclentries;
getPermission=SELECT DISTINCT A_PERMISSION FROM aclentries WHERE A_PERMISSION = ?;
newUser=INSERT INTO users VALUES ( ? , ? );
addGroupMember=INSERT INTO groupmembers VALUES ( ? , ? );
removeGroupMember=DELETE FROM groupmembers WHERE GM_GROUP = ? AND GM_MEMBER = ?;
deleteUser1=DELETE FROM users WHERE U_NAME = ?;
deleteUser2=DELETE FROM groupmembers WHERE GM_MEMBER = ?;
deleteUser3=DELETE FROM aclentries WHERE A_PRINCIPAL = ?;
deleteGroup1=DELETE FROM groupmembers WHERE GM_GROUP = ?;
deleteGroup2=DELETE FROM aclentries WHERE A_PRINCIPAL = ?"

Click Apply to save your changes.

Adding A Note to the RDBMS Security Realm

To add a note to the RDBMS security realm:

Click on the RDBMS Realm-->Notes tab under the Configuration tab.
Write any pertinent information in the Notes field.
Click Apply to save your changes.

Installing a Custom Security Realm

You can create a custom security realm that draws from an existing store of users such as directory server on the network. To use a custom security realm, you create an implementation of the weblogic.security.acl.AbstractListableRealm interface or the weblogic.security.acl.AbstractManageableRealm interface and then use the Administration Console to install your implementation.

To install a custom security realm:

Expand the Compatibility Security-->Realms node.
Click the Configure a New Custom Realm... link.
Set attributes on the Custom Realm --> Configuration page that define a name for the custom security realm, specify the interface that implements the realm, and define how the users, groups, and optionally ACLs are stored in the custom security realm.
Click Create.
Configure the Caching realm. For more information, see Configuring the Caching Realm.

When configuring the Caching realm, select the custom security realm from the pull-down menu for the Basic Realm attribute on the General page. The Basic Realm attribute defines the association between the Caching realm and the custom security realm.

Expand the Domains node.
Click the View Domain-Wide Security Settings link on the Domain-->General page.
Click the Compatibility-->File Realm tab.
In the Caching Realm attribute, choose the name of the Caching realm to be used with the custom security realm. A list of configured Caching realms appears on the pull-down menu.
Reboot WebLogic Server.

Adding A Note To A Custom Security Realm

To add a note to a custom security realm:

Click on the Custom Realm --> Notes tab under the Configuration tab.
Write any pertinent information in the Notes field.
Click Apply to save your changes.

Defining Users

Note: This section explains how to add users to a manageable security realm (for example, the File realm) in the CompatibilityRealm. If you are using a security realm that is not manageable through the WebLogic Server Administration Console, you must use the administration tools provided in that realm to define a user.

To define a user:

Expand the Compatibility Security node.
Click Users.
In the User Configuration window, enter the name of the user in the Name attribute.
Enter a password for the user in the Password attribute.
Enter the password again in the Confirm Password attribute.
Click Create.

Deleting Users

To delete a user:

Expand the Compatibility Security node.
Click Users.
In the User Configuration window, enter the name of the user in the Delete Users box.
Click Delete.

Changing the Password of a User

Expand the Compatibility Security node.
Click Users.

The User Configuration window appears.

Enter the name of the user in the Name attribute on the User Configuration window.
Enter the old password in the Old Password attribute.
Enter the new password in the New Password attribute.
Enter the new password again to confirm the password change.

Unlocking A User Account

To unlock a user account:

Expand the Compatibility Security node.
Click Users.
In the User Configuration window, click the Unlock Users link.
Enter the names of the user accounts you want to unlock in the Users to Unlock field.
Choose the servers on which you want the user accounts unlocked.
Click Unlock.

Disabling the Guest User

For a more secure deployment, BEA recommends running WebLogic Server with the guest account disabled.

To disable the Guest user:

Expand the Domains node.
Click the View Domain-Wide Security Settings link on the Domain-->General page.
Click the Compatibility-->General tab.
Check the Guest Disable checkbox.
Reboot WebLogic Server.

Disabling the guest account just disables the ability to log in into the account guest; it does not disable the ability for unauthenticated users to access a WebLogic Server deployment.

Defining Groups

Note: This section explains how to add groups to a manageable security realm (for example, the File realm) in the CompatibilityRealm. If you are using a security realm that is not manageable through the WebLogic Server Administration Console, you must use the administration tools provided in that realm to define a group.

To define a group in the Compatibility realm:

Expand the Compatibility Security node.
Click Groups.
Click the Create a New Group... link.
In the Groups window, enter the name of the group in the Name attribute. BEA recommends naming groups in the plural. For example, Administrators instead of Administrator.
Click the Users attribute and select the WebLogic Server users you want to add to the group.
Click the Groups attribute and select the WebLogic Server groups you want to add to the group.
Click Apply to create a new Group.

Removing Users from a Group

To remove a user from a group:

Expand the Compatibility Security node.
Click Groups.
Select the group from which you want to delete a user.
In the Groups window, check the users you want to remove from the group.
Click Apply.

Deleting Groups

To delete a groups:

Expand the Compatibility Security node.
Click Groups.

The Groups table appears. This table displays the names of all groups defined in the Compatibility realm.

To delete a group, enter the name of the group in the Remove These Groups list box.
Click Remove.

Defining ACLs

Compatibility security provides backward compatibility for ACLs and should not be considered a long-term security solution. The steps in this section should only be used if you corrupt an existing 6.x security realm and you have no choice but to restore it. Instead of ACLs, use security roles and security policies to protect WebLogic resources.

Note: ACLs on MBeans are not supported in this release of WebLogic Server. For more information, see "Layered Security Scheme for Server Resources in Securing WebLogic Resources.

When you specify an ACL for a JDBC connection pool, you must specifically define access to the JDBC connection pool for the system user in the filerealm.properties file. For example:

acl.reserve.poolforsecurity=system
acl.reset.poolforsecurity=system

To create ACLs for WebLogic resources:

Expand the Compatibility Security node.
Click the ACLs tab.
Click the Create a New ACL... link.
In the ACL Configuration window in the New ACL Name attribute, specify the name of WebLogic Server resource that you want to protect with an ACL.

For example, create an ACL for a JDBC connection pool named demopool.

Click Create.
Click on the Add a New Permission link.
Specify a permission for the resource.

Either create separate ACLs for each permission available for a resource or one ACL that grants all the permissions for a resource. For example, you can create three ACLs for the JDBC connection pool, demopool: one with reserve permission, one with reset permission, and one with shrink permission. Or you can create one ACL with reserve, reset, and shrink permissions.

Specify Weblogic users or groups that have the specified permission to the resource.
Click Apply.

Protecting User Accounts

To protect user accounts in your WebLogic Server domain:

Expand the Domains node.
Click the View Domain-Wide Security Settings link on the Domain-->General tab.
Click the Compatibility-->Passwords tabs.
Set attributes on the page by entering values at the appropriate prompts and selecting the required checkboxes.
Click Apply.
Reboot WebLogic Server.

Installing an Audit Provider

If your WebLogic Server 6.x security configuration uses an implementation of the weblogic.security.audit.AuditProvider class, the Auditor is not automatically configured in Compatibility security. Configure a Realm Adapter Auditing provider in the Compatibility realm to access the 6.x Auditor.

To configure a Realm Adapter Auditing provider:

Start WebLogic Server.
Start the admin command line tool
Enter the following commands:

java weblogic.Admin -url t3://localhost:7001 -username
adminusername -password adminpassword CREATE -mbean Security:
Name=CompatibilityRealmRealmAdapterAuditor -type
weblogic.security.providers.realmadapter.RealmAdapterAuditor commotype

java weblogic.Admin -url t3://localhost:7001 -username
adminusername -password adminpassword SET -mbean Security:
Name=CompatibilityRealmRealmAdapterAuditor -property Realm Security:Name=CompatibilityRealm commotype

java weblogic.Admin -url t3://localhost:7001 -username
adminusername -password adminpassword SET -mbean Security
Name=CompatibilityRealm -property Auditors
Security:Name=CompatibilityRealmRealmAdapterAuditor commotype

Reboot WebLogic Server.

Contact BEA |  Feedback |  Privacy  |