Securing WebLogic Server

Introduction and Roadmap

Document Scope

Document Audience

Guide to this Document

Related Information

Security Samples and Tutorials

Security Examples in the WebLogic Server Distribution

Additional Examples Available for Download

New and Changed Security Features in This Release

New Security Providers

Authentication Providers

Identity Assertion Providers

SAML Providers

Certificate Lookup and Validation Providers

Overview of Security Management

Security Realms in WebLogic Server

Security Providers

Security Policies and WebLogic Resources

WebLogic Resources

Deployment Descriptors and the WebLogic Administration Console

The Default Security Configuration in WebLogic Server

Configuring WebLogic Security: Main Steps

What Is Compatibility Security?

Management Tasks Available in Compatibility Security

Customizing the Default Security Configuration

Why Customize the Default Security Configuration?

Configuration Decisions When Creating a New Security Realm

Creating a New Security Realm: Main Steps

Configuring WebLogic Security Providers

When Do I Need to Configure a Security Provider?

Configuring the WebLogic Authorization Provider

Configuring the WebLogic Adjudication Provider

Configuring a WebLogic Role Mapping Provider

Configuring the WebLogic Auditing Provider

Auditing ContextHandler Elements

Configuration Auditing

Enabling Configuration Auditing

Configuration Auditing Messages

Audit Events and Auditing Providers

Configuring a WebLogic Credential Mapping Provider

Creating Credential Mappings

Configuring a PKI Credential Mapping Provider

PKI Credential Mapper Attributes

Creating PKI Credential Mappings

Credential Actions

Configuring a SAML Credential Mapping Provider

SAML Authority Configuration

Source Site Configuration

POST Profile Configuration

Artifact Profile Configuration

Produced Assertion Configuration

Example of Produced Assertion Configuration

Configuring the Credential Lookup and Validation Framework

CertPath Provider

Certificate Registry

Configuring a WebLogic Keystore Provider

Configuring Authentication Providers

Choosing an Authentication Provider

Using More than One Authentication Provider

Setting the JAAS Control Flag Option

Changing the Order of Authentication Providers

Configuring the WebLogic Authentication Provider

Configuring LDAP Authentication Providers

Requirements for Using an LDAP Authentication Provider

Accessing Other LDAP Servers

Configuring Failover for LDAP Authentication Providers

LDAP Failover Example 1

LDAP Failover Example 2

Improving the Performance of WebLogic and LDAP Authentication Providers

Optimizing the Group Membership Caches

Configuring Dynamic Groups in the iPlanet Authentication Provider to Improve Performance

Optimizing the Principal Validator Cache

Configuring the Active Directory Authentication Provider to Improve Performance

Configuring RDBMS Authentication Providers

Common RDBMS Authentication Provider Attributes

Data Source Attribute

Group Searching Attributes

Group Caching Attributes

Configuring the SQL Authenticator

Password Attributes

SQL Statement Attributes

Configuring the Read-Only SQL Authenticator

Configuring the Custom DBMS Authenticator

Plug-In Class Attributes

Configuring a Windows NT Authentication Provider

Domain Controller Settings

LogonType Setting

UPN Names Settings

Configuring Identity Assertion Providers

How an LDAP X509 Identity Assertion Provider Works

Configuring an LDAP X509 Identity Assertion Provider: Main Steps

Configuring a Negotiate Identity Assertion Provider

Configuring a SAML Identity Assertion Provider

POST and ARTIFACT Profiles

SAML Destination Site Configuration

Limiting the Re-use of Assertions

Certificate Registry

Consumed Assertion Configuration

Example of Consumed Assertion Configuration

Ordering of Identity Assertion for Servlets

Configuring Identity Assertion Performance in the Server Cache

Configuring a User Name Mapper

Configuring a Custom User Name Mapper

Configuring Single Sign-On with Microsoft Clients

Single Sign-on with Microsoft Clients: Main Steps

System Requirements for SSO with Microsoft Clients

Configuring your Network Domain to Use Kerberos

Creating a Kerberos Identification for WebLogic Server

Configuring Microsoft Clients to Use Windows Integrated Authentication

Configuring a .NET Web Service

Configuring an Internet Explorer Browser

Configure Local Intranet Domains

Configure Intranet Authentication

Verify the Proxy Settings

Set Integrated Authentication for Internet Explorer 6.0

Creating a JAAS Login File

Configuring the Identity Assertion Provider

Startup Arguments for Using Kerberos Authentication with WebLogic Server

Verifying that SSO with Microsoft Clients Works

Configuring Single Sign-On with Web Browsers and HTTP Clients

Overview of SAML-Based Single Sign-On

Single Sign-on with SAML: Main Steps

Configuring a SAML Source Site for Single Sign-On

Configure SAML Authority Attributes

Configure Source Site Attributes

Configure Supported Profiles

Configure Produced Assertions

Configuring a SAML Destination Site for Single Sign-On

Configure Supported Profiles

Configure Consumed Assertions

Migrating Security Data

Overview of Security Data Migration

Migration Concepts

Formats and Constraints Supported by the WebLogic Security Providers

Migrating Data Using WLST

Migrating Data Using weblogic.admin

Managing the Embedded LDAP Server

Configuring the Embedded LDAP Server

Embedded LDAP Server Replication

Viewing the Contents of the Embedded LDAP Server from an LDAP Browser

Exporting and Importing Information in the Embedded LDAP Server

LDAP Access Control Syntax

The Access Control File

Access Control Location

Access Control Scope

Access Rights

Attribute Permissions

Entry Permissions

Attributes Types

Subject Types

Grant/Deny Evaluation Rules

Configuring Identity and Trust

Private Keys, Digital Certificates, and Trusted Certificate Authorities

Configuring Identity and Trust: Main Steps

Supported Formats for Identity and Trust

Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authorities

Common Keytool Commands

Using the CertGen Utility

Using Your Own Certificate Authority

Converting a Microsoft p7b Format to PEM Format

Obtaining a Digital Certificate for a Web Browser

Using Certificate Chains (Deprecated)

Storing Private Keys, Digital Certificates, and Trusted Certificate Authorities

Guidelines for Using Keystores

Creating a Keystore and Loading Private Keys and Trusted Certificate Authorities into the Keystore

How WebLogic Server Locates Trust

Configuring Keystores For Production

Configuring SSL

SSL: An Introduction

One-Way and Two-Way SSL

Setting Up SSL: Main Steps

Using Host Name Verification

Enabling SSL Debugging

SSL Session Behavior

Configuring RMI over IIOP with SSL

SSL Certificate Validation

Controlling the Level of Certificate Validation

Checking Certificate Chains

Troubleshooting Problems with Certificate Validation

Enabling SSL Debugging

Using Certificate Lookup and Validation Providers

Using the nCipher JCE Provider with WebLogic Server

Specifying the Version of the SSL Protocol

Configuring Security for a WebLogic Domain

Enabling Trust Between WebLogic Server Domains

Using Connection Filters

Using the Java Authorization Contract for Containers

Viewing MBean Attributes

How Passwords are Protected in WebLogic Server

Protecting User Accounts

Using Compatibility Security

Running Compatibility Security: Main Steps

Compatibility Security MBeans

The Default Security Configuration in the CompatibilityRealm

Configuring a Realm Adapter Authentication Provider

Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider

Configuring a Realm Adapter Auditing Provider

Protecting User Accounts in Compatibility Security

Accessing 6.x Security from Compatibility Security

Security Configuration MBeans

SSLMBean

ServerMBean

EmbeddedLDAPMBean

SecurityMBean

SecurityConfigurationMBean

RealmMBean

WindowsNTAuthenticatorMBean

CustomDBMSAuthenticatorMBean

ReadonlySQLAuthenticatorMBean

SQLAuthenticatorMBean

DefaultAuditorMBean

Compatibility Security MBeans

UserLockoutManagerMBean

Other Security Provider MBeans

 
