Securing Oracle Coherence in Oracle WebLogic Server

7 Securing Oracle Coherence in Oracle WebLogic Server

Authentication and authorization can be used to secure Coherence in an Oracle WebLogic Server domain.

This chapter includes the following sections:

Overview of Securing Oracle Coherence in Oracle WebLogic Server
Several security features are used to secure cluster members, caches and services, and extend clients when deploying Coherence within an Oracle WebLogic Server domain.
Securing Coherence using SSL/TLS
You can use SSL/TLS to secure Managed Coherence servers in a WebLogic Server domain. WebLogic Server will create Java keystores for identity and trust and create a Coherence socket provider configuration that Coherence will be configured to use.
Securing Oracle Coherence Cluster Membership
The Oracle Coherence security framework (access controller) can be enabled within a Oracle WebLogic Server domain to secure access to cluster resources and operations. The access controller provides authorization and uses encryption/decryption between cluster members to validate trust.
Authorizing Oracle Coherence Caches and Services
Oracle WebLogic Server authorization can be used to secure Oracle Coherence resources that run within a domain. In particular, different roles and policies can be created to control access to caches and services.
Securing Extend Client Access with Identity Tokens
Identity tokens are used to protect against unauthorized access to an Oracle Coherence cluster through an Oracle Coherence proxy server. Identity tokens are used by local (within WebLogic Server) extend clients and remote (outside of WebLogic Server) Java, C++, and .NET extend clients.

Overview of Securing Oracle Coherence in Oracle WebLogic Server

Several security features are used to secure cluster members, caches and services, and extend clients when deploying Coherence within an Oracle WebLogic Server domain. The default security configuration allows any server to join a cluster and any extend client to access a cluster's resources.

The following security features should be configured to protect against unauthorized use of a cluster:

SSL/TLS - enables SSL/TLS for Coherence cluster member connections
Coherence access controllers - provides authorization between cluster members
WebLogic Server authorization - provides authorization to Oracle Coherence caches and services
Coherence identity tokens - provides authentication for extend clients

Much of the security for Oracle Coherence in a Oracle WebLogic Server domain reuses existing security capabilities. Knowledge of these existing security components is assumed. References are provided in this documentation to existing content where applicable.

Parent topic: Securing Oracle Coherence in Oracle WebLogic Server

Securing Coherence using SSL/TLS

You can use SSL/TLS to secure Managed Coherence servers in a WebLogic Server domain. WebLogic Server will create Java keystores for identity and trust and create a Coherence socket provider configuration that Coherence will be configured to use.

By default, WebLogic Server will configure managed Coherence servers to use mTLS authentication, but these settings can be overridden.

You can only use WebLogic Server to configure SSL/TLS for cluster membership, or globally for all Coherence sockets. There is no way to configure individual Coherence services, such as Extend proxies and client, gRPC proxies and client, federation, and so on. If you need to configure these services differently, see Using SSL/TLS to Secure Communication.

Extended Usage Certificates
If certificates with extended usage are used, it is important to understand how this affects the different SSL/TLS configuration choices available for Coherence.
Configure Coherence Cluster Traffic Using mTLS
Coherence clusters form a peer-to-peer network where each JVM is both a server receiving connections from other cluster members, and a client connecting to other cluster members. You can configure Coherence cluster peer-to-peer communication to use SSL/TLS in a WebLogic Server domain using either WebLogic Remote Console or a WLST script.
Configure Coherence Cluster Traffic Using One-Way SSL/TLS
In one-way SSL/TLS, a client authenticates a server certificate, but the server does not receive a certificate from the client, so the client is anonymous. You can configure Coherence cluster traffic to use one-way SSL/TLS in a WebLogic Server domain using either WebLogic Remote Console or a WLST script.
Using a Custom Coherence Operational Configuration File
As WebLogic Server only supports a limited subset of Coherence configuration options, occasionally, you may require a custom Coherence operational configuration file (also known as an override file).
Configure the Coherence Global Socket Provider
WebLogic Server allows you to configure the Coherence global socket provider. The global socket provider can be either the WebLogic Server generated socket provider or a socket provider from the Coherence operational configuration. This may require importing a custom operational configuration file.
WebLogic Server Secured Production Mode
When a WebLogic Server domain is in secured production mode, then, by default, Coherence will be configured to use the WebLogic Server socket provider as the global socket provider. The default WebLogic socket provider is configured for mTLS. If you do not require mTLS, then the Coherence configuration can be overridden using WebLogic Remote Console or a WLST script.

Parent topic: Securing Oracle Coherence in Oracle WebLogic Server

Extended Usage Certificates

If certificates with extended usage are used, it is important to understand how this affects the different SSL/TLS configuration choices available for Coherence.

By default, WebLogic will configure Coherence to use mTLS, so the extend usage for any certificates must include both serverAuth and clientAuth. If only serverAuth certificates are available, Coherence must be configured to use one-way SSL/TLS as described in Configure Coherence Cluster Traffic Using One-Way SSL/TLS.

Parent topic: Securing Coherence using SSL/TLS

Configure Coherence Cluster Traffic Using mTLS

Coherence clusters form a peer-to-peer network where each JVM is both a server receiving connections from other cluster members, and a client connecting to other cluster members. You can configure Coherence cluster peer-to-peer communication to use SSL/TLS in a WebLogic Server domain using either WebLogic Remote Console or a WLST script.

Configure mTLS for Cluster Traffic Using WebLogic Remote Console

In the Edit Tree, go to Environment, then Coherence Clusters.
Click the Coherence cluster that you want to edit.
On the General tab, from the Transport drop-down list, select SSL. Or, if you want to use datagram as the transport instead of TCMP, then select SSLUDP instead.
Click Save.

Configure mTLS for Cluster Traffic Using WLST Script

To configure Coherence to use mTLS for cluster membership using WLST, use the following script:

Note:

In the script below, replace:

DOMAIN_HOME with the path to your WebLogic Server domain home.
defaultCoherenceCluster with the name of your Coherence cluster.

readDomain('DOMAIN_HOME')
cd('CoherenceClusterSystemResource/CoherenceCluster/CoherenceResource/defaultCoherenceCluster/CoherenceClusterParams/NO_NAME_0')
set('Transport', 'ssl')
updateDomain()
closeDomain()

Parent topic: Securing Coherence using SSL/TLS

Configure Coherence Cluster Traffic Using One-Way SSL/TLS

In one-way SSL/TLS, a client authenticates a server certificate, but the server does not receive a certificate from the client, so the client is anonymous. You can configure Coherence cluster traffic to use one-way SSL/TLS in a WebLogic Server domain using either WebLogic Remote Console or a WLST script.

Configure One-Way SSL for Cluster Traffic Using WebLogic Remote Console

In the Edit Tree, go to Environment, then Coherence Clusters.
Click the Coherence cluster that you want to edit.
On the General tab, from the Transport drop-down list, select SSL. Or, if you want to use datagram as the transport instead of TCMP, then select SSLUDP instead.
Click Save.
On the Security tab, from the Client Authentication Mode drop-down list, select none.
Click Save.

Configure One-Way for Cluster Traffic SSL Using WLST Script

To configure Coherence to use one-way SSL/TLS for cluster traffic using WLST, use the following script:

Note:

In the script below, replace:

DOMAIN_HOME with the path to your WebLogic Server domain home.
defaultCoherenceCluster with the name of your Coherence cluster.

readDomain('DOMAIN_HOME')
cd('CoherenceClusterSystemResource/defaultCoherenceCluster/CoherenceResource/defaultCoherenceCluster/CoherenceClusterParams/NO_NAME_0')
create("cohKS","CoherenceKeystoreParams")
cd('CoherenceKeystoreParams/NO_NAME_0')
set('Transport', 'ssl')
set('CoherenceClientAuth','none')
updateDomain()
closeDomain()

Parent topic: Securing Coherence using SSL/TLS

Using a Custom Coherence Operational Configuration File

As WebLogic Server only supports a limited subset of Coherence configuration options, occasionally, you may require a custom Coherence operational configuration file (also known as an override file).

A custom operational configuration file can be imported using either WebLogic Remote Console or a WLST script.

Before you can import the custom Coherence operational configuration file, you must make sure that the file exists on the Administration Server and is readable. When you import the operational configuration file, a copy of the file is placed in the DOMAIN_HOME/config/coherence/CoherenceClusterName directory, where CoherenceClusterName is a placeholder that represents the actual name of the Coherence cluster.

Import a Custom Operational Configuration File Using WebLogic Remote Console

In the Edit Tree, go to Environment, then Coherence Clusters.
Click the Coherence cluster that you want to edit.
On the General tab, click the Import Configuration button.
Enter the full path to a custom Coherence operational configuration file that is on the Administration Server.
Click Save.

Set a Custom Operational Configuration File Using a WLST Script

The file name is the relative path to the domain home. In the example below, if the full path of the operational configuration file is /ORACLE_HOME/user_projects/domains/base_domain/config/coherence/defaultCoherenceCluster/mySSLOverride.xml, the file name would be config/coherence/defaultCoherenceCluster/mySSLOverride.xml.

Use the following WLST script to configure a custom Coherence operational configuration file.

Note:

In the script below, replace:

DOMAIN_HOME with the path to your WebLogic Server domain home.
defaultCoherenceCluster with the name of your Coherence cluster.
sslSocketProviderName with the name of the socket provider.

readDomain('DOMAIN_HOME')
cd('CoherenceClusterSystemResource/defaultCoherenceCluster/CoherenceResource/defaultCoherenceCluster')
set('CustomClusterConfigurationFileName', 'config/coherence/defaultCoherenceCluster/mySSLOverride.xml')
cd('CoherenceClusterParams/NO_NAME_0')
set('GlobalSocketProvider','sslSocketProviderName')
updateDomain()
closeDomain()

Parent topic: Securing Coherence using SSL/TLS

Configure the Coherence Global Socket Provider

WebLogic Server allows you to configure the Coherence global socket provider. The global socket provider can be either the WebLogic Server generated socket provider or a socket provider from the Coherence operational configuration. This may require importing a custom operational configuration file.

See Specifying a Global Socket Provider and Using a Custom Coherence Operational Configuration File.

Set the WebLogic Server Socket Provider as the Global Socket Provider in WebLogic Remote Console

In the Edit Tree, go to Environment, then Coherence Clusters.
Click the Coherence cluster that you want to edit.
On the Security tab, enable the Secured Production option.
Click Save.

The name of the WebLogic Server socket provider will automatically be inserted into the Global Socket Provider field.

Set WebLogic Socket Provider as the Global Socket Provider Using a WLST Script

Use the following WLST script to configure the WebLogic Server socket provider as the Coherence global socket provider.

Note:

In the script below, replace:

DOMAIN_HOME with the path to your WebLogic Server domain home.
defaultCoherenceCluster with the name of your Coherence cluster.

readDomain('DOMAIN_HOME')
cd('CoherenceClusterSystemResource/defaultCoherenceCluster/CoherenceResource/defaultCoherenceCluster/CoherenceClusterParams/NO_NAME_0')
set('SecuredProduction', 'true')
updateDomain()
closeDomain()

Set a Custom Socket Provider as the Global Socket Provider in WebLogic Remote Console

You can configure Coherence to use a custom socket provider as the global socket provider using WebLogic Remote Console. The named socket provider must be configured in the Coherence operational configuration.

In the Edit Tree, go to Environment, then Coherence Clusters.
Click the Coherence cluster that you want to edit.
On the Security tab, enter the name of the custom socket provider in the Global Socket Provider field.
Click Save.

Set a Custom Socket Provider as the Global Socket Provider Using WLST Script

You can configure Coherence to use a custom socket provider as the global socket provider using WLST. The named socket provider must be configured in the Coherence operational configuration.

Use the following WLST script to set the name of the Coherence global socket provider.

Note:

In the script below, replace:

DOMAIN_HOME with the path to your WebLogic Server domain home.
defaultCoherenceCluster with the name of your Coherence cluster.
sslSocketProviderName with the name of the socket provider.

readDomain('DOMAIN_HOME')
cd('CoherenceClusterSystemResource/defaultCoherenceCluster/CoherenceResource/defaultCoherenceCluster/CoherenceClusterParams/NO_NAME_0')
set('Transport', 'ssl')
set('GlobalSocketProvider', 'sslSocketProviderName')
updateDomain()
closeDomain()

Parent topic: Securing Coherence using SSL/TLS

WebLogic Server Secured Production Mode

When a WebLogic Server domain is in secured production mode, then, by default, Coherence will be configured to use the WebLogic Server socket provider as the global socket provider. The default WebLogic socket provider is configured for mTLS. If you do not require mTLS, then the Coherence configuration can be overridden using WebLogic Remote Console or a WLST script.

For general information on secured production mode in WebLogic Server, see Understand How Domain Mode Affects the Default Security Configuration in Securing a Production Environment for Oracle WebLogic Server.

Configure Coherence for One-Way SSL/TLS in Secured Production Mode
If the WebLogic Server domain is in secured production mode, where the WebLogic Server socket provider defaults to mTLS, you can configure Coherence to use one-way SSL/TLS instead using WebLogic Remote Console or a WLST script.
Disable Coherence SSL/TLS in Secured Production Mode
If the WebLogic Server domain is in secured production mode but you need Coherence to run with plain TCP, then you can configure this behavior using WebLogic Remote Console or a WLST script.

Parent topic: Securing Coherence using SSL/TLS

Configure Coherence for One-Way SSL/TLS in Secured Production Mode

If the WebLogic Server domain is in secured production mode, where the WebLogic Server socket provider defaults to mTLS, you can configure Coherence to use one-way SSL/TLS instead using WebLogic Remote Console or a WLST script.

Configure Coherence for One-Way SSL/TLS Using WebLogic Remote Console

In the Edit Tree, go to Environment, then Coherence Clusters.
Click the Coherence cluster that you want to edit.
On the Security tab, from the Client Authentication Mode drop-down list, select none.
Click Save.

Configure Coherence for One-Way SSL/TLS Using WLST Script

Use the following script to configure Coherence to use one-way SSL/TLS.

Note:

In the script below, replace:

DOMAIN_HOME with the path to your WebLogic Server domain home.
defaultCoherenceCluster with the name of your Coherence cluster.

readDomain('DOMAIN_HOME')
cd('CoherenceClusterSystemResource/defaultCoherenceCluster/CoherenceResource/defaultCoherenceCluster/CoherenceClusterParams/NO_NAME_0')
create("cohKS","CoherenceKeystoreParams")
cd('CoherenceKeystoreParams/NO_NAME_0')
set('CoherenceClientAuth','none')
updateDomain()
closeDomain()

Parent topic: WebLogic Server Secured Production Mode

Disable Coherence SSL/TLS in Secured Production Mode

If the WebLogic Server domain is in secured production mode but you need Coherence to run with plain TCP, then you can configure this behavior using WebLogic Remote Console or a WLST script.

Note:

If you disable secured production mode in Coherence, it only affects Coherence and does not affect the broader aspects of secured production mode in WebLogic Server.

Disable Coherence SSL/TLS in Secured Production Mode Using WebLogic Remote Console

In the Edit Tree, go to Environment, then Coherence Clusters.
Click the Coherence cluster that you want to edit.
On the Security tab, turn off the Secured Production option.
Click Save.

Disable Coherence SSL/TLS in Secured Production Mode Using a WLST Script

Use the following script to configure Coherence to use plain TCP.

Note:

In the script below, replace:

DOMAIN_HOME with the path to your WebLogic Server domain home.
defaultCoherenceCluster with the name of your Coherence cluster.

readDomain('DOMAIN_HOME')
cd('CoherenceClusterSystemResource/defaultCoherenceCluster/CoherenceResource/defaultCoherenceCluster/CoherenceClusterParams/NO_NAME_0')
set('SecuredProduction', 'false')
updateDomain()
closeDomain()

Parent topic: WebLogic Server Secured Production Mode

Securing Oracle Coherence Cluster Membership

The Oracle Coherence security framework (access controller) can be enabled within a Oracle WebLogic Server domain to secure access to cluster resources and operations. The access controller provides authorization and uses encryption/decryption between cluster members to validate trust. See Overview of Using an Access Controller.

In Oracle WebLogic Server, access controllers use a managed Coherence server's keystore to establish a caller's identity between Oracle Coherence cluster members. The Demo Identity keystore is used by default and contains a default SSL identity (DemoIdentity). The default keystore and identity require no setup and are ideal during development and testing. Specific keystores and identities should be created for production environments. See Configuring Keystores in Administering Security for Oracle WebLogic Server.

This section includes the following topics:

Parent topic: Securing Oracle Coherence in Oracle WebLogic Server

Enabling the Oracle Coherence Security Framework

To enable the security framework in an Oracle WebLogic Server domain using WebLogic Remote Console:

In the Edit Tree, go to Environment, then Coherence Clusters.
Click the Coherence cluster that you want to edit, then select the Security tab.
Turn on the Security Framework Enabled option.
Click Save.

Parent topic: Securing Oracle Coherence Cluster Membership

Specifying an Identity for Use by the Security Framework

The Oracle Coherence security framework requires a principal (identity) when performing authentication. The SSL Demo Identity keystore is used by default and contains a default SSL identity (DemoIdentity). The SSL Demo keystore and identity are typically used during development. For production environments, you should create an SSL keystore and identity. For example, use the Java keytool utility to create a keystore that contains an admin identity:

keytool -genkey -v -keystore ./keystore.jks -storepass password -alias admin
-keypass password -dname CN=Administrator,O=MyCompany,L=MyCity,ST=MyState

Note:

If you create an SSL keystore and identity, you must configure Oracle WebLogic Server to use that SSL keystore and identity. In addition, the same SSL identity must be located in the keystore of every managed Coherence server in the cluster. Use the Keystores and SSL tabs on the Environment: Servers: myServer: Security tab for a managed Coherence server to configure a keystore and identity.

To override the default SSL identity and specify an identity for use by the security framework:

In the Edit Tree, go to Environment, then Coherence Clusters.
Click the Coherence cluster that you want to edit, then select the Security tab.
Make sure the Security Framework Enabled option is enabled.
Optional: Turn on the Global Socket Provider option. If you enable this option, Coherence uses the Oracle WebLogic Server's SSL as its global socket provider. For more information about configuring global SSL socket provider for Coherence, see Configuring a Cluster-Side Extend Proxy SSL Socket Provider.
In the Client Authentication Mode field, specify the client authentication mode for SSL. The valid values are:
- none
- required
- wanted
The default value is none.
In the Private Key Pass Phrase field, enter the password for the identity.
Click Save.

Parent topic: Securing Oracle Coherence Cluster Membership

Authorizing Oracle Coherence Caches and Services

Oracle WebLogic Server authorization can be used to secure Oracle Coherence resources that run within a domain. In particular, different roles and policies can be created to control access to caches and services. Authorization is enabled by default and the default authorization policy gives all users access to all Oracle Coherence resources. See Overview of Securing WebLogic Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server.

Authorization roles and policies are explicitly configured for caches and services. You must know the cache names and service names that are to be secured. In some cases, inspecting the cache configuration file may provide the cache names and service names. However, because of wildcard support for cache mappings in Oracle Coherence, you may need to consult an application developer or architect that knows the cache names being used by an application. For example, a cache mapping in the cache configuration file could use a wildcard (such as * or dist-*) and does not indicate the name of the cache that is actually used in the application.

Note:

Deleting a service or cache resource does not delete roles and policies that are defined for the resource. Roles and policies must be explicitly deleted before deleting a service or cache resource.

This section includes the following topics:

Parent topic: Securing Oracle Coherence in Oracle WebLogic Server

Specifying Cache Authorization

Oracle WebLogic Server authorization can be used to restrict access to specific Oracle Coherence caches. To specify cache authorization:

In the Edit Tree, go to Environment, then Coherence Clusters, then myCoherenceCluster, then Coherence Caches.
Click New.
In the Name field, enter a name for the Coherence cache. The name of the cache must exactly match the name of the cache used in an application.
Click Create and commit your changes.
Define security roles and policies that are scoped to the Coherence cache. See Create a Scoped Role in Oracle WebLogic Remote Console Online Help.
For example, you can create a policy that allows specific users to access the cache. The users can be selected based on their membership in a global role, or a Coherence-specific scoped role can be created and used to define which users can access the cache. See Overview of Securing WebLogic Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server.

Parent topic: Authorizing Oracle Coherence Caches and Services

Specifying Service Authorization

Oracle WebLogic Server authorization can be used to restrict access to Oracle Coherence services. Specifying authorization on a cache service (for example a distributed cache service) affects access to all the caches that are created by that service.

To specify service authorization:

In the Edit Tree, go to Environment, then Coherence Clusters, then myCoherenceCluster, then Coherence Services.
Click New.
In the Name field, enter a name for the Coherence service. The name of the service must exactly match the name of the service used in an application.

Note:

The exact name must include the scope name as a prefix to the service name. The scope name can be explicitly defined in the cache configuration file or, more commonly, taken from the deployment module name. For example, if you deploy a GAR named contacts.gar that defines a service named ContactsService, then the exact service name is contacts:ContactsService.
Click Create and commit your changes.
Define security roles and policies that are scoped to the Coherence service. See Create a Scoped Role in Oracle WebLogic Remote Console Online Help.
For example, you can create a policy that allows specific users to access the service. The users can be selected based on their membership in a global role, or a Coherence-specific scoped role can be created and used to define which users can access the service. See Overview of Securing WebLogic Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server.

Parent topic: Authorizing Oracle Coherence Caches and Services

Securing Extend Client Access with Identity Tokens

Identity tokens are used to protect against unauthorized access to an Oracle Coherence cluster through an Oracle Coherence proxy server. Identity tokens are used by local (within WebLogic Server) extend clients and remote (outside of WebLogic Server) Java, C++, and .NET extend clients.

Only clients that pass a valid identity token are permitted to access cluster services. If a null identity token is passed (a client connecting without being within the scope of a Subject), then the client is treated as an Oracle WebLogic Server anonymous user. The extend client is able to access caches and services that the anonymous user can access.

Note:

Upon establishing and identity, an authorization policy should be used to restrict that identity to specific caches and services. See Authorizing Oracle Coherence Caches and Services.

Identity token security requires an identity transformer implementation that creates an identity token and an identity asserter implementation that validates the identity token. A default identity transformer implementation (DefaultIdentityTransformer) and identity asserter implementation (DefaultIdentityAsserter) are provided. The default implementations use a Subject or Principal as the identity token. However, custom implementations can be created as required to support any security token type (for example, to support Kerberos tokens). See Using Identity Tokens to Restrict Client Connections.

This section includes the following topics:

Parent topic: Securing Oracle Coherence in Oracle WebLogic Server

Enabling Identity Transformers for Use in Oracle WebLogic Server

An identity transformer associates an identity token with an identity. For local (within Oracle WebLogic Server) extend clients, the default identity transformer cannot be replaced. The default identity transformer passes a token of type weblogic.security.acl.internal.AuthenticatedSubject representing the current Oracle WebLogic Server user.

For remote (outside of Oracle WebLogic Server) extend clients, the identity transformer implementation class must be included as part of the application's classpath and the fully qualified name of the implementation class must be defined in the client operational override file. See Enabling a Custom Identity Transformer. The following example enables the default identity transformer:

...
<security-config>
   <identity-transformer>
      <class-name>
         com.tangosol.net.security.DefaultIdentityTransformer</class-name>
   </identity-transformer>
</security-config>
...

Remote extend clients must execute cache operations within the Subject.doAS method. For example,

Principal principal = new WLSUserImpl("user");
Subject subject = new Subject();
subject.getPrincipals().add(principal);

Subject.doAs(subject, new PrivilegedExceptionAction()
   {
      NamedCache cache = CacheFactory.getCache("mycache");
      ...

Parent topic: Securing Extend Client Access with Identity Tokens

Enabling Identity Asserters for Use in Oracle WebLogic Server

Identity asserters must be enabled for an Oracle Coherence cluster and are used to assert (validate) a client's identity token. For local (within Oracle WebLogic Server) extend clients, an identity asserter is already enabled for asserting a token of type weblogic.security.acl.internal.AuthenticatedSubject.

For remote (outside of Oracle WebLogic Server) extend clients, a custom identity asserter implementation class must be packaged in a GAR. However, an identity asserter is not required if the remote extend client passes null as the token. If the proxy service receives a non-null token and there is no identity asserter implementation class configured, a SecurityException is thrown and the connection attempt is rejected.

You can use WebLogic Remote Console or WLST to enable an identity asserter for a cluster.

If using WebLogic Remote Console, perform the following steps:
1. In the Edit Tree, go to Environment, then Coherence Clusters, then myCoherenceCluster, then Coherence Identity Asserter.
2. In the Class Name field, enter the fully qualified name of the asserter class. For example, to use the default identity asserter, enter com.tangosol.net.security.DefaultIdentityAsserter.
3. Click Save.
4. If there are any arguments, open the Identity Asserter Constructor Arguments node and click New to add class constructor arguments.
5. Click Save and then commit your changes.

If using WLST, perform the following steps:

Invoke WLST and connect to the domain. Then, configure an identity asserter. Use the script below as an example:

In the script below, replace:

DOMAIN_HOME with the path to your WebLogic Server domain home.
defaultCoherenceCluster with the name of your Coherence cluster.

readDomain('DOMAIN_HOME')
cd('CoherenceClusterSystemResource/defaultCoherenceCluster/CoherenceResource/defaultCoherenceCluster/CoherenceClusterParams/NO_NAME_0')
set('SecurityFrameworkEnabled', 'true')
cd('CoherenceIdentityAsserter/NO_NAME_0')
set('ClassName',"com.tangosol.net.security.DefaultIdentityAsserter")
updateDomain()
closeDomain()

Restart the cluster servers or redeploy the GAR for the changes to take effect.

Parent topic: Securing Extend Client Access with Identity Tokens