Securing WebLogic Server
Introduction and Roadmap
Document Scope
Document Audience
Guide to This Document
Related Information
Security Samples and Tutorials
Security Examples in the WebLogic Server Distribution
New and Changed Security Features
Overview of Security Management
Security Realms in WebLogic Server
Security Providers
Security Policies and WebLogic Resources
WebLogic Resources
Deployment Descriptors and the WebLogic Server Administration Console
The Default Security Configuration in WebLogic Server
Configuring WebLogic Security: Main Steps
Methods of Configuring Security
What Is Compatibility Security?
Management Tasks Available in Compatibility Security
Customizing the Default Security Configuration
Why Customize the Default Security Configuration?
Before You Create a New Security Realm
Creating and Configuring a New Security Realm: Main Steps
Configuring WebLogic Security Providers
When Do You Need to Configure a Security Provider?
Reordering Security Providers
Configuring an Authorization Provider
Configuring the WebLogic Adjudication Provider
Configuring a Role Mapping Provider
Configuring the WebLogic Auditing Provider
Auditing ContextHandler Elements
Configuration Auditing
Enabling Configuration Auditing
Configuration Auditing Messages
Audit Events and Auditing Providers
Configuring a WebLogic Credential Mapping Provider
Configuring a PKI Credential Mapping Provider
PKI Credential Mapper Attributes
Credential Actions
Configuring a SAML Credential Mapping Provider for SAML 1.1
Configuring Assertion Lifetime
Relying Party Registry
Configuring a SAML 2.0 Credential Mapping Provider for SAML 2.0
SAML 2.0 Credential Mapping Provider Attributes
Service Provider Partners
Partner Lookup Strings Required for Web Service Partners
Management of Partner Certificates
Java Interface for Configuring Service Provider Partner Attributes
Configuring the Certificate Lookup and Validation Framework
CertPath Provider
Certificate Registry
Configuring a WebLogic Keystore Provider
Configuring Authentication Providers
Choosing an Authentication Provider
Using More Than One Authentication Provider
Setting the JAAS Control Flag Option
Changing the Order of Authentication Providers
Configuring the WebLogic Authentication Provider
Configuring LDAP Authentication Providers
Requirements for Using an LDAP Authentication Provider
Configuring an LDAP Authentication Provider: Main Steps
Accessing Other LDAP Servers
Dynamic Groups and WebLogic Server
Configuring Failover for LDAP Authentication Providers
Improving the Performance of WebLogic and LDAP Authentication Providers
Optimizing the Group Membership Caches
Configuring Dynamic Groups in the iPlanet Authentication Provider to Improve Performance
Optimizing the Principal Validator Cache
Configuring the Active Directory Authentication Provider to Improve Performance
Configuring RDBMS Authentication Providers
Common RDBMS Authentication Provider Attributes
Configuring the SQL Authentication Provider
Configuring the Read-Only SQL Authenticator
Configuring the Custom DBMS Authenticator
Configuring a Windows NT Authentication Provider
Domain Controller Settings
LogonType Setting
UPN Names Settings
Configuring the SAML Authentication Provider
Configuring the Password Validation Provider
Password Composition Rules for the Password Validation Provider
Using the Password Validation Provider with the WebLogic Authentication Provider
Using WLST to Create and Configure the Password Validation Provider
Creating an Instance of the Password Validation Provider
Specifying the Password Composition Rules
Configuring Identity Assertion Providers
How an LDAP X509 Identity Assertion Provider Works
Configuring an LDAP X509 Identity Assertion Provider: Main Steps
Configuring a Negotiate Identity Assertion Provider
Configuring a SAML Identity Assertion Provider for SAML 1.1
Configuring a SAML 2.0 Identity Assertion Provider for SAML 2.0
Partner Lookup Strings Required for Web Service Partners
Management of Partner Certificates
Java Interface for Configuring Identity Provider Partner Attributes
Ordering of Identity Assertion for Servlets
Configuring Identity Assertion Performance in the Server Cache
Configuring a User Name Mapper
Configuring a Custom User Name Mapper
Configuring Single Sign-On with Microsoft Clients
Overview of Single Sign-On with Microsoft Clients
System Requirements for SSO with Microsoft Clients
Single Sign-On with Microsoft Clients: Main Steps
Configuring Your Network Domain to Use Kerberos
Creating a Kerberos Identification for WebLogic Server
Configuring Microsoft Clients to Use Windows Integrated Authentication
Configuring a .NET Web Service
Configuring an Internet Explorer Browser
Configure Local Intranet Domains
Configure Intranet Authentication
Set Integrated Authentication for Internet Explorer 6.0
Creating a JAAS Login File
Configuring the Identity Assertion Provider
Using Startup Arguments for Kerberos Authentication with WebLogic Server
Verifying Configuration of SSO with Microsoft Clients
Configuring Single Sign-On with Web Browsers and HTTP Clients
Configuring SAML 1.1 Services
Enabling Single Sign-on with SAML 1.1: Main Steps
Configuring a Source Site: Main Steps
Configuring a Destination Site: Main Steps
Configuring a SAML 1.1 Source Site for Single Sign-On
Configure the SAML 1.1 Credential Mapping Provider
Configure the Source Site Federation Services
Replacing the Default Assertion Store
Configuring a SAML 1.1 Destination Site for Single Sign-On
Configure SAML Identity Assertion Provider
Configure Destination Site Federation Services
Enable the SAML Destination Site
Configure SSL for the Assertion Consumer Service
Add SSL Client Identity Certificate
Configure Single-Use Policy and the Used Assertion Cache or Custom Assertion Cache
Configure Recipient Check for POST Profile
Configure Source Site ITS Parameters
Configuring Relying and Asserting Parties with WLST
Configuring SAML 2.0 Services
Configuring SAML 2.0 Services: Main Steps
Configuring SAML 2.0 General Services
About SAML 2.0 General Services
Publishing and Distributing the Metadata File
Configuring an Identity Provider Site for SAML 2.0 Single Sign-On
Configure the SAML 2.0 Credential Mapping Provider
Configure SAML 2.0 Identity Provider Services
Enable the SAML 2.0 Identity Provider Site
Specify a Custom Login Web Application
Publish Your Site's Metadata File
Create and Configure Web Single Sign-On Service Provider Partners
Obtain Your Service Provider Partner's Metadata File
Create Partner and Enable Interactions
Configure How Assertions are Generated
Configure How Documents Are Signed
Configure Artifact Binding and Transport Settings
Configuring a Service Provider Site for SAML 2.0 Single Sign-On
Configure the SAML 2.0 Identity Assertion Provider
Configure the SAML Authentication Provider
Configure SAML 2.0 General Services
Configure SAML 2.0 Service Provider Services
Enable the SAML 2.0 Service Provider Site
Specify How Documents Must Be Signed
Specify How Authentication Requests Are Managed
Create and Configure Web Single Sign-On Identity Provider Partners
Obtain Your Identity Provider Partner's Metadata File
Create Partner and Enable Interactions
Configure Authentication Requests and Assertions
Configure Binding and Transport Settings
Viewing Partner Site, Certificate, and Service Endpoint Information
Web Application Deployment Considerations for SAML 2.0
Deployment Descriptor Recommendations
Use of relogin-enabled with CLIENT-CERT Authentication
Use of Non-default Cookie Name
Login Application Considerations for Clustered Environments
Migrating Security Data
Overview of Security Data Migration
Migration Concepts
Formats and Constraints Supported by WebLogic Security Providers
Migrating Data with WLST
Migrating Data Using weblogic.admin
Managing the Embedded LDAP Server
Configuring the Embedded LDAP Server
Embedded LDAP Server Replication
Viewing the Contents of the Embedded LDAP Server from an LDAP Browser
Exporting and Importing Information in the Embedded LDAP Server
LDAP Access Control Syntax
The Access Control File
Access Control Location
Access Control Scope
Access Rights
Attribute Types
Subject Types
Grant/Deny Evaluation Rules
Managing the RDBMS Security Store
Security Providers that Use the RDBMS Security Store
Configuring the RDBMS Security Store
Create a Domain with the RDBMS Security Store
Specifying Database Connection Properties
For More Information About Default Connection Properties
Testing the Database Connection
Create RDBMS Tables in the Security Datastore
Configure a JMS Topic for the RDBMS Security Store
Configuring JMS Connection Recovery in the Event of Failure
Upgrading a Domain to Use the RDBMS Security Store
Configuring Identity and Trust
Private Keys, Digital Certificates, and Trusted Certificate Authorities
Configuring Identity and Trust: Main Steps
Supported Formats for Identity and Trust
Obtaining Private Keys, Digital Certificates, and Trusted Certificate Authorities
Common Keytool Commands
Using the CertGen Utility
Using Your Own Certificate Authority
Converting a Microsoft p7b Format to PEM Format
Obtaining a Digital Certificate for a Web Browser
Using Certificate Chains (Deprecated)
Storing Private Keys, Digital Certificates, and Trusted Certificate Authorities
Guidelines for Using Keystores
Creating a Keystore and Loading Private Keys and Trusted Certificate Authorities into the Keystore
Configuring Demo Certificates for Clients
How WebLogic Server Locates Trust
Configuring Keystores for Production
Configuring SSL
SSL: An Introduction
One-Way and Two-Way SSL
Setting Up SSL: Main Steps
Using Host Name Verification
Enabling SSL Debugging
SSL Session Behavior
Configuring RMI over IIOP with SSL
SSL Certificate Validation
Controlling the Level of Certificate Validation
Accepting Certificate Policies in Certificates
Checking Certificate Chains
Using Certificate Lookup and Validation Providers
How SSL Certificate Validation Works in WebLogic Server
Troubleshooting Problems with Certificate Validation
Using the nCipher JCE Provider with WebLogic Server
Specifying the Version of the SSL Protocol
Configuring Security for a WebLogic Domain
Important Information Regarding Cross-Domain Security Support
Enabling Trust Between WebLogic Server Domains
Enabling Cross Domain Security Between WebLogic Server Domains
Configuring Cross-Domain Security
Configuring a Cross-Domain User
Configure a Credential Mapping for Cross-Domain Security
Enabling Global Trust
Using Connection Filters
Using the Java Authorization Contract for Containers
Viewing MBean Attributes
How Passwords Are Protected in WebLogic Server
Protecting User Accounts
Using Compatibility Security
Running Compatibility Security: Main Steps
Limited Visibility of Compatibility Security MBeans
The Default Security Configuration in the CompatibilityRealm
Configuring a Realm Adapter Authentication Provider
Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider
Configuring a Realm Adapter Auditing Provider
Protecting User Accounts in Compatibility Security
Accessing 6.x Security from Compatibility Security
Security Configuration MBeans
SSLMBean
ServerMBean
EmbeddedLDAPMBean
SecurityMBean
SecurityConfigurationMBean
RealmMBean
WindowsNTAuthenticatorMBean
CustomDBMSAuthenticatorMBean
ReadonlySQLAuthenticatorMBean
SQLAuthenticatorMBean
DefaultAuditorMBean
Compatibility Security MBeans
UserLockoutManagerMBean
Other Security Provider MBeans