Configuring Security for a WebLogic Domain

The following sections describe how to set security attributes on a WebLogic domain:

Note: This chapter applies to WebLogic Server deployments using the security features in this release of WebLogic Server as well as deployments using Compatibility Security.

 

Enabling Trust Between WebLogic Server Domains

A trust relationship is established when principals in a Subject from one WebLogic Server domain (referred to as the domain) are accepted as principals in the local domain.

This release of WebLogic Server adds more restrictions to the trust relationship between domains. Now a trust relationship is established when the Credential attribute for one domain matches the Credential attribute for another domain.

The domain credential is generated when WebLogic Server is started. This process ensures that by default no two WebLogic Server domains have the same credential. To enable trust between two WebLogic Server domains, explicitly specifiy the same value for the credential in both WebLogic Server domains.

By default, when you boot an Administration Server for the first time, the Credential attribute is not defined. As the Administration Server boots, it notices that the Credential attribute is not defined and generates a random credential.

WebLogic Server performs a validation (comparing how the principal was signed with how a local principal would be signed) whenever the code is asked to create a new subject.

Note: Any credentials in clear text are encrypted the next time the config.xml file is persisted to disk.

If you want a WebLogic Server 6.x domain to interoperate with a WebLogic Server domain, change the Credential attribute in the WebLogic Server domain to the password of the system user in the WebLogic Server 6.x domain.

If you want two WebLogic Server domains to interoperate, perform the following procedure in both domains:

  1. Expand the Domains node (for example, Examples).
  2. Click the View Domain-Wide Security Settings link on the Domain-->General page.
  3. Select the Security Configuration-->Advanced tab.
  4. Uncheck the Enable Generated Credential attribute.
  5. Enter a password for the domain in the Credential text field. Choose the password carefully. BEA Systems recommends using a combination of upper and lower case letters and numbers.
  6. Confirm the password by entering it in the Confirm Credential text field.
  7. Click Apply.

 

Configuring Connection Filtering

Connection filters allow you to deny access at the network level. They can be used to protect server resources on individual servers, server clusters, or an entire internal network or Intranet. For example, you can deny any non-SSL connections originating outside of your corporate network. Network connection filters are a type of firewall in that they can be configured to filter on protocols, IP addresses, and DNS node names.

Connection filters are particularly useful when using the Administration port. Depending on your network firewall configuration, you may be able to use a connection filter to further restrict administration access. A typical use might be to restrict access to the Administration port to only the servers and machines in the domain. An attacker who gets access to a machine inside the firewall, still cannot perform administration operations unless the attacker is on one of the permitted machines.

WebLogic Server provides a default connection filter called weblogic.security.net.ConnectionFilterImpl. This connection filter accepts all incoming connections and also provides static factory methods that allow the server to obtain the current connection filter. To configure this connection filter to deny access, simply enter the connection filters rules in the WebLogic Server Administration Console.

You can also use a custom connection filter by implementing the classes in the weblogic.security.net package. Like the default connection filter, custom connection filters are configured in the WebLogic Server Administration Console.

To configure a connection filter:

  1. Expand the Domains node.
  2. On the Domain-->General tab, click the View Domain-Wide Security Settings link.
  3. Select the Security-->Filter tab.
  4. Click the Connection Logger Enabled attribute to enable the logging of accepted messages. This attribute logs successful connections and connection data in the server. This information can be used to debug problems relating to server connections.
  5. Specify the connection filter to be used in the domain.

    • To configure the default connection filter, specify weblogic.security.net.ConnectionFilterImpl in the Connection Filter attribute field.
    • To configure a custom connection filter, specify the class that implements the network connection filter in the Connection Filter attribute. This class must also be specified in the CLASSPATH for WebLogic Server.
  6. Enter the syntax for the connection filter rules.
  7. Click Apply.
  8. Reboot WebLogic Server.

 

Viewing MBean Attributes

The Anonymous Admin Lookup Enabled attribute specifies whether anonymous, read-only access to WebLogic Server MBeans should be allowed from the MBeanHome API. With this anonymous access, you can see the value of any MBean attribute that is not explicitly marked as protected by the Weblogic Server MBean authorization process. This attribute is checked by default to sure backward compatibility.

To verify the setting of the Anonymous Admin Lookup Enabled attribute:

  1. Expand the Domains node.
  2. On the Domain-->General tab, click the View Domain-Wide Security Settings link.
  3. Select the Security-->General tab.
  4. Verify that the Anonymous Admin Lookup Enabled attribute is checked. Unchecking this attribute will make the server more secure; however, it might cause applications that require anonymous access to MBeans to stop working properly.
  5. Reboot WebLogic Server.

Skip navigation bar  Back to Top Previous Next