Protecting User Accounts

Protecting User Accounts

This following sections describe how to protect user accounts and how to unlock a user account:
Setting Lockout Attributes for User Accounts
Unlocking a User Account

Protecting Passwords

It is important to protect passwords that are used to access resources in a WebLogic Server domain. In the past, usernames and passwords were stored in clear text in a WebLogic security realm. Now all the passwords in a WebLogic Server domain are hashed. The SerializedSystemIni.dat file contains the hashes for the passwords. It is associated with a specific WebLogic Server domain so it cannot be moved from domain to domain.
If the SerializedSystemIni.dat file is destroyed or corrupted, reconfigure the WebLogic Server domain. Therefore, you should take the following precautions:
Make a backup copy of the SerializedSystemIni.dat file and put it in a safe location.
Set permissions on the SerializedSystemIni.dat file such that the system administrator of a WebLogic Server deployment has write and read privileges and no other users have any privileges.

Setting Lockout Attributes for User Accounts

WebLogic Server defines a set of attributes to protect user accounts from intruders. In the default security configuration, these attributes are set for maximum protection. When creating a new security realm, you need to define these attributes.
As a system administrator, you have the option of turning off all the attributes, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the attributes lessens security and leaves user accounts vulnerable to security attacks.
To set the user lockout attributes:

Expand the Security-->Realms nodes.
Select the name of the realm you are configuring (for example, myrealm).
Select the User Lockout tab.
Define the desired attributes on this tab by entering values at the appropriate prompts and selecting the required checkboxes. (For details, see the following table).
If a user account exceeds the values set for the attributes on this tab, the user account becomes locked and the table on the Users tab has the word Details in the table row for the user account.
To save your changes, click Apply.
Reboot WebLogic Server.

The following table describes each attribute on the User Lockout tab.

Attribute

Description
Lockout Enabled Requests the locking of a user account after invalid attempts to log in to that account exceed the specified Lockout Threshold. By default, this attribute is enabled.
Lockout Threshold Number of failed user password entries that can be tried before that user account is locked. Any subsequent attempts to access the account (even if the username/password combination is correct) raise a Security exception; the account remains locked until it is explicitly unlocked by the system administrator or another login attempt is made after the lockout duration period ends. Invalid login attempts must be made within a span defined by the Lockout Reset Duration attribute. The default is 5.
Lockout Duration Number of minutes that a user's account remains inaccessible after being locked in response to several invalid login attempts within the amount of time specified by the Lockout Reset Duration attribute. The default is 30 minutes.
Lockout Reset Duration Number of minutes within which invalid login attempts must occur in order for the user's account to be locked.An account is locked if the number of invalid login attempts defined in the Lockout Threshold attribute happens within the amount of time defined by this attribute. For example, if the value in Lockout Reset Duration attribute is 5 minutes, the Lockout Threshold is 3, and 3 invalid login attempts are made within a 6 minute interval, then the account is not locked. If 3 invalid login attempts are made within a 5 minute period, however, then the account is locked.The default is 5 minutes.
Lockout Cache Size Specifies the intended cache size of unused and invalid login attempts. The default is 5.
Lockout GC Threshold The maximum number of invalid login records that the server keeps in memory. If the number of invalid login records is equal to or greater than the value of this attribute, the server's garbage collection purges the records that have expired. A record expires when the user associated with the record have been locked out. The default is 400 records.

Note that the User Lockout attributes apply to the security realm and all its security providers. If you are using an Authentication provider that has its own mechanism for protecting user accounts, disable the Lockout Enabled attribute.
If a user account becomes locked and you delete the user account and add another user account with the same name and password, the UserLockout attributes will not be reset.

Unlocking a User Account

To unlock a user account:

Click on the Details link in the table on the Users tab.
The Details tab describes the event that occurred when the user was locked out.
Click Unlock.

Attribute	Description
Lockout Enabled	Requests the locking of a user account after invalid attempts to log in to that account exceed the specified Lockout Threshold. By default, this attribute is enabled.
Lockout Threshold	Number of failed user password entries that can be tried before that user account is locked. Any subsequent attempts to access the account (even if the username/password combination is correct) raise a Security exception; the account remains locked until it is explicitly unlocked by the system administrator or another login attempt is made after the lockout duration period ends. Invalid login attempts must be made within a span defined by the Lockout Reset Duration attribute. The default is 5.
Lockout Duration	Number of minutes that a user's account remains inaccessible after being locked in response to several invalid login attempts within the amount of time specified by the Lockout Reset Duration attribute. The default is 30 minutes.
Lockout Reset Duration	Number of minutes within which invalid login attempts must occur in order for the user's account to be locked.An account is locked if the number of invalid login attempts defined in the Lockout Threshold attribute happens within the amount of time defined by this attribute. For example, if the value in Lockout Reset Duration attribute is 5 minutes, the Lockout Threshold is 3, and 3 invalid login attempts are made within a 6 minute interval, then the account is not locked. If 3 invalid login attempts are made within a 5 minute period, however, then the account is locked.The default is 5 minutes.
Lockout Cache Size	Specifies the intended cache size of unused and invalid login attempts. The default is 5.
Lockout GC Threshold	The maximum number of invalid login records that the server keeps in memory. If the number of invalid login records is equal to or greater than the value of this attribute, the server's garbage collection purges the records that have expired. A record expires when the user associated with the record have been locked out. The default is 400 records.