14 Using Compatibility Security

Compatibility security is the capability to run security configurations developed with WebLogic Server 6.x in this release of WebLogic Server. In Compatibility security, you manage 6.x security realms, users, groups, and ACLs, protect user accounts, and configure the Realm Adapter Auditing provider and optionally the Identity Assertion provider in the Realm Adapter Authentication provider. The following sections describe how to configure Compatibility security:

Running Compatibility Security: Main Steps

To set up Compatibility security:

  1. Make a backup copy of your 6.x WebLogic domain (including your config.xml file) before using Compatibility security.

  2. Add the following to the 6.x config.xml file if it does not exist, replacing the values with the actual names of your domain, security realm, and FileRealm:

    <Security Name="mydomain" Realm="mysecurity"/>
    <Realm Name="mysecurity" FileRealm="myrealm"/>
    <FileRealm Name="myrealm"/>

  3. Install the current version of WebLogic Server in a new directory location. Do not overwrite your existing 6.x installation directory. For more information, see Oracle WebLogic Server Installation Guide.

  4. Modify the start script for your 6.x server to point to the new WebLogic Server installation. Specifically, you need to modify:

    • The classpath to point to the weblogic.jar file in the new WebLogic Server installation.

    • The JAVA_HOME variable to point to the new WebLogic Server installation.

  5. Use the start script for your 6.x server to boot the new version of WebLogic Server.

To verify whether you are running Compatibility security correctly, open the new WebLogic Server Administration Console. If you are running Compatibility security, a Compatibility Security node is displayed on the left in the Domain Structure pane.

Limited Visibility of Compatibility Security MBeans

All Compatibility security MBeans are marked excluded and therefore have limited visibility in the WebLogic Scripting Tool. For example, the following command lists the attributes of the DomainMBean, excluding Compatibility security attributes such as FileRealmMBean:

java weblogic.WLST
connect()
ls()

However, if you address a Compatibility MBean directly, you can access it as in the following command:

java weblogic.WLST
connect()
cmo.getFileRealms()

The Default Security Configuration in the CompatibilityRealm

By default, the CompatibilityRealm is configured with a Realm Adapter Adjudication provider, a Realm Adapter Authentication provider, a WebLogic Authorization provider, a Realm Adapter Authorization provider, a WebLogic Credential Mapping provider, and a WebLogic Role Mapping provider.

  • In the CompatibilityRealm, the Realm Adapter Authentication provider is populated with users and groups from the 6.x security realm defined in the config.xml file.

    • If you used the File realm in your 6.x security configuration, you can manage the users and groups in the Realm Adapter Authentication provider following the steps in "Define users" and "Define groups" topics of the Compatibility security section of the Oracle WebLogic Server Administration Console Help.

    • If you are using an alternate security realm (LDAP, Windows NT, RDBMS, or custom), you must use the administration tools provided by that realm to manage users and groups.

    For information about configuring a Realm Adapter Authentication provider, see Configuring a Realm Adapter Authentication Provider.

    You can use implementations of the weblogic.security.acl.CertAuthenticator class in Compatibility security by configuring the Identity Assertion provider in the Realm Adapter Authentication provider. For more information, see Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider.

  • Access Control Lists (ACLs) in the 6.x security realm are used to populate the Realm Adapter Authorization provider.

  • The Realm Adapter Adjudication provider enables the use of both ACLs and security roles and security policies in Compatibility security. The Realm Adapter Adjudication provider can be used only with the Realm Adapter Authentication provider and the WebLogic Authorization provider. It resolves access decision conflicts between ACLs and new security policies set through the Administration Console. The Realm Adapter Adjudication provider permits access if one authorization provider votes PERMIT and the other authorization provider votes DENY.

  • The WebLogic Credential Mapping provider allows the use of credential maps in Compatibility security. For more information, see Programming Resource Adapters for Oracle WebLogic Server.

  • You can add a Realm Adapter Auditing provider to access implementations of the weblogic.security.audit.AuditProvider class from the CompatibilityRealm. For more information, see "Configure a Realm Adapter Auditing Provider" in the Oracle WebLogic Server Administration Console Help.

Configuring a Realm Adapter Authentication Provider

When using Compatibility security, a Realm Adapter Authentication provider is by default configured for the CompatibilityRealm. For information about using the Realm Adapter Authentication provider in the CompatibilityRealm, see The Default Security Configuration in the CompatibilityRealm.

The Realm Adapter Authentication provider also allows use of implementations of the weblogic.security.acl.CertAuthenticator class with this release of WebLogic Server. The Realm Adapter Authentication provider includes an Identity Assertion provider that asserts identity based on X.509 tokens. For information about using a CertAuthenticator with WebLogic Server, see Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider.

When you add a Realm Adapter Authentication provider to a security realm with an Authentication provider already configured, WebLogic Server sets the JAAS Control Flag on the Realm Adapter Authentication provider to OPTIONAL and checks for the presence of a fileRealm.properties file in the domain directory. WebLogic Server will not add the Realm Adapter Authentication provider to the security realm if the fileRealm.properties file does not exist.

Note:

The subjects produced by the Realm Adapter Authentication provider do not contain principals for the groups to which a user belongs. Use the weblogic.security.SubjectUtils.isUserInGroup() method to determine whether a user is in a group. When you use subjects produced by the Realm Adapter Authentication provider, you cannot iterate the complete set of groups to which a user belongs.
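The following helper, added here as an illustration and not part of the Oracle documentation or WebLogic itself, contrasts the supported SubjectUtils.isUserInGroup() lookup with a naive scan of the Subject's group principals. It assumes it runs inside a deployed servlet or EJB so that Security.getCurrentSubject() returns the caller; the class name and the "Administrators" group name are assumptions.

```java
import java.util.Set;
import javax.security.auth.Subject;
import weblogic.security.Security;
import weblogic.security.SubjectUtils;
import weblogic.security.spi.WLSGroup;

/**
 * Hypothetical helper (not part of WebLogic) showing the supported and the
 * unreliable way to test group membership for subjects built by the
 * Realm Adapter Authentication provider.
 */
public final class CompatGroupCheck {

    private CompatGroupCheck() { }

    /** Supported under Compatibility security: asks the realm, not the Subject. */
    public static boolean isMemberOf(Subject subject, String groupName) {
        if (subject == null || groupName == null) {
            return false; // no authenticated subject: deny
        }
        return SubjectUtils.isUserInGroup(subject, groupName);
    }

    /**
     * Naive check that scans the group principals carried by the Subject.
     * Realm Adapter subjects carry no group principals, so this returns false
     * even for genuine members, which surfaces as silent access denials.
     */
    public static boolean isMemberOfByPrincipals(Subject subject, String groupName) {
        Set<WLSGroup> groups = subject.getPrincipals(WLSGroup.class);
        for (WLSGroup g : groups) {
            if (groupName.equals(g.getName())) {
                return true;
            }
        }
        return false;
    }

    /** Called from a servlet or EJB running inside WebLogic (assumed context). */
    public static boolean currentUserMayAdminister() {
        Subject current = Security.getCurrentSubject();
        String user = SubjectUtils.getUsername(current);
        boolean viaRealm = isMemberOf(current, "Administrators");      // assumed group
        boolean viaPrincipals = isMemberOfByPrincipals(current, "Administrators");
        if (viaRealm != viaPrincipals) {
            // A mismatch is the signature of a Realm Adapter subject; log it for review.
            System.err.println("group lookup mismatch for " + user
                + ": realm=" + viaRealm + " principals=" + viaPrincipals);
        }
        return viaRealm; // only the realm lookup is trustworthy here
    }
}
```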

Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider

The Realm Adapter Authentication provider includes an Identity Assertion provider. The Identity Assertion provider provides backward compatibility for implementations of the deprecated weblogic.security.acl.CertAuthenticator class. The identity assertion is performed on X.509 tokens. By default, the Identity Assertion provider is not enabled in the Realm Adapter Authentication provider.

For information about how to enable the Identity Assertion provider, see "Enable the Identity Assertion provider" in the Oracle WebLogic Server Administration Console Help.

Configuring a Realm Adapter Auditing Provider

The Realm Adapter Auditing provider allows you to use implementations of the weblogic.security.audit.AuditProvider interface when using Compatibility security. In order for the Realm Adapter Auditing provider to work properly, the implementation of the AuditProvider interface must have been defined. You can define the AuditProvider class using the Administration Console by specifying it in the Audit Provider Class field on the Domain: Compatibility Security > General page.

For information, see "Configure a Realm Adapter Auditing provider" in the Oracle WebLogic Server Administration Console Help.

Protecting User Accounts in Compatibility Security

Password guessing is a common type of security attack. In this type of attack, a hacker attempts to log in to a computer using various combinations of usernames and passwords. WebLogic Server provides a set of lockout configuration options to protect user accounts from this kind of attack. By default, these options are set for maximum protection. As a system administrator, you can turn off all the options, increase the number of login attempts before a user account is locked, increase the time period in which invalid login attempts are counted before locking the user account, and change the amount of time a user account stays locked. Remember that changing the configuration options lessens security and leaves user accounts vulnerable to security attacks.

There are two sets of configuration options available to protect user accounts, one set at the domain and one set at the security realm. You may notice that if you set one set of configuration options (for example, the options for the security realm) and exceed any of the values, the user account is not locked. This happens because the user account lockout options at the domain override the user account options at the security realm. To avoid this situation, disable the user account lockout options at the security realm.

Caution:

If you disable the user lockout configuration option at the security realm, you must set the user lockout configuration options on the domain; otherwise, the user accounts will not be protected.

For information, see "Protect user accounts" and "Unlock user accounts" in the Oracle WebLogic Server Administration Console Help.

Accessing 6.x Security from Compatibility Security

Using Compatibility security assumes that you have an existing config.xml file with a security realm that defines users and groups and ACLs that protect the resources in your WebLogic domain. WebLogic Server 6.x security management tasks such as configuring a security realm or defining ACLs should not be required and therefore those management tasks are not described in this section. However, if you corrupt an existing 6.x security realm and have no choice but to restore it, the following 6.x security management tasks are described in the Compatibility Security topic of the Oracle WebLogic Server Administration Console Help: