Security concepts
Security Realms in WebLogic Server :
- Security realms act as a scoping mechanism.
- Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies.
- You can configure multiple security realms in a domain; however, only one can be the active security realm.
Security Providers :
- Security providers are modular components that handle specific aspects of security, such as authentication and authorization.
- The WebLogic Security Service supports the following types of security providers :
Authentication :
- Process whereby the identity of a user or system process is proved or verified.
- Types of authentication :
- Username and password authentication
- Certificate-based authentication directly with WebLogic Server
- HTTP certificate-based authentication proxied through an external Web server
Identity Assertion :
- An Identity Assertion provider is a special type of Authentication provider that performs perimeter authentication (authentication using tokens).
- It establishes a client's identity from a client-supplied token (for example an X.509 certificate) rather than from a password.
- The function of an Identity Assertion provider is to validate the token and map it to a username; because it trusts the token, the component that issues the token must itself be trusted.
- Once this mapping is complete, an Authentication provider's LoginModule converts the username to a principal (an authenticated user, group, or system process).
Authorization :
- Once a user's identity has been established by an Authentication provider, authorization determines whether that user should be permitted access to a given WebLogic resource.
- An Authorization provider supplies this "is access allowed?" decision.
Role Mapping :
- A security role is a named set of access rights; one role can be granted to many users or groups, and security policies grant access by role rather than by individual user.
- Role Mapping providers compute the set of roles granted to a requestor for a given resource.
- Role Mapping providers supply Authorization providers with this information so that the Authorization provider can answer the "is access allowed?" question for WebLogic resources that use role-based security.
Adjudication :
- When multiple Authorization providers are configured in a security realm, each may return a different answer (PERMIT, DENY or ABSTAIN) to the "is access allowed?" question for a given resource.
- Adjudication providers resolve these conflicts by weighing each Authorization provider's answer and returning a single final access decision.
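The flow described above (Role Mapping feeds Authorization providers, and an Adjudication provider combines their votes) as an added Python model. This is illustration code written for this page, not WebLogic's implementation or API. The vote names PERMIT/DENY/ABSTAIN and the DefaultAdjudicator's "Require Unanimous Permit" rule follow the WebLogic documentation; the users, groups, resources, policies and the second "deny list" provider are constructed sample data.

```python
"""Model of WebLogic's access decision: Role Mapping -> Authorization providers -> Adjudication.
Added example for this page; not WebLogic code. Sample data below is constructed."""

from enum import Enum


class Vote(Enum):
    """The three answers an Authorization provider can give."""
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


# Constructed sample data: group membership (what an Authentication provider
# would know) and the role mapping per resource (what a Role Mapping provider computes).
GROUPS = {
    "weblogic": {"Administrators"},
    "shadab1": {"Deployers"},
    "tester1": {"Testers"},
}
ROLE_MAPPING = {  # resource -> {group -> roles}
    "console": {"Administrators": {"Admin"}, "Deployers": {"Deployer"}},
    "app:/orders": {"Administrators": {"Admin"}, "Deployers": {"Deployer"}, "Testers": {"Tester"}},
}
# Constructed role-based security policies: resource -> roles that may access it.
POLICIES = {
    "console": {"Admin", "Deployer"},
    "app:/orders": {"Admin", "Deployer", "Tester"},
}
# Hypothetical second Authorization provider: it only has an opinion about blocked accounts.
BLOCKED_USERS = frozenset({"tester1"})


def roles_for(user, resource):
    """Role Mapping provider: the set of roles granted to `user` on `resource`."""
    roles = set()
    for group in GROUPS.get(user, ()):
        roles |= ROLE_MAPPING.get(resource, {}).get(group, set())
    return roles


def role_policy_authorizer(user, resource, roles):
    """Authorization provider #1: answers from the role-based policy on the resource."""
    policy = POLICIES.get(resource)
    if policy is None:
        return Vote.ABSTAIN  # no policy for this resource: no opinion
    return Vote.PERMIT if roles & policy else Vote.DENY


def block_list_authorizer(user, resource, roles):
    """Authorization provider #2 (hypothetical): DENY blocked users, otherwise ABSTAIN."""
    return Vote.DENY if user in BLOCKED_USERS else Vote.ABSTAIN


def adjudicate(votes, require_unanimous_permit=True):
    """DefaultAdjudicator semantics: any DENY denies. With Require Unanimous Permit
    every provider must vote PERMIT (an ABSTAIN blocks access); without it, ABSTAIN
    votes are ignored and one PERMIT is enough."""
    if not votes or Vote.DENY in votes:
        return False
    if require_unanimous_permit:
        return all(v is Vote.PERMIT for v in votes)
    return any(v is Vote.PERMIT for v in votes)


def is_access_allowed(user, resource, require_unanimous_permit=True):
    """The full 'is access allowed?' question for a user on a resource."""
    roles = roles_for(user, resource)
    providers = (role_policy_authorizer, block_list_authorizer)
    votes = [provider(user, resource, roles) for provider in providers]
    return adjudicate(votes, require_unanimous_permit)


if __name__ == "__main__":
    for user in ("weblogic", "shadab1", "tester1", "newuser"):
        print(user, "console:", is_access_allowed(user, "console", require_unanimous_permit=False))
```

Two things the model makes visible: a user with no group gets no roles and is denied (the reason a freshly created user cannot log in to the console, see the hands-on section), and with Require Unanimous Permit left at its default of true, a provider that merely ABSTAINs is enough to block access, so adding an Authorization provider to a realm can silently lock everyone out unless that setting is reviewed.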
Credential Mapping :
- Credential Mapping providers let WebLogic Server access remote systems on behalf of a subject that has already been authenticated in WebLogic.
- i.e. a Credential Mapping provider maps the authenticated WebLogic subject to the username and password (or other credential) that the remote system expects.
Keystore :
- A keystore is a password-protected file that stores private keys and certificates. WebLogic uses an identity keystore for the server's own private key and certificate and a trust keystore for the certificates of trusted certificate authorities. E.g.: identity.jks, trust.jks
Certificate Lookup and Validation (CLV) :
- X.509 certificates need to be located and validated for purposes of identity and trust.
- CLV providers receive certificates, certificate chains, or certificate references, complete the certificate path (if necessary), and validate all the certificates in the path.
- There are two types of CLV provider :
- CertPath Builder –> receives a certificate, certificate chain or certificate reference, looks up and optionally completes the certificate path, and validates the certificates
- CertPath Validator –> receives a certificate chain, looks up and optionally completes the certificate path, validates the certificates, and performs extra validation (for example, revocation checking)
Certificate Registry :
- The registry stores a list of valid certificates.
- Only registered certificates are valid; a certificate is revoked simply by removing it from the registry.
- The registry is stored in the embedded LDAP server.
- The Certificate Registry is both a CertPath Builder and a CertPath Validator.
Auditing :
- Auditing provides an electronic trail of computer activity.
- It is the process whereby information about security requests and the outcome of those requests is collected, stored, and distributed for the purpose of non-repudiation.
Hands on security
Creating users in WebLogic.
When you create a domain you create one administrative username and password. But you may need more users for your environment with different roles, i.e. Deployer, Tester, etc. For that purpose you can create a new user by navigating to Security Realms ==> myrealm ==> Users and Groups tab and clicking "New".
Provide the name of the user and the password for the user and press OK.
The user will be created.
But if you now try to log in to the console as the newly created user you will not be allowed in, because the user has not yet been put in a group that carries a console role (Admin, Deployer, Operator or Monitor).
So click on the new user "shadab1", navigate to the Groups tab, add the user to one of the given groups (for example Deployers) and save. Now log out of the console.
Try to log in again: you will be able to log in to the console as the newly created user shadab1.
In this way we can create a number of users and give them different roles through group membership.
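The same steps as a WLST script (WLST is WebLogic's Jython-based scripting tool, run with wlst.sh, so this is not CPython). This is an added example written for this page, not code from the original page or from Oracle. Assumed values: admin URL t3://localhost:7001, domain name "base_domain", the default realm "myrealm" with its DefaultAuthenticator, admin credentials saved beforehand with storeUserConfig() in the two files named below, and the sample accounts and passwords, which are constructed.

```jython
# WLST script (Jython): run with  wlst.sh create_users.py
# Added example for this page, not code from the page or from Oracle.
# Assumed: admin URL, domain name, realm name, credential files and sample accounts.
ADMIN_URL = 't3://localhost:7001'
DOMAIN_NAME = 'base_domain'
USER_CONFIG = '/home/oracle/.wlst/admin.cfg'   # created with storeUserConfig(); assumed path
USER_KEY = '/home/oracle/.wlst/admin.key'      # assumed path

# Constructed sample accounts: (username, password, description, group).
# The group decides the role; a user in no group cannot use the console.
NEW_USERS = [
    ('shadab1', 'weblogic1', 'Deployer account',         'Deployers'),
    ('tester1', 'weblogic1', 'Read-only console access', 'Monitors'),
]

# Encrypted credential files keep the admin password off the command line.
connect(userConfigFile=USER_CONFIG, userKeyFile=USER_KEY, url=ADMIN_URL)
serverConfig()
cd('/SecurityConfiguration/%s/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator' % DOMAIN_NAME)

for name, password, description, group in NEW_USERS:
    if cmo.userExists(name):
        print('user %s already exists, leaving its password unchanged' % name)
    else:
        cmo.createUser(name, password, description)
        print('created user %s' % name)
    if cmo.isMember(group, name, True):
        print('%s is already a member of %s' % (name, group))
    else:
        cmo.addMemberToGroup(group, name)
        print('added %s to group %s' % (name, group))

disconnect()
exit()
```

The script is idempotent, so it can be re-run after adding accounts to NEW_USERS; the sample password "weblogic1" is only for the exercise and should be replaced with generated per-user passwords in a real environment.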
Migrating user from one environment to other
There may be a scenario where you have to migrate all the users from one environment to another.
WebLogic provides a simple method for users and roles to be transferred from one domain to another: the Migration tab of the security realm.
Do these activities with a user who has admin rights.
Navigate to the environment, i.e. the domain, from which you want to migrate the users.
Click on Security Realms ==> myrealm ==> Migration tab ==> Export
In one of our domains we have 5 users and now we want to export them to another domain.
Create a new folder, give the location of the folder and click on "Save".
The export files will be created inside the folder. Copy the files to the environment, i.e. the domain, where you want to import these users. The export contains the realm's user accounts and their credentials, so protect the folder and any archive made from it like any other credential store and delete it once the import is done.
Attached file: users.zip (zip, 5 kb)
Now we are in the other domain, where we want to import the users.
Navigate to the environment, i.e. the domain, into which you want to migrate the users.
Click on Security Realms ==> myrealm ==> Migration tab ==> Import
You can use the above users.zip file to import into your domain.
All the users have password "weblogic1" (change them after the import).
The users are imported into the new environment (i.e. domain).
In the Users and Groups tab you can view all the users and use them in your new domain.
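The export and import steps above as a WLST (Jython, run with wlst.sh) script that works on the DefaultAuthenticator's data, which is what holds the users and groups; this is an added example for this page, not code from the page or from Oracle. Assumed values: admin URL, domain name "base_domain", realm "myrealm", admin credentials stored with storeUserConfig() in the two files below, and the export format name "DefaultAtn", which is the format the DefaultAuthenticator offers in the console's export dialog.

```jython
# WLST script (Jython): run with  wlst.sh migrate_users.py export|import <file>
# Added example for this page, not code from the page or from Oracle.
# Assumed: admin URL, domain name, realm name, credential files, export format name.
import sys
from java.util import Properties

ADMIN_URL = 't3://localhost:7001'
DOMAIN_NAME = 'base_domain'
USER_CONFIG = '/home/oracle/.wlst/admin.cfg'   # created with storeUserConfig(); assumed path
USER_KEY = '/home/oracle/.wlst/admin.key'      # assumed path
EXPORT_FORMAT = 'DefaultAtn'                    # DefaultAuthenticator's export/import format

if len(sys.argv) != 3 or sys.argv[1] not in ('export', 'import'):
    print('usage: wlst.sh migrate_users.py export|import <file>')
    exit()
action, data_file = sys.argv[1], sys.argv[2]

connect(userConfigFile=USER_CONFIG, userKeyFile=USER_KEY, url=ADMIN_URL)
serverConfig()
cd('/SecurityConfiguration/%s/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator' % DOMAIN_NAME)

constraints = Properties()   # empty: no export/import constraints, i.e. all users and groups
if action == 'export':
    cmo.exportData(EXPORT_FORMAT, data_file, constraints)
    print('exported users and groups to %s' % data_file)
    print('the file contains account credentials: restrict its permissions and delete it after import')
else:
    cmo.importData(EXPORT_FORMAT, data_file, constraints)
    print('imported users and groups from %s' % data_file)

disconnect()
exit()
```

Run the export on the source domain's admin server, copy the file over a protected channel, run the import on the target domain, then remove the file from both hosts; the same script can be pointed at other providers (for example the credential mapper) by changing the cd() path and the format name to the one that provider lists in its own Migration tab.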
User lockout
In WebLogic we can configure how many times a user may supply a wrong password. Once that many invalid attempts have been made, WebLogic locks the user account for a configured period of time; only an admin user can unlock it earlier.
Click on Security Realms ==> myrealm ==> Configuration ==> User Lockout
Here we can change the values as we like: Lockout Threshold (number of invalid attempts), Lockout Duration (how long the account stays locked) and Lockout Reset Duration (the window within which the invalid attempts are counted).
With the defaults, if a user tries with a wrong password 5 times within 5 minutes, the account will be locked for 30 minutes.
You will see in the admin server log that the user shadab1 has been locked for 30 minutes.
Now, to unlock the user, log in to the console with admin credentials.
Navigate to the domain name ==> Security ==> Unlock User and provide the name of the user that has been locked.
You will get a message that the user has been unlocked.
To check how many invalid attempts have been made, how many users are locked and other information :
Click on Admin Server ==> Monitoring ==> Security
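The lockout policy described above as an added Python model, written for this page; it is not WebLogic's implementation. The three settings and their default values (5 attempts, 30 minutes, 5 minutes) are the realm defaults; the assumptions are that a successful login clears the attempt counter, that attempts made while locked are not counted, and that a correct password is refused while the lock is in place. User names and timestamps are constructed.

```python
"""Model of WebLogic's User Lockout settings: Lockout Threshold, Lockout Duration,
Lockout Reset Duration, plus the admin unlock and the counters shown under
Monitoring > Security.  Added example for this page, not WebLogic code."""

from collections import defaultdict, deque

# Realm defaults from Security Realms > myrealm > Configuration > User Lockout
LOCKOUT_THRESHOLD = 5            # invalid attempts before the account is locked
LOCKOUT_DURATION_MIN = 30        # minutes the account stays locked
LOCKOUT_RESET_DURATION_MIN = 5   # window in which consecutive invalid attempts are counted


class LockoutManager:
    def __init__(self, threshold=LOCKOUT_THRESHOLD,
                 duration_min=LOCKOUT_DURATION_MIN,
                 reset_min=LOCKOUT_RESET_DURATION_MIN):
        self.threshold = threshold
        self.duration = duration_min * 60
        self.reset = reset_min * 60
        self._attempts = defaultdict(deque)    # user -> timestamps of recent invalid logins
        self._locked_until = {}                # user -> epoch second when the lock expires
        self.invalid_login_attempts_total = 0  # counters like Monitoring > Security reports
        self.locked_users_total = 0

    def is_locked(self, user, now):
        """True while the Lockout Duration has not elapsed; expired locks are cleared."""
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[user]
            return False
        return True

    def login(self, user, password_ok, now):
        """Outcome of one login attempt at time `now`: 'OK', 'INVALID' or 'LOCKED'."""
        if self.is_locked(user, now):
            return "LOCKED"            # refused even with the right password (assumption)
        if password_ok:
            self._attempts.pop(user, None)   # assumption: success resets the counter
            return "OK"
        self.invalid_login_attempts_total += 1
        window = self._attempts[user]
        window.append(now)
        while window and now - window[0] > self.reset:
            window.popleft()           # attempts older than the reset duration no longer count
        if len(window) >= self.threshold:
            self._locked_until[user] = now + self.duration
            self.locked_users_total += 1
            window.clear()
            return "LOCKED"
        return "INVALID"

    def unlock(self, user):
        """Admin action (domain ==> Security ==> Unlock User); True if a lock was removed."""
        return self._locked_until.pop(user, None) is not None


if __name__ == "__main__":
    mgr = LockoutManager()
    t0 = 1_700_000_000  # constructed epoch timestamp
    for i in range(5):
        print(i + 1, mgr.login("shadab1", False, t0 + 10 * i))
    print("correct password while locked:", mgr.login("shadab1", True, t0 + 60))
    print("admin unlock:", mgr.unlock("shadab1"), "then:", mgr.login("shadab1", True, t0 + 61))
```

The reset duration is the setting most often misread: four bad passwords followed by a pause longer than it and then one more bad password does not lock the account, because the earlier attempts have aged out of the window, so an attacker who spaces guesses more than 5 minutes apart never trips the default threshold and only the Monitoring > Security counters will show it.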