Security Realms in WebLogic Server :
- Security realms act as a scoping mechanism.
- Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies.
- You can configure multiple security realms in a domain; however, only one can be the active security realm.
- WebLogic Server provides two default security realms:
- myrealm—Has the WebLogic Adjudication, Authentication, Identity Assertion, Authorization, Role Mapping, and Credential Mapping providers configured by default.
- CompatibilityRealm—Provides backward compatibility for 6.x security configurations. You can access an existing 6.x security configuration through the CompatibilityRealm.
Security Providers :
- Security providers are modular components that handle specific aspects of security, such as authentication and authorization.
- The WebLogic Security Service supports the following types of security providers :
1. Authentication :
- Process whereby the identity of users or system processes is proved or verified.
- Types of authentication:
- – Username and password authentication
- – Certificate-based authentication directly with WebLogic Server
- – HTTP certificate-based authentication proxied through an external Web server.
2. Identity Assertion :
- It is an Authentication provider that performs perimeter authentication (authentication using tokens).
- It involves establishing a client’s identity through the use of client-supplied tokens.
- The function of an Identity Assertion provider is to validate a token and map it to a username.
- Once this mapping is complete, an Authentication provider’s LoginModule can be used to convert the username to a principal (an authenticated user, group, or system process).
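The two steps above (token validated and mapped to a username, then a LoginModule turning that username into principals) as an added example; this is illustrative code written for these notes, not WebLogic's Identity Assertion provider. The HMAC-signed token format, the shared secret and the user directory are constructed for the example, as is the assumption that a token is only trusted while it is unexpired and its MAC verifies.

```python
import base64
import hashlib
import hmac
import time

# Constructed data for this example: a secret shared between the perimeter
# authenticator (proxy, SSO agent) and the asserter, and a tiny user/group directory.
TOKEN_SECRET = b"example-perimeter-secret"
USER_DIRECTORY = {
    "alice": ["Administrators"],
    "bob": ["Operators", "Monitors"],
}


def mint_token(username, ttl_seconds=300, now=None):
    """What the perimeter side would issue: user|expiry|mac, base64-wrapped."""
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl_seconds}".encode()
    mac = hmac.new(TOKEN_SECRET, payload, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(payload + b"|" + mac).decode()


def assert_identity(token, now=None):
    """Identity Assertion step: validate the token and map it to a username.

    Returns the username, or None if the token is malformed, forged or expired.
    """
    now = int(time.time()) if now is None else now
    try:
        username, expiry, mac = base64.b64decode(token, validate=True).decode().split("|")
        expiry = int(expiry)
    except (ValueError, UnicodeDecodeError):
        return None  # not a token in the format we issue
    expected = hmac.new(TOKEN_SECRET, f"{username}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None  # MAC mismatch: forged or tampered token
    if expiry <= now:
        return None  # expired
    return username


def login_module(username):
    """Authentication provider's LoginModule step: username -> principals (user and groups)."""
    if username is None or username not in USER_DIRECTORY:
        return None  # asserted name is not a known user, so no principals are created
    return {"user": username, "groups": list(USER_DIRECTORY[username])}


def authenticate(token, now=None):
    """Perimeter authentication end to end: token -> username -> principals."""
    return login_module(assert_identity(token, now))
```

The asserter only answers "which username does this token claim?"; it is the LoginModule that decides whether that username is a real user in the realm, which is why a validly signed token for an unknown name still yields no subject.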
3. Authorization :
- Once a user’s identity has been established by an Authentication provider, authorization is responsible for determining whether access to WebLogic resources should be permitted for that user.
- An Authorization provider supplies these services.
4. Role Mapping :
- A security role can be granted to many users or groups; access rights are then granted to the role rather than to each user individually.
- Role Mapping providers determine the set of roles granted to a requestor for a given resource.
- Role Mapping providers supply Authorization providers with this information so that the Authorization provider can answer the “is access allowed?” question for WebLogic resources that use role-based security.
5. Adjudication :
- When multiple Authorization providers are configured in a security realm, each may return a different answer to the “is access allowed” question for a given resource.
- Adjudication providers resolve authorization conflicts by weighing each Authorization provider’s answer and returning a final access decision.
6. Credential Mapping :
- Credential Mapping providers map the credentials of a subject that has already been authenticated in WebLogic Server to the credentials that a remote system (for example, a legacy application or database) expects.
- i.e. they let an authorized subject in WebLogic Server access a remote system without the application having to handle that system’s credentials itself.
7. Keystore :
- A keystore is a password-protected file holding either private keys together with their certificates (the identity keystore, e.g. identity.jks) or the certificates of trusted certificate authorities (the trust keystore, e.g. trust.jks).
8. Certificate Lookup and Validation (CLV) :
- X.509 certificates need to be located and validated for purposes of identity and trust.
- CLV providers receive certificates, certificate chains, or certificate references, complete the certificate path (if necessary), and validate all the certificates in the path.
- There are two types of CLV :
- – CertPath Builder –> receives a certificate, a certificate chain, or a certificate reference; looks up and optionally completes the certificate path and validates the certificates.
- – CertPath Validator –> receives a complete certificate chain (for example from the SSL handshake) and performs extra validation on it (for example, revocation checking).
9. Certificate Registry :
- The registry stores a list of valid certificates.
- Only registered certificates are valid.
- A certificate is revoked by removing it from the certificate registry.
- The registry is stored in the embedded LDAP server.
- The Certificate Registry is both a CertPath Builder and a CertPath Validator.
10. Auditing :
- Auditing provides an electronic trail of computer activity.
- It is the process whereby information about security requests and their outcomes is collected, stored, and distributed for the purpose of non-repudiation.
Security Policies and WebLogic Resources
- WebLogic Server uses security policies to protect WebLogic resources.
- Security policies answer the question “who has access” to a WebLogic resource.
- A security policy is created when you define an association between a WebLogic resource and a user, group, or security role.
- A WebLogic resource has no protection until you assign it a security policy.
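The chain described under Role Mapping, Authorization and Adjudication above, and the policy statements here, as one added example: a small model (written for these notes, not WebLogic's code) in which a Role Mapping step computes the roles a subject holds for a resource, two Authorization providers each vote PERMIT, DENY or ABSTAIN, and an adjudicator combines the votes. The adjudicator follows the documented Require Unanimous Permit setting of the WebLogic Adjudication provider in simplified form; the resources, roles, groups, policies and the "change freeze" provider are constructed for the example.

```python
PERMIT, DENY, ABSTAIN = "PERMIT", "DENY", "ABSTAIN"

# Constructed realm data. Role mapping: resource -> role -> users/groups that hold it.
ROLE_MAPPINGS = {
    "/app/admin/*": {"admin": {"Administrators"}},
    "/app/reports/*": {"admin": {"Administrators"}, "reader": {"Operators", "Monitors"}},
}
# Security policies: resource -> roles allowed. A resource absent here has no policy.
POLICIES = {
    "/app/admin/*": {"admin"},
    "/app/reports/*": {"admin", "reader"},
}


def map_roles(resource, subject):
    """Role Mapping provider: the roles granted to this subject for this resource."""
    principals = set(subject["groups"]) | {subject["user"]}
    return {role for role, members in ROLE_MAPPINGS.get(resource, {}).items() if members & principals}


def policy_authorizer(resource, subject, roles, context):
    """Authorization provider 1: answers from the resource's security policy."""
    if resource not in POLICIES:
        return PERMIT  # no policy assigned: the resource is unprotected (as the notes state)
    return PERMIT if roles & POLICIES[resource] else DENY


def change_freeze_authorizer(resource, subject, roles, context):
    """Authorization provider 2 (constructed): only has an opinion about admin resources.

    Denies them during a change freeze, permits them otherwise, abstains elsewhere.
    """
    if not resource.startswith("/app/admin"):
        return ABSTAIN
    return DENY if context.get("change_freeze") else PERMIT


def adjudicate(votes, require_unanimous_permit=True):
    """Adjudication provider: combine the providers' votes into one decision.

    Simplified model of the WebLogic Adjudication provider's Require Unanimous Permit
    setting: any DENY wins; with the setting on, every provider must vote PERMIT
    (an ABSTAIN blocks access); with it off, ABSTAIN votes are ignored.
    """
    if DENY in votes:
        return False
    if require_unanimous_permit:
        return bool(votes) and all(v == PERMIT for v in votes)
    return PERMIT in votes


AUTHORIZERS = [policy_authorizer, change_freeze_authorizer]


def is_access_allowed(resource, subject, context=None, require_unanimous_permit=True):
    """The 'is access allowed?' question: role mapping -> authorization votes -> adjudication."""
    context = context or {}
    roles = map_roles(resource, subject)
    votes = [auth(resource, subject, roles, context) for auth in AUTHORIZERS]
    return adjudicate(votes, require_unanimous_permit)
```

The case worth noticing is a resource on which one provider abstains: with Require Unanimous Permit on, an ABSTAIN from any configured provider is enough to refuse access, so adding a second Authorization provider to a realm can lock out users the policy itself would have permitted.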
- WebLogic Server defines the following resources:
- Administrative resources
- Application resources
- Component Object Model (COM) resources
- Enterprise Information System (EIS) resources
- Enterprise JavaBean (EJB) resources
- Java DataBase Connectivity (JDBC) resources
- Java Naming and Directory Interface (JNDI) resources
- Java Messaging Service (JMS) resources
- Server resources
- URL resources
- Web Services resources
- Remote resources
Deployment Descriptors and the WebLogic Server Administration Console
- The WebLogic Security Service can use information defined in deployment descriptors to grant security roles and define security policies for Web applications and EJBs.
- When WebLogic Server is booted for the first time, security role and security policy information stored in web.xml, weblogic.xml, ejb-jar.xml, or weblogic-ejb-jar.xml deployment descriptors is loaded into the Authorization and Role Mapping providers configured in the default security realm.
- To use information in deployment descriptors, at least one Authorization and Role Mapping provider in the security realm must implement the DeployableAuthorizationProvider and DeployableRoleProvider Security Service Provider Interface (SSPI).
- This SSPI allows the providers to store (rather than retrieve) information from deployment descriptors.
- By default, the WebLogic Authorization and Role Mapping providers implement this SSPI.
Methods of Configuring Security
- When you manage security realms, you must use two different MBean servers depending on your task:
- To set the value of a security MBean attribute, you must use the Edit MBean Server.
- To add users, groups, roles, and policies, or to invoke other operations in a security provider MBean, you must use a Runtime MBean Server or the Domain Runtime MBean Server.
Secure Sockets Layer (SSL) :
Public Key Cryptography :
- In public key cryptography, an individual or organization has two complementary keys, one called a public key, and one called a private key.
- Any information encrypted using the private key can only be decrypted using the public key (this is the basis of digital signatures).
- Conversely, any information encrypted using the public key can only be decrypted using the private key.
– Bob has two complementary keys
– What one key encrypts, only the other key can decrypt
– Bob keeps one key private (Private Key)
– Bob makes one key available to the public (Public Key)
– If Alice needs to send Bob a message
– Bob sends Alice a copy of his public key
– Alice encrypts a message with Bob’s public key
– Bob decrypts the message with his private key
- In Public Key Cryptography, if Alice wants to send a secret message to Bob, she must obtain a copy of his public key. Before doing so, however, she needs to make sure that the public key really belongs to Bob
- Certificate addresses the above problem; it is an electronic document that binds a public key to a particular individual or organization.
- Certificates are issued by a trusted third party, called a Certification Authority (CA).
- A CA issues a certificate that contains the subject’s identity and public key.
- All digital certificates are “signed” with the Certificate Authority’s private key to ensure authenticity. The Certificate Authority’s Public Key is widely distributed.
An SSL certificate contains the following information:
– The subject’s common name (e.g., www.oracle.com, the host name clients connect to)
– Additional identifying information (e.g., organization and address)
– The subject’s public key
– The certificate’s validity period (its expiration date)
– The name of the CA that issued the certificate (e.g., VeriSign)
– A unique serial number
– The issuing CA’s digital signature over the above contents
The primary certificate file formats are:
- PEM – Can contain private keys (RSA and DSA), public keys (RSA and DSA) and X.509 certificates. It stores the DER data Base64 encoded between ASCII “-----BEGIN …-----” and “-----END …-----” header and footer lines, so it is suitable for text-mode transfer between systems.
- DER – Distinguished Encoding Rules (DER) can contain private keys, public keys and certificates, stored as binary ASN.1 DER. It is the binary format most browsers import directly. It is headerless: PEM is text-header-wrapped DER.
- PKCS#12 – Public Key Cryptography Standards #12 (PKCS#12) can contain private keys, public keys, and certificates (typically a private key together with its certificate chain) in a single password-protected binary file, also known as a PFX file.
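The PEM-is-wrapped-DER relationship above, as an added example written for these notes (not code from the original page): a minimal DER encoder and decoder for the tag-length-value structure, plus the PEM wrapping and unwrapping around it. The sample structure is constructed for the example (a SEQUENCE holding an INTEGER, a UTF8String and a 200-byte OCTET STRING, so that a long-form length is exercised); it is not a real certificate, which would be a much larger SEQUENCE under the label CERTIFICATE.

```python
import base64
import textwrap


def encode_length(n):
    """DER length: short form below 128, otherwise 0x80|count followed by the minimal big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_tlv(tag, value):
    return bytes([tag]) + encode_length(len(value)) + value


def decode_tlv(data, offset=0):
    """Return (tag, value, next_offset) for the element starting at offset, rejecting non-DER lengths."""
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length is not allowed in DER")
        length = int.from_bytes(data[pos : pos + nbytes], "big")
        if length < 0x80 or (length.bit_length() + 7) // 8 != nbytes:
            raise ValueError("non-minimal length encoding is not DER")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(data):
        raise ValueError("truncated element")
    return tag, data[pos:end], end


def parse_der(data):
    """Parse a DER byte string into nested (tag, payload) pairs; constructed tags (bit 0x20) recurse."""
    items, offset = [], 0
    while offset < len(data):
        tag, value, offset = decode_tlv(data, offset)
        items.append((tag, parse_der(value) if tag & 0x20 else value))
    return items


def der_to_pem(der, label="CERTIFICATE"):
    """PEM = Base64 of the DER bytes in 64-column lines between BEGIN/END header lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem, label=None):
    """Strip the PEM header and footer and Base64-decode what is between them."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("missing PEM header or footer")
    found = lines[0][len("-----BEGIN ") : -5]
    if label is not None and found != label:
        raise ValueError(f"expected a {label} block, found {found}")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


# Constructed sample: SEQUENCE { INTEGER 2, UTF8String "CN=example", OCTET STRING (200 zero bytes) }.
SAMPLE_DER = encode_tlv(
    0x30,
    encode_tlv(0x02, b"\x02") + encode_tlv(0x0C, b"CN=example") + encode_tlv(0x04, bytes(200)),
)
SAMPLE_PEM = der_to_pem(SAMPLE_DER, "EXAMPLE DATA")
```

Rejecting non-minimal length encodings is what makes this a DER parser rather than a BER one; a parser that accepts both lets two different byte strings carry the same certificate, which is exactly what a signature over the DER bytes is supposed to rule out.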