Deploying and configuring security in WebLogic

You can deploy Enterprise Security in a BEA WebLogic server using either:

To remove Enterprise Security, see “Removing Enterprise Security from a WebLogic server”.

Steps: Deploying Enterprise Security in WebLogic using securetool

  1. Set the BEA_HOME environment variable to the WebLogic installation directory.

  2. Set the JAVA_HOME environment variable to point to a JDK 1.4 installation.

  3. Deploy the middleware, using the securetool wls_deploymw command—see wls_deploymw.

  4. Configure the middleware, using either:

  5. Deploy Enterprise Security Manager, using the securetool wls_deploysm command—see wls_deploysm.

For complete information about securetool, see Chapter 4, “Using securetool.”

Steps: Configuring Enterprise Security using the WebLogic Server Console

  1. Using a Web browser, connect and log in to the WebLogic Server Console; typically at http://localhost:7001/console. If SSL is enabled on the server, use the SSL listen port instead (by default, https://localhost:7002/console) so that the administrator password is not sent in clear text.

  2. Configure the Sybase security provider for the default WebLogic security realm:

    1. Make sure the Enterprise Security system user exists in the realm. If you configure the Sybase providers in the default realm, the system user already exists; it was created when you deployed Enterprise Security. If you use another realm, create a system user for that realm with the same name as the system user in the default realm; by default, that name is “SybaseSecuritySystemIdentity.” The system user name must be the same in every realm, but the passwords can differ.

    2. In the left pane, open the Security | Realm folder. Select the default security realm; typically, “myrealm.”

    3. In the right pane, select the Providers tab; then, select the Authentication tab. You should see two providers installed, “DefaultAuthenticator” and “DefaultIdentityAsserter.”

    4. Select Configure a New Sybase Authenticator, then click Create.

    5. Change the Control Flag setting to Optional, and click Apply. An Optional provider is consulted but is not required to succeed, so a login that the Sybase provider cannot verify can still be accepted by another authentication provider in the realm.

    6. Select the Details tab, and set the Provider URL to the WebLogic server URL, if it is different from the default, which is t3://localhost:7001.

    7. In the left pane, select “myrealm.” Note the newly added SybaseAuthenticator instance.

    8. From the list of configured authenticators, select DefaultAuthenticator. Change the Control Flag setting from Required (the WebLogic default) to Sufficient, and click Apply. With Sufficient, a login that the DefaultAuthenticator accepts succeeds immediately without consulting the SybaseAuthenticator; a login it rejects falls through to the SybaseAuthenticator. If the flag were left at Required, users who exist only in Enterprise Security could never log in.

  3. Configure the SybaseAuthorizer:

    1. In the left pane, select “myrealm.” In the right pane, select the Authorizers tab.

    2. Select Configure a New Sybase Authorizer, accept the defaults, and click Create.

    3. Set the Provider URL to the WebLogic server URL, if it is different from the default, which is t3://localhost:7001.

    4. The SybaseAuthorizer uses its isAllowedAccess method to perform housekeeping tasks, such as automatic session extension, that must run on every authorization call. The method does not itself decide whether the caller is allowed access; it returns a configured value, which by default is “PERMIT.” The other possible values are “ABSTAIN” and “DENY.” Because the provider always returns the configured value, the real access decision comes from the other Authorization providers in the realm, combined with the Sybase vote by the Adjudication provider. Keep this in mind when changing the value: “DENY” refuses every request, and “PERMIT” means the Sybase provider never refuses anything on its own.

      If you change the return value to “ABSTAIN,” you must reconfigure the Adjudication provider, because the default adjudicator treats an abstention as a refusal while “Require Unanimous Permit” is selected:

      1. In the right pane, select the configured Adjudication provider, and choose the Details tab.

      2. Uncheck the box titled “Require Unanimous Permit,” and click Apply.

  4. Configure a new SybaseIdentityAsserter:

    1. In the left pane, select “myrealm.” In the right pane, select the Providers tab, then select the Authentication tab.

      You should see these providers already installed: DefaultAuthenticator, DefaultIdentityAsserter, SybaseAuthenticator, and SybaseIdentityAsserter.

      To enable the SybaseIdentityAsserter to perform certificate authentication, you must first enable two-way SSL (client certificate authentication) on your WebLogic server, including a trust keystore that contains the CA certificates that issued the client certificates. See the BEA WebLogic documentation.

    2. Select Configure a New Sybase Identity Asserter, and click Create.

    3. In the Available Active Types list, highlight X.509, and move it to the Chosen list. Click Apply.

    4. Select the Details tab, and verify that the Provider URL is set to “t3s://localhost:7002” (the SSL listen address and port of the server). Change it if your server uses a different SSL address or port. Click Apply.

  5. Configure the Sybase role provider:

    1. In the left pane, select the default realm (myrealm). In the right pane, select the Providers tab, then select the Role Mapping tab. You should see an instance of the Sybase Role Mapper.

    2. Select Configure a New Sybase Role Mapper, accept the defaults, and click Create.

    3. Select the Details tab, and in the Data Source JNDI Name field, enter the JNDI name of the data source that connects to the ACDB (the Enterprise Security access control database). The default value is the JNDI name of the data source that is created when Enterprise Security is installed.

      If you change the data source name, you must update the value in the Data Source JNDI Name field and the values in the deployment descriptors for the security modules.

  6. Restart the WebLogic server.

For information about setting up authentication and role mapping, see “Setting up WebLogic authentication”.
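The two settings in this procedure that most affect who gets in are the control flags on the authentication providers (steps 2.5 and 2.8) and the “Require Unanimous Permit” setting on the Adjudication provider (step 3.4). The following script is an added example, not code from the Sybase documentation or from WebLogic: it models the JAAS control-flag rule that WebLogic applies across a realm's Authentication providers and the DefaultAdjudicator's rule for combining Authorization provider votes, so you can check what a given combination of settings will do before changing a live realm. The provider order (DefaultAuthenticator listed before SybaseAuthenticator) and the provider and user names are assumptions for the illustration.

```python
"""Model of two WebLogic decision rules used when configuring the Sybase providers.

Added example, not part of the Sybase documentation or the WebLogic product.
(1) jaas_login applies the JAAS control-flag rule across an ordered list of
    Authentication providers.
(2) default_adjudicator applies the DefaultAdjudicator rule to the votes of
    the Authorization providers.
Provider order and the sample user populations below are assumptions.
"""
from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


class Vote(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


def jaas_login(providers, accepts):
    """Evaluate a login against an ordered list of (name, Flag) providers.

    accepts maps provider name -> True if that provider would accept the
    supplied credentials.  Returns (authenticated, consulted), where consulted
    lists the providers actually invoked, in order.
    """
    consulted = []
    required_seen = False
    required_failed = False
    non_required_success = False
    for name, flag in providers:
        consulted.append(name)
        ok = accepts[name]
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    return False, consulted  # a REQUISITE failure stops the chain
        elif flag is Flag.SUFFICIENT:
            if ok and not required_failed:
                return True, consulted  # SUFFICIENT success returns immediately
        else:  # OPTIONAL: consulted, never decisive on its own
            non_required_success = non_required_success or ok
    if required_seen:
        return not required_failed, consulted
    return non_required_success, consulted


# Realm as the page configures it (assumed order: DefaultAuthenticator first).
PAGE_REALM = [("DefaultAuthenticator", Flag.SUFFICIENT),
              ("SybaseAuthenticator", Flag.OPTIONAL)]
# Realm if step 2.8 is skipped and DefaultAuthenticator keeps its default, REQUIRED.
UNCHANGED_REALM = [("DefaultAuthenticator", Flag.REQUIRED),
                   ("SybaseAuthenticator", Flag.OPTIONAL)]


def check_login_paths():
    """Outcomes for a user known only to the embedded LDAP and one known only to Enterprise Security."""
    ldap_only = {"DefaultAuthenticator": True, "SybaseAuthenticator": False}
    sybase_only = {"DefaultAuthenticator": False, "SybaseAuthenticator": True}
    return {
        "page_ldap_user": jaas_login(PAGE_REALM, ldap_only),
        "page_sybase_user": jaas_login(PAGE_REALM, sybase_only),
        "unchanged_sybase_user": jaas_login(UNCHANGED_REALM, sybase_only),
    }


def default_adjudicator(votes, require_unanimous_permit=True):
    """DefaultAdjudicator rule: unanimous PERMIT, or (if not required) at least one PERMIT and no DENY."""
    if not votes:
        return False
    if require_unanimous_permit:
        return all(v is Vote.PERMIT for v in votes)  # any ABSTAIN or DENY refuses access
    if any(v is Vote.DENY for v in votes):
        return False
    return any(v is Vote.PERMIT for v in votes)  # ABSTAIN votes are ignored


if __name__ == "__main__":
    for label, (ok, consulted) in check_login_paths().items():
        print(f"{label}: authenticated={ok} consulted={consulted}")
    # DefaultAuthorizer votes PERMIT; vary the SybaseAuthorizer's configured value.
    for sybase in Vote:
        for unanimous in (True, False):
            granted = default_adjudicator([Vote.PERMIT, sybase], unanimous)
            print(f"SybaseAuthorizer={sybase.value} unanimous={unanimous}: granted={granted}")
```

Running the script shows why step 2.8 matters: with DefaultAuthenticator at Required, a user who exists only in Enterprise Security is refused even though the SybaseAuthenticator accepts the credentials. It also shows why the adjudicator must be changed when the SybaseAuthorizer returns ABSTAIN: with “Require Unanimous Permit” on, every request is refused regardless of the other providers' votes, and with it off the Sybase abstention is simply ignored.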

Steps: Removing Enterprise Security from a WebLogic server

To remove Enterprise Security from a WebLogic server, you can either run the uninstaller, or perform the following steps. For information about running the uninstaller, see the Enterprise Portal Installation Guide for your platform.

  1. Remove the middleware using the securetool wls_removemw command—see wls_removemw.

  2. Remove Enterprise Security Manager using the securetool wls_removesm command—see wls_removesm.