Sunday, 21 August 2016

Security concepts

Security Realms in WebLogic Server :
  • A security realm is a scoping mechanism: it groups the security configuration that protects one domain's resources.
  • Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies.
  • You can configure multiple security realms in a domain; however, only one can be the active security realm (the default realm is named myrealm).
Security Providers :
  • Security providers are modular components that handle specific aspects of security, such as authentication and authorization.
  • The WebLogic Security Service supports the following types of security providers :
Authentication :
  • The process whereby the identity of users or system processes is proved or verified.
  • Types of authentication :

  1. Username and password authentication
  2. Certificate-based authentication directly with WebLogic Server (two-way SSL)
  3. HTTP certificate-based authentication proxied through an external Web server (the web server terminates SSL and forwards the client certificate in a request header, so WebLogic must accept that header only from the trusted web server)
Identity Assertion :
  • An Identity Assertion provider is a special type of Authentication provider that performs perimeter authentication (authentication using tokens).
  • It establishes a client's identity from a client-supplied token (for example an X.509 certificate, a SAML assertion, or a custom header).
  • The function of an Identity Assertion provider is to validate the token and map it to a username; if the token is not actually verified (signature, issuer, expiry), anyone who can forge a token can assert any identity.
  • Once this mapping is complete, an Authentication provider's LoginModule converts the username to a principal (an authenticated user, group, or system process). The LoginModule never sees a password in this flow, so the whole trust rests on the token check.
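The validate-then-map step, as an added Python example that is not part of the original post and not WebLogic's own Identity Asserter: the token format (an HMAC-signed "user:expiry:hexmac" string), the shared secret and the user store are all constructed for the illustration. It shows why validation has to happen before mapping: a token whose MAC or expiry check fails is rejected before any username is looked up, and a valid token for an unknown user still fails at the LoginModule step.

```python
import hashlib
import hmac
import time

# Constructed for this example: the secret the token issuer (the perimeter)
# shares with the identity asserter. A real asserter would load this from a
# keystore, or verify an asymmetric signature instead of an HMAC.
ASSERTER_SECRET = b"example-shared-secret-not-for-production"

# Constructed user store standing in for the Authentication provider's
# LoginModule backend: username -> groups.
USER_STORE = {
    "shadab1": ["Monitors"],
    "deployer1": ["Deployers"],
}


def issue_token(username, secret=ASSERTER_SECRET, ttl=300, now=None):
    """Issuer side: mint a token of the form 'user:expiry:hexmac'."""
    now = int(time.time()) if now is None else now
    body = "%s:%d" % (username, now + ttl)
    mac = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return "%s:%s" % (body, mac)


def assert_identity(token, secret=ASSERTER_SECRET, now=None):
    """Identity Assertion step: validate the token, THEN map it to a username.
    Returns the username, or None if the token is invalid (nothing is mapped)."""
    now = int(time.time()) if now is None else now
    try:
        username, expiry_str, mac = token.split(":")
        expiry = int(expiry_str)
    except ValueError:
        return None  # malformed token (wrong field count or non-numeric expiry)
    expected = hmac.new(secret, ("%s:%d" % (username, expiry)).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if expiry <= now:
        return None
    return username


def login_module(username):
    """LoginModule step: turn an already-asserted username into principals
    (user plus groups). Unknown users are refused here."""
    groups = USER_STORE.get(username)
    if groups is None:
        return None
    return {"user": username, "groups": list(groups)}


def authenticate_with_token(token, now=None):
    """Full perimeter-authentication flow: assert identity, then build principals."""
    username = assert_identity(token, now=now)
    if username is None:
        return None
    return login_module(username)


if __name__ == "__main__":
    t = issue_token("shadab1", now=1000)
    print(authenticate_with_token(t, now=1010))                           # principals for shadab1
    print(authenticate_with_token(t.replace("shadab1", "admin", 1), now=1010))  # None: MAC fails
    print(authenticate_with_token(t, now=2000))                           # None: expired
```

The tampered-token case is the one that matters: rewriting the username field without the secret leaves the MAC stale, so the asserter never reaches the mapping step.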
Authorization :
  • Once a user's identity has been established by an Authentication provider, authorization is responsible for determining whether access to WebLogic resources should be permitted for that user.
  • An Authorization provider supplies these services by answering the "is access allowed?" question for a given subject, resource, and request context.


Role Mapping :
  • A security role can be granted to many users and groups, and one user can hold several roles.
  • Access rights are granted to roles rather than to individual users; security policies refer to those roles.
  • Role Mapping providers compute the set of roles granted to a requestor for a given resource, at the time of the request (so the roles can depend on the resource, not only on the user).
  • Role Mapping providers supply Authorization providers with this information so that the Authorization provider can answer the "is access allowed?" question for WebLogic resources that use role-based security.
 
Adjudication :
  • When multiple Authorization providers are configured in a security realm, each may return a different answer (PERMIT, DENY, or ABSTAIN) to the "is access allowed?" question for a given resource.
  • Adjudication providers resolve authorization conflicts by weighing each Authorization provider's answer and returning a final access decision. The default adjudicator treats any DENY as final; its "Require Unanimous Permit" setting controls whether every provider must vote PERMIT, or whether one PERMIT with the rest ABSTAIN is enough. If every provider abstains, access is denied.
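The three pieces above (Role Mapping, Authorization, Adjudication) as one added Python model, not WebLogic's code: the group memberships, role policy and access policy are constructed for the example, and the two authorizers and the adjudication rules follow the descriptions in this section (any DENY final; Require Unanimous Permit on or off; all ABSTAIN means DENY). The resource-scoped Approver role shows why role mapping takes the resource as input.

```python
PERMIT, DENY, ABSTAIN = "PERMIT", "DENY", "ABSTAIN"

# Constructed realm data for the example: group memberships per user.
GROUPS = {
    "shadab1": {"Monitors"},
    "dep1": {"Deployers"},
    "adm": {"Administrators"},
    "fin": {"Finance"},
}

# Role mapping policy: role -> list of (resource prefix, group) grants.
# A "" prefix grants the role on every resource, like a global role; the
# Approver role is scoped to one resource subtree.
ROLE_POLICY = {
    "Admin":    [("", "Administrators")],
    "Deployer": [("", "Deployers"), ("", "Administrators")],
    "Monitor":  [("", "Monitors"), ("", "Administrators")],
    "Approver": [("app/payments", "Finance")],
}

# Authorization policy: resource prefix -> roles allowed; longest prefix wins.
ACCESS_POLICY = {
    "app/payments": {"Approver", "Admin"},
    "app":          {"Deployer", "Admin"},
    "console":      {"Monitor", "Deployer", "Admin"},
}


def map_roles(user, resource):
    """Role Mapping provider: the roles this requestor holds on this resource."""
    groups = GROUPS.get(user, set())
    roles = set()
    for role, grants in ROLE_POLICY.items():
        for prefix, group in grants:
            if resource.startswith(prefix) and group in groups:
                roles.add(role)
    return roles


def role_authorizer(resource, roles):
    """Authorization provider: PERMIT/DENY for resources it has a policy for,
    ABSTAIN for everything else."""
    matches = [p for p in ACCESS_POLICY if resource.startswith(p)]
    if not matches:
        return ABSTAIN
    allowed = ACCESS_POLICY[max(matches, key=len)]
    return PERMIT if roles & allowed else DENY


def maintenance_authorizer(resource, roles, maintenance=False):
    """Second Authorization provider: during maintenance it vetoes access to
    the application subtree for everyone but Admin; otherwise it abstains."""
    if maintenance and resource.startswith("app") and "Admin" not in roles:
        return DENY
    return ABSTAIN


def adjudicate(votes, require_unanimous_permit=False):
    """Default-adjudicator rules: any DENY is final; with Require Unanimous
    Permit every provider must vote PERMIT; otherwise one PERMIT with the rest
    ABSTAIN is enough; all ABSTAIN (or no votes at all) is a DENY."""
    if DENY in votes:
        return DENY
    if require_unanimous_permit:
        return PERMIT if votes and all(v == PERMIT for v in votes) else DENY
    return PERMIT if PERMIT in votes else DENY


def is_access_allowed(user, resource, maintenance=False, require_unanimous_permit=False):
    """The whole chain: role mapping -> each authorizer votes -> adjudication."""
    roles = map_roles(user, resource)
    votes = [
        role_authorizer(resource, roles),
        maintenance_authorizer(resource, roles, maintenance),
    ]
    return adjudicate(votes, require_unanimous_permit) == PERMIT


if __name__ == "__main__":
    for user, res in [("shadab1", "console"), ("shadab1", "app/orders"),
                      ("dep1", "app/orders"), ("fin", "app/payments"), ("fin", "app/orders")]:
        print(user, res, is_access_allowed(user, res))
    print("dep1 during maintenance:", is_access_allowed("dep1", "app/orders", maintenance=True))
    print("dep1, unanimous permit required:",
          is_access_allowed("dep1", "app/orders", require_unanimous_permit=True))
```

Note the last call: with Require Unanimous Permit on, an abstaining provider turns a PERMIT into a DENY, which is why that setting is usually left off unless every configured authorizer is expected to have an opinion on every resource.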
Credential Mapping :
  • Credential Mapping providers let WebLogic Server access remote systems on behalf of a subject that has already been authenticated in WebLogic.
  • That is, a Credential Mapping provider maps the authenticated WebLogic subject to the credentials (for example a username and password, or a certificate) that the remote system expects.
Keystore :
  • A keystore is a password-protected file holding either private keys with their certificates or trusted certificate authority certificates. WebLogic uses two: an identity keystore (e.g. identity.jks) containing the server's private key and certificate chain, and a trust keystore (e.g. trust.jks) containing only the CA certificates the server trusts. Keep private keys out of the trust keystore, and protect both files and their passphrases like credentials.


Certificate Lookup and Validation (CLV) :
  • X.509 certificates need to be located and validated for purposes of identity and trust.
  • CLV providers receive certificates, certificate chains, or certificate references, complete the certificate path (if necessary), and validate all the certificates in the path.
  • There are two types of CLV provider :
  • -          CertPath Builder   –> receives a certificate, a chain, or a reference; looks up and completes the certificate path if necessary and validates the certificates in it
  • -          CertPath Validator –> receives an already complete certificate chain and performs extra validation on it (for example, revocation checking)
Certificate Registry :
  • The registry stores a list of valid certificates.
  • Only registered certificates are valid.
  • A certificate is revoked by removing it from the certificate registry.
  • The registry is stored in the embedded LDAP server.
  • The Certificate Registry is both a CertPath Builder and a CertPath Validator.


Auditing :
  • Auditing provides an electronic trail of computer activity.
  • It is the process whereby information about security requests and their outcomes is collected, stored, and distributed for the purpose of non-repudiation; the same trail is what you rely on when investigating failed logins or unexpected access later.

Hands on security

Creating users in Weblogic.

When you create a domain you create one administrative username and password. But you may need more users for your environment, with different roles (for example Deployer or Tester), rather than sharing the one administrator account. To create a user, navigate to Security Realms ==> myrealm ==> Users and Groups tab ==> Users and click "New".

Provide the name of the user and the password for the user (the default authenticator requires at least 8 characters) and press OK.

The user will be created.

But if you now try to log in to the console with the newly created user, you will not be allowed in: the user is not yet a member of any group, so none of the global roles (Admin, Deployer, Operator, Monitor) is granted to it and the console denies access.

So now click on the new user "shadab1", navigate to the Groups tab, and add it to one of the built-in groups: Administrators, Deployers, Operators, or Monitors (these map to the Admin, Deployer, Operator, and Monitor global roles; pick the least privileged one that does the job, for example Monitors for read-only console access). Save, then log out of the console.

Now try to log in with the newly created user shadab1: you will be able to log in to the console, and what it can do is limited by the group you chose.

In this way we can create a number of users and give them different roles.
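The same steps as a WLST script, an added example that is not part of the original post: createUser() and addMemberToGroup() are the DefaultAuthenticator MBean methods the console calls, while the pre-flight check_new_user() (the console-group allow-list and a "password must not contain the username" rule, which the default authenticator does not enforce by itself) is this example's own addition. The admin URL, credentials and user names are placeholders.

```python
# WLST script (Jython; run with wlst.sh). connect(), cmo and the MBean methods
# below are WLST/WebLogic APIs; hostnames, credentials and names are assumed.

# Built-in groups that grant console access through the matching global role.
CONSOLE_GROUPS = {
    "Administrators": "Admin",
    "Deployers": "Deployer",
    "Operators": "Operator",
    "Monitors": "Monitor",
}
MIN_PASSWORD_LENGTH = 8  # DefaultAuthenticator default MinimumPasswordLength


def check_new_user(username, password, group):
    """Pre-flight checks run before touching the server. The length rule is the
    authenticator's own; the group allow-list and the 'no username in password'
    rule are this example's additions. Returns a list of problems ([] = OK)."""
    problems = []
    if not username or username != username.strip():
        problems.append("username must be non-empty with no surrounding whitespace")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append("password shorter than %d characters" % MIN_PASSWORD_LENGTH)
    if username and username.lower() in password.lower():
        problems.append("password must not contain the username")
    if group not in CONSOLE_GROUPS:
        problems.append("group %r is not a console group (%s)"
                        % (group, ", ".join(sorted(CONSOLE_GROUPS))))
    return problems


def create_console_user(username, password, group, description=""):
    """Create the user in the DefaultAuthenticator of the default realm and add
    it to exactly one console group. Returns the global role it now holds."""
    problems = check_new_user(username, password, group)
    if problems:
        raise ValueError("; ".join(problems))
    realm = cmo.getSecurityConfiguration().getDefaultRealm()   # myrealm
    atn = realm.lookupAuthenticationProvider("DefaultAuthenticator")
    if atn.userExists(username):
        raise ValueError("user %s already exists" % username)
    atn.createUser(username, password, description)
    atn.addMemberToGroup(group, username)
    return CONSOLE_GROUPS[group]


if __name__ == "__main__":
    # Assumed admin server URL and credentials: read them from a secure store
    # or prompt for them rather than hard-coding real values in the script.
    connect("weblogic", "<admin-password>", "t3://localhost:7001")
    role = create_console_user("shadab1", "<new-password>", "Monitors",
                               "read-only console user")
    print("created shadab1 with global role %s" % role)
    disconnect()
```

The script refuses a group outside the four console groups on purpose: adding a user to Administrators because "it just works" is how a tester account ends up able to change the realm configuration.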

Migrating users from one environment to another

There may be a scenario where you have to migrate all the users from one environment to another.
WebLogic provides an effective method for users, groups, roles and policies to be transferred from one domain to another: each security provider that supports it exports its data to files, and the same provider in the other domain imports them.
Do these activities as a user who has admin rights.

Navigate to the environment, i.e. the domain, from which you want to migrate the users.
Click on Security Realms ==> myrealm ==> Migration tab ==> Export
In one of our domains we have 5 users, and now we want to export them to another domain.

Create a new folder on the admin server host, enter its path in the export directory field, and click "Save". The admin server process writes the export, so the folder must be writable by the account it runs as, and should not be readable by anyone else.

These files will be created inside the folder, typically one .dat file per provider that supports export (the DefaultAuthenticator file holds the users and groups). Now copy the files to the environment, i.e. the domain, where you want to import these users. The DefaultAuthenticator export contains the users' password hashes, so treat it as sensitive: transfer it over a secure channel and delete the copies once the import is done.


users.zip
Now we are in the other domain, where we want to import the users.

Navigate to the environment, i.e. the domain, into which you want to migrate the users.
Click on Security Realms ==> myrealm ==> Migration tab ==> Import, enter the folder holding the copied files, and save.

You can use the above users.zip file to import into your domain (unpack it first).
All the users in it have the password "weblogic1". That is fine for a lab, but a published password is a credential anyone can use: do not import this sample into any domain that matters, and if you do import it, reset every password immediately.

The users are imported into the new environment (i.e. domain).

In the Users and Groups tab you can view all the users and use them in your new domain. Check the Groups tab of the imported users as well: group memberships travel with the export, so a user who was in Administrators in the source domain is an administrator in the target domain too.
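The export and import as a WLST script, an added example rather than the post's own procedure: exportData()/importData() are the ExportMBean/ImportMBean methods behind the Migration tab, and the listUsers() cursor walk is the DefaultAuthenticator's user-listing API. The per-provider file naming (provider name plus .dat in the chosen directory), the hosts, paths and credentials are assumptions, and the script assumes WLST runs on the admin server host so the file paths it checks are the ones the server sees. migration_diff() is a plain-Python check so that you verify the import rather than trusting the "imported" message.

```python
# WLST script (Jython; run with wlst.sh). exportData()/importData() are the
# WebLogic ExportMBean/ImportMBean methods the Migration tab calls; file naming,
# directories, hosts and credentials are assumptions for this example.
import os


def realm_providers(realm):
    """The providers whose data the Migration tab moves: authentication (users
    and groups), role mapping, authorization (policies), credential mapping."""
    providers = []
    providers.extend(realm.getAuthenticationProviders())
    providers.extend(realm.getRoleMappers())
    providers.extend(realm.getAuthorizers())
    providers.extend(realm.getCredentialMappers())
    return providers


def export_realm(export_dir):
    """Export each provider that supports export to <export_dir>/<provider>.dat.
    The DefaultAuthenticator file contains password hashes: keep the directory
    readable by the admin server's account only. Returns the names exported."""
    from java.util import Properties  # Jython/WLST only
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    exported = []
    for p in realm_providers(realm):
        if not hasattr(p, "exportData"):
            continue
        fmt = p.getSupportedExportFormats()[0]  # e.g. 'DefaultAtn' for the DefaultAuthenticator
        p.exportData(fmt, os.path.join(export_dir, p.getName() + ".dat"), Properties())
        exported.append(p.getName())
    return exported


def import_realm(import_dir):
    """Import into the connected (target) domain from files written by export_realm()."""
    from java.util import Properties
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    imported = []
    for p in realm_providers(realm):
        path = os.path.join(import_dir, p.getName() + ".dat")
        if not hasattr(p, "importData") or not os.path.exists(path):
            continue
        p.importData(p.getSupportedImportFormats()[0], path, Properties())
        imported.append(p.getName())
    return imported


def list_users(max_users=1000):
    """Usernames in the DefaultAuthenticator (cursor API), for a before/after check."""
    realm = cmo.getSecurityConfiguration().getDefaultRealm()
    atn = realm.lookupAuthenticationProvider("DefaultAuthenticator")
    cursor = atn.listUsers("*", max_users)
    names = []
    while atn.haveCurrent(cursor):
        names.append(atn.getCurrentName(cursor))
        atn.advance(cursor)
    atn.close(cursor)
    return names


def migration_diff(source_users, target_users):
    """Plain-Python helper: (missing_in_target, only_in_target), both sorted."""
    src, dst = set(source_users), set(target_users)
    return sorted(src - dst), sorted(dst - src)


if __name__ == "__main__":
    # Assumed hosts and credentials. Export from the source domain, copy the
    # directory to the target admin server host, then import and compare.
    connect("weblogic", "<admin-password>", "t3://source-admin:7001")
    print("exported: %s" % export_realm("/tmp/realm-export"))
    source_users = list_users()
    disconnect()
    connect("weblogic", "<admin-password>", "t3://target-admin:7001")
    print("imported: %s" % import_realm("/tmp/realm-export"))
    missing, extra = migration_diff(source_users, list_users())
    print("missing in target: %s, only in target: %s" % (missing, extra))
    disconnect()
```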

User lockout

In WebLogic we can configure how many times a user can enter a wrong password. Once those attempts are used up, WebLogic locks that user for a configurable period of time; only an administrator can unlock the user before that period expires. The counter is per user, so the setting limits online password guessing but also lets anyone who knows a username lock that user out; choose the threshold and durations with both in mind.
Click on Security Realms ==> myrealm ==> Configuration ==> User Lockout

Here we can change the values as we would like. The defaults are: Lockout Enabled, Lockout Threshold 5, Lockout Duration 30 minutes, Lockout Reset Duration 5 minutes (the window within which the invalid attempts must occur to count towards the threshold).

With the defaults, if a user tries a wrong password 5 times within 5 minutes, the account will be locked for 30 minutes.

You will see in the admin server log that the user shadab1 has been locked for 30 minutes. This log line is worth alerting on: repeated lockouts of one user, or lockouts of many users in a short time, indicate password guessing rather than a forgetful user.
Now, to unlock the user, log in to the console with admin credentials.

Navigate to the domain name ==> Security ==> Unlock User and provide the name of the user that has been locked.

You will get a message that the user has been unlocked.

To check how many invalid login attempts have been made, and other lockout information:

Click on Admin Server ==> Monitoring ==> Security.
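The lockout mechanism, the configuration page and the unlock and monitoring steps together, as an added Python example that is neither the post's nor WebLogic's code. LockoutTracker is a plain-Python model of how the three User Lockout settings interact, using WebLogic's defaults (5 failures within 5 minutes lock the user for 30 minutes); it runs anywhere. The functions after it are the WLST equivalents of the console pages, using the UserLockoutManager configuration MBean and the UserLockoutManagerRuntime MBean behind Admin Server ==> Monitoring ==> Security. The domain name, server name, URL, credentials and the exact runtime tree path are assumptions.

```python
# LockoutTracker is plain Python; the functions after it are WLST (Jython) and
# run only under wlst.sh. Domain/server names, URL, credentials and the runtime
# MBean path are assumptions for this example.


class LockoutTracker(object):
    """`threshold` failed logins within `reset_minutes` lock the user for
    `duration_minutes`; a successful login clears the failure count; a locked
    user is refused even with the right password until the lock expires."""

    def __init__(self, threshold=5, duration_minutes=30, reset_minutes=5, enabled=True):
        self.threshold = threshold
        self.duration = duration_minutes
        self.reset = reset_minutes
        self.enabled = enabled
        self.failures = {}      # user -> minutes at which recent failures happened
        self.locked_until = {}  # user -> minute at which the lock expires

    def is_locked(self, user, now):
        return self.enabled and self.locked_until.get(user, -1) > now

    def login(self, user, password_ok, now):
        """Outcome of an attempt at minute `now`: 'OK', 'FAILED' or 'LOCKED'."""
        if self.is_locked(user, now):
            return "LOCKED"
        if password_ok:
            self.failures.pop(user, None)
            return "OK"
        recent = [t for t in self.failures.get(user, []) if now - t < self.reset]
        recent.append(now)
        self.failures[user] = recent
        if self.enabled and len(recent) >= self.threshold:
            self.locked_until[user] = now + self.duration
            self.failures.pop(user, None)
            return "LOCKED"
        return "FAILED"

    def clear_lockout(self, user):
        """What Domain ==> Security ==> Unlock User does."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)


# ---- WLST part: the configuration and runtime MBeans behind the console pages ----

def configure_lockout(domain_name, threshold=5, duration_minutes=30, reset_minutes=5):
    """Security Realms ==> myrealm ==> Configuration ==> User Lockout, via WLST."""
    edit()
    startEdit()
    cd("/SecurityConfiguration/%s/Realms/myrealm/UserLockoutManager/UserLockoutManager"
       % domain_name)
    cmo.setLockoutEnabled(True)
    cmo.setLockoutThreshold(threshold)
    cmo.setLockoutDuration(duration_minutes)
    cmo.setLockoutResetDuration(reset_minutes)
    save()
    activate()


def lockout_runtime(server_name):
    """Runtime MBean shown under Admin Server ==> Monitoring ==> Security.
    The tree path below is an assumption; adjust it if your tree differs."""
    cd("serverRuntime:/ServerSecurityRuntime/%s/DefaultRealmRuntime/DefaultRealmRuntime/"
       "UserLockoutManagerRuntime/UserLockoutManagerRuntime" % server_name)
    return cmo


def lockout_status(server_name, user):
    """Per-user and server-wide counters, as on the Monitoring ==> Security page."""
    rt = lockout_runtime(server_name)
    return {
        "locked": rt.isLockedOut(user),
        "failures": rt.getLoginFailureCount(user),
        "total_invalid_attempts": rt.getInvalidLoginAttemptsTotalCount(),
        "total_lockouts": rt.getUserLockoutTotalCount(),
    }


def unlock_user(server_name, user):
    """Same effect as Domain ==> Security ==> Unlock User."""
    lockout_runtime(server_name).clearLockout(user)


if __name__ == "__main__":
    connect("weblogic", "<admin-password>", "t3://localhost:7001")  # assumed
    configure_lockout("base_domain")   # the defaults, set explicitly
    print(lockout_status("AdminServer", "shadab1"))
    unlock_user("AdminServer", "shadab1")
    disconnect()
```

The model makes the reset window visible: five failures spread one every ten minutes never lock the account, because only failures inside the 5-minute reset window are counted together, while five failures in quick succession lock it for 30 minutes regardless of whether the next attempt uses the right password.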
