Tech Mahindra Limited confidential© Tech Mahindra Limited 2007

Introducing Weblogic Security

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Session Objectives At the end of the training you will be able to

Understand security fundamentals and the enhanced security features of Weblogic Server 10

Understand the Weblogic and the Single Sign-On (SSO) framework

Understand the Security Assertion Markup Language (SAML) security framework

Introduction to WLS Security

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Authentication Authentication is the process that establishes the identity of

a user by validating the users credentials against the user repository.

Weblogic Server provides the following types of authentication

Username/password authentication Certificate authentication Digest authentication Perimeter authentication

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Authorization Authorization is the process that controls interactions

between users and Weblogic resources These interactions are based on user identity Authorization is defined with the help of the following

concepts and functionalities: Weblogic resources Security policies ContextHandlers Access decisions Adjudication Java Authorization Contracts for Containers (JACC)

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Auditing Auditing is a process that collects, stores and distributes

information about operating requests An auditing provider provides auditing services.

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Identity and Trust A private key and a digital certificate provide identity for a

server A trusted CA certificate established trust for a certificate

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Secure Sockets Layer (SSL) SSL enables secure communication between applications

connected through the web The following SSL features have been added to Weblogic

Server versions 9.1 and above SSL attributes for network channels Dynamic SSL attributes for the Weblogic Server

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Java EE and Weblogic Security Weblogic Server 10.3 uses the security services of the Java

Software Development Kit (SDK) version, Java Platform Edition (JSE) 6.0

The security services are based on standardized, modular components

Weblogic Server supports the following JSE 6.0 security packages

Java Secure Socket Extension (JSSE) Java Authentication and Authorization Service (JAAS) Java Security Manager Java Cryptography Architecture (JCA) and Java Cryptography

Extensions (JCE) JACC

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Introduction to SSO SSO requires a user to sign on to an application only once

and gain access to many different application components This enables users to log on securely to all their applications,

Web sites, and mainframe sessions with a single identity

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Tech Mahindra Limited confidential© Tech Mahindra Limited 2007

Understanding Security Realms

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Tech Mahindra Limited confidential© Tech Mahindra Limited 2007

Configuring Non-Default Security Providers

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

Tech Mahindra Limited confidential© Tech Mahindra Limited 2007

Securing Weblogic Resources Through SSL

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited

CONFIDENTIAL© Copyright 2007 Tech Mahindra Limited