
4.6.1.3 Embedded LDAP Server

WebLogic Server uses its embedded LDAP server as the database that stores users, groups, security roles, and security policies for the WebLogic security providers. The embedded LDAP server is a complete LDAP server that is production quality for reasonably small environments (10,000 or fewer users). For applications that need to scale beyond this recommendation, the embedded LDAP server is still well suited as a development, integration, and testing environment; its contents can later be exported to an external LDAP server for production deployment.

The embedded LDAP server supports the following access and storage functions:

■ Access and modification of entries in the LDAP server.
■ Use of an LDAP browser to import security data into, and export it from, the LDAP server.
■ Read and write access by the WebLogic security providers.

Table 4–1 shows how each of the WebLogic security providers uses the embedded LDAP server.

Note: WebLogic Server does not support adding attributes to the embedded LDAP server.

Table 4–1 Usage of the Embedded LDAP Server

WebLogic Security Provider    Embedded LDAP Server Usage
Authentication                Stores user and group information.
Identity Assertion            Stores user and group information.
Authorization                 Stores security roles and security policies.
Adjudication                  None.
Role Mapping                  Supports dynamic role associations by obtaining a computed set of roles granted to a requestor for a given WebLogic resource.
Auditing                      None.
Credential Mapping            Stores Username-Password credential mapping information.
Certificate Registry          Stores registered end certificates.

4.6.1.4 RDBMS Security Store

WebLogic Server provides the option of using an external RDBMS as the datastore for the following security providers:

■ XACML Authorization and Role Mapping providers
■ WebLogic Credential Mapping provider
■ PKI Credential Mapping provider
■ The following providers for SAML 1.1:
  – SAML Identity Assertion provider V2
  – SAML Credential Mapping provider V2
■ The following providers for SAML 2.0:
  – SAML 2.0 Identity Assertion provider
  – SAML 2.0 Credential Mapping provider
■ Default Certificate Registry

When the RDBMS security store is configured in a security realm, every instance of the preceding security providers that has been created in that realm automatically uses only the RDBMS security store as its datastore, and not the embedded LDAP server. Other security providers continue to use their default stores; for example, the WebLogic Authentication provider continues to use the embedded LDAP server.

Oracle recommends that you configure the RDBMS security store at the time of domain creation; the Configuration Wizard has been enhanced to simplify the process. Configuring the store before the first boot ensures that, when the domain is started, the security policies required to access the domain can be retrieved from the external RDBMS.

Note that the RDBMS security store is required in order to use SAML 2.0 services in two or more WebLogic Server instances in a domain, such as in a cluster. For more information about the RDBMS security store, see Managing the RDBMS Security Store in Securing Oracle WebLogic Server.
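The following offline WLST script is an added example, not code from the Oracle documentation, showing what "configure the RDBMS security store before the domain is first booted" looks like when done with a script rather than the Configuration Wizard. The domain directory, domain and realm names, JDBC URL, and database account are placeholders; the script assumes the security-store schema has already been created in the target database with the rdbms_security_store_<db>.sql DDL that ships under WL_HOME/server/lib, and that the RDBMSSecurityStore MBean attribute names used (ConnectionURL, DriverName, Username, Password) match the release in use.

```wlst
# Added example (not Oracle's code): create an RDBMS security store in a
# realm of a domain that has not yet been booted, using offline WLST.
# All paths, names and connection details below are placeholders.
import os

DOMAIN_HOME = '/u01/domains/base_domain'            # placeholder
DOMAIN_NAME = 'base_domain'                         # placeholder
REALM       = 'myrealm'                             # default realm name
JDBC_URL    = 'jdbc:oracle:thin:@dbhost:1521/ORCL'  # placeholder
DRIVER      = 'oracle.jdbc.OracleDriver'
DB_USER     = 'wls_secstore'                        # placeholder; owner of the
                                                    # security-store schema only
# Read the DB password from the environment rather than hard-coding it;
# offline WLST writes it to config.xml in encrypted form.
DB_PASSWORD = os.environ.get('SECSTORE_DB_PASSWORD')
if DB_PASSWORD is None:
    raise Exception('SECSTORE_DB_PASSWORD not set')

readDomain(DOMAIN_HOME)

# Navigate to the realm and add the (singleton) RDBMS security store.
cd('/SecurityConfiguration/%s/Realms/%s' % (DOMAIN_NAME, REALM))
create('RDBMSSecurityStore', 'RDBMSSecurityStore')
cd('RDBMSSecurityStore/RDBMSSecurityStore')
set('ConnectionURL', JDBC_URL)
set('DriverName', DRIVER)
set('Username', DB_USER)
set('Password', DB_PASSWORD)

# Persist to config.xml. Once the domain boots, the XACML Authorization and
# Role Mapping providers, the Credential Mapping providers, the SAML
# providers and the Default Certificate Registry in this realm read and
# write the RDBMS instead of the embedded LDAP server, so the database
# must be reachable from the Administration Server at boot.
updateDomain()
closeDomain()
```

Run it with WL_HOME/common/bin/wlst.sh before starting the domain for the first time; in a clustered domain that will provide SAML 2.0 services this step, or its Configuration Wizard equivalent, is mandatory rather than optional.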

4.6.2 Types of Security Providers