Why Customize the Default Security Configuration?

Securing Oracle WebLogic Server

3 Customizing the Default Security Configuration

The following sections provide information about customizing the default security configuration by creating a new security realm:

■ Section 3.1, Why Customize the Default Security Configuration?
■ Section 3.2, Before You Create a New Security Realm
■ Section 3.3, Creating and Configuring a New Security Realm: Main Steps

For information about configuring security providers, see Chapter 4, Configuring WebLogic Security Providers, and Chapter 5, Configuring Authentication Providers. For information about migrating security data to a new security realm, see Chapter 8, Migrating Security Data.

3.1 Why Customize the Default Security Configuration?

To simplify the configuration and management of security, WebLogic Server provides a default security configuration. In the default security configuration, myrealm is set as the default active security realm, and the WebLogic Adjudication, Authentication, Identity Assertion, Credential Mapping, CertPath, XACML Authorization and XACML Role Mapping providers are defined as the security providers in the security realm.

Customize the default security configuration if you want to do any of the following:

■ Replace one of the security providers in the default realm with a different security provider.
■ Configure additional security providers in the default security realm. For example, you might want to use two Authentication providers: one that uses the embedded LDAP server and one that uses a Windows NT store of users and groups.
■ Use an Authentication provider that accesses an LDAP server other than WebLogic Server's embedded LDAP server.
■ Use an existing store of users and groups (for example, a DBMS database) instead of defining users and groups in the WebLogic Authentication provider (also known as the DefaultAuthenticator).
■ When performing authentication, use the GUID or DN attributes of principals, in addition to user names; specify that principal matching is case-insensitive.
■ Add an Auditing provider to the default security realm.
■ Use an Identity Assertion provider that handles SAML assertions or Kerberos tokens.
■ Use the Certificate Registry to add certificate revocation to the security realm.
■ Change the default configuration settings of the security providers.
■ Use a custom Authorization or Role Mapping provider that does not support parallel security policy and role modification, respectively, in the security provider database.

For information about configuring different types of security providers in a security realm, see Chapter 4, Configuring WebLogic Security Providers, and Chapter 5, Configuring Authentication Providers.

The easiest way to customize the default security configuration is to add the security providers you want to the default security realm, myrealm. However, Oracle recommends instead that you customize the default security configuration by creating an entirely new security realm. This preserves your ability to revert more easily to the default security configuration. You configure security providers for the new realm; migrate any security data, such as users and groups, from the existing default realm; and then set the new security realm as the default realm. See Section 3.3, Creating and Configuring a New Security Realm: Main Steps.

3.2 Before You Create a New Security Realm