Configuring Cross-Domain Security Enabling Cross Domain Security Between WebLogic Server Domains

Securing Oracle WebLogic Server

For these domain types, the alternative is to use the global trust feature, in which global trust is established between two domains by using the same domain credential in each domain. For information about the global trust approach in WLS, see Section 13.2.2, Enabling Global Trust.

13.2 Enabling Trust Between WebLogic Server Domains

Trust between domains is established so that principals in a Subject from one WebLogic domain can make calls in another domain. In previous releases of WebLogic Server, there was only one type of domain trust that is now referred to as Global Trust. WebLogic Server now supports a type of domain trust that is referred to as Cross Domain Security. The following sections explain how to configure each domain trust type:

■ Section 13.2.1, Enabling Cross Domain Security Between WebLogic Server Domains
■ Section 13.2.2, Enabling Global Trust

13.2.1 Enabling Cross Domain Security Between WebLogic Server Domains

Cross Domain Security establishes trust between two WebLogic domain pairs by using a credential mapper to configure communication between these WebLogic domains. Configuration and use of cross-domain security is described in the following sections:

■ Section 13.2.1.1, Configuring Cross-Domain Security
■ Section 13.2.1.2, Configuring a Cross-Domain User
■ Section 13.2.1.3, Configure a Credential Mapping for Cross-Domain Security

In addition to the approach that uses a Credential Mapping security provider for cross-domain security, WebLogic Server also enables a different approach, under which global trust is established between two or more domains by using the same domain credential in each domain. If you enable global trust between two or more domains, the trust relationship is transitive and symmetric. In other words, if Domain A trusts Domain B and Domain B trusts Domain C, then Domain A will also trust Domain C, and Domain B and Domain C will both trust Domain A.

In most cases, the Cross Domain Security approach is preferable to the global trust approach, because its use of a specific user group and role for cross-domain actions allows for finer grained security. For information about the global trust approach in WebLogic Server, see Section 13.2.2, Enabling Global Trust.

13.2.1.1 Configuring Cross-Domain Security

To configure cross-domain security in a WebLogic domain, set the SecurityConfigurationMBean.CrossDomainSecurityEnabled attribute to true.

Note: Please see Section 13.1, Important Information Regarding Cross-Domain Security Support, before enabling cross domain security.

To do this in the WebLogic Server Administration Console:

1. Click the name of the domain in the Domain Configurations section of the Home page.

2. Select Security > General.

3. Check Cross Domain Security Enabled.

If you maintain any WebLogic domains that have not enabled cross-domain security, you need to add their domain names to the list of excluded domains, in the SecurityConfigurationMBean.ExcludedDomainNames attribute. To do this in the WebLogic Server Administration Console:

1. Click the name of the domain in the Domain Configuration section of the Home page.

2. Select Security > General.

3. In the Excluded Domain Names field, enter the names of any domains that do not have cross-domain security enabled. Enter the names of these domains separated either by semicolons or line breaks.
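The excluded-domain rule above can be checked across a set of domains once the two attribute values have been collected from each one. The following is an added example, not Oracle code: the inventory format, the domain names, and the finding labels are constructed for illustration, and the values are assumed to have been read from each domain's SecurityConfigurationMBean.

```python
import re

# Constructed sample inventory: one entry per domain, holding the value of
# CrossDomainSecurityEnabled and the raw Excluded Domain Names field text.
INVENTORY = {
    "orders":    {"enabled": True,  "excluded": "legacy_hr;\nreports"},
    "billing":   {"enabled": True,  "excluded": "legacy_hr"},
    "legacy_hr": {"enabled": False, "excluded": ""},
    "reports":   {"enabled": True,  "excluded": ""},
}

def parse_excluded(field):
    """Split the field on semicolons or line breaks, as the console accepts."""
    return {n.strip() for n in re.split(r"[;\r\n]+", field) if n.strip()}

def audit(inventory):
    """Return (domain, finding, peer) tuples for exclusion-list problems."""
    findings = []
    for name, cfg in sorted(inventory.items()):
        if not cfg["enabled"]:
            continue  # the exclusion list only matters where the feature is on
        excluded = parse_excluded(cfg["excluded"])
        for peer, peer_cfg in sorted(inventory.items()):
            if peer == name:
                continue
            if not peer_cfg["enabled"] and peer not in excluded:
                # Peer has not enabled cross-domain security but is not listed.
                findings.append((name, "missing-exclusion", peer))
            elif peer_cfg["enabled"] and peer in excluded:
                # Peer is listed although it has the feature enabled: a review
                # hint (assumption of this example), not a rule from the guide.
                findings.append((name, "review-exclusion", peer))
        for unknown in sorted(excluded - set(inventory)):
            # Listed name that is not in the inventory (typo or retired domain).
            findings.append((name, "unknown-domain", unknown))
    return findings

if __name__ == "__main__":
    for domain, finding, peer in audit(INVENTORY):
        print(f"{domain}: {finding}: {peer}")
```
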

13.2.1.2 Configuring a Cross-Domain User