Methods of Configuring Security

Overview of Security Management 2-7

4. Ensure that user accounts are properly secured. WebLogic Server provides a set of configuration options for protecting user accounts. By default, they are set for maximum security. However, during the development and deployment of WebLogic Server, you may need to weaken the restrictions on user accounts. Before moving to production, check that the options on user accounts are set for maximum protection. If you are creating a new security realm, you need to set the user lockout options. See Section 13.6, "How Passwords Are Protected in WebLogic Server," and Section 13.7, "Protecting User Accounts."

5. Protect WebLogic resources with security policies. Creating security policies is a multi-step process with many options. To fully understand this process, read Securing Resources Using Roles and Policies for Oracle WebLogic Server. Securing Oracle WebLogic Server should be used in conjunction with Securing Resources Using Roles and Policies for Oracle WebLogic Server to ensure that security is completely configured for a WebLogic Server deployment.

6. Configure identity and trust for WebLogic Server. This step is optional but recommended. See Chapter 11, "Configuring Identity and Trust."

7. Enable SSL for WebLogic Server. This step is optional but recommended. See Chapter 12, "Configuring SSL."

8. When you have moved to production, review and implement the additional security options described in Securing a Production Environment for Oracle WebLogic Server. In addition, you can:
   ■ Configure a connection filter. See Section 13.3, "Using Connection Filters."
   ■ Enable interoperability between WebLogic domains. See Section 13.2.1, "Enabling Cross Domain Security Between WebLogic Server Domains."

2.6 Methods of Configuring Security

In many cases, this document describes how to configure WebLogic security by using the WebLogic Server Administration Console. Generally, any configuration task you can accomplish through the Console you can also accomplish by using the WebLogic Scripting Tool (WLST) or the Java Management Extensions (JMX) APIs. For information about using WLST to manage WebLogic security, see "Managing Security Data" in Oracle WebLogic Scripting Tool. For information about using JMX APIs, see "Choosing an MBean Server to Manage Security Realms" in Developing Custom Management Utilities With JMX for Oracle WebLogic Server.

When you manage security realms, you must use two different MBean servers depending on your task:
■ To set the value of a security MBean attribute, you must use the Edit MBean Server.
■ To add users, groups, roles, and policies, or to invoke other operations in a security provider MBean, you must use a Runtime MBean Server or the Domain Runtime MBean Server.

In addition, to prevent the possibility of incompatible changes, you cannot invoke operations in security provider MBeans if your client or another JMX client has an edit session currently active. The Administration Console automatically enforces this limitation and automatically accesses the proper MBean server. When you use the Administration Console, you can override this limitation by selecting the Domain > Security > General page and enabling Allow Security Management Operations if Non-dynamic Changes have been Made. Setting this attribute to true permits users to perform security management operations without restarting the server. Note that this attribute is reset to false when a new MBean edit session begins.

For example, the value of the MinimumPasswordLength attribute in DefaultAuthenticatorMBean is stored in the domain's configuration document.
Because all modifications to this document are controlled by WebLogic Server, to change the value of this attribute you must use the Edit MBean Server and acquire a lock on the domain's configuration. The createUser operation in DefaultAuthenticatorMBean adds data to an LDAP server, which is not controlled by WebLogic Server. To prevent incompatible changes between the DefaultAuthenticatorMBean's configuration and the data that it uses in the LDAP server, you cannot invoke the createUser operation if you or other users are in the process of modifying the MinimumPasswordLength attribute. In addition, because changing this attribute requires you to restart WebLogic Server, you cannot invoke the createUser operation until you have restarted the server.

2.7 What Is Compatibility Security?
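The two-MBean-server rule that Section 2.6 illustrates with MinimumPasswordLength and createUser, written out as a JMX client. This is an added example, not code from the WebLogic documentation: it assumes a domain whose default realm contains a provider named DefaultAuthenticator, the WebLogic client library on the classpath so that the t3 JMX protocol resolves, and host, port, admin user, mode and user details passed on the command line with passwords read from environment variables (WLS_ADMIN_PASSWORD, WLS_NEW_USER_PASSWORD are names chosen here, not WebLogic settings). The JNDI names, EditService and DomainRuntimeService object names, and ConfigurationManagerMBean operations are the documented WebLogic JMX entry points.

```java
import java.util.Hashtable;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;

/**
 * Added example: an attribute change (MinimumPasswordLength) goes through the
 * Edit MBean Server under an edit lock; a provider operation (createUser) goes
 * through the Domain Runtime MBean Server, and only once no edit session is
 * active and any non-dynamic change has been applied by a restart.
 */
public class SecurityMBeanServers {

    // JNDI paths of the two MBean servers that Section 2.6 distinguishes.
    static final String EDIT_SERVER = "/jndi/weblogic.management.mbeanservers.edit";
    static final String DOMAIN_RUNTIME_SERVER = "/jndi/weblogic.management.mbeanservers.domainruntime";

    static JMXConnector connect(String host, int port, String path, String user, String pw) throws Exception {
        JMXServiceURL url = new JMXServiceURL("t3", host, port, path);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, pw);
        env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, "weblogic.management.remote");
        return JMXConnectorFactory.connect(url, env);
    }

    /** Walk DomainMBean -> SecurityConfiguration -> DefaultRealm -> AuthenticationProviders. */
    static ObjectName findDefaultAuthenticator(MBeanServerConnection c, ObjectName domain) throws Exception {
        ObjectName secCfg = (ObjectName) c.getAttribute(domain, "SecurityConfiguration");
        ObjectName realm = (ObjectName) c.getAttribute(secCfg, "DefaultRealm");
        ObjectName[] providers = (ObjectName[]) c.getAttribute(realm, "AuthenticationProviders");
        for (ObjectName p : providers) {
            if ("DefaultAuthenticator".equals(c.getAttribute(p, "Name"))) {
                return p;   // assumed provider name; adjust if the realm uses another
            }
        }
        throw new IllegalStateException("DefaultAuthenticator not found in the default realm");
    }

    /** Attribute change: Edit MBean Server, lock the domain configuration, change, activate. */
    static void setMinimumPasswordLength(String host, int port, String user, String pw, int length)
            throws Exception {
        try (JMXConnector jc = connect(host, port, EDIT_SERVER, user, pw)) {
            MBeanServerConnection c = jc.getMBeanServerConnection();
            ObjectName editService = new ObjectName(
                "com.bea:Name=EditService,Type=weblogic.management.mbeanservers.edit.EditService");
            ObjectName cfgMgr = (ObjectName) c.getAttribute(editService, "ConfigurationManager");
            // startEdit(waitTimeInMillis, timeOutInMillis) acquires the edit lock on the domain.
            ObjectName domain = (ObjectName) c.invoke(cfgMgr, "startEdit",
                new Object[] { Integer.valueOf(60000), Integer.valueOf(120000) },
                new String[] { "java.lang.Integer", "java.lang.Integer" });
            try {
                ObjectName auth = findDefaultAuthenticator(c, domain);
                c.setAttribute(auth, new Attribute("MinimumPasswordLength", Integer.valueOf(length)));
                // activate(timeOutInMillis) writes the domain configuration and releases the lock.
                // MinimumPasswordLength is non-dynamic: the value applies after a server restart.
                c.invoke(cfgMgr, "activate", new Object[] { Long.valueOf(120000) },
                    new String[] { "java.lang.Long" });
            } catch (Exception e) {
                c.invoke(cfgMgr, "cancelEdit", null, null);   // release the lock on failure
                throw e;
            }
        }
    }

    /** Provider operation: Domain Runtime MBean Server, no edit lock involved. */
    static void createUser(String host, int port, String user, String pw,
                           String newUser, String newPw, String description) throws Exception {
        try (JMXConnector jc = connect(host, port, DOMAIN_RUNTIME_SERVER, user, pw)) {
            MBeanServerConnection c = jc.getMBeanServerConnection();
            ObjectName service = new ObjectName("com.bea:Name=DomainRuntimeService,"
                + "Type=weblogic.management.mbeanservers.domainruntime.DomainRuntimeServiceMBean");
            ObjectName domain = (ObjectName) c.getAttribute(service, "DomainConfiguration");
            ObjectName auth = findDefaultAuthenticator(c, domain);
            // Rejected by the server while any JMX client holds an edit session on this
            // provider, or while a non-dynamic change is still waiting for a restart.
            c.invoke(auth, "createUser", new Object[] { newUser, newPw, description },
                new String[] { "java.lang.String", "java.lang.String", "java.lang.String" });
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: host port adminUser set-min-length <n>
        //        host port adminUser create-user <name> <description>
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String admin = args[2];
        String adminPw = System.getenv("WLS_ADMIN_PASSWORD");   // assumed variable name
        if ("set-min-length".equals(args[3])) {
            setMinimumPasswordLength(host, port, admin, adminPw, Integer.parseInt(args[4]));
        } else if ("create-user".equals(args[3])) {
            createUser(host, port, admin, adminPw, args[4],
                System.getenv("WLS_NEW_USER_PASSWORD"), args[5]);   // assumed variable name
        }
    }
}
```

The two modes are deliberately separate invocations: after set-min-length activates the change, the server must be restarted before create-user can succeed, which is the restriction the paragraph above describes. Keeping passwords in environment variables rather than arguments keeps them out of process listings and shell history.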