Set Up Perimeter Authentication

6-6 Using Web Server 1.1 Plug-Ins with Oracle WebLogic Server

6.3 Set Up Perimeter Authentication

Use perimeter authentication to secure WebLogic Server applications that are accessed via the plug-in. A WebLogic Identity Assertion Provider authenticates tokens from outside systems that access your WebLogic Server application, including users who access your WebLogic Server application through the plug-in. Create an Identity Assertion Provider that will safely secure your plug-in as follows:

1. Create a custom Identity Assertion Provider on your WebLogic Server application. See How to Develop a Custom Identity Assertion Provider in Developing Security Providers for Oracle WebLogic Server.

2. Configure the custom Identity Assertion Provider to support the Cert token type and make Cert the active token type. See How to Create New Token Types in Developing Security Providers for Oracle WebLogic Server.

3. Set clientCertProxy to True in the web.xml deployment descriptor file for the Web application or, if using a cluster, optionally set the Client Cert Proxy Enabled attribute to true for the whole cluster on the Administration Console Cluster > Configuration > General tab. The clientCertProxy attribute can be used with a third party proxy server, such as a load balancer or an SSL accelerator, to enable 2-way SSL authentication. For more information about the clientCertProxy attribute, see context-param in Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server.

4. Once you have set clientCertProxy, be sure to use a connection filter to ensure that WebLogic Server accepts connections only from the machine on which the plug-in is running. See Using Network Connection Filters in Programming Security for Oracle WebLogic Server.

5. Web server plug-ins require a trusted Certificate Authority file in order to use SSL between the plug-in and WebLogic Server. See Section 6.1, Use SSL With Plug-Ins for the steps you need to perform to configure SSL.

See Identity Assertion Providers in Developing Security Providers for Oracle WebLogic Server.
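A configuration check for steps 3 and 4 above, added here as an example and not part of the Oracle documentation: it reads a web.xml for the clientCertProxy setting and evaluates a set of connection filter rules to confirm that only the plug-in host is admitted. It assumes the `weblogic.httpd.clientCertProxy` context-param name and the `target localAddress localPort action protocols` rule syntax of WebLogic's default connection filter (first match wins, no match permits); the function names and all addresses are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample inputs; 192.0.2.10 stands in for the plug-in host.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <context-param>
    <param-name>weblogic.httpd.clientCertProxy</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>"""
WEAK_RULES = ["192.0.2.10 * * allow https"]  # nothing denies other hosts
HARDENED_RULES = ["192.0.2.10 * * allow https", "0.0.0.0/0 * * deny"]

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def client_cert_proxy_enabled(web_xml):
    """True if the descriptor sets clientCertProxy to true (step 3)."""
    for el in ET.fromstring(web_xml).iter():
        if local(el.tag) == "context-param":
            kv = {local(c.tag): (c.text or "").strip() for c in el}
            if kv.get("param-name") == "weblogic.httpd.clientCertProxy":
                return kv.get("param-value", "").lower() == "true"
    return False

def filter_allows(rules, client_ip, protocol="https"):
    """Evaluate rules in order; the first match decides, no match permits."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        fields = rule.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line or comment
        target, _local_addr, _local_port, action, *protocols = fields
        if protocols and protocol not in protocols:
            continue
        # Assumption: numeric targets only (address, CIDR or netmask form).
        if ip in ipaddress.ip_network(target, strict=False):
            return action.lower() == "allow"
    return True

def audit(web_xml, rules, plugin_ip, probe_ip="198.51.100.7"):
    """Spot-check step 4: plug-in host admitted, one other host refused."""
    findings = []
    if client_cert_proxy_enabled(web_xml):
        if not filter_allows(rules, plugin_ip):
            findings.append("plug-in host is blocked by the filter")
        if filter_allows(rules, probe_ip):
            findings.append("clientCertProxy on, but another host can connect")
    return findings
```

With `WEAK_RULES` the audit reports a finding because the default filter permits any connection that no rule matches; the trailing deny rule in `HARDENED_RULES` closes that gap.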

6.4 Set the WebLogic Plug-in Enabled Control in WebLogic Server