Administering the WebLogic UNIX security realm
- Installing the WebLogic UNIX realm
- Testing your UNIX realm
This document describes how to install and configure the WebLogic UNIX
security realm for your WebLogic Server. After installing the UNIX
realm, WebLogic Server authenticates users with UNIX authentication
services in place of weblogic.password and weblogic.security.group properties
in the weblogic.properties
file. Access control lists (ACLs) are still defined in the weblogic.properties file.
WebLogic Server executes a small native program, wlauth, to look up users and
groups, and to authenticate users given UNIX login names and
passwords. On some platforms, wlauth uses PAM (Pluggable Authentication Modules),
which allows you to configure authentication services in the operating
system without altering applications that use the service. On
platforms where PAM is not available, wlauth uses the standard login mechanism, including
shadow passwords, where supported.
Since WebLogic Server reads ACLs from the weblogic.properties file at start up
time, you must still restart WebLogic Server after you change
an ACL. If you use groups with your ACLs, however, you can avoid
having to restart the server as often. Changing UNIX groups
allows you to manage individual users' access to WebLogic Server
The UNIX security realm is hosted by CachingRealm, a realm that
provides caching services, as well as delegating to an alternate
realm. CachingRealm falls back on the weblogic.properties file when the UNIX realm cannot
satisfy a lookup. See Administering the WebLogic Caching realm for help
setting up and configuring the cache.
Installing the WebLogic UNIX realm
The wlauth program must
run setuid root. You will need root permission to modify the
ownership and file attributes on this file and to set up the PAM
configuration file for wlauth.
Follow these steps to set up the UNIX realm:
If you installed WebLogic Server on a network drive, copy wlauth to a file system on
the computer that executes WebLogic Server, for example, the /usr/sbin directory. The file is in
directory, where arch is the name of your platform.
As root, change the wlauth owner and permissions with these
# chown root wlauth
# chmod +xs wlauth
On PAM platformis (Solaris and Linux), set up the PAM configuration
Add the following lines to your /etc/pam.conf file:
# Setup for WebLogic authentication on Solaris machines
wlauth auth required /usr/lib/security/pam_unix.so.1
wlauth password required /usr/lib/security/pam_unix.so.1
wlauth account required /usr/lib/security/pam_unix.so.1
Create a file /etc/pam.d/wlauth
containing the following:
# File name:
# If you do not use shadow passwords, delete "shadow".
auth required /lib/security/pam_pwdb.so shadow
account required /lib/security/pam_pwdb.so
Note: Omit "shadow" if you are not using shadow passwords.
Add the following properties to your weblogic.properties file:
- You can also set properties that control the cache size and time-to-live
of cached users and groups. See Administering the WebLogic Caching realm for help with these properties.
If wlauth is not in WebLogic
Server's path, or if you have renamed it to something other than wlauth, you must add a Java command
line property when you start WebLogic Server. Edit the script you
use to start Weblogic Server and add this option after the java command:
Replace wlauth_prog with the name of the wlauth program, including the full path if
the program is not in the search path. If wlauth is in the WebLogic Server path and is
named wlauth, this step is not
- Start WebLogic Server.
Testing the UNIX realm
After you have started WebLogic Server with the UNIX realm
installed, you can perform the following checks to test that it
is working properly.
- Load the AdminRealm servlet in a browser. This servlet displays
information about the realm WebLogic Server is using, and it
includes lists of all known users and groups. Load the servlet using a URL
- Display the realm in the WebLogic Console. The Console displays
all users and ACLs known in the realm.
- Add an ACL to your weblogic.properties file for the helloWorld example
servlet. First find the weblogic.httpd.register property for the helloWorld
servlet and make sure that it is not commented out. Add the following
Replace username with the name of a UNIX user. Replace groupname with the name of a UNIX group -- but select a group that does not include
Restart WebLogic Server and then load the helloWorld servlet with an ACL like this:
Try entering the name and password for UNIX user who is not
included in the ACL you added for the servlet. You should get a
message telling you that you were not authorized.
Try entering the name and password of a UNIX user who you did
include in the ACL, either as an individual or a member of the
group. The servlet should load and display the "Hello World" message.