Innovative ideas for every utility

Securing Your JNDI Resources for Other Groups

Anthony Shorten
Senior Principal Product Manager

As with other applications, the Oracle Utilities Application Framework respects the settings within the Oracle WebLogic domain, including any default settings. One of the default settings for the domain is access to the JNDI resources within the domain. By default, Oracle WebLogic grants access to Everyone that is defined in the security realm definition of the domain. Whilst, this is generally acceptable in the vast majority of domains that are setup (remember you tend to set up a lot of non-production copies in any implementation of the products), it may not be appropriate for production domains. There is a simple setup to correct that.

  • Create a group to designate the specific users outside the application users you want to give access to the JNDI resources. Allocate the user identities to that group in your security repository. If you use the internal LDAP of Oracle WebLogic then you can add them using the console. If you want to designate different groups of people, create different groups.
    • Remember you have groups already for other users, Administrators and the product group. For this documentation we will use the Administrators and cisusers groups. You can vary the values according to your site setup. These will be reused for the setup.
  • Create a Global Role which refers to the above group. If you created multiple then specify each group in the role.
  • On the product server(s) or cluster, select the View JNDI Tree option on the Configuration --> General tab. For example:

View JNDI Tree

  • On the root node of the server definition in the tree remove the Everyone from the node using the Remove button. The Administrators should be the only group that has access at the root level. Do NOT remove Administrators as this will corrupt your access to the domain. The following is an example of the recommended settings:

Root Node Access

  • All child nodes in the JNDI inherit the root node setup. Now for the product to work you need to add cisusers to the following JNDI objects:
    • The servicebean must be accessible for cisusers. This will be under the context value set for your domain.
    • The Data Sources (OUAF_DS in my example) must be accessible to cisusers.
    • The JMX nodes should be accessible to cisusers if you are using JMX monitoring (directly or via OEM).
    • If using the internal JMS processing, wither that is the JMS Senders or MDB, then you must allow cisusers access to the JMS resources in the domain.
  • Add your custom group to the relevant JNDI objects they need to have access to.
  • Set the Enable Remote JDBC Connection Property to false. This can be done using the JAVA_OPTIONS setting in the setDomainEnv[.sh] script shipped with Oracle WebLogic in the bin directory of your domain home (Add -Dweblogic.jdbc.remoteEnabled=false to JAVA_OPTIONS). Check that the variable WLS_JDBC_REMOTE_ENABLED is not set incorrectly.
  • If you are using SSL, you need to set the RMI JDBC Security to Secure to ensure Administrators use SSL as well for connections. For example:

RMI JDBC Security

The domain is now more secure.



Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.