Identity Propagation between two WebLogic Domains : Cross Domain Security VS Global Trust

I discussed WebLogic Domains earlier; in this post I am going to discuss configuring trust between two WebLogic Domains, i.e. Cross Domain Security or Global Trust, so that identity can be propagated across WebLogic Domains.

 

If two WebLogic Domains each have a user (principal) with the same name, say user1, these are two different principals: a principal from one domain can’t be used in the other unless trust is configured between the two WebLogic Domains. If you want to propagate identity across WebLogic Domains (from one WebLogic Domain to another) then you must configure trust between these two WebLogic Domains.

There are two types of trust between two or more WebLogic Domains (Note : prior to WebLogic 9.2 there was only one way, i.e. Global Trust)

A. Global Trust – This is the only supported option for RMI and EJB calls between domains
B. Cross Domain Security – Use this for the JMS, JTA, MDB and WAN replication subsystems (don’t use this option for RMI/EJB)

 

Global Trust VS Cross Domain Security

1. Global Trust is transitive and symmetric, i.e. if there is Global Trust between WebLogic Domain A & B, and there is Global Trust between WebLogic Domain B & C, then there is also trust between Domain A & C (every domain that knows the shared credential trusts every other). In Cross Domain Security, if there is trust between A & B and between B & C, no trust is configured between A & C automatically; each pair of domains must be set up explicitly.

2. The domain names involved in Cross Domain Security must be unique, because the credential mapping in each domain is keyed by the name of the remote domain.

3. Global Trust can be used for all types of subsystems like RMI, EJB, JMS, JTA, MDB and WAN, whereas Cross Domain Security can’t be used for RMI or EJBs (you can use either Cross Domain Security or Global Trust for JMS, JTA, MDB or WAN). Neither option is a web single sign-on mechanism: a browser session authenticated with FORM or BASIC login in a web application of Domain A is not automatically recognised by a web application in Domain B; these settings only propagate identity on the server-to-server calls listed above.

4. Global Trust between WebLogic Domains has the potential to open the servers up to man-in-the-middle attacks, because any party that knows the shared domain credential is trusted. Change the credential from its default value, and use firewalls or dedicated network channels to restrict access to the servers of WebLogic Domains with Global Trust configured.

 

To configure Global Trust
Global Trust across WebLogic Domains : This is the old style of configuring trust between two WebLogic Domains, where you simply set the domain credential in both WebLogic Domains to the same value (<Domain Name> : Security -> General -> Advanced : Credential).

 

1. Change the credential of the domain to a known (long, random) value in Domain A
2. Change the credential of the domain to the same value (as used in Domain A) in Domain B
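The same two steps done from WLST instead of the console, as an added example (this is not code from the original post). It assumes the Admin Server URLs, admin user names and passwords, and the shared secret shown below; the domain name is read from the connected Admin Server. Changing the credential requires a restart of all servers in the domain.

```jython
# Added example, not from the original post: set the SAME domain credential in
# Domain A and Domain B with WLST (SecurityConfigurationMBean.setCredential),
# which is what the console steps above do. Run with:
#   $WL_HOME/common/bin/wlst.sh global_trust.py
# Assumed: the admin URLs, admin credentials and the shared secret below.

DOMAINS = [
    ('t3://adminA.example.com:7001', 'weblogic', 'AdminPwdA'),   # Domain A (assumed)
    ('t3://adminB.example.com:7001', 'weblogic', 'AdminPwdB'),   # Domain B (assumed)
]

# The shared secret IS the trust: anyone who knows it is trusted by both domains,
# so never leave it at the default and treat it like a private key.
SHARED_CREDENTIAL = 'ReplaceWithALongRandomSecret'

def set_global_trust_credential(url, user, pwd, credential):
    connect(user, pwd, url)
    domain = cmo.getName()                  # root of the config tree is the DomainMBean
    edit()
    startEdit()
    cd('/SecurityConfiguration/' + domain)
    cmo.setCredential(credential)           # Security -> General -> Advanced : Credential
    save()
    activate(block='true')
    disconnect()
    print('Domain credential set in ' + domain + '; restart all servers of this domain.')

for url, user, pwd in DOMAINS:
    set_global_trust_credential(url, user, pwd, SHARED_CREDENTIAL)
```

Because Global Trust is transitive, every domain on which this script is run with the same SHARED_CREDENTIAL joins one trust group; keep the value out of source control and rotate it on all domains together.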


For full steps to configure trust between two domains using Global Trust click here


To configure Cross Domain Security : In this type of trust between two WebLogic Domains, each domain has a user in the CrossDomainConnectors group that the other domain connects as, and each domain has a credential mapping that tells its own servers which user and password to present to the remote domain.
1. Enable cross domain security by ticking the checkbox next to “Cross Domain Security Enabled” in <WebLogic Domain> : Security -> General for both Domain A and Domain B

2. Create a user in WebLogic Domain A (and assign it to the group CrossDomainConnectors) using Security Realm -> myrealm -> Users and Groups -> New

3. In Domain B, create a Credential Mapping with the “Use Cross-domain protocol” option (Security Realm -> myrealm -> Credential Mapping -> New), giving the name of Domain A as the remote domain and the user and password created in step 2 as the remote credentials

 

4. For the other direction, repeat step 2 in Domain B and step 3 in Domain A (the mapping in Domain A points at the user created in Domain B)
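The four steps above for both directions, as an added WLST example (not code from the original post). It assumes the domain names, Admin Server URLs, admin credentials, connector user names and passwords shown below, the default realm name myrealm, and the DefaultAuthenticator / DefaultCredentialMapper providers.

```jython
# Added example, not from the original post: configure Cross Domain Security
# between Domain A and Domain B with WLST. For each domain it
#   (a) enables "Cross Domain Security Enabled" (edit tree),
#   (b) creates the connector user the OTHER domain logs in as and puts it in
#       CrossDomainConnectors (runtime provider operations, serverConfig tree),
#   (c) creates the credential mapping that maps the local "cross-domain"
#       principal to the connector user of the remote domain.
# Assumed: names, URLs, admin and connector credentials below.
import jarray
from java.lang import String

DOMAIN_A = {'name': 'DomainA', 'url': 't3://adminA.example.com:7001',
            'admin': 'weblogic', 'admin_pwd': 'AdminPwdA',
            'xuser': 'xdom_connector_a', 'xpwd': 'ConnectorPwdA'}  # user B presents to A
DOMAIN_B = {'name': 'DomainB', 'url': 't3://adminB.example.com:7001',
            'admin': 'weblogic', 'admin_pwd': 'AdminPwdB',
            'xuser': 'xdom_connector_b', 'xpwd': 'ConnectorPwdB'}  # user A presents to B

# Domains that do NOT have cross-domain security enabled and must keep talking to
# us through Global Trust have to be listed here, otherwise calls from them fail.
EXCLUDED_DOMAINS = []   # e.g. ['LegacyDomain'] (assumed)

def configure_cross_domain(local, remote, realm='myrealm'):
    connect(local['admin'], local['admin_pwd'], local['url'])

    # (a) step 1: enable cross-domain security
    edit()
    startEdit()
    cd('/SecurityConfiguration/' + local['name'])
    cmo.setCrossDomainSecurityEnabled(true)
    if EXCLUDED_DOMAINS:
        cmo.setExcludedDomainNames(jarray.array(EXCLUDED_DOMAINS, String))
    save()
    activate(block='true')

    # (b) step 2: connector user in CrossDomainConnectors (what the remote domain logs in as)
    serverConfig()
    cd('/SecurityConfiguration/%s/Realms/%s/AuthenticationProviders/DefaultAuthenticator'
       % (local['name'], realm))
    if not cmo.userExists(local['xuser']):
        cmo.createUser(local['xuser'], local['xpwd'],
                       'cross-domain connector used by ' + remote['name'])
    if not cmo.isMember('CrossDomainConnectors', local['xuser'], false):
        cmo.addMemberToGroup('CrossDomainConnectors', local['xuser'])

    # (c) step 3: credential mapping keyed by the REMOTE domain name, which is why
    #     domain names must be unique; "cross-domain" is the fixed local principal.
    cd('/SecurityConfiguration/%s/Realms/%s/CredentialMappers/DefaultCredentialMapper'
       % (local['name'], realm))
    resource_id = 'type=<remote>, protocol=cross-domain-protocol, remote-host=' + remote['name']
    cmo.setUserPasswordCredentialMapping(resource_id, 'cross-domain',
                                         remote['xuser'], remote['xpwd'])
    disconnect()
    print('Cross Domain Security configured in %s towards %s' % (local['name'], remote['name']))

# step 4 is simply running the same function with the roles swapped
configure_cross_domain(DOMAIN_A, DOMAIN_B)
configure_cross_domain(DOMAIN_B, DOMAIN_A)
```

Each mapping references the connector password of the other domain, so both passwords have to be known when the script runs; read them from a vault or an encrypted WLST properties file rather than embedding them as here. Unlike Global Trust, the result is strictly pairwise: adding a Domain C later means running the function for the (A, C) and (B, C) pairs as well.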

Follow the full steps to configure cross domain security across two servers here

 

About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.



10 comments
kishna says November 5, 2013

Good Post

David Richardson says November 5, 2013

Timely Article!

Shrikant says March 24, 2014

Hi,
I am also trying to achieve cross domain security, but facing some issue, thus seek your help.
Basically we have 2 WebLogic instances (10.3.6) and followed exactly the same steps as explained for setting up cross domain security. I have 2 FORM-based web applications, one deployed in each of these domains. The requirement is that when we navigate from one application to another using a URL, control should go directly to the home page of the other application (as if both applications were deployed in the same domain). But control is navigating to the login page. I am not passing any user credentials through this URL.
Any clue will be much helpful

    Atul Kumar says March 24, 2014

    @ Shrikant,
    What login application/authentication mechanism are you using to log in to these two applications?

    —–

    Regards
    Atul Kumar
    Contact Us for any consulting service

Shrikant says March 25, 2014

Atul,
I am using a simple custom login application which is FORM based (POST method) with the j_security_check action. Authentication uses myrealm.

Shrikant says March 27, 2014

Atul,
It would be helpful if you could shed some light on this.

Saad Benbouzid says January 14, 2015

4. repeat step 2 in Domain B and Step 3 in Domain B

Don’t you mean “repeat step 2 in Domain B and Step 3 in Domain A” ?

Israel says October 10, 2017

Hi,

I have followed all the steps. I have a question: do you know if I can do that with a WLST script to establish the trust instead of the WebLogic console?

Susana says April 3, 2018

Hi! Do you know if it’s possible to add a non-WebLogic server as a trusted domain?

indrani says May 24, 2018

I see errors while creating the cross domain

<Administration Console encountered the following error: weblogic.management.utils.NotFoundException:
at weblogic.security.providers.credentials.DefaultCredentialMapperStoreHelper.setResourceMap(DefaultCredentialMapperStoreHelper.java:329)
at weblogic.security.providers.credentials.DefaultCredentialMapperImpl.setUserPasswordCredentialMapping(DefaultCredentialMapperImpl.java:417)

Can you please let me know where I went wrong.
