Identity Propagation between two WebLogic Domains : Cross Domain Security VS Global Trust

I discussed the WebLogic Domain earlier. In this post I am going to discuss configuring trust between two WebLogic Domains, i.e. Cross Domain Security or Global Trust, so that identity can be propagated across WebLogic Domains.


If two WebLogic Domains each have a user (principal) with the same name, like user1, these two users (principals) are different and one cannot be used in the other domain unless trust is configured between the two WebLogic Domains. If you want to propagate identity across WebLogic Domains (from one WebLogic Domain to another), you must configure trust between the two WebLogic Domains.

There are two types of trust between two or more WebLogic Domains (Note: prior to WebLogic 9.2 there was only one way, i.e. Global Trust):

A. Global Trust – This is the only supported option for RMI and EJB
B. Cross Domain Security – Use this for the JMS, JTA, MDB or WAN replication subsystems (don't use this option for RMI/EJB)


Global Trust VS Cross Domain Security

1. Global Trust is transitive and symmetric, i.e. if there is Global Trust between WebLogic Domain A & B, and Global Trust between WebLogic Domain B & C, then there will be trust between Domain A & C. In Cross Domain Security, if there is trust between A & B and between B & C, trust between A & C is not configured automatically.

2. The domain names involved in Cross Domain Security must be unique.

3. Global Trust can be used for all types of subsystems like RMI, EJB, JMS, JTA, MDB and WAN, whereas Cross Domain Security can't be used for RMI or EJBs (you can use Cross Domain Security or Global Trust for JMS, JTA, MDB or WAN).

4. Global Trust between WebLogic Domains has the potential to open the servers up to man-in-the-middle attacks. You must use firewalls or dedicated network channels to restrict access to WebLogic Domains that have Global Trust configured.


To configure Global Trust
Global Trust across WebLogic Domains: This is the older style of configuring trust between two WebLogic Domains, where you simply change the domain credential in both WebLogic Domains to the same value (<Domain Name> : Security -> General -> Advanced : Credential).


1. Change the credential of the domain to a known value in Domain A
2. Change the credential of the domain to the same value (as used in Domain A) in Domain B


For the full steps to configure trust between two domains using Global Trust, click here


To configure Cross Domain Security, in this type of trust between two WebLogic Domains:
1. Enable the checkbox next to "Cross Domain Security Enabled" in <WebLogic Domain> : Security -> General for both Domain A and Domain B

2. Create a user in WebLogic Domain A (and assign it to the group CrossDomainConnectors) using Security Realm -> myrealm -> Users and Groups -> New

3. In Domain B, create a Credential Mapping with the "Use Cross-domain protocol" option (Security Realm -> myrealm -> Credential Mapping -> New)


4. Repeat step 2 in Domain B and step 3 in Domain B

Follow the full steps to configure Cross Domain Security across two servers here
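As an added example (not code from the original post), the same three steps scripted in WLST for one side of the trust; running it once against Domain A and once against Domain B with the roles swapped covers step 4. All host names, ports, domain names, user names and passwords are placeholders, and the DefaultCredentialMapper call form is as I recall it from Oracle's WLST documentation, so check it against your release's MBean reference before relying on it.

```jython
# Added example: automates "Cross Domain Security" for ONE domain via WLST.
# Every value below is a placeholder (not from the post); replace before use.

LOCAL_ADMIN_URL   = 't3://localhost:7001'   # admin server of the domain being configured
LOCAL_ADMIN_USER  = 'weblogic'
LOCAL_ADMIN_PASS  = 'CHANGE_ME'
LOCAL_DOMAIN_NAME = 'domainA'               # domain names must be unique across trusted domains

CROSS_DOMAIN_USER = 'xdomain_user_a'        # local user that will join CrossDomainConnectors
CROSS_DOMAIN_PASS = 'CHANGE_ME_TOO'

REMOTE_HOST         = 'domainb.example.com' # server in the other domain we connect to
REMOTE_PORT         = '8001'
REMOTE_XDOMAIN_USER = 'xdomain_user_b'      # CrossDomainConnectors user created in the remote domain
REMOTE_XDOMAIN_PASS = 'CHANGE_ME_THREE'

connect(LOCAL_ADMIN_USER, LOCAL_ADMIN_PASS, LOCAL_ADMIN_URL)

# Step 1: tick "Cross Domain Security Enabled" (Security -> General) in the edit tree.
edit()
startEdit()
cd('/SecurityConfiguration/' + LOCAL_DOMAIN_NAME)
cmo.setCrossDomainSecurityEnabled(true)
save()
activate(block='true')

# Step 2: create the local cross-domain user and put it in CrossDomainConnectors.
# Security-provider MBeans are changed through the serverConfig tree, not the edit tree.
serverConfig()
cd('/SecurityConfiguration/' + LOCAL_DOMAIN_NAME
   + '/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator')
if not cmo.userExists(CROSS_DOMAIN_USER):
    cmo.createUser(CROSS_DOMAIN_USER, CROSS_DOMAIN_PASS, 'cross-domain connector user')
cmo.addMemberToGroup('CrossDomainConnectors', CROSS_DOMAIN_USER)

# Step 3: credential mapping using the cross-domain protocol, mapping the local
# domain to the remote domain's CrossDomainConnectors user. The resource id names the
# remote endpoint; 'cross-domain' with isInitiatorUserName='true' is the documented
# form for this mapping (assumed here; verify against the MBean reference).
cd('/SecurityConfiguration/' + LOCAL_DOMAIN_NAME
   + '/Realms/myrealm/CredentialMappers/DefaultCredentialMapper')
resourceId = ('type=<remote>, protocol=cross-domain-protocol, remote-host='
              + REMOTE_HOST + ', remote-port=' + REMOTE_PORT + ', path=/, method=')
cmo.setUserPasswordCredentialMapping(resourceId, 'cross-domain', 'true',
                                     REMOTE_XDOMAIN_USER, REMOTE_XDOMAIN_PASS)

disconnect()
```

Keep the passwords out of the script in practice (WLST can read them from a user-config/key file created with storeUserConfig) so the cross-domain credentials are not left in plain text on disk.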


About the Author: Masroof Ahmad
