Integrate Oracle WebLogic Server with OID
This is on “How to integrate Oracle
WebLogic Server with OID (Oracle Internet Directory) for user
Login/Authentication” By Default Oracle WebLogic Server uses security realm
with name “myrealm” that uses embedded LDAP server (two default users WebLogic
& OracleSystemUser) that acts as data store for Authentication,
Authorization, Credential Mapping and Role Mapping Provider.
You can view Embedded LDAP Server configuration from WebLogic Console Page (/console) : Domain -> Security -> Embedded LDAP Server
You can view Embedded LDAP Server configuration from WebLogic Console Page (/console) : Domain -> Security -> Embedded LDAP Server
If you wish to login to WebLogic Server using users in Oracle Internet
Directory (more on OID here) or allow access to your WebServices to users in
OID (OWSM Policy) then you will have to define new Authentication Providers in
your WebLogic realm (myrealm) . Authentication Provider supported by WebLogic
are LDAP, RDBMS, Windows NT, SAML, Password Validator, Identity Assertion etc..
Before I jump to step by step OID (LDAP) authentication provider configuration for WebLogic, lets first check few important things
1.You can configure one or more (minimum one) Authentication Provider in a security realm in WebLogic.
2. For multiple Authentication Providers, they are called in order in which they were configured in the security realm.
3. Control Flag: (as shown in 4th image from top) is used to control how authentication providers are used in login sequence. These are also called as JAAS control flag and values are : REQUIRED , REQUISITE, SUFFICIENT, OPTIONAL.
REQUIRED - The Authentication provider is always called, and the user must always pass its authentication test. Regardless of whether authentication succeeds or fails, authentication still continues down the list of providers
REQUISITE - The user is required to pass the authentication test of this Authentication provider. If the user passes the authentication test of this Authentication provider, subsequent providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).
SUFFICIENT - The user is not required to pass the authentication test of the Authentication provider. If authentication succeeds, no subsequent Authentication providers are executed. If authentication fails, authentication continues down the list of providers.
OPTIONAL - The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
Before I jump to step by step OID (LDAP) authentication provider configuration for WebLogic, lets first check few important things
1.You can configure one or more (minimum one) Authentication Provider in a security realm in WebLogic.
2. For multiple Authentication Providers, they are called in order in which they were configured in the security realm.
3. Control Flag: (as shown in 4th image from top) is used to control how authentication providers are used in login sequence. These are also called as JAAS control flag and values are : REQUIRED , REQUISITE, SUFFICIENT, OPTIONAL.
REQUIRED - The Authentication provider is always called, and the user must always pass its authentication test. Regardless of whether authentication succeeds or fails, authentication still continues down the list of providers
REQUISITE - The user is required to pass the authentication test of this Authentication provider. If the user passes the authentication test of this Authentication provider, subsequent providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).
SUFFICIENT - The user is not required to pass the authentication test of the Authentication provider. If authentication succeeds, no subsequent Authentication providers are executed. If authentication fails, authentication continues down the list of providers.
OPTIONAL - The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
Things required to configure OID as authentication Provider in WebLogic
1. OID Server Name
2. OID Port
3. Password for cn=orcladmin account -> WebLogic Server uses this account to connect to LDAP Server
4.BASE DN of your user base in OID -> cn=users, [default OID realm] (usually of format cn=users, dc=uk, dc=co, dc=focusthread)
5.BASE DN of your group base in OID -> cn=groups, [default OID realm] (usually of format cn=groups, dc=uk, dc=co, dc=focusthread)
How to configure OID as Authentication Provider in WebLogic
1. Login to WebLogic Console -> Security Realm -> myrealm
1. OID Server Name
2. OID Port
3. Password for cn=orcladmin account -> WebLogic Server uses this account to connect to LDAP Server
4.BASE DN of your user base in OID -> cn=users, [default OID realm] (usually of format cn=users, dc=uk, dc=co, dc=focusthread)
5.BASE DN of your group base in OID -> cn=groups, [default OID realm] (usually of format cn=groups, dc=uk, dc=co, dc=focusthread)
How to configure OID as Authentication Provider in WebLogic
1. Login to WebLogic Console -> Security Realm -> myrealm
3. Change Control Flag (JAAS Flag) from REQUIRED to SUFFICIENT
5. Select OracleInternetDirectoryAuthenticator
6. Change control flag to SUFFICIENT for OID Authentication Provider added above
7. Select Provider Specific tab and enter your OID server details
Do not forget to change “User Base DN” and “Group Base DN” as per your OID
8. Bounce WebLogic Server
To test if Integration is working :Create a group (Administrators or Deployers or Operators or Monitors) and dummy user as member of group in OID and try to login to WebLogic Server using user in OID who is member of one of group in OID.
To test if Integration is working :Create a group (Administrators or Deployers or Operators or Monitors) and dummy user as member of group in OID and try to login to WebLogic Server using user in OID who is member of one of group in OID.
You can enable debug on Login (Security) to find debug messages in log file for actions (behind the scenes in WebLogic Server)
Servers -> AdminServer -> Debug Select WebLogic ->
Security and click on Enable button
You can see debug messages in $DOMAIN_HOME/servers/AdminServer/logs
You can see debug messages in $DOMAIN_HOME/servers/AdminServer/logs
No comments:
Post a Comment