How to integrate WebLogic with Oracle Internet Directory for Login : Authentication

This post is from our Oracle WebLogic training for Administrators/DBAs, which covers step-by-step instructions on “How to integrate Oracle WebLogic Server with OID (Oracle Internet Directory) for user Login/Authentication”.

By default, Oracle WebLogic Server uses a security realm named “myrealm” that is backed by the embedded LDAP server (with two default users, WebLogic & OracleSystemUser), which acts as the data store for the Authentication, Authorization, Credential Mapping and Role Mapping providers.

You can view the Embedded LDAP Server configuration from the WebLogic Console (/console): Domain -> Security -> Embedded LDAP Server


If you wish to log in to WebLogic Server using users in Oracle Internet Directory (more on OID here), or allow users in OID access to your web services (OWSM policy), you will have to define a new Authentication Provider in your WebLogic realm (myrealm). Authentication Provider types supported by WebLogic include LDAP, RDBMS, Windows NT, SAML, Password Validator and Identity Assertion.

Before I jump to the step-by-step OID (LDAP) authentication provider configuration for WebLogic, let's first check a few important things:

1. You can configure one or more (minimum one) Authentication Providers in a security realm in WebLogic.

2. When multiple Authentication Providers are configured, they are called in the order in which they were configured in the security realm.

3. Control Flag (as shown in the 4th image from top) controls how authentication providers are used in the login sequence. These are also called JAAS control flags, and the values are REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL:

REQUIRED – The Authentication provider is always called, and the user must always pass its authentication test. Regardless of whether authentication succeeds or fails, authentication still continues down the list of providers.

REQUISITE – The user is required to pass the authentication test of this Authentication provider. If the user passes the authentication test of this Authentication provider, subsequent providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).

SUFFICIENT – The user is not required to pass the authentication test of the Authentication provider. If authentication succeeds, no subsequent Authentication providers are executed. If authentication fails, authentication continues down the list of providers.

OPTIONAL – The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
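As an added illustration (not code from the original post or from WebLogic itself), here is a small Python simulation of the login sequence these flags produce, following the standard JAAS LoginContext rules; the provider names, users and passwords are constructed. It reproduces the situation the configuration steps in this post avoid: with the Default Authenticator left at REQUIRED, a user who exists only in OID can never log in, because the embedded LDAP provider fails first and a REQUIRED failure is fatal whatever later providers say. With both providers set to SUFFICIENT the OID user passes, and the weblogic boot user still passes on the first provider without OID being consulted at all.

```python
"""Simulation of how WebLogic applies the JAAS control flags described above.

Added example, not code from the original post or from WebLogic itself: it
models a security realm as an ordered list of providers and applies the
standard JAAS LoginContext rules for REQUIRED, REQUISITE, SUFFICIENT and
OPTIONAL. Provider names, users and passwords are constructed sample data.
"""

from dataclasses import dataclass, field


@dataclass
class Provider:
    """One authentication provider in realm order, with its control flag and a toy user store."""
    name: str
    flag: str                                  # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    users: dict = field(default_factory=dict)  # username -> password (constructed sample data)

    def authenticate(self, user, password):
        """Stand-in for the provider's LoginModule: pass only if the user exists here with that password."""
        return self.users.get(user) == password


def login(providers, user, password):
    """Walk the providers in order and return (success, trace) per the JAAS control-flag rules.

    REQUIRED   must pass; the chain continues either way.
    REQUISITE  must pass; on failure the chain stops immediately.
    SUFFICIENT not required; on success the chain stops with an overall success,
               unless an earlier REQUIRED/REQUISITE provider already failed;
               on failure the chain continues.
    OPTIONAL   not required; the chain continues either way.
    Overall success needs every REQUIRED/REQUISITE provider to pass; if none
    are configured, at least one SUFFICIENT/OPTIONAL provider must pass.
    """
    trace = []
    required_failed = False
    any_required = False
    optional_passed = False
    for p in providers:
        ok = p.authenticate(user, password)
        trace.append(f"{p.name}[{p.flag}]={'pass' if ok else 'fail'}")
        if p.flag in ("REQUIRED", "REQUISITE"):
            any_required = True
            if not ok:
                required_failed = True
                if p.flag == "REQUISITE":
                    trace.append("stop: REQUISITE provider failed")
                    break
        elif p.flag == "SUFFICIENT":
            if ok and not required_failed:
                trace.append("stop: SUFFICIENT provider passed")
                return True, trace
            optional_passed = optional_passed or ok
        elif p.flag == "OPTIONAL":
            optional_passed = optional_passed or ok
        else:
            raise ValueError(f"unknown control flag {p.flag!r}")
    if required_failed:
        return False, trace
    if any_required:
        return True, trace
    return optional_passed, trace


def demo():
    """The realm from the post, before (Default Authenticator REQUIRED) and after (both SUFFICIENT)."""
    default_users = {"weblogic": "welcome1"}   # constructed: embedded LDAP boot user
    oid_users = {"alice": "s3cret"}            # constructed: user that exists only in OID
    before = [Provider("DefaultAuthenticator", "REQUIRED", default_users),
              Provider("OIDAuthenticator", "SUFFICIENT", oid_users)]
    after = [Provider("DefaultAuthenticator", "SUFFICIENT", default_users),
             Provider("OIDAuthenticator", "SUFFICIENT", oid_users)]
    return {
        "oid_user_before": login(before, "alice", "s3cret")[0],      # False: the REQUIRED default provider failed
        "oid_user_after": login(after, "alice", "s3cret")[0],        # True
        "boot_user_after": login(after, "weblogic", "welcome1")[0],  # True, and OID is never consulted
        "bad_password_after": login(after, "alice", "wrong")[0],     # False
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The trace returned by `login` is the same information the WebLogic security debug output gives you provider by provider, which is why enabling that debug (see the end of this post) is the first step when an OID user is rejected: it shows which provider failed and whether its flag let the chain continue.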


Things required to configure OID as an Authentication Provider in WebLogic

1. OID server name
2. OID port
3. Password for the cn=orcladmin account -> WebLogic Server uses this account to connect to the LDAP server
4. Base DN of your user base in OID -> cn=users, [default OID realm] (usually of the form cn=users, dc=uk, dc=co, dc=focusthread)
5. Base DN of your group base in OID -> cn=groups, [default OID realm] (usually of the form cn=groups, dc=uk, dc=co, dc=focusthread)

For steps on how to find the OID port or OID realm, click here


How to configure OID as an Authentication Provider in WebLogic

1. Log in to the WebLogic Console -> Security Realms -> myrealm

2. Select the Providers tab -> Authentication -> DefaultAuthenticator

3. Change the Control Flag (JAAS flag) of the default provider from REQUIRED to SUFFICIENT

4. Click New to add a new Authentication Provider

5. Select OracleInternetDirectoryAuthenticator

6. Change the control flag to SUFFICIENT for the OID Authentication Provider added above

7. Select the Provider Specific tab and enter your OID server details

Do not forget to change “User Base DN” and “Group Base DN” as per your OID

8. Bounce (restart) WebLogic Server

To test whether the integration is working: create a group (Administrators, Deployers, Operators or Monitors) and a dummy user as a member of that group in OID, then try to log in to WebLogic Server as that OID user, who is a member of one of the groups in OID.


How to debug if login to WebLogic via an OID user fails?

You can enable debug on Login (Security) to get debug messages in the log file for the actions WebLogic Server performs behind the scenes:
Servers -> AdminServer -> Debug -> select WebLogic -> Security and click the Enable button

You can see the debug messages in $DOMAIN_HOME/servers/AdminServer/logs
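As an added example (not from the original post), the following Python script parses lines in the layout WebLogic writes to the AdminServer log and counts failed logins and account lockouts per user, which is usually the quickest way to separate a wrong password or locked account from a provider misconfiguration before digging through the verbose debug output. It relies on WebLogic's own security message ids BEA-090302 (authentication failed) and BEA-090078 (account locked after repeated invalid logins); the sample lines, hostnames, usernames and timestamps are constructed.

```python
"""Summarise authentication failures from a WebLogic AdminServer log.

Added example, not code from the original post: a small parser for the
angle-bracket log layout that WebLogic writes under
$DOMAIN_HOME/servers/AdminServer/logs, run over constructed sample lines.
BEA-090302 (authentication failed) and BEA-090078 (account locked after
repeated invalid logins) are WebLogic's own security message ids; the
hostnames, usernames and timestamps below are made up for the demo.
"""

import re
from collections import Counter

# Constructed sample log excerpt, not copied from a real server. The lockout line
# reports WebLogic's default threshold of 5 attempts; the excerpt starts mid-stream.
SAMPLE_LOG = """\
####<Jun 27, 2013 8:11:01 AM GMT> <Notice> <Security> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '0'> <<WLS Kernel>> <> <> <1372320661000> <BEA-090302> <Authentication failed: User alice denied>
####<Jun 27, 2013 8:11:03 AM GMT> <Notice> <WebLogicServer> <wlshost> <AdminServer> <main> <<WLS Kernel>> <> <> <1372320663000> <BEA-000365> <Server state changed to RUNNING>
####<Jun 27, 2013 8:11:05 AM GMT> <Notice> <Security> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '1'> <<WLS Kernel>> <> <> <1372320665000> <BEA-090302> <Authentication failed: User alice denied>
####<Jun 27, 2013 8:11:09 AM GMT> <Notice> <Security> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '2'> <<WLS Kernel>> <> <> <1372320669000> <BEA-090302> <Authentication failed: User bob denied>
####<Jun 27, 2013 8:11:12 AM GMT> <Notice> <Security> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '3'> <<WLS Kernel>> <> <> <1372320672000> <BEA-090302> <Authentication failed: User alice denied>
####<Jun 27, 2013 8:11:12 AM GMT> <Notice> <Security> <wlshost> <AdminServer> <[ACTIVE] ExecuteThread: '3'> <<WLS Kernel>> <> <> <1372320672000> <BEA-090078> <User alice in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.>
"""

# One server-log line: timestamp, severity, subsystem, ..., message id, message text.
LINE_RE = re.compile(
    r"^####<(?P<timestamp>[^>]*)> <(?P<severity>[^>]*)> <(?P<subsystem>[^>]*)> "
    r".*<(?P<msgid>BEA-\d{6})> <(?P<message>.*)>$")
FAILED_RE = re.compile(r"Authentication failed: User (?P<user>\S+) denied")
LOCKED_RE = re.compile(
    r"User (?P<user>\S+) in security realm (?P<realm>\S+) has had (?P<attempts>\d+) invalid login attempts")


def parse_line(line):
    """Return the fields of one server-log line, or None for lines in another layout (e.g. stack traces)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(log_text):
    """Count failed logins per user and collect lockouts from Security-subsystem lines only."""
    failed_by_user = Counter()
    locked = []
    by_msgid = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["subsystem"] != "Security":
            continue  # skip non-security noise such as server state changes
        by_msgid[rec["msgid"]] += 1
        if rec["msgid"] == "BEA-090302":
            m = FAILED_RE.search(rec["message"])
            if m:
                failed_by_user[m["user"]] += 1
        elif rec["msgid"] == "BEA-090078":
            m = LOCKED_RE.search(rec["message"])
            if m:
                locked.append(m["user"])
    return {"failed_by_user": failed_by_user, "locked": locked, "by_msgid": by_msgid}


def suspicious_users(summary, threshold=3):
    """Users at or above the failure threshold: the first thing to check when an OID login 'does not work'."""
    return sorted(u for u, n in summary["failed_by_user"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(dict(s["failed_by_user"]), s["locked"], suspicious_users(s))
```

Point the script at a real AdminServer.log by reading the file into `summarize`; a user who shows up in `locked` will keep failing even after the provider configuration is corrected until the lockout expires or the account is unlocked, which is easy to mistake for a broken OID integration.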


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.


82 comments
dbabeege says February 8, 2010

Nice details.

I have an R12.1 e-business integrated to OID/SSO 10.1.4.3 and the SSO has an external authentication (custom IPASAuthInterface for a smartcard system). Works great for E-business logins. Can I use the same OID/SSO/Smartcard environment for WebLogic 10.3.1 logins as recommended here? It would really help my authentication issues.

Reply
Atul Kumar says February 10, 2010

@ dbabeege,
Yes, you can use the same OID environment for WebLogic 10.3.1.

If you also want SSO (single sign-on) with WebLogic (authentication using OID is different from SSO) then check the
documentation here

Reply
Harsh says February 12, 2010

Hi Atul,

First of all, you’ve done a very nice compilation of all the steps needed for LDAP authentication.

After doing all the steps, I could see all LDAP users loaded through the ‘Users and Groups’ tab in the WLS console. However, I’m unable to log into OBIEE Answers with any LDAP user; every time it says –

Unable to Sign In
An invalid User Name or Password was entered.

I also enabled debugging and checked AdminServer\logs, but to no avail. Can you suggest what could be wrong?

Reply
Atul Kumar says February 15, 2010

@ Harsh,
Did you deploy OBIEE on WebLogic?

If yes, which version of OBIEE and WebLogic are you running?

Which documentation did you use to deploy OBIEE on WebLogic?

Reply
Harsh says February 17, 2010

Atul,

I can now access Answers with LDAP users. Thanks.

Reply
Atul Kumar says February 17, 2010

@ Harsh,
Good to hear that. So what was the issue? Was it a simple WebLogic restart or something else?

Reply
Harsh says February 20, 2010

Thanks Atul. Restarting WebLogic and OPMN services fixed this issue.

Reply
dbabeege says February 22, 2010

Atul – thanks for the SSO document reference. I realize SSO is a little off topic, however I’m trying to follow the document and in section 10.3.2, step 1.e. it has this:
An Oracle Fusion Middleware product such as Oracle Identity Management, Oracle SOA Suite, or Oracle WebCenter is required; it includes the provider required for OSSO by Oracle WebLogic Server in the following path:

ORACLE_INSTANCE/modules/oracle.ossoiap_11.1.1/ossoiap.jar

Any thoughts regarding which environment actually needs this jar file? It doesn’t exist in the existing 10.1.4.3 Identity Management environment. Also, we’ve installed an OHS 10g from the companion CD and we still can’t find the file.

In order to use SSO we need a newer (11g? “Oracle Fusion Middleware”??) identity management environment instead of the 10.1.4.3 IM we use with our e-business suite?

Reply
Atul says February 22, 2010

@ Harsh,
This jar file is part of Fusion Middleware 11g of installation type SOA, WebCenter or Identity Management.

In my case the Fusion MW 11g home is /oracle/apps/fusion/mid with installation type SOA

/oracle/apps/fusion/mid/Oracle_SOA1/modules/oracle.ossoiap_11.1.1
-bash-3.00# ls
ossoiap.jar

Reply
» Authentication Providers in #WebLogic - Oracle Access Manager Identity Assertion for Single Sign-On and OAM Authenticator Online Apps DBA: One Stop Shop for Apps DBA’s says July 5, 2010

[…] To configure OID (Oracle Internet Directory) as Authentication Provider in WebLogic click here […]

Reply
udaykiran says July 8, 2010

Atul,
I was trying to integrate my 10.1.4.0.1 OID with ADS. I was able to do the sync from AD to OID. I am also able to authenticate AD users from SSO against ADS by running oidspadi.sh.
But later I realized that I missed excluding orcladmin and other OID-specific users under the “exception entry property”. For this I re-ran oidspadi.sh, after deleting “adwhencompare” and “adwhenbind” from Plug-in management through oidadmin. From then onwards I am not able to authenticate AD users. New users created in AD are getting synced to OID perfectly, but authentication is failing. Please help me with this.

Reply
Javier says July 12, 2010

Hi Atul

I was trying to create the OID Authenticator but it does not appear in the list box on the new provider screen.

What do I need to do or configure to fix this?

Can you help me please?

Thanks

Reply
Atul Kumar says July 13, 2010

@ Javier,
Which version of WebLogic are you using? Did you or anyone in your team extend the WebLogic console (it is possible to change console properties so that only selected providers are available)?

Update the full navigation path for your authentication provider (OIDAuthenticator)

Reply
Milind says September 17, 2010

Hi Atul,

I'm trying to integrate OID with OSB. I have WS having BPEL and OSB.
I have followed all the steps you have provided for integrating OID with WebLogic Server.
Now when I'm trying to log in with the new username/password in the BPEL console, it works fine, but when trying to log in to the OSB console with the new username/password, it shows an authentication error.
Can you please help me integrate OID with OSB?

Reply
Atul Kumar says September 17, 2010

@ Milind, Which version of OSB are you using? What is the error message in the OSB managed server log file?

Reply
Milind says September 17, 2010

Hi Atul,

Following are the OSB and WS versions.
Also find the error which I got during login.
I'm not able to trace the error in the log files.
I have checked both log files:
osb_server1.log and osb_server1-diagnostic.log

OSB version 11.
WS version 10.3.3.0
Authentication Denied

Reply
Atul Kumar says September 17, 2010

@ Milind,
Only users with the IntegrationAdmin role can access the OSB console.

http://download.oracle.com/docs/cd/E14571_01/doc.1111/e15867/roles.htm#i1074187

Create a group in OID, map this group to the WebLogic role IntegrationAdmin and add the user to the OID group which you have mapped.

Let me know how it goes.

Reply
Sravi says October 1, 2010

Your explanations are splendid. We are trying to provide SSO authentication for our WebLogic 10.3 portal with RSA Access Manager authentication. Could you please provide the steps for SSO integration of WLP 10.3 with RSA Access Manager?

Thank you in Advance

Reply
Atul Kumar says October 1, 2010

@Sravi,

Check the steps in the guide below, which is for RSA with PeopleSoft; however, conceptually it should be applicable to WebLogic too (PeopleSoft uses WebLogic Server)

http://italy.rsa.com/rsasecured/guides/cleartrust/PeopleSoft_PeopleSoft89_PT47_AxM6.pdf

Reply
cristiano says October 22, 2010

Hi,
why do I have to create a group in OID as Administrators and include a dummy user in it?

Is it not possible to define the group/profile for the dummy user in WebLogic?

Reply
Atul Kumar says October 23, 2010

@ cristiano,
By creating the Administrators group and adding a user to that group, you make that user a WebLogic administrator user.

When a user who is a member of Administrators logs into WebLogic (integrated with OID), WebLogic gets the information that the user is a member of the group Administrators. In WebLogic Roles, the Admin role of WebLogic is mapped to the Administrators group of the LDAP server (OID or embedded LDAP).

The other option is to find a user X in OID who is a member of group Y, then go to the WebLogic Roles section, search for the Admin role and configure the Admin role to group Y.

This way user X in OID will become an Admin user of WebLogic.

Reply
cristiano says November 30, 2010

I want to integrate WL 10.0 MP2 with OID.
I have configured the integration with WL 10.3 (11g) correctly, but I can't modify the LDAPAuthenticator created because this error is shown:
OBJECT DELETED: The object that you were viewing has been deleted,either by you or another user. Please make another selection.

What is happening?

Reply
cristiano says November 30, 2010

The previous error happens only with WL 10 MP2; with WL 10.3 (11g) this integration went fine.

Reply
cristiano says December 2, 2010

THE SOLUTION:
WebLogic 10 MP2 64-bit works only with JRockit version jrrt-3.1.2-1.5.0

Reply
me2 says December 8, 2010

Atul – do you know if we can start WebLogic Server 10.3.x using an LDAP account and a boot.properties file? We would like to have only one authentication provider for our security realm and want to remove the default authentication provider. The LDAP user who we will be using to start and stop the server is part of an OID group that is mapped to the Global Admin role in WebLogic.

Thank you.

Reply
me2 says December 8, 2010

No worries I was able to test and got it working.

Reply
Atul Kumar says December 10, 2010

@ Me2,
Yes, you can start WebLogic using an LDAP account. You can either create the group Administrators in LDAP and add the WebLogic admin user to this group

or

use one of the existing groups in OID and map it to the Admin role in WebLogic (WebLogic Console -> Security Realm -> your_realm -> Roles and Policies -> Global Roles -> Roles -> click on “View Role Conditions” against the Admin role -> click Add Condition and add your LDAP group here)

Reply
me2 says December 11, 2010

Thanks Atul – I was able to configure it. I was having issues with ACIs on the LDAP, but all is good now.

Reply
Alexander says May 23, 2011

Hello Atul,

I have a serious problem.
When I change the control flag to SUFFICIENT for the OID Authentication Provider I can't start WebLogic.
./startWebLogic.sh
<Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.
weblogic.security.SecurityInitializationException: User weblogic is not permitted to boot the server; The server policy may have changed in such a way that the user is no longer able to boot the server.Reboot the server with the administrative user account or contact the system administrator to update the server policy definitions.

In OID there is the user weblogic with the same password as in the config file with login and password, and the group Administrators.

Reply
Atul Kumar says May 23, 2011

@Alexander,

In order to understand this issue, please answer the following

1. Are you using boot.properties? (If yes, do not use boot.properties unless you can start from the command prompt.)

2. Remove the user weblogic from OID and create a user like weblogicoid and add that to the group Administrator in OID (ensure that the attribute userpasswd is set and a value is defined for weblogicoid in OID)

3. Ensure that WebLogic Server can connect to the OID server on port 3060 (this is the default OID port)

4. Also make sure that the User Base DN and Group Base DN in the OID provider are set as per your OID.

Reply
Alexander says May 25, 2011

Many thanks, Atul.
I just added the weblogic user to the Administrators group.

Reply
Atul Kumar says May 25, 2011

@ Alexander,
Is this working now?

Reply
Alexander says May 25, 2011

Yes, sure.
Thank you.

Reply
Alexander says June 1, 2011

Hello Atul,
I cannot understand a simple thing.
I have an application that is deployed on WebLogic.
In this application, there is no authentication.
In OID I have one user weblogic in the group Administrators.
Now I want to statically protect the application URLs. When opening links, the SSO page should appear, and after authentication it would provide access to the application.
I do not understand how to deal with groups. In OID I create a user group for this application and add users there. How does WebLogic understand that the user belongs to this group and give access to the application?

Reply
Atul Kumar says June 1, 2011

@ Alexander,
WebLogic, during the authentication process (via the authentication provider), checks the user and all groups assigned to the user (in the identity store) and populates them into the subject. You can enable debug in ATN (authentication) and check the admin server logs to see the user and groups queried from the identity store

Check here
http://download.oracle.com/docs/cd/E17904_01/web.1111/e13710/archtect.htm#i1052063

Reply
Alexander says June 1, 2011

Thanks for the reply.
But I would like to clarify something that is a bit unclear.
In OID, I created a user alex in the group webapp.
The link to the application module on the WebLogic domain is protected by SSO.
When I open the link, the SSO page appears.
I enter the username alex with the appropriate password.
How does WebLogic know that the user alex from the group webapp can be given access to the application?
What do I need to add to the WebLogic domain?

Reply
Alexander says June 1, 2011

Addition

In OID there is also a user alex2 with group webapp2.
This user does not have access to the application.
How do I make it so that the user alex has access, and alex2 does not?

Reply
» User not found in Identity Store : Webcenter Integration with External LDAP like OID (or AD) Online Apps DBA: One Stop Shop for Apps DBA’s says June 3, 2011

[…] Internet Directory (OID) 11g using steps here (For OID integration with WebLogic Domain click here ).  I also added an OID user to WebCenter Administrator role as mentioned […]

Reply
Atul Kumar says June 3, 2011

@ Alexander,
Which application are we talking about here?

The application should have roles defined (and allow or deny access to the application based on role – this is authorization). Application roles are then mapped to groups in OID (LDAP server).

Hope this helps

Reply
» Unable to login to OBIEE /Analytics after OID integration : %user% was authenticated but could not be located within the identity store Online Apps DBA: One Stop Shop for Apps DBA’s says June 21, 2011

[…] Fix: Change control flag of default authentication provider (in weblogic domain) from REQUIRED to SUFFICIENT . More on control flag in WebLogic Authentication Provider here […]

Reply
kdo says June 27, 2011

From a developer's standpoint, what API can we access to get those roles after integration?

Reply
muthuvel says October 11, 2011

Hi,

Thanks a lot for your post; this has greatly helped me to configure OID in WebLogic 10.3.5.

Would you please answer the doubt below.

I have configured OID, and deployed a J2EE application in WebLogic. When I try to log in, my credentials get authenticated, but the server brings back the login page.
Can you suggest what the problem could be?

muthuvel.p

Reply
Atul Kumar says October 12, 2011

@muthuvel,
The J2EE app which you have deployed on WebLogic Server, is this a custom application or a standard Oracle app?

Either you are using the wrong username or the user is not authorised to access this application.

You can enable debug in atn & atz from the WebLogic console to find why this is failing.

Reply
muthuvel says October 12, 2011

Hi,

Thanks a lot for your immediate reply.

This is a custom J2EE application. We have migrated this from OC4J to WebLogic 10.3.5.

In OC4J, we had specified the LDAP details in the orion-application.xml file.

In WebLogic, I have followed your tutorial instructions; the configuration is successful, as I am able to see the OID user names appearing in the console –> security –> user details screen.

When I see the log I was able to see the Access allowed or Denied details depending on the correctness of the password.

But after clicking on login in my application, the same login page comes again, although in the log I was able to see that authentication succeeded. This is the problem I have been facing for the last 10 days.

I have given some roles like testrole, abc and Administrators in weblogic.xml and web.xml.

These roles are not present in OID; OID has a separate set of roles.

Since I am migrating this application, I kept the earlier roles configuration as it is.

Please give your suggestion.

I would greatly appreciate it.

Regards
Muthuvel.P

Reply
muthuvel says October 12, 2011

Hi,

A few more details; I am open to your kind suggestions.

I have configured roles in web.xml as shown below.

testrole

Administrator

Administrators

SuperRole

abc

ADMLoginRole

I have added these same roles in weblogic.xml

CBCMCashier

testrole

Administrator

Administrators

SuperRole

abc

ADMLoginRole

but none of these roles except Administrators is available in OID.

Is this a problem?

Muthuvel.P

Reply
» Integrate OBIEE 11g with OAM 11g for Single Sign-On in 13 steps Online Apps DBA: One Stop Shop for Apps DBA’s says December 5, 2011

[…] You must add additional Authentication Provider of type OID in WebLogic Security Realm (steps here and here  ) so that OBIEE/WebLogic can authenticate users against […]

Reply
» Integrate E-Business Suite with Oracle WebCenter (11.1.1.5) using OID and OAM (11g) as SSO Online Apps DBA: One Stop Shop for Apps DBA’s says February 15, 2012

[…] 5.4 Configure OID as Authentication Provider in WewbCenter’s weblogic security realm. More on OID as authentication provider in WebLogic here […]

Reply
Vikrant Korde says February 28, 2012

Hi Atul,
Thanks for such detailed information about OID integration with WebLogic. I have achieved that successfully.

I want to create users in the WebLogic Embedded LDAP automatically from the OID server. I guess DIP does the same thing: I sync the other directory servers with OID, right?
Can I use DIP to push the users from OID to the WebLogic embedded LDAP server? I could configure JXplorer to view both servers, OID & WebLogic embedded LDAP.

Thanks & Regards,
Vikrant Korde

Reply
Atul Kumar says March 2, 2012

@ Vikrant Korde,
Though I have not tried it myself, yes, DIP should be able to handle this. Use the synchronization component of DIP.

On a side note, why do you want to duplicate users in OID and WebLogic’s embedded LDAP server when WebLogic can use OID users via the OID Authentication Provider?

Reply
Vikrant Korde says March 3, 2012

I am doing an implementation at the client side and the client wants us to keep groups in WebLogic; however, user credentials should be validated from OID.
The client wants to create users with the same name in WebLogic and assign IPM-related groups in WebLogic only. OID will have a single group IPM which will define eligible users for IPM. Later WebLogic will define more specific rights for IPM. So creating users automatically from OID in WebLogic is mandatory,
as WebLogic doesn't allow us to assign groups to users from another authentication source.

Reply
jerry says April 12, 2012

Hi Atul,
I want all the users in OID to be created in WebLogic also. Is this only integration, or does it also create the users in the WebLogic realm?

Reply
    Atul Kumar says April 14, 2012

    OID as a stand-alone application does not require WebLogic.
    There are two J2EE applications (part of IDM)
    a) DIP (used for provisioning and replication of OID with applications and other LDAPs)
    b) OWSMM – Graphical User Interface to manage OID/OVD

    These two applications require WebLogic.

    WebLogic comes with its own embedded LDAP server, but ODSM and DIP use users stored in OID and not WebLogic’s embedded LDAP server.

    Users in the WebLogic embedded LDAP server are used to log in to applications like the WebLogic console or Enterprise Manager (/em)

    and WebLogic are two different thing and you ma

    Reply
Vikrant Korde says April 16, 2012

Hi Atul,

Can I use DIP to integrate OID and WebLogic’s embedded LDAP server?
I want to create users of a specific group from OID in WebLogic. I tried using DIP but it gives me an error of “destination attribute not found”. That attribute is mandatory. I could create some entities of OID in WebLogic but I am not able to create the users.

Regards,
Vikrant Korde.

Reply
Pallavi says June 1, 2012

Hi Atual,

We have configured a custom AD Authenticator with WebLogic. We are experiencing an issue: when a particular user tries to log in to OIM, the OIM managed server goes down.

This is not happening for all users, just the case with a few users.

Any pointer would be a great help.

Thanks

Reply
    Atul Kumar says June 1, 2012

    @ Pallavi,
    Check the OIM managed server and WebLogic domain log file to see why the OIM managed server is crashing for specific users.

    Is there anything different about these users?

    Reply
Pallavi says June 1, 2012

The managed server goes down and is auto-restarted. We are able to reproduce the issue: we asked the same user to try logging in again and the same thing happens; sometimes the OIM server restarts itself.

Reply
Atul Kumar says June 1, 2012

@ Pallavi,
What does the log say, please?

Reply
Pallavi says June 1, 2012

com.thortech.xl.security.tcLoginException:
at com.thortech.xl.security.tcLoginExceptionUtil.createException(tcLoginExceptionUtil.java:96)
at com.thortech.xl.security.tcLoginExceptionUtil.createException(tcLoginExceptionUtil.java:53)
at com.thortech.xl.security.Authenticate.connect(Authenticate.java:231)
at com.thortech.xl.security.Authenticate.connect(Authenticate.java:71)
at com.thortech.xl.security.wl.XellerateLoginModuleImpl.login(XellerateLoginModuleImpl.java:159)
at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
at java.security.AccessController.doPrivileged(Native Method)
at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at com.bea.common.security.internal.service.JAASLoginServiceImpl.login(JAASLoginServiceImpl.java:113)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)

Reply
Atul Kumar says June 1, 2012

@ Pallavi,
Are these users locked or expired? Please raise an SR with Oracle Support and try to find the difference between the set of users for whom this issue is happening.

Reply
Vivek says August 20, 2012

Hi Atul,
To configure OID as an Authentication provider, what pre-requisite installation and configurations are required?
I have installed OIM by following your post on WLS.
Now I am trying to execute \Oracle\Middleware\Oracle_IDM\bin\config.bat.
But it is not launching the config wizard.
Please help ASAP. Big trouble

Reply
    Atul Kumar says August 21, 2012

    @ Vivek,
    Are you planning to integrate OIM with OID? If yes, do not use this post. Share your requirement; the steps/process will differ depending on the requirement.

    Reply
vivek says August 21, 2012

Hi atul,
I have deployed a simple J2EE DRM application on the EPM managed server. So to access the web service I need to have the OID authentication provider.
So to configure OID, when I try to execute config.bat the config wizard doesn't start. Only on the command line we can see some tests are passed, and after that it exits.
Please tell me the pre-requisites for configuring the OID authentication provider.
Thanks.

Reply
Atul Kumar says August 21, 2012

@Vivek,
You don’t use config.bat(.sh) to configure an Authentication Provider. Use the WebLogic Console for the same.

Reply
vivek says August 21, 2012

Thanks for the quick response. Atul, I used the same steps you mentioned above. But unless we configure OID, how can I use the OID authentication provider? I created a provider, but in users and roles while creating a provider it shows only the default authenticator.

Reply
vivek says August 21, 2012

So did you mean that after installation of OIM including OID I don't need to run config.bat??

Reply
Atul Kumar says August 21, 2012

Why do you want OIM (Identity Manager) in the mix?

Reply
Atul Kumar says August 21, 2012

When you said you wish to configure an authentication provider I was assuming you already have OID ready.

The issue for you is that you can't start config.bat from the OID oracle_home, am I right? Please post in the right post to avoid issues like this. Your question should go under the OID installation and configuration post.

Reply
vivek says August 21, 2012

Okay. Thanks, and sorry for this.
I'll post in the right post.

Reply
Vivek says August 22, 2012

Hi Atul,
That worked for me. Thanks so much.
But can you please elaborate on the testing?

i.e.
To test if Integration is working :Create a group (Administrators or Deployers or Operators or Monitors) and dummy user as member of group in OID and try to login to WebLogic Server using user in OID who is member of one of group in OID.

Reply
Charan says June 26, 2013

Hello Atul,

I have integrated WebLogic Server with SSO to have a single login for IPM and R12. In WebLogic and in IPM I can see the SSO users, and login to IPM for SSO users is also successful when I log in through http://hostname.domain.com:16000/imaging.

I have registered the URL http://hostname.domain.com:7778 through ssoreg.sh. Now if I go to http://hostname.domain.com:7778/imaging/faces it redirects to the SSO login page; after I give credentials, I get a 500 Internal Server Error. Please help.

Reply
vijay says June 27, 2013

Hi Team,

After configuring LDAP in WebLogic:

Suppose the LDAP team adds a new group. Do we need to bounce the WebLogic server every time to see the new group in the console, or will it be added dynamically?

Reply
    Atul Kumar says June 27, 2013

    @ Vijay,
    No restart is required at the WebLogic level; just log out and log back in to WebLogic Server and the group should be visible.

    Reply
vijay says June 27, 2013

@Atul,
Thanks

Reply
Charan says June 27, 2013

Hi Atul,

Please check the header trace

POST /sso/auth HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://hostname:7777/sso/pages/login.jsp?site2pstoretoken=v1.4~CA42CA8E~FAC9280B22B1321338A6DBB585F121CFECD3B2C4BB16EECD1F7674D7B905DCA3ADA222337DD0C6C8CC7300C5703865307FCD755CC3151EE81A6061B6A1ABCE218EDFA3BFE60B8A8DD314EBB84BBA7F8364E0E9D0104069680E40A7AD51F7B1AFFF9289FB70DBEEF7696C75A3F9AF7FD5C5AC816ECA206A48C5B4B0936DEB5BB6EE6BB4FFA7EBC599A7BF7A8EEBB93A6535AF5CFC143927669ED395F5A2E6EF688EFCAEC1EABC4EE364275EB1175999308D0DDB852FB1CFD3EE7CF0A18503BFB810A79F7C9814D976&p_error_code=&p_submit_url=http%3A%2F%2Fhostname%3A7777%2Fsso%2Fauth&p_cancel_url=http%3A%2F%2Fhostname%3A7778&ssousername=&subscribername=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: hostname:7777
Content-Length: 565
Connection: Keep-Alive
Cache-Control: no-cache

p_action=OK&v=v1.4&site2pstoretoken=v1.4%7ECA42CA8E%7EFAC9280B22B1321338A6DBB585F121CFECD3B2C4BB16EECD1F7674D7B905DCA3ADA222337DD0C6C8CC7300C5703865307FCD755CC3151EE81A6061B6A1ABCE218EDFA3BFE60B8A8DD314EBB84BBA7F8364E0E9D0104069680E40A7AD51F7B1AFFF9289FB70DBEEF7696C75A3F9AF7FD5C5AC816ECA206A48C5B4B0936DEB5BB6EE6BB4FFA7EBC599A7BF7A8EEBB93A6535AF5CFC143927669ED395F5A2E6EF688EFCAEC1EABC4EE364275EB1175999308D0DDB852FB1CFD3EE7CF0A18503BFB810A79F7C9814D976&appctx=&p_cancel_url=http%3A%2F%2Fhostname%3A7778&locale=&ssousername=testuser01&password=welcome123

HTTP/1.1 302 Moved Temporarily
Date: Thu, 27 Jun 2013 08:11:01 GMT
Server: Oracle-Application-Server-10g/10.1.2.0.2 Oracle-HTTP-Server
Content-Length: 2181
Set-Cookie: SSO_ID=v1.2~1~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ath=/
Cache-Control: private
Location: http://hostname:7778/osso_login_success?urlc=v1.4~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
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

GET /osso_login_success?urlc=v1.4~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
Accept: text/html, application/xhtml+xml, */*
Referer: http://hostname:7777/sso/pages/login.jsp?site2pstoretoken=v1.4~CA42CA8E~FAC9280B22B1321338A6DBB585F121CFECD3B2C4BB16EECD1F7674D7B905DCA3ADA222337DD0C6C8CC7300C5703865307FCD755CC3151EE81A6061B6A1ABCE218EDFA3BFE60B8A8DD314EBB84BBA7F8364E0E9D0104069680E40A7AD51F7B1AFFF9289FB70DBEEF7696C75A3F9AF7FD5C5AC816ECA206A48C5B4B0936DEB5BB6EE6BB4FFA7EBC599A7BF7A8EEBB93A6535AF5CFC143927669ED395F5A2E6EF688EFCAEC1EABC4EE364275EB1175999308D0DDB852FB1CFD3EE7CF0A18503BFB810A79F7C9814D976&p_error_code=&p_submit_url=http%3A%2F%2Fhostname%3A7777%2Fsso%2Fauth&p_cancel_url=http%3A%2F%2Fhostname%3A7778&ssousername=&subscribername=
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: hostname:7778
Cookie: SSO_ID=v1.2~1~C16025781FCDC5C19E002EFDB53D20F4D55C8A9548B8FBE9240E08769C6D4002DB4E65C239FF5E718DD85CC704C14574085C360B308AECAEF7352155C9F2A364A328905B7524361043A40C82D9090E07936E7450343550CDE61713B2A53791782852BB2FEDB476A9AADF3F6A374A490CA16DDF6A6EF5A3EC3EBCF378414726AA28D2DF7B0B5BA75FD91F939ED939955FD27CF87A34D73C5E09522EDCEDCD2075A5C55F9983DD66215B144433DF11470C7AAD3A34E0BDA54A5A71104D29F7AB95AD2AEE042E487A2FE8A5DEA3E50716782404D48ED070D6D4CCF2D73FE96265FF53F251B5C14531CC7AB050BE9533E01F12CF8256A0F3B2F4A58A07A12D4AC1EC
Connection: Keep-Alive
Cache-Control: no-cache

HTTP/1.1 500 Internal Server Error
Date: Thu, 27 Jun 2013 08:11:01 GMT
Server: Oracle-Application-Server-11g
Set-Cookie: OHS-whostname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~; path=/; secure;HTTPOnly
Content-Length: 375
Connection: close
Content-Type: text/html; charset=iso-8859-1

Reply
    Atul Kumar says June 27, 2013

    I had similar issue for one of my client.

    See if this helps

    1. Change $ORACLE_INSTANCE/config/OHS/ohs1/moduleconf/mod_osso.conf
    2. Add the following entries

    <Location /osso_login_success>
        SetHandler osso_login_success_handler
    </Location>

    <Location /osso_logout_success>
        SetHandler osso_logout_success_handler
    </Location>

    3. Restart OHS and test again

    Update results in either case

    Reply
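The trace in Charan's comment and the mod_osso.conf fix in the reply above can be checked mechanically. The following is an added example, not code from the original post, its author or Oracle: it pairs each request in a captured HTTP trace with its response to locate the first failing hop (here the GET to /osso_login_success answered with a 500), masks the secrets such a trace carries (the form password, the SSO_ID cookie, the site2pstoretoken and urlc tokens) so it can be shared for troubleshooting, and verifies that a mod_osso.conf fragment contains the two Location/SetHandler pairs from the reply. The trace and the two config fragments are constructed samples shaped like the comment thread; host names, token values and the surrounding config lines are placeholders.

```python
"""Troubleshooting helpers for the mod_osso login exchange (added example)."""
import re

# Constructed sample trace: same hop sequence as the comment, secrets shortened.
SAMPLE_TRACE = """\
POST /sso/auth HTTP/1.1
Host: hostname:7777
Content-Type: application/x-www-form-urlencoded

p_action=OK&v=v1.4&site2pstoretoken=v1.4%7EAAAA%7EBBBB&ssousername=testuser01&password=welcome123

HTTP/1.1 302 Moved Temporarily
Set-Cookie: SSO_ID=v1.2~1~DEADBEEF; path=/
Location: http://hostname:7778/osso_login_success?urlc=v1.4~CAFE

GET /osso_login_success?urlc=v1.4~CAFE HTTP/1.1
Host: hostname:7778
Cookie: SSO_ID=v1.2~1~DEADBEEF

HTTP/1.1 500 Internal Server Error
Server: Oracle-Application-Server-11g
Connection: close
"""

REQ_RE = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS)\s+(\S+)")
RESP_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")


def parse_trace(trace):
    """Return (method, path, status) hops in order; query strings are dropped
    from the path so hops compare by resource rather than by token value."""
    hops, pending = [], None
    for line in trace.splitlines():
        m = REQ_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2).split("?", 1)[0])
            continue
        m = RESP_RE.match(line)
        if m and pending:
            hops.append((pending[0], pending[1], int(m.group(1))))
            pending = None
    return hops


def first_failure(hops):
    """First hop answered with a 4xx/5xx status, or None if all succeeded."""
    for hop in hops:
        if hop[2] >= 400:
            return hop
    return None


# Names whose values must never leave the machine in a pasted trace.
SECRET_PARAMS = ("password", "site2pstoretoken", "urlc")
SECRET_COOKIES = ("SSO_ID",)


def redact(trace):
    """Mask form/query parameter values and cookie values by name."""
    out = trace
    for name in SECRET_PARAMS:
        # value runs until the next '&' or whitespace (form body, query string, Location header)
        out = re.sub(r"(?<![A-Za-z0-9_])(" + re.escape(name) + r"=)[^&\s]+",
                     r"\1<redacted>", out)
    for name in SECRET_COOKIES:
        # cookie value runs until ';' or end of the header line
        out = re.sub(r"(" + re.escape(name) + r"=)[^;\s]+", r"\1<redacted>", out)
    return out


# Constructed config fragments; the Location blocks are the ones from the reply above.
CONF_BEFORE = """\
<IfModule osso_module>
    OssoConfigFile osso.conf
</IfModule>
"""
CONF_AFTER = CONF_BEFORE + """\
<Location /osso_login_success>
    SetHandler osso_login_success_handler
</Location>
<Location /osso_logout_success>
    SetHandler osso_logout_success_handler
</Location>
"""

REQUIRED_HANDLERS = {
    "/osso_login_success": "osso_login_success_handler",
    "/osso_logout_success": "osso_logout_success_handler",
}
LOC_RE = re.compile(r"<Location\s+(\S+)\s*>(.*?)</Location>", re.S | re.I)


def missing_osso_handlers(conf_text):
    """Paths from REQUIRED_HANDLERS whose Location block or SetHandler is absent."""
    found = {}
    for m in LOC_RE.finditer(conf_text):
        h = re.search(r"^\s*SetHandler\s+(\S+)", m.group(2), re.M)
        if h:
            found[m.group(1)] = h.group(1)
    return sorted(p for p, h in REQUIRED_HANDLERS.items() if found.get(p) != h)


if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    print("first failing hop:", first_failure(hops))
    print("missing before fix:", missing_osso_handlers(CONF_BEFORE))
    print("missing after fix:", missing_osso_handlers(CONF_AFTER))
    print(redact(SAMPLE_TRACE))
```

Run the redacted output, not the raw capture, through a comment thread: the original trace above carries a cleartext password and a live SSO_ID session cookie, and either is enough for someone else to reuse the session.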
vijay says June 28, 2013

Hi Atul,

I need one more information.

We are using Novell eDirectory for users accessing different applications (SOA, BAM and BPM).

I am giving different role levels like monitor, developer and tester.

How can I remove console and EM access? I just want to give only BPM and SOA application-level access.

Thanks,
Vijay

Reply
» Integrate OES 11gR2 with LDAP (OID) Server for OES Policy Administration Console (/apm) login Online Apps DBA: One Stop Shop for Apps DBA’s says August 5, 2013

[…] steps mentioned here to add OID as additional Authentication Provider in WebLogic […]

Reply
» Security:090294 could not get connection javax. net. ssl. SSLKeyException FATAL Alert BAD_CERTIFICATE – A corrupt or unuseable certificate was received Online Apps DBA: One Stop Shop for Apps DBA’s says February 7, 2014

[…] Security:090294 could not get connection javax. net. ssl. SSLKeyException FATAL Alert BAD_CERTIFICATE – A corrupt or unuseable certificate was received Posted in February 7th, 2014 byAtul Kumar in ssl, troubleshooting, weblogic In today’s post I am going to discuss issue while integrating WebLogic Server with LDAP Server (OID/OVD) listening on SSL. To know more about adding OID as authentication provider in WebLogic click here […]

Reply
alirazaidi says August 28, 2014

After doing all steps, I could see all LDAP users loaded through the ‘Users and Groups’ tab in the WLS console.
I have deployed a JSP application on WLS. I can log in with WLS users but I’m unable to log in with any LDAP user; every time it says –
Unable to Sign In
Please advise

Reply