Integrating Oracle Access Manager with WebLogic Server 10g

Hi all,

This post will talk about the integration between Oracle Access Manager 10g and WebLogic Server 10g. This is not applicable for WebLogic versions 10.3.1 and higher. The functionality achieved with this integration is Single Sign-On between applications deployed on WebLogic Server (WebLogic resources) and non-WebLogic resources. In other words, the SSPI connector can be used to achieve Single Sign-On between OAM access gates and web gates.

Infrastructure involved: 

  • Oracle Access Manager 10.1.4.2 and higher
  • WebLogic SSPI
  • Oracle HTTP Server (for reverse proxy)

It is assumed that Oracle Access Manager is already installed; this post will not cover the installation of any component unless it is needed for this integration.

It is good to upgrade Oracle Access Manager to 10.1.4.2 if you are using 10.1.4.1, as there are some bugs associated with this integration.

WebLogic SSPI can be downloaded here (linux) or here (windows). Here I have selected OHS as the reverse proxy; this can be any other web server of your choice, provided a WebGate is already installed on it.

Until WebLogic Server 10.3.0, this integration has been achieved using SSPI connector.

Security Service Provider Interface (SSPI) Connector:

The WebLogic security framework and the WLS connector are based on J2EE standards and on an implementation of JAAS. Taken together, WebLogic's implementation of JAAS is called the SSPI. The SSPI consists of several provider modules: Authentication provider, Identity Asserter, Authorization provider, Role Mapping provider and Deployment provider.

Authentication Provider: This provider uses OAM authentication services to authenticate users (based on username and password) who access WebLogic applications. This provider does not provide Single Sign-On capability.

Authorization Provider: This provider uses OAM authorization services to authorize users who access WebLogic resources. The authorization is done based on policies that are specified in the Policy Manager.

Identity Asserter: This provider is essential when Single Sign-On capability is needed. It is similar to the Authentication provider, but it validates an already authenticated user based on the ObSSOCookie. It is used in the proxied configuration.

Role Mapper: This provider returns the security roles of a user. The groups that the user is part of are returned by the actions configured in an authentication policy of the policy domain.

Deployment Provider: This provider (though not part of the JAAS specification) monitors the applications that are deployed or undeployed on the WebLogic Server and writes information about these applications to either NetPointDeployPolicy.txt or NetPointUndeployPolicy.txt.

Architecture:

(The architecture diagram is not reproduced in this text copy.)

Process Flow:

  1. The user requests a WebLogic resource protected by OAM. In this case, the auth-method configured in web.xml should be CLIENT-CERT.
  2. WebGate intercepts the request and checks with the Access Server whether the resource is protected. If it is, WebGate fetches the authentication scheme configured for that resource.
  3. The user is challenged for username and password based on the authentication scheme configured for that resource.
  4. The user submits the credentials.
  5. WebGate passes the credentials to the Access Server for validation. If the user is authenticated successfully, the Access Server creates a session token and passes it to WebGate. WebGate sets the ObSSOCookie and appends it to the HTTP header. The plugin configured in the proxy server (mod_proxy) forwards the request to the WebLogic server.
  6. The WebLogic server plugin passes the cookie to the WebLogic server.
  7. The WebLogic security framework invokes the SSPI connector, which in turn invokes the Identity Asserter. The Identity Asserter expects the ObSSOCookie as an external token for validating the user. The Asserter sets the cookie in the HTTP response object once it validates the token.
  8. The Identity Asserter extracts the cookie from the HTTP header and retrieves the user identity from the Access Server using a return action defined in a special authentication scheme in OAM. A resource with URL /Authen/Basic is protected by OAM and is used by the SSPI internally to authenticate users.
  9. The Authorization provider talks to the Access Server to verify whether the user is authorized to access the resource. The Role Mapping provider uses the access gate to communicate with the Access Server to determine which OAM roles are defined for the user; these roles are mapped to security roles in WebLogic. In OAM, these roles are defined as a return action on /Authen/Roles when getting an authorization policy.

If the authorization is successful, the WebLogic server allows the user to access the requested resource. The ObSSOCookie is set so that when the user attempts to access additional OAM-protected non-WebLogic resources, re-authentication is not performed. Thus Single Sign-On is achieved between webgates and access gates.

Installation and Configuration:

This integration involves:

  • Configure OAM for SSPI
  • SSPI connector install
  • Configure SSPI Connector
  • Deploy Policy Domains
  • Deploy WebLogic Application
  • Configure Reverse proxy
  • Test for SSO
  • Troubleshooting

Configure OAM for SSPI:

The SSPI connector communicates with both the Identity and Access Servers. Since it also needs user information such as privileges, groups, actions and responses, you will need a dedicated user for the SSPI to talk to the Access Server. Let's name this user wlsadmin: create the user and assign it the Master Identity Administrator, Master Administrator and Delegated Identity Administrator roles.

1. Create the following resource type definitions in OAM:

wl_url: resource operation as GET and POST
wl_svr: resource operation as BOOT and DEFAULT
wl_adm: resource operation as DEFAULT
wl_ejb: resource operation as EXECUTE
wl_authen: resource operation as LOGIN

2. Create the WebLogic authentication scheme to be used by the WebLogic policy domain with the following values.

Name: Oracle WebLogic Access and Identity authentication scheme
Description: Used to authenticate users who access WebLogic resources.
Level: 1
Challenge Method: Basic
Challenge Parameter: realm:Oracle Access and Identity
SSL Required: No
Challenge Redirect: (Leave blank)
Enabled: (Leave as is)

Specify the credential_mapping and validate_password plugin values as shown below.

credential_mapping obMappingBase="o=company,c=us",obMappingFilter="(&(&(objectclass=inetorgperson)(uid=%userid%)) (|(!(obuseraccountcontrol=*)) (obuseraccountcontrol=ACTIVATED)))"
validate_password obCredentialPassword="password"

Adjust the domain name (o=company,c=us) to match your environment.
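As an added example (not part of the original post), here is a small shell script that expands the credential_mapping filter above for a given user and runs it with ldapsearch, so you can confirm, before the scheme is put in front of WebLogic, that a login resolves to exactly one ACTIVATED (or uncontrolled) inetorgperson under the mapping base. The directory URL and bind DN are assumptions; the filter itself is the one from the scheme, with the user id escaped as RFC 4515 requires so it is always compared literally.

```shell
#!/bin/sh
# Added example, not part of the original post: expand the credential_mapping
# filter of the WebLogic authentication scheme for one user and run it against
# the directory with ldapsearch. LDAP_URL and BIND_DN are assumptions; the
# mapping base is the one from the scheme and must be changed together with it.
OB_MAPPING_BASE="${OB_MAPPING_BASE:-o=company,c=us}"
LDAP_URL="${LDAP_URL:-ldap://directory.example.com:389}"
BIND_DN="${BIND_DN:-cn=orcladmin}"

# Escape the characters RFC 4515 reserves inside a filter value (\ * ( ) ), so
# whatever replaces %userid% is compared literally and cannot change the filter.
escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The scheme's obMappingFilter with %userid% replaced by the escaped user id.
build_mapping_filter() {
    uid=$(escape_filter_value "$1")
    printf '(&(&(objectclass=inetorgperson)(uid=%s))(|(!(obuseraccountcontrol=*))(obuseraccountcontrol=ACTIVATED)))' "$uid"
}

# Run the filter under the mapping base and print how many entries matched.
# 1 is what the Access Server needs; 0 means the user will not map, and more
# than 1 means the mapping is ambiguous for that login.
count_mapped_users() {
    filter=$(build_mapping_filter "$1")
    ldapsearch -x -LLL -H "$LDAP_URL" -D "$BIND_DN" -W -b "$OB_MAPPING_BASE" "$filter" dn \
        | grep -c '^dn: '
}

# Usage: sh check_mapping_filter.sh <userid>
if [ $# -ge 1 ]; then
    echo "filter:  $(build_mapping_filter "$1")"
    echo "matches: $(count_mapped_users "$1")"
fi
```

Run it once with a normal login and once with a deactivated account: the first should report one match and the second zero, which is exactly the behaviour the obuseraccountcontrol clause in the scheme is meant to give.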

3. Create a second authentication scheme for un-protecting certain resources, such as gif images in WebLogic resources, using the following details and the Anonymous authentication scheme as a template:

General tab:
Name: Oracle WebLogic Anonymous Authentication
Description: Used to un-protect gifs, and so on.
Level: 0
Challenge Method: Anonymous
Parameter: (Leave blank)
SSL Required: No
Challenge Redirect: (Leave blank)
Enabled: Yes

Provide the plugin values as shown below.

credential_mapping obMappingBase="o=company,c=us",obMappingFilter="(uid=OblixAnonymous)"

4. Configure an Access Gate for the SSPI connector. This is the access gate used by the security providers to communicate with the Access Server. Follow the OAM installation guide for creating an access gate. Note that the port need not be specified.

5. Back up config.xml and boot.properties.

6. Install the SSPI connector. The steps are straightforward; a few things to remember:

Select Advanced as Configuration option.

Enter allow for the "Map the authorization result abstain" prompt.

Enter the webpass hostname and port.

Enter the user and group search attributes.

Select the transport mode option as open, simple or cert.

Enter the access gate details as specified in Access gate profile.

Configure SSPI connector:

1. Go to the location sspi_install_dir/NetPointSecuProvForWeblogic.

2. Take a backup of the files NetPointResourceMap.conf and NetPointProvidersConfig.properties.

3. Edit the file NetPointProvidersConfig.properties with the following values:

OB_LogLevel=Info
OB_LogLevel=sspi_conn_install/NetPointSecuProvForWeblogic/
OB_AdminUserName=wlsadmin
OB_AdminUserCreds=password
OB_CookieDomain=.domain.com

Change OB_CookieDomain as per your environment.

4. Copy the files NetPointResourceMap.conf and NetPointProvidersConfig.properties to the WebLogic domain directory.

5. Copy wl92NetPointSecurityProviders.jar from sspi_conn/NetPointSecuProvForWeblogic/oblix/lib/mbeantypes/wl92NetPointSecurityProviders.jar to wlsserver_103/server/lib/mbeantypes.

6. Take a backup of setDomainEnv.sh (or setDomainEnv.cmd) and edit it with the values shown below.

Go to the end of the file and place this text after the export JAVA_OPTIONS line.

# SET WLSConnector Classpath and other paths
export OAMWLC="/u01/oracle/sspi/NetPointSecuProvForWeblogic"
export OAMWLCDIR="${OAMWLC}/oblix/lib"
LD_LIBRARY_PATH="${OAMWLCDIR}"
export LD_LIBRARY_PATH
export PATH="${PATH}:${OAMWLCDIR}"
export WLC_LIB_CLASSPATH="${OAMWLCDIR}/jobaccess.jar${CLASSPATHSEP}${OAMWLCDIR}/bcprov-jdk14-125.jar${CLASSPATHSEP}${OAMWLCDIR}/wlNetPoint.jar${CLASSPATHSEP}${OAMWLCDIR}/xerces.jar"

Note: Be careful with the WLC_LIB_CLASSPATH value; it must not contain any spaces or line breaks.

7. Comment out the existing CLASSPATH assignment and replace it with the one shown below.

CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WLC_LIB_CLASSPATH}${CLASSPATHSEP}${WEBLOGIC_CLASSPATH}${CLASSPATHSEP}${POST_CLASSPATH}${CLASSPATHSEP}${WLP_POST_CLASSPATH}"
export CLASSPATH

8. Restart the WebLogic server. You should now see the new jars in the classpath.
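Because a stray space or line break in WLC_LIB_CLASSPATH only shows up when the providers fail to load at boot, here is an added check (not from the original post) that you can run from the same shell before restarting: it recomputes the value with the paths used in setDomainEnv.sh above, confirms there is no whitespace in it, and confirms that every jar it lists exists on disk. OAMWLC defaults to the install path used in the post and can be overridden from the environment.

```shell
#!/bin/sh
# Added pre-restart check for the SSPI classpath; not part of the original post.
# OAMWLC defaults to the install path used in setDomainEnv.sh in the post.
OAMWLC="${OAMWLC:-/u01/oracle/sspi/NetPointSecuProvForWeblogic}"
OAMWLCDIR="${OAMWLC}/oblix/lib"
CLASSPATHSEP=":"
WLC_LIB_CLASSPATH="${OAMWLCDIR}/jobaccess.jar${CLASSPATHSEP}${OAMWLCDIR}/bcprov-jdk14-125.jar${CLASSPATHSEP}${OAMWLCDIR}/wlNetPoint.jar${CLASSPATHSEP}${OAMWLCDIR}/xerces.jar"

# Return 0 when the value contains no space, tab or newline anywhere.
has_no_whitespace() {
    case "$1" in
        *[[:space:]]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print every entry of a CLASSPATHSEP-separated list that does not exist on disk.
missing_classpath_entries() {
    printf '%s\n' "$1" | tr "$CLASSPATHSEP" '\n' | while IFS= read -r entry; do
        [ -e "$entry" ] || printf '%s\n' "$entry"
    done
}

# Verdict: 0 = safe to restart, 1 = whitespace in the value, 2 = jars missing.
check_wlc_classpath() {
    if ! has_no_whitespace "$1"; then
        echo "WLC_LIB_CLASSPATH contains whitespace; join it onto one line" >&2
        return 1
    fi
    missing=$(missing_classpath_entries "$1")
    if [ -n "$missing" ]; then
        echo "WLC_LIB_CLASSPATH names jars that are not on disk:" >&2
        echo "$missing" | sed 's/^/  /' >&2
        return 2
    fi
    echo "WLC_LIB_CLASSPATH is on one line and every jar exists"
}

# Usage: sh check_wlc_classpath.sh check
if [ "${1:-}" = "check" ]; then
    check_wlc_classpath "$WLC_LIB_CLASSPATH"
fi
```

Run it as `sh check_wlc_classpath.sh check` after saving setDomainEnv.sh; a non-zero exit tells you which of the two problems to fix before step 8.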

9. Take a backup of the file setupNetPointRealm.properties in sspi_connector/NetPointSecuProvForWeblogic.

10. Edit the file setupNetPointRealm.properties with the values for your environment: enter the hostname, domain name, WebLogic server port, username and password, and save it.

11. Go to sspi_connector/NetPointSecuProvForWeblogic and execute setupNetPointRealm_wl92.sh.

Note: Even though you are using WebLogic Server 10.3.0, you should execute setupNetPointRealm_wl92.sh; do not execute setupNetPointRealm.sh.

12. This script will create the NetPointRealm with necessary security providers.

Deploy Policy Domains:

1. Take a backup of NetPointWeblogicTools.properties in sspi_conn/NetPointSecuProvForWeblogic/oblix/tools/npWLTools and edit it with the values given below. The two scheme names must match the names of the authentication schemes you created in OAM.

ObWLTools.Debug=true
ObPolicyDomain.Name=WebLogic Server Security Provider
ObWLTools.DeployPolicy=false
ObWLSDomain.Dir=weblogic directory location
ObWLAuthenticationScheme.Name=OAM WebLogic Server Basic Authentication
ObWLNoneAuthenticationScheme.Name=OAM WebLogic Anonymous Authentication

2. Create a file runDeployerTool.sh under sspi_conn/NetPointSecuProvForWeblogic/oblix/tools/npWLTools with the following content:

export CLASSPATHSEP=":"
export OAMWLC="sspi_conn/NetPointSecuProvForWeblogic"
export OAMWLCDIR="${OAMWLC}/oblix"
export CLASSPATH="${CLASSPATH}${CLASSPATHSEP}${OAMWLCDIR}/lib/jobaccess.jar${CLASSPATHSEP}${OAMWLCDIR}/tools/npWLTools${CLASSPATHSEP}${OAMWLCDIR}/tools/npWLTools/npWLTools.jar"
export PATH="${PATH}:${OAMWLCDIR}/lib"
export LD_LIBRARY_PATH="${OAMWLCDIR}/lib"
echo $CLASSPATH
/u01/jdk160_05/bin/java com.oblix.weblogic.tools.NetPointPolicyDeployer wlsadmin password

Note: This is for a Linux environment; on Windows, use the following instead.

set CLASSPATHSEP=;
set OAMWLC=D:/sspi_Connector/NetPointSecuProvForWeblogic
set OAMWLCDIR=%OAMWLC%/oblix
set CLASSPATH=%CLASSPATH%;%OAMWLCDIR%/lib/jobaccess.jar;%OAMWLCDIR%/tools/npWLTools;%OAMWLCDIR%/tools/npWLTools/npWLTools.jar
set PATH=%PATH%;%OAMWLCDIR%/lib
set LD_LIBRARY_PATH=%OAMWLCDIR%/lib
echo %CLASSPATH%
D:/bea/jdk160_05/bin/java com.oblix.weblogic.tools.NetPointPolicyDeployer wlsadmin password

3. Run the deployer tool and check the log for any errors. This tool creates a policy domain with resources, authorization policies etc.; verify it by logging in to the OAM Policy Manager console.

4. Now log in to the WebLogic console and inspect the newly created realm NetPointRealm. Check its users and groups, security providers, etc. Remember that this is not the default realm yet.

5. Go to the Providers tab, Certification Path, click WebLogicCertPathProvider and enable the check box Set Current Builder.

6. Enable NetPointRealm as the default realm in the console.

7. Stop the WebLogic server. Edit the boot.properties file and set the username and password to the wlsadmin credentials.

8. Start the WebLogic server. NetPointRealm should now be the default realm and you should be able to log in to the WLS console as wlsadmin.

Deploy the WebLogic application: 

You can deploy a sample WebLogic application to the server where NetPointRealm is the default realm. Go to the WebLogic policy domain in the OAM console, add the resource /sample/index.jsp and save it.

Configure Reverse Proxy:

1. In this case, I have used OHS as the reverse proxy.

2. Create an OHS WebGate profile in the OAM console and install the OHS WebGate. I am not describing this further as it is pretty straightforward.

3. Edit the httpd.conf file of the OHS server, go to the end of the file and add the following line:

ProxyPass /sample http://sspi_hostname:port/sample

Test the SSO:

1. Now access the application at http://reverseproxy_hostname:port/sample.

2. You will be challenged for credentials according to the authentication scheme configured for it.

3. If you access any other OAM-protected resource with the same authentication level as the /sample application, you should be able to access it directly without re-authentication.
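To make the three test steps above repeatable, here is an added smoke test (not part of the original post) built around curl: it expects a Basic challenge for the realm configured in the WebLogic authentication scheme, logs in once, captures the ObSSOCookie that WebGate sets, and then presents only that cookie to a second protected resource, which must be served without another challenge. The proxy URL and the second resource path are assumptions; with no environment set the script only runs its header parsers against constructed samples, and it talks to the proxy only when RUN_SSO_TEST=1 and SSO_USER/SSO_PASS are provided.

```shell
#!/bin/sh
# Added smoke test for the SSO flow described in the post; not original code.
# PROXY_URL and SECOND_RESOURCE are assumptions for the test environment.
PROXY_URL="${PROXY_URL:-http://reverseproxy.example.com:7777}"
SECOND_RESOURCE="${SECOND_RESOURCE:-/other/index.html}"
# Challenge Parameter realm of the WebLogic authentication scheme in OAM.
EXPECTED_REALM="Oracle Access and Identity"

# Print the HTTP status code from a header dump written by curl -D.
status_from_headers() {
    tr -d '\r' < "$1" | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p' | tail -n 1
}

# Return 0 when the dump carries a Basic challenge for the expected realm.
is_basic_challenge() {
    tr -d '\r' < "$1" | grep -qi "^WWW-Authenticate: *Basic realm=\"\{0,1\}${EXPECTED_REALM}"
}

# Print the ObSSOCookie value set by WebGate, or nothing if it is absent.
obsso_cookie_from_headers() {
    tr -d '\r' < "$1" | sed -n 's/^[Ss]et-[Cc]ookie: *ObSSOCookie=\([^;]*\).*/\1/p' | head -n 1
}

# Live test against the reverse proxy (needs SSO_USER and SSO_PASS).
run_sso_test() {
    hdr=$(mktemp)
    # 1. Unauthenticated request: WebGate must challenge, not serve.
    curl -s -o /dev/null -D "$hdr" "$PROXY_URL/sample/index.jsp"
    is_basic_challenge "$hdr" || { echo "no Basic challenge for realm '$EXPECTED_REALM'"; return 1; }
    # 2. Authenticate once: WebGate must hand back an ObSSOCookie.
    curl -s -o /dev/null -D "$hdr" -u "${SSO_USER:?}:${SSO_PASS:?}" "$PROXY_URL/sample/index.jsp"
    cookie=$(obsso_cookie_from_headers "$hdr")
    [ -n "$cookie" ] || { echo "ObSSOCookie was not set after login"; return 1; }
    # 3. Cookie alone, no credentials, to a second protected resource: must be 200.
    curl -s -o /dev/null -D "$hdr" -b "ObSSOCookie=$cookie" "$PROXY_URL$SECOND_RESOURCE"
    [ "$(status_from_headers "$hdr")" = "200" ] || { echo "second resource re-challenged or failed"; return 1; }
    rm -f "$hdr"
    echo "SSO OK: one login, cookie accepted on $SECOND_RESOURCE"
}

# Offline self-check of the parsers on constructed header samples.
self_check() {
    hdr=$(mktemp)
    printf 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Oracle Access and Identity"\r\n\r\n' > "$hdr"
    is_basic_challenge "$hdr" || return 1
    [ "$(status_from_headers "$hdr")" = "401" ] || return 1
    printf 'HTTP/1.1 200 OK\r\nSet-Cookie: ObSSOCookie=constructed-token-value; path=/; domain=.example.com\r\n\r\n' > "$hdr"
    [ "$(obsso_cookie_from_headers "$hdr")" = "constructed-token-value" ] || return 1
    rm -f "$hdr"
    echo "parsers OK"
}

if [ "${RUN_SSO_TEST:-0}" = "1" ]; then run_sso_test; else self_check; fi
```

Step 3 is the one that proves the integration: if the second resource answers with another challenge, the cookie is being set but not accepted, which points at the cookie domain (OB_CookieDomain) or the authentication level of that resource rather than at the login itself.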

Troubleshooting Tips:

1. Refer to the Oracle documentation.

2. Troubleshooting-sspi-integration

References: Oracle SSPI Integration guide

Coming Soon:

1. Oracle Access Manager and Oracle Adaptive Access Manager integration

2. OAM integration with WebLogic server for different versions and architectures

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com


27 comments
bharathi says March 25, 2010

hi Mahendra,

I have tried the integration of OAM and Weblogic using the SSPI connector. But while creating the NetPointRealms in Weblogic using setupNetPointRealm.cmd I am not able to create realms in Weblogic for OAM. Please suggest how to do the same.

Thanks,
Bharathi

Reply
Mahendra says March 25, 2010

Hi Bharathi,

If your weblogic server version is >= 10.3.0, you should use setupnetpointrealm_wl92.cmd. I made a note of it in the post.

Reply
» Oracle Access Manager 10.1.4.3 integration with WebLogic Server Online Apps DBA: One Stop Shop for Apps DBA’s says May 13, 2010

[…] architecture diagram goes almost similar to the one as here except that the SSPI Connector is not explicitly installed in the WebLogic Server (instead there […]

Reply
Joseph says August 26, 2010

Mahendra,

I’m using weblogic server 10.3.2. In your post you said SSPI plug in is only for versions below 10.3.2. So what is the alternative?

Is an SSPI connector essential to protect a weblogic resource/application running on port 7001, using Oracle Access Manager?

Thanks for your time.

Regards
Joseph

Reply
Joseph says August 26, 2010

Ok, Saw it only later that for weblogic > 10.3 one would have to use setupnetpointrealm_wl92.cmd..

but the question remains
Is an SSPI connector essential to protect a weblogic resource/application running on port 7001, using Oracle Access Manager?

thanks

Reply
Mahendra says August 26, 2010

Joseph,

Which version of OAM are you using?
If it is 10.1.4.3, then you can use Out of the box identity asserter available with OAM downloads. If not, you have to use SSPI connector.

Yes, SSPI is used to protect weblogic resources using OAM.

Mahendra.

Reply
Joseph says August 26, 2010

Yes, Mahendra. It is 10.1.4.3

I checked the package downloaded. Found oamcfgtool jar file. Is this what you are referring to? How can I use this, is there a link where you can direct me to?

Many thanks
Joseph

Reply
Atul Kumar says August 26, 2010

@ Joseph,
In your weblogic server do you see OAM identity asserter provider (under weblogic authentication providers) ?

Check more here
http://onlineappsdba.com/index.php/2010/07/05/authentication-providers-in-weblogic-oracle-access-manager-identity-assertion-for-single-sign-on-and-oam-authenticator/

oamcfgtool is a tool to automate OAM integration with Fusion Middleware 11g products
http://onlineappsdba.com/index.php/2010/05/18/oamcfgtool-oam-configuration-tool-for-fusion-middleware-11g-soawebcenter-integration-with-oam/

Reply
Mahendra says August 26, 2010

Joseph,

You can check this link http://onlineappsdba.com/index.php/2010/05/13/oracle-access-manager-10143-integration-with-weblogic-server/ for end to end integration steps of OAM 10.1.4.3 and WLS 10.3.2.

Let me know if you face any issues.

-M.

Reply
Joseph says August 27, 2010

Mahendra,

I don’t see the OAMIdentityAsserter provider in the weblogic authentication providers list.

In your latest post you have provided me the link to

http://onlineappsdba.com/index.php/2010/05/13/oracle-access-manager-10143-integration-with-weblogic-server/

where we need to create an OAMIdentityAsserter provider. So I’ll be in trouble here.

Is there a workaround?

Thank you
Joseph

Reply
Joseph says August 27, 2010

I realize I have to copy oamAuthenProvider.jar to /lib/mbeantypes to achieve this. Where can I find this jar file?

Reply
Joseph says August 27, 2010

Ok, it’s part of the WebGate package.

Thanks for the help.

I’ll refer the link above and perform the integration.

Thanks
Joseph

Reply
Atul Kumar says August 28, 2010

@ Joseph,
Yes this is part of Webgate/OAM . I think you got all your answers.

Reply
Joseph says August 29, 2010

After I add the OAM Identity Asserter provider with the LDAPAuthenticator (marking it required and reorder), when I try to restart the weblogic server I encounter this error:

If I remove the below section from config.xml then I’m able to get the server up:

OAM
REQUIRED
OAM_AG
AccessServer
mydomain.com
{AES}fC8yO6qqJrTh7h1fmo12fH+g=

The corresponding policy and webgate configurations are done when I run oam configuration tool.

Please help.

Thanks
Joseph

Reply
Joseph says August 29, 2010

The error code and description is:
OAMAP-60516: Unable to create the AccessGate entry for identity assertion/authentication.

-Joseph

Reply
Mahendra says August 30, 2010

Joseph,

I assume you are using Identity Asserter of OAM 10.1.4.3 instead of SSPI connector. Check this post http://onlineappsdba.com/index.php/2010/05/13/oracle-access-manager-10143-integration-with-weblogic-server/ for it.
I presume you have provided incorrect details of Access Gate in the Identity Asserter specific details of WebLogic realm.

Ensure to have access gate entry as AccessGate:accessgate_port in identity asserter specific details of weblogic realm and I believe this is root cause of that issue.

Let me know if you face any issues.

Mahendra.

Reply
sam says December 20, 2010

Hello Mahendra,

I am facing the same issue as OAMAP-60516: Unable to create the AccessGate entry for identity assertion/authentication.

I have manually added the accessgate details in access system console and in the provider details of OAM identity asserter in weblogic I have added all the details.

Can you please let me know what is the root cause of the error:
The details I provided are:
Transport Security: simple
Application domain : My_policy_domain( it is the name of the policy domain)
Access Gate password: <>
Key store pass phrase: I left blank because it the password for client transport mode
Access gate name: ABC_ag01
Primary access server: DEF.na.xyz.com (host name of the access server)
Simple mode pass phrase: <>

Reply
Atul Kumar says December 21, 2010

@ Sam,
What is version of your weblogic server and OAM server ?

Reply
sam says December 21, 2010

Weblogic server is 10.3 and OAM server is 10.1.4.3.

I am able to add the details one by one and now when I restart the weblogic server it gives below error:

I have double checked the access gate name and the access server, which is configured in simple mode, and I used telnet host port to see if the Access Server is up and running. Everything looks fine.

Please let me know what would be the root cause of the error.

Thanks Sam.

Reply
Mahendra says December 21, 2010

Sam,

I presume you are using the OAM Identity Asserter provided in the OAM download package. If so, it is not supported for Weblogic servers with version <10.3.* .

-Mahendra.

Reply
sam says December 22, 2010

I have downloaded it from http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html under Oracle access manager core component. But as I see there is another column with oracle access manager webgates and weblogic identity assertion providers.

Do I need to download it from that disk?

Reply
Mahendra says December 22, 2010

Sam,

Can you tell me your requirement?

-Mahendra

Reply
sam says December 22, 2010

Mahendra,

I am doing integration of OAM with Documentum. In that process I am using OAM Identity Asserter as a WebLogic Authentication Provider (which is also an OAM AccessGate) to verify the user login session with OAM when a user is logged into SSO and to create a weblogic user session to access any application deployed in a weblogic container.

Thanks
Sam.

Reply
Mahendra says December 23, 2010

Sounds good. I presume you are using WebLogic to deploy Documentum application. To integrate this with OAM, you can simply deploy a webserver with a webgate and protect the documentum app URL in OAM policy domain. However, there is a security hole in this concept. To get rid of it, you need to create OAM identity asserter in weblogic realm. Create an access gate profile in OAM and copy the oamidentityasserter jar file to weblogic server mbean lib folder and restart weblogic server. Configure the auth providers so that oam asserter is on top and ldap authenticator (if u r mapping groups/roles) as next authenticator. Configure the oam id asserter to point to access gate. I believe you are not passing this step.

The OAM identity asserter jar provided in OAM downloads will work with OAM 10.1.4.3 and WebLogic servers higher than 10.3.0. Else you have to develop your own custom identity asserter to read obssocookie.

You can also check the oam identity asserter or authentication provider logs for more details.

Reply
neha8000 says May 28, 2013

I am trying to integrate OAM with Documentum(on Tomcat),Cognos(IIS) and Metastorm(IIS). You have any references for that ?

Thanks.

Reply
    Mahendra says May 28, 2013

    I have integrated with Documentum before. All you need to do is to set up a proxy web server in front of the Documentum application server and install webgate on the web server.

    Protect the proxy server policies. You are all set to go now. Let me know if you face any issue.

    Thanks
    mahendra.

    Reply
Yamini says November 7, 2014

Hi Mahendra,

I am working on migrating a Documentum application from the OAM10g access server to the OAM11g access server using the OAM10g webgate. I just configured the webgate to point Documentum to OAM11g. I am able to access the site but unable to access any documents (e.g. Word, Excel or image) from the site. While accessing documents I am getting "Java authentication required". Could you please let me know what I have to do for this error.

Thanks,
Sarada

Reply