- \n
- Oracle Access Manager 10.1.4.2 and higher<\/li>\n
- WebLogic SSPI<\/li>\n
- Oracle HTTP Server (for reverse proxy)<\/li>\n<\/ul>\n
It is assumed that Oracle Access Manager is already installed and will not talk about any components installation unless needed for this integration.<\/p>\n
It is good to upgrade the Oracle Access Manager to 10.1.4.2 if you are using 10.1.4.1 as there are some bugs associated with this integration.<\/p>\n
WebLogic SSPI can be downloaded here<\/a> (linux) or here<\/a> (windows). Here I have selected OHS as reverse proxy and this can be any other webserver of your choice provided WebGate is already there.<\/p>\n
Until WebLogic Server 10.3.0, this integration has been achieved using SSPI connector.<\/p>\n
Security Service Provider Interface <\/strong>(SSPI) <\/strong>Connector:<\/strong><\/p>\n
WebLogic security framework and WLS connector are based on J2EE standards and an implementation of JAAS. Together, WebLogic implementation of JAAS is called SSPI.\u00a0 SSPI consists of several provider modules such as Authentication provider, Identity Asserter, Authorization provider, Role Mapping provider, Deployment Provider.<\/p>\n
Authentication Provider<\/strong>: This provider uses OAM authentication services to authenticate users (based on username and password) who acces WebLogic applications. This provider does not provide\u00a0 Single Sign-On capability.<\/p>\n
\u00a0Authorization Provider:<\/strong> This provider uses OAM authorization services to authenticate users who access WebLogic resource. The authorization is done based on policies that are specified in the Policy Manager.<\/p>\n
Identity Asserter: <\/strong>This is very essential provider when a user wants Single Sign-On capability. This is similar to Authentication provider which validates the already authenticated user based on ObSSOCookie. This is used in case of proxied configuration.<\/p>\n
Role Mapper: <\/strong>This provider returns security roles of a user. The groups that the user is part of, are returned as part of actions configured in a authentication policy of policy domain.<\/p>\n
Deployment Provider: <\/strong>This provider (though not part of JAAS specification)\u00a0 monitors the applications that are deployed or undeployed on the WebLogic Server and writes information about these applications to either
NetPointDeployPolicy.txt<\/code> orNetPointUndeployPolicy.txt.\u00a0<\/code><\/p>\nArchitecture:\u00a0<\/strong><\/p>\n
![](\"\/\/\/C:\/DOCUME%7E1\/mbkrishn\/LOCALS%7E1\/Temp\/moz-screenshot-5.png\")
\u00a0![](\"http:\/\/download.oracle.com\/docs\/cd\/E10761_01\/doc\/oam.1014\/e10356\/img\/aiing003.gif\")
<\/p>\nProcess Flow:<\/strong><\/p>\n
- \n
- User requests for a WebLogic resource protected by OAM. In this case, the authen method configured in web.xml should be CLIENT-CERT.<\/li>\n
- WebGate intercepts the request and checks wit the Access Server whether the resource is protected or not. If the resource is protected, it fetches the Authentication scheme configured for that resource.<\/li>\n
- User is challenged for username and password based on the Auth scheme configured for that resource.<\/li>\n
- User submits the credentials.<\/li>\n
- WebGate will pass the credentials to Access Server for validation. If the user is authenticated successfully, access server creates session token and passes to WebGate. Webgate will set the ObSSOCookie and appends it in HTTP Header. The plugin configured in the Proxy server (mod_proxy) will forward the request to the WebLogic server.<\/li>\n
- The WebLogic server plugin passes the cookie to WebLogic server.<\/li>\n
- WebLogic security framework invokes the SSPI connector which inturn invokes the Identity Asserter. The Identity Asserter expects ObSSOCookie as an external token for validating the user. The Asserter sets the cookie in the HTTP response object once it validates the token.<\/li>\n
- The Identity Asserter extracts the cookie from HTTP header. The Asserter retrieves the user identity from the Access Server using a return action defined in a special auth scheme in OAM. A resource with URL \/Authen\/Basic is protected by OAM and is used by SSPI internally to authenticate users.<\/li>\n
- The Authorization provider talks to the Access Server to verify whether the user is authorized to access the resource or not. The Role Mapping provider uses the access gate to communicate with the Access Server to determine what OAM roles are defined to the user. These roles are mapped to security roles in WebLogic. In OAM, these roles are defined as return action \/Authen\/Roles when getting an authorization policy.<\/li>\n<\/ol>\n
If the authorization is successful, WebLogic server enables the user to access the requested resource. The ObSSOCookie is set so that when user attempts to access additional OAM protected non-WebLogic resources, re-authentication is not performed. Thus Single Sign-On is achieved between webgates and access gates.<\/p>\n
Installation and Configuration:<\/strong><\/p>\n
This integration involves:<\/p>\n
- \n
- Configure OAM for SSPI<\/li>\n
- SSPI connector install<\/li>\n
- Configure SSPI Connector<\/li>\n
- Deploy Policy Domains<\/li>\n
- Deploy WebLogic Application<\/li>\n
- Configure Reverse proxy<\/li>\n
- Test for SSO<\/li>\n
- Troubleshooting<\/li>\n<\/ul>\n
Configure OAM for SSPI:<\/strong><\/p>\n
SSPI connector communicates with both Identity and Access Servers. SSPI connector also expects user information about privileges, groups, actions, responses etc., you will need an user with respect to SSPI to talk to access server. Lets name the user as wlsadmin (create the user) and assign the user Master Identity Administrator, Master Administrator, Delegated Identity Administrator.<\/p>\n
1. Create the resource type definitions in OAM for the following.<\/p>\n
wl_url: resource operation as GET and POST<\/code><\/address>\n<\/code>wl_svr: resource operation as BOOT and DEFAULT<\/code><\/address>\nwl_adm: <\/code>resource operation as DEFAULT<\/code><\/address>\nwl_ejb: <\/code>resource operation as <\/code>EXECUTE<\/code><\/address>\nwl_authen: <\/code>resource operation as <\/code>LOGIN<\/code><\/address>\n2. Create the WebLogic authentication scheme to be used by the WebLogic policy domain with following values.<\/p>\n
Name: Oracle WebLogic Access and Identity authentication scheme<\/address>\nDescription: Used to authenticate users who access WebLogic resources.<\/address>\nLevel: 1<\/address>\nChallenge Method: Basic<\/address>\nChallenge Parameter: realm:Oracle Access and Identity<\/address>\nSSL Required: No<\/address>\nChallenge Redirect: (Leave blank)<\/address>\nEnabled: (Leave as is)<\/address>\nSpecify the credential_mapping and validate_password plugin values as shown below.<\/p>\n
credential_mapping obMappingBase=”o=company,c=us”,obMappingFilter= “(&(&(objectclass=inetorgperson)(uid=%userid%)) (|(!(obuseraccountcontrol=*)) (obuseraccountcontrol=ACTIVATED)))”<\/address>\n validate_password obCredentialPassword=”password”<\/address>\nSpecify the domain name (o=company,c=us) as per your environment.<\/p>\n
3. Create the second authentication scheme for un-protecting certain resources, such as gif images in WebLogic resources using the following details and the Anonymous authentication scheme as a template:<\/p>\n
General tab:<\/address>\nName: Oracle WebLogic Anonymous Authentication<\/address>\nDescription: Used to un-protect gifs, and so on.<\/address>\nLevel: 0<\/address>\nChallenge Method: Anonymous<\/address>\nParameter: (Leave blank)<\/address>\nSSL Required: No<\/address>\nChallenge Redirect: (Leave blank)<\/address>\nEnabled: Yes<\/address>\nProvide the plugin values as shown below.<\/p>\n
credential_mapping obMappingBase=”o=company,c=us”,obMappingFilter=”
\n(uid=OblixAnonymous)”<\/address>\n4. Configure an Access Gate for SSPI connector.\u00a0 This is the access gate used by security providers to communicate with Access Server. Follow the OAM installation guide for creating an access gate. FYI, port need not be specified.<\/p>\n
5. Backup the config.xml and boot.properties.<\/p>\n
6. Install the SSPI connector. The steps are straight forward and I will make a note of few things to remember.<\/p>\n
Select Advanced as Configuration option.<\/p>\n
Enter allow for Map the authorization result obstain.<\/p>\n
Enter the webpass hostname and port.<\/p>\n
Enter the user and group search attributes.<\/p>\n
Select the transport mode option as open or simple or cert.<\/p>\n
Enter the access gate details as specified in Access gate profile.<\/p>\n
Configure SSPI connector:<\/strong><\/p>\n
1. Goto the location sspi_install_dir\/
NetPointSecuProvForWeblogic.<\/code><\/p>\n2. Take backup of files
NetPointResourceMap.conf<\/code>,<\/code>NetPointResourceMap.conf and <\/code><\/code>NetPointProvidersConfig.properties<\/code>.<\/code><\/p>\n3.\u00a0 Edit the file
<\/code>NetPointProvidersConfig.properties<\/code> with following values<\/p>\nOB_LogLevel=Info<\/code><\/address>\nOB_LogLevel=<\/code>sspi_conn_install\/NetPointSecuProvForWeblogic\/<\/code><\/address>\n<\/code><\/address>\nOB_AdminUserName=wlsadmin<\/code><\/address>\n\u00a0OB_AdminUserCreds=password<\/code><\/address>\nOB_CookieDomain=.domain.com (change it as per your environment)<\/code><\/address>\n4. Copy the file
NetPointResourceMap.conf<\/code> andNetPointProvidersConfig.properties<\/code> to weblogic domain directory.<\/p>\n5. Copy the
wl92NetPointSecurityProviders.jar<\/code> from sspi_conn\/NetPointSecuProvForWeblogic\/oblix\/lib\/mbeantypes\/wl92NetPointSecurityProviders.jar <\/code>to wlsserver_103\/server\/lib\/mbeantypes.<\/p>\n6. Take a backup of file setDomainEnv.sh or cmd and edit the file with values as shown below.<\/p>\n
Search for end of file and place this text after export JAVA_OPTIONS line.<\/p>\n
# SET WLSConnector Classpath and other paths
\nexport OAMWLC=\"\/u01\/oracle\/sspi\/NetPointSecuProvForWeblogic\"
\nexport OAMWLCDIR=\"${OAMWLC}\/oblix\/lib\"
\nLD_LIBRARY_PATH=\"${OAMWLCDIR}\"
\nexport LD_LIBRARY_PATH
\nexport PATH=\"${PATH}:${OAMWLCDIR}\"
\nexport WLC_LIB_CLASSPATH=\"${OAMWLCDIR}\/jobaccess.jar${CLASSPATHSEP}${OAMWLCDIR}\/bcprov-jdk14-125.jar${CLASSPATHSEP}
\n${OAMWLCDIR}\/wlNetPoint.jar${CLASSPATHSEP}${OAMWLCDIR}\/xerces.jar\"<\/code><\/p>\nNote:Be careful with WLC_LIB_CLASSPATH value as it should not have any spaces or line breaks.<\/p>\n
7. Comment the existing classpath and replace with a new one as shown below.<\/p>\n
CLASSPATH=”${PRE_CLASSPATH}${CLASSPATHSEP}${WLC_LIB_CLASSPATH}${CLASSPATHSEP}${WEBLOGIC_CLASSPATH}${CLASSPATHSEP}${POST_CLASSPATH}$
\n{CLASSPATHSEP}${WLP_POST_CLASSPATH}”
\nexport CLASSPATH<\/p>\n8. Restart the weblogic server. Now you should see the new jars in the classpath.<\/p>\n
9. Take a backup of file
setupNetPointRealm.properties<\/code> present in the location sspi_connector\/NetPointSecuProvForWeblogic.<\/p>\n10. Edit the file\u00a0
setupNetPointRealm.properties <\/code>with values as shown below.<\/p>\nEnter the hostname, domain name, weblogic server port, username and password details and save it.<\/p>\n
11. Goto the location\u00a0 sspi_connector\/NetPointSecuProvForWeblogic and execute setupNetPointRealm_wl92.sh.<\/p>\n
Note: Though you are using weblogic server 10.3.0, you should execute setupNetPointRealm_wl92.sh file, don’t execute the file setupNetPointRealm.sh.<\/p>\n
12. This script will create the NetPointRealm with necessary security providers.<\/p>\n
Deploy Policy Domains:<\/strong><\/p>\n
1. Take backup of file
NetPointWeblogicTools.properties<\/code>present in location sspi_conn\/<\/code>NetPointSecuProvForWeblogic\/oblix\/tools\/npWLTools <\/code>and edit with values as given below.<\/code><\/p>\nObWLTools.Debug=<\/code>true<\/code><\/address>\nObPolicyDomain.Name=<\/code>WebLogic Server Security Provider<\/code><\/address>\nObWLTools.DeployPolicy=<\/code>false<\/code><\/address>\nObWLSDomain.Dir=weblogic directory location\u00a0 <\/code><\/code><\/address>\nObWLAuthenticationScheme.Name=<\/code>OAM WebLogic Server Basic Authentication<\/code><\/code><\/address>\nObWLNoneAuthenticationScheme.Name=<\/code>OAM WebLogic Anonymous Authentication<\/code><\/address>\n2. Create a file runDeployerTool.sh under this location
sspi_conn\/NetPointSecuProvForWeblogic\/oblix\/tools\/npWLTools<\/code><\/p>\nexport CLASSPATHSEP=”:”
\nexport OAMWLC=”sspi_conn\/NetPointSecuProvForWeblogic”
\nexport OAMWLCDIR=”${OAMWLC}\/oblix”
\nexport CLASSPATH=”${CLASSPATH}${CLASSPATHSEP}${OAMWLCDIR}\/lib\/jobaccess.jar${CLASSPATHSEP}${OAMWLCDIR}\/tools\/npWLTools;
\n${CLASSPATHSEP}${OAMWLCDIR}\/tools\/npWLTools\/npWLTools.jar”
\nexport PATH=”${PATH}:${OAMWLCDIR}\/lib”
\nexport LD_LIBRARY_PATH=”${OAMWLCDIR}\/lib”
\necho $CLASSPATH
\n\/u01\/jdk160_05\/bin\/java com.oblix.weblogic.tools.NetPointPolicyDeployer wlsadmin password<\/p>\nNote: This is for linux environment, if its windows, follow the one shown below.<\/p>\n
set CLASSPATHSEP=;
\nset OAMWLC=D:\/sspi_Connector\/NetPointSecuProvForWeblogic
\nset OAMWLCDIR=%OAMWLC%\/oblix
\nset CLASSPATH=%CLASSPATH%;%OAMWLCDIR%\/lib\/jobaccess.jar;%OAMWLCDIR%\/tools\/npWLTools;%OAMWLCDIR%\/tools\/npWLTools\/npWLTools.jar
\nset PATH=%PATH%;%OAMWLCDIR%\/lib
\nset LD_LIBRARY_PATH=%OAMWLCDIR%\/lib
\necho %CLASSPATH%
\nD:\/bea\/jdk160_05\/bin\/java com.oblix.weblogic.tools.NetPointPolicyDeployer wlsadmin password<\/p>\n3. Run the deployertool and check the log for any errors. This tool will create a policy domain with resources, authorization policies etc., and verify it by logging it to OAM policy manager console.<\/p>\n
4. Now login to weblogic console and inspect the new realm NetPointRealm created. Check for users and groups, security providers etc., Remember that this is not default realm yet.<\/p>\n
5. Goto the providers tab, Certification Path and click the WebLogicCertPathProvivider and enable the check box set current builder.<\/p>\n
6. Enable NetPointRealm as default realm in the console.<\/p>\n
7. Stop the WebLogic server. Change the boot.properties file and edit the username and password with wlsadmin and password values.<\/p>\n
8. Start the weblogic server and you should see Netpointrealm is the default realm and you should be able to login to WLS console using wlsadmin and password.<\/p>\n
Deploy the WebLogic application:\u00a0<\/strong><\/p>\n
You can deploy a sample weblogic application to the server where Netpointrealm is the default realm. Goto the WebLogic policy domain in OAM console and add the resource \/sample\/index.jsp and save it.<\/p>\n
Configure Reverse Proxy:<\/strong><\/p>\n
1. In this case, I have used OHS as reverse proxy.<\/p>\n
2. Create a OHS webgate profile in OAM console and install the OHS webgate. I am not briefing about this more as its pretty straight forward.<\/p>\n
3. Edit the httpd.conf file of OHS server and goto the end of file and enter the following lines.<\/p>\n
ProxyPass \/sample http:\/\/sspi_hostname:port\/sample<\/p>\n
Test the SSO:<\/strong><\/p>\n
1. Now access the application http:\/\/reverseproxy_hostname:port\/sample.<\/p>\n
2. You will be challenged with credentials with the authentication scheme configured for it.<\/p>\n
3. If you access any other resource protected by the OAM with the same authentication level configured for \/sample application, you should be able to access it directly without re-authentication.<\/p>\n
Troubleshooting Tips:<\/strong><\/p>\n
1. Refer the Oracle Documentation <\/a><\/p>\n