Login information and group memberships (identity) are often centrally managed in enterprises. Many systems use this information, for example, to achieve Single Sign-On (SSO). Surprisingly, access to the WebLogic Server Console and to applications is often not centrally managed. I will explain why centralizing management of these identities, in addition to increasing security, quickly starts reducing operational cost and even increases developer productivity. During a demonstration, I will introduce several methods for debugging authentication using an external authentication provider, in order to lower the bar to applying this pattern. This technically oriented presentation is especially useful for people working in operations managing WebLogic Servers.
3. Introduction
• About AMIS
– Located in the Netherlands
– Oracle Award winning partner
• About me
– Senior Oracle Integration Consultant
– Experience with Oracle SOA Suite since 2007
– Well certified (SOA, BPM, Java, SQL, PL/SQL among others)
– Author of more than 100 blog articles (http://javaoraclesoa.blogspot.com)
@MaartenSmeetsNL
https://nl.linkedin.com/in/smeetsm
4. Oracle Virtual Technology Summit
http://www.oracle.com/technetwork/community/developer-day/index.html
March 8, 2016, 18:30:00 CET
• Database Application Development
• Oracle DB12c Performance
• MySQL
• Java EE, Microservices and JPA
• All about Java 8!
• The Internet of Things
• WebLogic 12.2.1 and Java EE
• Operating Systems and Virtualization
• Storage, SPARC, and Software Development
5. Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
6. Why use an external Identity Store?
(Diagram: Application, WLS SOA, WLS OSB, WLS ADF, WLS WCC)
• An application uses company internal users
• Often internal users are already present in an Identity Store
• Management organization in place
• Single environment to manage users
• Single account per user
7. Introduction OPSS: Oracle Identity Store solutions
• Oracle Unified Directory
– Embedded Berkeley Database
– LDAP proxy
– Much faster read/write than ODSEE
– Provides LDAP virtualization
– Elastic scaling
– Strategic Directory Server product
– Designed to address current and future on-premise, mobile, and cloud needs
• Oracle Directory Server Enterprise Edition
– ODSEE 5.2 and 6.3 are in Sustaining Support
– No new fixes will be created
• Oracle Virtual Directory
– Provides virtualization of different sources
– OUD does not replace OVD
• Oracle Internet Directory
– Uses external Oracle DB
– Used with Fusion Applications
https://blogs.oracle.com/OracleIDM/entry/why_customers_should_upgrade_directory
11. What to debug
(Diagram of the layers between the Identity Store and the Application: Identity Store, Authentication provider, WebLogic Console, Virtualization, Platform security, Authentication API, Application. Items to check along the way: LDAP queries, SSL/TLS, Organizational Units, config.xml, jps-config.xml, jps-config-jse.xml, system-jazn-data.xml, web.xml, weblogic.xml, Role mappings)
15. Debug WebLogic authentication: Embedded LDAP
• Login using Bind DN / User: cn=Admin
• Running by default on the AdminServer port
• Check out cn=Config for LDAP server properties
18. Debug WebLogic authentication: Authentication provider configuration
• Select the authentication provider (as specific as possible)
• JAAS Control flags
• LDAP connection details
• LDAP search behavior
– Users
– Static groups
– Dynamic groups
• Cache settings
19. Debug WebLogic authentication using WebLogic Console
• JAAS Control flags
– SUFFICIENT: if authentication passes, no other authentication providers are evaluated. If it fails, they are.
– REQUIRED: the authentication provider is always called and authentication must succeed
– OPTIONAL: passing authentication on this provider is optional. If all providers are optional, one needs to pass
– REQUISITE: authentication has to succeed on this provider. After that, providers of lower priority are evaluated
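The control flag rules above, and the point that provider order matters, are easier to reason about with a small model. This is an added example, not code from the presentation; it follows the standard JAAS LoginContext rules, and the provider names, users and passwords are constructed sample data.

```python
# Added example (not from the presentation): a model of how the JAAS control
# flags on a WebLogic authentication provider chain combine, following the
# standard JAAS LoginContext rules. Provider names, users and passwords below
# are constructed sample data.

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

# Constructed directories: which provider knows which user (user -> password).
PROVIDERS = {
    "DefaultAuthenticator": {"weblogic": "welcome1"},  # embedded LDAP
    "ExternalLDAP": {"jdoe": "secret"},                # e.g. an OUD authenticator
}

def authenticate(chain, user, password):
    """chain: ordered list of (provider name, control flag), as in config.xml.

    Returns (authenticated, providers consulted in order); the consulted list
    is what you should recognise in the server log when a login fails.
    """
    has_required = any(flag in (REQUIRED, REQUISITE) for _, flag in chain)
    required_failed = False
    optional_passed = False
    consulted = []
    for name, flag in chain:
        consulted.append(name)
        passed = PROVIDERS[name].get(user) == password  # unknown user: failure
        if flag in (REQUIRED, REQUISITE):
            if not passed:
                required_failed = True
                if flag == REQUISITE:  # a failing REQUISITE stops the chain
                    return False, consulted
        elif flag == SUFFICIENT:
            if passed and not required_failed:  # a passing SUFFICIENT ends it
                return True, consulted
        elif passed:  # OPTIONAL: only decides when nothing is REQUIRED
            optional_passed = True
    return (not required_failed) if has_required else optional_passed, consulted

# The usual setup: embedded LDAP first, external LDAP second, both SUFFICIENT.
USUAL = [("DefaultAuthenticator", SUFFICIENT), ("ExternalLDAP", SUFFICIENT)]
# External provider first and REQUIRED: the weblogic admin user is locked out.
LOCKED_OUT = [("ExternalLDAP", REQUIRED), ("DefaultAuthenticator", SUFFICIENT)]
# Embedded LDAP REQUISITE: the external provider is never queried for jdoe.
NEVER_QUERIED = [("DefaultAuthenticator", REQUISITE), ("ExternalLDAP", SUFFICIENT)]

if __name__ == "__main__":
    for label, chain in (("usual", USUAL), ("locked out", LOCKED_OUT), ("never queried", NEVER_QUERIED)):
        for user, pw in (("weblogic", "welcome1"), ("jdoe", "secret")):
            print(label, user, authenticate(chain, user, pw))
```

The consulted list is the thing to compare with the server log: if the provider that holds the user never appears in it, the flags or the order of the chain are the problem, not the LDAP connection.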
20. Debug WebLogic authentication: Cache settings
• How to uniquely identify an LDAP entry: the GUID Attribute
• The GUID Attribute is used as cache key
• Provider specific
– OUD, OpenLDAP, ApacheDS: entryuuid
– Active Directory: objectguid
– OVD, OID: orclguid
• Misconfiguration can lead to a failed first login followed by a successful second login (cache issues)
21. Debug WebLogic authentication using WebLogic Console
• Connection to external provider works
• Server trust is established
• User query works
• Validating authentication details works
22. Debug WebLogic authentication using WebLogic Console
• Dynamic group object class works
• Group Base DN works
• User Dynamic Group DN Attribute works
• Dynamic Group Name Attribute works
24. Demo
• Embedded LDAP
• How to create a user in an LDAP server
• How to configure WebLogic server to use the server
• Debug authentication using the console
• Debug the authentication using the log files
26. Debug application authentication
(Diagram of the layers between the Identity Store and the Application: Identity Store, Authentication provider, WebLogic Console, Virtualization, Platform security, Authentication API, Application. Items to check along the way: LDAP queries, SSL/TLS, Organizational Units, config.xml, jps-config.xml, jps-config-jse.xml, system-jazn-data.xml, web.xml, weblogic.xml, Role mappings)
27. OPSS configuration files in $DOMAIN_HOME/config/fmwconfig
• Java Platform Security: jps-config.xml (Java EE) and jps-config-jse.xml (Java SE) define login modules, authentication providers, authorization policy providers, credential stores and auditing services
• jazn-data.xml, system-jazn-data.xml
– users, groups and authorization policies
• cwallet.sso
– credentials used by the application
• adapters.os_xml
– LibOVD plugin configuration
28. Debug application authentication: LibOVD
• Present since 11.1.1.4. Seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server.
• FMW components which use OPSS can only use the first LDAP authentication provider. LibOVD provides virtualization.
• Configuration
– Edit <DOMAINDIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager
– Plugin configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml
http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
30. Debug application authentication: LibOVD configuration
• The OPSS API only queries static groups by default, not dynamic groups.
• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml)
• Requires that the dynamic group has both the groupOfUniqueNames and groupOfURLs objectclasses
• Only one structural class is allowed per LDAP object
• Fix by setting the superclass of groupOfURLs to groupOfUniqueNames
http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2/
31. Debug application authentication: LibOVD debugging
• Can be used when ADFLogger is used in the application
• Can be used for specific WebLogic Server component debugging, such as oracle.ods.virtualization for LibOVD
34. Debug application authentication: ADF Security
• Application configuration files
– jazn-data.xml
Contains development users / roles.
Application roles are granted to enterprise roles / users (from the OPSS API, which uses the authorization provider).
Resource permissions are granted to application roles or enterprise roles.
– Test with:
Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role")
EL: #{securityContext.userInRole['role']}
(Diagram: Users, Enterprise roles, Application roles, Permissions and the Grants between them; mapped in weblogic.xml and jazn-data.xml)
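To trace why a user does or does not end up with a permission, the grant chain described above can be resolved offline from the policy file. This is an added example, not code from the presentation or from ADF: it parses a constructed, trimmed jazn-data.xml fragment, and the user's enterprise roles (groups) are passed in by hand instead of being read from the identity store through the OPSS API.

```python
# Added example (not from the presentation or ADF): resolve which permissions a
# user holds via the jazn-data.xml chain user / enterprise role -> application
# role -> permission. The XML below is a constructed, trimmed jazn-data.xml fragment.
import xml.etree.ElementTree as ET

GROUP = "weblogic.security.principal.WLSGroupImpl"
USER = "weblogic.security.principal.WLSUserImpl"
APP_ROLE = "oracle.security.jps.service.policystore.ApplicationRole"

JAZN_DATA = f"""<jazn-data><policy-store><applications><application><name>DemoApp</name><app-roles>
  <app-role><name>admin</name><members>
   <member><class>{GROUP}</class><name>app-admins</name></member></members></app-role>
  <app-role><name>viewer</name><members>
   <member><class>{APP_ROLE}</class><name>admin</name></member>
   <member><class>{USER}</class><name>guest</name></member></members></app-role>
 </app-roles><jazn-policy><grant>
  <grantee><principals><principal><class>{APP_ROLE}</class><name>viewer</name></principal></principals></grantee>
  <permissions><permission><class>oracle.adf.share.security.authorization.RegionPermission</class>
   <name>view.pageDefs.mainPageDef</name><actions>view</actions></permission></permissions>
 </grant></jazn-policy></application></applications></policy-store></jazn-data>"""

def matches(elem, user, groups, app_roles):
    # Does this <member> or <principal> (class + name) apply to the user?
    cls, name = elem.findtext("class"), elem.findtext("name")
    return ((cls == USER and name == user) or (cls == GROUP and name in groups)
            or (cls == APP_ROLE and name in app_roles))

def app_roles_for(root, user, groups):
    # Application roles held directly or through other application roles;
    # loop until the role hierarchy stops expanding.
    roles, changed = set(), True
    while changed:
        changed = False
        for role in root.iter("app-role"):
            name = role.findtext("name")
            if name not in roles and any(matches(m, user, groups, roles) for m in role.iter("member")):
                roles.add(name)
                changed = True
    return roles

def permissions_for(xml_text, user, groups):
    # groups: the user's enterprise roles, passed in here instead of read from
    # the identity store. Returns (application roles, {(permission, actions)}).
    root = ET.fromstring(xml_text)
    roles = app_roles_for(root, user, groups)
    perms = set()
    for grant in root.iter("grant"):
        if any(matches(p, user, groups, roles) for p in grant.iter("principal")):
            perms.update((p.findtext("name"), p.findtext("actions")) for p in grant.iter("permission"))
    return roles, perms
```

Run it with the groups the identity store actually returns for the user (for example via getGroups on the Identity Service) to see at which link the chain breaks.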
35. Debug application authentication: ADF Security
• <DOMAINDIR>/config/fmwconfig/system-jazn-data.xml
– OOTB file based policy store
– Users, groups, authorization policies
– CredentialAccessPermission
– Change while WebLogic is down or from EM!
36. Debug application authentication: JVM parameters
• JVM parameters:
– -Djps.auth.debug=true to get AccessControlException among other useful messages
– -Djps.auth.debug.verbose=true to get a lot of debug messages
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
37. Debug application authentication: Business Process Management
• Authenticate with a user
• User is member of (authentication provider) groups
• Groups are granted (application) roles and organization units
• Business Process Management uses application roles and organization units
38. Debug application authentication: The Identity Service
• Can I authenticate the user?
– authenticateUser
• Can I determine groups?
– getGroups
• Can I determine granted roles?
– getGrantedRolesToUser
• Can I determine organizational units?
– use the Java API
http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
39. Conclusion
• Many debugging options available
– Looking at WebLogic Console or application behavior
– Using an external client for your authentication provider
– Debug logging in WebLogic Server console
– Log configuration in Enterprise Manager Fusion Middleware Control
– Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application side debugging is often also not very difficult.
Editor's notes
Recent awards: Oracle EMEA Middleware Partner of the Year, 3 times Oracle Netherlands Middleware partner of the year. One of the rare moments in the Netherlands when it isn’t raining.
What to debug; understand the configuration required
OPSS provides an abstraction layer of application programming interfaces (APIs) that insulate developers from security and identity management implementation details (a developer does not need to know and implement LDAP to use users and groups in his application)
First part of the presentation is about the WebLogic Console to LDAP. Second part of about API to application. JPS, Java Platform Security and LibOVD virtualization. More specific what the configuration files do.
Creating LDAP queries is error-prone, and after most changes in authentication provider configuration the server needs a restart
Set the password of the Embedded LDAP in order to allow connecting to it. Great source of inspiration for configuring your own LDAP.
Recommend using an external LDAP client. WebLogic Server requires restarts after changing authentication provider configuration. External client can be used to easily test queries. Apache Directory Studio is nice. Replace image
A specific authentication provider, because the generic LDAPAuthenticationProvider has some limitations. Cannot be the first authentication provider. Not supported in LibOVD. Changing configuration (such as LDAP queries) requires a restart of the server -> config.xml.
Testing the LDAP Connection During Configuration (12.2.1!)
Similar to the JDBC connection testing, WebLogic Server tests the connection between the Authentication provider and the LDAP server.
On the Provider Specific page, after you configure a new LDAP Authentication provider or make changes to an existing one, when you save your configuration changes, WebLogic Server tests the connection between this provider and the corresponding LDAP server. If the test succeeds, the configuration settings are saved and you may activate them. If the test fails, an error message is displayed indicating a problem. No configuration settings are saved.
JAAS control flags. See http://docs.oracle.com/cd/E17904_01/web.1111/e13707/atn.htm#SECMG171. It is usual to have weblogic in the embedded LDAP, control flag set to sufficient and an external LDAP also set to sufficient. Components using the OPSS API without LibOVD only look at the first LDAP server (and only at static groups) so order is also important. When the user is not found, check if authentication provider containing the user is queried in the log. The order matters!
Can it be confirmed that the GUID Attribute is the cache key? WebLogic LDAPAuthenticator configuration; the GUID Attribute: http://javaoraclesoa.blogspot.nl/2014/12/weblogic-ldapauthenticator.html.
Just by clicking around in the Weblogic Console, you can already detect several problems if present.
If you can’t see users/groups, maybe the current user is not an Administrator but Monitor. Working does not mean it performs!
You can see the LDAP server connection
First LibOVD, then application security for ADF and BPM
http://docs.oracle.com/cd/E25178_01/core.1111/e10043/idstoreadm.htm#JISEC9360 specifies the LDAP idstore parameters. Not all work (JarScan + JD-GUI on WlsLdapIdStoreConfigProvider). Edit adapters.os_xml while WebLogic is down! OPSS APIs do not query dynamic groups by default: http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-2-of-2/. You can virtualize using LibOVD or OVD.
Image from http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html. Application roles are granted to users or enterprise roles. Resource permissions are granted to application roles. Take care: jazn-data.xml is merged into system-jazn-data.xml (but not test users/roles) by ojdeploy. Ojdeploy can be called from Ant or Maven.
Also credential store access. This is the runtime policy store. http://secureandgo.blogspot.nl/2010/09/opss-artifacts-life-cycle-in-adf.html. If you want to use DB policy store instead of system-jazn-data.xml; https://redstack.wordpress.com/2011/10/29/soa11g-database-as-a-policy-store/