WebLogic authentication debugging
•Als PPTX, PDF herunterladen•
5 gefällt mir•5,127 views
Login information and group memberships (identity) often are centrally managed in Enterprises. Many systems use this information to, for example, achieve Single Sign On (SSO) functionality. Surprisingly, access to the Weblogic Server Console and applications is often not centrally managed. I will explain why centralizing management of these identities, in addition to increased security, quickly starts reducing operational cost and even increases developer productivity. During a demonstration, I will introduce several methods for debugging authentication using an external authentication provider in order to lower the bar to apply this pattern. This technically oriented presentation is especially useful for people working in operations managing Weblogic Servers.
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (20)
Ähnlich wie WebLogic authentication debugging
Ähnlich wie WebLogic authentication debugging (20)
Mehr von Maarten Smeets
Mehr von Maarten Smeets (16)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
WebLogic authentication debugging
- 1. OGh Oracle Fusion Middleware Experience 2016 bij FIGI Zeist Maarten Smeets, 16-02-2016 Debugging WebLogic authentication
- 3. Introduction • About AMIS – Located in the Netherlands – Oracle Award winning partner • About me – Senior Oracle Integration Consultant – Experience with Oracle SOA Suite since 2007 – Well certified (SOA, BPM, Java, SQL, PL/SQL among others) – Author more than 100 blog articles (http://javaoraclesoa.blogspot.com) @MaartenSmeetsNL https://nl.linkedin.com/in/smeetsm
- 4. 4 Oracle Virtual Technology Summit http://www.oracle.com/technetwork/community/developer-day/index.html March 8, 2016, 18:30:00 CET • Database Application Development • Oracle DB12c Performance • MySQL • Java EE, Microservices and JPA • All about Java 8! • The Internet of Things • WebLogic 12.2.1 and Java EE • Operating Systems and Virtualization • Storage,SPARC, and Software Development
- 5. Agenda • Oracle Identity Stores • Introduction Oracle Platform Security Services (OPSS) • What to debug • How to debug WebLogic authentication • How to debug application authentication
- 6. 6 Why use an external Identity Store? Application WLS SOA WLS OSB WLS ADF WLS WCC • An application uses company internal users • Often internal users are already present in an Identity Store • Management organization in place • Single environment to manage users • Single account per user
- 7. 7 Introduction OPSS Oracle Identity Store solutions • Oracle Unified Directory – Embedded Berkeley Database – LDAP proxy – Much faster read/write than ODSEE – Provides LDAP virtualization – Elastic scaling – Strategic Directory Server product – Designed to address current and future on-premise, mobile, and cloud needs • Oracle Directory Server Enterprise Edition – ODSEE 5.2 and 6.3 are in Sustaining Support – No new fixes will be created • Oracle Virtual Directory – Provides virtualization of different sources – OUD does not replace OVD • Oracle Internet Directory – Uses external Oracle DB – Used with Fusion Applications https://blogs.oracle.com/OracleIDM/entry/why_customers_should_upgrade_directory
- 8. Agenda • Oracle Identity Stores • Introduction Oracle Platform Security Services (OPSS) • What to debug • How to debug WebLogic authentication • How to debug application authentication
- 9. Introduction OPSS Identity Store Providers Authentication Authorization Credential Store Framework User / Role Service Provider Interface Layer OPSS APIs WebLogic Server JavaEE application Java SE application
- 10. Agenda • Oracle Identity Stores • Introduction Oracle Platform Security Services (OPSS) • What to debug • How to debug WebLogic authentication • How to debug application authentication
- 11. What to debug Identity Store WebLogic Console Application Authentication API Virtualization Platform security jps-config.xml jps-config-jse.xml system-jazn-data.xml config.xml web.xml weblogic.xml LDAP queries SSL/TLS Role mappings Organizational Units Authentication provider
- 12. Agenda • Oracle Identity Stores • Introduction Oracle Platform Security Services (OPSS) • What to debug • How to debug WebLogic authentication • How to debug application authentication
- 13. 13 Debug Weblogic authentication using an external client • Using an external client Apache Directory Studio
- 15. 15 Debug WebLogic authentication Embedded LDAP • Login using: Bind DN / User: cn=Admin • Running by default on the AdminServer port • Check out cn=Config for LDAP server properties
- 16. 16 Debug WebLogic authentication Embedded LDAP • Notice the use of dynamic groups
- 17. 17 Debug WebLogic authentication Embedded LDAP • Notice the use of dynamic groups
- 18. 18 Debug WebLogic authentication Authentication provider configuration • Select the authentication provider (as specific as possible) • JAAS Control flags • LDAP connection details • LDAP search behavior – Users – Static groups – Dynamic groups • Cache settings
- 19. 19 Debug WebLogic authentication using Weblogic Console • JAAS Control flags – SUFFICIENT: if authentication is passed, no other authentication providers are evaluated. If it fails, they are – REQUIRED: the authentication provider is always called and authentication must succeed – OPTIONAL: passing authentication of this provider is optional. If all providers are optional, one needs to pass – REQUISITE: authentication has to succeed on this provider. After that providers of lower priority are evaluated
- 20. 20 Debug Weblogic authentication Cache settings • How to uniquely identify an LDAP entry. The GUID Attribute • The GUID Attribute is used as cache key • Provider specific – OUD, OpenLDAP, ApacheDS: entryuuid – Active Directory: objectguid – OVD, OID: orclguid • Misconfiguration can lead to first login fail, second login success (cache issues)
- 21. 21 Debug Weblogic authentication using Weblogic Console • Connection to external provider works • Server trust is established • User query works • Validating authentication details works
- 22. 22 Debug Weblogic authentication using Weblogic Console • Dynamic group object class works • Group Base DN works • User Dynamic Group DN Attribute works • Dynamic Group Name Attribute works
- 23. 23 Debug Weblogic authentication using log files LDAP connections LDAP queries
- 24. 24 Demo • Embedded LDAP • How to create a user in an LDAP server • How to configure WebLogic server to use the server • Debug authentication using the console • Debug the authentication using the log files
- 25. Agenda • Oracle Identity Stores • Introduction Oracle Platform Security Services (OPSS) • What to debug • How to debug WebLogic authentication • How to debug application authentication
- 26. Debug application authentication Identity Store WebLogic Console Application Authentication API Authentication provider Virtualization Platform security jps-config.xml jps-config-jse.xml system-jazn-data.xml config.xml web.xml weblogic.xml LDAP queries SSL/TLS Role mappings Organizational Units
- 27. 27 OPSS configuration files in $DOMAIN_HOME/config/fmwconfig • Java Platform Security: jps-config.xml (Java EE), jps-config.jse.xml (Java SE) login modules, authentication providers, authorization policy providers, credential stores and auditing services • jazn-data.xml, system-jazn-data.xml – users, groups and authorization policies • cwallet.sso – credentials used by the application • adapters.os_xml – LibOVD plugin configuration
- 28. 28 Debug application authentication LibOVD • Present since 11.1.1.4. Seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server. • FMW components which use OPSS can only use the first LDAP authentication provider LibOVD provides virtualization • Configuration Edit <DOMAINDIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager Plugin configuration in <DOMAINDIR>configfmwconfigovddefaultadapters.os_xml http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
- 29. 29 Debug application authentication LibOVD configuration • <DOMAINDIR>/config/fmwconfig/jps-config.xml Provides login modules, authentication providers, credential stores
- 30. 30 Debug application authentication LibOVD configuration • The OPSS API only queries static groups by default. Not dynamic groups. • Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAINDIR>configfmwconfigovddefaultadapters.os_xml) • Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses • Only one structural class is allowed per LDAP object • Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2/
- 31. 31 Debug application authentication LibOVD debugging • Can be used when ADFLogger is used in application • Can be used for specific Weblogic Server component debugging such as oracle.ods.virtualization for LibOVD
- 32. 32 Debug application authentication ADF Security • Application configuration files – web.xml Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter) – weblogic.xml Maps valid-users to OPSS principal users
- 33. 33 Demo • Use basic authentication in an ADF application
- 34. 34 Debug application authentication ADF Security • Application configuration files – jazn-data.xml Contains development users / roles Application roles are granted to enterprise roles / users (from the OPSS API which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles. – Test with: Java: ADFContext.getCurrent().getSecurityContext().isUserInRole(“role”) EL: #{securityContext.userInRole[‘role']} Users Enterprise roles Application roles Permissions Grants weblogic.xml jazn-data.xml
- 35. 35 Debug application authentication ADF Security • <DOMAINDIR>/config/fmwconfig/ system-jazn-data.xml – OOTB file based policy store – Users, groups, authorization policies – CredentialAccessPermission – Change while WebLogic is down or from EM!
- 36. 36 Debug application authentication JVM parameters • JVM parameters: – -Djps.auth.debug=true to get AccessControlException among other useful messages – -Djps.auth.debug.verbose=true to get a lot of debug messages http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
- 37. 37 Debug application authentication Business Process Management • Authenticate with a user • User is member of (authentication provider) groups • Groups are granted (application) roles and organization units • Business Process Management uses application roles and organization units
- 38. 38 Debug application authentication The Identity Service • Can I authenticate the user? – authenticateUser • Can I determine groups? – getGroups http://HOST:PORT/integration/services/IdentityService/identity?WSDL <ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar • Can I determine granted roles? – getGrantedRolesToUser • Can I determine organizational units? – use the Java API
- 39. 39 Conclusion • Many debugging options available – Looking at WebLogic Console or application behavior – Using an external client for your authentication provider – Debug logging in WebLogic Server console – Log configuration in Enterprise Manager Fusion Middleware Control – Isolated tests such as IdentityService calls or Java API’s • It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong • WebLogic Console is relatively easy to debug compared to for example LibOVD. Application side debugging is often also not very difficult.
Hinweis der Redaktion
- Recent awards: Oracle EMEA Middleware Partner of the Year, 3 times Oracle Netherlands Middleware partner of the year. One of the rare moments in the Netherlands when it isn’t raining.
- What to debug; understand the configuration required
- https://blogs.oracle.com/OracleIDM/entry/why_customers_should_upgrade_directory
- What to debug; understand the configuration required
- OPSS provides an abstraction layer application programming interfaces (APIs) that insulate developers from security and identity management implementation details (a developer does need to know and implement LDAP to use users and groups in his application)
- What to debug; understand the configuration required
- First part of the presentation is about the WebLogic Console to LDAP. Second part of about API to application. JPS, Java Platform Security and LibOVD virtualization. More specific what the configuration files do.
- What to debug; understand the configuration required
- Creating LDAP queries is errorprone and after most changes in authentication provider configuration, the server needs a restart
- Set the password of the Embedded LDAP in order to allow connecting to it. Great source of inspiration for configuring your own LDAP.
- Recommend using an external LDAP client. WebLogic Server requires restarts after changing authentication provider configuration. External client can be used to easily test queries. Apache Directory Studio is nice. Replace image
- Recommend using an external LDAP client. WebLogic Server requires restarts after changing authentication provider configuration. External client can be used to easily test queries. Apache Directory Studio is nice. Replace image
- A specific authentication provider because the generic LDAPAuthenticationProvider has some limitations. Cannot be the first authentication provider. Not supported in LibOVD. Changing configuration (such as LDAP queries) requires restart of the server -> config.xml. Testing the LDAP Connection During Configuration (12.2.1!) Similar to the JDBC connection testing, WebLogic Server tests the connection between the Authentication provider and the LDAP server. On the Provider Specific page, after you configure a new LDAP Authentication provider or make changes to an existing one, when you save your configuration changes, WebLogic Server tests the connection between this provider and the corresponding LDAP server. If the test succeeds, the configuration settings are saved and you may activate them. If the test fails, an error message is displayed indicating a problem. No configuration settings are saved.
- JAAS control flags. See http://docs.oracle.com/cd/E17904_01/web.1111/e13707/atn.htm#SECMG171. It is usual to have weblogic in the embedded LDAP, control flag set to sufficient and an external LDAP also set to sufficient. Components using the OPSS API without LibOVD only look at the first LDAP server (and only at static groups) so order is also important. When the user is not found, check if authentication provider containing the user is queried in the log. The order matters!
- Can be confirmed that the GUID Attribute is the cache key? Weblogic LDAPAuthenticator configuration; the GUID Attribute: http://javaoraclesoa.blogspot.nl/2014/12/weblogic-ldapauthenticator.html.
- Just by clicking around in the Weblogic Console, you can already detect several problems if present.
- If you can’t see users/groups, maybe the current user is not an Administrator but Monitor. Working does not mean it performs!
- You can see the LDAP server connection
- What to debug; understand the configuration required
- First LibOVD, then application security for ADF and BPM
- http://docs.oracle.com/cd/E25178_01/core.1111/e10043/idstoreadm.htm#JISEC9360 specifies LDAP idstore params. Not all work (JarScan + JD-GUI on WlsLdapIdStoreConfigProvider). Edit adapters.os_xml while WebLogic is down! OPSS API’s do not query dynamic groups by default: http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-2-of-2/. You can virtualize using LibOVD or OVD.
- Image from http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html. Application roles are granted to users or enterprise roles. Resource permissions are granted to application roles. Take care jazn-data.xml is merged into system-jazn-data.xml (but not testusers/roles) by ojdeploy. Ojdeploy can be called from Ant, Maven
- Also credential store access. This is the runtime policy store. http://secureandgo.blogspot.nl/2010/09/opss-artifacts-life-cycle-in-adf.html. If you want to use DB policy store instead of system-jazn-data.xml; https://redstack.wordpress.com/2011/10/29/soa11g-database-as-a-policy-store/
- http://www.redheap.com/2013/06/secure-credentials-in-adf-application.html
- Usually ADF and SOA/BPM run on individual servers. A good usecase to use the same authentication provider. SalesRep and BusinessPractices are
- Several other interesting API’s under soa-infra application. IdentityService (or FMW apps such as WCC)