Configuring an OID Authentication Provider in WebLogic


Purpose

This tutorial covers configuring an Oracle Internet Directory (OID) authentication provider in Oracle WebLogic Server using the WebLogic Administration console. Oracle Platform Security Services (OPSS) uses the authentication provider configuration within a WebLogic domain to bootstrap its connection with an identity store.

After completing this exercise, you should be able to:

Time to Complete

Approximately 1 hour or less

Overview

OPSS is Oracle's security framework for developing and managing security services in Java SE and Java EE environments. This tutorial shows how to configure an OID authentication provider in WebLogic so that OPSS uses OID as its identity store.

Configuring an OID Authentication Provider in WebLogic

The architecture diagram depicts the configuration of an OID LDAP-based authentication provider used by OPSS applications deployed on a WebLogic Server environment. This OBE covers how to configure the OID authentication provider alongside the WebLogic embedded LDAP provider (DefaultAuthenticator) for use with OPSS. The environment consists of the following:

Software and Hardware Requirements

The following is a list of requirements:

Prerequisites

Before starting this tutorial, complete the following prerequisites:

This OBE requires that you have completed the OPSS Set Up OBE.

Configure OID Authentication Provider

Follow the steps below to configure an OID authentication provider using the WebLogic Administration Console:

1. Open the Firefox web browser using the icon on the launch panel. Make sure the WebLogic Server is running before continuing on to the next step.

2. Open the WebLogic Administration Console by browsing to http://localhost:7001/console.

   Log in using the following credentials:

   Username: weblogic
   Password: welcome1

3. Click the Security Realms link in the Domain Structure pane to show the list of security realms for the domain.

4. Click the myrealm link in the Realms pane to show the settings for the domain's security realm.

5. Click the Providers tab to show the security providers configured for myrealm.

6. Click the Authentication tab to list the currently configured authentication providers for this domain's security realm. The out-of-the-box providers are shown: DefaultAuthenticator (the embedded LDAP authentication provider) and DefaultIdentityAsserter. This is where you configure the new OID authentication provider.

7. Click New to create a new authentication provider for this domain.

8. The Create a new Authentication Provider page is displayed. Give your new authentication provider a name, such as OID Authenticator, select the type called OracleInternetDirectoryAuthenticator, and click OK.

9. You should now see your new OID authenticator at the bottom of the list of authentication providers.

10. Click the link for your OID authentication provider to configure its settings.

11. The Settings for OID Authenticator page is displayed. Click the Provider Specific tab to configure the detailed settings for this provider.

12. This step guides you through all of the settings for configuring your new OID authentication provider. All the settings are made on a single configuration page; this instruction goes through them one section at a time.

   The first section contains the Connection settings for the OID server. Use the values from the table below for this section:

   Name                 Value          Purpose
   Host                 localhost      The OID host name
   Port                 3060           The standard (non-SSL) OID listening port
   Principal            cn=orcladmin   The LDAP user the provider binds as when it searches OID on behalf of WebLogic
   Credentials          welcome1       Password for the principal user
   Confirm Credentials  welcome1       Confirmation of the password
   SSL Enabled          Unchecked      Enables or disables SSL connectivity to OID

   Two caveats apply outside this lab. cn=orcladmin is the OID superuser, so a production provider should bind as a dedicated account with read-only access to the user and group subtrees. With SSL Enabled unchecked, the bind password and every user password the provider verifies cross the network in cleartext; that is tolerable here only because OID and WebLogic run on the same host.

   Validate your settings against the screen shot below:

   The next section contains the Users settings for the OID provider. Use the values from the table below for this section:

   Name                                  Value                            Purpose
   User Base DN                          cn=Users,dc=us,dc=oracle,dc=com  The root (base DN) of the LDAP subtree searched for user data
   All Users Filter                      Leave as default                 The LDAP search filter that returns all users below the User Base DN
   User From Name Filter                 Leave as default                 The LDAP search filter used to find a user by name
   User Search Scope                     Leave as default                 How deep below the User Base DN to search for users
   User Name Attribute                   Leave as default                 The attribute of the user entry that holds the user name
   User Object Class                     Leave as default                 The LDAP object class of user entries
   Use Retrieved User Name as Principal  Checked                          Whether the user name as stored in the directory (rather than as typed at login) becomes the principal in the Subject

   Validate your settings against the screen shot below:

   The next section contains the Groups settings for the OID provider. Use the values from the table below for this section:

   Name                               Value                             Purpose
   Group Base DN                      cn=Groups,dc=us,dc=oracle,dc=com  The root (base DN) of the LDAP subtree searched for group data
   All Groups Filter                  Leave as default                  The LDAP search filter that returns all groups below the Group Base DN
   Group From Name Filter             Leave as default                  The LDAP search filter used to find a group by name
   Group Search Scope                 Leave as default                  How deep below the Group Base DN to search for groups
   Group Membership Searching         Leave as default                  Whether searches into nested groups are limited or unlimited
   Max Group Membership Search Level  Leave as default                  How many levels of nested group membership are searched; only used when Group Membership Searching is limited
   Ignore Duplicate Membership        Unchecked                         Whether duplicate members are ignored when adding groups

   Validate your settings against the screen shot below:

   Click Save to persist your changes.

13. Click the Common tab in the Settings for OID Authenticator pane to show settings common to all authentication providers.

14. Change the Control Flag setting to SUFFICIENT and click Save. With SUFFICIENT, a successful authentication by this provider completes the login without consulting the providers after it, while a failure simply passes the attempt to the next provider in the list; a user therefore does not have to exist in this provider's identity store for the login to succeed.

15. Click the Providers link in the breadcrumb displayed near the top of the page to navigate back to the Authentication Providers page.

16. Click the DefaultAuthenticator link to display its common settings so you can change its control flag to SUFFICIENT as well.

17. Change the Control Flag setting to SUFFICIENT and click Save. This makes the embedded LDAP provider behave the same way: a user it knows (such as weblogic) is accepted, and a user it does not know is passed on rather than rejected. If DefaultAuthenticator were left at REQUIRED, logins would also have to succeed against the embedded LDAP, so a user that exists only in OID would be rejected even after the OID provider accepted them.

18. Click the Providers link in the breadcrumb displayed near the top of the page to navigate back to the Authentication Providers page.

19. Click Reorder to change the order of your configured authentication providers.

   As the OPSS Concepts self-study course explains, OPSS takes its authentication configuration from the authentication providers configured in the WebLogic Server domain: it considers only the LDAP-based authentication providers, and adopts as its identity store the first one in the list that carries the highest control flag. Because both LDAP-based providers now have the SUFFICIENT control flag, the tie is broken by position, and OPSS would keep using DefaultAuthenticator (the embedded LDAP) if the configuration were left as it is now. To make OPSS recognize your new OID authenticator as its identity store, reorder the list so that the OID authentication provider is first.

20. Select the OID Authenticator and use the arrows on the right to move it into the first position. Click OK.
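The following is an added illustration, not code from this OBE or from Oracle: a small Python model of the two rules the control-flag and reorder steps rely on. authenticate walks an ordered provider list with the JAAS control-flag semantics WebLogic applies (a SUFFICIENT success stops the walk, a REQUIRED or REQUISITE failure sinks the login), and opss_identity_store applies the selection rule stated above. The provider names match this tutorial; the user sets and passwords are constructed stand-ins for the embedded LDAP and OID directories, not a real LDAP bind.

```python
"""Added illustration of how WebLogic evaluates an ordered list of
authentication providers under the JAAS control flags (REQUIRED, REQUISITE,
SUFFICIENT, OPTIONAL) and of which LDAP authenticator OPSS adopts as its
identity store. Not Oracle code; the credential dictionaries below are
constructed stand-ins for the embedded LDAP and OID directories."""

# Precedence OPSS applies when several LDAP authenticators are configured.
RANK = {"REQUIRED": 3, "REQUISITE": 2, "SUFFICIENT": 1, "OPTIONAL": 0}

# Constructed stand-ins: user -> password held by each directory.
EMBEDDED_LDAP = {"weblogic": "welcome1"}                  # DefaultAuthenticator
OID = {"joeuser": "welcome1", "joemanager": "welcome1"}    # OID Authenticator


def authenticate(providers, user, password):
    """Evaluate providers in list order with JAAS control-flag semantics.

    providers: list of (name, flag, store) where store maps user -> password
    (a stand-in for the directory the provider binds against).
    Returns (authenticated, trace); trace records each provider consulted.
    """
    required_seen = False      # a REQUIRED/REQUISITE provider was evaluated
    required_failed = False    # ... and at least one of them failed
    sufficient_or_optional_ok = False
    trace = []
    for name, flag, store in providers:
        ok = store.get(user) == password    # did the simple bind succeed?
        trace.append(f"{name}[{flag}]: {'success' if ok else 'failure'}")
        if flag in ("REQUIRED", "REQUISITE"):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == "REQUISITE":
                    break   # REQUISITE failure aborts the chain immediately
        elif ok:
            sufficient_or_optional_ok = True
            if flag == "SUFFICIENT" and not required_failed:
                break       # SUFFICIENT success short-circuits the rest
        # OPTIONAL (either outcome) and a failed SUFFICIENT: keep walking
    if required_seen:
        return (not required_failed), trace
    return sufficient_or_optional_ok, trace


def opss_identity_store(ldap_providers):
    """Rule the tutorial cites: of the LDAP-based authenticators, OPSS takes
    the first one in the list that carries the highest control flag."""
    best_key, best_name = None, None
    for position, (name, flag, _store) in enumerate(ldap_providers):
        key = (RANK[flag], -position)     # higher flag wins, then earlier position
        if best_key is None or key > best_key:
            best_key, best_name = key, name
    return best_name


def scenarios():
    """Outcomes for the realm part-way through and at the end of this tutorial."""
    default_req = ("DefaultAuthenticator", "REQUIRED", EMBEDDED_LDAP)
    default_suf = ("DefaultAuthenticator", "SUFFICIENT", EMBEDDED_LDAP)
    oid_suf = ("OID Authenticator", "SUFFICIENT", OID)
    final = [oid_suf, default_suf]        # state after the Reorder step
    return {
        # OID added but DefaultAuthenticator still REQUIRED: an OID-only
        # user is rejected even though the OID provider accepted them.
        "oid_user_default_required": authenticate([default_req, oid_suf], "joeuser", "welcome1")[0],
        # Both SUFFICIENT, OID first: OID users and the console admin both work.
        "oid_user_final": authenticate(final, "joeuser", "welcome1")[0],
        "admin_user_final": authenticate(final, "weblogic", "welcome1")[0],
        "bad_password_final": authenticate(final, "joeuser", "wrong")[0],
        # Identity store OPSS picks before and after reordering (both SUFFICIENT).
        "store_before_reorder": opss_identity_store([default_suf, oid_suf]),
        "store_after_reorder": opss_identity_store(final),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label}: {result}")
```

Running it shows that an OID-only user such as joeuser is rejected while DefaultAuthenticator is still REQUIRED, succeeds once both providers are SUFFICIENT, and that the reorder is what moves the OPSS identity store from DefaultAuthenticator to the OID Authenticator. It also encodes the check to make after the restart: the weblogic administrator, who exists only in the embedded LDAP, must still be able to log in to the console through the second provider.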

 

Verify OID Configuration

This section guides you through the steps to verify that WebLogic Server is successfully connected to the OID LDAP server.

1. Restart WebLogic Server for your changes to take effect. The fastest way to restart WebLogic is to press Ctrl-C in the terminal window where it was started, and then rerun the startWebLogic.sh script.

2. After the WebLogic Server is in RUNNING mode again, log in to the WebLogic Administration Console to test the server's connection to OID.

3. Within the WebLogic Administration Console, select Security Realms > myrealm > Users and Groups tab. The Users sub-tab should be selected by default. You should see the users you browsed earlier in the OPSS Set Up OBE, such as joemanager and joeuser. Note how each user also has the authentication provider listed from which the user was obtained.

4. Click the Groups tab to see the list of groups the server can see. You should see the groups you browsed earlier in the OPSS Set Up OBE, such as employees and supervisors. Note that the screen shot below has been altered slightly to conserve space. The supervisors group may not be visible on the first paginated view of the group list. Click Next to view this group.

Summary

You have now completed the Configuring an OID Authentication Provider in WebLogic OBE. You are ready to continue with the other OBE tutorials included in this series. This tutorial is a dependency for all of the other OBE tutorials in this series.

In this tutorial, you have learned how to:

Resources

Credits

Hardware and Software Engineered to Work Together Copyright © 2012, Oracle and/or its affiliates. All rights reserved