Leverage Weblogic LDAPAuthenticator through OEM

Use Case:

Our use case is to manage the ADF application roles through OEM and assign users located in an enterprise LDAP to them. The enterprise LDAP is only reachable over SSL.
Implementation steps:
  1. Create an LDAP Authenticator
  2. Import the authority certificate into WebLogic's trust keystore
  3. Add the LDAP Authenticator's reference to OEM
  4. Import the authority certificate into the OEM trust keystore
  5. Assign ADF application roles to users located in the LDAP


1 – Create an LDAP Authenticator

First we need to create our LDAPAuthenticator in the WebLogic security realm. Because this LDAP is reachable only through SSL, we also need to import the LDAP server's certificate into WebLogic's trust keystore.


2 – Import the certificate into WebLogic's trust keystore

keytool -import -v -file /u01/138.3.49.185 -keystore /keystore_path/weblogic_trust.jks -alias myalias
Enter keystore password:  
Owner: CN=138.3.49.185, OU=uk, O=osc, L=oracle, ST=com, C=GB
Issuer: CN=138.3.49.185, OU=uk, O=osc, L=oracle, ST=com, C=GB
Serial number: 9e0ccb13
Valid from: Mon Jan 20 04:51:11 PST 2014 until: Tue Jan 20 04:51:11 PST 2015
Certificate fingerprints:
         MD5:  C7:29:76:2C:E6:EA:68:43:5F:FF:45:68:10:9C:91:FA
         SHA1: 41:F4:76:18:FC:5E:1B:38:5C:DC:64:09:43:C6:F2:2A:34:9B:B1:31
         Signature algorithm name: SHA256withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing /keystore_path/weblogic_trust.jks]

3 – Add the LDAP authenticator’s reference to OEM

First we need to add custom properties.

The 'virtualize' property must be set to true if you want to query multiple identity stores; it leverages the libOvd library.


In order to manage ADF Security we need to use OEM. Because we aren't using the WebLogic embedded LDAP, we need to modify jps-config.xml so that it references our new LDAPAuthenticator:

$DOMAIN_HOME/config/fmwconfig/jps-config.xml


<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
   <description>LDAP Identity Store Service Instance</description>
   <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
   <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
   <property name="virtualize" value="true"/>
   <serviceInstanceRef ref="LDAPAuthenticator"/>
</serviceInstance>

<serviceInstance name="LDAPAuthenticator" provider="idstore.ldap.provider">
   <description>Enterprise LDAP Store</description>
   <property name="idstore.type" value="ACTIVE_DIRECTORY"/>
</serviceInstance>

The ref value LDAPAuthenticator must match the name of the LDAP Authenticator created in the WebLogic security realm.
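A small consistency check for this wiring, added here as an example and not part of the original post or of Oracle's tooling: it parses a jps-config.xml and reports when the serviceInstanceRef under idstore.ldap does not match the authenticator name, points at a serviceInstance that does not exist, lacks idstore.type, or when virtualize is not true. The sample XML is constructed from the fragment above; the real file carries a namespace, which the parser strips.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip a namespace prefix: '{uri}serviceInstance' -> 'serviceInstance'."""
    return tag.rsplit("}", 1)[-1]

def _props(instance):
    """Map property name -> value for the <property> children of one serviceInstance."""
    return {p.get("name"): p.get("value") for p in instance if _local(p.tag) == "property"}

def check_idstore_wiring(xml_text, authenticator_name):
    """Return wiring problems found (empty = OK); authenticator_name is the WebLogic
    realm's LDAP Authenticator name, which the serviceInstanceRef must match exactly."""
    root = ET.fromstring(xml_text)
    instances = {el.get("name"): el for el in root.iter()
                 if _local(el.tag) == "serviceInstance" and el.get("name")}
    idstore = instances.get("idstore.ldap")
    if idstore is None:
        return ["no serviceInstance named idstore.ldap"]
    problems = []
    if _props(idstore).get("virtualize", "").lower() != "true":
        problems.append("idstore.ldap: 'virtualize' is not true, so libOvd will not query multiple identity stores")
    refs = [r.get("ref") for r in idstore if _local(r.tag) == "serviceInstanceRef"]
    if authenticator_name not in refs:
        problems.append(f'idstore.ldap: no serviceInstanceRef ref="{authenticator_name}" (found {refs})')
    for ref in refs:
        target = instances.get(ref)
        if target is None:
            problems.append(f'serviceInstanceRef "{ref}" has no matching serviceInstance')
        elif "idstore.type" not in _props(target):
            problems.append(f'serviceInstance "{ref}": idstore.type property is missing')
    return problems

# Constructed sample mirroring the fragment in the post (wrapped in a root element, no namespace).
GOOD_XML = """<jpsConfig>
 <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
  <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
  <property value="true" name="virtualize"/>
  <serviceInstanceRef ref="LDAPAuthenticator"/>
 </serviceInstance>
 <serviceInstance name="LDAPAuthenticator" provider="idstore.ldap.provider">
  <property name="idstore.type" value="ACTIVE_DIRECTORY"/>
 </serviceInstance>
</jpsConfig>"""

# Constructed broken variant: ref does not match the realm's authenticator name and virtualize is absent.
BAD_XML = GOOD_XML.replace('ref="LDAPAuthenticator"', 'ref="MyLdap"') \
                  .replace('<property value="true" name="virtualize"/>', "")
```

Run it against $DOMAIN_HOME/config/fmwconfig/jps-config.xml with the authenticator name shown in the WebLogic console before restarting the domain.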

4 – Import the certificate in the OEM’s adapters.jks Keystore

It's important to notice that OEM uses a dedicated keystore named adapters.jks for the LDAP connection, so the certificate must be imported there as well. Running libovdconfig.sh with -createKeystore creates it:

$MW_HOME/oracle_common/bin/libovdconfig.sh -host myhost -port 7001 -userName weblogic -domainPath $DOMAIN_HOME/mydomain -createKeystore
Enter AdminServer password:
Enter OVD Keystore password:
OVD config files already exist for context: default
CSF credential creation successful
Permission grant successful
OVD MBeans already configured for context: default
Successfully created OVD keystore.

$JAVA_HOME/bin/keytool -importcert -keystore $DOMAIN_HOME/config/fmwconfig/ovd/default/keystores/adapters.jks -storepass welcome1 -alias myalias -file my.pem -noprompt

 
Note: If you run into issues, you can enable debug output with the JVM flag -Djava.security.debug=jpspolicy


All the adapter configurations are located in the $DOMAIN_HOME/config/fmwconfig/ovd/default/adapters.os_xml file.

5 – Assign ADF application roles to users located in the LDAP

In order to assign users to application roles, we need to use the OEM console.

Create the ADF application roles and grant permissions to them, then assign LDAP groups or users to those application roles.

