Wednesday, May 28, 2014

Configuring an OID Authentication Provider in WebLogic 10.3.6

Configuring an OID Authentication Provider in WebLogic 10.3.6

This is the architecture that depicts the configuration of an OID LDAP-based authentication provider used by OPSS applications deployed on a WebLogic Server environment. 

Follow the steps below to configure an OID authentication provider using the Weblogic Administration Console:
1.Open the Firefox web browser using the  icon on the launch panel. Make sure the WebLogic Server is running before continuing on to the next step.
2.Open the WebLogic Administration Console by browsing to http://localhost:7001/console.
Screenshot for Step
Login using the following credentials:
Username: weblogic
Password: welcome1
Screenshot for Step
3.Click the Security Realms link in the Domain Structure pane to show the list of security realms for the domain.
Screenshot for Step
4.Click the myrealm link in the Realms pane to show the settings for the domain's security realm.
Screenshot for Step
5.Click the Providers tab to show the security providers configured for myrealm.
Screenshot for Step
6.Click the Authentication tab to list the currently configured authentication providers for this domain's security realm. The default out-of-the-box providers are shown for the embedded LDAP authentication provider and identity asserter. This is where you configure the new OID authentication provider.
Screenshot for Step
7.Click New to create a new authentication provider for this domain.
Screenshot for Step
8.The Create a new Authentication Provider page is displayed. Give your new authentication provider a name, such as OID Authenticator, select the type called OracleInternetDirectoryAuthenticator, and click OK.
Screenshot for Step
9.You should now see your new OID authenticator in the list of authentication providers, at the bottom of the list.
Screenshot for Step
10.Click the link for your OID authentication provider to configure its settings.
Screenshot for Step
11.The Settings for OID Authenticator is displayed. Click the Provider Specific tab to configure the detailed settings for this provider.
Screenshot for Step
12.This step guides you through all of the settings for configuring your new OID authentication provider. All the settings are made on a single configuration page, however we go through them one section at a time in this instruction.
The first section contains the Connection settings for the OID server. Use the values from the table below for this section:
NameValuePurpose
Host:localhostThe OID host name
Port:3060The standard OID listening port
Principal:cn=orcladminThe LDAP user that logs into OID on behalf of your authentication provider
Credentials:welcome1Password for the principal user
Confirm Credentials:welcome1Confirmation of the password
SSL Enabled:UncheckedEnables or disables SSL connectivity
Validate your settings against the screen shot below:
Screenshot for Step
The next section contains the Users settings for the OID provider. Use the values from the table below for this section:
NameValuePurpose
User Base DN:cn=Users,dc=us,dc=oracle,dc=comThe root (base DN) of the LDAP tree where searches are performed for user data
All Users Filter:Leave as defaultThe LDAP search filter that is used to show all the users below the User Base DN
User From Name Filter:Leave as defaultThe LDAP search filter used to find the LDAP user by name
User Search Scope:Leave as defaultSpecifies how deep in the LDAP tree to search for users
User Name Attribute:Leave as defaultThe attribute of the LDAP user that specifies the user name
User Object Class:Leave as defaultThe LDAP object class that stores users
Use Retrieved User Name as Principal:CheckedSpecifies if the user name retrieved from the LDAP directory will be used as the Principal in the Subject
Validate your settings against the screen shot below:
Screenshot for Step
The next section contains the Groups settings for the OID provider. Use the values from the table below for this section:
NameValuePurpose
Group Base DN:cn=Groups,dc=us,dc=oracle,dc=comThe root (base DN) of the LDAP tree where searches are performed for group data
All Groups Filter:Leave as defaultThe LDAP search filter that is used to show all the groups below the Group Base DN
Group From Name Filter:Leave as defaultThe LDAP search filter used to find the LDAP group by name
Group Search Scope:Leave as defaultSpecifies how deep in the LDAP tree to search for groups
Group Membership Searching:Leave as defaultSpecifies whether group searches into nested groups are limited or unlimited
Max Group Membership Search Level:Leave as defaultSpecifies how many levels of group membership can be searched. This setting is only valid if GroupMembershipSearching is set to limited
Ignore Duplicate Membership:UncheckedDetermines whether duplicates members are ignored when adding groups.
Validate your settings against the screen shot below:
Screenshot for Step
Click Save to persist your changes.
Screenshot for Step
13.Click the Common tab in the Settings for OID Authenticator pane to show settings common to all authentication providers.
Screenshot for Step
14.Change the Control Flag setting to SUFFICIENT and click Save. This setting allows this provider to participate in the authentication process without requiring the user to be in its identity store.
Screenshot for Step
15.Click the Providers link the breadcrumb displayed near the top of the page to quickly navigate back to theAuthentication Providers page.
Screenshot for Step
16.Click the DefaultAuthenticator link to display its common settings so you can change its control flag toSUFFICIENT as well.
Screenshot for Step
17.Change the Control Flag setting to SUFFICIENT and click Save. This setting allows this provider to participate in the authentication process without requiring the user to be in its identity store.
Screenshot for Step
18.Click the Providers link the breadcrumb displayed near the top of the page to quickly navigate back to theAuthentication Providers page.
Screenshot for Step
19.Click Reorder to change the order of your configured authentication providers.
If you remember from the OPSS Concepts self-study course, OPSS obtains its authentication configuration from the authentication provider configuration found in the WebLogic Server domain. It also states that OPSS first looks at all of the LDAP-based authentication providers in the list, and chooses the first one in the list with the highest control flag setting. Because we configured both LDAP-based authentication providers to use the SUFFICIENTcontrol flag setting, OPSS would use the default authenticator if we left the configuration as it is now. In order to ensure that OPSS recognizes your new OID authenticator as its authentication provider, you must reorder your list of authentication providers so that the OID authentication provider is first in the list.
Screenshot for Step
20.Select the OID Authenticator and use the arrows on the right to move it into the first position. Click OK.
Screenshot for Step


Thursday, May 15, 2014

Weblogic 10.3.6 Export data from a security provider

Weblogic 10.3.6: Export data from a security provider


Security data (authentication, authorization, credential map, and role data) from one security realm can be exported into a file and then imported into another security realm. This feature allows you to develop and test new security realms without recreating all the security data (for example, when moving a development security realm to production). Only information from the WebLogic security providers can be exported and imported. Two options are available:
  • Export all security data from all of the security providers in a security realm. 
  • Export specific data (for example, user and groups or roles) from a specific provider, as described in this topic.
To export security data from a security provider to a file:
  1. In the left pane, select Security Realms and then select the name of the realm you are configuring (for example, myrealm).
  2. Select the type of provider from which you want to export security data (for example, Authentication).
  3. Select the security provider from which you want to export security data.



    4. Select 
Migration > Export.

    5. Specify the directory and filename in which to export the security data in the Export File on Server field. The directory must exist.
Note: The directory and file into which you export the security data should be carefully protected with operating system security as they contain secure information about your deployment.

6.Optionally, define a specific set of security data to be exported in the Export Constraints box.

7. Click Save.

Note: Once the data is exported from the security provider, it can be imported at any time.


OCI Knowledge Series: OCI Infrastructure components

  Oracle Cloud Infrastructure (OCI) provides a comprehensive set of infrastructure services that enable you to build and run a wide range of...