Thursday, February 25, 2010

Troubleshooting SSPI Integration

Hi all,
This time I would like to post troubleshooting tips for issues I have come across with the SSPI integration of Oracle Access Manager. I have given the most probable solution for each error; it may differ based on the environment and the approach followed. This applies to WebLogic Server up to 10.3.0 and not to WebLogic 10.3.1 and higher.
1. Error: 
Problem invoking WLST - Traceback (innermost last):
File “D:\wlsConnector\NetPointSecuProvForWeblogic\”,
line 187, in ?
File “D:\wlsConnector\NetPointSecuProvForWeblogic\”,
line 154, in create_AuthenticationProvider_14
java.lang.AssertionError: java.lang.reflect.UndeclaredThrowableException
at weblogic.descriptor.internal.AbstractDescriptorBean._createChildBean(
Scenario: While running setupNetPointRealm_wl92.cmd.
Solution: The WebLogic Server Security Provider policy domain already exists in OAM. Delete that policy domain and run setupNetPointRealm_wl92.cmd again.
2. Error:
File “D:\oracle\OAM\wlsConnector\NetPointSecuProvForWeblogic\setupNetPointReal”, line 187, in ?
File “D:\oracle\OAM\wlsConnector\NetPointSecuProvForWeblogic\setupNetPointReal”, line 154, in create_AuthenticationProvider_14
java.lang.AssertionError: java.lang.NoClassDefFoundError: com/oblix/access/ObCon
at weblogic.descriptor.internal.AbstractDescriptorBean._createChildBean(
Scenario: While running setupNetPointRealm_wl92.cmd, it threw NoClassDefFoundError for com/oblix/access/ObConfig.
Solution: Check that the jar paths are specified correctly in setDomainEnv.cmd, and look for mismatched or typographic quotes (”) in the cmd file; an editor that replaces straight quotes silently breaks the classpath.
3. Error: Malformed \uxxxx encoding
Scenario: Running runDeployerTool.cmd resulted in this error.
Solution: When making the changes, open the file in Notepad instead of EditPlus and change the scheme values there. Also replace \ with / in paths: the Java properties loader reads \u as the start of a unicode escape, so a Windows path such as D:\users\... fails to load.
4. Error: 
D:\wlsConnector\NetPointSecuProvForWeblogic\oblix\tools\npWLTools>D:/bea/jdk160_05/bin/java orcladmin password
Using /D:/wlsConnector/NetPointSecuProvForWeblogic/oblix/tools/npWLTools/NetPoin
Error 11004, 11004, 11004, 11004,
Access SDK ( AM API) initialize failed, please check log file for error messages
and re-run NetPointPolicyDeployer
Scenario: While running runDeployerTool.cmd to create the WebLogic policy domain.
Solution: Check whether you can ping the Access Server host from the machine running the tool; the Access SDK failing to initialize with error 11004 is most likely a connectivity issue.
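The "Malformed \uxxxx encoding" error in item 3 comes from how Java's Properties loader treats backslashes: \uXXXX must be followed by four hex digits, and a backslash before any other character is silently rewritten, so a Windows path typed as D:\users\tools breaks in two different ways. The script below is an added example, not from the original post, that finds both defects in a .properties file and applies the forward-slash rewrite the post recommends; the sample file is constructed here and merely stands in for the deployer tool's properties file.

```shell
#!/bin/sh
# Added example (not from the original post): find the two backslash defects
# Java's Properties loader trips over and apply the forward-slash rewrite.

check_properties() {
  # $1 = a Java .properties file. The loader reads "\\" as one backslash and
  # "\uXXXX" as a unicode escape. "\u" followed by anything else aborts the load
  # with "Malformed \uxxxx encoding"; a backslash before any other character is
  # rewritten (\t becomes a tab, \w becomes w), so D:\wls\tools loads as
  # "D:wls<TAB>ools". Strip the valid forms, then report whatever is left.
  rest=$(sed -E 's/\\\\//g; s/\\u[0-9A-Fa-f]{4}//g' "$1")
  fatal=$(printf '%s\n' "$rest" | grep -n '\\u')
  silent=$(printf '%s\n' "$rest" | grep -n '\\[^u]')
  [ -n "$fatal" ]  && printf 'FATAL  malformed \\u escape (line:text)\n%s\n' "$fatal" >&2
  [ -n "$silent" ] && printf 'WARN   backslash rewritten by the loader (line:text)\n%s\n' "$silent" >&2
  [ -z "$fatal" ] && [ -z "$silent" ]
}

fix_windows_paths() {
  # The workaround the post gives: write Windows paths with forward slashes,
  # which Java accepts and the loader leaves alone. Only lines that contain a
  # drive-letter path are rewritten; the result goes to stdout.
  sed -E '/[A-Za-z]:\\/ s#\\#/#g' "$1"
}

sample_properties() {
  # Constructed sample, not a file from the post: two Windows paths typed with
  # backslashes and one legitimate \uXXXX escape that must survive untouched.
  cat <<'EOF'
OB_ProviderDir=D:\wlsConnector\NetPointSecuProvForWeblogic
OB_Tools=D:\users\tools
OB_Name=caf\u00e9
EOF
}

# Stand-alone demo on the constructed sample
demo=$(mktemp)
sample_properties > "$demo"
if check_properties "$demo"; then
  echo "no defects"
else
  echo "defects found; rewritten copy:"
  fix_windows_paths "$demo"
fi
rm -f "$demo"
```

Run check_properties against the real file before invoking the tool; a clean pass means the loader will read every path exactly as written.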

Configure Reverse Proxy for Oracle Access Manager consoles

Though it is not a tough job to implement, I thought there is nothing wrong in sharing it. It is sometimes necessary to reverse proxy the Oracle Access Manager consoles through Oracle HTTP Server, Apache HTTP Server, etc.
Let's assume the OAM console URLs are like this:
Let's assume you have OHS or Apache running on port 80. Open the httpd.conf file, go to the end of the file and paste the lines below.
ProxyPass /access/oblix
ProxyPassReverse /access/oblix
ProxyPass /identity/oblix
ProxyPassReverse /identity/oblix
Now you can reach the OAM consoles through the Apache server at http://apache_host_name/access/oblix and http://apache_host_name/identity/oblix. Each ProxyPass directive takes the backend console URL as its second argument, and mod_proxy and mod_proxy_http must be loaded. Bear in mind that this exposes the administration consoles to every client that can reach the proxy, so restrict who may request those paths at the proxy rather than relying on the console login alone.

Wednesday, February 24, 2010

Integrating Oracle Access Manager with WebLogic Server 10g

Hi all,
This post talks about the integration between Oracle Access Manager 10g and WebLogic Server 10g. It is not applicable to WebLogic versions 10.3.1 and higher. The functionality achieved with this integration is Single Sign-On between applications deployed on WebLogic Server (WebLogic resources) and non-WebLogic resources; the SSPI connector can therefore be used to achieve Single Sign-On between OAM AccessGates and WebGates.
Infrastructure involved: 
  • Oracle Access Manager and higher
  • WebLogic SSPI
  • Oracle HTTP Server (for reverse proxy)
It is assumed that Oracle Access Manager is already installed; I will not talk about installing any components unless it is needed for this integration.
It is good to upgrade the Oracle Access Manager to if you are using as there are some bugs associated with this integration.
The WebLogic SSPI connector can be downloaded here (Linux) or here (Windows). I have selected OHS as the reverse proxy; it can be any other web server of your choice, provided a WebGate is already installed on it.
Up to WebLogic Server 10.3.0, this integration has been achieved using the SSPI connector.
Security Service Provider Interface (SSPI) Connector:
The WebLogic security framework is based on J2EE standards and on JAAS; the interfaces through which it plugs in security providers are called the Security Service Provider Interface (SSPI), and the OAM connector for WebLogic implements several such provider modules: an Authentication Provider, an Identity Asserter, an Authorization Provider, a Role Mapping Provider and a Deployment Provider.
Authentication Provider: uses OAM authentication services to authenticate users (by username and password) who access WebLogic applications. On its own this provider does not give Single Sign-On.
Authorization Provider: uses OAM authorization services to authorize users who access WebLogic resources. Authorization is decided by the policies specified in the Policy Manager.
Identity Asserter: the essential provider when Single Sign-On is wanted. Like the Authentication Provider it validates the user, but it does so for an already-authenticated user on the strength of the ObSSOCookie. It is used in the proxied configuration.
Role Mapper: returns the security roles of a user. The groups the user belongs to are returned by the actions configured in the authentication policy of the policy domain.
Deployment Provider: this provider (though not part of the JAAS specification) monitors applications deployed to or undeployed from the WebLogic Server and writes information about them to NetPointDeployPolicy.txt or NetPointUndeployPolicy.txt respectively.
Process Flow:
  1. The user requests a WebLogic resource protected by OAM. In this case the auth-method configured in web.xml must be CLIENT-CERT, so that the container delegates to the identity asserter instead of prompting for a password itself.
  2. WebGate intercepts the request and checks with the Access Server whether the resource is protected. If it is, WebGate fetches the authentication scheme configured for that resource.
  3. The user is challenged for username and password according to that authentication scheme.
  4. The user submits the credentials.
  5. WebGate passes the credentials to the Access Server for validation. If the user is authenticated successfully, the Access Server creates a session token and passes it to WebGate, which sets the ObSSOCookie and appends it to the HTTP header. The proxy module (mod_proxy) on the proxy server then forwards the request to the WebLogic server.
  6. The WebLogic server plug-in passes the cookie on to the WebLogic server.
  7. The WebLogic security framework invokes the SSPI connector, which in turn invokes the Identity Asserter. The Identity Asserter expects the ObSSOCookie as the external token for validating the user, and sets the cookie in the HTTP response object once it has validated the token.
  8. The Identity Asserter extracts the cookie from the HTTP header and retrieves the user identity from the Access Server using a return action defined in a special authentication scheme in OAM. A resource with the URL /Authen/Basic is protected by OAM and is used by SSPI internally to authenticate users.
  9. The Authorization Provider asks the Access Server whether the user is authorized to access the resource. The Role Mapping Provider uses the AccessGate to ask the Access Server which OAM roles are defined for the user; these are mapped to WebLogic security roles. In OAM the roles are returned by a return action on the /Authen/Roles resource when its authorization policy is evaluated.
If authorization succeeds, the WebLogic server lets the user access the requested resource. Because the ObSSOCookie is set, no re-authentication takes place when the user goes on to access other OAM-protected, non-WebLogic resources; thus Single Sign-On is achieved between WebGates and AccessGates.
Installation and Configuration:
This integration involves:
  • Configure OAM for SSPI
  • SSPI connector install
  • Configure SSPI Connector
  • Deploy Policy Domains
  • Deploy WebLogic Application
  • Configure Reverse proxy
  • Test for SSO
  • Troubleshooting
Configure OAM for SSPI:
The SSPI connector communicates with both the Identity and Access Servers, and it expects user information such as privileges, groups, actions and responses, so you need a dedicated user for SSPI to talk to the Access Server. Let's name the user wlsadmin (create the user) and assign it the Master Identity Administrator, Master Administrator and Delegated Identity Administrator rights. This is a highly privileged account whose password is later written into the connector's configuration on the WebLogic host, so treat it as a service credential: give it a strong password and do not share it with interactive administrators.
1. Create the resource type definitions in OAM for the following.
  • wl_url: resource operations GET and POST
  • wl_svr: resource operations BOOT and DEFAULT
  • wl_adm: resource operation DEFAULT
  • wl_ejb: resource operation EXECUTE
  • wl_authen: resource operation LOGIN
2. Create the WebLogic authentication scheme to be used by the WebLogic policy domain with following values.
Name: Oracle WebLogic Access and Identity authentication scheme
Description: Used to authenticate users who access WebLogic resources.
Level: 1
Challenge Method: Basic
Challenge Parameter: realm:Oracle Access and Identity
SSL Required: No
Challenge Redirect: (Leave blank)
Enabled: (Leave as is)
Specify the credential_mapping and validate_password plugin values as shown below.
credential_mapping obMappingBase="o=company,c=us",obMappingFilter="(&(&(objectclass=inetorgperson)(uid=%userid%))(|(!(obuseraccountcontrol=*))(obuseraccountcontrol=ACTIVATED)))"
validate_password obCredentialPassword="password"
Specify the search base (o=company,c=us) as per your environment.
3. Create a second authentication scheme for un-protecting certain resources, such as gif images among the WebLogic resources, using the following details and the Anonymous authentication scheme as a template:
General tab:
Name: Oracle WebLogic Anonymous Authentication
Description: Used to un-protect gifs, and so on.
Level: 0
Challenge Method: Anonymous
Parameter: (Leave blank)
SSL Required: No
Challenge Redirect: (Leave blank)
Enabled: Yes
Provide the plugin values as shown below.
credential_mapping obMappingBase="o=company,c=us",obMappingFilter="
4. Configure an AccessGate for the SSPI connector. This is the AccessGate the security providers use to communicate with the Access Server. Follow the OAM installation guide to create an AccessGate; note that a port need not be specified.
5. Backup the config.xml and
6. Install the SSPI connector. The steps are straightforward; a few things to remember:
Select Advanced as the configuration option.
Enter allow for "Map the authorization result abstain".
Enter the WebPass hostname and port.
Enter the user and group search attributes.
Select the transport mode: open, simple or cert. Open sends the AccessGate traffic to the Access Server in cleartext, so use simple or cert outside a lab, and make sure the mode matches the one set in the AccessGate profile.
Enter the AccessGate details as specified in the AccessGate profile.
Configure SSPI connector:
1. Go to sspi_install_dir/NetPointSecuProvForWeblogic.
2. Take a backup of the files NetPointResourceMap.conf and
3. Edit the file with the following values:
 OB_AdminUserCreds=password (change it as per your environment)
Note: this is the password of the administrative user the connector binds with (wlsadmin above), stored in cleartext, so keep the file readable only by the account WebLogic runs as.
4. Copy the file NetPointResourceMap.conf and to the WebLogic domain directory.
5. Copy wl92NetPointSecurityProviders.jar from sspi_conn/NetPointSecuProvForWeblogic/oblix/lib/mbeantypes/wl92NetPointSecurityProviders.jar to wlsserver_103/server/lib/mbeantypes.
6. Take a backup of the file (sh or cmd) and edit it with the values shown below.
Go to the end of the file and place this text after the export JAVA_OPTIONS line.
# SET WLSConnector Classpath and other paths
export OAMWLC="/u01/oracle/sspi/NetPointSecuProvForWeblogic"
export OAMWLCDIR="${OAMWLC}/oblix/lib"
export PATH="${PATH}:${OAMWLCDIR}"
export WLC_LIB_CLASSPATH="${OAMWLCDIR}/jobaccess.jar${CLASSPATHSEP}${OAMWLCDIR}/bcprov-jdk14-125.jar${CLASSPATHSEP}
Note: Be careful with the WLC_LIB_CLASSPATH value; it must not contain any spaces or line breaks (an editor that wraps long lines or inserts typographic quotes will break it).
7. Comment out the existing CLASSPATH line and replace it with a new one as shown below.
8. Restart the WebLogic server. You should now see the new jars in the classpath.
9. Take a backup of the file present in sspi_connector/NetPointSecuProvForWeblogic.
10. Edit the file with the values shown below.
Enter the hostname, domain name, WebLogic server port, username and password, and save it.
11. Go to sspi_connector/NetPointSecuProvForWeblogic and execute
Note: Though you are using weblogic server 10.3.0, you should execute file, don’t execute the file
12. This script creates the NetPointRealm with the necessary security providers.
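The note above about spaces and line breaks in WLC_LIB_CLASSPATH, and Error 2 in the troubleshooting post earlier on this page (NoClassDefFoundError for com/oblix/access/ObConfig, traced to bad jar paths or stray typographic quotes in setDomainEnv), both come down to one requirement: every entry in that classpath must be an existing file with no whitespace or non-ASCII characters in it. The script below is an added example, not from the original post or the connector, that builds the value from a jar list and verifies an existing one entry by entry. CLASSPATHSEP is read from the environment the way setDomainEnv sets it, defaulting to ':'; the jar files in the demo are empty stand-ins created in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post or the connector): build the
# WLC_LIB_CLASSPATH value for setDomainEnv.sh from a jar list, and verify an
# existing classpath string entry by entry.

build_wlc_classpath() {
  # $1 = directory holding the connector jars (OAMWLCDIR); remaining args = jar
  # file names. Prints the joined classpath, or prints nothing and returns 1 if
  # any jar is missing or any entry contains whitespace.
  dir="$1"; shift
  sep="${CLASSPATHSEP:-:}"   # setDomainEnv defines CLASSPATHSEP; ':' on Unix
  out=""; rc=0
  for jar in "$@"; do
    path="$dir/$jar"
    case "$path" in
      *[[:space:]]*) echo "whitespace in classpath entry: '$path'" >&2; rc=1; continue;;
    esac
    if [ ! -f "$path" ]; then
      echo "missing jar: $path" >&2; rc=1; continue
    fi
    out="${out}${out:+$sep}${path}"
  done
  [ "$rc" -eq 0 ] || return 1
  printf '%s\n' "$out"
}

verify_classpath() (
  # $1 = a classpath string after variable expansion, e.g. "$WLC_LIB_CLASSPATH".
  # Runs in a subshell so that switching IFS to the separator and disabling
  # globbing for the split do not leak into the caller.
  sep="${CLASSPATHSEP:-:}"
  rc=0
  set -f
  IFS="$sep"
  for entry in $1; do
    if printf '%s' "$entry" | LC_ALL=C grep -q '[^ -~]'; then
      echo "non-ASCII character (typographic quote?) in entry: '$entry'" >&2; rc=1
    fi
    case "$entry" in *[[:space:]]*) echo "whitespace in entry: '$entry'" >&2; rc=1;; esac
    [ -e "$entry" ] || { echo "not found: $entry" >&2; rc=1; }
  done
  exit "$rc"
)

# Stand-alone demo with two constructed (empty) jar files in a temporary directory
demo=$(mktemp -d)
: > "$demo/jobaccess.jar"; : > "$demo/bcprov-jdk14-125.jar"
if value=$(build_wlc_classpath "$demo" jobaccess.jar bcprov-jdk14-125.jar); then
  echo "export WLC_LIB_CLASSPATH=\"$value\""
  verify_classpath "$value" && echo "classpath verified"
fi
rm -rf "$demo"
```

After sourcing setDomainEnv.sh, `verify_classpath "$WLC_LIB_CLASSPATH"` tells you before the server starts whether the realm-creation script will be able to find the connector classes.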
Deploy Policy Domains:
1. Take a backup of the file present in sspi_conn/NetPointSecuProvForWeblogic/oblix/tools/npWLTools and edit it with the values given below.
ObPolicyDomain.Name=WebLogic Server Security Provider
ObWLSDomain.Dir=weblogic directory location 
ObWLAuthenticationScheme.Name=OAM WebLogic Server Basic Authentication
ObWLNoneAuthenticationScheme.Name=OAM WebLogic Anonymous Authentication
Note: these two values must match, character for character, the names of the authentication schemes you created in the Configure OAM for SSPI section; otherwise the deployer tool cannot attach the schemes to the policy domain.
2. Create a file under sspi_conn/NetPointSecuProvForWeblogic/oblix/tools/npWLTools with the following content:
export OAMWLC="sspi_conn/NetPointSecuProvForWeblogic"
export OAMWLCDIR="${OAMWLC}/oblix"
export PATH="${PATH}:${OAMWLCDIR}/lib"
/u01/jdk160_05/bin/java wlsadmin password
Note: This is for a Linux environment; on Windows, use the following instead.
set OAMWLC=D:/sspi_Connector/NetPointSecuProvForWeblogic
set CLASSPATH=%CLASSPATH%;%OAMWLCDIR%/lib/jobaccess.jar;%OAMWLCDIR%/tools/npWLTools;%OAMWLCDIR%/tools/npWLTools/npWLTools.jar
D:/bea/jdk160_05/bin/java wlsadmin password
3. Run the deployer tool and check the log for errors. This tool creates a policy domain with resources, authorization policies, etc.; verify it by logging in to the OAM Policy Manager console.
4. Now log in to the WebLogic console and inspect the new realm NetPointRealm. Check its users and groups, security providers, etc. Remember that it is not the default realm yet.
5. Go to the Providers tab, Certification Path, click WebLogicCertPathProvider and enable the "Set current builder" check box.
6. Make NetPointRealm the default realm in the console.
7. Stop the WebLogic server. Edit the file and change the username and password to wlsadmin and its password.
8. Start the WebLogic server. NetPointRealm should now be the default realm, and you should be able to log in to the WLS console as wlsadmin.
Deploy the WebLogic application: 
Deploy a sample WebLogic application to the server where NetPointRealm is the default realm. Go to the WebLogic policy domain in the OAM console, add the resource /sample/index.jsp and save it.
Configure Reverse Proxy:
1. In this case I have used OHS as the reverse proxy.
2. Create an OHS WebGate profile in the OAM console and install the OHS WebGate. I am not describing this further as it is pretty straightforward.
3. Edit the httpd.conf file of the OHS server, go to the end of the file and enter the following line:
ProxyPass /sample http://sspi_hostname:port/sample
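The httpd.conf line above and the console reverse-proxy post earlier on this page (ProxyPass and ProxyPassReverse for /access/oblix and /identity/oblix) follow the same pattern. The script below is an added example, not from either post, that appends such a pair and checks that no ProxyPass has been left without its ProxyPassReverse, the directive that rewrites the Location header of backend redirects so the client is not sent to the internal host name. The host names in the demo (oamhost.example.com, wls.example.com) are placeholders and the httpd.conf is a temporary file.

```shell
#!/bin/sh
# Added example (not from the original posts): append a ProxyPass /
# ProxyPassReverse pair to an httpd.conf and check that no ProxyPass was left
# without its ProxyPassReverse. Host names are placeholders.

add_proxy_pair() {
  # $1 = httpd.conf, $2 = URL prefix as seen by clients (e.g. /access/oblix),
  # $3 = scheme://host:port of the backend. The same prefix is used on both sides.
  conf="$1"; prefix="$2"; backend="$3"
  case "$prefix" in /*) ;; *) echo "prefix must start with /: $prefix" >&2; return 1;; esac
  case "$backend" in
    http://*|https://*) ;;
    *) echo "backend must be an absolute URL: $backend" >&2; return 1;;
  esac
  backend="${backend%/}"   # tolerate a trailing slash on the backend
  printf 'ProxyPass %s %s%s\nProxyPassReverse %s %s%s\n' \
    "$prefix" "$backend" "$prefix" "$prefix" "$backend" "$prefix" >> "$conf"
}

check_proxy_pairs() {
  # Returns 1 and names every ProxyPass prefix that has no ProxyPassReverse for
  # the same prefix. Without it, redirects issued by the backend (the OAM
  # consoles redirect after login) reach the client with the internal host name.
  conf="$1"; rc=0
  for p in $(awk '$1 == "ProxyPass" { print $2 }' "$conf"); do
    if ! awk -v p="$p" '$1 == "ProxyPassReverse" && $2 == p { found = 1 } END { exit found ? 0 : 1 }' "$conf"; then
      echo "ProxyPass $p has no ProxyPassReverse" >&2; rc=1
    fi
  done
  return "$rc"
}

# Stand-alone demo on a constructed temporary httpd.conf with placeholder hosts
demo=$(mktemp)
add_proxy_pair "$demo" /access/oblix http://oamhost.example.com:7777
add_proxy_pair "$demo" /identity/oblix http://oamhost.example.com:7777
add_proxy_pair "$demo" /sample http://wls.example.com:7001
cat "$demo"
check_proxy_pairs "$demo" && echo "every ProxyPass has its ProxyPassReverse"
rm -f "$demo"
```

Run check_proxy_pairs against the real httpd.conf after editing it; it only understands the plain `ProxyPass prefix url` form, not the quoted or `!` exclusion variants.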
Test the SSO:
1. Now access the application at http://reverseproxy_hostname:port/sample.
2. You will be challenged for credentials according to the authentication scheme configured for it.
3. If you then access any other OAM-protected resource whose authentication scheme level is the same as (or lower than) the one configured for /sample, you should reach it without re-authenticating.
Troubleshooting Tips:
Refer to the Oracle documentation.

Oracle SSPI Integration guide

Tuesday, February 23, 2010

Oracle Access Manager cache flush issue

I have come across an issue with Oracle Access Manager and IdentityXML that I thought worth sharing. The scenario: you modify a user attribute through IdentityXML and then access a resource whose authorization is based on that attribute's value, and the request fails with the error “Oracle Access Manager Operation Error”.
         This means that the attribute updated in the Identity System (with LDAP as the backend) through IdentityXML has not been communicated to the Access Server. When the resource is accessed, the authorization rule based on that attribute is evaluated against the cached, stale value and fails, hence the error. If an authorization failure URL has been specified, the user is taken to that URL instead. The same staleness works the other way round: an attribute change meant to take access away is not honoured until the Access Server cache is flushed or expires.
         The fix is to flush the Access Server whenever changes happen in the Identity System, i.e. to enable the automatic cache flush between the Identity and Access Systems.
This is done by changing the value of the doAccessServerFlush parameter from 'false' to 'true' in basedbparams.xml. This file is located in Identity_server_installation_directory/oblix/data/common.
         Also reduce the cache timeout values in the WebGate and AccessGate profiles (for instance from 1800 to 100 seconds); a restart of the Identity and Access Servers must follow.
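As an added example, not from the original post, the script below flips doAccessServerFlush in a basedbparams.xml, keeps a backup, and reads the value back before you restart the servers. The sample file is constructed here; its `<NameValPair ParamName="..." Value="..."/>` layout is an assumption, so compare it with your own copy before running the function against it.

```shell
#!/bin/sh
# Added example (not from the original post): switch doAccessServerFlush in an
# OAM Identity Server basedbparams.xml and confirm the result before restarting.
# The <NameValPair ParamName="..." Value="..."/> element layout is assumed.

get_access_server_flush() {
  # Prints the current Value of the doAccessServerFlush parameter, or returns 1
  # if the file does not carry it at all.
  val=$(sed -nE 's/.*ParamName="doAccessServerFlush"[^>]*Value="([^"]*)".*/\1/p' "$1")
  [ -n "$val" ] || return 1
  printf '%s\n' "$val"
}

set_access_server_flush() {
  # $1 = path to basedbparams.xml, $2 = true|false. Keeps a .bak copy, rewrites
  # only the doAccessServerFlush element and verifies the new value was written.
  file="$1"; want="$2"
  case "$want" in true|false) ;; *) echo "value must be true or false: $want" >&2; return 1;; esac
  get_access_server_flush "$file" >/dev/null || { echo "doAccessServerFlush not found in $file" >&2; return 1; }
  cp "$file" "$file.bak" || return 1
  sed -E "/ParamName=\"doAccessServerFlush\"/ s/Value=\"[^\"]*\"/Value=\"$want\"/" "$file.bak" > "$file" || return 1
  [ "$(get_access_server_flush "$file")" = "$want" ]
}

sample_basedbparams() {
  # Constructed stand-in for the real file (assumed layout), flush disabled.
  cat <<'EOF'
<?xml version="1.0" encoding="ISO-8859-1"?>
<ParamsCtlg xmlns="http://www.oblix.com" CtlgName="basedbparams">
  <ValNameList ListName="basedbparams">
    <NameValPair ParamName="doAccessServerFlush" Value="false"/>
    <NameValPair ParamName="someOtherParam" Value="1800"/>
  </ValNameList>
</ParamsCtlg>
EOF
}

# Stand-alone demo on the constructed sample
demo=$(mktemp)
sample_basedbparams > "$demo"
echo "before: $(get_access_server_flush "$demo")"
set_access_server_flush "$demo" true && echo "after:  $(get_access_server_flush "$demo")"
rm -f "$demo" "$demo.bak"
```

The change only takes effect after the Identity and Access Servers are restarted, so check the value once more after the restart rather than trusting the edit alone.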
Refer to the Oracle documentation for this.

Thursday, February 18, 2010

Protecting WebLogic Server application using Oracle Entitlement Server

This post talks about protecting a WebLogic Server application using Oracle Entitlements Server (OES), i.e. coarse-grained, page-level access based on user roles. Although OES is meant for fine-grained access, we will first discuss how a basic WebLogic application can be protected. If you later want authentication (ATN) through OAM and authorization (ATZ) through OES, you can build on this.

I will talk about installing a WebLogic SSM, configuring it and protecting a sample WebLogic application with it.

Install the WebLogic SSM: the WLS SSM is used only to protect WebLogic applications.
Run the installer and provide the following details.

  1. Select BEA Home (You can install SSM either in the same Admin home or in a different location)
  2. Select only OES SM For WLS [Notice OES SM Common is also selected ]
  3. Enter the SCM name if you want to associate the WL SSM to an SCM (optional) 
  4. Enter the administration url eg., https://admin_host_name:port/
  5. Select the JDK (select latest version available in WebLogic server installation)
After the installation has finished, click Finish.

Applying the patch: the latest SSM patch available is CP3.
Extract the patch file and copy the patches folder to $BEA_HOME/ales32-ssm.
Edit the file and provide the JDK and SSM directory locations.
Run the patch tool as shown below.
To check status: ./ status
To upgrade SSM to CP3

We will proceed to next step assuming the WebLogic domain is already created.

Configure the SSM: this step creates a WLS SSM instance.
Edit the file for the following parameters.
wls.domain.dir = weblogic_domain_directory = wlsapp (you will see )
db.password = abcd1234 (oes database user password used while running DBConfigTool)
ales.admin.password = abcd1234 (OES admin password) = weblogic (Weblogic domain username)
ssm.admin.password = abcd1234
arme.port = 8000
ales.organization.scope = wlsapp_org (since CP3, Application scope is replaced with Organizational scope )
ales.identity.dir =wlsapp_dir (identity directory where users for this application in OES are stored)
db.jdbc.url = jdbc:oracle:thin:@db_server:1521:db_sid
db.jdbc.driver = oracle.jdbc.driver.OracleDriver (uncomment this line) = adminconfig

Run the ConfigTool as shown below.
To check that everything works: ./ -check (advisable, since it reports any conflicts). The WebLogic server should be stopped before running this command.
To process: ./ -process
This creates the WLS SSM instance, the wlsapp organization in OES and the policies.

Open the OES EUI console and go to Resources. Traverse to the organization wlsapp->shared->server, create New AdminServer and map it as a resource. Distribute the policies. Policy distribution is crucial: skipping it will prevent the WebLogic server from starting (it throws "Authentication failed" during boot).

Start the WebLogic server.
Access the WLS console and see the new realm created and marked as the default realm. Check the providers, in particular the Database Authenticator, through which OES authenticates users against the database.

Troubleshooting WebLogic Server

This post presents troubleshooting tips for errors you may run across in WebLogic Server.

Error: Problem invoking WLST - java.lang.UnsupportedClassVersionError: Bad version number in .class file
Scenario: Trying to stop WebLogic Server
Solution: The JDK used when creating the domain is too old for the class files it is asked to load. Use the higher JDK version (present in the same WebLogic installation) and point to it during domain creation.

Note: I will be updating this post every now and then.

Monday, February 1, 2010

Troubleshooting tips for LDAP command line tools

This post talks about the problems and solutions that arise when the LDAP command-line tools are run in various scenarios.

Error:unable to locate message file: ldap.msb
Scenario: When you run any ldap tools like ldapmodify, ldapadd, ldapbind etc.,
Solution: Set the ORACLE_HOME env variable as shown below.
server@hostname homedir$ export ORACLE_HOME=/u01/orasoft/Oracle/Middleware/idm/Oracle_IDM1
server@hostname homedir$  echo $ORACLE_HOME

Now run the LDAP commands as shown below. Note that passing the password with -w leaves it in your shell history and in the process list visible to other users on the host; prefer having the tool prompt for it.
server@hostname homedir$ /u01/orasoft/Oracle/Middleware/idm/Oracle_IDM1/bin/ldapbind -h hostname -p 389 -D cn=orcladmin -w password
bind successful