Oracle Access Manager (OAM) 11.1.2.2.0 and Oracle Unified Directory (OUD) 11.1.2.2.0 and WebLogic 10.3.6 Integration
OAM and WebLogic installed on svrtst02
OUD and WebLogic installed on svrtst03
Assumptions: a WebLogic 10.3.6 domain has been created on both svrtst02 and svrtst03 and extended for OAM.
It is a good idea to back up the configuration or server home before proceeding.
Install OUD on svrtst03 in $MW_HOME.
So, svrtst02 has the following installed:
oracle_common
Oracle_IDM1
Oracle_OAMWebGate1
Oracle_WT1
coherence_3.7
user_projects
wlserver_10.3
And, svrtst03 has the following installed:
oracle_common
Oracle_OUD1
Oracle_WT
user_projects
wlserver_10.3
Run oud-setup on svrtst03 either in GUI mode or from the CLI. The end result is that the following command is executed to create an LDAP directory store:
./oud-setup \
--cli \
--baseDN dc=acme,dc=com \
--addBaseEntry \
--ldapPort 1389 \
--adminConnectorPort 4444 \
--rootUserDN cn=Directory\ Manager \
--rootUserPasswordFile ****** \
--doNotStart \
--ldapsPort 1636 \
--useJavaKeystore /certs/svrtst03.isedlab.org.jks \
--keyStorePasswordFile ****** \
--certNickname svrtst03.isedlab.org\ u.s.\ government\ id \
--serverTuning autotune \
--importTuning autotune \
--no-prompt \
--noPropertiesFile
The LDAP directory instance is created in $MW_HOME/asinst_1/OUD.
export OUD_HOME=$MW_HOME/asinst_1/OUD
Start the instance as follows:
cd $OUD_HOME/bin
./start-ds
As set above, the LDAP port is 1389, the LDAPS port is 1636 and the administration connector port is 4444.
The instance can be managed from here:
http://svrtst03:7001/odsm
Create a scripts directory, $OUD_HOME/scripts, to hold the LDIF files used below.
A quick check from the CLI to make sure that everything is up and running:
cd $OUD_HOME/bin
./ldapsearch -h localhost -p 1389 -D "cn=directory manager" -w passw0rd -b "dc=acme,dc=com" "(objectclass=*)"
dn: dc=acme,dc=com
dc: acme
objectClass: domain
objectClass: top
Configuring OUD for OAM
The following links are useful:
http://docs.oracle.com/cd/E27559_01/install.1112/e27301/preconfigoud.htm
http://uberether.com/2012/configuring-oracle-unified-directory-as-an-identity-store-for-access-manager-11gr2-11-1-2/
From the Oracle documentation:
"Before you can use your LDAP directory as an Identity store, you must preconfigure it. The procedure in this section enables you to preconfigure Oracle Unified Directory (OUD) for using Oracle Unified Directory (OUD) as your LDAP Identity store."
Create the following file in $MW_HOME/asinst_1/OUD/scripts:
OUDContainers.ldif
dn: cn=oracleAccounts,dc=acme,dc=com
cn: oracleAccounts
objectClass: top
objectClass: orclContainer

dn: cn=Users,cn=oracleAccounts,dc=acme,dc=com
cn: Users
objectClass: top
objectClass: orclContainer

dn: cn=Groups,cn=oracleAccounts,dc=acme,dc=com
cn: Groups
objectClass: top
objectClass: orclContainer

dn: cn=Reserve,cn=oracleAccounts,dc=acme,dc=com
cn: Reserve
objectClass: top
objectClass: orclContainer
Next, import the LDIF into the OUD server (import-ldif runs offline, so the server is stopped first):
cd $OUD_HOME/bin
./stop-ds
./import-ldif --backendID userRoot --append --ldifFile $OUD_HOME/scripts/OUDContainers.ldif
./start-ds
Now that OUD is installed, configure the OIM proxy user and the ACIs it needs to communicate with OUD: create the OIM admin user, the OIM admin group and the ACIs.
vi $OUD_HOME/scripts/oudadmin.ldif
dn: cn=systemids,dc=acme,dc=com
changetype: add
objectclass: orclContainer
objectclass: top
cn: systemids

dn: cn=oimAdminUser,cn=systemids,dc=acme,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: oimAdminUser
givenname: oimAdminUser
sn: oimAdminUser
cn: oimAdminUser
uid: oimAdminUser
userPassword: passw0rd

dn: cn=oimAdminGroup,cn=systemids,dc=acme,dc=com
changetype: add
objectclass: groupOfUniqueNames
objectclass: top
cn: oimAdminGroup
description: OIM administrator role
uniquemember: cn=oimAdminUser,cn=systemids,dc=acme,dc=com

dn: cn=oracleAccounts,dc=acme,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=oracleAccounts,dc=acme,dc=com")(targetattr = "*")(version 3.0; acl "Allow OIMAdminGroup add, read and write access to all attributes"; allow (add, read, search, compare,write, delete, import,export) (groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=acme,dc=com");)

dn: cn=oimAdminUser,cn=systemids,dc=acme,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset
Run the following command to load the above LDIF file:
./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
--bindPassword passw0rd --defaultAdd --filename $OUD_HOME/scripts/oudadmin.ldif
Create a weblogic account:
vi $OUD_HOME/scripts/weblogic.ldif
dn: cn=weblogic,cn=systemids,dc=acme,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
mail: weblogic
givenname: weblogic
sn: weblogic
cn: weblogic
uid: weblogic
userPassword: passw0rd
And add it to the directory:
./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
--bindPassword passw0rd --defaultAdd --filename $OUD_HOME/scripts/weblogic.ldif
Add the weblogic account to the oimAdminGroup:
vi $OUD_HOME/scripts/weblogicGroup.ldif
dn: cn=oimAdminGroup,cn=systemids,dc=acme,dc=com
changetype: modify
add: uniquemember
uniquemember: cn=weblogic,cn=systemids,dc=acme,dc=com
And apply it to the directory:
./ldapmodify --hostname localhost --port 1389 --bindDN "cn=Directory Manager" \
--bindPassword passw0rd --defaultAdd --filename ../scripts/weblogicGroup.ldif
Add the global-aci to the changelog node in OUD (I think this is only necessary if you set up replication. See the documentation listed above for more information).
cd $OUD_HOME/bin
./dsconfig ->
2. Authentication and Authorization ->
2. Access Control Handler ->
1. View and edit the Access Control Handler ->
2. global-aci ->
2. Add one or more values ->
(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; allow(read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=acme,dc=com";)
Then delete this existing value:
(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; deny (all) userdn="ldap:///anyone";)
Press q to quit dsconfig.
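The two changelog ACIs above and the oracleAccounts ACI in oudadmin.ldif share one syntax. As an added example (not from this post or from Oracle), here is a small Python parser that pulls the target, rights and bind rule out of each ACI and audits a set of them for rights granted to ldap:///anyone and for a deny-to-anyone rule sitting on the same target as a group allow; a deny wins over an allow, which is why the deny entry is deleted above. The regex is an assumption: it covers the single-bind-rule form used here, not the full OUD ACI grammar.

```python
import re
from collections import namedtuple

# Matches the single-bind-rule ACI form used in this guide (assumption: not the full OUD ACI grammar).
ACI_RE = re.compile(
    r'\(\s*target\s*=\s*"(?P<target>[^"]*)"\s*\)'
    r'\s*\(\s*targetattr\s*=\s*"(?P<targetattr>[^"]*)"\s*\)'
    r'\s*\(\s*version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\(\s*(?P<rights>[^)]*)\)\s*'
    r'\(?\s*(?P<bindtype>groupdn|userdn)\s*=\s*"(?P<subject>[^"]*)"\s*\)?\s*;\s*\)',
    re.IGNORECASE)

# effect is "allow"/"deny"; bindtype is "groupdn"/"userdn"; subject is the ldap:/// URL it names
Aci = namedtuple("Aci", "target targetattr name effect rights bindtype subject")

def parse_aci(text):
    """Parse one ACI string; whitespace (including LDIF line folds) is collapsed first."""
    m = ACI_RE.fullmatch(" ".join(text.split()))
    if not m:
        raise ValueError("unrecognised ACI: " + text)
    rights = [r.strip().lower() for r in m.group("rights").split(",") if r.strip()]
    return Aci(m.group("target"), m.group("targetattr"), m.group("name"),
               m.group("effect").lower(), rights, m.group("bindtype").lower(), m.group("subject"))

def audit(aci_strings):
    """Flag rights granted to anyone, and deny-to-anyone rules that sit on the same target as an
    allow: a deny wins over an allow, which is why the guide deletes the changelog deny above."""
    acis = [parse_aci(s) for s in aci_strings]
    findings = []
    for a in acis:
        if a.effect == "allow" and a.subject.lower() == "ldap:///anyone":
            findings.append("anonymous grant on %s: %s" % (a.target, ",".join(a.rights)))
        if a.effect == "deny" and a.subject.lower() == "ldap:///anyone":
            for al in acis:
                if al.effect == "allow" and al.target == a.target:
                    findings.append('deny "%s" shadows allow "%s" on %s' % (a.name, al.name, a.target))
    return findings

# The three ACIs from this guide, as they appear above (the LDIF one joined onto one line).
CHANGELOG_ALLOW = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; '
                   'allow(read,search,compare,add,write,delete,export) groupdn="ldap:///cn=oimAdminGroup,cn=systemids,dc=acme,dc=com";)')
CHANGELOG_DENY = ('(target="ldap:///cn=changelog")(targetattr="*")(version 3.0; acl "External changelog access"; '
                  'deny (all) userdn="ldap:///anyone";)')
ACCOUNTS_ALLOW = ('(target = "ldap:///cn=oracleAccounts,dc=acme,dc=com")(targetattr = "*")(version 3.0; '
                  'acl "Allow OIMAdminGroup add, read and write access to all attributes"; '
                  'allow (add, read, search, compare,write, delete, import,export) '
                  '(groupdn = "ldap:///cn=oimAdminGroup,cn=systemids,dc=acme,dc=com");)')
```

Running audit([CHANGELOG_ALLOW, CHANGELOG_DENY]) reports the deny shadowing the group allow; after the deny is removed as described above, audit([CHANGELOG_ALLOW, ACCOUNTS_ALLOW]) returns no findings.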
Start OAM and, in the OAM console, go to:
Configuration -> User Identity Stores
From OAM ID Stores, click Create
Store Name: OUD
Store Type: OUD: Oracle Unified Directory
Location: 10.10.107.49:1389
Login ID Attribute: uid
User Password Attribute: userPassword
User Search Base: dc=acme,dc=com
User Filter Object Class: inetOrgPerson
Group Search Base: dc=acme,dc=com
Test the connection and, if successful, click Apply.
Change the Default Store to OUD and click Apply.
Change the System Store to OUD and click the green plus sign to add users.
Click Search and add the selected users, then click Apply.
Click Validate. This can produce the error "Group oimAdminGroup is already a member", which can be ignored.
Now configure the IDMDomainAgent to use the new OUD store:
Launch Pad -> Access Manager -> Authentication Modules
Click Search, then select LDAP. Change User Identity Store to OUD and click Apply.
Sign out and then sign back in. The new credential store is in use now.
One way to confirm is to check the OUD access logs on svrtst03.
cd $OUD_HOME/logs
Run tail -f access and log on to Oracle Access Manager. Typical output from the access log is shown below:
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11517 op=23 msgID=24 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(uid=weblogic))" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11517 op=23 msgID=24 result=0 nentries=1 etime=3
[06/May/2014:10:33:56 -0400] BIND REQ conn=11526 op=3 msgID=4 type=SIMPLE dn="cn=weblogic,cn=systemids,dc=acme,dc=com"
[06/May/2014:10:33:56 -0400] BIND RES conn=11526 op=3 msgID=4 result=0 authDN="cn=weblogic,cn=systemids,dc=acme,dc=com" etime=2
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11517 op=24 msgID=25 base="cn=weblogic,cn=systemids,dc=acme,dc=com" scope=base filter="(objectclass=inetOrgPerson)" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11517 op=24 msgID=25 result=0 nentries=1 etime=2
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11529 op=35 msgID=36 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(uid=weblogic))" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11529 op=35 msgID=36 result=0 nentries=1 etime=3
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11529 op=36 msgID=37 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=groupofuniquenames)(uniquemember=cn=weblogic,cn=systemids,dc=acme,dc=com))" attrs="orgunit,mail,cn,description,name,orclguid,rolecategory,org,objectclass,displayname"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11529 op=36 msgID=37 result=0 nentries=1 etime=2
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11529 op=37 msgID=38 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=groupofuniquenames)(uniquemember=cn=oimAdminGroup,cn=systemids,dc=acme,dc=com))" attrs="orgunit,mail,cn,description,name,orclguid,rolecategory,org,objectclass,displayname"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11529 op=37 msgID=38 result=0 nentries=0 etime=1
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11529 op=38 msgID=39 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(uid=weblogic))" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11529 op=38 msgID=39 result=0 nentries=1 etime=3
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11529 op=39 msgID=40 base="cn=weblogic,cn=systemids,dc=acme,dc=com" scope=base filter="(objectclass=inetOrgPerson)" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11529 op=39 msgID=40 result=0 nentries=1 etime=1
[06/May/2014:10:33:57 -0400] SEARCH REQ conn=11529 op=40 msgID=41 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(uid=weblogic))" attrs="uid,wirelessacctnumber,postalcode,manager,street,orclguid,obresponsetries,dateofbirth,uniquename,defaultgroup,telephonenumber,obresponsetimeout,orgunit,timezone,employeenumber,obYetToBeAnsweredChallenge,initials,activestartdate,description,maidenname,localityname,gender,objectclass,sn,oblastloginattemptdate,fax,middlename,homeaddress,country,obpasswordhistory,cn,oblastsuccessfullogin,oblastfailedlogin,preferredlanguage,pobox,mobile,hiredate,uiaccessmode,oblastresponseattemptdate,department,state,givenname,lastname,org,employeetype,title,obfirstlogin,name,obpasswordcreationdate,homephone,pager,mail,activeenddate,oblockouttime,obAnsweredChallenges,loginid,firstname,obpasswordexpmail,obpasswordchangeflag,postaladdress,obuseraccountcontrol,telephone,displayname,oblogintrycount"
[06/May/2014:10:33:57 -0400] SEARCH RES conn=11529 op=40 msgID=41 result=0 nentries=1 etime=3
[06/May/2014:10:33:57 -0400] SEARCH REQ conn=11529 op=41 msgID=42 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=groupofuniquenames)(uniquemember=cn=weblogic,cn=systemids,dc=acme,dc=com))" attrs="orgunit,mail,cn,description,name,orclguid,rolecategory,org,objectclass,displayname"
[06/May/2014:10:33:57 -0400] SEARCH RES conn=11529 op=41 msgID=42 result=0 nentries=1 etime=1
[06/May/2014:10:33:57 -0400] SEARCH REQ conn=11529 op=42 msgID=43 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=groupofuniquenames)(uniquemember=cn=oimAdminGroup,cn=systemids,dc=acme,dc=com))" attrs="orgunit,mail,cn,description,name,orclguid,rolecategory,org,objectclass,displayname"
[06/May/2014:10:33:57 -0400] SEARCH RES conn=11529 op=42 msgID=43 result=0 nentries=0 etime=2
[06/May/2014:10:34:02 -0400] CONNECT conn=11544 from=10.10.107.89:44839 to=10.10.107.49:1389 protocol=LDAP
[06/May/2014:10:34:02 -0400] DISCONNECT conn=11544 reason="Client Disconnect"
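The access log is the cleanest place to watch OAM's LDAP traffic, so as an added example (not from this post) here is a Python parser for the log format above that pairs each REQ with its RES by connection and operation number, summarises successful versus failed simple binds per DN, and lists the (uid=...) lookups OAM issues for a login id. The sample lines are constructed in the same format and include a failed bind with result=49 (LDAP invalidCredentials), which does not appear in the capture above.

```python
import re

# Constructed sample in the access-log format shown above (not a real capture): one OAM lookup,
# one successful bind and one failed bind (result=49 is LDAP invalidCredentials).
SAMPLE_LOG = """\
[06/May/2014:10:33:56 -0400] SEARCH REQ conn=11517 op=23 msgID=24 base="dc=acme,dc=com" scope=sub filter="(&(objectclass=inetOrgPerson)(uid=weblogic))" attrs="uid,cn"
[06/May/2014:10:33:56 -0400] SEARCH RES conn=11517 op=23 msgID=24 result=0 nentries=1 etime=3
[06/May/2014:10:33:56 -0400] BIND REQ conn=11526 op=3 msgID=4 type=SIMPLE dn="cn=weblogic,cn=systemids,dc=acme,dc=com"
[06/May/2014:10:33:56 -0400] BIND RES conn=11526 op=3 msgID=4 result=0 authDN="cn=weblogic,cn=systemids,dc=acme,dc=com" etime=2
[06/May/2014:10:34:02 -0400] CONNECT conn=11544 from=10.10.107.89:44839 to=10.10.107.49:1389 protocol=LDAP
[06/May/2014:10:35:10 -0400] BIND REQ conn=11530 op=1 msgID=2 type=SIMPLE dn="cn=weblogic,cn=systemids,dc=acme,dc=com"
[06/May/2014:10:35:10 -0400] BIND RES conn=11530 op=1 msgID=2 result=49 etime=1
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+(?P<optype>[A-Z]+)\s+(?P<kind>REQ|RES)\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value; quoted values may contain spaces and '='

def parse_line(line):
    """Parse one REQ/RES line into a dict; CONNECT/DISCONNECT and other lines return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"ts": m.group("ts"), "optype": m.group("optype"), "kind": m.group("kind"), **fields}

def correlate(text):
    """Pair each REQ with its RES by (conn, op) so request and result form one record."""
    pending, ops = {}, []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["kind"] == "REQ":
            pending[key] = rec
        else:
            ops.append({**pending.pop(key, {}), **rec})  # RES fields overlay the REQ fields
    return ops

def bind_summary(ops):
    """Successful vs failed simple binds per DN; a burst of failures is the signal to alert on."""
    summary = {}
    for o in ops:
        if o["optype"] == "BIND":
            counts = summary.setdefault(o.get("dn", "?"), {"ok": 0, "failed": 0})
            counts["ok" if o.get("result") == "0" else "failed"] += 1
    return summary

def lookups_for_uid(ops, uid):
    """The subtree searches OAM issues to resolve a login id, i.e. the (uid=...) filter seen above."""
    return [o for o in ops if o["optype"] == "SEARCH" and "(uid=%s)" % uid in o.get("filter", "")]
```

Feed the real file with correlate(open(path).read()) and the same functions work on the full attribute lists in the capture above, since the quoted values are consumed whole.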
WebLogic Integration
On svrtst02, log in to the WebLogic console.
Security Realms -> myrealm -> Providers
From Authentication Providers, click New
Enter a name (OUD_LDAP is used here), select LDAP Authenticator for the Type and click OK.
From Authentication Providers, click on OUD_LDAP.
Under the Common tab, change Control Flag to SUFFICIENT.
Click on the Provider Specific tab and enter the relevant information for the new provider.
Click Save to complete.
Very nice blog, explained clearly. Thanks.
Thank you Ashutosh. You saved my day.