2010 Wls Adsso

Post on 26-Dec-2015


Transcript of 2010 Wls Adsso

SAGE Computing Services – Consulting and customised training workshops

Active Directory Integration

AD, WLS & ADF in Harmony (a case study)

Ray Tindall, Senior Systems Consultant

www.sagecomputing.com.au

Things have changed since 2006

Active Directory Integration, then and now:

  “OID & AD in Harmony?” (SSO Portal)        WLS
  Synchronisation of OID & AD                AD LDAP Provider
  SSO Delegated Authentication               ADF Security
  Windows Native Authentication with SSO     Kerberos with WLS
  Forms

Agenda Overview

Who, What & Why – The Primary Goal
Resources & References – IBM (IBM???)
The Plan & The Path – Implementation: How we did it – How you can do it
Testing – Troubleshooting & Hints
Wrap up – Where are we now

Who, What & Why

Who?

What? The System:
  Weblogic Server 10.3.2, ADF 11.1.1.2, Active Directory on Windows Server 2003 (now 2008 R2)
  Windows workstations with IE 7

Why? The Wishlist:
  Seamless & transparent authentication (login) against AD
  Authorisation against AD (Groups)
  Forms to ADF interoperability
  Scope to expand

The Primary Goal

Resources & References

Administering the SPNEGO TAI: Tips on using Kerberos service principal names, by Martin Lansche, IBM
Configuring Kerberos with Weblogic Server, by Faisal Khan, SecureZone
Troubleshooting Kerberos issues with Weblogic server, by Faisal Khan, SecureZone
Configuring WLS With MS Active Directory, by Chris Muir, SAGE Computing
Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing
Oracle® Fusion Middleware Securing Oracle WebLogic Server, 11g Release 1 (10.3.1), 6 Configuring Single Sign-On with Microsoft Clients

Slide callout: This “is” 10.3.2!

The Plan & The Path

Proof of Concept – DEV: New system on new infrastructure
Target Apps – DEV: WLS on VM – Snapshots
Risks: Production AD only! Load Balancing – PROD only

How to Get There

Implementation Key Concepts:
  AD LDAP Provider
  Kerberos with WLS
  ADF Security

Implementation Task Overview:
  Network & AD preparation
  WLS AD Authentication
  WLS Host Kerberos configuration
  WLS Kerberos configuration
  Clients (Browser/s) configuration
  Apps (ADF Application) configuration
  Test (with your favourite beverage at hand)
  Troubleshoot (with your favourite beverage at hand)

Environment Specifics

KDC server: OURKDC(.dtf.wa.gov.au) – Windows domain controller serving as Key Distribution Centre. Most doco (inc Official) implies to use IP but use DNS instead!

Default AD domain: dtf.wa.gov.au

Kerberos Realm: DTF.WA.GOV.AU – Uppercase of Domain

WLS AD account: wlskerberosadacc / obscurepwd – “User” AD account used for WLS Host & to map Service Principal. Official doco says just use simple machine name. NO! – Bad idea; make it different and make it descriptive.

WLS Virtual Host DNS: ourvirtualwls(.dtf.wa.gov.au) – URL you will use to access your Web Applications. Also serves as the basis of the Service Principal. Official doco doesn't even mention Virtual Host as consideration. BUT! – Critical for same Domain Windows WLS host* & good idea in other cases anyway.

*The machine name URL will already exist in a Windows Domain, being HOST\machine.dtf.wa.gov.au, as a Service Principal against the Machine Computer account in AD. At runtime Kerberos will derive the basis of the Service Principal from the browser URL. AD will find and default to the HOST\ Service Principal and try to use the “computer” account instead of finding our HTTP\ Service Principal and using our WLS “user” AD account. The credentials in your Keytab will not match the ticket returned by AD.

Bottom line: ignoring the protocol HTTP\, the URL of the Service Principal that will be used to access your Web Applications should exist in AD only once!

Network & AD preparation

Implementation Steps:

1. Create Virtual Host DNS
2. Create WLS Service AD “user” account – Not computer!
3. Map SPN (Service Principal) with setspn & generate Keytab with ktab (Linux – use ktpass instead)

Slide callouts: Not strictly needed with JDK 1.5+; Must be your user service account. Get it right. Not validated!

WLS AD Authentication

Implementation Steps:

4. Create WLS AD Authentication Provider – WLS LDAPAuthenticator
5. Test Authentication Provider

See: Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing

Slide callouts: Remove! / Remove?

WLS Host Kerberos configuration

Implementation Steps:

6. Create krb5.ini
7. Copy Keytab to WLS (for Linux ftp – note this is a binary file)
8. Test Host Kerberos with kinit – Go no further if this no worky!

Slide callouts: Not strictly needed with JDK 1.5+; Case sensitive

WLS Kerberos configuration

Implementation Steps:

9. Create krb5Login.conf
10. Add WLS Kerberos startup parameters – startWebLogic.cmd
11. Create Identity Assertion Provider – WLS NegotiateIdentityAsserter
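As an added example (not from the slides), this Python check reads a krb5.ini and a krb5Login.conf and flags the naming traps the deck warns about before WLS is even started: a realm that is not the upper-cased domain, a KDC given as an IP instead of a DNS name, a principal that is not HTTP/<virtual host>@REALM or that uses the machine host name, and a keytab path that is not absolute. The file contents, the machine name wlsbox and the keytab path are constructed; the JGSS login entry name is the JDK default.

```python
import re

# Constructed sample krb5.ini (realm and KDC names as in the deck)
KRB5_INI = """\
[libdefaults]
default_realm = DTF.WA.GOV.AU
[realms]
DTF.WA.GOV.AU = {
  kdc = ourkdc.dtf.wa.gov.au
}
"""

# Constructed sample krb5Login.conf; keytab path is a placeholder
KRB5_LOGIN = """\
com.sun.security.jgss.krb5.accept {
  com.sun.security.auth.module.Krb5LoginModule required
  principal="HTTP/ourvirtualwls.dtf.wa.gov.au@DTF.WA.GOV.AU"
  useKeyTab=true keyTab="C:/krb5/wlskerberosadacc.keytab" storeKey=true;
};
"""

def _ini_value(text, key):
    """First 'key = value' line in an ini-style file, or None."""
    m = re.search(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), text, re.M)
    return m.group(1) if m else None

def check_config(krb5_ini, login_conf, domain, virtual_host, machine_host):
    """Return a list of problem codes; an empty list means the two files
    follow the realm, KDC, principal and keytab rules from the deck."""
    problems = []
    realm = _ini_value(krb5_ini, "default_realm")
    if realm != domain.upper():                      # realm is case sensitive
        problems.append("realm-not-uppercase-domain")
    kdc = _ini_value(krb5_ini, "kdc")
    if kdc is None or re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", kdc):
        problems.append("kdc-missing-or-ip")          # use DNS, not IP
    m = re.search(r'principal\s*=\s*"([^"]+)"', login_conf)
    service, _, rest = (m.group(1) if m else "").partition("/")
    host, _, princ_realm = rest.partition("@")
    if service != "HTTP":
        problems.append("principal-not-HTTP")
    if host.lower() == machine_host.lower():         # collides with HOST/ SPN
        problems.append("principal-uses-machine-host")
    elif host.lower() != virtual_host.lower():
        problems.append("principal-host-not-virtual-host")
    if princ_realm != realm:
        problems.append("principal-realm-mismatch")
    kt = re.search(r'keyTab\s*=\s*"([^"]+)"', login_conf)
    if not kt or not re.match(r"^(/|[A-Za-z]:[\\/])", kt.group(1)):
        problems.append("keytab-path-not-absolute")  # absolute paths avoid "not found"
    return problems
```

Run it as `check_config(KRB5_INI, KRB5_LOGIN, "dtf.wa.gov.au", "ourvirtualwls.dtf.wa.gov.au", "wlsbox.dtf.wa.gov.au")`; an empty list means the files are consistent.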

Client (Browser/s) configuration

Implementation Steps:

12. Configure Windows Native Authentication – Auto logon for Intranet (IE, Firefox)

Apps (ADF Application) configuration

Implementation Steps:

13. Configure ADF Application Security
    Run – Configure ADF Security Wizard
    Enterprise Roles (AD) – Application Roles (ADF)
    Web.xml <login-config> <auth-method>CLIENT-CERT

13 steps; hmmm; is this a sign?

Testing

LDAP Provider
Kinit (with keytab)
Bringing it all together – ADF Application – Transparent login

Slide callout: Wha…? I followed the Instructions!

Troubleshooting

When things just don’t go your way!

WLS Security debug – WLS log level – standard out
Utilities checks (with verbose debug) – Check AD user account inc SPN mapping
Config files – krb5.ini, krb5Login.conf, config.xml
AD LDAP Provider – base DNs, filters, search scopes
Wireshark... – in extreme cases

Slide callouts (in the order shown):
  + standard out log level >= notice
  Due to CLIENT-CERT,FORM
  Best to have 1 only
  Don’t be fooled. Normal!
  Success
  Server Admin Pack
  Softerra LDAP Browser
  Case sensitivity
  Syntax
  Linux? Has this changed?
  No krb5. prior to JDK 6.0 – Include prior options
  Debug = java kinit
  Success
  Checksum failed! ?

Traps

Naming & Case sensitivity – Don’t name AD account same as WLS Host; Mind case sensitivity & syntax (especially krb5.ini)
Must be only “one” SPN URL in AD – ldifde to check for duplicates; setspn -D to remove bad or duplicate SPNs
Kerberos / WLS can’t find config files (krb5.ini, keytab, krb5Login.conf) – Know & use default locations for them; Try absolute paths where referenced in dependent config; Try WLS/Host reboot
Order of WLS Providers – Asserter followed by LDAP Provider then defaults
Use Virtual URL – not host URL
Configure 2nd DNS – not DNS alias
Clear Browser cache/s
Clock Skew – AD, WLS, Client within 2 mins
Does host need WA Daylight Saving patch?

Note: Does not require WLS VH definition
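As an added example (not part of the slides), this Python script applies the "only one SPN URL in AD" rule from the Environment Specifics and Traps sections to an ldifde export of servicePrincipalName values: it reports any host name registered on more than one AD object, whether HTTP/ on two accounts or HOST/ on the computer account and HTTP/ on the WLS user account (the collision that makes the keytab not match the ticket). The LDIF text, the computer name WLSBOX and the account oldsvc are constructed sample data.

```python
from collections import defaultdict

# Constructed ldifde-style export, as produced by e.g.
#   ldifde -f spn.ldf -r "(servicePrincipalName=*)" -l servicePrincipalName
# WLSBOX (the WLS machine's computer account) and oldsvc are sample objects.
SAMPLE_LDIF = """\
dn: CN=WLSBOX,OU=Servers,DC=dtf,DC=wa,DC=gov,DC=au
changetype: add
servicePrincipalName: HOST/wlsbox.dtf.wa.gov.au
servicePrincipalName: HOST/WLSBOX

dn: CN=wlskerberosadacc,OU=Service Accounts,DC=dtf,DC=wa,DC=gov,DC=au
changetype: add
servicePrincipalName: HTTP/ourvirtualwls.dtf.wa.gov.au
servicePrincipalName: HTTP/wlsbox.dtf.wa.gov.au

dn: CN=oldsvc,OU=Service Accounts,DC=dtf,DC=wa,DC=gov,DC=au
changetype: add
servicePrincipalName: HTTP/ourvirtualwls.dtf.wa.gov.au
"""

def parse_spns(ldif):
    """Return {dn: [spn, ...]} from LDIF text (records separated by blank lines)."""
    result, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            result[dn] = []
        elif line.startswith("servicePrincipalName: ") and dn is not None:
            result[dn].append(line.split(": ", 1)[1].strip())
    return result

def find_conflicts(ldif):
    """Key every SPN by its host part (service class such as HOST/ or HTTP/
    stripped, lower-cased) and return the hosts registered on more than one
    AD object, with the (dn, spn) pairs involved."""
    owners = defaultdict(set)
    for dn, spns in parse_spns(ldif).items():
        for spn in spns:
            host = spn.split("/", 1)[-1].lower()
            owners[host].add((dn, spn))
    return {host: sorted(pairs) for host, pairs in owners.items()
            if len({dn for dn, _ in pairs}) > 1}

if __name__ == "__main__":
    for host, pairs in find_conflicts(SAMPLE_LDIF).items():
        print(host)
        for dn, spn in pairs:
            print("   ", spn, "on", dn)
```

Each reported host is a candidate for `setspn -D` clean-up, as the Traps slide advises.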

Hints & Tips

WLS / Host reboots at critical points
Check full range of options for utilities (kinit ktab klist) – java core of these for verbose debug output
Use CLIENT-CERT only in ADF Security for troubleshooting – CLIENT-CERT,FORM may not produce debug message output
Use client local hosts in lieu of no DNS – Also useful to test specific node in Load Balanced scenario
Load Balanced / Proxy scenario – same keytab / setup on each node; DNS/Virtual URL (for SPN) is the URL the LBR/Proxy routes
Performance hits – Mind recursive & deep Group searching; Check & turn off all DEBUG once happy
Multiple technologies – look outside the Oracle box
Linux – ktpass changes AD account: Name changes to HTTP/former_name; Mind this for kinit & krb5Login.conf setup

Job Done! “Celebrate”

Current Status

Friends? No Problem!

Proof of Concept – DEV
TEST
UAT
PROD – Go Live – coming weekend

Thank you!

Questions?

Presentations are available from our website: www.sagecomputing.com.au
ray@sagecomputing.com.au

Peace & Harmony