
Page 1: 2010 Wls Adsso

SAGE Computing Services
Consulting and customised training workshops

Active Directory Integration
AD, WLS & ADF in Harmony (a case study)

Ray Tindall, Senior Systems Consultant

www.sagecomputing.com.au

Page 2: 2010 Wls Adsso

Things have changed since 2006

Active Directory Integration
“OID & AD in Harmony?”
WLS
SSO
Portal

Page 3: 2010 Wls Adsso

Things have changed since 2006

Synchronisation of OID & AD
AD LDAP Provider

SSO Delegated Authentication
ADF Security

Windows Native Authentication with SSO

Kerberos with WLS

Forms

Page 4: 2010 Wls Adsso

Agenda Overview

Who, What & Why
The primary Goal
Resources & References (IBM???)
The Plan & The Path
Implementation – How we did it, how you can do it
Testing
Troubleshooting & Hints
Wrap up – Where are we now

Page 5: 2010 Wls Adsso

Who, What & Why

Who?

What? The System:
Weblogic Server 10.3.2, ADF 11.1.1.2, Active Directory on Windows Server 2003 (now 2008 R2), Windows workstations with IE 7

Why? The Wishlist:
Seamless & transparent authentication (login) against AD
Authorisation against AD (Groups)
Forms to ADF interoperability
Scope to expand

Page 6: 2010 Wls Adsso

The Primary Goal


Page 7: 2010 Wls Adsso

Resources & References

Administering the SPNEGO TAI: Tips on using Kerberos service principal names, by Martin Lansche, IBM
Configuring Kerberos with Weblogic Server, by Faisal Khan, SecureZone
Troubleshooting Kerberos issues with Weblogic server, by Faisal Khan, SecureZone
Configuring WLS With MS Active Directory, by Chris Muir, SAGE Computing
Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing
Oracle® Fusion Middleware Securing Oracle WebLogic Server, 11g Release 1 (10.3.1), 6 Configuring Single Sign-On with Microsoft Clients (this “is” 10.3.2!)

Page 8: 2010 Wls Adsso

The Plan & The Path

Proof of Concept – DEV: New system on new infrastructure
Target Apps – DEV: WLS on VM – Snapshots
Risks: Production AD only! Load Balancing – PROD only

Page 9: 2010 Wls Adsso

How to Get There

Implementation Key Concepts:
AD LDAP Provider
Kerberos with WLS
ADF Security

Page 10: 2010 Wls Adsso

How to Get There

Implementation Task Overview:
Network & AD preparation
WLS AD Authentication
WLS Host Kerberos configuration
WLS Kerberos configuration
Clients (Browser/s) configuration
Apps (ADF Application) configuration
Test (with your favourite beverage at hand)
Troubleshoot (with your favourite beverage at hand)

Page 11: 2010 Wls Adsso

Environment Specifics

KDC server: OURKDC (.dtf.wa.gov.au)
The Windows domain controller serving as Key Distribution Centre. Most doco (including the official doco) implies you should use its IP address, but use the DNS name instead!

Default AD domain: dtf.wa.gov.au

Kerberos Realm: DTF.WA.GOV.AU
Uppercase of the domain.

WLS AD account: wlskerberosadacc / obscurepwd
The “user” AD account used for the WLS Host and to map the Service Principal. The official doco says to just use the simple machine name. NO! Bad idea; make it different and make it descriptive.

WLS Virtual Host DNS: ourvirtualwls (.dtf.wa.gov.au)
The URL you will use to access your Web Applications. It also serves as the basis of the Service Principal. The official doco doesn't even mention the Virtual Host as a consideration, BUT it is critical for a Windows WLS host in the same Domain*, and a good idea in other cases anyway.

*The machine name URL will already exist in a Windows Domain, as HOST/machine.dtf.wa.gov.au, registered as a Service Principal against the machine's Computer account in AD. At runtime Kerberos derives the basis of the Service Principal from the browser URL. AD will find and default to the HOST/ Service Principal and try to use the “computer” account instead of finding our HTTP/ Service Principal and using our WLS “user” AD account. The credentials in your Keytab will then not match the ticket returned by AD.

Bottom line: ignoring the protocol (HTTP/), the URL of the Service Principal that will be used to access your Web Applications should exist in AD only once!

Page 12: 2010 Wls Adsso

Network & AD preparation

Implementation Steps:

1. Create Virtual Host DNS

2. Create WLS Service AD “user” account

3. Map SPN (Service Principal) with setspn & generate Keytab with ktab (Linux – use ktpass instead)

Pages 13–15 repeat these steps with callouts:

Step 2: Not computer!

Step 3: Not strictly needed with JDK 1.5+

Step 3: Must be your user service account. Get it right. Not validated!

Page 16: 2010 Wls Adsso

WLS AD Authentication

Implementation Steps:

4. Create WLS AD Authentication Provider (WLS LDAPAuthenticator)

5. Test Authentication Provider

See: Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing

Pages 17–18 repeat these steps with callouts: Remove! / Remove?

Page 19: 2010 Wls Adsso

WLS Host Kerberos configuration

Implementation Steps:

6. Create krb5.ini

7. Copy Keytab to WLS (for Linux, ftp it – note this is a binary file)

8. Test Host Kerberos with kinit. Go no further if this no worky!

Pages 20–22 repeat these steps with callouts:

Not strictly needed with JDK 1.5+

Case sensitive

Page 23: 2010 Wls Adsso

WLS Kerberos configuration

Implementation Steps:

9. Create krb5Login.conf

10. Add WLS Kerberos startup parameters (startWebLogic.cmd)

11. Create Identity Assertion Provider (WLS NegotiateIdentityAsserter)

Pages 24–26 repeat these steps.
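Steps 6, 9 and 10 (krb5.ini, krb5Login.conf and the startup parameters), together with the realm, KDC and Service Principal conventions from the Environment Specifics slide, as an added Python example that is not part of the presentation: it derives the realm, KDC name and principal from the AD domain and virtual host, renders the two configuration files and the JVM -D flags, and checks an existing krb5.ini for the traps the deck calls out (wrong-case realm, KDC given as an IP address). The file layout and the java.security.krb5.conf, java.security.auth.login.config, javax.security.auth.useSubjectCredsOnly and sun.security.krb5.debug properties are standard JDK ones; the JAAS entry names follow the "No krb5. prior to JDK 6.0 – Include prior options" callout, read here (an assumption) as "emit both name sets on JDK 6+". Paths, the sample keytab name and the JDK version are constructed.

```python
"""Derive, render and sanity-check the Kerberos pieces WLS needs for AD SSO.

Added example; paths and keytab names are constructed, not from the deck.
"""
import ipaddress
import re


def derive(domain, kdc_host, virtual_host):
    """Realm = upper-cased AD domain; SPN/principal follow the browser URL (the
    virtual host), never the machine name. Short names get the domain appended."""
    def qualify(host):
        return host if "." in host else f"{host}.{domain}"
    realm = domain.upper()
    vhost = qualify(virtual_host).lower()
    return {
        "realm": realm,
        "kdc": qualify(kdc_host).lower(),      # DNS name, not an IP address
        "spn": f"HTTP/{vhost}",                # what setspn maps to the user account
        "principal": f"HTTP/{vhost}@{realm}",  # what ktab/kinit and krb5Login.conf use
    }


def render_krb5_ini(env):
    """Standard MIT/JDK krb5 layout: [libdefaults], [realms], [domain_realm]."""
    realm, domain = env["realm"], env["realm"].lower()
    return "\n".join([
        "[libdefaults]",
        f"default_realm = {realm}",
        "",
        "[realms]",
        f"{realm} = {{",
        f"    kdc = {env['kdc']}",
        f"    admin_server = {env['kdc']}",
        "}",
        "",
        "[domain_realm]",
        f".{domain} = {realm}",
        f"{domain} = {realm}",
        "",
    ])


def render_login_conf(env, keytab_path, jdk_major):
    """JAAS entries for Krb5LoginModule. JDK 6+ looks up
    com.sun.security.jgss.krb5.{initiate,accept}; JDK 5 used the names without
    'krb5.'. On JDK 6+ both sets are emitted (assumption: 'include prior options')."""
    old = ["com.sun.security.jgss.initiate", "com.sun.security.jgss.accept"]
    new = ["com.sun.security.jgss.krb5.initiate", "com.sun.security.jgss.krb5.accept"]
    names = new + old if jdk_major >= 6 else old
    module = ("com.sun.security.auth.module.Krb5LoginModule required "
              f'principal="{env["principal"]}" useKeyTab=true storeKey=true '
              f'keyTab="{keytab_path}" debug=true;')
    return "".join(f"{name} {{\n    {module}\n}};\n\n" for name in names)


def startup_flags(krb5_ini_path, login_conf_path, debug=True):
    """JVM properties to add to the startWebLogic JAVA_OPTIONS."""
    flags = [
        f"-Djava.security.krb5.conf={krb5_ini_path}",
        f"-Djava.security.auth.login.config={login_conf_path}",
        "-Djavax.security.auth.useSubjectCredsOnly=false",
    ]
    if debug:
        flags.append("-Dsun.security.krb5.debug=true")  # turn off once happy
    return flags


def check_krb5_ini(text, expected_realm):
    """Return a list of problems: realm case/mismatch, KDC given as IP, missing [realms]."""
    problems = []
    m = re.search(r"^\s*default_realm\s*=\s*(\S+)", text, re.M)
    if not m:
        problems.append("no default_realm in [libdefaults]")
    elif m.group(1) != expected_realm:  # realm names are case sensitive
        problems.append(f"default_realm {m.group(1)!r} != {expected_realm!r}")
    for kdc in re.findall(r"^\s*kdc\s*=\s*(\S+)", text, re.M):
        try:
            ipaddress.ip_address(kdc.split(":")[0])
        except ValueError:
            continue  # a host name: fine
        problems.append(f"kdc {kdc} is an IP address; use the DNS name")
    if not re.search(r"^\s*\[realms\]", text, re.M):
        problems.append("no [realms] section")
    return problems


if __name__ == "__main__":
    env = derive("dtf.wa.gov.au", "ourkdc", "ourvirtualwls")
    print(render_krb5_ini(env))
    print(render_login_conf(env, "C:/wls/wlsad.keytab", 6))
    print(" ".join(startup_flags("C:/wls/krb5.ini", "C:/wls/krb5Login.conf")))
    print(check_krb5_ini(render_krb5_ini(env), env["realm"]))
```

Run it as-is to print the three artefacts for the deck's own domain and host names; point check_krb5_ini at a real krb5.ini's text to catch the lower-cased realm and IP-address KDC before trying kinit.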

Page 27: 2010 Wls Adsso

Client (Browser/s) configuration

Implementation Steps:

12. Configure Windows Native Authentication
Auto logon for Intranet
IE
Firefox

Pages 28–29 repeat this step.

Page 30: 2010 Wls Adsso

Apps (ADF Application) configuration

Implementation Steps:

13. Configure ADF Application Security
Run the Configure ADF Security Wizard
Enterprise Roles (AD) – Application Roles (ADF)
web.xml <login-config> <auth-method>CLIENT-CERT

13 steps; hmmm; is this a sign?

Page 31 repeats this step.

Page 32: 2010 Wls Adsso

Testing

LDAP Provider
Kinit (with keytab)
Bringing it all together: ADF Application – Transparent login

Wha…? I followed the Instructions!

Page 33 repeats this slide.

Page 34: 2010 Wls Adsso

Troubleshooting

When things just don’t go your way!

WLS Security debug – WLS log level – standard out
Utilities checks (with verbose debug) – Check AD user account, inc SPN mapping
Config files – krb5.ini, krb5Login.conf, config.xml
AD LDAP Provider – base DNs, filters, search scopes
Wireshark... – in extreme cases

Pages 35–40 repeat this slide with callouts:

Page 35: + standard out log level >= notice; Due to CLIENT-CERT,FORM

Page 36: Best to have 1 only; Don’t be fooled. Normal!; Success

Page 37: Server Admin Pack; Softerra LDAP Browser

Page 38: Case sensitivity; Syntax; Linux? Has this changed?; No krb5. prior to JDK 6.0 – Include prior options

Page 40: Debug = java kinit; Success; Checksum failed! ?

Page 41: 2010 Wls Adsso

Traps

Naming & Case sensitivity: Don’t name the AD account the same as the WLS Host. Mind case sensitivity & syntax (especially krb5.ini).

Must be only “one” SPN URL in AD: ldifde to check for duplicates; setspn -D to remove bad or duplicate SPNs.

Kerberos / WLS can’t find config files (krb5.ini, keytab, krb5Login.conf): Know & use the default locations for them; try absolute paths where referenced in dependent config; try a WLS/Host reboot.

Order of WLS Providers: Asserter followed by LDAP Provider, then defaults.

Use Virtual URL – not host URL. Configure 2nd DNS – not DNS alias. (Note: does not require a WLS VH definition.)

Clear Browser cache/s.

Clock Skew – AD, WLS, Client within 2 mins. Does the host need the WA Daylight Saving patch?
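The “should exist in AD only once” rule from the Environment Specifics slide and the Traps item “Must be only one SPN URL in AD (ldifde to check for duplicates, setspn -D to remove)” as an added Python example, not part of the presentation: it reads an ldifde export and reports every host that more than one account claims, ignoring the service class, which is exactly the HOST/ vs HTTP/ collision the deck warns about, and confirms that the intended HTTP SPN sits on a user account and nowhere else. The embedded LDIF is constructed; only ourvirtualwls and wlskerberosadacc come from the deck, while the machine name wlshost01 and the stale account oldwlsacc are made up to show a collision. Real SPNs use a forward slash (HTTP/host), which is what the parser expects.

```python
"""Check an ldifde export of AD accounts for SPN host collisions.

Added example. SAMPLE_LDIF is constructed: only ourvirtualwls and
wlskerberosadacc are names from the presentation.
"""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=wlskerberosadacc,OU=Service Accounts,DC=dtf,DC=wa,DC=gov,DC=au
changetype: add
objectClass: user
sAMAccountName: wlskerberosadacc
servicePrincipalName: HTTP/ourvirtualwls.dtf.wa.gov.au
servicePrincipalName: HTTP/ourvirtualwls

dn: CN=WLSHOST01,OU=Servers,DC=dtf,DC=wa,DC=gov,DC=au
changetype: add
objectClass: computer
sAMAccountName: WLSHOST01$
servicePrincipalName: HOST/wlshost01.dtf.wa.gov.au
servicePrincipalName: HOST/WLSHOST01

dn: CN=oldwlsacc,OU=Service Accounts,DC=dtf,DC=wa,DC=gov,DC=au
changetype: add
objectClass: user
sAMAccountName: oldwlsacc
servicePrincipalName: HTTP/wlshost01.dtf.wa.gov.au
"""


def _unfold(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: [values]} dict per entry, keys lower-cased."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#") or value.startswith(":"):
            continue  # comment, malformed, or base64 ("::") value we do not need
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def spn_owners(entries):
    """Map each SPN host (service class stripped, lower-cased) to the accounts claiming it."""
    owners = defaultdict(list)
    for entry in entries:
        account = entry.get("samaccountname", ["?"])[0]
        classes = [c.lower() for c in entry.get("objectclass", [])]
        kind = "computer" if "computer" in classes else "user"
        for spn in entry.get("serviceprincipalname", []):
            service, _, host = spn.partition("/")
            host = host.split(":")[0].lower()  # drop an optional port
            owners[host].append((service.upper(), account, kind))
    return owners


def find_spn_conflicts(entries):
    """Hosts claimed by more than one account, ignoring the service class:
    HOST/x on the computer account plus HTTP/x on a user account is a conflict."""
    return {host: owners for host, owners in spn_owners(entries).items()
            if len({account for _, account, _ in owners}) > 1}


def check_expected_spn(entries, spn, account):
    """Confirm the HTTP SPN for the virtual host sits on the intended user account, and only there."""
    service, _, host = spn.partition("/")
    owners = spn_owners(entries).get(host.lower(), [])
    mine = [o for o in owners if o[0] == service.upper() and o[1].lower() == account.lower()]
    if not mine:
        return False, f"{spn} is not mapped to {account}"
    if mine[0][2] != "user":
        return False, f"{account} is a computer account; map the SPN to a user account"
    others = sorted({a for _, a, _ in owners if a.lower() != account.lower()})
    if others:
        return False, f"{host} is also claimed by {', '.join(others)}; remove with setspn -D"
    return True, f"{spn} is unique and owned by user account {account}"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for host, owners in find_spn_conflicts(entries).items():
        print(f"CONFLICT {host}: " + ", ".join(f"{s}/ on {a} ({k})" for s, a, k in owners))
    print(check_expected_spn(entries, "HTTP/ourvirtualwls.dtf.wa.gov.au", "wlskerberosadacc"))
```

With the sample, the report flags wlshost01.dtf.wa.gov.au (HOST/ on the computer account, HTTP/ on oldwlsacc) and passes the virtual host SPN; on a real export, feed the text of the ldifde output file to parse_ldif instead of SAMPLE_LDIF.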

Page 42: 2010 Wls Adsso

Hints & Tips

WLS / Host reboots at critical points.

Check the full range of options for the utilities (kinit, ktab, klist); java core of these for verbose debug output.

Use CLIENT-CERT only in ADF Security for troubleshooting; CLIENT-CERT,FORM may not produce debug message output.

Use client local hosts in lieu of no DNS; also useful to test a specific node in a Load Balanced scenario.

Load Balanced / Proxy scenario – same keytab / setup on each node; the DNS/Virtual URL (for the SPN) is the URL the LBR/Proxy routes.

Performance hits – mind recursive & deep Group searching.

Check & turn off all DEBUG once happy.

Multiple technologies – look outside the Oracle box.

Linux – ktpass changes the AD account: the name changes to HTTP/former_name. Mind this for kinit & krb5Login.conf setup.

Page 43: 2010 Wls Adsso

Job Done!

“Celebrate”

Page 44: 2010 Wls Adsso

Current Status

Friends? No Problem!

Proof of Concept – DEV
TEST
UAT
PROD: Go Live – coming weekend

Page 45: 2010 Wls Adsso

Thank you!

Questions?

Presentations are available from our website: www.sagecomputing.com.au

[email protected]

SAGE Computing Services – Consulting and customised training workshops

Peace & Harmony