Configuring Digest Authentication for WebLogic SIP Server

The following sections describe how to configure WebLogic SIP Server to use Digest authentication with a supported LDAP server:

• Overview of Digest Authentication
• Prerequisites for Configuring Digest Authentication
• Steps for Configuring Digest Authentication
• Sample Digest Authentication Configuration
• Configuring Trusted Hosts
• Auditing Security Events

 

---

Overview of Digest Authentication

The following sections provide a basic overview of Digest authentication, and describe Digest authentication support and configuration in WebLogic SIP Server 2.0.2.

What Is Digest Authentication?

Digest authentication is a simple challenge-response mechanism used to authenticate a user over SIP or HTTP. Digest authentication is fully described in RFC 2617.

When using Digest authentication, if a client makes an un-authenticated request for a protected server resource, the server challenges the client using a nonce value. The client uses a requested algorithm (MD5 by default) to generate an encrypted response—a Digest—that includes a username, password, the nonce value from the challenge, the SIP method, and the requested URI.

The server verifies the client Digest by recreating the Digest value and comparing it with the client's Digest. To recreate the Digest value the server requires a hash of the "A1" value (see RFC 2617) that includes, at minimum, the nonce, username, password and realm name. The server either recreates the hash of the A1 value using a stored clear-text password for the user, or by obtaining a precalculated hash value. Either the clear-text password or precalculated has value can be stored in an LDAP directory. The server then uses the hash of the A1 value to recreate the Digest and compare it to the client's Digest to verify the user's identity.

Digest authentication provides secure authorization over HTTP because the clear text password is never transmitted between the client and server. The use of nonce values in the client challenge also ensures that Digest authentication is resistant to replay attacks. See Figure 1 for a more detailed explanation of the challenge-response mechanism for a typical request.

Digest Authentication Support in WebLogic SIP Server 2.0.2

WebLogic SIP Server 2.0.2 includes an LDAP Digest Identity Asserter security provider for asserting the validity of a client's Digest. A separate authorization provider is required to complete the authentication process (see Configure an LDAP Authenticator Provider).

The Digest Identity Asserter only verifies a user's credentials using the client Digest. After the Digest is verified, the configured authorization provider completes the authentication process by checking for the existence of the user (by username) and also populating group membership for the resulting javax.security.auth.Subject.

The LDAP Digest Identity Asserter provider requires that user credentials be stored in an LDAP server in one of the following ways:

• Unencrypted (clear text) passwords. The simplest configuration stores users' unencrypted passwords in the LDAP store. If you choose this method, BEA recommends using an SSL connection to the LDAP store to reduce the risk of exposing clear text passwords in server-side network traffic. Some LDAP providers do not support storing unencrypted passwords by default; in this case you must create or use a dedicated credential attribute on the LDAP server for storing the password. See Configure the LDAP Server.
• A pre-calculated hash of each password, username, and realm. If storing unencrypted passwords is unacceptable, you can instead store a pre-calculated hash value of the username, security-realm, and password in a new or existing attribute in LDAP. The Digest Identity Asserter then retrieves only the hash value for comparison to the client-generated hash in the Digest. Storing pre-calculated hash values provides additional security.

The LDAP Digest Identity Asserter is compatible with any LDAP provider that permits storage of a clear text password or pre-calculated hash value.

Note: The built-in LDAP store for the DefaultAuthenticator provider does not support storage of clear text passwords or pre-calculated hash values. You must make DefaultAuthenticator an optional provider (ControlFlag="SUFFICIENT" or lower) before you can use Digest authentication, or you must configure a separate LDAP store to use for identity assertion.

Figure 1 Digest Authentication in WebLogic SIP Server 2.0.2

 

Figure 1 shows the basic architecture and use of the LDAP Identity Asserter provider for a typical client request:

The client makes an unauthorized request for a protected application resource. (SIP Servlet resources can be protected by specifying security constraints in the sip-xml deployment descriptor. See Controlling Access to SIP Servlet Resources.)
The Digest Identity Asserter provider generates a challenge string consisting of the nonce value, realm name, and encryption algorithm (either MD5 or MD5-sess). The SIP container delivers the challenge string to the client.

Note: The Digest Identity Asserter maintains a cache of used nonces and timestamps for a specified period of time. All requests with a timestamp older than the specified timestamp are rejected, as well as any requests that use the same timestamp/nonce pair as the most recent timestamp/nonce pair still in the cache.

The client uses the encryption algorithm to create a Digest consisting of the username, password, real name, nonce, SIP method, request URI, and other information described in RFC 2617.
The Digest Identity Asserter verifies the client Digest by recreating the Digest value using a hash of the A1 value, nonce, SIP method, and other information. To obtain a hash of the A1 value, the Identity Asserter either generates HA1 by retrieving a clear-text password from the LDAP store, or the Identity Asserter retrieves the pre-calculated HA1 from the LDAP store.
The generated Digest string is compared to the client's Digest to verify the user's identity.
If the user's identity is verified, an authentication provider then determines if the user exists and if it does, the authentication provider populates the javax.security.auth.Subject with the configured group information. This step completes the authentication process.

Note: If you do not require user existence checking or group population, you can use the special "no-op" Identity Assertion Authenticator to avoid an extra connection connection to the LDAP Server; see Configure an LDAP Authentication Provider for more information.

After authentication is complete, the SIP Servlet container performs an authorization check for the logged in javax.security.auth.Subject against the declarative security-constraints defined in the Servlet's sip.xml deployment descriptor.

The LDAP Digest Identity Asserter and the configured Authentication provider can either use the same LDAP store or different stores.

Note: If you use multiple LDAP stores, you must also create some infrastructure to keep both stores synchronized in response to adding, removing, or changing user credential changes, as shown in Figure 2. Maintaining LDAP stores in this manner is beyond the scope of this documentation.

Figure 2 Multiple LDAP Servers

 

 

---

Prerequisites for Configuring Digest Authentication

In order to configure Digest authentication you must understand the basics of LDAP servers and LDAP administration. You must also understand the requirements and restrictions of your selected LDAP server implementation, and have privileges to modify the LDAP configuration as well as the WebLogic SIP Server configuration.

Table 1 summarizes all of the information you will need in order to fully configure your LDAP server for Digest authentication with WebLogic SIP Server 2.0.2.

Note that the LDAP authentication provider and the Digest Authentication Identity Asserter provider can be configured with multiple LDAP servers to provide failover capabilities. If you want to use more than one LDAP server for failover, you will need to have connection information for each server when you configure Digest Authentication. See Steps for Configuring Digest Authentication.

Table 8 Digest Identity Asserter Checklist

Item	Description	Sample Value
Host	The host name of the LDAP server.	MyLDAPServer
Port	The port number of the LDAP server. Port 389 is used by default.	389
Principal	A Distinguished Name (DN) that WebLogic SIP Server can use to connect to the LDAP Server.	cn=ldapadminuser
Credential	A credential for the above principal name (generally a password).	ldapadminuserpassword
LDAP Connection Timeout	The configured timeout value for connections to the LDAP server (in seconds). For best performance, there should be no timeout value configured for the LDAP server. If a timeout value is specified for the LDAP server, you should configure the Digest Identity Asserter provider timeout to a value equal to or less than the LDAP server's timeout.	30 seconds
User From Name Filter	An LDAP search filter that WebLogic SIP Server will use to locate a given username. If you do not specify a value for this attribute, the server uses a default search filter based on the user schema.	(&(cn=%u)(objectclass=person))
User Base DN	The base Distinguished Name (DN) of the tree in the LDAP directory that contains users.	cn=users,dc=mycompany,dc=com
Credential Attribute Name	The credential attribute name used for Digest calculation. This corresponds to the attribute name used to store unencrypted passwords or pre-calculated hash values. See Configure the LDAP Server.	hashvalue
Digest Realm Name	The realm name to use for Digest authentication.	mycompany.com
Digest Algorithm	The algorithm that clients will use to create encrypted Digests. WebLogic SIP Server supports both MD5 and MD5-sess algorithms. MD5 is used by default.	MD5
Digest Timeout	The Digest authentication timeout setting. By default this value is set to 120 seconds.	120

 

---

Steps for Configuring Digest Authentication

Follow these steps to configure Digest authentication with WebLogic SIP Server 2.0.2:

Configure the LDAP Server.
Reconfigure the DefaultAuthenticator Provider.

Note: DefaultAuthenticator is set up as a required authentication provider by default. If the DefaultAuthentication provider, which works against the embedded LDAP store, is not used for authentication decisions, you must change the Control Flag to "SUFFICIENT".

Configure an LDAP Authenticator Provider.
Configure a New LDAP Digest Identity Asserter Provider.

The sections that follow describe each step in detail.

Configure the LDAP Server

The LDAP server used for Digest verification must store either unencrypted, clear text passwords or pre-calculated hash values. The sections below provide general information about setting up your LDAP server to store the required information. Keep in mind that each LDAP server uses different schemas and different administration tools, and you may need to refer to your LDAP server documentation for information about how to perform the steps below.

If you are using multiple LDAP servers to enable failover capabilities for the security providers, you must configure each LDAP server as described below.

Using Unencrypted Passwords

If your LDAP server's schema allows storing unencrypted passwords in the user's password attribute, no additional configuration is needed. The Digest Identity Asserter provider looks for unencrypted passwords in the password field by default.

If the schema does not allow unencrypted passwords in the password attribute, you have two options:

• Store the unencrypted password in an existing, unused credential attribute in the LDAP directory.
• Create a new credential attribute to store the unencrypted password.

See your LDAP server documentation for more information about credential attributes available in the schema. Regardless of which method you use, record the exact attribute name used to store unencrypted passwords. You must enter the name of this attribute when configuring the LDAP Digest Identity Asserter provider.

Using Precalculated Hash Values

If you want to use precalculated hash values, rather than unencrypted passwords, you can store the hash values in one of two places in your LDAP directory:

• In an existing, unused credential attribute.
• In a new credential attribute that you create for the hash value.

See your LDAP server documentation for more information using or creating new credential attributes.

WebLogic SIP Server provides a simple method call to generate a hash of the A1 value from a given username, realm name, and unencrypted password. The built-in method is available at com.bea.wcp.sip.util.DigestUtils.getHA1("username", "realm-name", "password"). You can use also use 3rd-party utilities for generating the hash value, or create your own method using information from RFC 2617.

Note that you must also create the necessary infrastructure to update the stored hash value automatically when the user name, password, or realm name values change. Maintaining LDAP information in this manner is beyond the scope of this documentation.

Reconfigure the DefaultAuthenticator Provider

Follow the instructions in this section to change the provider's control flag to "sufficient".

Note: DefaultAuthenticator is set up as a required authentication provider by default. If the DefaultAuthentication provider, which works against the embedded LDAP store, is not used for authentication decisions, you must change the Control Flag to "SUFFICIENT".

To reconfigure the DefaultAuthenticator provider:

Log in to the Administration Console for the WebLogic SIP Server domain you want to configure.
In the left pane of the Console, expand the Security->Realms->myrealm->Providers->Authentication node.
Select the DefaultAuthenticator node in the left pane.
In the General tab on the right pane, change the Control Flag value to SUFFICIENT.
Click Apply to apply your changes.
Reboot the server to realize the changed security configuration.

Configure an LDAP Authenticator Provider

The LDAP Digest Identity Asserter provider requires a separate LDAP authorization provider to perform authorization for verified users. Follow the instructions in Configuring an LDAP Authentication Provider in the WebLogic Server 8.1 SP4 documentation set to create an LDAP authorization provider for your LDAP server. Use the information from Table 1 to configure the provider.

If you do not require user existence checking or group population, you can configure and use the special "no-op" Identity Assertion Authenticator to avoid an extra round-trip connection to the LDAP server. Note that the provider performs no actual authorization, and that only Digest Identity Assertion (via the LDAP Digest Identity Asserter Provider) will be performed in the system. To configure the "no-op" authorization provider:

Log in to the Administration Console for the WebLogic SIP Server domain you want to configure.
In the left pane of the Console, expand the Security->Realms->myrealm->Providers->Authentication node.
Select the Authentication node in the left pane.
Click Configure a new Identity Assertion Authenticator...
Enter a name for the new provider, and set the Control Flag to SUFFICIENT.
Click Create to create the new provider.

Configure a New LDAP Digest Identity Asserter Provider

Follow these instructions to create the LDAP Digest Identity Asserter provider and associate it with your LDAP server:

Log in to the Administration Console for the WebLogic SIP Server domain you want to configure.
In the left pane of the Console, expand the Security->Realms->myrealm->Providers->Authentication node.
Select the Authentication node in the left pane.
In the right pane of the Console, select Configure a new LDAP Digest Identity Asserter...
Enter a name for the new provider in the Name field, or accept the default.
In the Active Types Chooser area, select both of the available types (WWW-Authenticate.DIGEST and Authorization.DIGEST) and use the arrow to move them to the Chosen column.
Click Apply to create the new provider.
Select the Details tab in the right pane to further configure the new provider.
In the Details tab, enter LDAP server and Digest authentication information into the fields as follows (use the information from Table 1):
• User From Name Filter: Enter an LDAP search filter that WebLogic SIP Server will use to locate a given username. If you do not specify a value for this attribute, the server uses a default search filter based on the user schema.
• User Base DN: Enter the base Distinguished Name (DN) of the tree in the LDAP directory that contains users.
• Pre Calculated Hash: Select this option if you the LDAP directory stores a pre-calculated hash value rather than an unencrypted password.
• Credential Attribute Name: Enter the credential attribute in the LDAP directory that stores either the pre-calculated hash value or the unencrypted password. By default WebLogic SIP Server uses the password attribute of the user entry. If you use a pre-calculated has value instead of an unencrypted password, or if the unencrypted password is stored in a different attribute, you must specify the correct attribute name here.
• Digest Realm Name: Enter the realm name to use for Digest authentication.
• Digest Algorithm: Select either MD5 or MD5-sess as the algorithm to use for encrypting Digests.
• Digest Timeout: This value defines the nonce timeout value for the digest challenge. If the nonce timeout is reached before the client responds, the client is re-challenged with a new nonce. By default, the Digest Timeout is set to 120 seconds.
• LDAP Connection Pool Size: Enter the number of connections to use for connecting to the LDAP Server. This value should be equal to or less than the total number of execute threads configured for WebLogic SIP Server. To view the current number of configured threads, right-click on the WebLogic SIP Server name in the left pane of the Administration Console and select View Execute Queues; the SIP Container uses the Thread Count value of the queue named sip.transport.Default. The default value of LDAP Connection Pool Size is 10.

  Note that stale connections (for example, LDAP connections that are timed out by a load balancer) are automatically removed from the connection pool.

• Host: Enter the host name of the LDAP server to use for Digest verification. If you are using multiple LDAP servers for failover capabilities, enter the hostname:port value for each server separated by spaces. For example: ldap1.mycompany.com:1050 ldap2.mycompany.com:1050

 

See Configuring Failover for LDAP Authentication Providers in the WebLogic Server 8.1 SP4 documentation for more information about configuring failover.

• Port: Enter the port name of the LDAP server.
• SSL Enabled: Select this option if you are using SSL to communicate unencrypted passwords between WebLogic SIP Server and the LDAP Server.
• Principal: Enter the name of a principal that WebLogic SIP Server uses to access the LDAP server.
• Credential: Enter the credential for the above principal name (generally a password).
• Confirm Credential: Re-enter the principal's credential.
• Cache Enabled: Specifies whether a cache should be used with the associated LDAP server.
• Cache Size: Specifies the size of the cache, in Kilobytes, used to store results from the LDAP server. By default the cache size is 32K.
• Cache TTL: Specifies the time-to-live (TTL) value, in seconds, for the LDAP cache. By default the TTL value is 60 seconds.
• Results Time Limit: Specifies the number of milliseconds to wait for LDAP results before timing out. Accept the default value of 0 to specify no time limit.
• Connect Timeout: Specifies the number of milliseconds to wait for an LDAP connection to be established. If the time is exceeded, the connection times out. The default value of 0 specifies no timeout value.
• Parallel Connect Delay: Specifies the number of seconds to delay before making concurrent connections to multiple, configured LDAP servers. If this value is set to 0, the provider connects to multiple servers in a serial fashion. The provider first tries to connect to the first configured LDAP server in the Host list. If that connection attempt fails, the provider tries the next configured server, and so on.
  
  If this value is set to a non-zero value, the provider waits the specified number of seconds before spawning a new thread for an additional connection attempt. For example, if the value is set to 2, the provider first tries to connect to the first configured LDAP server in the Host list. After 2 seconds, if the connection has not yet been established, the provider spawns a new thread and tries to connect to the second server configured in the Host list, and so on for each configured LDAP server.
• Connection Retry Limit: Specifies the number of times the provider tries to reestablish a connection to an LDAP server if the LDAP server throws an exception while creating a connection.
• Base64 Decoding Required: This field is not applicable to the LDAP Digest Identity Asserter provider.
Click Apply to apply your changes.
Reboot the server to realize the changed security configuration.

 

---

Sample Digest Authentication Configuration

After configuring Digest authentication using the preceding steps, you can verify the configuration by examining the config.xml file for your domain. Listing 1 shows the security provider configuration in config.xml for a domain that uses Digest authentication. Note that although the IPlanetAuthenticator provider was selected, the provider is configured to use an Oracle Internet Directory Server.

The Administration Console automatically encrypts credential information stored in config.xml. If you are editing config.xml manually, you can use the weblogic.management.EncryptionHelper utility to encrypt the credentials as described in the WebLogic Server 8.1 documentation.

Listing 1 Sample Security Provider Configuration

<weblogic.security.providers.authentication.IPlanetAuthenticator

   ControlFlag="SUFFICIENT"

   Credential="{3DES}uQtI9MFcc7yR9hqgx39J2g=="

   DisplayName="OIDAuthenticator"

   GroupBaseDN="cn=Groups,dc=bea,dc=com" Host="lcw2k18.bea.com"

   Name="Security:Name=myrealmOIDAuthenticator" Port="389"

   Principal="cn=orcladmin" Realm="Security:Name=myrealm"

   UserBaseDN="cn=users,dc=bea,dc=com"

   UserFromNameFilter="(&(cn=%u)(objectclass=person))"/>

<com.bea.wcp.sip.security.authentication.LdapDigestIdentityAsserter

   ActiveTypes="Authorization.DIGEST|WWW-Authenticate.DIGEST"

   Credential="{3DES}uQtI9MFcc7yR9hqgx39J2g=="

   CredentialAttributeName="middlename"

   DigestRealmName="wcp.bea.com" Host="lcw2k18.bea.com"

   Name="Security:Name=myrealmLdapDigestIdentityAsserter"

   Principal="cn=orcladmin" Realm="Security:Name=myrealm"

   UserBaseDN="cn=users,dc=bea,dc=com"

   UserFromNameFilter="(&(cn=%u)(objectclass=person))"/>

 

---

Configuring Trusted Hosts

WebLogic SIP Server 2.0.2 enables you to configure one or more trusted hosts for which authentication is not performed. When WebLogic SIP Server receives a SIP message, it calls getRemoteAddress() on the SIP Servlet message. If this address matches an address in the server's trusted host list, no further authentication is performed for the message.

To configure one or more trusted hosts:

Log in to the Administration Console for the WebLogic SIP Server domain you want to configure.
In the left pane of the Console, expand the SIP Extension->SIP Servers node.
1. Select the name of a configured SIP Server.
2. In the right pane, select the Configuration->Filters tab.
3. Click Configure a WLSSecurityManagerFilter
4. In the Trusted Host field, enter the names of one or more trusted hosts. To enter multiple host names, separate each name with a comma, as in host1.mycompany.com,host2.mycompany.com.
5. Select Continue to create the trusted hosts list.

The trusted host configuration appears as a new XML element in the sipserver.xml configuration file. The following code listing shows an example trusted host configuration:

        <filter classname="com.bea.wcp.sip.security.WLSSecurityManagerFilter">

          <filter-param>

            <param-name>trustedHost</param-name>

            <param-value>host1.mycompany.com,host2.mycompany.com</param-value>

          </filter-param>

        </filter>

Notes: The XML representation of trusted hosts shown above is deprecated, and may change in a future release.

Auditing Security Events

WebLogic SIP Server provides an auditing provider that you can configure to monitor authentication events in the security realm. See Configuring a WebLogic Auditing Provider in the WebLogic Server 8.1 documentation for more information.