Managing WebLogic Security


Single Sign-On with Enterprise Information Systems

This section explains how to create credential maps that allow Enterprise Information System (EIS) users to access protected WebLogic Resources.

Note: This chapter applies to WebLogic Server deployments using the security features in this release of WebLogic Server as well as deployments using Compatibility Security.



Overview

Resource adapters defined by the J2EE Connector Architecture can acquire the credentials necessary to authenticate users defined in an EIS when those users request access to a protected WebLogic resource. The container in WebLogic Server that hosts resource adapters retrieves the appropriate set of credentials for the WebLogic resource using a credential map. A credential map creates an association between a user in a WebLogic Server security realm and an identity (a username and password combination) used to authenticate that user in an EIS such as an Oracle database, a SQL server, or an SAP application.

Creating a credential map is a two-step process:

  1. Create a WebLogic Server user or group for the EIS user. The user or group needs to be defined in the configured Authentication provider. Multiple WebLogic Server users or groups can be mapped to the same remote user or group. For more efficient management, BEA recommends using groups to create credential maps.

  2. Create a credential map for the EIS users. Use the username and password under which the user is authenticated to the EIS or the group in which the EIS user is a member to define the user. These credential maps are stored in the embedded LDAP server.

For more information about using security in resource adapters, see the Security topic in Programming WebLogic J2EE Connectors.

WebLogic Server provides two techniques for creating credential maps: deployment descriptors and the WebLogic Server Administration Console. The following sections describe both techniques.



Using Deployment Descriptors to Create Credential Maps

Credential maps can be specified in the <security-principal-map> element of the weblogic-ra.xml deployment descriptor file. The <security-principal-map> element provides the association between the credentials used to log in to the EIS and the credentials used to authenticate to WebLogic resources. Listing 4-1 contains a credential map specified in a weblogic-ra.xml deployment descriptor file.

Listing 4-1 Sample Credential Map

<security-principal-map>
    <map-entry>
        <initiating-principal>raruser</initiating-principal>
        <initiating-principal>javajoe</initiating-principal>
        <resource-principal>
            <resource-username>scott</resource-username>
            <resource-password>tiger</resource-password>
        </resource-principal>
    </map-entry>
</security-principal-map>

The deployment descriptor technique for creating credential maps is deprecated in this release of WebLogic Server. Instead, use the WebLogic Server Administration Console to create credential maps. For more information, see Using the WebLogic Administration Console to Create Credential Maps.

If you deploy a resource adapter that has a weblogic-ra.xml deployment descriptor file containing a defined <security-principal-map> element, the data in this file can be imported into the embedded LDAP server and then used by the WebLogic Credential Mapping provider.

To import the information from the weblogic-ra.xml deployment descriptor file into the embedded LDAP server, enable the Credential Mapping Deployment Enabled attribute on the Credential Mapping provider in the default (active) security realm. When the resource adapter is deployed, the credential map information is loaded into the Credential Mapping provider.

In order to support the Credential Mapping Deployment Enabled attribute, a Credential Mapping provider must implement the DeployableCredentialProvider SSPI. By default, the WebLogic Credential Mapping provider has this attribute enabled. Therefore, information from a weblogic-ra.xml deployment descriptor file is automatically loaded into the WebLogic Credential Mapping provider when the resource adapter is deployed.

It is important to understand that once information from a weblogic-ra.xml deployment descriptor file is loaded into the embedded LDAP server, the original resource adapter remains unchanged. Therefore, if you redeploy the original resource adapter (which will happen if you redeploy it through the WebLogic Server Administration Console, modify it on disk, or restart WebLogic Server), the data will once again be imported from the weblogic-ra.xml deployment descriptor file and credential mapping information may be lost.

To avoid overwriting new credential mapping information with old information in a weblogic-ra.xml deployment descriptor file, set the Ignore Deploy Credential Mapping Deployment Descriptor setting:

  1. Expand the Security node.

  2. Expand the Realms node.

    All security realms available for the WebLogic domain are listed in the Realms table.

  3. Click the name of the realm you are using.

  4. Click the General tab.

  5. Check the Ignore Deploy Credential Mapping Deployment Descriptor setting. This setting specifies that the Credential Mapping providers in the security realm will use only credential maps created using the WebLogic Server Administration Console. By default, this attribute is not checked, meaning the Credential Mapping provider will load credential maps specified in a weblogic-ra.xml deployment descriptor file.

  6. Click Apply.

  7. Reboot WebLogic Server.

BEA Systems also recommends modifying the weblogic-ra.xml deployment descriptor file to remove the <security-principal-map> element.

For more information about using the weblogic-ra.xml deployment descriptor file to specify a credential map, see Programming WebLogic J2EE Connectors.
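The following is an added example, not part of the original documentation or of WebLogic Server itself. It parses the <security-principal-map> element of a weblogic-ra.xml descriptor exactly as Listing 4-1 lays it out (several initiating principals sharing one resource principal), resolves a WebLogic Server principal to its EIS username and password the way the credential map described in the Overview does, and reports the descriptor-level findings this section motivates: the deprecated element is still present, and the EIS passwords sit in plain text in a file that is re-imported on every redeploy. The sample descriptors and the root element name are constructed for the example; only the elements shown in Listing 4-1 are taken from the page.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional


class ResourcePrincipal(NamedTuple):
    """EIS identity (username/password) that a WebLogic principal is mapped to."""
    username: str
    password: str


# Constructed sample descriptor modelled on Listing 4-1 (root element name is
# assumed; the security-principal-map structure follows the listing).
SAMPLE_WEBLOGIC_RA_XML = """<?xml version="1.0"?>
<weblogic-connection-factory-dd>
  <security-principal-map>
    <map-entry>
      <initiating-principal>raruser</initiating-principal>
      <initiating-principal>javajoe</initiating-principal>
      <resource-principal>
        <resource-username>scott</resource-username>
        <resource-password>tiger</resource-password>
      </resource-principal>
    </map-entry>
    <map-entry>
      <initiating-principal>auditor</initiating-principal>
      <resource-principal>
        <resource-username>readonly</resource-username>
        <resource-password>r0-pass</resource-password>
      </resource-principal>
    </map-entry>
  </security-principal-map>
</weblogic-connection-factory-dd>
"""

# Constructed descriptor after the element has been removed, as the section recommends.
CLEAN_WEBLOGIC_RA_XML = """<?xml version="1.0"?>
<weblogic-connection-factory-dd>
</weblogic-connection-factory-dd>
"""


def parse_security_principal_map(xml_text: str) -> Dict[str, ResourcePrincipal]:
    """Build {initiating-principal: ResourcePrincipal} from every <map-entry>.

    Several initiating principals in one entry all resolve to that entry's
    resource principal; a principal listed in two entries is rejected because
    the lookup would otherwise be ambiguous.
    """
    root = ET.fromstring(xml_text)
    spm = root.find(".//security-principal-map")
    mapping: Dict[str, ResourcePrincipal] = {}
    if spm is None:
        return mapping
    for entry in spm.findall("map-entry"):
        rp = entry.find("resource-principal")
        if rp is None:
            raise ValueError("map-entry without a resource-principal")
        user = (rp.findtext("resource-username") or "").strip()
        password = (rp.findtext("resource-password") or "").strip()
        for ip in entry.findall("initiating-principal"):
            name = (ip.text or "").strip()
            if not name:
                raise ValueError("empty initiating-principal")
            if name in mapping:
                raise ValueError(f"initiating-principal {name!r} mapped more than once")
            mapping[name] = ResourcePrincipal(user, password)
    return mapping


def resolve(mapping: Dict[str, ResourcePrincipal], wls_principal: str) -> Optional[ResourcePrincipal]:
    """Return the EIS identity for a WebLogic principal, or None if unmapped."""
    return mapping.get(wls_principal)


def descriptor_findings(xml_text: str) -> List[str]:
    """Findings a reviewer would raise about a weblogic-ra.xml before deployment."""
    findings: List[str] = []
    mapping = parse_security_principal_map(xml_text)
    if not mapping:
        return findings
    findings.append(
        "deprecated <security-principal-map> present: its entries are re-imported "
        "on every redeploy and can overwrite maps created in the Administration Console"
    )
    plaintext = sum(1 for rp in set(mapping.values()) if rp.password)
    if plaintext:
        findings.append(f"{plaintext} EIS password(s) stored in plain text in the descriptor")
    return findings


if __name__ == "__main__":
    cred_map = parse_security_principal_map(SAMPLE_WEBLOGIC_RA_XML)
    for wls_user in ("raruser", "javajoe", "auditor", "nobody"):
        print(wls_user, "->", resolve(cred_map, wls_user))
    for finding in descriptor_findings(SAMPLE_WEBLOGIC_RA_XML):
        print("finding:", finding)
```

Running the script resolves raruser and javajoe to the same EIS identity (scott/tiger), auditor to readonly, and nobody to None, and reports two findings for the sample descriptor and none for the cleaned one. The duplicate-principal check is the example's own safeguard rather than documented WebLogic behaviour; it exists because a principal that appears in two entries would otherwise silently take whichever resource principal was parsed last.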



Using the WebLogic Administration Console to Create Credential Maps

The mapping between credentials can now be done through the WebLogic Server Administration Console. If you are using the WebLogic Credential Mapping provider, the credential maps are stored in the embedded LDAP server.

To create a credential map:

  1. Verify the Ignore Security Data in Deployment Descriptors attribute is enabled on the default (active) security realm. Otherwise, you risk overwriting credential maps with old information in weblogic-ra.xml deployment descriptor files.

  2. Define a user or group for the EIS user. For more information, see Users and Groups in Securing WebLogic Resources.

  3. Expand the Connectors node.

  4. Right-click on the desired resource adapter.

  5. Click the Define Cred Map option.

    The Credential Maps table displays all the credential maps defined in the configured Credential Mapper.

  6. Click the Configure a New Cred Map... link.

  7. Enter the username of the EIS user in the Remote User Cred Map field. For example, scott.

  8. Enter the password for the EIS user in the Remote Password field. For example, tiger.

  9. Click Apply.

  10. Right-click on the desired resource adapter.

  11. Click the Define Role Map option.

  12. Enter the WebLogic Server user or group name you defined for the EIS user in step 2 in the WLS User field.

  13. Enter the name of the EIS user in Remote User field.

  14. Click Apply.

