Authenticate by using an External LDAP Server

This section describes how to add authenticators for external identity stores such as OpenLDAP, so that applications deployed in an Oracle WebLogic Server for OKE domain can use the users and groups defined there. It also describes how to connect to an OpenLDAP server, both over plain LDAP and over LDAPS.

In Oracle WebLogic Server for OKE, do not add users and groups for your applications to the WebLogic embedded LDAP server. With the domain home in image model the embedded LDAP is of limited use: users that you add to it through the Administration Console are not persisted in the image and disappear when the admin server pod restarts. For the same reason, changing the domain configuration from the Administration Console is not recommended.

Prerequisites

Before you authenticate by using an external LDAP server, ensure that you have completed the following prerequisites.

  1. You must have created a domain with Oracle WebLogic Server for OKE instance. See Create a Domain with Oracle WebLogic Server for OKE.
  2. You must have an OpenLDAP server, which is ready to use.

    The OpenLDAP server must be accessible from the Oracle WebLogic Server for OKE nodes where your WebLogic domain is running and from the admin host. That is, the WebLogic Server pods and the admin host must be able to reach the OpenLDAP host (by name or IP address) on the port where the LDAP server is listening.

    Default ports are 389 for LDAP and 636 for LDAPS (LDAP over SSL). Over port 389 the bind credential and every user password that WebLogic verifies cross the network in clear text, so use LDAPS for anything other than a test setup.

    If the LDAP server is on premises, connect the VCN where the stack was created to your data center by using either FastConnect or VPN Connect. See Access to Your On-Premises Network.

Add a new OpenLDAP Authenticator to the Domain in Model in Image

For Model in Image, define the authenticators that you want to add to your WebLogic domain in a WDT model file, and then apply this model by using the update-domain pipeline job.

To identify a version that uses the Model in Image source type, see the Supported Image column in Patches Included in Oracle WebLogic Server for OKE.

  1. Create an OpenLDAP_authenticator.yaml file.
    The following model file defines an OpenLDAP authenticator that connects to an OpenLDAP server over plain LDAP, that is, with SSL disabled. It is based on the models presented in Modeling Security Providers.

    Note:

    You must create a secret holding the password of the LDAP bind principal (the Principal entry in the model) and reference it from CredentialEncrypted as shown; this secret is used when you run the update-domain pipeline job.
    Example of an OpenLDAP_authenticator.yaml file:
    topology:
        SecurityConfiguration:
            Realm:
                myrealm:
                    AuthenticationProvider:
                        My OpenLDAP authenticator:
                            OpenLDAPAuthenticator:
                                ControlFlag: SUFFICIENT
                                PropagateCauseForLoginException: True
                                EnableGroupMembershipLookupHierarchyCaching: True
                                Host: myldap.example.com
                                Port: 389
                                UserObjectClass: inetOrgPerson
                                GroupHierarchyCacheTTL: 600
                                SSLEnabled: False
                                UserNameAttribute: cn
                                Principal: 'cn=foo,ou=users,dc=example,dc=com'
                                CredentialEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-secret:password@@'
                                UserBaseDn: 'ou=users,dc=example,dc=com'
                                UserSearchScope: subtree
                                UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))'
                                GroupBaseDN: 'ou=groups,dc=example,dc=com'
                                StaticGroupObjectClass: groupofnames
                                StaticGroupNameAttribute: cn
                                StaticMemberDNAttribute: member
                                StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))'
                                UseRetrievedUserNameAsPrincipal: True
                                KeepAliveEnabled: True
                                GuidAttribute: uuid
                        DefaultAuthenticator:
                            DefaultAuthenticator:
                                ControlFlag: SUFFICIENT
                        DefaultIdentityAsserter:
                            DefaultIdentityAsserter:

    To keep DefaultAuthenticator and DefaultIdentityAsserter while changing or adding providers, you must specify them in the model, with any non-default attributes, as in the example; providers that are absent from the AuthenticationProvider list are not retained. The order of the providers in the model is the order in which they are set in the WebLogic security configuration. Leaving DefaultAuthenticator as SUFFICIENT means the WebLogic administrator account in the embedded LDAP can still authenticate when the OpenLDAP server is unreachable. See Modeling Security Providers.

  2. Run the update-domain pipeline job to add the authenticators. See Update the Domain Configuration.
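The model above references its bind password through the macro @@SECRET:@@ENV:DOMAIN_UID@@-ldap-secret:password@@, and the SSL variants of the model add further secrets for the keystore passphrases. The following Python script is an added example, not part of this page or of Oracle's tooling: it resolves every such macro in a model (loaded with yaml.safe_load into a dict), lists the Kubernetes secrets and keys that must exist before the update-domain job runs, and builds a Secret manifest for one of them. It assumes that DOMAIN_UID is the only ENV variable used inside secret macros, that the secrets belong in the domain's namespace (the namespace name wlsoke-ns and SAMPLE_MODEL are constructed for the example), and that macros take the two forms shown on this page.

```python
# Added example (not from the Oracle page or Oracle tooling): find every
# @@SECRET:...@@ reference in a WDT model and build the Kubernetes Secret
# manifests that must exist before the update-domain job applies the model.
# Assumptions: macro forms are @@SECRET:name:key@@ and
# @@SECRET:@@ENV:VAR@@suffix:key@@ as on this page, DOMAIN_UID is supplied by
# the caller, and the namespace "wlsoke-ns" below is a constructed value.
import base64
import json
import re

ENV_MACRO = re.compile(r"@@ENV:([A-Za-z0-9_]+)@@")
SECRET_MACRO = re.compile(r"^@@SECRET:(?P<name>[^:@]+):(?P<key>[^:@]+)@@$")


def resolve_env(text, env):
    """Expand each @@ENV:NAME@@ in text from env; an undefined NAME is an error."""
    def expand(match):
        name = match.group(1)
        if name not in env:
            raise KeyError(f"@@ENV:{name}@@ is not defined")
        return env[name]
    return ENV_MACRO.sub(expand, text)


def parse_secret_macro(value, env):
    """Return (secret_name, key) for a @@SECRET:...@@ value, None for any other value."""
    if not isinstance(value, str) or not value.startswith("@@SECRET:"):
        return None
    match = SECRET_MACRO.match(resolve_env(value, env))
    if match is None:
        raise ValueError(f"malformed secret macro: {value!r}")
    return match.group("name"), match.group("key")


def collect_secret_refs(node, env, path=()):
    """Walk a nested model dict; map (secret_name, key) -> attribute paths that use it."""
    refs = {}
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, dict):
                for ref, paths in collect_secret_refs(value, env, path + (key,)).items():
                    refs.setdefault(ref, []).extend(paths)
            else:
                ref = parse_secret_macro(value, env)
                if ref is not None:
                    refs.setdefault(ref, []).append("/".join(path + (key,)))
    return refs


def secret_manifest(name, namespace, data):
    """Opaque Secret as a dict; json.dumps() it and pipe to `kubectl apply -f -`."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in data.items()},
    }


# Constructed subset of the page's model: the bind credential plus the
# keystore passphrases referenced by the SSL variant.
SAMPLE_MODEL = {
    "topology": {
        "Server": {
            "@@ENV:RESOURCE_PREFIX@@-adminserver": {
                "KeyStores": "CustomIdentityAndCustomTrust",
                "CustomTrustKeyStorePassPhraseEncrypted": "@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@",
                "SSL": {"ServerPrivateKeyPassPhraseEncrypted": "@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@"},
            }
        },
        "SecurityConfiguration": {"Realm": {"myrealm": {"AuthenticationProvider": {
            "My OpenLDAP authenticator": {"OpenLDAPAuthenticator": {
                "Principal": "cn=foo,ou=users,dc=example,dc=com",
                "CredentialEncrypted": "@@SECRET:@@ENV:DOMAIN_UID@@-ldap-secret:password@@",
            }},
            "DefaultAuthenticator": {"DefaultAuthenticator": {"ControlFlag": "SUFFICIENT"}},
            "DefaultIdentityAsserter": {"DefaultIdentityAsserter": None},
        }}}},
    }
}

if __name__ == "__main__":
    env = {"DOMAIN_UID": "mydomain"}
    for (name, key), paths in sorted(collect_secret_refs(SAMPLE_MODEL, env).items()):
        print(f"secret {name} key {key} <- {', '.join(paths)}")
    # A real password comes from a vault or a prompt, never from the model file.
    print(json.dumps(secret_manifest("mydomain-ldap-secret", "wlsoke-ns", {"password": "CHANGE-ME"}), indent=2))
```

Run the script before the update-domain job to see which secrets the model expects; pipe each manifest to kubectl apply -f - from a host with access to the cluster, keeping the real password out of the model file and out of shell history.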

Enable SSL Support in Model in Image

For Model in Image, enabling SSL support requires a few additional steps. You configure both a trust keystore and an identity keystore: only the trust keystore (holding the CA certificate of the LDAP server) is needed for a one-way SSL connection to the LDAP server, but the CustomIdentityAndCustomTrust keystore configuration used here has no custom-trust-only variant, so an identity keystore must exist as well. You must also configure SSL with the host name verifier.

To identify a version that uses the Model in Image source type, see the Supported Image column in Patches Included in Oracle WebLogic Server for OKE.

  1. Obtain the root Certificate Authority (CA) certificate for the LDAP server.
  2. Create a trust keystore from that certificate or, if you already have a trust keystore, import the certificate into it.
    Following is an example that creates the keystore myTrust.jks containing the root CA certificate rootca.pem, by using the keytool command:
    keytool -import -keystore ./myTrust.jks -trustcacerts -alias oidtrust -file rootca.pem -storepass TrustKeystorePwd -noprompt
    Passing -storepass on the command line leaves the password in your shell history; omit the option and keytool prompts for it instead.
  3. Create an identity keystore, if you do not already have one.
    Following is an example that generates a self-signed key pair in a new identity keystore. The keystore file name and the alias you choose here are what CustomIdentityKeyStoreFileName and ServerPrivateKeyAlias must reference in the model (the samples in this section use DemoIdentity.jks with the alias DemoIdentity):
    keytool -genkeypair -alias server_cert -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "CN=example.com,OU=Support,O=Example,L=Reading,ST=Berkshire,C=GB" -keystore ./myIdentity.jks
    
  4. Copy the trust and identity keystores to the /u01/shared location, and specify their locations in the model.yaml file.
  5. Create a model.yaml file specifying the OpenLDAP Authentication Provider with SSL enabled, the DefaultAuthenticator and DefaultIdentityAsserter, and the custom keystores for the admin server and for the servers that are part of the dynamic cluster configured in the domain.

    Note:

    You must create a secret for the LDAP bind password and for each keystore passphrase, and reference them from the model.yaml file; these secrets are used when you run the update-domain job. For information, see Update the Domain Configuration.

    You must use ENV macros for the server names, as in the following model.yaml examples for non-JRF and JRF domains.

    • Following is a sample of the model.yaml file for a non-JRF domain:

      In this model.yaml file, ServerPrivateKeyAlias refers to the alias used when you created the DemoIdentity keystore, and ServerPrivateKeyPassPhraseEncrypted refers to the password set for that key.

      topology:
          Server:
              '@@ENV:RESOURCE_PREFIX@@-adminserver':
                  KeyStores: CustomIdentityAndCustomTrust
                  CustomIdentityKeyStoreType: jks
                  CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks'
                  CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@'
                  CustomTrustKeyStoreType: jks
                  CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks'
                  CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@'
                  SSL:
                      ServerPrivateKeyAlias: DemoIdentity
                      ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@'
          ServerTemplate:
              '@@ENV:RESOURCE_PREFIX@@-cluster-template':
                  KeyStores: CustomIdentityAndCustomTrust
                  CustomIdentityKeyStoreType: jks
                  CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks'
                  CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@'
                  CustomTrustKeyStoreType: jks
                  CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks'
                  CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@'
                  SSL:
                      ServerPrivateKeyAlias: DemoIdentity
                      ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@'
          SecurityConfiguration:
              Realm:
                  myrealm:
                      AuthenticationProvider:
                          My OpenLDAP authenticator:
                              OpenLDAPAuthenticator:
                                  ControlFlag: SUFFICIENT
                                  PropagateCauseForLoginException: True
                                  EnableGroupMembershipLookupHierarchyCaching: True
                                  Host: 'pg-openldap'
                                  Port: 636
                                  UserObjectClass: inetOrgPerson
                                  GroupHierarchyCacheTTL: 600
                                  SSLEnabled: True
                                  UserNameAttribute: cn
                                  Principal: 'cn=admin,dc=wlsoketest-ldap,dc=com'
                                  CredentialEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-secret:password@@'
                                  UserBaseDn: 'ou=people,dc=wlsoketest-ldap,dc=com'
                                  UserSearchScope: subtree
                                  UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))'
                                  GroupBaseDN: 'ou=groups,dc=wlsoketest-ldap,dc=com'
                                  StaticGroupObjectClass: groupofnames
                                  StaticGroupNameAttribute: cn
                                  StaticMemberDNAttribute: member
                                  StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))'
                                  UseRetrievedUserNameAsPrincipal: True
                                  KeepAliveEnabled: True
                                  GuidAttribute: entryuuid
                          DefaultAuthenticator:
                              DefaultAuthenticator:
                                  ControlFlag: SUFFICIENT
                          DefaultIdentityAsserter:
                              DefaultIdentityAsserter:
      
    • Following is a sample of the model.yaml file for a JRF domain:

      In this model.yaml file, ServerPrivateKeyAlias refers to the alias used when you created the DemoIdentity keystore, and ServerPrivateKeyPassPhraseEncrypted refers to the password set for that key.

      Note:

      • If you want the LDAP SSL authenticator to work on the managed servers, update the model yaml file with the custom identity and trust keystore values for each server in the cluster.
      • If you scale out the cluster, update the domain again with the update-domain job, providing a yaml file with the contents listed in the sample and the name of the new managed server. You do not have to repeat the SecurityConfiguration details.
      topology:
          Server:
              '@@ENV:RESOURCE_PREFIX@@-adminserver':
                  KeyStores: CustomIdentityAndCustomTrust
                  CustomIdentityKeyStoreType: jks
                  CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks'
                  CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@'
                  CustomTrustKeyStoreType: jks
                  CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks'
                  CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@'
                  SSL:
                      ServerPrivateKeyAlias: DemoIdentity
                      ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@'
              '@@ENV:RESOURCE_PREFIX@@-managed-server1':
                  KeyStores: CustomIdentityAndCustomTrust
                  CustomIdentityKeyStoreType: jks
                  CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks'
                  CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@'
                  CustomTrustKeyStoreType: jks
                  CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks'
                  CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@'
                  SSL:
                      ServerPrivateKeyAlias: DemoIdentity
                      ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@'
              '@@ENV:RESOURCE_PREFIX@@-managed-server2':
                  KeyStores: CustomIdentityAndCustomTrust
                  CustomIdentityKeyStoreType: jks
                  CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks'
                  CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@'
                  CustomTrustKeyStoreType: jks
                  CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks'
                  CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@'
                  SSL:
                      ServerPrivateKeyAlias: DemoIdentity
                      ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@'
          SecurityConfiguration:
              Realm:
                  myrealm:
                      AuthenticationProvider:
                          My OpenLDAP authenticator:
                              OpenLDAPAuthenticator:
                                  ControlFlag: SUFFICIENT
                                  PropagateCauseForLoginException: True
                                  EnableGroupMembershipLookupHierarchyCaching: True
                                  Host: 'pg-openldap'
                                  Port: 636
                                  UserObjectClass: inetOrgPerson
                                  GroupHierarchyCacheTTL: 600
                                  SSLEnabled: True
                                  UserNameAttribute: cn
                                  Principal: 'cn=admin,dc=wlsoketest-ldap,dc=com'
                                  CredentialEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-secret:password@@'
                                  UserBaseDn: 'ou=people,dc=wlsoketest-ldap,dc=com'
                                  UserSearchScope: subtree
                                  UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))'
                                  GroupBaseDN: 'ou=groups,dc=wlsoketest-ldap,dc=com'
                                  StaticGroupObjectClass: groupofnames
                                  StaticGroupNameAttribute: cn
                                  StaticMemberDNAttribute: member
                                  StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))'
                                  UseRetrievedUserNameAsPrincipal: True
                                  KeepAliveEnabled: True
                                  GuidAttribute: entryuuid
                          DefaultAuthenticator:
                              DefaultAuthenticator:
                                  ControlFlag: SUFFICIENT
                          DefaultIdentityAsserter:
                              DefaultIdentityAsserter:
      
      
  6. Apply the model and archive to the running WebLogic Server domain.
    To run the update-domain CI/CD pipeline to update the running domain and add the Authentication Providers and custom keystores, complete the following steps:
    1. Sign in to the Jenkins console for your domain. See Access the Jenkins Console.
    2. On the Dashboard page, click update-domain.
    3. Click Build with Parameters.
    4. Select Shared File System from the Archive_Source list.
    5. For Archive_File_Location, browse to select the archive zip file or specify the path of the zip file on the shared file system.
    6. Select Shared File System from the Domain_Model_Source list.
    7. For Model_File_Location, browse to select the YAML file or specify the path of the YAML on the shared file system.
    8. Select None from the Variable_Source list.
    9. Select the Rollback_On_Failure check box if you want the job to roll back to the previous working domain image when the update fails (optional).

      If you deselect this check box, you can still roll back to the previous image later from the backup.

      The Rollback_On_Failure check box is selected by default.

    10. Click Build to run the Pipeline job.

Configure SSL with host name verifier

  1. In the model.yaml file, add the SSL configuration with custom HostnameVerifier class:

    • For a non-JRF domain, add the configuration in the admin server and the cluster template.

    • For a JRF domain, add the configuration in the admin server and in each managed server.

    Following is a sample model.yaml file for a non-JRF domain:

    topology:  
      Server:
        '@@ENV:RESOURCE_PREFIX@@-adminserver':
          SSL:
            OutboundCertificateValidation: BuiltinSSLValidationOnly
            HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
            InboundCertificateValidation: BuiltinSSLValidationOnly
      ServerTemplate:
        '@@ENV:RESOURCE_PREFIX@@-cluster-template':
          ListenPort: 8001
          Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster'
          SSL:
            ListenPort: 8100
            OutboundCertificateValidation: BuiltinSSLValidationOnly
            HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
            InboundCertificateValidation: BuiltinSSLValidationOnly

    Following is a sample model.yaml file for a JRF domain with 2 replicas:

    topology:
      Server:
        '@@ENV:RESOURCE_PREFIX@@-adminserver':
          SSL:
            OutboundCertificateValidation: BuiltinSSLValidationOnly
            HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
            InboundCertificateValidation: BuiltinSSLValidationOnly
        '@@ENV:RESOURCE_PREFIX@@-managed-server1':
          Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster'
          SSL:
            OutboundCertificateValidation: BuiltinSSLValidationOnly
            HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
            InboundCertificateValidation: BuiltinSSLValidationOnly
        '@@ENV:RESOURCE_PREFIX@@-managed-server2':
          Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster'
          SSL:
            OutboundCertificateValidation: BuiltinSSLValidationOnly
            HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
            InboundCertificateValidation: BuiltinSSLValidationOnly

    Note:

    You must augment the sample model.yaml based on the number of replicas. For example, for a JRF domain with 3 replicas, the model.yaml file must contain entries for @@ENV:RESOURCE_PREFIX@@-managed-server1, @@ENV:RESOURCE_PREFIX@@-managed-server2, and @@ENV:RESOURCE_PREFIX@@-managed-server3.
  2. Apply the model.yaml to the running WebLogic Server domain. See step 6 in Enable SSL Support in Model in Image.
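In a JRF domain both the keystore sample in Enable SSL Support and the host name verifier sample above need one stanza per server, and the note above says to add a stanza for every replica. The following Python script is an added example, not from this page or Oracle's tooling: it generates those stanzas for any replica count, combining the keystore settings and the host name verifier settings in one SSL block, and renders them as a model.yaml fragment. It assumes the page's server naming (@@ENV:RESOURCE_PREFIX@@-adminserver and -managed-serverN), the page's sample keystore paths, alias and secret names, and that the cluster is named @@ENV:RESOURCE_PREFIX@@-cluster; its small YAML writer handles only the nested string, integer and boolean values this model uses (use PyYAML for anything richer).

```python
# Added example (not from the Oracle page or Oracle tooling): generate the
# per-server model.yaml stanzas a JRF domain needs, for any replica count,
# combining the custom keystore settings and the host name verifier settings
# shown on this page.  Assumptions: server and cluster naming follow the page
# (@@ENV:RESOURCE_PREFIX@@-adminserver / -managed-serverN / -cluster), the
# paths, alias and secret names are the page's sample values, and the YAML
# writer below only handles nested dicts of strings, ints and bools.

KEYSTORE_ATTRS = {
    "KeyStores": "CustomIdentityAndCustomTrust",
    "CustomIdentityKeyStoreType": "jks",
    "CustomIdentityKeyStoreFileName": "/u01/shared/DemoIdentity.jks",
    "CustomIdentityKeyStorePassPhraseEncrypted": "@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@",
    "CustomTrustKeyStoreType": "jks",
    "CustomTrustKeyStoreFileName": "/u01/shared/myTrust.jks",
    "CustomTrustKeyStorePassPhraseEncrypted": "@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@",
}
SSL_ATTRS = {
    "ServerPrivateKeyAlias": "DemoIdentity",
    "ServerPrivateKeyPassPhraseEncrypted": "@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@",
    "OutboundCertificateValidation": "BuiltinSSLValidationOnly",
    "InboundCertificateValidation": "BuiltinSSLValidationOnly",
    "HostnameVerifier": "weblogic.security.utils.SSLWLSWildcardHostnameVerifier",
}
PREFIX = "@@ENV:RESOURCE_PREFIX@@"


def server_names(replicas):
    """Admin server followed by managed-server1..replicas."""
    if replicas < 1:
        raise ValueError("a JRF cluster needs at least one managed server")
    return [f"{PREFIX}-adminserver"] + [f"{PREFIX}-managed-server{i}" for i in range(1, replicas + 1)]


def jrf_topology(replicas):
    """Model dict with one fully configured stanza per server."""
    servers = {}
    for name in server_names(replicas):
        stanza = dict(KEYSTORE_ATTRS)
        if not name.endswith("-adminserver"):
            stanza["Cluster"] = f"{PREFIX}-cluster"  # managed servers belong to the cluster
        stanza["SSL"] = dict(SSL_ATTRS)
        servers[name] = stanza
    return {"topology": {"Server": servers}}


def _scalar(value):
    """Quote strings with single quotes (doubling any inside); ints and bools stay bare."""
    if isinstance(value, bool):
        return "True" if value else "False"
    if isinstance(value, int):
        return str(value)
    return "'" + str(value).replace("'", "''") + "'"


def to_yaml_lines(node, indent=0):
    """Render nested dicts as YAML; keys holding macro or YAML-special characters are quoted."""
    lines = []
    for key, value in node.items():
        shown = _scalar(key) if any(c in key for c in "@:#{}[]&*! ") else key
        if isinstance(value, dict):
            lines.append(f"{' ' * indent}{shown}:")
            lines.extend(to_yaml_lines(value, indent + 4))
        else:
            lines.append(f"{' ' * indent}{shown}: {_scalar(value)}")
    return lines


def render(replicas):
    """model.yaml fragment for the admin server plus `replicas` managed servers."""
    return "\n".join(to_yaml_lines(jrf_topology(replicas))) + "\n"


if __name__ == "__main__":
    print(render(3))  # adminserver + managed-server1..3
```

Redirect the output to a model.yaml and apply it with the update-domain job; when you scale out, rerun it with the new replica count and apply the result.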

Add a new OpenLDAP Authenticator to the Domain in Domain in Image

For Domain in Image, define the authenticators that you want to add to your WebLogic domain in a WDT model file, and then apply this model by using the update-domain pipeline job.

To identify a version that uses the Domain in Image source type, see the Supported Image column in Patches Included in Oracle WebLogic Server for OKE.

Important:

From Oracle WebLogic Server for OKE release 21.2.2 onwards, Domain in Image is deprecated.
  1. Create an OpenLDAP_authenticator.yaml file.
    The following model file defines an OpenLDAP authenticator that connects to an OpenLDAP server over plain LDAP, that is, with SSL disabled. It is based on the models presented in Modeling Security Providers.

    Note:

    The LDAP bind credential (CredentialEncrypted) must be stored encrypted in the model, as the '{AES}<encrypted_credential>' value in the example shows, and you need the encryption passphrase used to produce it when you run the update-domain pipeline job.
    Example of an OpenLDAP_authenticator.yaml file:
    topology:
        SecurityConfiguration:
            Realm:
                myrealm:
                    AuthenticationProvider:
                        My OpenLDAP authenticator:
                            OpenLDAPAuthenticator:
                                ControlFlag: SUFFICIENT
                                PropagateCauseForLoginException: True
                                EnableGroupMembershipLookupHierarchyCaching: True
                                Host: myldap.example.com
                                Port: 389
                                UserObjectClass: inetOrgPerson
                                GroupHierarchyCacheTTL: 600
                                SSLEnabled: False
                                UserNameAttribute: cn
                                Principal: 'cn=foo,ou=users,dc=example,dc=com'
                                CredentialEncrypted: '{AES}<encrypted_credential>'
                                UserBaseDn: 'ou=users,dc=example,dc=com'
                                UserSearchScope: subtree
                                UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))'
                                GroupBaseDN: 'ou=groups,dc=example,dc=com'
                                StaticGroupObjectClass: groupofnames
                                StaticGroupNameAttribute: cn
                                StaticMemberDNAttribute: member
                                StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))'
                                UseRetrievedUserNameAsPrincipal: True
                                KeepAliveEnabled: True
                                GuidAttribute: uuid
                        DefaultAuthenticator:
                            DefaultAuthenticator:
                                ControlFlag: SUFFICIENT
                        DefaultIdentityAsserter:
                            DefaultIdentityAsserter:

    To keep DefaultAuthenticator and DefaultIdentityAsserter while changing or adding providers, you must specify them in the model, with any non-default attributes, as in the example; providers that are absent from the AuthenticationProvider list are not retained. The order of the providers in the model is the order in which they are set in the WebLogic security configuration. Leaving DefaultAuthenticator as SUFFICIENT means the WebLogic administrator account in the embedded LDAP can still authenticate when the OpenLDAP server is unreachable. See Modeling Security Providers.

  2. Run the update-domain pipeline job to add the authenticators. See Update the Domain Configuration.

Enable SSL Support in Domain in Image

For Domain in Image, enabling SSL support requires a few additional steps. You configure both a trust keystore and an identity keystore: only the trust keystore (holding the CA certificate of the LDAP server) is needed for a one-way SSL connection to the LDAP server, but the CustomIdentityAndCustomTrust keystore configuration used here has no custom-trust-only variant, so an identity keystore must exist as well. You must also configure SSL with the host name verifier.

To identify a version that uses the Domain in Image source type, see the Supported Image column in Patches Included in Oracle WebLogic Server for OKE.

Important:

From Oracle WebLogic Server for OKE release 21.2.2 onwards, Domain in Image is deprecated.
  1. Obtain the root Certificate Authority (CA) certificate for the LDAP server.
  2. Create a trust keystore from that certificate or, if you already have a trust keystore, import the certificate into it.

    Following is an example that creates the keystore myTrust.jks containing the root CA certificate rootca.pem, by using the keytool command:

    keytool -import -keystore ./myTrust.jks -trustcacerts -alias oidtrust -file rootca.pem -storepass TrustKeystorePwd -noprompt
    Passing -storepass on the command line leaves the password in your shell history; omit the option and keytool prompts for it instead.
  3. Create an identity keystore, if you do not already have one.
    Following is an example that generates a self-signed key pair in a new identity keystore. The keystore file name and the alias you choose here are what CustomIdentityKeyStoreFileName and, where set, ServerPrivateKeyAlias must reference in the model:
    keytool -genkeypair -alias server_cert -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "CN=example.com,OU=Support,O=Example,L=Reading,ST=Berkshire,C=GB" -keystore ./myIdentity.jks
    
  4. Create an archive file with the trust and identity keystores that will be configured in the admin and managed servers.

    Following is a sample of the contents of the archive file:

    $ unzip -l archive.zip
    Archive:  archive.zip
      Length      Date    Time    Name
    ---------  ---------- -----   ----
            0  11-25-2020 17:22   wlsdeploy/
            0  11-25-2020 17:18   wlsdeploy/servers/
            0  11-25-2020 19:35   wlsdeploy/servers/myoke-adminserver/
         2337  11-25-2020 00:49   wlsdeploy/servers/myoke-adminserver/myIdentity.jks
          853  11-25-2020 00:47   wlsdeploy/servers/myoke-adminserver/myTrust.jks
    ---------                     -------
         3190                     5 files
  5. Create a model.yaml file specifying the OpenLDAP Authentication Provider with SSL enabled, the DefaultAuthenticator and DefaultIdentityAsserter, and the custom keystores for the admin server and for the servers that are part of the dynamic cluster configured in the domain.

    Note:

    The LDAP bind credential and the keystore passphrases must be stored encrypted in the model ('{AES}...' values); you need the encryption passphrase when you run the update-domain job. For information, see Update the Domain Configuration.
    • Following is a sample of the model.yaml file for a non-JRF domain:
      topology:
          Server:
              'myoke-adminserver':
                  KeyStores: CustomIdentityAndCustomTrust
                  CustomIdentityKeyStoreType: jks
                  CustomIdentityKeyStoreFileName: 'wlsdeploy/servers/myoke-adminserver/myIdentity.jks'
                  CustomIdentityKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>'
                  CustomTrustKeyStoreType: jks
                  CustomTrustKeyStoreFileName: 'wlsdeploy/servers/myoke-adminserver/myTrust.jks'
                  CustomTrustKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>'
          ServerTemplate:
              'myoke-cluster-template':
                  KeyStores: CustomIdentityAndCustomTrust
                  CustomIdentityKeyStoreType: jks
                  CustomIdentityKeyStoreFileName: 'wlsdeploy/servers/myoke-adminserver/myIdentity.jks'
                  CustomIdentityKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>'
                  CustomTrustKeyStoreType: jks
                  CustomTrustKeyStoreFileName: 'wlsdeploy/servers/myoke-adminserver/myTrust.jks'
                  CustomTrustKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>'
          SecurityConfiguration:
              Realm:
                  myrealm:
                      AuthenticationProvider:
                          My OpenLDAP authenticator:
                              OpenLDAPAuthenticator:
                                  ControlFlag: SUFFICIENT
                                  PropagateCauseForLoginException: True
                                  EnableGroupMembershipLookupHierarchyCaching: True
                                  Host: myldap.example.com
                                  Port: 636
                                  UserObjectClass: inetOrgPerson
                                  GroupHierarchyCacheTTL: 600
                                  SSLEnabled: True
                                  UserNameAttribute: cn
                                  Principal: 'cn=foo,ou=users,dc=example,dc=com'
                                  CredentialEncrypted: '{AES}<encrypted_credential>'
                                  UserBaseDn: 'ou=users,dc=example,dc=com'
                                  UserSearchScope: subtree
                                  UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))'
                                  GroupBaseDN: 'ou=groups,dc=example,dc=com'
                                  StaticGroupObjectClass: groupofnames
                                  StaticGroupNameAttribute: cn
                                  StaticMemberDNAttribute: member
                                  StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))'
                                  UseRetrievedUserNameAsPrincipal: True
                                  KeepAliveEnabled: True
                                  GuidAttribute: uuid
                          DefaultAuthenticator:
                              DefaultAuthenticator:
                                  ControlFlag: SUFFICIENT
                          DefaultIdentityAsserter:
                              DefaultIdentityAsserter:
    • Following is a sample of the model.yaml file for a JRF domain:

      Note:

      • If you want the LDAP SSL authenticator to work on the managed servers, update the model yaml file with the custom identity and trust keystore values for each server in the cluster.
      • If you scale out the cluster, update the domain again with the update-domain job, providing a yaml file with the contents listed in the sample and the name of the new managed server. You do not have to repeat the SecurityConfiguration details.
      topology:
          Server:
              'wlsoke-adminserver':
                  KeyStores: CustomIdentityAndCustomTrust
                  CustomIdentityKeyStoreType: jks
                  CustomIdentityKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/DemoIdentity.jks'
                  CustomIdentityKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>'
                  CustomTrustKeyStoreType: jks
                  CustomTrustKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/myTrust.jks'
                  CustomTrustKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>'
              'wlsoke-managed-server1':
                  KeyStores: CustomIdentityAndCustomTrust
                  CustomIdentityKeyStoreType: jks
                  CustomIdentityKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/DemoIdentity.jks'
                  CustomIdentityKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>'
                  CustomTrustKeyStoreType: jks
                  CustomTrustKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/myTrust.jks'
                  CustomTrustKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>'
              'wlsoke-managed-server2':
                  KeyStores: CustomIdentityAndCustomTrust
                  CustomIdentityKeyStoreType: jks
                  CustomIdentityKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/DemoIdentity.jks'
                  CustomIdentityKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>'
                  CustomTrustKeyStoreType: jks
                  CustomTrustKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/myTrust.jks'
                  CustomTrustKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>'
         SecurityConfiguration:
              Realm:
                  myrealm:
                      AuthenticationProvider:
                          My OpenLDAP authenticator:
                              OpenLDAPAuthenticator:
                                  ControlFlag: SUFFICIENT
                                  PropagateCauseForLoginException: True
                                  EnableGroupMembershipLookupHierarchyCaching: True
                                  Host: myldap.example.com
                                  Port: 636
                                  UserObjectClass: inetOrgPerson
                                  GroupHierarchyCacheTTL: 600
                                  SSLEnabled: True
                                  UserNameAttribute: cn
                                  Principal: 'cn=foo,ou=users,dc=example,dc=com'
                                  CredentialEncrypted: '{AES}<encrypted_credential>'
                                  UserBaseDn: 'ou=users,dc=example,dc=com'
                                  UserSearchScope: subtree
                                  UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))'
                                  GroupBaseDN: 'ou=groups,dc=wlsoketest-ldap,dc=com'
                                  StaticGroupObjectClass: groupofnames
                                  StaticGroupNameAttribute: cn
                                  StaticMemberDNAttribute: member
                                  StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))'
                                  UseRetrievedUserNameAsPrincipal: True
                                  KeepAliveEnabled: True
                                  GuidAttribute: uuid
                          DefaultAuthenticator:
                              DefaultAuthenticator:
                                  ControlFlag: SUFFICIENT
                          DefaultIdentityAsserter:
                              DefaultIdentityAsserter:
  6. Apply the model and archive to the running WebLogic Server domain.
    To run the update-domain CI/CD pipeline to update the running domain and add the Authentication Providers and custom keystores, complete the following steps:
    1. Sign in to the Jenkins console for your domain. See Access the Jenkins Console.
    2. On the Dashboard page, click update-domain.
    3. Click Build with Parameters.
    4. Select Shared File System from the Archive_Source list.
    5. For Archive_File_Location, browse to select the archive zip file or specify the path of the zip file on the shared file system.
    6. Select Shared File System from the Domain_Model_Source list.
    7. For Model_File_Location, browse to select the YAML file or specify the path of the YAML on the shared file system.
    8. Select None from the Variable_Source list.
    9. For Encryption_Passphrase, enter the encryption passphrase to encrypt the passwords in the model YAML or the variable properties file.
    10. Select the Rollback_On_Failure check box if you do not want to roll back to the previous working domain image (optional).

      If you deselect this check box, you can roll back to the previous image later from the backup.

      The Rollback_On_Failure check box is selected by default.

    11. Click Build to run the Pipeline job.
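
Because a misconfigured provider only shows up after the update-domain job has rebuilt the image (and possibly rolled it back), it pays to lint the OpenLDAPAuthenticator block before clicking Build. The following Python script is an added example, not Oracle's or WebLogic Deploy Tooling's code. It holds the attributes of the sample model above in a plain dict (constructed here, so no YAML parser or LDAP server is needed), reports the checks a practitioner wants before applying the model (SSL versus port, a valid ControlFlag, a placeholder still in CredentialEncrypted, filters that do not use the configured name or member attribute, and user and group base DNs in different naming contexts, which is the case in the sample above where users sit under dc=example,dc=com and groups under dc=wlsoketest-ldap,dc=com), and expands UserFromNameFilter with RFC 4515 escaping the way a login-time search would, so the result can be handed to ldapsearch against your server. The helper names (lint_authenticator, user_search_filter, escape_filter_value) are this example's own.

```python
"""Pre-flight lint for the OpenLDAPAuthenticator block of a WDT model.

Added example; it is not Oracle's or WebLogic Deploy Tooling's code. The
authenticator attributes are held in a plain Python dict (constructed below
from the page's sample) so the check runs without a YAML parser or an LDAP
server. Filter templates use WebLogic's %u / %M substitution tokens.
"""
from typing import Dict, List

# Constructed from the sample model on the page; the values are the page's own.
SAMPLE_AUTHENTICATOR: Dict[str, object] = {
    "ControlFlag": "SUFFICIENT",
    "Host": "myldap.example.com",
    "Port": 636,
    "SSLEnabled": True,
    "UserNameAttribute": "cn",
    "Principal": "cn=foo,ou=users,dc=example,dc=com",
    "CredentialEncrypted": "{AES}<encrypted_credential>",
    "UserBaseDn": "ou=users,dc=example,dc=com",
    "UserFromNameFilter": "(&(cn=%u)(objectclass=inetOrgPerson))",
    "GroupBaseDN": "ou=groups,dc=wlsoketest-ldap,dc=com",
    "StaticMemberDNAttribute": "member",
    "StaticGroupDNsfromMemberDNFilter": "(&(member=%M)(objectclass=groupofnames))",
}

# JAAS control flags WebLogic accepts for an authentication provider.
_CONTROL_FLAGS = ("REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a login name cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def dn_suffix(dn: str) -> str:
    """Return the dc= components of a DN, lower-cased, for naming-context comparison."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))


def user_search_filter(auth: Dict[str, object], username: str) -> str:
    """Expand UserFromNameFilter the way WebLogic does, with the name escaped."""
    return str(auth["UserFromNameFilter"]).replace("%u", escape_filter_value(username))


def lint_authenticator(auth: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means nothing was detected."""
    findings: List[str] = []
    port = int(auth.get("Port", 389))
    ssl = bool(auth.get("SSLEnabled", False))
    if not ssl:
        findings.append("SSLEnabled is False: bind credential and user passwords travel in clear text")
    elif port == 389:
        findings.append("SSLEnabled is True but Port is 389 (the plain-LDAP default); LDAPS normally uses 636")
    if auth.get("ControlFlag") not in _CONTROL_FLAGS:
        findings.append("ControlFlag must be one of %s" % ", ".join(_CONTROL_FLAGS))
    cred = str(auth.get("CredentialEncrypted", ""))
    if not cred.startswith("{AES}"):
        findings.append("CredentialEncrypted is not a WDT-encrypted {AES} value")
    elif "<" in cred or ">" in cred:
        findings.append("CredentialEncrypted still contains the <encrypted_credential> placeholder")
    name_attr = str(auth.get("UserNameAttribute", ""))
    if name_attr and "(%s=%%u)" % name_attr not in str(auth.get("UserFromNameFilter", "")):
        findings.append("UserFromNameFilter does not match on UserNameAttribute '%s' with %%u" % name_attr)
    member_attr = str(auth.get("StaticMemberDNAttribute", ""))
    if member_attr and "(%s=%%M)" % member_attr not in str(auth.get("StaticGroupDNsfromMemberDNFilter", "")):
        findings.append("StaticGroupDNsfromMemberDNFilter does not match on '%s' with %%M" % member_attr)
    user_base = str(auth.get("UserBaseDn", ""))
    group_base = str(auth.get("GroupBaseDN", ""))
    if user_base and group_base and dn_suffix(user_base) != dn_suffix(group_base):
        findings.append("UserBaseDn (%s) and GroupBaseDN (%s) are in different naming contexts; group lookups will miss"
                        % (dn_suffix(user_base), dn_suffix(group_base)))
    return findings


if __name__ == "__main__":
    for finding in lint_authenticator(SAMPLE_AUTHENTICATOR):
        print("WARN:", finding)
    print(user_search_filter(SAMPLE_AUTHENTICATOR, "alice"))
```

Run against the sample above, the script reports the unreplaced credential placeholder and the base-DN mismatch; once both are corrected it reports nothing. The expanded filter is the same string the authenticator sends at login, so testing it with ldapsearch under the configured Principal confirms that the bind account can actually see the user entries before the pipeline is run.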

Configure SSL with host name verifier

  1. In the model.yaml file, add the SSL configuration with custom HostnameVerifier class:

    • For a non-JRF domain, add the configuration in the admin server and the cluster template.

    • For a JRF domain, add the configuration in the admin server and the managed servers.

    Following is a sample model.yaml file for a non-JRF domain:

    topology:
      Server:
        '@@ENV:RESOURCE_PREFIX@@-adminserver':
          SSL:
            OutboundCertificateValidation: BuiltinSSLValidationOnly
            HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
            InboundCertificateValidation: BuiltinSSLValidationOnly
      ServerTemplate:
        '@@ENV:RESOURCE_PREFIX@@-cluster-template':
          ListenPort: 8001
          Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster'
          SSL:
            ListenPort: 8100
            OutboundCertificateValidation: BuiltinSSLValidationOnly
            HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
            InboundCertificateValidation: BuiltinSSLValidationOnly

    Following is a sample model.yaml file for a JRF domain with 2 replicas:

    topology:
      Server:
        '@@ENV:RESOURCE_PREFIX@@-adminserver':
          SSL:
            OutboundCertificateValidation: BuiltinSSLValidationOnly
            HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
            InboundCertificateValidation: BuiltinSSLValidationOnly
        '@@ENV:RESOURCE_PREFIX@@-managed-server1':
          Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster'
          SSL:
            OutboundCertificateValidation: BuiltinSSLValidationOnly
            HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
            InboundCertificateValidation: BuiltinSSLValidationOnly
        '@@ENV:RESOURCE_PREFIX@@-managed-server2':
          Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster'
          SSL:
            OutboundCertificateValidation: BuiltinSSLValidationOnly
            HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier
            InboundCertificateValidation: BuiltinSSLValidationOnly

    Note:

    You must augment the sample model.yaml based on the number of replicas. For example, for a JRF domain with 3 replicas, the sample model.yaml file must contain entries for @@ENV:RESOURCE_PREFIX@@-managed-server1, @@ENV:RESOURCE_PREFIX@@-managed-server2, and @@ENV:RESOURCE_PREFIX@@-managed-server3.
  2. Apply the model.yaml to the running WebLogic Server domain. See step 6 in Enable SSL Support in Domain in Image.
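
Hand-editing the JRF model for each replica count is where indentation slips in: a managed-server key indented one level too far becomes a child of the admin server and is silently ignored rather than rejected. The following Python script is an added example, not Oracle's or WebLogic Deploy Tooling's code. It builds the same topology the sample above shows for any replica count, emits it as WDT-style YAML with a small emitter of its own (so no YAML library is needed), and then checks both the dict and the emitted text: every server must carry the wildcard HostnameVerifier and BuiltinSSLValidationOnly on both sides, the number of managed-server entries must equal the replica count, and all server-name keys must sit at the same indent. The replica count is a constructed input; the server names use the page's @@ENV:RESOURCE_PREFIX@@ token, and the helper names (jrf_ssl_model, to_yaml, check_model, server_key_indents) are this example's own.

```python
"""Generate and sanity-check the SSL / HostnameVerifier model for a JRF domain.

Added example, not Oracle's or WebLogic Deploy Tooling's code. It builds the
topology the page's sample shows for N replicas, emits WDT-style YAML with a
minimal emitter (no YAML library needed), and checks the result so that
managed-server keys cannot end up nested under the admin server. The replica
count is a constructed input; server names use the page's
'@@ENV:RESOURCE_PREFIX@@' token.
"""
from typing import Any, Dict, List, Set

PREFIX = "@@ENV:RESOURCE_PREFIX@@"
HOSTNAME_VERIFIER = "weblogic.security.utils.SSLWLSWildcardHostnameVerifier"
VALIDATION = "BuiltinSSLValidationOnly"


def ssl_block() -> Dict[str, str]:
    """The SSL attributes applied to every server, as in the page's sample."""
    return {
        "OutboundCertificateValidation": VALIDATION,
        "HostnameVerifier": HOSTNAME_VERIFIER,
        "InboundCertificateValidation": VALIDATION,
    }


def jrf_ssl_model(replicas: int) -> Dict[str, Any]:
    """Admin server plus one managed-server entry per replica, all siblings under Server."""
    if replicas < 1:
        raise ValueError("a JRF domain needs at least one replica")
    servers: Dict[str, Any] = {PREFIX + "-adminserver": {"SSL": ssl_block()}}
    for i in range(1, replicas + 1):
        servers[PREFIX + "-managed-server%d" % i] = {
            "Cluster": PREFIX + "-cluster",
            "SSL": ssl_block(),
        }
    return {"topology": {"Server": servers}}


def to_yaml(node: Dict[str, Any], indent: int = 0) -> str:
    """Minimal block-style YAML emitter: nested dicts and scalars, WDT tokens quoted."""
    lines: List[str] = []
    pad = "  " * indent
    for key, value in node.items():
        k = "'%s'" % key if "@" in key else key
        if isinstance(value, dict):
            lines.append("%s%s:" % (pad, k))
            lines.append(to_yaml(value, indent + 1))
        else:
            v = "'%s'" % value if "@" in str(value) else str(value)
            lines.append("%s%s: %s" % (pad, k, v))
    return "\n".join(lines)


def server_key_indents(yaml_text: str) -> Set[int]:
    """Indent widths of every server-name key; a correct model yields exactly one width."""
    indents: Set[int] = set()
    for line in yaml_text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith("'" + PREFIX + "-") and stripped.endswith("':"):
            indents.add(len(line) - len(stripped))
    return indents


def check_model(model: Dict[str, Any], replicas: int) -> List[str]:
    """Findings against the dict form: replica count and verifier on every server."""
    findings: List[str] = []
    servers = model["topology"]["Server"]
    managed = [n for n in servers if "-managed-server" in n]
    if len(managed) != replicas:
        findings.append("expected %d managed servers, found %d" % (replicas, len(managed)))
    for name, cfg in servers.items():
        ssl = cfg.get("SSL", {})
        if ssl.get("HostnameVerifier") != HOSTNAME_VERIFIER:
            findings.append("%s: HostnameVerifier missing or not the wildcard verifier" % name)
        for attr in ("InboundCertificateValidation", "OutboundCertificateValidation"):
            if ssl.get(attr) != VALIDATION:
                findings.append("%s: %s is not %s" % (name, attr, VALIDATION))
    return findings


if __name__ == "__main__":
    model = jrf_ssl_model(3)
    print(to_yaml(model))
    print("findings:", check_model(model, 3))
    print("server key indents:", server_key_indents(to_yaml(model)))
```

The emitted text for three replicas is the model.yaml the note above asks for, with managed-server1 through managed-server3 as siblings of the admin server. If you edit a generated or hand-written model afterwards, server_key_indents on the file contents is a quick way to confirm that no server key has drifted a level deeper than the others before step 2 applies the model.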

Verify the Authenticator

Verify that the authentication provider is created successfully and the expected LDAP provider users and groups are synced.