Authenticate by using an External LDAP Server
This section describes the steps required to add authenticators for external systems, like OpenLDAP. This helps you to use the groups and users defined in the system for your applications deployed in the Oracle WebLogic Server for OKE domain. Also, it provides information about how to use an OpenLDAP server.
In Oracle WebLogic Server for OKE, you cannot add users and groups to the WebLogic embedded LDAP server for your applications. As the embedded LDAP has limited use when using the domain home in the image model, if you add users to the embedded LDAP through the Administration console, the users are not persisted in the image and disappear when you restart the admin server pod. Also, it is not recommended to change the domain from the administration console.
Prerequisites
Before you authenticate by using an external LDAP sever, ensure that you have completed the required prerequisites.
- You must have created a domain with Oracle WebLogic Server for OKE instance. See Create a Domain with Oracle WebLogic Server for OKE.
- You must have an OpenLDAP server, which is ready to use.
The OpenLDAP server must be accessible from the Oracle WebLogic Server for OKE nodes, where your WebLogic domain is running and from the admin host. That is, OpenLDAP server must connect to the OpenLDAP host (either by name or IP address) and use the port where the LDAP server is listening.
Default ports are
389
for LDAP and636
for LDAPS (LDAP over SSL).If the LDAP server is on premises, then connect the VCN where the stack was created with your datacenter, by using either FastConnect or VPN connect. See Access to Your On-Premises Network.
Add a new OpenLDAP Authenticator to the Domain in Model in Image
For Model in Image, define the authenticators that you want to
add to your WebLogic domain in a WDT model file, and then apply this model by using the
update-domain
pipeline job.
To identify a version that uses the Model in Image source type, see the Supported Image column in Patches Included in Oracle WebLogic Server for OKE.
- Create an
OpenLDAP_authenticator.yaml
file.The following is an example of a model file specifying an OpenLDAP authenticator and helps to connect to an OpenLDAP server by using LDAP protocol, that is with SSL disabled. This model is based on the models presented in Modeling Security Providers.Note:
You must create a secret for the administrator password, and you use this secret when you run theupdate-domain
pipeline job.Example of anOpenLDAP_authenticator.yaml
file:topology: SecurityConfiguration: Realm: myrealm: AuthenticationProvider: My OpenLDAP authenticator: OpenLDAPAuthenticator: ControlFlag: SUFFICIENT PropagateCauseForLoginException: True EnableGroupMembershipLookupHierarchyCaching: True Host: myldap.example.com Port: 389 UserObjectClass: inetOrgPerson GroupHierarchyCacheTTL: 600 SSLEnabled: False UserNameAttribute: cn Principal: 'cn=foo,ou=users,dc=example,dc=com' CredentialEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-secret:password@@' UserBaseDn: 'ou=users,dc=example,dc=com' UserSearchScope: subtree UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))' GroupBaseDN: 'ou=groups,dc=example,dc=com' StaticGroupObjectClass: groupofnames StaticGroupNameAttribute: cn StaticMemberDNAttribute: member StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))' UseRetrievedUserNameAsPrincipal: True KeepAliveEnabled: True GuidAttribute: uuid DefaultAuthenticator: DefaultAuthenticator: ControlFlag: SUFFICIENT DefaultIdentityAsserter: DefaultIdentityAsserter:
In order to keep
DefaultAuthenticator
andDefaultIdentityAsserter
while changing or adding providers, they must be specified in the model with any non-default attributes, as in the example. The order of providers in the model will be the order the providers set in the WebLogic security configuration. See Modeling Security Providers. - Run the
update-domain
pipeline job to add the authenticators. See Update the Domain Configuration.
Enable SSL Support in Model in Image
For Model in Image, to enable SSL support, you need to perform a few additional steps. Here you need to configure both a trust keystore and an identity keystore, although only trust keystore is required for one-way SSL connection to the LDAP server. You must also configure SSL with the host name verifier.
To identify a version that uses the Model in Image source type, see the Supported Image column in Patches Included in Oracle WebLogic Server for OKE.
- Obtain the root Certificate Authority (CA) certificate for the LDAP server.
- Create a trust keystore by using the preceding certificate or if you
already have an existing trust keystore, import the certificate to the trust
keystore.
Following is an example to create the keystore myTrust.jks with the root CA certificate
rootca.pem
, by using thekeytool
command:keytool -import -keystore ./myTrust.jks -trustcacerts -alias oidtrust -file rootca.pem -storepass TrustKeystorePwd -noprompt
- Create an identity keystore, if you do not have an existing
identity keystore.
Following is an example to create the identity keystore:
keytool -genkeypair -alias server_cert -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "CN=example.com,OU=Support,O=Example,L=Reading,ST=Berkshire,C=GB" -keystore ./myIdentity.jks
- Copy the trust and identity keystores to the
u01
shared location, and specify the location of these files in themodel.yaml
file. - Create a
model.yaml
file, specifying the OpenLDP Authentication Provider with SSL enabled, theDefaultAuthenticator
andDefaultIdentityAsserter
information, and the custom keystores for admin server and the servers that are part of the dynamic cluster configured in the domain.Note:
You must create a secret for the administrator password, and provide this secret in the
model.yaml
file; this secret is used when you run theupdate-domain
job. For information see, Update the Domain Configuration.You must use ENV macros for server names as specified in the following
model.yaml
example files for non-JRF anf JRFdomain.-
Following is a sample of the
model.yaml
file for a non-JRF domain:In this
model.yaml
file,ServerPrivateKeyAlias
, refers to the alias used when you created theDemoIdentity
keystore andServerPrivateKeyPassPhraseEncrypted
refers to the password set forServerPrivateKeyAlias
.topology: Server: '@@ENV:RESOURCE_PREFIX@@-adminserver': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@' SSL: ServerPrivateKeyAlias: DemoIdentity ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@' ServerTemplate: '@@ENV:RESOURCE_PREFIX@@-cluster-template': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@' SSL: ServerPrivateKeyAlias: DemoIdentity ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@' SecurityConfiguration: Realm: myrealm: AuthenticationProvider: My OpenLDAP authenticator: OpenLDAPAuthenticator: ControlFlag: SUFFICIENT PropagateCauseForLoginException: True EnableGroupMembershipLookupHierarchyCaching: True Host: 'pg-openldap' Port: 636 UserObjectClass: inetOrgPerson GroupHierarchyCacheTTL: 600 SSLEnabled: True UserNameAttribute: cn Principal: 'cn=admin,dc=wlsoketest-ldap,dc=com' CredentialEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-secret:password@@' UserBaseDn: 'ou=people,dc=wlsoketest-ldap,dc=com' UserSearchScope: subtree UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))' GroupBaseDN: 'ou=groups,dc=wlsoketest-ldap,dc=com' StaticGroupObjectClass: groupofnames StaticGroupNameAttribute: cn StaticMemberDNAttribute: member StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))' UseRetrievedUserNameAsPrincipal: True KeepAliveEnabled: True GuidAttribute: entryuuid DefaultAuthenticator: DefaultAuthenticator: ControlFlag: SUFFICIENT DefaultIdentityAsserter: DefaultIdentityAsserter:
-
Following is a sample of the
model.yaml
file for a JRF domain:In this
model.yaml
file,ServerPrivateKeyAlias
, refers to the alias used when you created theDemoIdentity
keystore andServerPrivateKeyPassPhraseEncrypted
refers to the password set forServerPrivateKeyAlias
.Note:
- If you want to add the LDAP SSL Authenticator to managed servers, then update the model yaml file with the custom identity trust and keystore values to each server in the cluster.
- If you scale-out the cluster, then
update the domain with the
update-domain
job. You need to provide the yaml file containing the contents, as listed in the sample yaml file, with the name of the scaled-out managed server. However, you do not have to update theSecurityConfiguration
details.
topology: Server: '@@ENV:RESOURCE_PREFIX@@-adminserver': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@' SSL: ServerPrivateKeyAlias: DemoIdentity ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@' '@@ENV:RESOURCE_PREFIX@@-managed-server1': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@' SSL: ServerPrivateKeyAlias: DemoIdentity ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@' '@@ENV:RESOURCE_PREFIX@@-managed-server2': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@' SSL: ServerPrivateKeyAlias: DemoIdentity ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@' SecurityConfiguration: Realm: myrealm: AuthenticationProvider: My OpenLDAP authenticator: OpenLDAPAuthenticator: ControlFlag: SUFFICIENT PropagateCauseForLoginException: True EnableGroupMembershipLookupHierarchyCaching: True Host: 'pg-openldap' Port: 636 UserObjectClass: inetOrgPerson GroupHierarchyCacheTTL: 600 SSLEnabled: True UserNameAttribute: cn Principal: 'cn=admin,dc=wlsoketest-ldap,dc=com' CredentialEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-secret:password@@' UserBaseDn: 'ou=people,dc=wlsoketest-ldap,dc=com' UserSearchScope: subtree UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))' GroupBaseDN: 'ou=groups,dc=wlsoketest-ldap,dc=com' StaticGroupObjectClass: groupofnames StaticGroupNameAttribute: cn StaticMemberDNAttribute: member StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))' UseRetrievedUserNameAsPrincipal: True KeepAliveEnabled: True GuidAttribute: entryuuid DefaultAuthenticator: DefaultAuthenticator: ControlFlag: SUFFICIENT DefaultIdentityAsserter: DefaultIdentityAsserter:
-
- Apply the model and archive to the
running WebLogic Server domain.
To run the
update-domain
CI/CD pipeline to update the running domain and add the Authentication Providers and custom keystores, complete the following steps:- Sign in to the Jenkins console for your domain. See Access the Jenkins Console.
- On the Dashboard page, click update-domain.
- Click Build with Parameters.
- Select Shared File System from the Archive_Source list.
- For Archive_File_Location, browse to select the archive zip file or specify the path of the zip file on the shared file system.
- Select Shared File System from the Domain_Model_Source list.
- For Model_File_Location, browse to select the YAML file or specify the path of the YAML on the shared file system.
- Select None from the Variable_Source list.
- Select the Rollback_On_Failure
check box if you do not want to rollback to the previous working
domain image (optional).
If you deselected this check box, you can rollback to the previous image later from the backup.
The Rollback_On_Failure check box is selected by default.
- Click Build to run the Pipeline job.
Configure SSL with host name verifier
-
In the
model.yaml
file, add the SSL configuration with customHostnameVerifier
class:-
For a non-JRF domain, add the configuration in the admin server and the cluster template.
-
For a JRF domain, add the configuration in the admin sever and managed server.
Following is a sample
model.yaml
file for a non-JRF domain:topology: Server: '@@ENV:RESOURCE_PREFIX@@-adminserver': SSL: OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly ServerTemplate: '@@ENV:RESOURCE_PREFIX@@-cluster-template': ListenPort: 8001 Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster' SSL: ListenPort: 8100 OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly
Following is a sample
model.yaml
file for a JRF domain with 2 replicas:topology: Server: '@@ENV:RESOURCE_PREFIX@@-adminserver': SSL: OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly '@@ENV:RESOURCE_PREFIX@@-managed-server1': Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster' SSL: OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly '@@ENV:RESOURCE_PREFIX@@-managed-server2': Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster' SSL: OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly
Note:
You must augment the samplemodel.yaml
based on the number of replicas. For example, in case of a JRF domain with 3 replicas, in the samplemodel.yaml
file, you must add@ENV:RESOURCE_PREFIX@@-managed-server1
,@ENV:RESOURCE_PREFIX@@-managed-server2
, and@ENV:RESOURCE_PREFIX@@-managedserver3
. -
-
Apply the
model.yaml
to the running WebLogic Server domain. See step 6 in Enable SSL Support in Model in Image.
Add a new OpenLDAP Authenticator to the Domain in Domain in Image
For Domain in Image, define the authenticators that you want to
add to your WebLogic domain in a WDT model file, and then apply this model by using the
update-domain
pipeline job.
Important:
From Oracle WebLogic Server for OKE release 21.2.2 onwards, Domain in Image is deprecated.- Create an
OpenLDAP_authenticator.yaml
file.The following is an example of a model file specifying an OpenLDAP authenticator and helps to connect to an OpenLDAP server by using LDAP protocol, that is with SSL disabled. This model is based on the models presented in Modeling Security Providers.Note:
The admin user credentials need to be encrypted. And, you will need the encryption password when you run theupdate-domain
pipeline job.Example of anOpenLDAP_authenticator.yaml
file:topology: SecurityConfiguration: Realm: myrealm: AuthenticationProvider: My OpenLDAP authenticator: OpenLDAPAuthenticator: ControlFlag: SUFFICIENT PropagateCauseForLoginException: True EnableGroupMembershipLookupHierarchyCaching: True Host: myldap.example.com Port: 389 UserObjectClass: inetOrgPerson GroupHierarchyCacheTTL: 600 SSLEnabled: False UserNameAttribute: cn Principal: 'cn=foo,ou=users,dc=example,dc=com' CredentialEncrypted: '{AES}<encrypted_credential>' UserBaseDn: 'ou=users,dc=example,dc=com' UserSearchScope: subtree UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))' GroupBaseDN: 'ou=groups,dc=example,dc=com' StaticGroupObjectClass: groupofnames StaticGroupNameAttribute: cn StaticMemberDNAttribute: member StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))' UseRetrievedUserNameAsPrincipal: True KeepAliveEnabled: True GuidAttribute: uuid DefaultAuthenticator: DefaultAuthenticator: ControlFlag: SUFFICIENT DefaultIdentityAsserter: DefaultIdentityAsserter:
In order to keep
DefaultAuthenticator
andDefaultIdentityAsserter
while changing or adding providers, they must be specified in the model with any non-default attributes, as in the example. The order of providers in the model will be the order the providers set in the WebLogic security configuration. See Modeling Security Providers. - Run the
update-domain
pipeline job to add the authenticators. See Update the Domain Configuration.
Enable SSL Support in Domain in Image
For Domain in Image, to enable SSL support, you need to perform a few additional steps. Here you need to configure both a trust keystore and an identity keystore, although only trust keystore is required for one-way SSL connection to the LDAP server. You must also configure SSL with the host name verifier.
Important:
From Oracle WebLogic Server for OKE release 21.2.2 onwards, Domain in Image is deprecated.- Obtain the root Certificate Authority (CA) certificate for the LDAP server.
- Create a trust keystore by using the preceding certificate or if
you already have an existing trust keystore, import the certificate to the
trust keystore.
Following is an example to create the keystore myTrust.jks with the root CA certificate
rootca.pem
, by using thekeytool
command:keytool -import -keystore ./myTrust.jks -trustcacerts -alias oidtrust -file rootca.pem -storepass TrustKeystorePwd -noprompt
- Create an identity keystore, if you do not have an existing
identity keystore.
Following is an example to create the identity keystore:
keytool -genkeypair -alias server_cert -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "CN=example.com,OU=Support,O=Example,L=Reading,ST=Berkshire,C=GB" -keystore ./myIdentity.jks
- Create an archive file with the trust and identity keystores
that will be configured in the admin and managed servers.
Following is a sample of the contents of the archive file:
$ unzip -l archive.zip Archive: archive.zip Length Date Time Name --------- ---------- ----- ---- 0 11-25-2020 17:22 wlsdeploy/ 0 11-25-2020 17:18 wlsdeploy/servers/ 0 11-25-2020 19:35 wlsdeploy/servers/myoke-adminserver/ 2337 11-25-2020 00:49 wlsdeploy/servers/myoke-adminserver/myIdentity.jks 853 11-25-2020 00:47 wlsdeploy/servers/myoke-adminserver/myTrust.jks --------- ------- 2190 5 files
- Create a
model.yaml
file, specifying the OpenLDP Authentication Provider with SSL enabled, theDefaultAuthenticator
andDefaultIdentityAsserter
information, information, and the custom keystores for admin server and the servers that are part of the dynamic cluster configured in the domain.Note:
The credentials for the administrator purpose and the passphrase for the keystores have to be encrypted. You need the encryption passphrase when you run theupdate-domain
job. For information see, Update the Domain Configuration.-
Following is a sample of the
model.yaml
file for a non-JRF domain:topology: Server: 'myoke-adminserver': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: 'wlsdeploy/servers/myoke-adminserver/myIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: 'wlsdeploy/servers/myoke-adminserver/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>' ServerTemplate: 'myoke-cluster-template': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: 'wlsdeploy/servers/myoke-adminserver/myIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: 'wlsdeploy/servers/myoke-adminserver/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: '{AES}<encrypted_passphrase>' SecurityConfiguration: Realm: myrealm: AuthenticationProvider: My OpenLDAP authenticator: OpenLDAPAuthenticator: ControlFlag: SUFFICIENT PropagateCauseForLoginException: True EnableGroupMembershipLookupHierarchyCaching: True Host: myldap.example.com Port: 636 UserObjectClass: inetOrgPerson GroupHierarchyCacheTTL: 600 SSLEnabled: True UserNameAttribute: cn Principal: 'cn=foo,ou=users,dc=example,dc=com' CredentialEncrypted: '{AES}<encrypted_credential>' UserBaseDn: 'ou=users,dc=example,dc=com' UserSearchScope: subtree UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))' GroupBaseDN: 'ou=groups,dc=wlsoketest-ldap,dc=com' StaticGroupObjectClass: groupofnames StaticGroupNameAttribute: cn StaticMemberDNAttribute: member StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))' UseRetrievedUserNameAsPrincipal: True KeepAliveEnabled: True GuidAttribute: uuid DefaultAuthenticator: DefaultAuthenticator: ControlFlag: SUFFICIENT DefaultIdentityAsserter: DefaultIdentityAsserter:
-
Following is a sample of the model.yaml file for a JRF domain:
Note:
- If you want to add the LDAP SSL Authenticator to managed servers, then update the model yaml file with the custom identity trust and keystore values to each server in the cluster.
- If you scale-out the cluster, then
update the domain with the update-domain job. You
need to provide the yaml file containing the
contents, as listed in the sample yaml file, with
the name of the scaled-out managed server.
However, you do not have to update the
SecurityConfiguration
details.
topology: Server: 'wlsoke-adminserver': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/DemoIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: 'DemoIdentityKeyStorePassPhrase' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: 'TrustKeystorePwd' 'wlsoke-managed-server1': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/DemoIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: 'DemoIdentityKeyStorePassPhrase' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: 'TrustKeystorePwd' 'wlsoke-managed-server2': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/DemoIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: 'DemoIdentityKeyStorePassPhrase' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: 'wlsdeploy/servers/wlsoke-adminserver/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: 'TrustKeystorePwd' SecurityConfiguration: Realm: myrealm: AuthenticationProvider: My OpenLDAP authenticator: OpenLDAPAuthenticator: ControlFlag: SUFFICIENT PropagateCauseForLoginException: True EnableGroupMembershipLookupHierarchyCaching: True Host: myldap.example.com Port: 636 UserObjectClass: inetOrgPerson GroupHierarchyCacheTTL: 600 SSLEnabled: True UserNameAttribute: cn Principal: 'cn=foo,ou=users,dc=example,dc=com' CredentialEncrypted: '{AES}<encrypted_credential>' UserBaseDn: 'ou=users,dc=example,dc=com' UserSearchScope: subtree UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))' GroupBaseDN: 'ou=groups,dc=wlsoketest-ldap,dc=com' StaticGroupObjectClass: groupofnames StaticGroupNameAttribute: cn StaticMemberDNAttribute: member StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))' UseRetrievedUserNameAsPrincipal: True KeepAliveEnabled: True GuidAttribute: uuid DefaultAuthenticator: DefaultAuthenticator: ControlFlag: SUFFICIENT DefaultIdentityAsserter: DefaultIdentityAsserter:
-
- Apply the model and archive to
the running WebLogic Server domain.
To run the
update-domain
CI/CD pipeline to update the running domain and add the Authentication Providers and custom keystores, complete the following steps:- Sign in to the Jenkins console for your domain. See Access the Jenkins Console.
- On the Dashboard page, click update-domain.
- Click Build with Parameters.
- Select Shared File System from the Archive_Source list.
- For Archive_File_Location, browse to select the archive zip file or specify the path of the zip file on the shared file system.
- Select Shared File System from the Domain_Model_Source list.
- For Model_File_Location, browse to select the YAML file or specify the path of the YAML on the shared file system.
- Select None from the Variable_Source list.
- For Encryption_Passphrase, enter the encrytion passphrase to encrypt the passwords in the model YAML or the variable properties file.
- Select the
Rollback_On_Failure check box if you
do not want to rollback to the previous working domain image
(optional).
If you deselected this check box, you can rollback to the previous image later from the backup.
The Rollback_On_Failure check box is selected by default.
- Click Build to run the Pipeline job.
Configure SSL with host name verifier
-
In the
model.yaml
file, add the SSL configuration with customHostnameVerifier
class:-
For a non-JRF domain, add the configuration in the admin server and the cluster template.
-
For a JRF domain, add the configuration in the admin sever and managed server.
Following is a sample
model.yaml
file for a non-JRF domain:topology: Server: '@@ENV:RESOURCE_PREFIX@@-adminserver': SSL: OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly ServerTemplate: '@@ENV:RESOURCE_PREFIX@@-cluster-template': ListenPort: 8001 Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster' SSL: ListenPort: 8100 OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly
Following is a sample
model.yaml
file for a JRF domain with 2 replicas:topology: Server: '@@ENV:RESOURCE_PREFIX@@-adminserver': SSL: OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly '@@ENV:RESOURCE_PREFIX@@-managed-server1': Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster' SSL: OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly '@@ENV:RESOURCE_PREFIX@@-managed-server2': Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster' SSL: OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly
Note:
You must augment the samplemodel.yaml
based on the number of replicas. For example, in case of a JRF domain with 3 replicas, in the samplemodel.yaml
file, you must add@ENV:RESOURCE_PREFIX@@-managed-server1
,@ENV:RESOURCE_PREFIX@@-managed-server2
, and@ENV:RESOURCE_PREFIX@@-managedserver3
. -
-
Apply the
model.yaml
to the running WebLogic Server domain. See step 6 in Enable SSL Support in Domain in Image.