Authenticate by using an External LDAP Server
This section describes the steps required to add authenticators for external systems, like OpenLDAP. This helps you to use the groups and users defined in the system for your applications deployed in the Oracle WebLogic Server for OKE domain. Also, it provides information about how to use an OpenLDAP server.
In Oracle WebLogic Server for OKE, you cannot add users and groups to the WebLogic embedded LDAP server for your applications. As the embedded LDAP has limited use when using the domain home in the image model, if you add users to the embedded LDAP through the Administration console, the users are not persisted in the image and disappear when you restart the admin server pod. Also, it is not recommended to change the domain from the administration console.
Prerequisites
Before you authenticate by using an external LDAP sever, ensure that you have completed the required prerequisites.
- You must have created a domain with Oracle WebLogic Server for OKE instance. See Create a Stack.
- You must have an OpenLDAP server, which is ready to use.
The OpenLDAP server must be accessible from the Oracle WebLogic Server for OKE nodes, where your WebLogic domain is running and from the admin host. That is, OpenLDAP server must connect to the OpenLDAP host (either by name or IP address) and use the port where the LDAP server is listening.
Default ports are
389
for LDAP and636
for LDAPS (LDAP over SSL).If the LDAP server is on premises, then connect the VCN where the stack was created with your datacenter, by using either FastConnect or VPN connect. See Access to Your On-Premises Network.
Add a new OpenLDAP Authenticator to the Domain
Define the authenticators that you want to add to your WebLogic domain in a WDT model file, and then apply this model by using the update-domain
pipeline job.
- Create an
OpenLDAP_authenticator.yaml
file.The following is an example of a model file specifying an OpenLDAP authenticator and helps to connect to an OpenLDAP server by using LDAP protocol, that is with SSL disabled. This model is based on the models presented in Modeling Security Providers.Note:
You must create a secret for the administrator password, and you use this secret when you run theupdate-domain
pipeline job.Example of anOpenLDAP_authenticator.yaml
file:topology: SecurityConfiguration: Realm: myrealm: AuthenticationProvider: My OpenLDAP authenticator: OpenLDAPAuthenticator: ControlFlag: SUFFICIENT PropagateCauseForLoginException: True EnableGroupMembershipLookupHierarchyCaching: True Host: myldap.example.com Port: 389 UserObjectClass: inetOrgPerson GroupHierarchyCacheTTL: 600 SSLEnabled: False UserNameAttribute: cn Principal: 'cn=foo,ou=users,dc=example,dc=com' CredentialEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-secret:password@@' UserBaseDn: 'ou=users,dc=example,dc=com' UserSearchScope: subtree UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))' GroupBaseDN: 'ou=groups,dc=example,dc=com' StaticGroupObjectClass: groupofnames StaticGroupNameAttribute: cn StaticMemberDNAttribute: member StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))' UseRetrievedUserNameAsPrincipal: True KeepAliveEnabled: True GuidAttribute: uuid DefaultAuthenticator: DefaultAuthenticator: ControlFlag: SUFFICIENT DefaultIdentityAsserter: DefaultIdentityAsserter:
In order to keep
DefaultAuthenticator
andDefaultIdentityAsserter
while changing or adding providers, they must be specified in the model with any non-default attributes, as in the example. The order of providers in the model will be the order the providers set in the WebLogic security configuration. See Modeling Security Providers. - Run the
update-domain
pipeline job to add the authenticators. See Update a Domain Configuration.
Enable SSL Support
To enable SSL support, you need to perform a few additional steps. Here you need to configure both a trust keystore and an identity keystore, although only trust keystore is required for one-way SSL connection to the LDAP server. You must also configure SSL with the host name verifier.
- Obtain the root Certificate Authority (CA) certificate for the LDAP server.
- Create a trust keystore by using the preceding certificate or if you
already have an existing trust keystore, import the certificate to the trust
keystore.
Following is an example to create the keystore myTrust.jks with the root CA certificate
rootca.pem
, by using thekeytool
command:keytool -import -keystore ./myTrust.jks -trustcacerts -alias oidtrust -file rootca.pem -storepass TrustKeystorePwd -noprompt
- Create an identity keystore, if you do not have an existing
identity keystore.
Following is an example to create the identity keystore:
keytool -genkeypair -alias server_cert -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -dname "CN=example.com,OU=Support,O=Example,L=Reading,ST=Berkshire,C=GB" -keystore ./myIdentity.jks
- Copy the trust and identity keystores to the
u01
shared location, and specify the location of these files in themodel.yaml
file. - Create a
model.yaml
file, specifying the OpenLDP Authentication Provider with SSL enabled, theDefaultAuthenticator
andDefaultIdentityAsserter
information, and the custom keystores for admin server and the servers that are part of the dynamic cluster configured in the domain.Note:
You must create a secret for the administrator password, and provide this secret in the
model.yaml
file; this secret is used when you run theupdate-domain
job. For information see, Update a Domain Configuration.You must use ENV macros for server names as specified in the following
model.yaml
example files for non-JRF domain.Following is a sample of the
model.yaml
file for a non-JRF domain:In this
model.yaml
file,ServerPrivateKeyAlias
, refers to the alias used when you created theDemoIdentity
keystore andServerPrivateKeyPassPhraseEncrypted
refers to the password set forServerPrivateKeyAlias
.topology: Server: '@@ENV:RESOURCE_PREFIX@@-adminserver': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@' SSL: ServerPrivateKeyAlias: DemoIdentity ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@' ServerTemplate: '@@ENV:RESOURCE_PREFIX@@-cluster-template': KeyStores: CustomIdentityAndCustomTrust CustomIdentityKeyStoreType: jks CustomIdentityKeyStoreFileName: '/u01/shared/DemoIdentity.jks' CustomIdentityKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demosecret:password@@' CustomTrustKeyStoreType: jks CustomTrustKeyStoreFileName: '/u01/shared/myTrust.jks' CustomTrustKeyStorePassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-trustsecret:password@@' SSL: ServerPrivateKeyAlias: DemoIdentity ServerPrivateKeyPassPhraseEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-demokeysecret:password@@' SecurityConfiguration: Realm: myrealm: AuthenticationProvider: My OpenLDAP authenticator: OpenLDAPAuthenticator: ControlFlag: SUFFICIENT PropagateCauseForLoginException: True EnableGroupMembershipLookupHierarchyCaching: True Host: 'pg-openldap' Port: 636 UserObjectClass: inetOrgPerson GroupHierarchyCacheTTL: 600 SSLEnabled: True UserNameAttribute: cn Principal: 'cn=admin,dc=wlsoketest-ldap,dc=com' CredentialEncrypted: '@@SECRET:@@ENV:DOMAIN_UID@@-ldap-secret:password@@' UserBaseDn: 'ou=people,dc=wlsoketest-ldap,dc=com' UserSearchScope: subtree UserFromNameFilter: '(&(cn=%u)(objectclass=inetOrgPerson))' GroupBaseDN: 'ou=groups,dc=wlsoketest-ldap,dc=com' StaticGroupObjectClass: groupofnames StaticGroupNameAttribute: cn StaticMemberDNAttribute: member StaticGroupDNsfromMemberDNFilter: '(&(member=%M)(objectclass=groupofnames))' UseRetrievedUserNameAsPrincipal: True KeepAliveEnabled: True GuidAttribute: entryuuid DefaultAuthenticator: DefaultAuthenticator: ControlFlag: SUFFICIENT DefaultIdentityAsserter: DefaultIdentityAsserter:
- Apply the model and archive to the
running WebLogic Server domain.
To run the
update-domain
CI/CD pipeline to update the running domain and add the Authentication Providers and custom keystores, complete the following steps:- Sign in to the Jenkins console for your domain. See Access the Jenkins Console.
- On the Dashboard page, click update domain.
- From Domain_Name, select the domain that you want to update.
- Click Build with Parameters.
- Select Shared File System from the Archive_Source list.
- For Archive_File_Location, browse to select the archive zip file or specify the path of the zip file on the shared file system.
- Select Shared File System from the Domain_Model_Source list.
- For Model_File_Location, browse to select the YAML file or specify the path of the YAML on the shared file system.
- Select None from the Variable_Source list.
- Select the Rollback_On_Failure
check box if you do not want to rollback to the previous working
domain image (optional).
If you deselected this check box, you can rollback to the previous image later from the backup.
The Rollback_On_Failure check box is selected by default.
- Click Build to run the Pipeline job.
Configure SSL with host name verifier
-
In the
model.yaml
file, for the non-JRF domain, add the SSL configuration with customHostnameVerifier
class in the admin sever and managed server.Following is a sample
model.yaml
file for a non-JRF domain:topology: Server: '@@ENV:RESOURCE_PREFIX@@-adminserver': SSL: OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly ServerTemplate: '@@ENV:RESOURCE_PREFIX@@-cluster-template': ListenPort: 8001 Cluster: '@@ENV:RESOURCE_PREFIX@@-cluster' SSL: ListenPort: 8100 OutboundCertificateValidation: BuiltinSSLValidationOnly HostnameVerifier: weblogic.security.utils.SSLWLSWildcardHostnameVerifier InboundCertificateValidation: BuiltinSSLValidationOnly
-
Apply the
model.yaml
to the running WebLogic Server domain. See step 6 in Enable SSL Support.
Verify the Authenticator
Verify that the authentication provider is created successfully and the expected LDAP provider users and groups are synced.
Create JMS Resources
Java Messaging Service (JMS) resources can be created using the provided templates.
JMS resources can be added to non-JRF domains. It is recommended to use JDBC persistent stores for JMS and Transaction stores to be in the database. So, we need to create a datasource and corresponding leasing table for JDBC store for the non-JRF domain.
- Create a table for database leasing:
- Format of the tablename should be:
<datasourceschemausername>.<tablename>
Example:create table mydbuser.mytable ( SERVER VARCHAR2(255) NOT NULL, INSTANCE VARCHAR2(255) NOT NULL, DOMAINNAME VARCHAR2(255) NOT NULL, CLUSTERNAME VARCHAR2(255) NOT NULL, TIMEOUT DATE, PRIMARY KEY (SERVER, DOMAINNAME, CLUSTERNAME) );
- The tablename has to be specified in the model template yaml for
AutoMigrationTableName
The sample model template yaml file,
non_jrf_domain_jms_resources.yaml
is located at
/u01/shared/scripts/pipeline/templates
.
These are basic sample template model yaml files that can be used and has to be modified according to your requirement. These are not the final model template.
Note:
Irrespective of the number of managed servers, increase the initial and max capacity ofmydatasource
to a
higher value.
For best practices about creating JMS resources, see Best Practices for JMS Beginners and Advanced Users in Administering JMS Resources for Oracle WebLogic Server.