Tuesday, June 7, 2011

WebCenter 11g PS3/PS4 Aggregating Multiple WebLogic LDAP Security Providers (Virtualize = True)

There is one tricky thing about WebCenter 11g PS3/PS4 services you should definitely know. It is related to WebLogic LDAP security providers. WebCenter always consumes only the first WebLogic security provider from the list of available providers. Even when the SUFFICIENT flag is set for a security provider, WebCenter still uses only the first one. That sounds like a huge limitation, and indeed it was before WebCenter 11g PS3/PS4 - it was documented. But now the situation is much better: we are no longer constrained to a single LDAP security provider configuration on WebLogic. In this blog post I will describe how you can enable a virtual aggregator for all security providers defined in WebLogic, so WebCenter will be able to retrieve user data from multiple LDAP servers. For additional info, I recommend reading the WebCenter Developer Guide, 28.7 Aggregating Multiple Identity Store LDAP Servers Using libOVD, and the Oracle FMW Security Guide, 7.3.1.1 Configuring Multi-LDAP Lookup.

The sample application is based on the WebCenter People Connections service - Profile:


If we authenticate with a user from the 2nd or 3rd LDAP security provider, the WebCenter service fails to retrieve information for user larry:


However, as you can see, ADF authentication completes successfully - this means the security providers are configured correctly. ADF authentication works because the first security provider is set to SUFFICIENT; however, the same rule does not apply to WebCenter services:


User larry is defined inside StudentsProvider, but WebCenter always uses only the first provider - ProffesorsProvider - to look up user info:


Let's fix this, following the WebCenter PS3/PS4 and Oracle FMW Security documentation. The instructions look complex, but in the end it is all fairly simple. Open Oracle FMW Enterprise Manager and select the WebLogic domain where your WebCenter application is deployed - wc_domain. From the menu go to WebLogic Domain -> Security -> Security Provider Configuration:


Expand Identity Store Provider and press the Configure button:


Add a new property to the Identity Store Configuration - virtualize = true:


This virtually merges the available security providers into one, and WebCenter will be able to retrieve user information no matter where it is defined.

The new property is added successfully; all security providers will now be virtualized into one, regardless of the order in which they are defined:


Restart the WebLogic server and here we go - we are cool again - user information is retrieved from the LDAP defined as the second provider in the list:


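Behind the Enterprise Manager dialog, the property lands in the domain's config/fmwconfig/jps-config.xml. As an added example (not code from the original post), the Python below parses such a file, follows the default jpsContext to its identity store service instance and reports whether virtualize is set; the embedded XML is a constructed sample shaped like a stock domain's idstore.ldap instance, not this blog's domain configuration.

```python
import xml.etree.ElementTree as ET

# Added example, not the post's code: reads the jps-config.xml that Enterprise
# Manager edits when "virtualize = true" is added to the Identity Store Provider.
# SAMPLE is a constructed stand-in for a domain's config/fmwconfig/jps-config.xml.

def _local(tag):
    """Drop the namespace prefix so the check works whatever xmlns is declared."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def identity_store_virtualized(jps_config_xml):
    """Return (identity store instance name, True if libOVD aggregation is on)."""
    root = ET.fromstring(jps_config_xml)
    contexts = _children(root, "jpsContexts")[0]
    ctx = next(c for c in _children(contexts, "jpsContext")
               if c.get("name") == contexts.get("default"))
    refs = {r.get("ref") for r in _children(ctx, "serviceInstanceRef")}
    idstore_providers = {p.get("name") for sp in _children(root, "serviceProviders")
                         for p in _children(sp, "serviceProvider")
                         if p.get("type") == "IDENTITY_STORE"}
    for si in _children(root, "serviceInstances"):
        for inst in _children(si, "serviceInstance"):
            if inst.get("name") in refs and inst.get("provider") in idstore_providers:
                props = {p.get("name"): p.get("value") for p in _children(inst, "property")}
                # No property means the default: WebCenter consults the first provider only.
                return inst.get("name"), props.get("virtualize", "false").lower() == "true"
    return None, False

SAMPLE = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>{extra}
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="idstore.ldap"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>"""
BEFORE = SAMPLE.format(extra="")  # stock domain: first provider only
AFTER = SAMPLE.format(extra='\n      <property name="virtualize" value="true"/>')
```

Running the check against a real domain's file after the restart is a quick way to confirm the EM edit was actually persisted before testing logins from the second or third provider.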
Download the sample application - WebCenterUserProfileApp.zip.

30 comments:

Yemmela said...

Hi Andrejus,

Thank you for sharing this. I have a requirement: I would like to display the user description instead of the username - how can I do this?

Regards,
Yemmela

Andrej Baranovskij said...

You would need to extend WebCenter task flow through MDS.

Andrejus

Sane Indian said...

Hi,

I have tried this and it is working fine, but now it has significantly slowed down our performance and it takes forever to log in. Earlier, when it was not virtualized, login was very fast.

Any suggestions?

Thanks,

Viral

Andrej Baranovskij said...

Yes, you can buy Oracle Virtual Directory from Oracle :)

Andrejus

Dinesh said...

Hi Andrejus,

I have tried configuring a single LDAP in WebLogic and everything works fine for some time, but randomly I'm getting
javax.naming.CommunicationExceptionjava.net.ConnectException: Connection refused: connect
Caused by: java.net.ConnectException: Connection refused: connect

and the application slows down. I need to restart the server to run the application normally.

Please provide your suggestions.

Thanks,
Dinesh

Dinesh said...

Hi Andrejus,

One small update on the issue which I posted above.

I was able to reproduce the error when 4 users hit a single server.
I think the connection pool and other configuration in WebLogic has not been set correctly.

Could you please tell me the best configuration parameters.

Thanks,
Dinesh

Andrej Baranovskij said...

You are configuring WebLogic to retrieve user info from Active Directory?

Dinesh said...

Hi Andrejus,

It is actually Local and not an Active Directory.

-Dinesh

Andrej Baranovskij said...

What are the configuration settings for your WebLogic internal LDAP?

Andrejus

Dinesh said...

Hi Andrejus,

Connection Pool size : 6
connect Time out : 0
Connection Retry Limit: 1
Parallel Connect Delay: 0
Results Time Limit: 0
Keep Alive Enabled ---> Not checked
Follow Referrals ---> checked
Bind Anonymously On Referrals ---> not checked
Propagate Cause For Login Exception --> checked
Cache Enabled --> checked

-Dinesh

Andrej Baranovskij said...

If you increase the Connection Pool size, is the error still reproduced?

Andrejus

Dinesh said...

Hi Andrejus,

I tried with connection pool size as 1 and 100.
In both the cases we tried hitting single server from multiple machines but in both the cases the error is not occurring. It is working perfectly.

Is this error because of the connection pool or some other parameters? Please give your suggestions.

Thanks,
Dinesh

Andrej Baranovskij said...

Honestly, hard to answer 100% correctly without working on your environment. Most likely misconfiguration issue.

Andrejus

Dinesh said...

Hi Andrejus,

Thank you. Is there anything wrong with the parameters I've mentioned in my previous comments?

-Dinesh

Andrej Baranovskij said...

It might be yes and might be no :) No way to say correctly without working on your system.

Dinesh said...

ok. I'll check my configurations.

Thanks,
Dinesh

Mudi's Blog said...

Hi Andrejus,
Does WebLogic support multiple AD domains? We have more than one AD domain (actually 6 of them). Is the same setup applicable in this case?


Thanks
Rajesh

Mudi's Blog said...

Andrejus,

I have configured WNA (using SPNEGO and AD with Kerberos), but I am still prompted for the login and password. Do you have any steps which I can use to cross-check?

Thanks
Rajesh

Andrej Baranovskij said...

Yes, you can try it. It should work for an ADF app; I was testing with WebCenter Portal and it was working.

Andrej Baranovskij said...

I don't have a test case with SPNEGO.

sf said...

Thank you Andrejus! This solution with virtualization is exactly what I was looking for.

Anonymous said...

Hi,
I am using a SQL Authentication provider. I got the error "user not found in identity store", even though I set virtualize = true.

Could you please tell me how to fix this problem?

Thanks,
joe

Unknown said...

Hello ,
Will this solution work when I use OAM for SSO also? In this case the first provider is the OAM Identity Asserter.

Andrej Baranovskij said...

Hard to say, this would require a test.

Andrejus

Deepan R said...

Did you crack the OAM thing? We are also in the same situation: we need to use OAM and 2 authenticators.

Anonymous said...

Hi Shay,

Great post. BTW, Johnny Bravo was awesome. I miss those days :)

Tajib Zunic said...

Andrejus,

I have the same issue as Joe. I use the SQL authentication provider, and even if I set virtualize=true and restart the server, I still have the error.
So, could you please tell me how to fix this problem?
Regards,
Tajib Zunic

Andrej Baranovskij said...

I don't know, this would require to do a test on your environment.

Andrejus

Anonymous said...

Hi Andrejus,

I have OVDProvider (DB Adapter) first in my list and DefaultAuthenticator second.
When I log into the portal using a user from the OVD Provider,
it always produces the log: " ".
I cannot access any WebCenter task flow (profile, discussion, announcement etc.).

But it works fine if I log in using the Default Authenticator (ex: weblogic).

Don't know why..

Anonymous said...

Hello,
Thank you for this share. It was very helpful for me.