There is one tricky thing about WebCenter 11g PS3/PS4 services you should definitely know. It is related to WebLogic LDAP security providers. WebCenter always consumes only the first WebLogic security provider from the list of available providers. Even if the SUFFICIENT flag is set for a security provider, WebCenter still uses only the first one. That sounds like a huge limitation, and indeed it was before WebCenter 11g PS3/PS4; it was documented. But now the situation is much better: we are no longer constrained to a single LDAP security provider configuration on WebLogic. In this blog post I will describe how you can enable a virtual aggregator for all security providers defined in WebLogic, so WebCenter will be able to retrieve user data from multiple LDAP servers. For additional info, I would recommend reading the WebCenter Developer Guide, 28.7 Aggregating Multiple Identity Store LDAP Servers Using libOVD, and the Oracle FMW Security Guide, 7.3.1.1 Configuring Multi-LDAP Lookup.
The sample application is based on the WebCenter People Connections service - Profile:
If we authenticate with a user from the 2nd or 3rd LDAP security provider, the WebCenter service fails to retrieve user larry's information:
However, as you can see, ADF authentication completes successfully, which means the security providers are configured correctly. ADF authentication works because the first security provider is set to SUFFICIENT; however, the same rule does not apply to WebCenter services:
User larry is defined inside StudentsProvider, but WebCenter always uses only the first provider, ProffesorsProvider, to look up user info:
Let's fix this, following the WebCenter PS3/PS4 and Oracle FMW Security documentation. The instructions look complex, but in the end it is all fairly simple. Open Oracle FMW Enterprise Manager and select the WebLogic domain where your WebCenter application is deployed - wc_domain. From the menu go to WebLogic Domain -> Security -> Security Provider Configuration:
Expand Identity Store Provider and press the Configure button:
Add a new property to the Identity Store Configuration - virtualize = true:
This virtually merges the available security providers into one, and WebCenter will be able to retrieve user information no matter which provider it is defined in.
The new property is added successfully; all security providers are now virtualized into one, regardless of the order in which they are defined:
Restart the WebLogic server and here we go - we are cool again: user information is retrieved from the LDAP defined as the second provider in the list:
Download the sample application - WebCenterUserProfileApp.zip.
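As an added illustration (not from the original post), this is the kind of entry the Enterprise Manager step above writes into the domain's jps-config.xml under the identity store service instance; the instance and provider names follow the Oracle defaults and the file path is the standard domain layout, both assumed here:

```xml
<!-- $DOMAIN_HOME/config/fmwconfig/jps-config.xml (standard domain layout, assumed) -->
<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <!-- default: the identity store is built from the WebLogic authenticator list -->
    <property name="idstore.config.provider"
              value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
    <property name="CONNECTION_POOL_CLASS"
              value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    <!-- written by the EM step: libOVD aggregates every configured LDAP
         authenticator into one virtual identity store, so WebCenter no longer
         looks up users in the first provider only -->
    <property name="virtualize" value="true"/>
</serviceInstance>
```

After saving in EM and restarting, confirm the property is present in this file for the domain that actually hosts WebCenter; if it is missing, the lookup still goes to the first provider only.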
Hi Andrejus,
Thank you for sharing this. I have a requirement where I would like to display the user description instead of the username - how can I do this?
Regards,
Yemmela
You would need to extend WebCenter task flow through MDS.
Andrejus
Hi,
I have tried this and it is working fine, but now it has significantly slowed down our performance and it takes forever to login. Earlier, when it was not virtualized, login was very fast.
Any suggestions?
Thanks,
Viral
Yes, you can buy Oracle Virtual Directory from Oracle :)
Andrejus
Hi Andrejus,
I have tried configuring a single LDAP in WebLogic and everything works fine for some time, but randomly I'm getting
javax.naming.CommunicationExceptionjava.net.ConnectException: Connection refused: connect
Caused by: java.net.ConnectException: Connection refused: connect
and the application slows down. I need to restart the server to run the application normally.
Please provide your suggestions.
Thanks,
Dinesh
Hi Andrejus,
One small update on the issue which I posted above.
I was able to reproduce the error when 4 users hit a single server.
I think the connection pool and other configuration in the weblogic has not been set correctly.
Could you please tell me the best configuration parameters.
Thanks,
Dinesh
You are configuring WebLogic to retrieve user info from Active Directory?
Hi Andrejus,
It is actually local and not an Active Directory.
-Dinesh
What is configuration settings for your WebLogic internal LDAP?
Andrejus
Hi Andrejus,
Connection Pool size: 6
connect Time out : 0
Connection Retry Limit: 1
Parallel Connect Delay: 0
Results Time Limit: 0
Keep Alive Enabled ---> Not checked
Follow Referrals ---> checked
Bind Anonymously On Referrals ---> not checked
Propagate Cause For Login Exception --> checked
Cache Enabled --> checked
-Dinesh
If you increase Connection Pool size, still error is reproduced?
Andrejus
Hi Andrejus,
I tried with connection pool size as 1 and 100.
In both cases we tried hitting a single server from multiple machines, and in both cases the error did not occur. It is working perfectly.
Is this error because of the connection pool or other parameters? Please give your suggestions.
Thanks,
Dinesh
Honestly, hard to answer 100% correctly without working on your environment. Most likely misconfiguration issue.
Andrejus
Hi Andrejus,
Thank you. Is there anything wrong with the parameters I've mentioned in my previous comments?
-Dinesh
It might be yes and might be no :) No way to say correctly without working on your system.
ok. I'll check my configurations.
Thanks,
Dinesh
Hi Andrejus,
Does WebLogic support multiple AD domains? We have more than one AD domain (actually 6 of them). Is the same setup applicable in this case?
Thanks
Rajesh
Andrejus,
I have configured WNA (using SPNEGO and AD with Kerberos). But I am still prompted for the login and password. Do you have any steps which I can use to crosscheck?
Thanks
Rajesh
Yes, you can try it. It should work for an ADF app; I was testing with WebCenter Portal and it was working.
I don't have a test case with SPNEGO.
Thank you Andrejus! This solution with virtualization is exactly what I was looking for.
Hi,
I am using a SQL Authentication provider. I got the error user not found in identity store, even though I set virtualize = true.
Could you please tell me how to fix this problem?
Thanks,
joe
Hello ,
Will this solution work when I use OAM for SSO also? In this case the first provider is the OAM Identity Asserter.
Hard to say, this would require a test.
Andrejus
Did you crack the OAM thing? We are also in the same situation. We need to use OAM and 2 authenticators.
Hi Shay,
Great post. BTW, Johnny Bravo was awesome. I miss those days :)
Andrejus,
I have the same issue as Joe. I use a SQL authentication provider, and even if I set virtualize=true and restart the server, I still have the error.
So, could you please tell me how to fix this problem?
Regards,
Tajib Zunic
I don't know, this would require to do a test on your environment.
Andrejus
Hi Andrejus,
I have OVDProvider (DB Adapter) first in my list and DefaultAuthenticator second.
When I log into the portal using a user from the OVD Provider,
it always produces the log: " ".
I cannot access any WebCenter taskflow (profile, discussion, announcement etc.)
But it works fine if I log in using the Default Authenticator (ex: weblogic)
Don't know why..
Hello,
Thank you for this share. It was very helpful for me.