Tuesday, June 7, 2011

WebCenter 11g PS3/PS4 Aggregating Multiple WebLogic LDAP Security Providers (Virtualize = True)

There is one tricky thing about WebCenter 11g PS3/PS4 services that you should definitely know. It is related to WebLogic LDAP security providers. WebCenter always consumes only the first WebLogic security provider from the list of available providers. Even when the SUFFICIENT control flag is set for a security provider, WebCenter services still use only the first one. That sounds like a huge limitation, and indeed it was before WebCenter 11g PS3/PS4 - the restriction was documented. Now the situation is much better: we are no longer constrained to a single LDAP security provider configuration in WebLogic. In this post I will describe how to enable the virtual aggregator (libOVD) for all security providers defined in WebLogic, so that WebCenter can retrieve user data from multiple LDAP servers. For additional information, I would recommend reading WebCenter Developer Guide - 28.7 Aggregating Multiple Identity Store LDAP Servers Using libOVD and Oracle FMW Security Guide 7.3.1.1 Configuring Multi-LDAP Lookup.

The sample application is based on the WebCenter People Connections service - Profile:


If we authenticate with a user from the 2nd or 3rd LDAP security provider, the WebCenter service fails to retrieve the information for user larry:


However, as you can see, ADF authentication completes successfully - this means the security providers themselves are configured correctly. ADF authentication works because the first security provider's control flag is set to SUFFICIENT, so WebLogic moves on to the next provider when the user is not found there; the same rule does not apply to WebCenter services, which look users up through the OPSS identity store, and by default that points only at the first LDAP authenticator:


User larry is defined in StudentsProvider, but WebCenter always uses only the first provider - ProffesorsProvider - to look up user information:


Let's fix this, following the WebCenter PS3/PS4 and Oracle FMW Security documentation instructions. These instructions look complex, but in the end it is all fairly simple. Open Oracle FMW Enterprise Manager and select the WebLogic domain where your WebCenter application is deployed - wc_domain. From the menu go to WebLogic Domain -> Security -> Security Provider Configuration:


Expand Identity Store Provider and press the Configure button:


Add a new property to the Identity Store Configuration - virtualize = true:


This virtually merges the available security providers into one identity store: the property switches the OPSS identity store to libOVD, which aggregates the LDAP authenticators configured in WebLogic, and Enterprise Manager stores it in the domain's jps-config.xml. WebCenter will then be able to retrieve user information no matter which provider it is defined in.

The new property is added successfully; all LDAP security providers are now virtualized into one, regardless of the order in which they are defined (the aggregation covers LDAP-based authenticators, which is the scope of the two guides referenced above):


Restart the WebLogic server and here we go - we are cool again - user information is retrieved from the LDAP server defined as the second provider in the list:
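As an added example (not code from the original post or from Oracle), here is a small Python script that performs offline the same check that the Enterprise Manager step does for you: it inspects a jps-config.xml, reports which identity store instances lack virtualize=true, and writes the property in if asked. The sample jps-config.xml embedded in it is constructed for this illustration, and the namespace URI and element layout are assumptions based on the 11g jps-config.xml schema; compare them against your own domain's config/fmwconfig/jps-config.xml before relying on the output.

```python
import xml.etree.ElementTree as ET

# Namespace of the 11g jps-config.xml schema (assumed from FMW 11g domain configs).
JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"


def _q(tag):
    """Qualify a local element name with the jps-config namespace."""
    return "{%s}%s" % (JPS_NS, tag)


# Constructed sample: the OPSS identity store instance as it looks before
# the change described in the post (no virtualize property yet). Element and
# property names follow the documented jps-config.xml layout.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="%s">
  <serviceProviders>
    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider"
        class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
          value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="CONNECTION_POOL_CLASS"
          value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="idstore.ldap"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
""" % JPS_NS


def identity_store_instances(root):
    """Return the serviceInstance elements backed by an IDENTITY_STORE provider."""
    providers = {
        sp.get("name")
        for sp in root.iter(_q("serviceProvider"))
        if sp.get("type") == "IDENTITY_STORE"
    }
    return [si for si in root.iter(_q("serviceInstance"))
            if si.get("provider") in providers]


def _properties(instance):
    """Map property name -> value for the direct <property> children of one instance."""
    return {p.get("name"): p.get("value") for p in instance.findall(_q("property"))}


def missing_virtualize(xml_text):
    """Names of identity store instances that do not carry virtualize=true.

    An empty list means every identity store is aggregated through libOVD,
    i.e. the change described in the post is in place."""
    root = ET.fromstring(xml_text)
    return [
        si.get("name")
        for si in identity_store_instances(root)
        if (_properties(si).get("virtualize") or "").strip().lower() != "true"
    ]


def is_virtualized(xml_text):
    """True when the config has at least one identity store and all of them are virtualized."""
    root = ET.fromstring(xml_text)
    return bool(identity_store_instances(root)) and not missing_virtualize(xml_text)


def set_virtualize(xml_text):
    """Return the config with virtualize=true on every identity store instance.

    Mirrors what the Enterprise Manager step does; an existing property is
    corrected in place rather than duplicated, so re-running this is idempotent."""
    ET.register_namespace("", JPS_NS)  # keep the default namespace on output
    root = ET.fromstring(xml_text)
    for si in identity_store_instances(root):
        existing = [p for p in si.findall(_q("property")) if p.get("name") == "virtualize"]
        if existing:
            existing[0].set("value", "true")
        else:
            ET.SubElement(si, _q("property"), name="virtualize", value="true")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    import sys

    # Usage: python check_virtualize.py [path/to/jps-config.xml]
    # Without an argument the constructed sample above is checked and fixed.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_JPS_CONFIG
    print("virtualize enabled:", is_virtualized(text))
    print("instances missing it:", missing_virtualize(text))
    if not is_virtualized(text):
        print(set_virtualize(text))
```

This is handy as a deployment sanity test: with the property absent the script reports idstore.ldap as missing, after the fix it reports nothing, and running the fix twice does not duplicate the property. The WebLogic server still has to be restarted for OPSS to pick the change up, exactly as in the manual step above.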


Download sample application - WebCenterUserProfileApp.zip.

30 comments:

  1. Hi Andrejus,

    Thank you for sharing this. I have a requirement where I would like to display the user description instead of the username - how can I do this?

    Regards,
    Yemmela

  2. You would need to extend WebCenter task flow through MDS.

    Andrejus

  3. Hi,

    I have tried this and it is working fine, but now it has significantly slowed down our performance and it takes forever to log in. Earlier, when it was not virtualized, login was very fast.

    Any suggestions?

    Thanks,

    Viral

  4. Yes, you can buy Oracle Virtual Directory from Oracle :)

    Andrejus

  5. Hi Andrejus,

    I have tried configuring a single LDAP in WebLogic and everything works fine for some time, but randomly I'm getting
    javax.naming.CommunicationException: java.net.ConnectException: Connection refused: connect
    Caused by: java.net.ConnectException: Connection refused: connect

    and the application slows down. I need to restart the server to run the application normally.

    Please provide your suggestions.

    Thanks,
    Dinesh

  6. Hi Andrejus,

    One small update on the issue which I posted above.

    I was able to reproduce the error when 4 users hit a single server.
    I think the connection pool and other configuration in WebLogic have not been set correctly.

    Could you please tell me the best configuration parameters.

    Thanks,
    Dinesh

  7. You are configuring WebLogic to retrieve user info from Active Directory?

  8. Hi Andrejus,

    It is actually Local and not an Active Directory.

    -Dinesh

  9. What are the configuration settings for your WebLogic internal LDAP?

    Andrejus

  10. Hi Andrejus,

    Connection Pool size : 6
    connect Time out : 0
    Connection Retry Limit: 1
    Parallel Connect Delay: 0
    Results Time Limit: 0
    Keep Alive Enabled ---> Not checked
    Follow Referrals ---> checked
    Bind Anonymously On Referrals ---> not checked
    Propagate Cause For Login Exception --> checked
    Cache Enabled --> checked

    -Dinesh

  11. If you increase the Connection Pool size, is the error still reproduced?

    Andrejus

  12. Hi Andrejus,

    I tried with a connection pool size of 1 and of 100.
    In both cases we tried hitting a single server from multiple machines, but in both cases the error is not occurring. It is working perfectly.

    Is this error because of the connection pool or some other parameter? Please give your suggestions.

    Thanks,
    Dinesh

  13. Honestly, it is hard to answer 100% correctly without working on your environment. Most likely a misconfiguration issue.

    Andrejus

  14. Hi Andrejus,

    Thank you. Is there anything wrong with the parameters I mentioned in my previous comments?

    -Dinesh

  15. It might be yes and it might be no :) No way to say for sure without working on your system.

  16. ok. I'll check my configurations.

    Thanks,
    Dinesh

  17. Hi Andrejus,
    Does WebLogic support multiple AD domains? We have more than one AD domain (actually 6 of them). Is the same setup applicable in this case?


    Thanks
    Rajesh

  18. Andrejus,

    I have configured WNA (using SPNEGO and AD with Kerberos). But I am still prompted for the login and password. Do you have any steps I can use to cross-check?

    Thanks
    Rajesh

  19. Yes, you can try it. It should work for an ADF app; I was testing with WebCenter portal - it was working.

  20. Thank you Andrejus! This solution with virtualization is exactly what I was looking for.

  21. Hi,
    I am using a SQL Authentication provider. I got the error "user not found in identity store", even though I set virtualize = true.

    Could you please tell me how to fix this problem?

    Thanks,
    joe

  22. Hello ,
    Will this solution also work when I use OAM for SSO? In this case the first provider is the OAM Identity Asserter.

  23. Hard to say, this would require a test.

    Andrejus

  24. Did you crack the OAM thing? We are also in the same situation; we need to use OAM and 2 authenticators.

  25. Hi Shay,

    Great post. BTW, Johnny Bravo was awesome. I miss those days :)

  26. Andrejus,

    I have the same issue as Joe. I use the SQL authentication provider, and even if I set virtualize=true and restart the server, I still have the error.
    So, could you please tell me how to fix this problem?
    Regards,
    Tajib Zunic

  27. I don't know; this would require a test on your environment.

    Andrejus

  28. Hi Andrejus,

    I have OVDProvider (DB Adapter) first in the list and DefaultAuthenticator second.
    When I log in to the portal using a user from the OVD Provider,
    it always produces the log: " ".
    I cannot access any WebCenter task flow (profile, discussion, announcement etc.)

    But it works fine if I log in using the Default Authenticator (e.g. weblogic).

    Don't know why..

  29. Hello,
    Thank you for this share. It was very helpful for me.
