AD, WLS & ADF in Harmony (a case study)
Ray Tindall, Senior Systems Consultant
www.sagecomputing.com.au

Things have changed since 2006
- Active Directory Integration
- OID & AD in Harmony?
- SSO Portal

Things have changed since 2006: then and now
- Synchronisation of OID & AD  ->  AD LDAP Provider
- SSO Delegated Authentication  ->  ADF Security
- Windows Native Authentication with SSO  ->  Kerberos with WLS
- Forms

Agenda
- Overview: Who, What & Why; The primary Goal; Resources & References; IBM; The Plan & The Path
- Implementation: How we did it; How you can do it
- Testing
- Troubleshooting & Hints
- Wrap up: Where are we now
Who, What & Why
- Who?
- What? The System
- Why? The Wishlist

The Wishlist
- WebLogic Server 10.3.2
- ADF 11.1.1.2
- Active Directory on Windows Server 2003 (now 2008 R2)
- Windows workstations with IE 7
- Seamless & transparent authentication (login) against AD
- Authorisation against AD (Groups)
- Forms to ADF interoperability
- Scope to expand

The Primary Goal

Resources & References
- (IBM???) Administering the SPNEGO TAI: Tips on using Kerberos service principal names, by Martin Lansche, IBM
- Configuring Kerberos with WebLogic Server, by Faisal Khan, SecureZone
- Troubleshooting Kerberos issues with WebLogic Server, by Faisal Khan, SecureZone
- Configuring WLS With MS Active Directory, by Chris Muir, SAGE Computing
- Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing
- Oracle Fusion Middleware Securing Oracle WebLogic Server, 11g Release 1 (10.3.1), chapter 6: Configuring Single Sign-On with Microsoft Clients (note: that doc is 10.3.1; this is 10.3.2!)

The Plan & The Path
- Proof of Concept
- DEV: new system on new infrastructure; target apps; DEV WLS on a VM (snapshots)
- Risks: Production AD only! Load balancing is PROD only

How to Get There: Implementation Key Concepts
- AD LDAP Provider
- Kerberos with WLS
- ADF Security

How to Get There: Implementation Task Overview
- Network & AD preparation
- WLS AD Authentication
- WLS Host Kerberos configuration
- WLS Kerberos configuration
- Clients (Browser/s) configuration
- Apps (ADF Application) configuration
- Test (with your favourite beverage at hand)
- Troubleshoot (with your favourite beverage at hand)

Environment Specifics

KDC server: OURKDC(.dtf.wa.gov.au)
- The Windows domain controller serving as Key Distribution Centre.
- Most documentation (including the official doc) implies an IP address; use the DNS name instead.

Default AD domain: dtf.wa.gov.au
Kerberos Realm: DTF.WA.GOV.AU
- The realm is the AD domain in uppercase, and it is case sensitive.

WLS AD account: wlskerberosadacc / obscurepwd
- A "user" AD account, used for the WLS host and as the account the Service Principal is mapped to.
- The official doc says to just use the simple machine name. NO, bad idea: make it different and make it descriptive.

WLS Virtual Host DNS: ourvirtualwls(.dtf.wa.gov.au)
- The URL you will use to access your web applications; it is also the basis of the Service Principal (HTTP/ourvirtualwls.dtf.wa.gov.au).
- The official doc doesn't even mention a virtual host as a consideration. BUT it is critical for a Windows WLS host in the same domain*, and a good idea in the other cases anyway.

* The machine name already exists in a Windows domain as a Service Principal, HOST/machine.dtf.wa.gov.au, registered against the machine's computer account in AD. At runtime Kerberos derives the service principal from the host in the browser URL (HTTP/<host>). In AD the HTTP service class is an alias of HOST, so for HTTP/machine.dtf.wa.gov.au AD finds and defaults to the computer account's HOST/ Service Principal and uses the computer account's key, instead of finding our HTTP/ Service Principal and using our WLS user account. The service ticket AD returns is then encrypted with a key that does not match anything in your keytab.

Bottom line: ignoring the service class (HTTP/), the host name of the Service Principal used to access your web applications should exist in AD only once.
Network & AD preparation

Implementation Steps:
1. Create Virtual Host DNS
2. Create WLS Service AD user account
   - A user account, not a computer account!
3. Map the SPN (Service Principal) with setspn, and generate the keytab with ktab
   - If the WLS host is Linux, use ktpass (on a Windows box) instead of ktab.
   - Slide annotation on this step: "Not strictly needed with JDK 1.5+".
   - The account you map the SPN to (setspn / ktpass -mapuser) must be your service user account. Get it right: it is not validated for you.
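The three preparation steps above, as an added worked example rather than the presentation's own script. It is typed on a domain-joined Windows admin box and uses the deck's names (dtf.wa.gov.au / DTF.WA.GOV.AU, ourvirtualwls, wlskerberosadacc). Everything else is an assumption: the RSAT ActiveDirectory module for New-ADUser and Get-ADObject (the deck's ldifde would do for the duplicate check), a JDK at C:\oracle\jdk, a keytab path of C:\oracle\wls.keytab, and the $WlsHostIsLinux switch that picks ktab or ktpass.

```powershell
# Added example (not from the presentation). Names: the deck's environment;
# paths and the RSAT module are assumptions.
Import-Module ActiveDirectory
$Domain         = 'dtf.wa.gov.au'
$Realm          = $Domain.ToUpper()          # DTF.WA.GOV.AU: realm is the domain, uppercase
$VHost          = "ourvirtualwls.$Domain"    # the URL users browse to; basis of the SPN
$Spn            = "HTTP/$VHost"              # service class HTTP, forward slash, host from the URL
$Account        = 'wlskerberosadacc'         # a USER account, never a computer account
$Keytab         = 'C:\oracle\wls.keytab'     # assumed
$Jdk            = 'C:\oracle\jdk'            # assumed
$WlsHostIsLinux = $false                     # assumed: Windows WLS host -> ktab; Linux -> ktpass

# Step 1: the virtual host needs its own A record (not a CNAME to the machine) and must
# not be the machine name itself, which already owns HOST/<fqdn> in AD.
$dns = [System.Net.Dns]::GetHostEntry($VHost)
if ($dns.HostName -ine $VHost) { throw "$VHost is an alias of $($dns.HostName); add a second A record instead" }
if ($VHost -ieq "$env:COMPUTERNAME.$Domain") { throw "the virtual host must differ from the WLS machine name" }

# Step 2: dedicated service user. PasswordNeverExpires matters: a password change
# silently invalidates every keytab cut from the old password.
New-ADUser -Name $Account -SamAccountName $Account -UserPrincipalName "$Account@$Domain" `
    -AccountPassword (Read-Host "Password for $Account" -AsSecureString) `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true

# Step 3a: the host part of the SPN must exist once in the whole directory, under any
# service class (HOST/, HTTP/, ...), so look before registering.
$dupes = Get-ADObject -LDAPFilter "(servicePrincipalName=*/$VHost)" -Properties servicePrincipalName
if ($dupes) { throw "SPNs for $VHost already exist on: $($dupes.DistinguishedName -join '; ')" }

# Step 3b: register HTTP/<vhost> on the service account. -S refuses duplicates, -A does not.
setspn -S $Spn "$Domain\$Account"
setspn -L $Account

# Step 3c: the keytab. ktab (JDK) on a Windows WLS host; ktpass for a Linux WLS host,
# then copy the file across. Caveat from the Hints slide: ktpass -mapuser rewrites the
# account's userPrincipalName to HTTP/ourvirtualwls.dtf.wa.gov.au@DTF.WA.GOV.AU.
if ($WlsHostIsLinux) {
    ktpass -princ "${Spn}@${Realm}" -mapuser "$Domain\$Account" -pass '*' `
        -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -out $Keytab
} else {
    & "$Jdk\bin\ktab.exe" -a "${Spn}@${Realm}" -k $Keytab
}

# Verify before touching WLS: a TGT obtained from the keytab proves that account, SPN
# and key agree. "Checksum failed" here means the keytab key is not the account's key.
& "$Jdk\bin\kinit.exe" -k -t $Keytab "${Spn}@${Realm}"
& "$Jdk\bin\klist.exe"
```

The duplicate check deliberately searches every service class, not just HTTP/: the failure described on the Environment Specifics slide is a HOST/ SPN on a computer account shadowing the HTTP/ SPN you are about to create.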
WLS AD Authentication

4. Create WLS AD Authentication Provider
   - WLS LDAPAuthenticator
   - (Annotations on the provider list slide: "Remove!" / "Remove?")
5. Test Authentication Provider
   - Reference: Configuring a JDev 11g ADF Security app on standalone WLS against MS Active Directory, by Chris Muir, SAGE Computing
13 steps; hmmm; is this a sign?

Implementation Steps:
13. Configure ADF Application Security
   - Run the Configure ADF Security wizard
   - Map Enterprise Roles (AD groups) to Application Roles (ADF)
   - web.xml: <login-config> <auth-method>CLIENT-CERT</auth-method> </login-config>
Testing
- LDAP Provider
- Kinit (with keytab)
- Bringing it all together
- ADF Application
- Transparent login ("Wha? I followed the instructions!")

Troubleshooting

When things just don't go your way:
- WLS Security debug
  - plus standard out log level >= Notice
  - with CLIENT-CERT,FORM some debug messages may not appear (see Hints & Tips)
- WLS log level / standard out
- Utility checks (with verbose debug): kinit, ktab, klist
  - Best to have one only.
  - Don't be fooled: the verbose debug output looks alarming but is normal on success.
- Check the AD user account, including its SPN mapping
  - Tools: Server Admin Pack, Softerra LDAP Browser
- Config files: krb5.ini, krb5Login.conf, config.xml
  - Mind case sensitivity and syntax; on Linux it is krb5.conf.
  - Has this changed? Yes: the JAAS entry names in krb5Login.conf have no "krb5." prior to JDK 6.0 (com.sun.security.jgss.initiate/accept versus com.sun.security.jgss.krb5.initiate/accept), so include the prior (JDK 5) entries as well.
- AD LDAP Provider: base DNs, filters, search scopes
- Wireshark... in extreme cases
Debug output from java kinit: "Success" ... or "Checksum failed!"?
- "Checksum failed" means the key in your keytab is not the key AD used for the ticket: the wrong account mapped to the SPN, a password change since the keytab was generated, or a duplicate SPN resolved to another account.

Traps

Naming & case sensitivity
- Don't name the AD account the same as the WLS host.
- Mind case sensitivity & syntax (especially in krb5.ini).
- There must be only one SPN for the URL host in AD:
  - ldifde to check for duplicates
  - setspn -D to remove bad or duplicate SPNs

Kerberos / WLS can't find its config files (krb5.ini, keytab, krb5Login.conf)
- Know & use the default locations for them.
- Try absolute paths where they are referenced in dependent config.
- Try a WLS / host reboot.

Order of WLS providers
- The identity asserter first, followed by the AD LDAP provider, then the defaults.

Use the virtual URL, not the host URL
- Configure a second DNS A record, not a DNS alias (CNAME).
- Clear browser cache(s).

Clock skew
- AD, WLS and client within 2 minutes (Kerberos tolerates 5 minutes by default; don't rely on it).
- Does the host need the WA Daylight Saving patch?
(Note to the "Use the virtual URL" trap: this does not require a WLS virtual host definition.)

Hints & Tips
- WLS / host reboots at critical points.
- Check the full range of options for the utilities (kinit, ktab, klist); run the java core of these for verbose debug output.
- Use CLIENT-CERT only in ADF Security while troubleshooting; CLIENT-CERT,FORM may not produce debug message output.
- Use the client's local hosts file in lieu of DNS; also useful to test a specific node in a load balanced scenario.
- Load balanced / proxy scenario: the same keytab / setup on each node; the DNS / virtual URL (for the SPN) is the URL the LBR / proxy routes.
- Performance hits: mind recursive & deep group searching; check & turn off all DEBUG once happy.
- Multiple technologies: look outside the Oracle box.
- Linux: ktpass -mapuser changes the AD account's user principal name to the Kerberos principal (HTTP/... in place of the former account name); mind this for the kinit & krb5Login.conf setup.

Job Done! Celebrate

Current Status (Friends? No problem!)
- Proof of Concept
- DEV
- TEST
- UAT
- PROD: Go Live coming weekend
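An added example, not part of the presentation, tying the WLS host side of the Testing, Troubleshooting, Traps and Hints & Tips slides together: it writes the two Kerberos files for the deck's environment (OURKDC, DTF.WA.GOV.AU, ourvirtualwls), sets the JVM options WLS needs, then runs the three checks the deck keeps coming back to (clock skew, duplicate SPNs, kinit from the keytab with the JDK's verbose core class). The file and JDK paths (C:\oracle\...) and the enctype choice (rc4-hmac for a 2003-level domain) are assumptions.

```powershell
# Added example (not from the presentation). Paths are assumptions.
$Realm  = 'DTF.WA.GOV.AU'                   # realm = AD domain in UPPERCASE; krb5.ini is case sensitive
$Domain = 'dtf.wa.gov.au'
$Kdc    = "ourkdc.$Domain"                  # the DC by DNS name, not IP
$Spn    = "HTTP/ourvirtualwls.$Domain"      # the virtual host, never the machine name
$Keytab = 'C:/oracle/wls.keytab'            # forward slashes: this path lands in a JAAS file
$Jdk    = 'C:\oracle\jdk'
$KrbIni = Join-Path $env:WINDIR 'krb5.ini'  # JDK default location on Windows; keep ONE copy
$Jaas   = 'C:\oracle\krb5Login.conf'

# krb5.ini: [libdefaults] realm, [realms] KDC by DNS name, [domain_realm] mapping.
@"
[libdefaults]
    default_realm = $Realm
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    ticket_lifetime = 600

[realms]
    $Realm = {
        kdc = $Kdc
        admin_server = $Kdc
        default_domain = $Domain
    }

[domain_realm]
    .$Domain = $Realm
    $Domain = $Realm
"@ | Set-Content -Path $KrbIni -Encoding Ascii

# krb5Login.conf: the JAAS entries the WLS identity asserter looks up. JDK 6 uses
# com.sun.security.jgss.krb5.accept; JDK 5 had no "krb5." in the name, so both are
# defined ("include prior options"). Set debug=false once it works.
$entry = @"
    com.sun.security.auth.module.Krb5LoginModule required
        principal="${Spn}@${Realm}"
        useKeyTab=true
        keyTab="$Keytab"
        storeKey=true
        debug=true;
"@
@"
com.sun.security.jgss.krb5.initiate {
$entry
};
com.sun.security.jgss.krb5.accept {
$entry
};
com.sun.security.jgss.initiate {
$entry
};
com.sun.security.jgss.accept {
$entry
};
"@ | Set-Content -Path $Jaas -Encoding Ascii

# JVM options for the WLS start (put them in setDomainEnv; shown here as the variable the
# start scripts read). Absolute paths, so "can't find config files" is off the table.
$env:JAVA_OPTIONS = "-Djava.security.krb5.conf=$KrbIni " +
                    "-Djava.security.auth.login.config=$Jaas " +
                    "-Djavax.security.auth.useSubjectCredsOnly=false " +
                    "-Dsun.security.krb5.debug=true"

# Check 1: clock skew against the KDC; the deck wants AD, WLS and clients within 2 minutes.
# w32tm prints the remote clock offset in seconds on its last line.
$line = w32tm /stripchart "/computer:$Kdc" /samples:1 /dataonly | Select-Object -Last 1
if ($line -match '([+-]\d+\.\d+)s' -and [math]::Abs([double]$Matches[1]) -gt 120) {
    Write-Warning "clock skew to $Kdc is $($Matches[1])s; Kerberos will fail"
}

# Check 2: the SPN host must be registered once, under one account. setspn -X lists
# forest-wide duplicates; setspn -D <spn> <account> removes a bad one.
$spnHost = ($Spn -split '/')[1]
setspn -X | Select-String -Pattern ([regex]::Escape($spnHost))

# Check 3: kinit straight from the keytab via the JDK's core class, so the output is
# verbose. Success = the TGT is listed by klist; "Checksum failed" = keytab key != AD key.
& "$Jdk\bin\java.exe" '-Dsun.security.krb5.debug=true' "-Djava.security.krb5.conf=$KrbIni" `
    sun.security.krb5.internal.tools.Kinit -k -t $Keytab "${Spn}@${Realm}"
& "$Jdk\bin\klist.exe"
```

In a load balanced deployment run this on every node with the same keytab and the same two files; the SPN host in krb5Login.conf is the URL the load balancer or proxy routes, not the node's own name.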
Thank you! Questions?
Presentations are available from our website: www.sagecomputing.com.au
ray@sagecomputing.com.au
SAGE Computing Services Consulting and customised training workshops