Thursday, January 30, 2014

User Authentication in EM12c via Weblogic Framework Security

Update Feb 14, 2014: I posted a detailed followup note on EM12c, Weblogic, and Finding Your Way in Active Directory. In it, I’ve illustrated how to find your way in active directory when attempting to setup authentication.
 
On my current project involving EM12c, I had to configure the Weblogic Server with LDAP Authentication against Active Directory (AD). The instructions in the Enterprise Manager Security Guide documentation are quite clear on the required fields, and as expected, aim to illustrate a very basic example of an AD membership. EM12c (named EMGC_OMSx) is a managed server within a domain which resides on a Weblogic Application Server and leverages the latter’s framework, in our example, security authentication. It wouldn’t be fair to you if I didn’t take a moment to explain the architecture for a little perspective.

To quote Oracle’s Weblogic Documentation: “WebLogic Server includes numerous Authentication security providers. Most of them work in similar fashion: given a username and password credential pair, the provider attempts to find a corresponding user in the provider's data store. These Authentication providers differ primarily in what they use as a data store: one of many available LDAP servers, a SQL database, or other data store. In addition to these username/password based security providers, WebLogic Server includes identity assertion Authentication providers, which use certificates or security tokens, rather than username/password pairs, as credentials.”

In a nutshell, providers are defined within a security realm called “myrealm”. Once a new provider, in our case “ADAuthenticator - IT Oracle DBA” is added, it needs to be re-ordered and placed on top. I could describe in detail the steps to configure an LDAP provider, but after speaking with Tim Hall (@oraclebase), turns out he already blogged about it!



Enterprise Manager supports the following sources:

  1. Repository Based (Default)
  2. Oracle Access Manager (OSM) SSO
  3. Oracle SSO Based
  4. Enterprise User Security Based
  5. LDAP; either Oracle Internet Directory or Active Directory

When an attempt to login is made from EM12c’s console, a request is sent via the security layer to the configured providers. I’ve done my best to illustrate the routes where a possible authentication request may take - either the Admin or Managed servers can request authentication via the Security Realm, which in turn (depending on the provider order) will authenticate the relevant credentials. If the credentials are not present within the first provider, the subsequent ones will be attempted.


Once credentials are authenticated against the Active Directory source, they are then authorized within EM12c. Should the user not exist in EM12c, by default, the authentication will fail because auto-provisioning is disabled. According to the Oracle Documentation the parameter can be set from either emctl or the console UI. I have not found where to perform the latter, however my post here described how to enable it via emctl. Alternatively, you could register the external users via the emcli create_user command. For example, and this is just one of many ways of doing this:

emcli create_user
   -name=“manjum"
   -email=“maaz.anjum@iwish.com;miles.andrew@iwish.com”
   -roles=“public;em_user;<custom_role>”
   -type=“EXTERNAL_USER"


In addition to auto-provisioning, you could also enable mapping of LDAP user attributes to EM user attributes. For example, mapping of email address, department, first name, last name etc. Don Seiler (@dtseiler) alludes to this in one of his posts about authentication quirks. I haven’t had the opportunity to explore this feature yet.

If you had to troubleshoot any issues, there’s a good bit of troubleshooting help available in the Oracle Documentation here (thanks to @Seth_M_Miller for pointing it out).

I hope this brief overview was helpful to understanding the parts and pieces (assuming thats all of them) for user authentications in EM12c with Weblogic’s Security Framework. I plan to publish a few more posts related to the issues I came across during my adventures.

Cheers!

1 comment :

  1. You can get to the system properties via the console UI by going to Setup -> Manage Cloud Control -> Management Services, then click on Configuration Properties in the upper right corner with the spanner icon.

    ReplyDelete