Thursday, January 30, 2014

User Authentication in EM12c via Weblogic Framework Security

Update Feb 14, 2014: I posted a detailed follow-up note on EM12c, Weblogic, and Finding Your Way in Active Directory. In it, I’ve illustrated how to find your way around Active Directory when attempting to set up authentication.
 
On my current project involving EM12c, I had to configure the Weblogic Server with LDAP Authentication against Active Directory (AD). The instructions in the Enterprise Manager Security Guide are quite clear on the required fields and, as expected, illustrate only a very basic example of AD membership. EM12c runs as a managed server (named EMGC_OMSx) within a domain on a Weblogic Application Server and leverages the latter’s framework, in our example for security authentication. It wouldn’t be fair to you if I didn’t take a moment to explain the architecture for a little perspective.

To quote Oracle’s Weblogic Documentation: “WebLogic Server includes numerous Authentication security providers. Most of them work in similar fashion: given a username and password credential pair, the provider attempts to find a corresponding user in the provider's data store. These Authentication providers differ primarily in what they use as a data store: one of many available LDAP servers, a SQL database, or other data store. In addition to these username/password based security providers, WebLogic Server includes identity assertion Authentication providers, which use certificates or security tokens, rather than username/password pairs, as credentials.”

In a nutshell, providers are defined within a security realm called “myrealm”. Once a new provider (in our case “ADAuthenticator - IT Oracle DBA”) is added, the providers need to be re-ordered so that the new one sits at the top of the list. I could describe in detail the steps to configure an LDAP provider, but after speaking with Tim Hall (@oraclebase), it turns out he already blogged about it!



Enterprise Manager supports the following sources:

  1. Repository Based (Default)
  2. Oracle Access Manager (OAM) SSO
  3. Oracle SSO Based
  4. Enterprise User Security Based
  5. LDAP; either Oracle Internet Directory or Active Directory

When a login attempt is made from EM12c’s console, a request is sent via the security layer to the configured providers. I’ve done my best to illustrate the routes an authentication request may take: either the Admin or the Managed server can request authentication via the Security Realm, which in turn (depending on the provider order) authenticates the credentials. If the credentials are not found by the first provider, the subsequent ones are attempted.


Once credentials are authenticated against the Active Directory source, they are then authorized within EM12c. Should the user not exist in EM12c, the authentication will fail by default, because auto-provisioning is disabled. According to the Oracle documentation, the parameter can be set either from emctl or from the console UI. I have not found where to do the latter; my post here describes how to enable it via emctl. Alternatively, you could register the external users via the emcli create_user command. For example, and this is just one of many ways of doing this:

emcli create_user \
   -name="manjum" \
   -email="maaz.anjum@iwish.com;miles.andrew@iwish.com" \
   -roles="public;em_user;<custom_role>" \
   -type="EXTERNAL_USER"


In addition to auto-provisioning, you can also enable mapping of LDAP user attributes to EM user attributes, for example email address, department, first name and last name. Don Seiler (@dtseiler) alludes to this in one of his posts about authentication quirks. I haven’t had the opportunity to explore this feature yet.

If you have to troubleshoot any issues, there is a good bit of troubleshooting help available in the Oracle documentation here (thanks to @Seth_M_Miller for pointing it out).

I hope this brief overview was helpful in understanding the parts and pieces (assuming that’s all of them) of user authentication in EM12c with Weblogic’s Security Framework. I plan to publish a few more posts related to the issues I came across during my adventures.

Cheers!


Enable Auto-Provisioning of Users in EM12c

While writing a separate article on EM12c’s Security Authentication, I felt the need to separate out the various parts and pieces which make up the discussion. Rather than have one quite long post, a few smaller ones would make for an easier read.

In this one, I’d like to show you how to enable auto-provisioning for external users in EM12c. Quoting the documentation below, the intent is self-explanatory.

“Typically the external LDAP users need to be created in Enterprise Manager before they can log in to the Enterprise Manager console. Auto provisioning removes that requirement by automatically creating the Enterprise Manager user account upon successful authentication of the user the first time he logs on to Enterprise Manager.”

Basically, if the property is not enabled, the login attempt will fail during the authentication-authorization phase with an “Authentication Failed” message. You would have to dig quite deep in the EMGC_OMSx server LDAP logs to find that the user could not be mapped during the authorization phase.

When I first had to do this in version 12.1.0.2.0, I found a neat video that Oracle posted which described the process of LDAP Authentication from start to finish. With respect to my post, the relevant steps are below; these need to be run on each OMS server.

-bash-4.1$ emctl set property -name "oracle.sysman.core.security.auth.autoprovisioning" -value "true"
Oracle Enterprise Manager Cloud Control 12c Release 3
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
SYSMAN password:
Property oracle.sysman.core.security.auth.autoprovisioning for oms p-oem-app02.acme.com:4889_Management_Service has been set to value true
OMS restart is not required to reflect the new property value

Finally, restart all OMS servers and voila!
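As an added example (my own script, not from the original post or from Oracle), here is one way to run that step on every OMS host, check emctl's confirmation line before moving on, and then restart each OMS as the post does. It assumes ssh access to each host, OMS_HOME exported on the remote side, and a local terminal so emctl's SYSMAN password prompt can be answered; the sample reply used to exercise the parsers is the emctl output shown above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Runs the auto-provisioning step on
# every OMS host given on the command line, checks emctl's confirmation, then
# restarts that OMS. Assumptions: ssh access to each host, OMS_HOME exported on
# the remote side, and a local terminal so emctl's SYSMAN password prompt works.
set -eu

PROP="oracle.sysman.core.security.auth.autoprovisioning"

# Sample emctl reply, taken from the post, used to exercise the parsers offline.
SAMPLE_OUTPUT="Oracle Enterprise Manager Cloud Control 12c Release 3
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
SYSMAN password:
Property $PROP for oms p-oem-app02.acme.com:4889_Management_Service has been set to value true
OMS restart is not required to reflect the new property value"

# Print the value emctl confirms in "... has been set to value <v>"; prints
# nothing when that line is missing (wrong password, wrong OMS_HOME, ...).
value_set_by_emctl() {          # usage: value_set_by_emctl "$emctl_output"
    printf '%s\n' "$1" | sed -n 's/.*has been set to value \([^[:space:]]*\).*/\1/p' | head -n 1
}

# Print the OMS name emctl reports ("for oms <name> has been set"), for the log.
oms_name_from_output() {        # usage: oms_name_from_output "$emctl_output"
    printf '%s\n' "$1" | sed -n 's/.*for oms \([^[:space:]]*\) has been set.*/\1/p' | head -n 1
}

# Set the property on one host and restart its OMS, as the post does.
# ssh -t keeps emctl's password prompt interactive; tee shows it to the operator
# while the reply is also captured for the checks below.
enable_autoprovisioning_on() {  # usage: enable_autoprovisioning_on <host>
    host="$1"
    out="$(ssh -t "$host" "\$OMS_HOME/bin/emctl set property -name $PROP -value true" | tee /dev/tty | tr -d '\r')"
    if [ "$(value_set_by_emctl "$out")" != "true" ]; then
        echo "!! $host: emctl did not confirm $PROP=true, not restarting" >&2
        return 1
    fi
    echo "ok $host: $(oms_name_from_output "$out") now auto-provisions external users"
    ssh "$host" "\$OMS_HOME/bin/emctl stop oms && \$OMS_HOME/bin/emctl start oms"
}

# Example invocation (host names are placeholders):
#   ./enable_autoprov.sh p-oem-app01.acme.com p-oem-app02.acme.com
for host in "$@"; do
    enable_autoprovisioning_on "$host"
done
```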

Hope this helps.

Cheers!


Friday, January 24, 2014

How to Change Properties of a Target in EM12c

One of my colleagues asked me a good question this morning about how to go about changing the properties of a target, specifically the “Contact” field. 


The property fields of a target are often overlooked, but they are important to the prioritization algorithm for event management. For example, if a target’s Lifecycle Status is Production or Mission Critical, its events are given preference over those of a target with a lower lifecycle status. That being said, in this example it was a listener type target; the same method applies to any target. You simply need to go to the menu under the target’s name and follow the screenshot below. Please note that this method is only applicable in EM12c.

My colleague didn’t mention “why” he wanted it removed, but one picture was worth a handful of words.


Hope this helps.

Cheers!
