10 Replies Latest reply: Nov 22, 2009 2:37 PM by mdsabir

[SOLVED] SOA Suite 11g and OID

441056 Newbie
How should I configure OC4J in TP4 such that Human Tasks can be assigned to users in an LDAP directory, e.g Oracle Internet Directory?

Thanks,
Eyðun

Message was edited by:
Eyðun E. Jacobsen
  • 1. SOA Suite 11g and OID
    441056 Newbie
    Has anybody had any luck with configuring SOA suite 11g to authenticate against Oracle Internet Directory?

    Kind Regards,
    Eyðun
  • 2. Re: SOA Suite 11g and OID
    441056 Newbie
    Since this thread is quiet, I guess that this is not possible in TP4. It would be very desirable to see this feature in a preview release.

    Eyðun
  • 3. Re: SOA Suite 11g and OID
    domdebailleux Newbie
    Hi Eyðun

    The users you see when you access the Identity Lookup popup are hard coded inside a file called system-jazn-data.xml referenced by jazn.xml.
    (.../o.j2ee/embedded-oc4j/config/)
    In order to access an ldap server, check the end of this jazn.xml file. You should see a commented <jazn> part that looks like:

    <jazn
    xmlns:xsi="......
    .....     
    provider="LDAP" location="<ldap://your_oid_server:port>"
    />

    According to me, if you want to access your own users (those stored in your ldap server), you just ;-) have to dig this. I didn't try yet.

    Hope this helps

    Dominique
  • 4. Re: SOA Suite 11g and OID
    457889 Newbie
    Association with OID is possible in the standalone OC4J env. I will send across a document describing the steps.
  • 5. Re: SOA Suite 11g and OID
    mkamath Newbie
    The following steps need to be followed to configure Identity Service to use LDAP providers in a standalone environment.

    [1] Configure the JPS layer to use LDAP.


    Open jps-config.xml. This file is located in
    $ORACLE_HOME/j2ee/oc4j_soa/config/jps-config.xml
    Locate the <serviceProviders> element. See if an LDAP
    service provider is configured.

    [1.1] Try to locate the <serviceProvider> fragment in
    the file.


    <serviceProvider type="IDENTITY_STORE"
    name="idstore.ldap.provider"
    class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
    <description>Generic LDAP-based ID store</description>
    </serviceProvider>
    Note: If the above fragment is not found, insert it as a child of the
    <serviceProviders> element.


    [1.2] Next, locate the <serviceInstances> element.

    Add a new <serviceInstance> for LDAP using the service
    provider configured above. For example, an OID service
    instance configuration will look like:

    <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
    <property name="subscriber.name" value="dc=us,dc=oracle,dc=com"/>
    <property name="idstore.type" value="OID"/>
    <property name="security.principal.alias" value="JPS"/>
    <property name="security.principal.key" value="oid.credentials"/>
    <property name="ldap.url" value="ldap://machine1.us.oracle.com:389"/>
    <extendedProperty>
    <name>user.search.bases</name>
    <values>
    <value>dc=us,dc=oracle,dc=com</value>
    </values>
    </extendedProperty>
    <extendedProperty>
    <name>group.search.bases</name>
    <values>
    <value>dc=us,dc=oracle,dc=com</value>
    </values>
    </extendedProperty>
    <property name="username.attr" value="cn"/>
    <property name="group.attr" value="cn"/>
    <property name="PROPERTY_ATTRIBUTE_MAPPING" value="im=mail"/>
    </serviceInstance>

    Note:

    The credentials will have to be added to the credential store. In the
    above configuration, the credentials are marked by the
    security.principal.alias (JPS) and the security.principal.key
    (oid.credentials). Follow step [3] to do this. Change other properties
    as appropriate.

    [1.3] Next, add/modify a Jps context to use the service instance
    configured above for the identity store.

    For example:

    <jpsContext name="oid">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="idstore.oid"/>
    <serviceInstanceRef ref="policystore.xml"/>
    <serviceInstanceRef ref="idstore.loginmodule"/>
    <serviceInstanceRef ref="idm"/>
    </jpsContext>

    Note:
    You can also change the default JPS Context, but that will reflect in all
    components that use the context.

    [2] Change the Identity Service configuration to point to the JPS Context
    configured above.



    Locate the workflow-identity-config.xml file under
    OH/j2ee/oc4j_soa/applications/soa-infra/configuration
    Change the value of the jpsContextName property to point to the JPS Context
    configured above.
    For example:
    <provider providerType="JPS"
    name="JpsProvider" service="Identity">
    <property name="jpsContextName" value="oid" />
    </provider>

    [3] Add the LDAP credentials to the credential store

    Locate the soa-infra-users.xml file under OH/install/bpel.
    Add the following ant-task to the file
    <target name="seed-oid-csf">
    <echo message="==Storing oid user credential in csf =="/>
    <java classname="oracle.bpel.services.common.util.CSFStore"
    fork="yes"
    dir="${instance.home}">
    <arg line="-jpsContext default -mapName JPS -keyName oid.credentials
    -userName ${oid.cn} -password ${oid.passwd}"/>
    <classpath>
    <pathelement path="${seeding.classpath}"/>
    </classpath>
    </java>
    </target>
    Note: Run the above task using the following command:
    OH/install/bpel/runconfig seed-oid-csf
    -Doid.cn='cn=orcladmin' -Doid.passwd=welcome

    [4] To seed users to the LDAP, execute the following command:
    OH/install/bpel/runconfig seed-users

    [5] Restart the server after these steps.
  • 6. Re: SOA Suite 11g and OID
    mkamath Newbie
    The resulting jps-config.xml will be as follows:

    <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
    <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" schema-major-version="11" schema-minor-version="1">

    <!-- This property can be used to configure 3rd party IdM at application level jps-config -->
    <!--property name="oracle.security.jps.idm.authentication" value="CUSTOM_AUTH"/-->

    <!-- This property is for jaas mode. Possible values are "off", "doas" and "doasprivileged" -->
    <property name="oracle.security.jps.jaas.mode" value="off"/>

    <!-- These are various jps common properties used for LDAP operations -->
    <property name="oracle.security.jps.farm.name" value="cn=OracleFarmContainer"/>
    <property name="oracle.security.jps.ldap.root.name" value="cn=OracleJpsContainer"/>
    <property name="oracle.security.jps.ldap.max.retry" value="5"/>

    <propertySets>
    <!-- SAML Trusted Issuer -->
    <propertySet name="saml.trusted.issuers.1">
    <property name="name" value="www.oracle.com"/>
    </propertySet>

    <!-- This property points to valid Access SDK installation directory -->
    <propertySet name="access.sdk.properties">
    <property name="access.sdk.install.path" value="$ACCESS_SDK_HOME"/>
    </propertySet>
    </propertySets>

    <serviceProviders>
    <serviceProvider type="CREDENTIAL_STORE" name="credstoressp" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider">
    <description>SecretStore-based CSF provider</description>
    </serviceProvider>

    <serviceProvider type="IDENTITY_STORE" name="idstore.xml.provider" class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider">
    <description>XML-based IdStore Provider</description>
    </serviceProvider>

    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
    <description>Generic LDAP-based ID store</description>
    </serviceProvider>

    <serviceProvider type="POLICY_STORE" name="policystore.xml.provider" class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider">
    <description>XML-based PolicyStore Provider</description>
    </serviceProvider>

    <serviceProvider type="ANONYMOUS" name="anonymous.provider" class="oracle.security.jps.internal.anonymous.idm.IdmAnonymousServiceProvider">
    <description>Anonymous Service Provider</description>
    </serviceProvider>

    <serviceProvider type="LOGIN" name="jaas.login.provider" class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider">
    <description>This is Jaas Login Service Provider and is used to configure login module service instances</description>
    </serviceProvider>

    <serviceProvider type="POLICY_STORE" name="policy.xds" class="oracle.security.jps.internal.policystore.xds.XsPolicyServiceProvider">
    <description>JAAS+ policy service provider</description>
    </serviceProvider>

    <serviceProvider type="XDS_AUTHENTICATION_PROVIDER" name="authentication.xds" class="oracle.security.jps.internal.idstore.xds.XsAuthenticationProvider">
    <description>JAAS+ authentication service provider</description>
    </serviceProvider>

    <serviceProvider type="XDS_SESSION_PROVIDER" name="sessioncookie.xds" class="oracle.security.jps.internal.policystore.xds.session.SessionCookieProvider">
    <description>JAAS+ Session Cookie service provider</description>
    </serviceProvider>

    <!-- 3rd Party Custom Idm Provider -->
    <serviceProvider type="IDM" name="idm.provider" class="oracle.security.jps.internal.idm.IdmServiceProvider">
    <description>3rd Party Custom Idm Provider</description>
    </serviceProvider>

    <serviceProvider name="keystore.provider" type="KEY_STORE" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
    <description>PKI Based Keystore Provider</description>
    <property name="provider.property.name" value="owsm"/>
    </serviceProvider>
    </serviceProviders>

    <serviceInstances>
    <serviceInstance name="credstore" provider="credstoressp" location="./oc4j-credstore">
    <description>File Based Credential Store Service Instance</description>
    </serviceInstance>

    <serviceInstance name="idstore.xml" provider="idstore.xml.provider" location="./system-jazn-data.xml">
    <description>File Based Identity Store Service Instance</description>
    <property name="subscriber.name" value="jazn.com"/>
    </serviceInstance>

    <serviceInstance name="policystore.xml" provider="policystore.xml.provider" location="./system-jazn-data.xml">
    <description>File Based Policy Store Service Instance</description>
    </serviceInstance>

    <serviceInstance name="anonymous" provider="anonymous.provider">
    <description>Anonymous Service Instance</description>
    <!-- Anonymous user name must be defined for anonymous service -->
    <property name="anonymous.user.name" value="anonymous"/>
    <!-- This property set defines the anonymous role -->
    <property name="anonymous.role.name" value="anonymous-role"/>
    </serviceInstance>

    <serviceInstance name="idm" provider="idm.provider">
    <description>JSSO Authentication Configuration</description>
    <property name="idm.authentication.name" value="JavaSSO"/>
    <property name="idm.token.asserter.class" value="oracle.security.jps.internal.jsso.SSOCookieTokenAsserter"/>
    <property name="idm.token.collector.class" value="oracle.security.jps.internal.jsso.SSOCookieTokenCollector"/>
    <property name="idm.token.type" value="COOKIE_TOKEN"/>
    <property name="idm.token.collector.cookie.1" value="ORA_OC4J_SSO"/>
    <property name="custom.sso.url.login" value="/jsso/SSOLogin"/>
    <property name="custom.sso.url.logout" value="/jsso/SSOLogout"/>
    <property name="custom.sso.cred.key" value="JSSO_KEY"/>
    <property name="custom.sso.cred.alias" value="JSSO_ALIAS"/>
    </serviceInstance>

    <serviceInstance name="idm.osso" provider="idm.provider">
    <description>Oracle SSO Authentication Configuration</description>
    <property name="idm.authentication.name" value="OSSO"/>
    <property name="idm.token.asserter.class" value="oracle.security.jps.internal.osso.OSSOTokenAsserter"/>
    <property name="idm.token.collector.class" value="oracle.security.jps.internal.osso.OSSOTokenCollector"/>
    <property name="idm.token.type" value="HEADER_TOKEN"/>
    </serviceInstance>

    <serviceInstance name="idstore.loginmodule" provider="jaas.login.provider">
    <description>Identity Store Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>

    <serviceInstance name="anonymous.loginmodule" provider="jaas.login.provider">
    <description>Anonymous Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.anonymous.AnonymousLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>

    <serviceInstance name="xds.loginmodule" provider="jaas.login.provider">
    <description>JAAS+ LWS LoginModule</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.xds.XsLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUISITE"/>
    </serviceInstance>

    <!-- KeyStore Service Instance -->
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
    <description>Default JPS Keystore Service</description>
    <property name="keystore.type" value="JKS"/>
         <property name="keystore.csf.map" value="oracle.wsm.security"/>
    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
    <property name="keystore.sig.csf.key" value="enc-csf-key"/>
    <property name="keystore.enc.csf.key" value="enc-csf-key"/>      
    </serviceInstance>

    <!-- SAML Login Module -->
    <serviceInstance name="saml.loginmodule" provider="jaas.login.provider">
    <description>SAML Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.saml.JpsSAMLLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    <propertySetRef ref="saml.trusted.issuers.1"/>
    </serviceInstance>

    <!-- This is Kerberos Login Module Instance. -->
    <serviceInstance name="krb5.loginmodule" provider="jaas.login.provider">
    <description>Kerberos Login Module</description>
    <property name="loginModuleClassName" value="com.sun.security.auth.module.Krb5LoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    <property name="storeKey" value="true"/>
    <property name="useKeyTab" value="true"/>
    <property name="doNotPrompt" value="true"/>
    <property name="keyTab" value="./krb5.keytab"/>
    <property name="principal" value="HOST/localhost@EXAMPLE.COM"/>
    </serviceInstance>

    <!-- This is OAM Login Module Instance. -->
    <serviceInstance name="oam.loginmodule" provider="jaas.login.provider">
    <description>Oracle Access Manager Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.oam.OAMLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    <propertySetRef ref="access.sdk.properties"/>
    </serviceInstance>

    <!-- For 10.1.3. Should be removed if not needed. JAZN User Manager Login Module Instance -->
    <serviceInstance name="admin.tool.loginmodule" provider="jaas.login.provider">
    <description>Realm Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jazn.login.module.RealmLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>

    <!-- Digest Authenticator Login Module Instance -->
    <serviceInstance name="digest.authenticator.loginmodule" provider="jaas.login.provider">
    <description>Digest Authenticator Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.digest.DigestLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>

    <!-- Certificate Authenticator Login Module Instance -->
    <serviceInstance name="certificate.authenticator.loginmodule" provider="jaas.login.provider">
    <description>X509 Certificate Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.x509.X509LoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>

    <!-- WSS Username token digest login module -->
    <serviceInstance name="wss.digest.loginmodule" provider="jaas.login.provider">
    <description>WSS Digest Login Module</description>
    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.digest.WSSDigestLoginModule"/>
    <property name="jaas.login.controlFlag" value="REQUIRED"/>
    </serviceInstance>

    <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
    <property name="subscriber.name" value="dc=us,dc=oracle,dc=com"/>
    <property name="idstore.type" value="OID"/>
    <property name="security.principal.alias" value="JPS"/>
    <property name="security.principal.key" value="oid.credentials"/>
    <property name="ldap.url" value="ldap://stapm51.us.oracle.com:389"/>
    <extendedProperty>
    <name>user.search.bases</name>
    <values>
    <value>dc=us,dc=oracle,dc=com</value>
    </values>
    </extendedProperty>
    <extendedProperty>
    <name>group.search.bases</name>
    <values>
    <value>dc=us,dc=oracle,dc=com</value>
    </values>
    </extendedProperty>
    <property name="username.attr" value="cn"/>
    <property name="group.attr" value="cn"/>
    <property name="PROPERTY_ATTRIBUTE_MAPPING" value="im=mail"/>
    </serviceInstance>
    </serviceInstances>

    <jpsContexts default="default">
    <!-- This is the default JPS context. All the mandatory services and Login Modules
    must be configured in this default context -->
    <jpsContext name="default">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="keystore"/>
    <serviceInstanceRef ref="idstore.xml"/>
    <serviceInstanceRef ref="policystore.xml"/>
    <serviceInstanceRef ref="idstore.loginmodule"/>
    <serviceInstanceRef ref="idm"/>
    </jpsContext>

    <jpsContext name="oid">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="keystore"/>
    <serviceInstanceRef ref="idstore.oid"/>
    <serviceInstanceRef ref="policystore.xml"/>
    <serviceInstanceRef ref="idstore.loginmodule"/>
    <serviceInstanceRef ref="idm"/>
    </jpsContext>

    <!-- This is default owsm security context -->
    <jpsContext name="oracle.wsm.security.default">
    <serviceInstanceRef ref="credstore"/>
    <serviceInstanceRef ref="idstore.xml"/>
    <serviceInstanceRef ref="keystore"/>
    <serviceInstanceRef ref="anonymous.loginmodule"/>
    <serviceInstanceRef ref="idstore.loginmodule"/>
    <serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
    <serviceInstanceRef ref="saml.loginmodule"/>
    <serviceInstanceRef ref="krb5.loginmodule"/>
    <serviceInstanceRef ref="oam.loginmodule"/>
    <serviceInstanceRef ref="wss.digest.loginmodule"/>
    </jpsContext>

    <!-- This is the default anonymous Login Module context -->
    <jpsContext name="anonymous">
    <serviceInstanceRef ref="anonymous"/>
    <serviceInstanceRef ref="anonymous.loginmodule"/>
    </jpsContext>

    <!-- Default Idm Login Module -->
    <jpsContext name="oracle.security.jps.fmw.authenticator.IdmAuthenticator">
    <serviceInstanceRef ref="idstore.loginmodule"/>
    </jpsContext>

    <!-- For 10.1.3. Should be removed if not needed. Admin Tool Login Module -->
    <jpsContext name="oracle.security.jazn.tools.Admintool">
    <serviceInstanceRef ref="idstore.loginmodule"/>
    </jpsContext>

    <!-- Digest Authenticator Login Module -->
    <jpsContext name="oracle.security.jps.fmw.authenticator.DigestAuthenticator">
    <serviceInstanceRef ref="digest.authenticator.loginmodule"/>
    </jpsContext>

    <!-- Basic Authenticator Login Module -->
    <jpsContext name="oracle.security.jps.fmw.authenticator.BasicAuthenticator">
    <serviceInstanceRef ref="idstore.loginmodule"/>
    </jpsContext>

    <!-- Certificate Authenticator Login Module -->
    <jpsContext name="X509CertificateAuthentication">
    <serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
    </jpsContext>

    <!-- SAML Login Module Context -->
    <jpsContext name="SAML">
    <serviceInstanceRef ref="saml.loginmodule"/>
    </jpsContext>

    </jpsContexts>
    </jpsConfig>
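Before restarting the server after steps [1] to [3], it is worth checking that the edited jps-config.xml is internally consistent: that every ref in the new jpsContext resolves, that the LDAP instance carries all its properties (a misspelled element such as `<propperty>` is silently ignored by an XML parser, so the property just disappears), that the security.principal.alias/key pair matches the map and key the seed-oid-csf task stored, and whether the bind goes over ldap:// or ldaps://. The script below is an added example, not part of the thread or of Oracle's tooling; it runs offline against a constructed sample and the hostnames and DNs in it are placeholders.

```python
import xml.etree.ElementTree as ET

NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
LDAP_CLASS = "oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider"
REQUIRED_LDAP_PROPS = {"ldap.url", "subscriber.name", "idstore.type", "username.attr",
                       "group.attr", "security.principal.alias", "security.principal.key"}
KNOWN_CHILDREN = {"description", "property", "extendedProperty", "propertySetRef"}

# Constructed sample, not a real server's file: one LDAP store carrying the thread's
# <propperty> typo, a plain ldap:// URL, and a context that references a missing instance.
SAMPLE = f"""<jpsConfig xmlns="{NS}">
  <serviceProviders><serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider"
    class="{LDAP_CLASS}"/></serviceProviders>
  <serviceInstances>
    <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
      <property name="subscriber.name" value="dc=example,dc=com"/>
      <property name="idstore.type" value="OID"/>
      <property name="security.principal.alias" value="JPS"/>
      <property name="security.principal.key" value="oid.credentials"/>
      <property name="ldap.url" value="ldap://oid.example.com:389"/>
      <property name="username.attr" value="cn"/>
      <propperty name="group.attr" value="cn"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default"><jpsContext name="oid">
    <serviceInstanceRef ref="idstore.oid"/>
    <serviceInstanceRef ref="policystore.xml"/>
  </jpsContext></jpsContexts>
</jpsConfig>"""

def _local(tag):
    """Strip the default namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def check_jps_config(xml_text, csf_map, csf_key):
    """Return a list of findings; an empty list means the config is internally consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    providers = {p.get("name"): p.get("class")
                 for p in root.iter() if _local(p.tag) == "serviceProvider"}
    instances = {i.get("name"): i
                 for i in root.iter() if _local(i.tag) == "serviceInstance"}
    # 1. every serviceInstanceRef inside a jpsContext must name a configured instance
    for ctx in (c for c in root.iter() if _local(c.tag) == "jpsContext"):
        for ref in ctx:
            if _local(ref.tag) == "serviceInstanceRef" and ref.get("ref") not in instances:
                findings.append(f"context {ctx.get('name')}: unknown ref {ref.get('ref')}")
    for name, inst in instances.items():
        if providers.get(inst.get("provider")) != LDAP_CLASS:
            continue  # only LDAP identity stores get the checks below
        # 2. a misspelled child such as <propperty> is silently ignored by the parser,
        #    so the property it was meant to set simply goes missing
        props = {}
        for child in inst:
            tag = _local(child.tag)
            if tag == "property":
                props[child.get("name")] = child.get("value")
            elif tag not in KNOWN_CHILDREN:
                findings.append(f"instance {name}: unexpected element <{tag}>")
        for missing in sorted(REQUIRED_LDAP_PROPS - props.keys()):
            findings.append(f"instance {name}: missing property {missing}")
        # 3. alias/key must match the map/key the seed-oid-csf task stored in the CSF
        if (props.get("security.principal.alias"), props.get("security.principal.key")) != (csf_map, csf_key):
            findings.append(f"instance {name}: CSF alias/key differ from the seeded credential")
        # 4. a plain ldap:// URL sends the bind password to the directory in clear text
        if props.get("ldap.url", "").startswith("ldap://"):
            findings.append(f"instance {name}: ldap.url is not ldaps://")
    return findings
```

Calling `check_jps_config(open(path).read(), "JPS", "oid.credentials")` on the real file reproduces the alias/key values from the `-mapName JPS -keyName oid.credentials` arguments of the seeding task.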
  • 7. Re: SOA Suite 11g and OID
    mkamath Newbie
    The resulting workflow-identity-config.xml will be as follows:

    <?xml version = '1.0' encoding = 'UTF-8'?>
    <ISConfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig" >
    <configurations>
    <configuration realmName="jazn.com">
    <provider providerType="JPS" name="JpsProvider" service="Identity">
    <property name="jpsContextName" value="oid" />
    </provider>
    </configuration>
    </configurations>
    </ISConfiguration>
  • 8. Re: SOA Suite 11g and OID
    441056 Newbie
    Thanks a lot. I've managed to connect SOA Suite 11g TP4 to OID.

    A few things that I had to do differently:

    1) On my system the oracle instance is not a subdirectory of the jdev install-directory. The steps I performed were: configure SOA normally and then change the config files: soa-infra-users.xml was under the jdev install dir, and jps-config.xml and workflow-identity-config.xml under the oracle instance dir.

    2) Provide more parameters to runconfig, e.g.
    /export/home/oracle/jdevelopertp4/install/bpel/runconfig seed-users -Doid.cn='cn=orcladmin' -Doid.passwd=pw1 -Doracle.instance=/oracle/app/oracle/jdevworktp4/system11.1.1.0.22.49.49 -Dsoasuite.jdbc.connectstring=xxx:1521:sid -Dsoasuite.db.user=jdev_soainfra -Dsoasuite.db.password=pw2

    3) Add the anonymous user to OID manually since neither the worklist app nor the jdev human task design environment could connect to the OID.

    Eyðun

    Edited by: Eyðun E. Jacobsen on Aug 25, 2008 10:34 AM
  • 9. Re: SOA Suite 11g and OID
    mdsabir Newbie
    Hi Mohan
    I did follow the steps mentioned by you to configure the OID on 11g SOA and Worklist Application.
    Steps: Right click on the SOADomain and Security Credentials, added the LDAP details, and JS property did add the following:
    Propertyname - BaseUser and Base Group were added.
    Still I don't see users from the OID repository.
    Any suggestion would be much appreciated.
    Regards
    Sabir

    Edited by: sab2 on Nov 17, 2009 12:33 AM
  • 10. Re: SOA Suite 11g and OID
    mdsabir Newbie
    Hi Mohan,
    I don't see the soa-infra-user.xml file on our server instance. I have searched the complete directory but with no luck.
    Any suggestions or pointers would help.
    Regards
    Sabir

    Edited by: sab2 on Nov 22, 2009 2:37 PM