10 Replies Latest reply: Nov 22, 2009 4:37 PM by mdsabir

    [SOLVED] SOA Suite 11g and OID

    441056
      How should I configure OC4J in TP4 such that Human Tasks can be assigned to users in an LDAP directory, e.g Oracle Internet Directory?

      Thanks,
      Eyðun

      Message was edited by:
      Eyðun E. Jacobsen
        • 1. SOA Suite 11g and OID
          441056
          Has anybody had any luck with configuring SOA suite 11g to authenticate against Oracle Internet Directory?

          Kind Regards,
          Eyðun
          • 2. Re: SOA Suite 11g and OID
            441056
            Since this thread is quiet, I guess that this is not possible in TP4. It would be very desirable to see this feature in a preview release.

            Eyðun
            • 3. Re: SOA Suite 11g and OID
              domdebailleux
              Hi Eyðun

              The users you see when you access the Identity Lookup popup are hard coded inside a file called system-jazn-data.xml referenced by jazn.xml .
              (.../o.j2ee/embedded-oc4j/config/)
              In order to access an ldap server, check the end of this jazn.xml file. You should see a commented <jazn> part that looks like:

              <jazn
              xmlns:xsi="......
              .....     
              provider="LDAP" location="<ldap://your_oid_server:port>"
              />

              According to me, if you want to access your own users (those stored in your ldap server), you just ;-) have to dig this. I didn't try yet.

              Hope this helps

              Dominique
              • 4. Re: SOA Suite 11g and OID
                457889
                Association with OID is possible in the standalone OC4J env. I will send across a document describing the steps.
                • 5. Re: SOA Suite 11g and OID
                  mkamath
                  The following steps need to be followed to configure
                  Identity Service to use LDAP providers in a standalone
                  environment.

                  [1] Configure the JPS layer to use LDAP.


                  Open jps-config.xml. This file is located in
                  $ORACLE_HOME/j2ee/oc4j_soa/config/jps-config.xml
                  Locate the <serviceProviders> element. See if an LDAP
                  service provider is configured.

                  [1.1] Try to locate the <serviceProvider> fragment in
                  the file.


                  <serviceProvider type="IDENTITY_STORE"
                  name="idstore.ldap.provider"
                  class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
                  <description>Generic LDAP-based ID store</description>
                  </serviceProvider>
                  Note: If the above fragment is not found, insert it as a child of the
                  <serviceProviders> element.


                  [1.2] Next, locate the <serviceInstances> element.

                  Add a new <serviceInstance> for LDAP using the service
                  provider configured above. For example, an OID service
                  instance configuration will look like:

                  <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
                  <property name="subscriber.name" value="dc=us,dc=oracle,dc=com"/>
                  <property name="idstore.type" value="OID"/>
                  <property name="security.principal.alias" value="JPS"/>
                  <property name="security.principal.key" value="oid.credentials"/>
                  <property name="ldap.url" value="ldap://machine1.us.oracle.com:389"/>
                  <extendedProperty>
                  <name>user.search.bases</name>
                  <values>
                  <value>dc=us,dc=oracle,dc=com</value>
                  </values>
                  </extendedProperty>
                  <extendedProperty>
                  <name>group.search.bases</name>
                  <values>
                  <value>dc=us,dc=oracle,dc=com</value>
                  </values>
                  </extendedProperty>
                  <property name="username.attr" value="cn"/>
                  <property name="group.attr" value="cn"/>
                  <property name="PROPERTY_ATTRIBUTE_MAPPING" value="im=mail"/>
                  </serviceInstance>

                  Note:

                  The credentials will have to be added to the credential store. In the
                  above configuration, the credentials are marked by the
                  security.principal.alias (JPS) and the security.principal.key
                  (oid.credentials). Follow step [3] to do this. Change other properties
                  as appropriate.

                  [1.3] Next, add/modify a Jps context to use the service instance
                  configured above for the identity store.

                  For example:

                  <jpsContext name="oid">
                  <serviceInstanceRef ref="credstore"/>
                  <serviceInstanceRef ref="idstore.oid"/>
                  <serviceInstanceRef ref="policystore.xml"/>
                  <serviceInstanceRef ref="idstore.loginmodule"/>
                  <serviceInstanceRef ref="idm"/>
                  </jpsContext>

                  Note:
                  You can also change the default JPS Context, but that will reflect in all
                  components that use the context.

                  [2] Change the Identity Service configuration to point to the JPS Context
                  configured above.



                  Locate the workflow-identity-config.xml file under
                  OH/j2ee/oc4j_soa/applications/soa-infra/configuration
                  Change the value of the jpsContextName property to point to the JPS Context
                  configured above.
                  For example:
                  <provider providerType="JPS"
                  name="JpsProvider" service="Identity">
                  <property name="jpsContextName" value="oid" />
                  </provider>

                  [3] Add the LDAP credentials to the credential store

                  Locate the soa-infra-users.xml file under OH/install/bpel.
                  Add the following ant-task to the file
                  <target name="seed-oid-csf">
                  <echo message="==Storing oid user credential in csf =="/>
                  <java classname="oracle.bpel.services.common.util.CSFStore"
                  fork="yes"
                  dir="${instance.home}">
                  <arg line="-jpsContext default -mapName JPS -keyName oid.credentials
                  -userName ${oid.cn} -password ${oid.passwd}"/>
                  <classpath>
                  <pathelement path="${seeding.classpath}"/>
                  </classpath>
                  </java>
                  </target>
                  Note: Run the above task using the following command:
                  OH/install/bpel/runconfig seed-oid-csf
                  -Doid.cn='cn=orcladmin' -Doid.passwd=welcome

                  [4] To seed users to the LDAP, execute the following command:
                  OH/install/bpel/runconfig seed-users

                  [5] Restart the server after these steps.
                  • 6. Re: SOA Suite 11g and OID
                    mkamath
                    The resulting jps-config.xml will be as follows:

                    <?xml version="1.0" encoding="UTF-8" standalone='yes'?>
                    <jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd" schema-major-version="11" schema-minor-version="1">

                    <!-- This property can be used to configure 3rd party IdM at application level jps-config -->
                    <!--property name="oracle.security.jps.idm.authentication" value="CUSTOM_AUTH"/-->

                    <!-- This property is for jaas mode. Possible values are "off", "doas" and "doasprivileged" -->
                    <property name="oracle.security.jps.jaas.mode" value="off"/>

                    <!-- These are various jps common properties used for LDAP operations -->
                    <property name="oracle.security.jps.farm.name" value="cn=OracleFarmContainer"/>
                    <property name="oracle.security.jps.ldap.root.name" value="cn=OracleJpsContainer"/>
                    <property name="oracle.security.jps.ldap.max.retry" value="5"/>

                    <propertySets>
                    <!-- SAML Trusted Issuer -->
                    <propertySet name="saml.trusted.issuers.1">
                    <property name="name" value="www.oracle.com"/>
                    </propertySet>

                    <!-- This property points to valid Access SDK installation directory -->
                    <propertySet name="access.sdk.properties">
                    <property name="access.sdk.install.path" value="$ACCESS_SDK_HOME"/>
                    </propertySet>
                    </propertySets>

                    <serviceProviders>
                    <serviceProvider type="CREDENTIAL_STORE" name="credstoressp" class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider">
                    <description>SecretStore-based CSF provider</description>
                    </serviceProvider>

                    <serviceProvider type="IDENTITY_STORE" name="idstore.xml.provider" class="oracle.security.jps.internal.idstore.xml.XmlIdentityStoreProvider">
                    <description>XML-based IdStore Provider</description>
                    </serviceProvider>

                         <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider" class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
                    <description>XML-based IdStore Provider</description>
                    </serviceProvider>

                    <serviceProvider type="POLICY_STORE" name="policystore.xml.provider" class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider">
                    <description>XML-based PolicyStore Provider</description>
                    </serviceProvider>

                    <serviceProvider type="ANONYMOUS" name="anonymous.provider" class="oracle.security.jps.internal.anonymous.idm.IdmAnonymousServiceProvider">
                    <description>Anonymous Service Provider</description>
                    </serviceProvider>

                    <serviceProvider type="LOGIN" name="jaas.login.provider" class="oracle.security.jps.internal.login.jaas.JaasLoginServiceProvider">
                    <description>This is Jaas Login Service Provider and is used to configure login module service instances</description>
                    </serviceProvider>

                    <serviceProvider type="POLICY_STORE" name="policy.xds" class="oracle.security.jps.internal.policystore.xds.XsPolicyServiceProvider">
                    <description>JAAS+ policy service provider</description>
                    </serviceProvider>

                    <serviceProvider type="XDS_AUTHENTICATION_PROVIDER" name="authentication.xds" class="oracle.security.jps.internal.idstore.xds.XsAuthenticationProvider">
                    <description>JAAS+ authentication service provider</description>
                    </serviceProvider>

                    <serviceProvider type="XDS_SESSION_PROVIDER" name="sessioncookie.xds" class="oracle.security.jps.internal.policystore.xds.session.SessionCookieProvider">
                    <description>JAAS+ Session Cookie service provider</description>
                    </serviceProvider>

                    <!-- 3rd Party Custom Idm Provider -->
                    <serviceProvider type="IDM" name="idm.provider" class="oracle.security.jps.internal.idm.IdmServiceProvider">
                    <description>3rd Party Custom Idm Provider</description>
                    </serviceProvider>

                    <serviceProvider name="keystore.provider" type="KEY_STORE" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
                    <description>PKI Based Keystore Provider</description>
                    <property name="provider.property.name" value="owsm"/>
                    </serviceProvider>
                    </serviceProviders>

                    <serviceInstances>
                    <serviceInstance name="credstore" provider="credstoressp" location="./oc4j-credstore">
                    <description>File Based Credential Store Service Instance</description>
                    </serviceInstance>

                    <serviceInstance name="idstore.xml" provider="idstore.xml.provider" location="./system-jazn-data.xml">
                    <description>File Based Identity Store Service Instance</description>
                    <property name="subscriber.name" value="jazn.com"/>
                    </serviceInstance>

                    <serviceInstance name="policystore.xml" provider="policystore.xml.provider" location="./system-jazn-data.xml">
                    <description>File Based Policy Store Service Instance</description>
                    </serviceInstance>

                    <serviceInstance name="anonymous" provider="anonymous.provider">
                    <description>Anonymous Service Instance</description>
                    <!-- Anonymous user name must be defined for anonymous service -->
                    <property name="anonymous.user.name" value="anonymous"/>
                    <!-- This property set defines the anonymous role -->
                    <property name="anonymous.role.name" value="anonymous-role"/>
                    </serviceInstance>

                    <serviceInstance name="idm" provider="idm.provider">
                    <description>JSSO Authentication Configuration</description>
                    <property name="idm.authentication.name" value="JavaSSO"/>
                    <property name="idm.token.asserter.class" value="oracle.security.jps.internal.jsso.SSOCookieTokenAsserter"/>
                    <property name="idm.token.collector.class" value="oracle.security.jps.internal.jsso.SSOCookieTokenCollector"/>
                    <property name="idm.token.type" value="COOKIE_TOKEN"/>
                    <property name="idm.token.collector.cookie.1" value="ORA_OC4J_SSO"/>
                    <property name="custom.sso.url.login" value="/jsso/SSOLogin"/>
                    <property name="custom.sso.url.logout" value="/jsso/SSOLogout"/>
                    <property name="custom.sso.cred.key" value="JSSO_KEY"/>
                    <property name="custom.sso.cred.alias" value="JSSO_ALIAS"/>
                    </serviceInstance>

                    <serviceInstance name="idm.osso" provider="idm.provider">
                    <description>Oracle SSO Authentication Configuration</description>
                    <property name="idm.authentication.name" value="OSSO"/>
                    <property name="idm.token.asserter.class" value="oracle.security.jps.internal.osso.OSSOTokenAsserter"/>
                    <property name="idm.token.collector.class" value="oracle.security.jps.internal.osso.OSSOTokenCollector"/>
                    <property name="idm.token.type" value="HEADER_TOKEN"/>
                    </serviceInstance>

                    <serviceInstance name="idstore.loginmodule" provider="jaas.login.provider">
                    <description>Identity Store Login Module</description>
                    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.idstore.IdStoreLoginModule"/>
                    <property name="jaas.login.controlFlag" value="REQUIRED"/>
                    </serviceInstance>

                    <serviceInstance name="anonymous.loginmodule" provider="jaas.login.provider">
                    <description>Anonymous Login Module</description>
                    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.anonymous.AnonymousLoginModule"/>
                    <property name="jaas.login.controlFlag" value="REQUIRED"/>
                    </serviceInstance>

                    <serviceInstance name="xds.loginmodule" provider="jaas.login.provider">
                    <description>JAAS+ LWS LoginModule</description>
                    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.xds.XsLoginModule"/>
                    <property name="jaas.login.controlFlag" value="REQUISITE"/>
                    </serviceInstance>

                    <!-- KeyStore Service Instance -->
                    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
                    <description>Default JPS Keystore Service</description>
                    <property name="keystore.type" value="JKS"/>
                         <property name="keystore.csf.map" value="oracle.wsm.security"/>
                    <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
                    <property name="keystore.sig.csf.key" value="enc-csf-key"/>
                    <property name="keystore.enc.csf.key" value="enc-csf-key"/>      
                    </serviceInstance>

                    <!-- SAML Login Module -->
                    <serviceInstance name="saml.loginmodule" provider="jaas.login.provider">
                    <description>SAML Login Module</description>
                    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.saml.JpsSAMLLoginModule"/>
                    <property name="jaas.login.controlFlag" value="REQUIRED"/>
                    <propertySetRef ref="saml.trusted.issuers.1"/>
                    </serviceInstance>

                    <!-- This is Kerberos Login Module Instance. -->
                    <serviceInstance name="krb5.loginmodule" provider="jaas.login.provider">
                    <description>Kerberos Login Module</description>
                    <property name="loginModuleClassName" value="com.sun.security.auth.module.Krb5LoginModule"/>
                    <property name="jaas.login.controlFlag" value="REQUIRED"/>
                    <property name="storeKey" value="true"/>
                    <property name="useKeyTab" value="true"/>
                    <property name="doNotPrompt" value="true"/>
                    <property name="keyTab" value="./krb5.keytab"/>
                    <property name="principal" value="HOST/localhost@EXAMPLE.COM"/>
                    </serviceInstance>

                    <!-- This is OAM Login Module Instance. -->
                    <serviceInstance name="oam.loginmodule" provider="jaas.login.provider">
                    <description>Oracle Access Manager Login Module</description>
                    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.oam.OAMLoginModule"/>
                    <property name="jaas.login.controlFlag" value="REQUIRED"/>
                    <propertySetRef ref="access.sdk.properties"/>
                    </serviceInstance>

                    <!-- For 10.1.3. Should be removed if not needed. JAZN User Manager Login Module Instance -->
                    <serviceInstance name="admin.tool.loginmodule" provider="jaas.login.provider">
                    <description>Realm Login Module</description>
                    <property name="loginModuleClassName" value="oracle.security.jazn.login.module.RealmLoginModule"/>
                    <property name="jaas.login.controlFlag" value="REQUIRED"/>
                    </serviceInstance>

                    <!-- Digest Authenticator Login Module Instance -->
                    <serviceInstance name="digest.authenticator.loginmodule" provider="jaas.login.provider">
                    <description>Digest Authenticator Login Module</description>
                    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.digest.DigestLoginModule"/>
                    <property name="jaas.login.controlFlag" value="REQUIRED"/>
                    </serviceInstance>

                    <!-- Certificate Authenticator Login Module Instance -->
                    <serviceInstance name="certificate.authenticator.loginmodule" provider="jaas.login.provider">
                    <description>X509 Certificate Login Module</description>
                    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.x509.X509LoginModule"/>
                    <property name="jaas.login.controlFlag" value="REQUIRED"/>
                    </serviceInstance>

                    <!-- WSS Username token digest login module -->
                    <serviceInstance name="wss.digest.loginmodule" provider="jaas.login.provider">
                    <description>WSS Digest Login Module</description>
                    <property name="loginModuleClassName" value="oracle.security.jps.internal.jaas.module.digest.WSSDigestLoginModule"/>
                    <property name="jaas.login.controlFlag" value="REQUIRED"/>
                    </serviceInstance>

                         <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
                    <property name="subscriber.name" value="dc=us,dc=oracle,dc=com"/>
                    <property name="idstore.type" value="OID"/>
                    <property name="security.principal.alias" value="JPS"/>
                    <property name="security.principal.key" value="oid.credentials"/>
                    <property name="ldap.url" value="ldap://stapm51.us.oracle.com:389"/>
                    <extendedProperty>
                    <name>user.search.bases</name>
                    <values>
                    <value>dc=us,dc=oracle,dc=com</value>
                    </values>
                    </extendedProperty>
                    <extendedProperty>
                    <name>group.search.bases</name>
                    <values>
                    <value>dc=us,dc=oracle,dc=com</value>
                    </values>
                    </extendedProperty>
                    <property name="username.attr" value="cn"/>
                    <property name="group.attr" value="cn"/>
                         <property name="PROPERTY_ATTRIBUTE_MAPPING" value="im=mail"/>
                         </serviceInstance>
                    </serviceInstances>

                    <jpsContexts default="default">
                    <!-- This is the default JPS context. All the mandatory services and Login Modules
                    must be configured in this default context -->
                    <jpsContext name="default">
                    <serviceInstanceRef ref="credstore"/>                                   
                    <serviceInstanceRef ref="keystore"/>
                    <serviceInstanceRef ref="idstore.xml"/>
                    <serviceInstanceRef ref="policystore.xml"/>
                    <serviceInstanceRef ref="idstore.loginmodule"/>
                    <serviceInstanceRef ref="idm"/>
                    </jpsContext>

                         <jpsContext name="oid">
                    <serviceInstanceRef ref="credstore"/>
                    <serviceInstanceRef ref="keystore"/>
                    <serviceInstanceRef ref="idstore.oid"/>
                    <serviceInstanceRef ref="policystore.xml"/>
                    <serviceInstanceRef ref="idstore.loginmodule"/>
                    <serviceInstanceRef ref="idm"/>
                    </jpsContext>

                    <!-- This is default owsm security context -->
                    <jpsContext name="oracle.wsm.security.default">
                    <serviceInstanceRef ref="credstore"/>
                    <serviceInstanceRef ref="idstore.xml"/>
                    <serviceInstanceRef ref="keystore"/>
                    <serviceInstanceRef ref="anonymous.loginmodule"/>
                    <serviceInstanceRef ref="idstore.loginmodule"/>
                    <serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
                    <serviceInstanceRef ref="saml.loginmodule"/>
                    <serviceInstanceRef ref="krb5.loginmodule"/>
                    <serviceInstanceRef ref="oam.loginmodule"/>
                    <serviceInstanceRef ref="wss.digest.loginmodule"/>
                    </jpsContext>

                    <!-- This is the default anonymous Login Module context -->
                    <jpsContext name="anonymous">
                    <serviceInstanceRef ref="anonymous"/>
                    <serviceInstanceRef ref="anonymous.loginmodule"/>
                    </jpsContext>

                    <!-- Default Idm Login Module -->
                    <jpsContext name="oracle.security.jps.fmw.authenticator.IdmAuthenticator">
                    <serviceInstanceRef ref="idstore.loginmodule"/>
                    </jpsContext>

                    <!-- For 10.1.3. Should be removed if not needed. Admin Tool Login Module -->
                    <jpsContext name="oracle.security.jazn.tools.Admintool">
                    <serviceInstanceRef ref="idstore.loginmodule"/>
                    </jpsContext>

                    <!-- Digest Authenticator Login Module -->
                    <jpsContext name="oracle.security.jps.fmw.authenticator.DigestAuthenticator">
                    <serviceInstanceRef ref="digest.authenticator.loginmodule"/>
                    </jpsContext>

                    <!-- Basic Authenticator Login Module -->
                    <jpsContext name="oracle.security.jps.fmw.authenticator.BasicAuthenticator">
                    <serviceInstanceRef ref="idstore.loginmodule"/>
                    </jpsContext>

                    <!-- Certificate Authenticator Login Module -->
                    <jpsContext name="X509CertificateAuthentication">
                    <serviceInstanceRef ref="certificate.authenticator.loginmodule"/>
                    </jpsContext>

                    <!-- SAML Login Module Context -->
                    <jpsContext name="SAML">
                    <serviceInstanceRef ref="saml.loginmodule"/>
                    </jpsContext>

                    </jpsContexts>
                    </jpsConfig>
                    • 7. Re: SOA Suite 11g and OID
                      mkamath
                      The resulting workflow-identity-config.xml will be as follows:

                      <?xml version = '1.0' encoding = 'UTF-8'?>
                      <ISConfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig" >
                      <configurations>
                      <configuration realmName="jazn.com">
                      <provider providerType="JPS" name="JpsProvider" service="Identity">
                      <property name="jpsContextName" value="oid" />
                      </provider>
                      </configuration>
                      </configurations>
                      </ISConfiguration>
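As an added example (not code from the thread or from Oracle), here is a Python checker that applies the wiring rules steps [1.1] to [3] above describe: it confirms that the LDAP serviceProvider exists, that every serviceInstance names a known provider and carries only the child elements the thread's config uses (so a misspelled element such as `<propperty>` is reported), that the OID instance has the five properties step [1.2] sets, that each jpsContext references only defined instances, and that the jpsContextName in workflow-identity-config.xml resolves to a context that actually contains an LDAP-backed identity store. It also warns when ldap.url uses plain `ldap://`, since the bind password then crosses the network unencrypted, and reminds that the alias/key pair must be seeded in the credential store. The two namespaces are the ones in the files quoted above; the embedded sample files, their host name and DN, and the set of permitted child elements are constructed assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET

# Namespaces as they appear in the two files quoted in the thread.
JPS_NS = "{http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd}"
IS_NS = "{http://www.oracle.com/pcbpel/identityservice/isconfig}"
LDAP_PROVIDER_CLASS = "oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider"
# Properties step [1.2] sets on the OID instance.
REQUIRED_LDAP_PROPS = ("subscriber.name", "idstore.type", "ldap.url",
                       "security.principal.alias", "security.principal.key")
# Child elements seen under <serviceInstance> in the thread's config; anything else
# is reported as a probable typo (assumption: the schema allows no others).
KNOWN_INSTANCE_CHILDREN = {"description", "property", "extendedProperty", "propertySetRef"}


def check_jps_config(xml_text):
    """Return ERROR/WARN/INFO findings for the jps-config.xml edits of steps [1.1]-[1.3]."""
    root = ET.fromstring(xml_text)
    providers = {p.get("name"): p.get("class") for p in root.iter(JPS_NS + "serviceProvider")}
    instances = {i.get("name"): i for i in root.iter(JPS_NS + "serviceInstance")}
    contexts = {c.get("name"): c for c in root.iter(JPS_NS + "jpsContext")}
    findings = []
    if LDAP_PROVIDER_CLASS not in providers.values():
        findings.append("ERROR: no serviceProvider uses " + LDAP_PROVIDER_CLASS)
    for name, inst in instances.items():
        prov = inst.get("provider")
        if prov not in providers:
            findings.append(f"ERROR: serviceInstance {name!r} references unknown provider {prov!r}")
        for child in inst:  # strip the {namespace} prefix ElementTree puts on tag names
            local = child.tag.rsplit("}", 1)[-1]
            if local not in KNOWN_INSTANCE_CHILDREN:
                findings.append(f"ERROR: serviceInstance {name!r} has unexpected element <{local}> (typo?)")
        if providers.get(prov) == LDAP_PROVIDER_CLASS:
            props = {p.get("name"): p.get("value") for p in inst.findall(JPS_NS + "property")}
            for req in REQUIRED_LDAP_PROPS:
                if req not in props:
                    findings.append(f"ERROR: LDAP instance {name!r} lacks property {req!r}")
            url = props.get("ldap.url", "")
            if url.startswith("ldap://"):
                findings.append(f"WARN: LDAP instance {name!r} binds over plain {url}; "
                                "the bind password and directory traffic are unencrypted")
            if {"security.principal.alias", "security.principal.key"} <= set(props):
                findings.append(f"INFO: credential store must hold map {props['security.principal.alias']!r} "
                                f"key {props['security.principal.key']!r} for {name!r} (step [3])")
    for cname, ctx in contexts.items():
        for ref in ctx.findall(JPS_NS + "serviceInstanceRef"):
            if ref.get("ref") not in instances:
                findings.append(f"ERROR: jpsContext {cname!r} references undefined "
                                f"serviceInstance {ref.get('ref')!r}")
    return findings


def check_identity_service(jps_xml, is_xml):
    """Cross-check workflow-identity-config.xml (step [2]) against jps-config.xml."""
    jps = ET.fromstring(jps_xml)
    providers = {p.get("name"): p.get("class") for p in jps.iter(JPS_NS + "serviceProvider")}
    instances = {i.get("name"): i.get("provider") for i in jps.iter(JPS_NS + "serviceInstance")}
    contexts = {c.get("name"): c for c in jps.iter(JPS_NS + "jpsContext")}
    findings = []
    for prov in ET.fromstring(is_xml).iter(IS_NS + "provider"):
        if prov.get("providerType") != "JPS":
            continue
        names = [p.get("value") for p in prov.findall(IS_NS + "property")
                 if p.get("name") == "jpsContextName"]
        if not names:
            findings.append("ERROR: JPS identity provider has no jpsContextName property")
            continue
        if names[0] not in contexts:
            findings.append(f"ERROR: jpsContextName {names[0]!r} is not defined in jps-config.xml")
            continue
        refs = [r.get("ref") for r in contexts[names[0]].findall(JPS_NS + "serviceInstanceRef")]
        if not any(providers.get(instances.get(r)) == LDAP_PROVIDER_CLASS for r in refs):
            findings.append(f"WARN: jpsContext {names[0]!r} has no LDAP-backed identity store instance")
    return findings


# Constructed sample files modelled on the thread's fragments (placeholder host and DN,
# not a real deployment). The sample deliberately keeps the <propperty> typo and a
# dangling serviceInstanceRef so the checker has something to report.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
 <serviceProviders>
  <serviceProvider type="CREDENTIAL_STORE" name="credstoressp"
    class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider"/>
  <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider"
    class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider"/>
 </serviceProviders>
 <serviceInstances>
  <serviceInstance name="credstore" provider="credstoressp" location="./oc4j-credstore"/>
  <serviceInstance name="idstore.oid" provider="idstore.ldap.provider">
   <property name="subscriber.name" value="dc=example,dc=com"/>
   <property name="idstore.type" value="OID"/>
   <property name="security.principal.alias" value="JPS"/>
   <property name="security.principal.key" value="oid.credentials"/>
   <property name="ldap.url" value="ldap://oid.example.com:389"/>
   <property name="username.attr" value="cn"/>
   <propperty name="group.attr" value="cn"/>
  </serviceInstance>
 </serviceInstances>
 <jpsContexts default="default">
  <jpsContext name="oid">
   <serviceInstanceRef ref="credstore"/>
   <serviceInstanceRef ref="idstore.oid"/>
   <serviceInstanceRef ref="idstore.loginmodule"/>
  </jpsContext>
 </jpsContexts>
</jpsConfig>"""

SAMPLE_IS_CONFIG = """<ISConfiguration xmlns="http://www.oracle.com/pcbpel/identityservice/isconfig">
 <configurations><configuration realmName="jazn.com">
  <provider providerType="JPS" name="JpsProvider" service="Identity">
   <property name="jpsContextName" value="oid"/>
  </provider>
 </configuration></configurations>
</ISConfiguration>"""

if __name__ == "__main__":
    for line in check_jps_config(SAMPLE_JPS_CONFIG) + check_identity_service(SAMPLE_JPS_CONFIG, SAMPLE_IS_CONFIG):
        print(line)
```

Run it against the real files by reading them from the paths the thread gives (jps-config.xml under the oc4j_soa config directory, workflow-identity-config.xml under the soa-infra configuration directory) and passing the text to the two functions; on the built-in sample it reports the `<propperty>` typo, the undefined `idstore.loginmodule` reference, the plain-text `ldap://` bind and the credential-store reminder, while the Identity Service cross-check passes because `oid` is a defined context holding an LDAP-backed store.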
                      • 8. Re: SOA Suite 11g and OID
                        441056
                        Thanks a lot. I've managed to connect SOA Suite 11g TP4 to OID.

                        A few things that I had to do differently:

                        1) On my system the oracle instance is not a subdirectory of the jdev install-directory. The steps I performed were to configure SOA normally and then change the config files: soa-infra-users.xml was under the jdev install dir, and jps-config.xml and workflow-identity-config.xml under the oracle instance dir.

                        2) Provide more parameters to runconfig, e.g.
                        /export/home/oracle/jdevelopertp4/install/bpel/runconfig seed-users -Doid.cn='cn=orcladmin' -Doid.passwd=pw1 -Doracle.instance=/oracle/app/oracle/jdevworktp4/system11.1.1.0.22.49.49 -Dsoasuite.jdbc.connectstring=xxx:1521:sid -Dsoasuite.db.user=jdev_soainfra -Dsoasuite.db.password=pw2

                        3) Add the anonymous user to OID manually since neither the worklist app nor the jdev human task design environment could connect to the OID.

                        Eyðun

                        Edited by: Eyðun E. Jacobsen on Aug 25, 2008 10:34 AM
                        • 9. Re: SOA Suite 11g and OID
                          mdsabir
                          Hi Mohan
                          I did follow the steps mentioned by you to configure the OID on 11g SOA and Worklist Application.
                          Steps: right-click on the SOADomain and Security Credentials, added the LDAP details and JS property, and did add the following:
                          Propertyname - BaseUser and Base Group were added.
                          Still I don't see users from the OID repository.
                          Any suggestion would be much appreciated.
                          Regards
                          Sabir

                          Edited by: sab2 on Nov 17, 2009 12:33 AM
                          • 10. Re: SOA Suite 11g and OID
                            mdsabir
                            Hi Mohan,
                            I don't see the soa-infra-user.xml file on our server instance. I have searched the complete directory but with no luck.
                            Any suggestions or pointers would help.
                            Regards
                            Sabir

                            Edited by: sab2 on Nov 22, 2009 2:37 PM