3 Replies Latest reply on Jul 20, 2011 7:49 PM by Kevin Smith-Oracle

    Weblogic administrator account is inactive after enabling DB Authenticator

      Hello experts,

      after following the steps for developing a custom database authenticator for a BPM domain as described in:

      - Developing with the User and Role API ( [Fusion docs|http://download.oracle.com/docs/cd/E14571_01/core.1111/e10043/devuserole.htm] )
      - Metalink note 1194815.1 (How to setup a custom DB Authenticator for BPM 11g)

      the weblogic account that was by default set as the administrator of the SOA/BPM domain can neither connect to BPM workspace or perform any administrative tasks in terms of API. The same holds for any other account of the domain. Even though that is pretty much expected as a result of diverting the default authentication provider, it also lays open some questions:

      - Is there any possibility to create an administrative account using the custom DB authenticator ?
      - What kind of groups should be assigned into this kind of user ?
      - In what places these groups should be defined (Enterprise Manager, DB, other ?)
      - Effectively this user can use the authenticateOnBehalfOf() API call of Workflow API and also interact with the Administration link in the BPM workspace application ?

      Many thanks,
        • 1. Re: Weblogic administrator account is inactive after enabling DB Authenticator
          Ravi Jegga
          Hi Serafeim
          1. As far as I know, SOA/BPM domain can work only with One Authentication provider which is the top most in the list of Providers. So in your case you have a custom DB Authenticator. Thats fine. I guess from weblogic admin console -> sercurity realms ....in the Providers tab you re-order the providers and put your custom DB authenticator in the top.

          2. Yes, you will not be able to login into BPM workspace anymore with the user who was in the default authenticator like weblogic. BUT note that you can still login into weblogic admin console and em console with the same userid. Its just the soa/bpm applications only like Worklist application, workspace application etc.

          3. Login into EM Console. In left side, expand SOA -> soa-infra (soa_server1) -> Right Click -> From Menu -> Select Security -> Application Roles. In this opened Window, Click the blue arrow next to the Role Name. There is no need to enter anything in the text field. It will list out all the Roles. Click on the Role named BPMWorkflowAdmin. In this new window, in the bottom section, you can add New Roles/Users from your custom db provider. Say in Users section, click on + Add Users button, in popup window, type some username and search and move it to right side. Then click OK in all the windows. Note that default role is already there which is SOAAdmin.

          4. Now, login into the BPM Workspace, with the above user and he will be the Administrator. He can see the link on the top right hand corner.

          Ravi Jegga
          • 2. Re: Weblogic administrator account is inactive after enabling DB Authenticator
            Many thanks Ravi for the detailed a prompt reply. The workaround you provided worked like charm!

            Thanks again, you saved me a lot of time.
            • 3. Re: Weblogic administrator account is inactive after enabling DB Authenticator
              Kevin Smith-Oracle
              Does the external user need to be listed in the BPMWorkflowAdmin role directly?

              This is what I have

              Role Member
              -------------------------- ------------------------------------------
              BPMWorkflowAdmin SOAAdmin
              SOAAdmin Administrators, wlx_content

              Where wlx_content is the external user I am trying to use.

              Also do I need to restart the SOA managed server or admin sever after making the changes?