43 Replies Latest reply on May 3, 2010 6:03 AM by 752248

    setting a new realm as default realm

    752248
      Hi all,

      I need to integrate weblogic server 9.2 with OAM using SSPI connector.
      I configured weblogic policies in OAM and configured the weblogic server.
      But I couldn't get the NetPointRealm as a realm in the weblogic admin console.
      So I configured a realm named NetPointRealm manually and provided the required security providers.
      So to activate this realm, we need to set this realm as the default realm.
      But I'm not able to set that as the default realm.

      Could anyone please provide any suggestions to set the new realm as the default realm?

      Thanks & Regards,

      Swathi

      Edited by: user9116523 on Apr 19, 2010 10:46 PM
        • 1. Re: setting a new realm as default realm
          Jay SenSharma MiddlewareMagic
          Hi,

          Please log in to the AdminConsole and click on the "Lock & Edit" button.

          Home ---> DomainName (Click) ---> Security (Tab) ---> General (SubTab) ---> Default Realm (ComboBox) ---> Just change it to: "NetPointRealm"

          Save the changes and then restart the servers so that the changes will take effect.
          .
          .
          Thanks
          Jay SenSharma
          http://jaysensharma.wordpress.com (WebLogic Wonders Are Here)
          1 person found this helpful
          • 2. Re: setting a new realm as default realm
            752248
            Hi Jay SenSharma

            Thanks a lot for your reply.
            I followed the steps provided by you and hence could find out how to set a new realm as the default realm.
            But there are certain errors which say that the configuration of NetPointRealm is not proper. The error message is as follows:

            An error occurred during activation of changes, please see the log for details.
            [Management:141191]The prepare phase of the configuration update failed with an exception:
            [Security:090519]The realm NetPointRealm is not properly configured. Follow the directions in the following errors to correctly configure the realm. [Security:090520]The realm NetPointRealm does not have an authenticator configured. To correct the problem, configure an authenticator. [Security:090592]The realm NetPointRealm does not have a cert path builder configured. To correct the problem, select one of the realm's cert path providers as the realm's cert path builder.

            Is the authenticator it is talking about the authenticator in the provider? If so, I configured it.
            Can you please tell how to configure the cert path builder?

            Thanks & Regards,

            Swathi.
            • 3. Re: setting a new realm as default realm
              sandeep_singh
              Hi,

              Actually when you create a new security realm then there are some security providers that should be created for the security realm or otherwise the realm cannot be used.

              So, in order to create a new security realm we should have the following providers present in the realm:
              1: Authentication Provider -
              2: Authorization Provider --
              3: Adjudication Provider --
              4: Role Mapper --
              5: Credential Provider --
              6: Weblogic Cert Path Provider--

              All the above Providers can be created using the default weblogic Provider.
              So I believe you are missing the Weblogic Cert Path provider in the realm and to create it first of all you need to revert back to the default Security Realm so that you can start the server and access the console.
              Then Go to:
              Your Security Realm---- Providers ----Certification Path--
              Click New >>> Then you can choose the Weblogic Cert Path Provider as the Certificate Path Provider.

              thanks,
              Sandeep
              1 person found this helpful
              • 4. Re: setting a new realm as default realm
                user10417700
                Hi Sandeep,

                Thanks a lot for your reply.
                I could configure NetPointRealm as default by following the steps provided by you.

                As I said earlier, I need to integrate weblogic server with OAM using the SSPI connector. I followed the steps provided in the following URL:

                http://download.oracle.com/docs/cd/E12530_01/oam.1014/e10356/weblogic.htm#BHCJBJCJ

                As my script failed, I configured NetPointRealm manually and could set it as the default realm.

                And after that, according to that URL, after we set NetPointRealm as the default realm we need to restart the weblogic server, and the next time we log in to the WebLogic console, we must provide Master Oracle Access Manager Administrator credentials and then we will be authenticated using NetPointRealm.

                But after I set NetPointRealm as the default realm and restart the weblogic server, I'm not able to log in to the WebLogic console by providing Master Oracle Access Manager Administrator credentials.

                Can you please provide a solution to this issue.

                Thanks & Regards,

                Swathi.
                • 5. Re: setting a new realm as default realm
                  Faisal WebLogic Wonders
                  In the Net Point realm try creating a default authenticator as well and keep the control flag as OPTIONAL/SUFFICIENT.
                  Keep the CONTROL flag of the other Authenticator as OPTIONAL/SUFFICIENT as well.

                  Are you able to access the application with OAM Users?


                  Add the following debug flags in the startup scripts and paste the debug info:

                  -Dweblogic.DebugSecurityAtz=true
                  -Dweblogic.DebugSecurityAtn=true

                  HTH,
                  Faisal
                  1 person found this helpful
                  • 6. Re: setting a new realm as default realm
                    user10417700
                    Hi Faisal

                    Thanks for your reply.
                    Could you please tell where to add those debug flags in the startup scripts and how to paste the debug info?

                    -Dweblogic.DebugSecurityAtz=true
                    -Dweblogic.DebugSecurityAtn=true

                    Thanks & Regards,

                    Swathi.
                    • 7. Re: setting a new realm as default realm
                      sandeep_singh
                      You can apply these flags in the startWebLogic script as JAVA_OPTIONS.
                      If it is Windows then you need to apply it in startWebLogic.cmd:

                      set SAVE_JAVA_OPTIONS= -Dweblogic.DebugSecurityAtz=true -Dweblogic.DebugSecurityAtn=true %JAVA_OPTIONS%

                      All should be in a single line separated with single whitespace.

                      In the startWebLogic.sh file:

                      SAVE_JAVA_OPTIONS=" -Dweblogic.DebugSecurityAtz=true -Dweblogic.DebugSecurityAtn=true ${JAVA_OPTIONS}"


                      You can also apply these debug flags from the Admin Console.
                      Go to Servers >>> Your_Server >>> Debug >>>
                      Expand the weblogic tree.
                      then expand the security tree.
                      Then check the atn and atz options and enable it.
                      1 person found this helpful
                      • 8. Re: setting a new realm as default realm
                        752248
                        Hi Sandeep,

                        Thanks a lot for your reply.
                        I could enable these debug flags with the help of your instructions.
                        And I restarted the weblogic server but still couldn't log in to the weblogic server using the OAM Master Administrator credentials.

                        While configuring the Identity Asserter I couldn't select the Token Type ObSSOCookie, and in the Details tab I couldn't uncheck "Base64Decoding Required".
                        So is this the issue??

                        Thanks & Regards,

                        Swathi.
                        • 9. Re: setting a new realm as default realm
                          sandeep_singh
                          The flags provided are only for getting detailed messages in the server log file so that the exact reason for the failing of log-in to the Admin console can be determined.

                          Can you paste the complete server log after trying to log in to the Admin console multiple times?

                          thanks,
                          sandeep
                          1 person found this helpful
                          • 10. Re: setting a new realm as default realm
                            752248
                            Hi Sandeep,

                            Thanks a lot for your reply.
                            Actually I have a basic doubt regarding the creation of the identity asserter in providers for a realm in weblogic server.
                            As you know, I have created a NetPointRealm manually and I'm trying to use this to integrate weblogic server with OAM.

                            For this I need to set base64-decoding-required for the identity asserter in weblogic 9.2 to false.

                            And according to the below forum and the URL mentioned in the forum, I tried to make changes in the config.xml file.
                            But I couldn't find the config.xml file mentioned in the forum.

                            Re: how to disable Base64 encoding

                            Can you please check it out and please provide some steps to continue with the integration procedure.

                            Thanks & Regards,

                            Swathi
                            • 11. Re: setting a new realm as default realm
                              sandeep_singh
                              Hi Swathi,

                              I have already replied to the forum with the exact location where you can apply the tag to make base64-encoding-required to false.

                              As far as config.xml is required you can find the config.xml file at the following location:

                              %WLS_HOME%/user_projects/domains/Your_domain/config :

                              You should always keep a backup of the config.xml file before updating it manually so that you can easily revert back the changes if anything goes wrong.

                              cheers,
                              sandeep
                              • 12. Re: setting a new realm as default realm
                                Faisal WebLogic Wonders
                                Is the NetPoint realm using the default identity asserter? If so, only then you can specify base decoding as false in the config.xml where Sandeep specified. Also I believe it can be done from the console under Provider > Authenticator > Default IdentityAsserter.

                                BUT if the realm is using a Custom Identity Asserter, then you will have to check if the Custom Identity Asserter provides the console option or not.

                                You can paste your config.xml here for us to have a look.
                                • 13. Re: setting a new realm as default realm
                                  752248
                                  Hi Sandeep,

                                  Thanks a lot for your reply.
                                  As you said, I added those lines in the config.xml file located in the path you specified and restarted the weblogic server.
                                  But still Base64 decoding is set to be true.

                                  Could you please find out the way out of this issue.

                                  Thanks & Regards,

                                  Swathi
                                  • 14. Re: setting a new realm as default realm
                                    752248
                                    Hi Faisal,

                                    Thanks a lot for your reply.

                                    Yes, the NetPoint realm is using the default identity asserter.

                                    Config.xml file is as follows:


                                    <?xml version="1.0" encoding="UTF-8"?>
                                    <domain xsi:schemaLocation="http://www.bea.com/ns/weblogic/920/domain
                                    http://www.bea.com/ns/weblogic/920/domain.xsd" xmlns="http://www.bea.com/ns/weblogic/920/domain" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                                    <name>base_domain</name>
                                    <domain-version>9.2.3.0</domain-version>
                                    <security-configuration xmlns:xacml="http://www.bea.com/ns/weblogic/90/security/xacml">
                                    <name>base_domain</name>
                                    <realm>
                                    <sec:authentication-provider xsi:type="wls:default-authenticatorType"/>
                                    <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
                                    <sec:active-type>AuthenticatedUser</sec:active-type>
                                    <sec:active-type>wsse:PasswordDigest</sec:active-type>
                                    <sec:active-type>X.509</sec:active-type>
                                    <sec:base64-decoding-required>false</sec:base64-decoding-required>
                                    <wls:use-default-user-name-mapper>true</wls:use-default-user-name-mapper>
                                    <wls:default-user-name-mapper-attribute-type>CN</wls:default-user-name-mapper-attribute-type>
                                    </sec:authentication-provider>
                                    <sec:role-mapper xsi:type="xacml:xacml-role-mapperType"/>
                                    <sec:authorizer xsi:type="xacml:xacml-authorizerType"/>
                                    <sec:adjudicator xsi:type="wls:default-adjudicatorType"/>
                                    <sec:credential-mapper xsi:type="wls:default-credential-mapperType"/>
                                    <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"/>
                                    <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
                                    <sec:name>myrealm</sec:name>
                                    </realm>
                                    <default-realm>myrealm</default-realm>
                                    <credential-encrypted>{3DES}Vi5yoJAzEZYw/U5nkiNT9B8M043431Rfr/QF2dMB65KlW2rbV3d7a0uGF9YxUnfFZwBv0q0BNLhzmIi/wjJ/sGUnWQ2SvNMK</credential-encrypted>
                                    <node-manager-username>weblogic</node-manager-username>
                                    <node-manager-password-encrypted>{3DES}RCc8ftzF/irGNnXbhZ3nRA==</node-manager-password-encrypted>
                                    </security-configuration>
                                    <server>
                                    <name>AdminServer</name>
                                    <listen-address/>
                                    </server>
                                    <embedded-ldap>
                                    <name>base_domain</name>
                                    <credential-encrypted>{3DES}tYhX7HO2bVJh5Pn4ldTY45UYYd2zBw/URUs++SXMZ8U=</credential-encrypted>
                                    </embedded-ldap>
                                    <configuration-version>9.2.3.0</configuration-version>
                                    <admin-server-name>AdminServer</admin-server-name>
                                    </domain>

                                    Thanks & Regards,

                                    Swathi
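
A read-only check of a config.xml against the points raised in the replies above (the provider list in reply 3, the 090520 and 090592 errors in reply 2, and the identity asserter setting from replies 11 to 14). This is an added example, not code from any poster or from Oracle; the function name, the finding strings and the sample realm are constructed, and treating any xsi:type ending in identity-asserterType as an identity asserter is an assumption.

```python
import xml.etree.ElementTree as ET

# Namespace URIs and element names are the ones in the config.xml posted above.
NS = {"d": "http://www.bea.com/ns/weblogic/920/domain",
      "sec": "http://www.bea.com/ns/weblogic/90/security"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
REQUIRED = ["authorizer", "adjudicator", "role-mapper", "credential-mapper",
            "cert-path-provider", "cert-path-builder"]

def check_default_realm(xml_text):
    """Return findings about the realm named in <default-realm>."""
    sc = ET.fromstring(xml_text).find("d:security-configuration", NS)
    default = sc.findtext("d:default-realm", default="", namespaces=NS)
    realms = {r.findtext("sec:name", default="", namespaces=NS): r
              for r in sc.findall("d:realm", NS)}
    if default not in realms:
        return [f"default realm {default!r} is not defined in this file"]
    realm, findings = realms[default], []
    providers = realm.findall("sec:authentication-provider", NS)
    # Assumption: a provider whose xsi:type ends in identity-asserterType is an
    # identity asserter; anything else under this element is an authenticator.
    asserters = [p for p in providers
                 if p.get(XSI_TYPE, "").endswith("identity-asserterType")]
    if len(asserters) == len(providers):
        findings.append("no authenticator configured")
    findings += [f"no {tag} configured" for tag in REQUIRED
                 if realm.find(f"sec:{tag}", NS) is None]
    for p in asserters:
        b64 = p.findtext("sec:base64-decoding-required", default="unset",
                         namespaces=NS)
        types = [t.text for t in p.findall("sec:active-type", NS)]
        findings.append("identity asserter: base64-decoding-required="
                        f"{b64}, active-types={types}")
    return findings

# Constructed sample: a hand-made realm that is missing several providers.
SAMPLE = """<domain xmlns="http://www.bea.com/ns/weblogic/920/domain"
 xmlns:sec="http://www.bea.com/ns/weblogic/90/security"
 xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<security-configuration xmlns:xacml="http://www.bea.com/ns/weblogic/90/security/xacml"><realm>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>X.509</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xsi:type="xacml:xacml-role-mapperType"/>
<sec:authorizer xsi:type="xacml:xacml-authorizerType"/>
<sec:name>NetPointRealm</sec:name>
</realm><default-realm>NetPointRealm</default-realm></security-configuration>
</domain>"""

if __name__ == "__main__":
    print("\n".join(check_default_realm(SAMPLE)))
```
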