4 Replies Latest reply: Jul 30, 2012 4:00 AM by SOAFusionA

    Issue with External LDAP Configuration in SOA 11.1.1.4

    809104
      Hi,

      I have a requirement to configure an external SunOne LDAP in my 11.1.1.4 implementation.

      I have configured it and am able to hit the LDAP server successfully.

      I have tested it with an OSB Proxy service attached to an OWSM policy.

      The issue is that even though there is a success response from the external LDAP, authentication is failing and I am unable to invoke the OSB Proxy service.

      I am not sure why WebLogic is not taking the success response from the LDAP server.

      Below are the configuration details.

      In Security Realms->myrealm->providers tab

      The already existing DefaultAuthenticator control flag is SUFFICIENT.

      Created a new Authentication provider with control flag SUFFICIENT and type LDAPAuthenticator.

      Tried type IPlanetAuthenticator and OpenLdap also, but still the same issue.

      Below is the order of Authentication providers

      DefaultAuthenticator - (control flag - sufficient )
      DefaultIdentityAsserter
      NewAuthenticator - (control flag - sufficient )

      Below is the success log from the LDAP server.

      conn=74923 op=236 msgId=238 - BIND dn="uid=aaa1216,ou=people,dc=apcm,dc=com" method=128 version=3
      conn=74923 op=236 msgId=238 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=aaa1216,ou=people,dc=apcm,dc=com"

      Below is the error message from the OSB logs.


      ####<Sep 8, 2011 10:15:25 AM MST> <Error> <OSB Security> <02HW8235> <osb_server1> <[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <> <108caf8005cc68f0:76d93e21:13249f4755b:-8000-000000000000002f> <1315502125000> <BEA-387022> <An error ocurred during web service security inbound request processing [error-code: SecurityHeaderUnmarshallingError, message-id: 5704865912453472675-76d93e21.13249f4755b.-7fdc, proxy: LDAPTest/NormalLoanSecureOWSM, operation: null]
      --- Error message:

      oracle.wsm.security.SecurityException: WSM-00008 : Web service authentication failed.
           at oracle.wsm.security.jps.JpsManager.authenticate(JpsManager.java:232)
           at oracle.wsm.security.jps.JpsManager.basicAuthenticate(JpsManager.java:309)
           at oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.receiveRequest(WssUsernameTokenScenarioExecutor.java:152)
           at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:583)
           at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
           at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeSimpleAssertion(WSPolicyRuntimeExecutor.java:666)
           at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.executeAndAssertion(WSPolicyRuntimeExecutor.java:342)
           at oracle.wsm.policyengine.impl.runtime.WSPolicyRuntimeExecutor.execute(WSPolicyRuntimeExecutor.java:289)
           at oracle.wsm.policyengine.impl.PolicyExecutionEngine.execute(PolicyExecutionEngine.java:102)
           at oracle.wsm.agent.WSMAgent.processCommon(WSMAgent.java:937)
           at oracle.wsm.agent.WSMAgent.processRequest(WSMAgent.java:454)
           at oracle.wsm.agent.handler.WSMEngineInvoker.handleRequest(WSMEngineInvoker.java:366)
           at com.bea.wli.sb.security.wss.wsm.WsmInboundHandler.processRequest(WsmInboundHandler.java:150)



      Please advise if I missed anything or configured anything wrongly.

      Thanks a lot.

      Edited by: Rajesh1218 on Sep 8, 2011 9:30 AM
        • 1. Re: Issue with External LDAP Configuration in SOA 11.1.1.4
          Ravi Jegga
          Hi Rajesh
          Try re-ordering your authentication providers so that your custom LDAP authenticator is at the top and is the first one. The thing is, SOA 11.x has a limitation that it looks for the users only in the first authentication provider that it hits. Now the WebLogic console and EM console will work fine even though you have admin users in the default authenticator that is way below at the end. But actual users that connect to the worklist or workspace application can be looked up only in the first provider.

          NewAuthenticator - (control flag - sufficient )
          DefaultAuthenticator - (control flag - sufficient )
          DefaultIdentityAsserter

          This limitation is NOT from the WebLogic side but from the SOA side. In general, WebLogic Server is smart enough to look for a user in all the providers one after another until it finds the user in one of them. Make sure to set SUFFICIENT for all the providers.

          Refer to a post of mine for more details:
          Weblogic administrator account is inactive after enabling DB Authenticator

          Thanks
          Ravi Jegga
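The control-flag behaviour Ravi describes for WebLogic (all providers SUFFICIENT, walked in realm order until one of them authenticates the user) can be checked with a small model of the JAAS control-flag rules. This is an added example, not code from the thread or from Oracle: the provider names are the thread's, but the two constructed users (weblogic in DefaultAuthenticator, aaa1216 in the LDAP provider) and their passwords are assumptions, and it models only the realm's control-flag logic, not the OPSS identity-store limitation he mentions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Provider:
    """One authentication provider in a WebLogic realm (constructed sample data)."""
    name: str
    flag: str                                            # REQUIRED | REQUISITE | SUFFICIENT | OPTIONAL
    users: Dict[str, str] = field(default_factory=dict)  # user -> password

    def login(self, user: str, password: str) -> Optional[bool]:
        """None = user unknown to this provider. WebLogic treats that the same
        as a failed login when the provider's flag is REQUIRED/REQUISITE,
        which is why DefaultAuthenticator must not stay REQUIRED once real
        users live in an external LDAP."""
        if user not in self.users:
            return None
        return self.users[user] == password


def authenticate(chain: List[Provider], user: str,
                 password: str) -> Tuple[bool, Optional[str]]:
    """Walk the chain in realm order under JAAS control-flag rules and return
    (success, name of the provider that authenticated the user)."""
    required_failed = False
    answered_by: Optional[str] = None
    for p in chain:
        ok = p.login(user, password) is True
        if p.flag in ("REQUIRED", "REQUISITE"):
            if ok:
                answered_by = answered_by or p.name
            else:
                required_failed = True
                if p.flag == "REQUISITE":       # REQUISITE failure stops the chain at once
                    return False, None
        elif p.flag == "SUFFICIENT":
            if ok and not required_failed:      # success short-circuits the rest of the chain
                answered_by = answered_by or p.name
                break
        elif p.flag == "OPTIONAL":
            if ok:
                answered_by = answered_by or p.name
        else:
            raise ValueError(f"unknown control flag {p.flag!r} on {p.name}")
    if required_failed:                         # a REQUIRED failure is fatal even if others passed
        return False, None
    return answered_by is not None, answered_by


# Constructed users: the embedded LDAP keeps the admin, the external LDAP the
# application user. Passwords are sample values only.
DEFAULT_USERS = {"weblogic": "welcome1"}
LDAP_USERS = {"aaa1216": "secret"}


def realm(default_flag: str, ldap_flag: str, ldap_first: bool = False) -> List[Provider]:
    """Build the two-provider realm from the thread in either order."""
    default = Provider("DefaultAuthenticator", default_flag, DEFAULT_USERS)
    ldap = Provider("NewAuthenticator", ldap_flag, LDAP_USERS)
    return [ldap, default] if ldap_first else [default, ldap]


if __name__ == "__main__":
    for flags in (("REQUIRED", "SUFFICIENT"), ("SUFFICIENT", "SUFFICIENT")):
        for user, pw in (("weblogic", "welcome1"), ("aaa1216", "secret")):
            print(flags, user, authenticate(realm(*flags), user, pw))
```

Running it shows the trap: with DefaultAuthenticator left at REQUIRED, aaa1216 fails even though the LDAP provider accepted the password, because the embedded LDAP's "user unknown" counts as a REQUIRED failure; with both SUFFICIENT, either order works for both users, and putting the LDAP provider first does not lock out the weblogic admin.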
          • 2. Re: Issue with External LDAP Configuration in SOA 11.1.1.4
            809104
            Hi Ravi,

            Thank you for your immediate response and suggestions. Tried changing the order as per your suggestions and still have the same issue.

            Note: I didn't do any changes in EM Console.

            *1.When type is IPlanetAuthenticator*

            <Sep 8, 2011 2:48:01 PM MST> <Error> <oracle.wsm.resources.security> <WSM-00006> <Error in receiving the request: oracle.wsm.security.SecurityException: WSM-00008 : Web service authentication failed..
            >
            <Sep 8, 2011 2:48:01 PM MST> <Error> <oracle.wsm.resources.enforcement> <WSM-07607> <Failure in execution of assertion {http://schemas.oracle.com/ws/2006/01/securitypolicy}wss-username-token executor class oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.>
            <Sep 8, 2011 2:48:01 PM MST> <Error> <oracle.wsm.resources.enforcement> <WSM-07602> <Failure in WS-Policy Execution due to exception.>
            <Sep 8, 2011 2:48:01 PM MST> <Error> <oracle.wsm.resources.enforcement> <WSM-07501> <Failure in Oracle WSM Agent processRequest, category=security, function=agent.function.service, application=XBus Kernel, composite=null, modelObj=NormalLoanApprovalService, policy=oracle/wss_username_token_service_policy, policyVersion=null, assertionName={http://schemas.oracle.com/ws/2006/01/securitypolicy}wss-username-token.>
            <Sep 8, 2011 2:48:01 PM MST> <Error> <OSB Security> <BEA-387022> <An error ocurred during web service security inbound request processing [error-code: SecurityHeaderUnmarshallingError, message-id: 2720732006073363314-497888fc.1324b01e6d6.-7fdc, proxy: LDAPTest/NormalLoanSecureOWSM, operation: null]
            --- Error message:

            oracle.wsm.security.SecurityException: WSM-00008 : Web service authentication failed.
            at oracle.wsm.security.jps.JpsManager.authenticate(JpsManager.java:232)
            at oracle.wsm.security.jps.JpsManager.basicAuthenticate(JpsManager.java:309)
            at oracle.wsm.security.policy.scenario.executor.WssUsernameTokenScenarioExecutor.receiveRequest(WssUsernameTokenScenarioExecutor.java:152)
            at oracle.wsm.security.policy.scenario.executor.SecurityScenarioExecutor.execute(SecurityScenarioExecutor.java:583)
            at oracle.wsm.policyengine.impl.runtime.AssertionExecutor.execute(AssertionExecutor.java:41)
            Truncated. see log file for complete stacktrace
            Caused By: javax.security.auth.login.LoginException: [Security:090306]Authentication Failed Getting Groups for User 721test3 weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090278]Error listing member groups 721test3
            at oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule.login(JpsUserAuthenticationLoginModule.java:71)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            Truncated. see log file for complete stacktrace
            Caused By: oracle.security.jps.internal.jaas.module.AuthenticationException: [Security:090306]Authentication Failed Getting Groups for User 721test3 weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090278]Error listing member groups 721test3
            at oracle.security.jps.wls.jaas.module.authentication.WlsUserAuthenticator.authenticate(WlsUserAuthenticator.java:61)
            at oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule.login(JpsUserAuthenticationLoginModule.java:62)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            Truncated. see log file for complete stacktrace
            Caused By: javax.security.auth.login.FailedLoginException: [Security:090306]Authentication Failed Getting Groups for User 721test3 weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090278]Error listing member groups 721test3
            at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:306)
            at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
            at java.security.AccessController.doPrivileged(Native Method)
            at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            Truncated. see log file for complete stacktrace

            *2.When type is LDAP Authenticator*

            The Admin Server is not coming up. Below is the error.


            <Sep 8, 2011 2:30:28 PM MST> <Notice> <Log Management> <BEA-170019> <The server log file C:\Oracle\Middleware\home_11gR1\user_projects\domains\base_domain\servers\AdminServer\logs\AdminServer.log is opened. All server side log events will be written to this file.>
            oracle.security.jps.service.idstore.IdentityStoreException: JPS-00056: Failed to create identity store service instance idstore.ldap.provider:idstore.ldap. Reason: oracle.security.jps.JpsRuntimeException: JPS-00027: internal error You configured a generic WLS LDAPAuthenticator.
            The identity store type cannot be determined. Please choose an LDAP Authentication provider that matches your LDAP server.
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getIdStoreConfig(LdapIdentityStoreProvider.java:195)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.access$300(LdapIdentityStoreProvider.java:70)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider$NoLibOvd.getInstance(LdapIdentityStoreProvider.java:242)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:114)
            at oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider.getInstance(LdapIdentityStoreProvider.java:70)
            at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.findServiceInstance(ContextFactoryImpl.java:139)
            at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:170)
            at oracle.security.jps.internal.core.runtime.ContextFactoryImpl.getContext(ContextFactoryImpl.java:191)
            at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:132)
            at oracle.security.jps.internal.core.runtime.JpsContextFactoryImpl.getContext(JpsContextFactoryImpl.java:127)
            at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:798)
            at oracle.security.jps.internal.policystore.PolicyUtil$1.run(PolicyUtil.java:792)
            at java.security.AccessController.doPrivileged(Native Method)
            at oracle.security.jps.internal.policystore.PolicyUtil.getDefaultPolicyStore(PolicyUtil.java:792)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:289)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:282)
            at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:261)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
            at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
            at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
            at java.lang.Class.newInstance0(Class.java:355)
            at java.lang.Class.newInstance(Class.java:308)
            at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1339)
            at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
            at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
            at weblogic.security.SecurityService.start(SecurityService.java:141)
            at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
            at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
            at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
            <Sep 8, 2011 2:30:31 PM MST> <Error> <Security> <BEA-090892> <The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider>
            <Sep 8, 2011 2:30:31 PM MST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
            weblogic.security.SecurityInitializationException: The loading of OPSS java security policy provider failed due to exception, see the exception stack trace or the server log file for root cause. If still see no obvious cause, enable the debug flag -Djava.security.debug=jpspolicy to get more information. Error message: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
            at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadOPSSPolicy(CommonSecurityServiceManagerDelegateImpl.java:1398)
            at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1018)
            at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
            at weblogic.security.SecurityService.start(SecurityService.java:141)
            at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
            Truncated. see log file for complete stacktrace
            Caused By: oracle.security.jps.JpsRuntimeException: oracle.security.jps.JpsException: [PolicyUtil] Exception while getting default policy Provider
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:291)
            at oracle.security.jps.internal.policystore.PolicyDelegationController.<init>(PolicyDelegationController.java:282)
            at oracle.security.jps.internal.policystore.JavaPolicyProvider.<init>(JavaPolicyProvider.java:261)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
            at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)

            Edited by: Rajesh1218 on Sep 8, 2011 11:54 AM
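A WebLogic trace like the ones above reports the OWSM symptom (WSM-00008) at the top and the actual cause at the bottom of the "Caused By:" chain. The following added example (not code from the thread or from Oracle) walks such a trace and returns the innermost code. Its sample log is constructed from the OSB lines posted above, with the third "Caused By:" message deliberately wrapped across two lines the way the paste above was, and its code-to-meaning table contains only the codes that appear in this thread with the wording the log itself gives them.

```python
import re
from typing import List, Tuple

# Codes seen in this thread, with the meaning the log text itself attaches
# to them. Nothing beyond the thread's own messages is claimed here.
KNOWN_CODES = {
    "WSM-00008": "Web service authentication failed (OWSM symptom, not the cause)",
    "Security:090306": "Authentication Failed Getting Groups for User",
    "Security:090278": "Error listing member groups",
    "JPS-00027": "generic WLS LDAPAuthenticator: identity store type cannot be determined",
}

CAUSE_RE = re.compile(r"^Caused By:\s*(.*)$")
CODE_RE = re.compile(r"\b(WSM-\d{5}|JPS-\d{5}|BEA-\d{6}|Security:\d{6})\b")


def cause_chain(log: str) -> List[str]:
    """Exception messages from the outermost exception to the innermost
    'Caused By:'. Parsing starts after '--- Error message:' when that header
    is present; stack frames ('at ...') and 'Truncated.' lines are skipped and
    a message wrapped onto a following line is re-joined to its cause."""
    started = "--- Error message:" not in log
    chain: List[str] = []
    for raw in log.splitlines():
        s = raw.strip()
        if not started:
            started = s == "--- Error message:"
            continue
        if not s or s.startswith("at ") or s.startswith("Truncated."):
            continue
        m = CAUSE_RE.match(s)
        if m:
            chain.append(m.group(1))
        elif chain:
            chain[-1] += " " + s          # continuation of the previous message
        else:
            chain.append(s)               # the outermost exception line
    return chain


def root_cause(log: str) -> Tuple[str, str]:
    """(code, meaning) for the innermost cause. WebLogic nests the delegate's
    code (090278) after the login module's (090306) in the same message, so
    the last known code in the innermost message is the one to act on."""
    chain = cause_chain(log)
    if not chain:
        return "", "no exception message found"
    inner = chain[-1]
    codes = CODE_RE.findall(inner)
    for code in reversed(codes):
        if code in KNOWN_CODES:
            return code, KNOWN_CODES[code]
    return (codes[-1] if codes else ""), inner


# Constructed from the OSB log lines posted in this thread; the third
# 'Caused By:' is deliberately wrapped across two lines.
SAMPLE_LOG = """\
<Sep 8, 2011 2:48:01 PM MST> <Error> <OSB Security> <BEA-387022> <An error ocurred during web service security inbound request processing [error-code: SecurityHeaderUnmarshallingError, proxy: LDAPTest/NormalLoanSecureOWSM, operation: null]
--- Error message:

oracle.wsm.security.SecurityException: WSM-00008 : Web service authentication failed.
    at oracle.wsm.security.jps.JpsManager.authenticate(JpsManager.java:232)
    Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.LoginException: [Security:090306]Authentication Failed Getting Groups for User 721test3 weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090278]Error listing member groups 721test3
    at oracle.security.jps.internal.jaas.module.authentication.JpsUserAuthenticationLoginModule.login(JpsUserAuthenticationLoginModule.java:71)
    Truncated. see log file for complete stacktrace
Caused By: oracle.security.jps.internal.jaas.module.AuthenticationException: [Security:090306]Authentication Failed Getting Groups for User 721test3 weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090278]Error listing member groups 721test3
    at oracle.security.jps.wls.jaas.module.authentication.WlsUserAuthenticator.authenticate(WlsUserAuthenticator.java:61)
Caused By: javax.security.auth.login.FailedLoginException: [Security:090306]Authentication Failed Getting Groups for User 721test3 weblogic.security.providers.authentication.LDAPAtnDelegateException:
 [Security:090278]Error listing member groups 721test3
    at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:306)
    Truncated. see log file for complete stacktrace
"""

if __name__ == "__main__":
    for i, msg in enumerate(cause_chain(SAMPLE_LOG)):
        print(f"[{i}] {msg[:90]}")
    print(root_cause(SAMPLE_LOG))
```

The point of reading the chain bottom-up is that the poster's LDAP provider did not reject the password at all: the innermost frame is LDAPAtnLoginModuleImpl failing on the group lookup, which is where the fix has to go.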
            • 3. Re: Issue with External LDAP Configuration in SOA 11.1.1.4
              skt
              Not sure if the issue has been resolved. However, here are a few guidelines.
              - Always use a type-specific authentication provider. When the directory servers are from Sun/iPlanet, use the iPlanetAuthenticationProvider; if MS Active Directory is used, then configure the ActiveDirectory authn provider in the WLS console.
              - Review the control flag settings for the authn providers. For example, if two providers are present (iPlanetAuthenticator and DefaultAuthenticator), you may have to set both to SUFFICIENT.
              - Whenever the identity store service is used to query user profile information (SOA always does this), the order of the authn providers becomes important.
              - By default, the identity store service can only search one LDAP directory. One resolution is to make the external LDAP provider the first in the list; review this in the WLS console or config.xml.
              - Can you see all the users/groups from all the different LDAPs in the WLS console (Security -> myrealm -> Users and Groups)?
              - If you don't see some users or groups, then either the authn provider search filters are wrong or there could be an access issue, i.e., is there an ACL set on the LDAP server to restrict query capabilities?
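The BIND err=0 line in the original post and the 090278 "Error listing member groups" failure in reply 2 are consistent: a WebLogic LDAP authenticator does more than bind as the user. The added example below (not code from the thread or from WebLogic) simulates that three-step flow against a constructed in-memory directory so the ACL point in skt's last bullet can be seen directly. The base DNs, the bind principal cn=wlsbind,dc=apcm,dc=com, the group entry, the user filter (&(uid=%u)(objectclass=person)) and the static-group filter (&(uniquemember=%M)(objectclass=groupofuniquenames)) are assumptions modelled on the provider's default settings, not values from the poster's environment.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Entry:
    dn: str
    attrs: Dict[str, Set[str]] = field(default_factory=dict)

    def has(self, attr: str, value: str) -> bool:
        """Case-insensitive attribute match, as LDAP does for DNs and objectclass."""
        return value.lower() in {v.lower() for v in self.attrs.get(attr, set())}


class Directory:
    """In-memory stand-in for the directory server: bind plus an ACL-gated
    subtree search. Denied searches raise, like an LDAP insufficientAccessRights
    result, rather than returning an empty result."""

    def __init__(self, entries: List[Entry], passwords: Dict[str, str],
                 acl: Dict[str, Set[str]]):
        self.entries = entries
        self.passwords = passwords    # dn -> password
        self.acl = acl                # bound dn -> base DNs it may search

    def bind(self, dn: str, password: str) -> bool:
        return self.passwords.get(dn) == password

    def search(self, bound_as: str, base: str,
               predicate: Callable[[Entry], bool]) -> List[Entry]:
        if base.lower() not in {b.lower() for b in self.acl.get(bound_as, set())}:
            raise PermissionError(f"{bound_as} may not search {base}")
        return [e for e in self.entries
                if e.dn.lower().endswith(base.lower()) and predicate(e)]


class AuthError(Exception):
    pass


def ldap_authenticate(d: Directory, principal: str, principal_pw: str,
                      user_base: str, group_base: str,
                      uid: str, password: str) -> List[str]:
    """The operations a WebLogic LDAP authenticator performs for one login:
    1. bound as the configured Principal, find the user under User Base DN
    2. bind as the user's own DN to verify the password
    3. bound as the Principal again, list the user's groups under Group Base DN
    Step 2 succeeding (the BIND err=0 in the poster's directory log) says
    nothing about step 3; a failure anywhere fails the whole login."""
    if not d.bind(principal, principal_pw):
        raise AuthError("principal bind failed")
    # Assumed user filter (&(uid=%u)(objectclass=person)); must match exactly one entry.
    users = d.search(principal, user_base,
                     lambda e: e.has("uid", uid) and e.has("objectclass", "person"))
    if len(users) != 1:
        raise AuthError(f"user {uid} not found or ambiguous ({len(users)} matches)")
    user_dn = users[0].dn
    if not d.bind(user_dn, password):
        raise AuthError(f"bad password for {user_dn}")
    # Assumed static-group filter (&(uniquemember=%M)(objectclass=groupofuniquenames)).
    try:
        groups = d.search(principal, group_base,
                          lambda e: e.has("uniquemember", user_dn)
                          and e.has("objectclass", "groupofuniquenames"))
    except PermissionError as exc:
        raise AuthError(f"Error listing member groups {uid}: {exc}") from exc
    return sorted(next(iter(g.attrs["cn"])) for g in groups)


# Constructed directory content modelled on the thread's dc=apcm,dc=com layout.
PEOPLE = "ou=people,dc=apcm,dc=com"
GROUPS = "ou=groups,dc=apcm,dc=com"
USER_DN = f"uid=aaa1216,{PEOPLE}"
PRINCIPAL = "cn=wlsbind,dc=apcm,dc=com"        # assumed WebLogic bind principal
ENTRIES = [
    Entry(USER_DN, {"uid": {"aaa1216"}, "objectclass": {"person"}}),
    Entry(f"cn=loan-approvers,{GROUPS}", {"cn": {"loan-approvers"},
                                          "objectclass": {"groupofuniquenames"},
                                          "uniquemember": {USER_DN}}),
]
PASSWORDS = {USER_DN: "secret", PRINCIPAL: "bindpw"}


def try_login(principal_can_read_groups: bool, password: str = "secret") -> str:
    """Run one login with or without an ACL that lets the principal read ou=groups."""
    readable = {PEOPLE} | ({GROUPS} if principal_can_read_groups else set())
    d = Directory(ENTRIES, PASSWORDS, {PRINCIPAL: readable})
    try:
        return "OK groups=" + ",".join(
            ldap_authenticate(d, PRINCIPAL, "bindpw", PEOPLE, GROUPS, "aaa1216", password))
    except AuthError as exc:
        return f"FAIL {exc}"


if __name__ == "__main__":
    print(try_login(True))              # OK groups=loan-approvers
    print(try_login(False))             # FAIL Error listing member groups aaa1216: ...
```

In the second run the user's own bind still succeeds, which is all the directory-side access log shows, and the login still fails at the group search because the bind principal cannot read ou=groups. Against a real server the equivalent check is an ldapsearch with the provider's group filter, bound as the same principal WebLogic uses, not as a directory administrator.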
              • 4. Re: Issue with External LDAP Configuration in SOA 11.1.1.4
                SOAFusionA
                Try restoring the LDAP; if not, then check the folder and contents of

                $DOMAIN_HOME/config/fmwconfig/ovd/default/adapters.os_xml

                If its size is zero, then try the steps below.

                1) Take a backup of $DOMAIN_HOME/config/fmwconfig/ovd/default/adapters.os_xml

                2) Delete $DOMAIN_HOME/config/fmwconfig/ovd/default/adapters.os_xml

                3) copy adapters.os_xml from $MW_HOME/oracle_common/modules/oracle.ovd_11.1.1/templates/ to $DOMAIN_HOME/config/fmwconfig/ovd/default/

                4) Restart the server.

                If the problem still persists, then look at the contents of the folder
                $DOMAIN_HOME/servers/Adminserver/data/ldap/conf

                and make sure there is no file with size 0; if there is, then rename the file and restart the server.

                Hope it helps

                Regards
                Gourav
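Gourav's steps 1 to 3 and the zero-size file check, as an added Python helper that is not from the thread or from Oracle. It takes $DOMAIN_HOME and $MW_HOME as arguments, never restarts anything (step 4 stays manual), and demo() exercises it against a throwaway directory layout with constructed file contents; the file name example.cfg under data/ldap/conf is a stand-in for whatever files that directory holds, not a real WebLogic file name.

```python
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

# Relative paths from the reply; the caller supplies $DOMAIN_HOME and $MW_HOME.
OVD_ADAPTERS = Path("config/fmwconfig/ovd/default/adapters.os_xml")
OVD_TEMPLATE = Path("oracle_common/modules/oracle.ovd_11.1.1/templates/adapters.os_xml")
EMBEDDED_LDAP_CONF = Path("servers/AdminServer/data/ldap/conf")


def find_empty_files(domain_home: Path) -> List[Path]:
    """Zero-byte files in the two places the reply says to check. Files already
    renamed to *.bak are ignored so a second run after rename_empty() is clean."""
    candidates = [domain_home / OVD_ADAPTERS]
    conf = domain_home / EMBEDDED_LDAP_CONF
    if conf.is_dir():
        candidates += sorted(p for p in conf.rglob("*") if p.is_file())
    return [p for p in candidates
            if p.is_file() and p.suffix != ".bak" and p.stat().st_size == 0]


def restore_adapters(domain_home: Path, mw_home: Path,
                     stamp: Optional[str] = None) -> Path:
    """Steps 1-3: back up the domain's adapters.os_xml, delete it, copy the
    template into place. Returns the backup path. Step 4 (restart) is manual."""
    target = domain_home / OVD_ADAPTERS
    template = mw_home / OVD_TEMPLATE
    if not template.is_file():
        raise FileNotFoundError(template)
    stamp = stamp or time.strftime("%Y%m%d%H%M%S")
    backup = target.with_name(f"{target.name}.{stamp}.bak")
    if target.exists():
        shutil.copy2(target, backup)     # step 1
        target.unlink()                  # step 2
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(template, target)       # step 3
    return backup


def rename_empty(paths: List[Path], suffix: str = ".empty.bak") -> List[Path]:
    """Rename zero-size files out of the way, as the reply suggests for the
    embedded LDAP conf directory. Returns the new paths."""
    renamed = []
    for p in paths:
        new = p.with_name(p.name + suffix)
        p.rename(new)
        renamed.append(new)
    return renamed


def demo() -> Dict[str, object]:
    """Build a throwaway domain/middleware layout and run the whole procedure."""
    with tempfile.TemporaryDirectory() as tmp:
        mw, dom = Path(tmp) / "mw", Path(tmp) / "domain"
        (mw / OVD_TEMPLATE).parent.mkdir(parents=True)
        (mw / OVD_TEMPLATE).write_text("<adapters/>")          # constructed stand-in template
        (dom / OVD_ADAPTERS).parent.mkdir(parents=True)
        (dom / OVD_ADAPTERS).write_bytes(b"")                   # the zero-size symptom
        (dom / EMBEDDED_LDAP_CONF).mkdir(parents=True)
        (dom / EMBEDDED_LDAP_CONF / "example.cfg").write_bytes(b"")  # constructed file name
        empty_before = [p.relative_to(dom).as_posix() for p in find_empty_files(dom)]
        backup = restore_adapters(dom, mw, stamp="test")
        rename_empty(find_empty_files(dom))
        return {
            "empty_before": empty_before,
            "backup_exists": backup.is_file(),
            "adapters_restored": (dom / OVD_ADAPTERS).read_text() == "<adapters/>",
            "empty_after": [p.relative_to(dom).as_posix() for p in find_empty_files(dom)],
        }


if __name__ == "__main__":
    print(demo())
```

Keep the backups: the template adapters.os_xml is a generic one, and any adapter customisations the domain had will need to be re-applied by hand after the restart.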