Sunday, October 23, 2011

Using FMW IdentityStore for your User management

In Fusion Middleware you can use IdentityStore framework to do all your user, role and password management. This IDM and JPS frameworks will give you a lot options which you don't have with the standaard JAAS framework of WebLogic ( you need to create your authentication provider and add a private principal to the subject).  IDM framework works really great with LDAP identity providers like the default WebLogic internal LDAP, OpenLDAP, Oracle Internet Directory ( OID ) or Microsoft Active Directory.
With this you don't need to make your own software to do some user management on a particular LDAP provider, IDM can do it for you and IDM will detect the right LDAP provider. So you just need to implement this and IDM will do all the work.

This is what you can do with IDM.
  • Retrieving and changing LDAP attributes of a user.
  • User management, search, create users in a particular LDAP provider.
  • Role management, search, create etc.
  • Retrieve a username and password from the credential store and use it in your own application.  
I will try to explain the different use cases in this blogpost.

Before we begin, is good to know how the IdentityStore will work with LDAP providers. Default it only works with the internal WebLogic LDAP. If you also want to use AD or OID, then you need to add it to WebLogic authentication provider of the myrealm security realm ( no need to add it to the jps-config.xml located at domain/config/fmwconfig ,this is only necessary when you don't use WebLogic ).
The jps serviceInstance called idstore.ldap can detect all the LDAP providers which are configured in WebLogic.
But when you have more then one LDAP providers then you got two options.
  • Add the virtualize property with value true to the idstore.ldap serviceInstance ( in jps-config.xml located at domain/config/fmwconfig ) . This will switch IDM from WebLogic to Oracle Virtual Directory mode. This will make sure that FMW applications will see all the users and roles. When you use Webcenter or SOA Suite / BPM Human worklist application then you need to add this property when you have more then one LDAP provider. In this OVD mode you can't retrieve the LDAP attributes of a user, OVD did not implement this option. 
  • Re-order the LDAP authentication providers. The first authenticator provider will be used and the other will be ignored, ( WebLogic will still use all it's authenticators for JAAS but FMW will not  ).  That's why in some forums or blogposts talk about re-ordering of the authentications providers. In most cases is setting the virtualize a better approach.  
Let's start with retrieving all the things we know about a user. Here I will retrieve its roles and all the LDAP attributes. ( this will not work with virtualize property on true and only on the first authentication provider )
Using LDAP attributes can be very handy for retrieving particular information which you can use in your application, like location information else you need to create a lot of roles to achieve the same. You can retrieve for example the location attribute and pass this value to the database ( Use it in Virtual Private Database VPD what Larry said it is a false cloud feature :-) ) or use it to disable some region screens.


Here I need to create JpsContext and lookup the IdentityStore. After that I can lookup the User with its UserProfile and retrieve the LDAP attributes by retrieving the PropertySet.


Important to know that these user operations will use the account defined in the authentication provider, there is no check if your normal user should be able to do so. So test this for a possible abuse.


These are the steps to create a new Role in your LDAP repository. Lookup the RoloManager and use the createRole method.




We can also create a user and assign a role to this new user. In this case also need to provide a AD property called samaccountname. After that I can retrieve the UserManager and use the createUser method. Lookup the role and assign to this user.


The last part is about how you can store your passwords in a safe way on the WebLogic Server. Every environment can have its own passwords and this can be managed by your Administrators.


To store a password in the credential store you can use the following wlst script.


start wlst.cmd from oracle_common\common\bin not from the the weblogic server home

connect('weblogic','weblogic1','t3://localhost:7101')
createCred(map="JPS",key="AD_ldap",user="CN=Administrator,CN=Users,DC=alfa,DC=local",password="Welcome02" ,desc="Windows LDAP user")
exit()


To allow FMW to retrieve this password I need to give the authenticated role some permissions on this map.

Open the jazn-data.xml of your FMW application, lookup the authenticated role and add the following entries
oracle.security.jps.service.credstore.CredentialAccessPermission with read permission for context=SYSTEM,mapName=JPS,keyName=AD_ldap.

Somehow I also need to do this for mapName=j2ee-app#V2.0. The WebLogic will provide some logging to say what you are missing.

And here the code to retrieve it.


You can download my sample application at github https://github.com/biemond/jdev11g_examples/tree/master/ADFSecurity

3 comments:

  1. Use the grantPermission() wlst command instead of directly editing the policy store file. This will ensure that the store gets updated correctly. Note that the policy store is in system-jazn-data.xml only in out of the box cases. If 'reassociation' is performed then the store could be in Oracle DB or OID.
    Similarly, instead of editing jps-config.xml directly, use Fusion Middleware Control (EM) and navigate to Security->Configuration->Identity Store and mark the checkbox.

    ReplyDelete
  2. This comment has been removed by a blog administrator.

    ReplyDelete
  3. This comment has been removed by a blog administrator.

    ReplyDelete