Monthly Archive: November 2009

Steps to use userconfig file and userkey file

First, create the user config file and the key file with the following WLST command (alternatively, the WebLogic Admin utility can be used to create the user config files).

storeUserConfig('C:/bea922/user_projects/domains/config-file', 'C:/bea922/user_projects/domains/keyfile')

You can connect to the Node Manager using the userKeyFile and userConfigFile:
nmConnect(userConfigFile='C:/bea922/user_projects/domains/config-file', userKeyFile='C:/bea922/user_projects/domains/keyfile', host='10.10.71.79', port='5556', domainName='SAML_SOURCE', domainDir='C:/bea922/user_projects/domains/SAML_SOURCE', nmType='plain')

Similarly, you can connect to the server:
connect(userConfigFile='C:/bea922/user_projects/domains/config-file', userKeyFile='C:/bea922/user_projects/domains/keyfile', url='t3://10.10.71.79:7001')
Note: I have tested this in WLS 9.2.

The username and password stored in the config files can be read from Java code in the following way.

import weblogic.security.UserConfigFileManager;
import weblogic.security.UsernameAndPassword;

public class ReadUserConfig {
    public static void main(String[] args) throws Exception {
        // Decrypt the credentials stored in the config file using the key file;
        // "weblogic.management" is the config type written by storeUserConfig.
        UsernameAndPassword usernameAndPassword = UserConfigFileManager.getUsernameAndPassword(
                "C:/bea922/user_projects/domains/config-file",
                "C:/bea922/user_projects/domains/keyfile",
                "weblogic.management");

        String username = new String(usernameAndPassword.getUsername());
        String password = new String(usernameAndPassword.getPassword());
        System.out.println("Read credentials for user: " + username);
    }
}

Registering Custom MBeans with Weblogic Server

Example.java

package jmxMbeans;

// MBean implementation; the class name must be the interface name without the "MBean" suffix
public class Example implements ExampleMBean {

    public void sayHello(String str) {
        System.out.println("Hello " + str + "!");
    }

}

ExampleMBean.java

package jmxMbeans;

// Standard MBean management interface exposed through JMX
public interface ExampleMBean {

    void sayHello(String name);

}

Index.jsp

<%@ page import="javax.management.MBeanServer"%>
<%@ page import="javax.management.ObjectName"%>
<%@ page import="javax.naming.Context"%>
<%@ page import="javax.naming.InitialContext"%>
<%@ page import="java.util.Hashtable"%>
<%@ page import="jmxMbeans.ExampleMBean"%>
<%@ page import="jmxMbeans.Example"%>

<html>
<body>
<p>Registering MBeans.</p>
<%
    Example ex = new Example();
    MBeanServer mbeanServer = null;

    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.SECURITY_PRINCIPAL, "weblogic");
    env.put(Context.SECURITY_CREDENTIALS, "weblogic");
    InitialContext ic = new InitialContext(env);

    // Runtime MBean Server of the local server instance
    mbeanServer = (MBeanServer) ic.lookup("java:comp/env/jmx/runtime");

    String MBEAN_OBJECT_NAME = "jmxMbeans:Name=Example,Type=ExampleMBean";
    registerMBean(mbeanServer, MBEAN_OBJECT_NAME, ex);
    unregisterMBean(mbeanServer, MBEAN_OBJECT_NAME);
%>

<%!
    void registerMBean(MBeanServer server, String mbeanObjectName, Object obj) {
        ObjectName objectName = null;
        try {
            objectName = new ObjectName(mbeanObjectName);
            server.registerMBean(obj, objectName);
            System.out.println("MBean registered: " + objectName);
        } catch (Exception e) {
            System.out.println("Error registering MBean " + objectName);
            e.printStackTrace();
        }
    }

    void unregisterMBean(MBeanServer server, String mbeanObjectName) {
        ObjectName objectName = null;
        try {
            objectName = new ObjectName(mbeanObjectName);
            server.unregisterMBean(objectName);
            System.out.println("MBean unregistered: " + objectName);
        } catch (Exception e) {
            System.out.println("Error unregistering MBean " + objectName);
            e.printStackTrace();
        }
    }
%>
</body>
</html>


Invoking the Custom MBean

test.jsp

<%@ page import="javax.management.MBeanServer"%>
<%@ page import="javax.management.ObjectName"%>
<%@ page import="javax.naming.Context"%>
<%@ page import="javax.naming.InitialContext"%>
<%@ page import="java.util.Hashtable"%>
<%
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    env.put(Context.SECURITY_PRINCIPAL, "weblogic");
    env.put(Context.SECURITY_CREDENTIALS, "weblogic");
    InitialContext ctx = new InitialContext(env);

    try {
        String MBEAN_OBJECT_NAME = "jmxMbeans:Name=Example,Type=ExampleMBean";
        MBeanServer server = (MBeanServer) ctx.lookup("java:comp/env/jmx/runtime");
        ObjectName objName = new ObjectName(MBEAN_OBJECT_NAME);
        // Invoke sayHello(String); the signature array selects the operation overload
        Object[] params = new Object[] {"Faisal"};
        String[] sigs = new String[] {"java.lang.String"};
        server.invoke(objName, "sayHello", params, sigs);
    } catch (Exception e) {
        e.printStackTrace();
    } finally {
        ctx.close();
    }
%>

Plan.xml usage for Message Driven Bean

This post illustrates the use of plan.xml to override settings of a Message Driven Bean application dynamically.

Administrators use deployment plans to easily change an application’s WebLogic Server configuration for a specific environment without modifying existing Java EE or WebLogic-specific deployment descriptors. Multiple deployment plans can be used to reconfigure a single application for deployment to multiple, differing WebLogic Server environments.

In the plan.xml we will override the provider-url value specified in the weblogic-ejb-jar.xml file.

Steps to be followed:-

1:- Create an MDB listening to the queue, with the provider-url specified in the weblogic-ejb-jar.xml file.

2:- Generate the plan.xml file using weblogic.PlanGenerator.

Ex:- java weblogic.PlanGenerator D:\TestApp\TestMDB.jar -configurables

Once the plan.xml file is generated, we can override the value for the provider-url as below.

<variable>
    <name>MessageDrivenDescriptor_ProviderUrl_125717420773411</name>
    <value>t3://localhost:7001</value>
</variable>

After overriding the value in the plan.xml, run the weblogic.Deployer command to deploy the application, specifying the deployment plan as below.

java weblogic.Deployer -adminurl t3://localhost:7001 -user weblogic -password weblogic -deploy -name TestAPP -source D:\TestAPP.ear -targets AdminServer -stage -plan D:\plan.xml

This overrides the provider-url dynamically, without manually editing the weblogic-ejb-jar.xml.

Hope this post is helpful for those who would like to use the same archive files for different environments, overcoming the tedious job of manually editing the deployment descriptors.

I have uploaded the sample application as well for further references.

http://www.4shared.com/file/161924469/59a49461/Planxml-Usage.html

References:-

http://download.oracle.com/docs/cd/E13222_01/wls/docs90/deployment/wlplangenerator.html

Cheers,

Wonders Team. 🙂

Configuring SQUID

Last night I had to replicate an issue which involved configuring SQUID on a Windows environment. I had to look for the installer, and then check out the configuration steps.
I needed a very basic setup, just to proxy the Client requests to the Server.
I found a few very useful links, and also the configuration steps.
After going through them, this is what I did.

Unzipped the installer and kept in C:\squid
Renamed mime.conf.default to mime.conf, squid.conf.default to squid.conf and cachemgr.conf.default to cachemgr.conf
Created cache directory under c:\squid\var.
Ran C:\squid\sbin\squid -z to create swap directories.
In the squid.conf specified the following
http_port 3128
htcp_port 4827
icp_port 3130

Ran C:\squid\sbin\squid.exe and it started listening on port 3128.
I needed to configure Squid to listen over SSL.
I created the key and certificate from the following steps.

openssl genrsa -des3 -out server.key 1024
openssl req -config ..\conf\openssl.cnf -new -key server.key -out localhost
openssl x509 -req -days 730 -in localhost -signkey server.key -out server.crt

Converted the certificate to PEM using java utils.der2pem server.der
And specifying the following in the squid.conf
https_port 3129 cert=C:\squid\server.pem key=C:\squid\server.key
Ran C:\squid\sbin\squid.exe and it started listening on port 3129.
For those who are completely new to SQUID, an introduction follows:-
Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process.

Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests. It supports SSL, extensive access controls, and full request logging. By using the lightweight Internet Cache Protocol, Squid caches can be arranged in a hierarchy or mesh for additional bandwidth savings.

Squid consists of a main server program squid, a Domain Name System lookup program dnsserver, some optional programs for rewriting requests and performing authentication, and some management and client tools. When squid starts up, it spawns a configurable number of dnsserver processes, each of which can perform a single, blocking Domain Name System (DNS) lookup. This reduces the amount of time the cache waits for DNS lookups.

This web caching software works on a variety of platforms including Linux, FreeBSD, and Windows. Squid was created by Duane Wessels.

References:-

1. http://squid.acmeconsulting.it/
2. http://www.visolve.com/squid/squid30/network.php#https_port
3. http://www.my-proxy.com/content/proxy-tools/squid-proxy-server-software-tutorial.html
4. http://www.visolve.com/squid/Squid_tutorial.php

Configuring Kerberos with Weblogic Server

Details

Domain Name: BEATEST.COM
Domain Controller Name: BEAAD (This machine runs Active Directory)
WL Server Machine Name: beaiis (This machine runs Weblogic server).

For BEAAD:-

Username : beauser
Password :

For beaiis :-

Username : beaiis
Password : Secure04

Steps on Domain Controller (BEAAD)

1) Create a user beawin in Active Directory. Go to User Properties > Account and, under Account Options, select "Use DES encryption types for this account". After this, reset the password for this user.

2) Set the Service Principal Name.

setspn -a HTTP/beaiis.BEATEST.COM beawin

3) Test the service principal name.

setspn -L beawin

4) Generate a keytab using ktab.

ktab -k beawin.keytab -a beawin@BEATEST.COM

5) Test the keytab file.

klist -k beawin.keytab

Note: klist is a JDK utility.

6) Copy the generated keytab file (beawin.keytab) to the domain directory of WebLogic:
D:\bea922\user_projects\domains\Kerberos_New

7) Place the krb5.ini file in the C:\winnt folder. The content of the file is shown later in the document.

Steps on Machine Hosting Weblogic Server (beaiis)

1) Set the environment and run the kinit utility

java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t D:\bea922\user_projects\domains\Kerberos_New\beawin.keytab beawin@BEATEST.COM

This should generate a new Kerberos key and place it in the user's home folder.

2) Make sure you have all the parameters correctly set in

C:\WinNT\krb5.ini

krb5.ini

[libdefaults]
default_realm = BEATEST.COM
kdc_timesync = 1
ccache_type = 4
ticket_lifetime = 600
clockskew = 1200

[realms]
BEATEST.COM = {
kdc = 192.168.1.1
admin_server = BEAAD
default_domain = BEATEST.COM
}

[domain_realm]
.beatest.com = BEATEST.COM

[appdefaults]
autologin = true
forward = true
forwardable = true
encrypt = true

3) Create a krb5login.conf file with the following entries in your domain directory D:\bea922\user_projects\domains\Kerberos_New

krb5login.conf

com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="beawin@BEATEST.COM" useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
};
com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    principal="beawin@BEATEST.COM" useKeyTab=true
    keyTab=beawin.keytab storeKey=true debug=false;
};

4) Add the following parameters in the startup script startweblogic.cmd

-Djava.security.auth.login.config=krb5login.conf -Djavax.security.auth.useSubjectCredsOnly=false -Dweblogic.security.enableNegotiate=true

5) Configure NegotiateIdentityAsserter from the console

Home > Summary of Security Realms > myrealm > Providers > Authentication >
Create new NegotiateIdentityAsserter

Leave the default Active Types
Under Provider Specific, uncheck Form Based Negotiation Enabled

Activate the changes and restart the server.

6) Create a user beawin in WebLogic Server.

7) Deploy the web application.

Web.xml

<web-app>
    <display-name>SEC81</display-name>
    <security-constraint>
        <display-name>Security Constraint for SSO</display-name>
        <web-resource-collection>
            <web-resource-name>My webapp</web-resource-name>
            <description>Group of Users</description>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SSOrole</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-role>
        <description>Role description</description>
        <role-name>SSOrole</role-name>
    </security-role>
</web-app>

Weblogic.xml

<weblogic-web-app>
    <security-role-assignment>
        <role-name>SSOrole</role-name>
        <principal-name>beawin</principal-name>
    </security-role-assignment>
</weblogic-web-app>

8) Deploy the web app in WebLogic.
9) Start the WebLogic server.

Configuring Internet Explorer

NOTE: THESE STEPS NEED TO BE DONE ON EACH CLIENT MACHINE THAT BROWSES THE PROTECTED WEB APPLICATION

1. Go to Tools -> Internet Options.
2. Select the "Security" tab.
3. Click on the "Local Intranet" icon. This will enable the "Sites" button.
4. Click the "Sites" button. This will show a "Local Intranet" popup.
5. Make sure the "Include all local (intranet) sites not listed in other zones" option is selected (Windows XP only).
6. Click on the "Advanced" button. In the new popup window, add the URL for the machine hosting WebLogic.
7. Click OK to save your settings.
8. In the "Security" tab, click the "Custom Level" button.
9. In the "Security Settings" dialog, under the "User Authentication" section, make sure the "Automatic logon only in Intranet zone" option is selected.
10. Click OK to save your settings.
11. Go to the "Connections" tab -> LAN Settings.
12. If you have a proxy server enabled, click on the "Advanced" button. Make sure you add the URL for the machine hosting WebLogic in the "Exceptions" box.
13. In the "Internet Options -> Advanced" tab, make sure the "Enable Integrated Windows Authentication (requires restart)" option is checked. Click "OK". (If this option was not selected previously, you need to close all browser instances for the setting to take effect.)

Configuring Dynamic LDAP Groups with IPlanetAuthenticator on Weblogic Server

iPlanet LDAP Server implements dynamic LDAP groups with the objectclass groupOfURLs. A groupOfURLs entry can have multiple memberURL attributes, each consisting of an LDAP URL that enumerates a set of objects in the directory. The members of the group are the union of these sets.

In the example below, the TestDynamic group has a single memberURL attribute:

memberURL ldap:///dc=oracle,dc=com??sub?(&(objectclass=person)(description=dynUser))

All users having the description as dynUser belong to this group.
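As an added example (not from the original post), the following Python evaluates which entries a groupOfURLs memberURL enumerates, so an administrator can audit dynamic membership offline: it parses the LDAP URL into base, scope and filter, evaluates the filter over a small constructed directory, and takes the union over all memberURL values. Because membership is derived from attribute values, anyone allowed to write description on a user entry can place that user in the group. The filter parser handles only equality, &, | and !, and DNs are compared as plain strings; both are simplifying assumptions of this example.

```python
from urllib.parse import unquote
def parse_ldap_url(url):
    """Split 'ldap://host/base?attrs?scope?filter' (RFC 4516 layout) into a dict."""
    fields = ((url.split("/", 3) + [""])[3].split("?") + [""] * 3)[:4]
    base, _attrs, scope, flt = (unquote(f) for f in fields)
    return {"base": base, "scope": scope.lower() or "base", "filter": flt or "(objectclass=*)"}

def parse_filter(s):
    """Parse a simple LDAP filter (=, &, |, !; no escapes) into a tuple tree."""
    def node(i):
        assert s[i] == "(", "filter item must start with '('"
        op = s[i + 1]
        if op in "&|!":
            kids, i = [], i + 2
            while s[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            return (op, kids), i + 1                      # skip the closing ')'
        end = s.index(")", i)
        attr, _, val = s[i + 1:end].partition("=")
        return ("=", attr.lower(), val), end + 1
    return node(0)[0]

def matches(tree, entry):
    # Evaluate a filter tree against an entry {attr: [values]}, case-insensitively.
    if tree[0] == "=":
        vals = [v.lower() for v in entry.get(tree[1], [])]
        return bool(vals) if tree[2] == "*" else tree[2].lower() in vals
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    return (all if tree[0] == "&" else any)(matches(k, entry) for k in tree[1])

def in_scope(dn, base, scope):
    # Naive DN suffix test (no RDN normalisation); handles base and sub scope only.
    dn, base = dn.lower(), base.lower()
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def dynamic_members(member_urls, directory):
    """Union of the entry sets enumerated by each memberURL of a groupOfURLs."""
    members = set()
    for u in map(parse_ldap_url, member_urls):
        flt = parse_filter(u["filter"])
        members |= {dn for dn, e in directory.items()
                    if in_scope(dn, u["base"], u["scope"]) and matches(flt, e)}
    return members

DIRECTORY = {  # constructed sample entries; attribute names are lowercased
    "uid=faisal,ou=People,dc=oracle,dc=com": {"objectclass": ["top", "person"], "description": ["dynUser"]},
    "uid=alice,ou=People,dc=oracle,dc=com": {"objectclass": ["top", "person"]},
    "cn=printer1,ou=Devices,dc=oracle,dc=com": {"objectclass": ["top", "device"], "description": ["dynUser"]},
}
MEMBER_URL = "ldap:///dc=oracle,dc=com??sub?(&(objectclass=person)(description=dynUser))"
```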

In this article we will learn to configure WebLogic Server with an iPlanet Authenticator for dynamic LDAP groups.

Create a User in the iPlanet Server.

uid=faisal,ou=People,dc=oracle,dc=com

Go to Advanced Properties of the user.

Click on Add Attribute and select description

Give the description as dynUser and click OK.

Create a Group

cn=TestDynamic,ou=Groups,dc=oracle,dc=com

Select Members, Dynamic Members, click Add
Give the following ldap url
ldap:///dc=oracle,dc=com??sub?(&(objectclass=person)(description=dynUser))
Click Test

Create an iPlanetAuthenticator on Weblogic Server

Under Provider Specific

Principal: uid=faisal,ou=People,dc=oracle,dc=com
Host: localhost
Port: 500 (the port at which your LDAP server is running)
User Base DN: ou=People,dc=oracle,dc=com
Group Base DN: ou=Groups,dc=oracle,dc=com
Credential: password

Leave the others as default.
The iPlanet Authenticator's default settings already determine dynamic group membership.

Restart the server, go to the Security Realm and click on the Users tab.

Check the groups faisal belongs to.

Dynamic membership is successfully determined by WebLogic Server.

References

http://docs.sun.com/app/docs/doc/820-5704/bhact?a=view