Monthly Archive: December 2009

Create Active Directory Authentication Provider from WLST

connect('weblogic','weblogic','t3://localhost:7001')
edit()
startEdit(-1,-1,'false')
cmo.getSecurityConfiguration().getDefaultRealm().createAuthenticationProvider('ADAuthenticator', 'weblogic.security.providers.authentication.ActiveDirectoryAuthenticator')
cmo.getSecurityConfiguration().getDefaultRealm().lookupAuthenticationProvider('ADAuthenticator').setControlFlag('OPTIONAL')
cd('/SecurityConfiguration')
cd('base_domain')
cd('Realms/myrealm/AuthenticationProviders')
cd('ADAuthenticator')
cmo.setGroupBaseDN('CN=Users,DC=faisal,DC=bea,DC=com')
cmo.setUserBaseDN('CN=Users,DC=faisal,DC=bea,DC=com')
cmo.setAllGroupsFilter('(objectclass=group)')
cmo.setPrincipal('CN=Administrator,CN=Users,DC=faisal,DC=bea,DC=com')
cmo.setCredential('Passw0rd')
cmo.setPort(389)
cmo.setHost('localhost')
save()
activate()

BASIC Authentication with Apache

Create user.txt with the username and password separated by a colon

user.txt
testuser:testuser

Then use htpasswd to replace the plaintext password with its MD5 hash

Apache2\bin>htpasswd.exe -b user.txt testuser testuser
Automatically using MD5 format.
Updating password for user testuser

Add the following in the httpd.conf file present in C:\Program Files\Apache Group\Apache2\bin

LoadModule weblogic_module modules/mod_wl128_20.so

<Location />
SetHandler weblogic-handler
WebLogicHost localhost
WebLogicPort 7001
Debug ALL
WLLogFile c:/muthu/wlproxy.log
WLTempDir c:/muthu
AuthUserFile C:/muthu/user.txt
AuthName "This is a protected area"
AuthType Basic
Require valid-user
</Location>

Also copy WL_HOME\server\plugin\win\32\mod_wl_22.so to C:\Program Files\Apache Group\Apache2\modules

Restart the Apache Server.

Now when we try to access any resource on Weblogic Server through Apache, even one that Weblogic itself leaves unprotected, a BASIC authentication window pops up and the credentials are checked against Apache.

If authentication succeeds, the request is passed through to Weblogic, provided we set the following in config.xml:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

Otherwise Weblogic Server will also try to validate the BASIC authentication header against its own security realm.

Updating invalidation-interval-secs Using Plan.xml

This article describes the use of plan.xml to update deployment descriptors on the fly.
In this example we will update the value of invalidation-interval-secs from 90 seconds to 30 seconds using plan.xml.

invalidation-interval-secs

Sets the time, in seconds, that WebLogic Server waits between doing house-cleaning checks for timed-out and invalid sessions, and deleting the old sessions and freeing up memory. Use this element to tune WebLogic Server for best performance on high traffic sites.
The default value is 60 seconds.

Our weblogic.xml looks like this

<?xml version="1.0" encoding="ISO-8859-1"?>

<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">

<security-role-assignment>
<role-name>admin</role-name>
<principal-name>weblogic</principal-name>
</security-role-assignment>

<session-descriptor>
<invalidation-interval-secs>90</invalidation-interval-secs>
</session-descriptor>

</weblogic-web-app>

And our plan.xml looks like this

<?xml version='1.0' encoding='UTF-8'?>
<deployment-plan xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-deployment-plan.xsd" global-variables="false">

<application-name>SessionApp</application-name> <!-- Change this line to your web application name -->
<variable-definition>
<variable>
<name>SessionInvalidationInt</name>
<value>30</value>
</variable>
</variable-definition>

<module-override>
<module-name>SessionApp</module-name> <!-- Change this line to your web application name -->
<module-type>war</module-type>
<module-descriptor external="true">
<root-element>weblogic-web-app</root-element> <!-- session-descriptor lives in weblogic.xml, not web.xml -->
<uri>WEB-INF/weblogic.xml</uri>
<variable-assignment>
<name>SessionInvalidationInt</name>
<xpath>/weblogic-web-app/session-descriptor/invalidation-interval-secs</xpath>
</variable-assignment>
</module-descriptor>
</module-override>
<config-root>D:\Replications</config-root> <!-- Change this line to the directory where you placed plan.xml -->
</deployment-plan>

These are the steps that we need to follow to update our application.
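Added example, not from the original post: a small Python model of what Weblogic does with the plan at deploy time, resolving each variable-assignment's xpath in the descriptor and substituting the variable's value. The weblogic.xml and plan.xml samples are constructed inline and assume the plan targets WEB-INF/weblogic.xml, where session-descriptor lives:

```python
import xml.etree.ElementTree as ET

# Constructed samples shaped like the post's weblogic.xml and plan.xml.
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <session-descriptor><invalidation-interval-secs>90</invalidation-interval-secs></session-descriptor>
</weblogic-web-app>"""
PLAN_XML = """<deployment-plan xmlns="http://www.bea.com/ns/weblogic/90">
  <variable-definition>
    <variable><name>SessionInvalidationInt</name><value>30</value></variable>
  </variable-definition>
  <module-override><module-descriptor><uri>WEB-INF/weblogic.xml</uri>
    <variable-assignment><name>SessionInvalidationInt</name>
      <xpath>/weblogic-web-app/session-descriptor/invalidation-interval-secs</xpath>
    </variable-assignment>
  </module-descriptor></module-override>
</deployment-plan>"""
INTERVAL_XPATH = "/weblogic-web-app/session-descriptor/invalidation-interval-secs"

def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]      # drop the {namespace} part of a tag

def _child(node, name: str):
    return next((c for c in node if _local(c.tag) == name), None)

def _find(root, xpath: str):
    """Resolve an absolute, namespace-agnostic plan xpath such as /a/b/c."""
    parts = xpath.strip("/").split("/")
    node = root if _local(root.tag) == parts[0] else None
    for part in parts[1:]:
        node = _child(node, part) if node is not None else None
    return node

def apply_plan(descriptor_xml: str, plan_xml: str) -> str:
    """Set each variable-assignment's xpath target to the variable's value."""
    plan = ET.fromstring(plan_xml)
    values = {_child(v, "name").text: _child(v, "value").text
              for v in plan.iter() if _local(v.tag) == "variable"}
    root = ET.fromstring(descriptor_xml)
    for va in (e for e in plan.iter() if _local(e.tag) == "variable-assignment"):
        target = _find(root, _child(va, "xpath").text)
        if target is None:
            raise ValueError(f"xpath not found in descriptor: {_child(va, 'xpath').text}")
        target.text = values[_child(va, "name").text]
    return ET.tostring(root, encoding="unicode")

def invalidation_interval(descriptor_xml: str) -> int:
    return int(_find(ET.fromstring(descriptor_xml), INTERVAL_XPATH).text)
```

A wrong xpath raises instead of silently leaving the descriptor unchanged, which is the failure mode to watch for when a plan's root-element or uri does not match the descriptor it is meant to override.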

References:-

http://download.oracle.com/docs/cd/E11035_01/wls100/webapp/weblogic_xml.html

Resetting Admin UserName And Password in Weblogic Server 11g

Step 1 – Set the environment

C:\Oracle\Middleware\user_projects\domains\FirstDomain\bin>setDomainEnv.cmd

Step 2 – Create a new Admin Account

C:\Oracle\Middleware\user_projects\domains\FirstDomain>java weblogic.security.utils.AdminAccount faisal faisal123 .

Note: Don't forget to add a dot (.) at the end.

Step 3 – Verify the creation of a new DefaultAuthenticatorInit.ldift file.

C:\Oracle\Middleware\user_projects\domains\FirstDomain>dir
Volume in drive C has no label.
Volume Serial Number is ECEA-2BF5

Directory of C:\Oracle\Middleware\user_projects\domains\FirstDomain

11/29/2010  10:27 AM    <DIR>          .
11/29/2010  10:27 AM    <DIR>          ..
10/27/2010  10:56 AM    <DIR>          autodeploy
10/27/2010  10:56 AM    <DIR>          bin
10/27/2010  10:56 AM    <DIR>          config
10/27/2010  10:56 AM    <DIR>          console-ext
11/29/2010  10:27 AM             3,380 DefaultAuthenticatorInit.ldift
10/29/2010  12:25 PM               156 edit.lok
10/27/2010  10:56 AM               472 fileRealm.properties
10/27/2010  10:56 AM    <DIR>          init-info
10/27/2010  10:56 AM    <DIR>          lib
10/29/2010  12:25 PM    <DIR>          pending
10/27/2010  10:56 AM    <DIR>          security
10/29/2010  12:11 PM    <DIR>          servers
10/27/2010  10:56 AM               318 startWebLogic.cmd
10/27/2010  10:56 AM               270 startWebLogic.sh
10/29/2010  12:25 PM    <DIR>          tmp
5 File(s)          4,596 bytes
12 Dir(s)  47,722,737,664 bytes free
You will see a DefaultAuthenticatorInit.ldift in the domain directory

Step 4 - Use the new DefaultAuthenticatorInit.ldift

Go to the following location

C:\Oracle\Middleware\user_projects\domains\FirstDomain\security

Rename the existing DefaultAuthenticatorInit.ldift and place the DefaultAuthenticatorInit.ldift file that we just created in this directory.

Step 5 - Rename the ldap directory

Now go to the following location.

C:\Oracle\Middleware\user_projects\domains\FirstDomain\servers\AdminServer\data

Rename the ldap directory to something else.

Note:- This will delete all your existing users/groups, so it is recommended to export the security realm data, or export the users, first.

Step 6 - Delete the boot.properties file

Delete the boot.properties file from the following location

C:\Oracle\Middleware\user_projects\domains\FirstDomain\servers\AdminServer\security

Step 7 - Start your Weblogic Server using startWebLogic.cmd and provide the credentials at the prompt.
Enter username to boot WebLogic server:faisal
Enter password to boot WebLogic server:

Step 8 - Log in to the Weblogic Console using the new admin user.

If you still face issues feel free to post a comment, and we will be glad to help.

Use specific SSL protocol version with Weblogic Server.

If we want the Weblogic Server to use only a specific protocol version of SSL, we can do it with the command line options below.
-Dweblogic.security.SSL.protocolVersion=SSL3 - only SSL V3.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=TLS1 - only TLS V1.0 messages are sent and accepted.
-Dweblogic.security.SSL.protocolVersion=ALL - this is the default behavior.

We can test it by using openssl.
In my test I enabled TLS1, and below is the result when connecting with openssl:

openssl s_client -connect 10.10.71.79:543 -tls1
Loading 'screen' into random state - done
CONNECTED(00000788)
depth=0 /CN=Fabrizio
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=Fabrizio
verify return:1

Certificate chain
0 s:/CN=Fabrizio
i:/CN=Fabrizio

Server certificate

subject=/CN=Fabrizio
issuer=/CN=Fabrizio

No client certificate CA names sent

SSL handshake has read 544 bytes and written 268 bytes

New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 630E00003F6152564FEFD2A802ACBD561898F759F1B5FF7A7C4E41D264C6F061
Session-ID-ctx:
Master-Key: 51D181CBE700DA9CDAD8EFBBC8340F95F871ABCAB533A5BFACC4EF6F36C6707A
CF26F4CE59BB5DFC005753F1620F7388
Key-Arg : None
Start Time: 1245761507
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)

Weblogic Server accepted connections only over TLS1.

References:-

1. http://download.oracle.com/docs/cd/E13222_01/wls/docs92/secmanage/ssl.html

How to Restrict Key Size Larger than 128 bit on Weblogic Server

To rule out key sizes larger than 128 bits, we need to select only those cipher suites in the configuration which use a 128-bit (or smaller) key.

Sample config:-

<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
<hostname-verification-ignored>true</hostname-verification-ignored>
<listen-port>7002</listen-port>
<server-private-key-alias>xxxxxxx </server-private-key-alias>
<server-private-key-pass-phrase-encrypted>xxxxxx</server-private-key-pass-phrase-encrypted>
</ssl>

List of cipher suites supported by Weblogic Server:

Cipher Suite                          Symmetric Key Strength (bits)
TLS_RSA_WITH_RC4_128_SHA              128
TLS_RSA_WITH_RC4_128_MD5              128
TLS_RSA_WITH_DES_CBC_SHA              56
TLS_RSA_EXPORT_WITH_RC4_40_MD5        40
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA     40
TLS_RSA_WITH_3DES_EDE_CBC_SHA         112
TLS_RSA_WITH_NULL_SHA                 0
TLS_RSA_WITH_NULL_MD5                 0
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA   56
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA    56
TLS_RSA_WITH_AES_128_CBC_SHA          128
TLS_RSA_WITH_AES_256_CBC_SHA          256
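Added example (not from the original post): a check of an <ssl> fragment like the one above against the 128-bit limit, deriving each suite's symmetric key strength from its name using the values in the table; the sample config is constructed inline and the parsing assumes Weblogic's TLS_<keyexchange>_WITH_<cipher>_<mac> naming:

```python
import re
import xml.etree.ElementTree as ET

# Symmetric cipher token of a suite name -> key strength in bits (post's table).
_STRENGTH = {"NULL": 0, "RC4_40": 40, "DES40_CBC": 40, "DES_CBC": 56,
             "RC4_56": 56, "3DES_EDE_CBC": 112, "RC4_128": 128,
             "AES_128_CBC": 128, "AES_256_CBC": 256}

# Constructed sample in the shape of the post's <ssl> fragment.
SAMPLE_SSL_CONFIG = """<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
<listen-port>7002</listen-port>
</ssl>"""

def suite_strength(name: str) -> int:
    """Derive the symmetric key strength from a TLS_<kx>_WITH_<cipher>_<mac> name."""
    m = re.fullmatch(r"TLS_\w+?_WITH_(.+)_(SHA\d*|MD5)", name)
    if not m or m.group(1) not in _STRENGTH:
        raise ValueError(f"unknown cipher suite: {name}")
    return _STRENGTH[m.group(1)]

def check_ssl_config(xml_text: str, max_bits: int = 128) -> dict:
    """Map each configured suite to (strength, allowed under max_bits)."""
    root = ET.fromstring(xml_text)
    result = {}
    for cs in root.iter("ciphersuite"):
        name = cs.text.strip()
        bits = suite_strength(name)
        result[name] = (bits, bits <= max_bits)
    return result
```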

In the past I have seen that AES_256 does not work until we download the Unlimited Strength Jurisdiction Policy jars from SUN.

Download JCE_policy_1.5_0.zip
Extract it into JRE/lib/security/
Replace the existing local_policy.jar and US_export_policy.jar there.

This helps in getting rid of "Cipher Suite not initialized" errors.

Reference:-

1) http://download.oracle.com/docs/cd/E11035_01/wls100/secintro/concepts.html#wp1123076