Monthly Archive: April 2010

Site Minder Weblogic Server Integration

In this article I will provide the steps to install and configure SiteMinder Policy Server to secure resources on WebLogic Server. You must have the necessary SiteMinder installers along with the other prerequisites:

nete-ps-6.0-win32.exe (Site Minder Policy Server)
nete-wls81-asa-2.0-win32.exe (Site Minder Application Server Agent for WLS 8.1)
nete-wa-6.0-win32.exe   (Site Minder Web Agent)

SUN JDK (j2re-1_4_1_02-windows-i586-i.exe)
Microsoft IIS 5.0/6.0
Sun One Directory Server d51sp4diu.zip
Apache Webserver (apache_2.0.59-win32-x86-openssl-0.9.7j.msi)

I installed all the software on the same box, with Apache running on port 8080, IIS on 80 and the Sun LDAP Server on 400.

To install Sun One Directory Server, follow the steps mentioned in the post below.

http://weblogic-wonders.com/weblogic/2010/04/10/installing-sun-one-ldap-server/

Install the SiteMinder Policy Server following the screenshots in the post below.

http://weblogic-wonders.com/weblogic/2010/04/11/installing-site-minder-policy-server-6-0/

Remember the encryption key that you provide at the time of installation.

After installing the SiteMinder Policy Server, log in to the Netegrity Policy Server User Interface at the following URL with the user name SiteMinder and the super user password.

http://localhost/siteminder

Go to System Configuration, click Host Conf Objects and create a duplicate of DefaultHostSettings.

Name the new host conf object as MyHostSettings.
Select the “#PolicyServer” parameter in the Configuration Values list box, click Edit, and remove the leading # from “PolicyServer”. Change the value from “,44441,44442,44443” to “localhost,44441,44442,44443” so that it points at the actual Policy Server address.

Go to System > System Configuration > Agents, right-click and select Create Agent. Name the new agent “MyAgent”, check “Support 4.x agents” and enter the following data:
Description:   WebLogic Application Server Agent
IP Address:    localhost
Shared Secret: Same as Policy Server Encryption Key

Right-click on System > System Configuration > Agent Conf Objects > ApacheDefaultSettings and select Duplicate Configuration Object. Name the new Agent Conf Object “WebLogicAgentSettings”. Remove

LDAP Authentication on JBoss

This post demonstrates a sample configuration of JBoss Server authenticating users against an LDAP server.

Steps:

1. Install OpenDS Directory Server.

2. Import the following LDIF file. It creates one user (uid=faisal) and one group (cn=domainAdmin) whose member attribute lists that user; the group's cn becomes the role name JBoss sees.

***********************************

base.ldif

dn: ou=People,dc=bea,dc=com
objectclass: top
objectclass: organizationalUnit
ou: People

dn: uid=faisal,ou=People,dc=bea,dc=com
objectclass: top
objectclass: uidObject
objectclass: person
uid: faisal
cn: Java Duke
sn: Duke
userPassword: faisal

dn: ou=Roles,dc=bea,dc=com
objectclass: top
objectclass: organizationalUnit
ou: Roles

dn: cn=domainAdmin,ou=Roles,dc=bea,dc=com
objectclass: top
objectclass: groupOfNames
cn: domainAdmin
member: uid=faisal,ou=People,dc=bea,dc=com
description: the domainAdmin group

***********************************

3. Edit the Application Deployment Descriptor (web.xml)

In web.xml, secure the resource with a security-constraint. The role-name must match the cn of the LDAP group exactly (role names are case-sensitive).

***********************************

web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>HtmlAdaptor</web-resource-name>
    <description>An example security config that only allows users with the
      role domainAdmin to access the HTML JMX console web application
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <!-- must equal the cn of the group in base.ldif -->
    <role-name>domainAdmin</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <!-- BASIC sends the password base64-encoded on every request; front it with HTTPS -->
  <auth-method>BASIC</auth-method>
  <realm-name>JBoss JMX Console</realm-name>
</login-config>

<security-role>
  <role-name>domainAdmin</role-name>
</security-role>

***********************************

4. In jboss-web.xml, bind the application to the security domain that step 5 defines.

jboss-web.xml

***********************************

<jboss-web>
  <security-domain>java:/jaas/SecureApp</security-domain>
</jboss-web>

***********************************

5. Specify the LDAP Login Module.

In $JBOSS_HOME/server/<server-profile>/conf/login-config.xml, add the application policy for the SecureApp domain.

***********************************

<application-policy name="SecureApp">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
      <!-- JNDI LDAP provider and server. A simple bind sends the password in
           clear text over ldap://, so use ldaps:// (or StartTLS) outside a lab. -->
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://192.168.96.80:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- The bind DN is prefix + user name + suffix, e.g.
           uid=faisal,ou=People,dc=bea,dc=com -->
      <module-option name="principalDNPrefix">uid=</module-option>
      <module-option name="principalDNSuffix">,ou=People,dc=bea,dc=com</module-option>
      <!-- Roles come from entries under rolesCtxDN whose member attribute holds
           the full user DN; the role name is read from the cn attribute. -->
      <module-option name="rolesCtxDN">ou=Roles,dc=bea,dc=com</module-option>
      <module-option name="uidAttributeID">member</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
    </login-module>
  </authentication>
</application-policy>

***********************************

6. Test the application.

Deploy the application by placing it in the deploy folder and access it.
A BASIC authentication prompt appears.

Log in as faisal/faisal!
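As an added illustration (not code from the post or from JBoss), this Python script replays what the LdapLoginModule of step 5 does against the base.ldif of step 2: it builds the bind DN from principalDNPrefix/principalDNSuffix, checks the password, searches rolesCtxDN for group entries whose member attribute holds the user DN, and returns their cn values as roles; the final function is the web.xml auth-constraint check. The in-memory dictionary and tiny LDIF parser are stand-ins for a real directory server.

```python
# Constructed, cut-down copy of the page's base.ldif: only the user and the
# group entry matter to the login module (the two ou containers are omitted).
BASE_LDIF = """\
dn: uid=faisal,ou=People,dc=bea,dc=com
objectclass: person
uid: faisal
userPassword: faisal

dn: cn=DomainAdmin,ou=Roles,dc=bea,dc=com
objectclass: groupOfNames
cn: domainAdmin
member: uid=faisal,ou=People,dc=bea,dc=com
"""
# The module-options from the page's login-config.xml (matchOnUserDN=true:
# the group's member values are compared against the full user DN).
OPTS = {"principalDNPrefix": "uid=", "principalDNSuffix": ",ou=People,dc=bea,dc=com",
        "rolesCtxDN": "ou=Roles,dc=bea,dc=com", "uidAttributeID": "member",
        "roleAttributeID": "cn"}

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr: [values]}}. DNs and attribute names
    are lower-cased because LDAP compares them case-insensitively."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0].lower()] = attrs
    return entries

def ldap_login(directory, username, password, opts=OPTS):
    """Mimic LdapLoginModule: bind as prefix+username+suffix, then collect the
    roleAttributeID of rolesCtxDN entries listing the user DN. None = bind failed."""
    user_dn = opts["principalDNPrefix"] + username + opts["principalDNSuffix"]
    entry = directory.get(user_dn.lower())
    # A real server checks the (hashed) userPassword; this stand-in stores it plain.
    if entry is None or password not in entry.get("userpassword", []):
        return None
    roles, ctx = [], "," + opts["rolesCtxDN"].lower()
    for dn, attrs in directory.items():
        members = [m.lower() for m in attrs.get(opts["uidAttributeID"].lower(), [])]
        if dn.endswith(ctx) and user_dn.lower() in members:
            roles.extend(attrs.get(opts["roleAttributeID"].lower(), []))
    return roles

def is_authorized(directory, username, password, required_role):
    """web.xml auth-constraint: role-name must equal a returned role exactly."""
    roles = ldap_login(directory, username, password)
    return roles is not None and required_role in roles
```

Note that the role value is the cn attribute as stored ("domainAdmin"), so an auth-constraint naming "my-domainAdmin" denies the same user.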

Cheers,

Wonders Team. 🙂