Recently I had to configure two way
SSL authentication to the worklist, validating the client certificate with one
saved in the Ldap.
To do this is necessary to configure
the LdapX509Asserter and the LdapAuthenticator. I put all the instructions I
had to follow to complete this configuration.
Create PKS12
Have or create the bundle with the
certificates necessaries in pks12 format (also called pfx or just p12) to add
to Weblogic
You need to add to the bundle the
server certificate and the private key.
openssl
pkcs12 -name alias -export -in mycert.crt -inkey mykey.key > server.p12
Create KeyStores
Weblogic saves all the certificates
in two keystores
- TrusKeyStore: Save here all the CAs
- IdentityKeyStore: Save here all the certificates and
private keys
Create empty
TrustKeyStore
keytool
-genkey -alias TrustAlias -keyalg RSA -keystore TrustKeyStore.jks
Import the certificates to the
keystores
Importar CA a TrustKeyStore
keytool
-importcert -file my-ca-file.crt-keystore TrustKeyStore.jks -storepass
TrustKeyStorePassPhrase
Import pk12 bundle to IdentityStore
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcalias alias -destkeystore IdentityKeyStore.jks -deststoretype jks -deststorepass password -destalias alias
See [2] for Common SSL commands.
Weblogic Configuration
Transport
Follow instructions in [1] in "Transport" section.
- Enable "SSL Listener Port" in server General
tab.
- Configure the identity and trust keystores. Sever ->
Configuration -> KeyStores. Select "Custom Identity and Java
Standard Trust", configure all values.
- Specify the certificate to use for weblogic using the
alias of the certificate used in the IdentityKeyStore. Go to Server ->
Configuration -> SSL, configure the alias and the password of
IdentityKeyStore
- Configure Weblogic to "Two way Client Cer Behavior"
Sever -> Configuration -> SSL -> Advanced, choose
"Client Cert Requested and Enforced"
Authentication
Follow instruction to configure LdapX509Asserter [
3].
- Configure the ldap connection data
- User name attribute in LDAP
- User filter attributes, the fields to match between the certificate and the LDAP entry. (check the certificate metadata and your ldap
Follow instruction to configure LdapAuthenticator [
4]
- Configure the ldap connection
- Configure the user section
- Configure the group section
(Read this article [
1], it is very helpful to understand about authenticators and asserters)
The configuration of the asserter and the authenticator is not hard You need to know the data to connect to the LDAP and the information to identify the user
About those instructions there are
couple of important things
- It's important to know that the IdentityAsserters needs
to work with the Authenticators. So it's necessary to configure
first the LdapX509Asserter and next the LdapAuthenticator.
- Make sure to "reorder" the asserters and
authenticator in your realm. Put them in the order you want they be
executed. (Security Realms -> your realm -> Providers -> Reorder)
- If you have more than one Authenticator configure the
flag "Control Flag" to "SUFFICENT" in "all" the authenticators.
- In the LdapX509Authenticator there is a field to
configure where is the certificate. It could be
"usercertificate" or "usercertificate;binary". I got a
problem because my ldap browser shows me the field as
"usercertificate;binary" but after testing i had to change it to
"usercertificate".
Configure Custom Authenticator
Besides the configuration in the
console of the LdapAuthenticator, you have change the property "idstore.type"
in the jps-config.xml.
You can change it manually in
jps-config.xml [5], or using the Enterprise Manager going to,
Farm -> Weblogic Domain, right click on your domain, Security ->
Security Provider Configuration. In the section "Identity Store
Provider" click on "Configure" add the property
"idstore.type" according with your provider
The possible values are OID ,
OVD , IPLANET , ACTIVE_DIRECTORY , EDIRECTORY , OPEN_LDAP
[6]
Update Https port in Human Task
For any already deployed workflow task detail applications, change the workflow task display URL to use the correct protocol and port number.
Go to the enterprise manager and open the afected composite. In the "Component Metrics" section click over the human task, "administration" tab, and update the https port [
9]
Debug
There two things you could do to
debug.
- Activate the logger of the Authenticators. Go to Server
-> Debug. Activate the logger weblogic->security->atn->DebugSecurityAtn.
(This is very useful) [7]
- Use the next flags -Dssl.debug=true
-Dweblogic.StdoutDebugEnabled=true -Dweblogic.security.SSL.verbose=true
[8]
Test
To test that your
LdapX509Asserter is working install the client certificates on your browser and
open the worklist on the ssl port.
The browser it's going
to show you the list of certificates that you could use to
authenticate. If the certificate validates against the server and is
equals to the one in the ldap you are inside the worklist.
Thanks!
References
- Configure LdapAuthenticator https://docs.oracle.com/middleware/1213/wls/SECMG/ldap_atn.htm#SECMG175
- Configure custom authenticators http://docs.oracle.com/cd/E28280_01/core.1111/e10043/idstoreadm.htm#JISEC9738
- Supported LDAPhttp://docs.tpu.ru/docs/oracle/en/fmw/11.1.1.6.0/core.1111/e10043/devauthn.htm
- Troubleshooting with authenticators https://docs.oracle.com/cd/E24628_01/doc.121/e36415/sec_troubleshoot.htm#EMSEC12981
- SSL TroubleShooting and Debugging https://blogs.oracle.com/WebLogicServer/entry/ssl_troubleshooting_and_debugg
- Managing the URI of the Human Task. http://docs.oracle.com/cd/E23943_01/admin.1111/e10226/hwf_mang.htm#SOAAG3757
