Thursday, January 7, 2016

Soa Worklist Authentication with LdapX509Asserter


Recently I had to configure two-way SSL authentication for the worklist, validating the client certificate against the one stored in LDAP.

To do this it is necessary to configure the LdapX509Asserter and the LdapAuthenticator. Below are all the instructions I had to follow to complete this configuration.

Create the PKCS12 bundle

Have or create the bundle with the necessary certificates in PKCS12 format (also called pfx or just p12) to add to Weblogic.

You need to add the server certificate and its private key to the bundle.

     openssl pkcs12 -name alias -export -in mycert.crt -inkey mykey.key -out server.p12

Create the KeyStores
Weblogic keeps all the certificates in two keystores:
  • TrustKeyStore: store all the CAs here
  • IdentityKeyStore: store all the certificates and private keys here

Create the TrustKeyStore (keytool cannot create an empty keystore; generating a placeholder key pair creates the file, and that alias can be removed afterwards with keytool -delete)
     keytool -genkey -alias TrustAlias -keyalg RSA -keystore TrustKeyStore.jks

Import the certificates into the keystores

Import the CA into the TrustKeyStore
     keytool -importcert -file my-ca-file.crt -keystore TrustKeyStore.jks -storepass TrustKeyStorePassPhrase

Import the PKCS12 bundle into the IdentityKeyStore
     keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcalias alias -destkeystore IdentityKeyStore.jks -deststoretype jks -deststorepass password -destalias alias

See [2] for Common SSL commands. 

Weblogic Configuration

Transport
Follow the instructions in the "Transport" section of [1].
  1. Enable "SSL Listen Port" in the server's General tab.
  2. Configure the identity and trust keystores: Server -> Configuration -> Keystores. Select "Custom Identity and Java Standard Trust" and fill in all the values.
  3. Specify the certificate Weblogic will use, by the alias of the certificate stored in the IdentityKeyStore. Go to Server -> Configuration -> SSL and configure the alias and the password of the IdentityKeyStore.
  4. Configure Weblogic's "Two Way Client Cert Behavior": Server -> Configuration -> SSL -> Advanced, choose "Client Certs Requested and Enforced".
Authentication

Follow the instructions to configure the LdapX509Asserter [3].
  • Configure the LDAP connection data
  • The user name attribute in LDAP
  • The user filter attributes, i.e. the fields to match between the certificate and the LDAP entry (check the certificate metadata and your LDAP)


Follow the instructions to configure the LdapAuthenticator [4].
  • Configure the LDAP connection
  • Configure the user section
  • Configure the group section


(Read article [1]; it is very helpful for understanding authenticators and asserters.)

The configuration of the asserter and the authenticator is not hard. You need to know the data to connect to the LDAP and the information that identifies the user.

About those instructions there are a couple of important things:
  1. Identity asserters need to work together with authenticators, so it is necessary to configure the LdapX509Asserter first and the LdapAuthenticator next.
  2. Make sure to "reorder" the asserters and authenticators in your realm. Put them in the order you want them to be executed (Security Realms -> your realm -> Providers -> Reorder).
  3. If you have more than one authenticator, set the "Control Flag" to "SUFFICIENT" in "all" the authenticators.
  4. In the LdapX509Asserter there is a field that configures where the certificate is stored. It can be "usercertificate" or "usercertificate;binary". I had a problem because my LDAP browser showed me the field as "usercertificate;binary", but after testing I had to change it to "usercertificate".
Configure Custom Authenticator
Besides the configuration of the LdapAuthenticator in the console, you also have to change the property "idstore.type" in jps-config.xml.

You can change it manually in jps-config.xml [5], or use the Enterprise Manager: go to Farm -> Weblogic Domain, right-click on your domain, Security -> Security Provider Configuration. In the "Identity Store Provider" section click on "Configure" and add the property "idstore.type" according to your provider.

The possible values are OID, OVD, IPLANET, ACTIVE_DIRECTORY, EDIRECTORY, OPEN_LDAP [6].

Update Https port in Human Task

For any already deployed workflow task detail applications, change the workflow task display URL to use the correct protocol and port number.

Go to the Enterprise Manager and open the affected composite. In the "Component Metrics" section click on the human task, open the "Administration" tab, and update the HTTPS port [9].


Debug
There are two things you can do to debug:
  1. Activate the logger of the authenticators. Go to Server -> Debug and activate the logger weblogic -> security -> atn -> DebugSecurityAtn. (This is very useful.) [7]
  2. Start the server with the flags -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Dweblogic.security.SSL.verbose=true [8]
Test
To test that your LdapX509Asserter is working, install the client certificates in your browser and open the worklist on the SSL port.

The browser will show you the list of certificates you can use to authenticate. If the certificate validates against the server and matches the one in the LDAP entry, you are inside the worklist.
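As a command-line complement to the browser test (a constructed example added here, not part of the original post), the script below checks from the shell whether the certificate stored in the user's LDAP entry is byte-for-byte the one the browser will present, which is what the asserter's "usercertificate" / "usercertificate;binary" lookup depends on, and prints the subject attributes the user filter can map onto the entry. It assumes openssl and ldapsearch are installed; the LDAP URL, the DN and the file names are placeholders.

```shell
#!/bin/sh
# Constructed pre-flight check for the LdapX509Asserter (not from the post):
# does the certificate in the user's LDAP entry match the client certificate
# the browser will send, and which subject attributes can the user filter
# map onto the entry? Needs openssl; the live lookup also needs ldapsearch.
# LDAP_URL, the DN and the file names are placeholders.

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:..."
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Pull the base64 value of userCertificate;binary (or userCertificate) out of
# an LDIF dump, joining LDIF continuation lines (leading space), and write the
# DER-decoded certificate as PEM to the file named in $2.
ldif_cert_to_pem() {
    awk '
        /^[^ ]/ && grab { exit }                      # next attribute starts
        tolower($0) ~ /^usercertificate(;binary)?:: / { sub(/^[^:]*:: */, ""); grab = 1 }
        grab { sub(/^ /, ""); printf "%s", $0 }       # join wrapped base64
    ' "$1" | openssl base64 -d -A | openssl x509 -inform DER -out "$2"
}

# Same certificate in both files? (exit status 0 = match)
certs_match() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Subject attributes (RFC 2253 form) the asserter's user filter can match on
subject_attrs() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Usage: check_cert.sh client.pem "uid=alice,ou=people,dc=example,dc=com"
main() {
    ldif=$(mktemp)
    # Read only the certificate attribute of that one entry (anonymous bind assumed)
    ldapsearch -x -LLL -H "${LDAP_URL:-ldap://ldap.example.com}" \
        -b "$2" -s base 'usercertificate;binary' > "$ldif"
    ldif_cert_to_pem "$ldif" "$ldif.pem"
    echo "client subject: $(subject_attrs "$1")"
    if certs_match "$1" "$ldif.pem"; then
        echo "MATCH: the LDAP entry holds the presented certificate"
    else
        echo "MISMATCH: the asserter will reject this user"; exit 2
    fi
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

A MISMATCH here with a certificate the browser accepts usually means the entry holds an older certificate for the same subject, which the browser test alone does not distinguish from a filter problem.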

Thanks!

References

  3. Configuring an LDAP X509 Identity Assertion Provider https://docs.oracle.com/cd/E13222_01/wls/docs81/secmanage/providers.html#1197612
  4. Configure LdapAuthenticator https://docs.oracle.com/middleware/1213/wls/SECMG/ldap_atn.htm#SECMG175
  5. Configure custom authenticators http://docs.oracle.com/cd/E28280_01/core.1111/e10043/idstoreadm.htm#JISEC9738
  6. Supported LDAP http://docs.tpu.ru/docs/oracle/en/fmw/11.1.1.6.0/core.1111/e10043/devauthn.htm
  7. Troubleshooting with authenticators https://docs.oracle.com/cd/E24628_01/doc.121/e36415/sec_troubleshoot.htm#EMSEC12981
  8. SSL Troubleshooting and Debugging https://blogs.oracle.com/WebLogicServer/entry/ssl_troubleshooting_and_debugg
  9. Managing the URI of the Human Task http://docs.oracle.com/cd/E23943_01/admin.1111/e10226/hwf_mang.htm#SOAAG3757
