Global Trust Between WebLogic Domains?

Hi there,
Need clarification on "Global Trust between WebLogic domains".
My scenario:
WebLogic version installed: 10.3.5.0
Linux physical machines: 2
     x-machine
     y-machine
Now, I've created a new domain with AdminServer and 2 managed servers on x-machine, and 2 more managed servers on y-machine.
     x-machine --> AdminServer + 2 managed servers
     y-machine --> 2 managed servers
Created a cluster for all the 4 managed servers.
My question: Though we have created 2 domains -
     Domain 1 - on x-machine where we have Admin + 2 nodes
     Domain 2 - on y-machine where we have 2 nodes
Now, do we need to create/enable "Global trust" between these domains for them to communicate? And enable cross-domain security also? Is this required?
Or in which situations do we need to enable trust between domains?
Can someone explain this to me?
Thanks

Looking at this Oracle doc: http://docs.oracle.com/cd/E24329_01/web.1211/e24375/basics.htm#BRDGE128
"Typical tasks required to manage a messaging bridge using the Administration Console include
Creating a trusted security relationship. See "Configuring Domains for Inter-Domain Transactions" in Programming JTA for Oracle WebLogic Server"
And, clicking the link to Configuring Domains for Inter-Domain Transactions, there are two types of communication:
Inter-domain—The transaction communication is between servers participating in transactions that are not in the same domain.
Intra-domain—The transaction communication is between servers participating in transactions within the same domain
Check the rest of the doc to learn how to configure each type, and apply the one that matches your case.
Hope it helps
Regards,
Mohab

Similar Messages

  • Enabling Trust Between WebLogic Server Domains

    Hi everyone,
    We have two sites, each one running one WL 8.1 instance. The problem is that we have different users in each one, and they need to access both sites (using a RMI call).
    When the user is created in both sites, there is no problem. But we do not want to replicate all users in all sites.
    So this is what we are trying to do:
    Create the user in one site and enable trust between Weblogic Server domains (giving both sites the same password), so once one user is authenticated, the other site will not try to authenticate this user again. But since this user does not exist in the other site, he has no permission to do anything at all. Because of that we receive the following error message: "User a7ax does not have permission on br to perform lookup operation."
    Does anyone have any idea about how we can handle this, and enable the users to use other sites, without creating the user in both sites?
    Thanks in advance.
    Cesar

    In order to debug this issue you need to determine which kind of security has been applied on the web service deployed on remote weblogic server.
    Does it require a username/password from the calling web service?
    Or does it require some kind of digital certificate from the calling web service, etc.?
    The most usual scenario where cross-domain security is required is this:
    A user, Test, calls a service, ServiceA, on WebLogic domain DomainA, provides credentials and is authenticated properly.
    If this service then needs to call another service, ServiceB, on another WebLogic domain, DomainB, which is also secured, then cross-domain trust should be enabled between DomainA and DomainB so that the subject populated in DomainA can be transferred to DomainB.
    Now you should determine whether this is the scenario you are trying to achieve or it is something else.
    Also try to use the following debug flag in the DomainB where the provider service is deployed to get the exact reason why it is failing to verify the security check.
    -Dweblogic.DebugSecurityAtn=true
    This debug flag is enabled as JAVA_OPTIONS.
    Thanks,
    Sandeep

  • How to create Trust between two domain

    How to create Trust between two domain:
    please help

    Hi,
    By default, two-way, transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain using the Active Directory Installation Wizard. The two default trust types are defined in the following table. However, there are many other types of AD trust; please refer to the following KB to determine which type you need:
    Trust types
    http://technet.microsoft.com/en-us/library/cc775736%28v=ws.10%29.aspx
    More related KB:
    Creating Domain and Forest Trusts
    http://technet.microsoft.com/en-us/library/cc740018(WS.10).aspx
    The related third-party article:
    How to configure Forest Level Trust in Windows Server
    http://blogs.interfacett.com/how-to-configure-forest-level-trust-in-windows-server
    Hope this helps.

  • No authentication prompt using DFS links to fileserver into another domain with no trusts between both domains

    Users, fileservers and the DFS root with DFS links in Domain A all work fine.
    Each user from Domain A also has credentials and a password in Domain B.
    There is NO trust between Domain A and Domain B; both domains are in different sites connected by a VPN tunnel.
    Project data is stored on fileservers in both domains. Now DFS links have been added in Domain A to a fileserver in Domain B.
    When a user from Domain A connects to the fileserver in Domain B first, he/she gets a prompt to authenticate, and then the DFS link to the fileserver in Domain B works.
    When users just use the DFS link they get a prompt "not accessible" + "Logon failure unknown user or bad password".
    No prompt is given to users from Domain A to enter the credentials for Domain B.
    We cannot create a trust between these 2 domains due to other policies.

    Hi,
    According to your description, there is no trust between domain A and domain B, right?
    Based on my research, if there is no trust between domains/forests, then it is not possible to share information across domain boundaries, because without trust, no authentication traffic can be passed across domain/forest.
    That is why the user cannot access the file he has rights to access across domain.
    Here is an article below for your references:
    Trust Technologies
    http://technet.microsoft.com/en-us/library/cc759554(v=WS.10).aspx
    I hope this helps.
    Amy Wang

  • A trust between wls domains disables weblogic account

    Hi,
    I have a foreign jndi provider between two wls servers , the first is 10.3 and the second which has a foreign jndi provider to the first is 10.3.1
    I enabled Cross Domain Security Enabled and put the same password weblogic on these domains
    In 10.3.1 the user weblogic has weblogic1 as password.
    The 10.3.1 app works perfectly with the ejb's on 10.3 server
    but after a while I get this error User weblogic in security realm myrealm has had 5 invalid login attempts, locking account for 30 minutes.
    thanks Edwin

    Hi
    I already changed all password ( domain and weblogic account ) to weblogic1. but without results

  • Moving SP2013 and SQL2008R2 to new domain - no trusts between domain

    Hello,
    I'm looking to move a customized installation of SharePoint 2013 (Microsoft server 2012 std VM) and its db (SQL 2008 r2 VM) from one domain to another domain. There will be no trust between the domains and assume that no users or service accounts will be migrated. Has anyone performed a similar operation? If so, can you provide guidance as to the best way to tackle this situation. Currently we plan on exporting the SP2013 VM from the old domain, importing (re-creating) that VM in the new domain and importing the DB to an existing SQL server in the new domain. My concern is being able to log in to Central Admin afterwards because the domain accounts are no longer valid. Should we change all accounts to local admins first, detach the db and change those accounts as well? Or would a totally different approach make more sense? Any help would be appreciated.
    Thanks in advance, 
    Alex

    You need to build a new SharePoint farm, changing SharePoint server's domain membership isn't supported.
    What you'll do is build a new farm, create the Web Application(s), etc. and then restore SQL database backups from the old farm into the new farm.
    Trevor Seward

  • Do I need to enable trust between domains in the following scenario

    I have a domain x and domain y on 2 separate machines. My client logs into domain x, does stuff and logs out. The same client now logs into domain y and needs to do stuff, but the second domain kicks out the client by throwing an exception saying "invalid subject" etc. But the same scenario works if I enable trust between both domains or have my client restart. What should I do so that the client can log out of domain x and log in to domain y without having to enable trust between domain x and y and without having to restart the client?
    Thanks
    Prashanth

    Hi Mike,
    there is no switching circuitry on the UMI, that could disable the Iso Power outputs and there is nothing you need to configure in MAX. If you can't measure a voltage between Iso Power and Iso Common pins on the Dsub outputs, the UMI might be defective (e. g. blown fuse). Please contact your local NI branch for repair options.
    Thanks and kind regards,
    Jochen

  • Problem creating external trust between domains

    Hello,
    When I try to create a one-way incoming external trust between 2 domains (to DomainA from DomainB) in separate forests I get this info:
    This domain already has a one-way trust relationship with specified domain.
    But I cannot see it on the list of trusts either incoming or outgoing (in both domains).
    For sure trust was never set up before.
    In DomainA there are several other external non-transitive trusts with other domains. But for sure DomainB does not have any incoming or outgoing trusts on the list. Name resolution between domains is OK. I can ping the domain name on both sides.
    Any help is welcome.
    Darek.

    Hi,
    Were there error events logged in Event Viewer? Besides, did we open necessary firewall ports for creating external trust?
    Regarding firewall ports, the following thread can be referred to for more information.
    Creating external trust between domain on different forest
    http://social.technet.microsoft.com/Forums/en-US/efe56730-ff95-4d6b-b95c-fc2c01ebd2d3/creating-external-trust-between-domain-on-different-forest?forum=winserverDS
    Best regards,
    Frank Shen

  • Global Trust

    Can anybody tell me the uses of global trust in WebLogic and how to configure it between domains?

    Enable global trust between domains
    Before you begin
    Read Enabling Global Trust
    When this feature is enabled, identity is passed between WebLogic Server domains over an RMI connection without requiring authentication in the second domain. When inter-domain trust is enabled, transactions can commit across domains. A trust relationship is established when the Domain Credential for one domain matches the Domain Credential for another domain.
    By default, the Domain Credential is randomly generated and therefore, no two domains will have the same Domain Credential. If you want two WebLogic Server domains to interoperate, you need to replace the generated credential with a credential you select, and set the same credential in each of the domains.
    Instead of enabling global trust between domains, consider using the CrossDomainConnector role, as described in Enable Cross Domain Security between domains.
    1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
    2. In the left pane, click the name of the domain.
    3. Select Security > General. Scroll down and click Advanced.
    4. Enter a password for the domain in the Credential text field. Choose the password carefully. Oracle Systems recommends using a combination of upper and lower case letters and numbers.
    5. Click Save.
    6. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
    Not all changes take effect immediately—some require a restart (see Use the Change Center).
    After you finish
    Perform the same procedure in each domain for which you want to enable global trust.
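
An added example, not part of the original posts or of Oracle's documentation: a small Python audit of `config.xml` that answers two questions raised on this page, whether two servers belong to the same domain at all (the x-machine/y-machine cluster in the first question) and whether cross-domain security, the alternative recommended above, is switched on in each domain. The sample files are constructed, and the element names `cross-domain-security-enabled` and `credential-encrypted` are assumed to match your release's `config.xml`.

```python
import xml.etree.ElementTree as ET

NS = {"wls": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample: ONE domain whose servers sit on two machines, as in the
# first question on this page. All names and values are made up.
DOMAIN1 = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>domain1</name>
  <security-configuration>
    <name>domain1</name>
    <credential-encrypted>{AES}CONSTRUCTED-PLACEHOLDER-1</credential-encrypted>
  </security-configuration>
  <server><name>AdminServer</name><machine>x-machine</machine></server>
  <server><name>ms1</name><machine>x-machine</machine></server>
  <server><name>ms2</name><machine>x-machine</machine></server>
  <server><name>ms3</name><machine>y-machine</machine></server>
  <server><name>ms4</name><machine>y-machine</machine></server>
</domain>"""

# Constructed sample: a second, separate domain with cross-domain security on.
DOMAIN2 = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>domain2</name>
  <security-configuration>
    <name>domain2</name>
    <credential-encrypted>{AES}CONSTRUCTED-PLACEHOLDER-2</credential-encrypted>
    <cross-domain-security-enabled>true</cross-domain-security-enabled>
  </security-configuration>
  <server><name>AdminServer</name></server>
</domain>"""


def _text(node, path, default=""):
    """Text of a direct child element, or the default when it is absent."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else default


def audit_domain(config_xml):
    """Summarise the trust-relevant settings of one domain's config.xml."""
    root = ET.fromstring(config_xml)
    sec = root.find("wls:security-configuration", NS)
    servers = {
        _text(srv, "wls:name"): _text(srv, "wls:machine", "(no machine)")
        for srv in root.findall("wls:server", NS)
    }
    flag = "false"  # an absent element is treated as "not enabled"
    has_credential = False
    if sec is not None:
        flag = _text(sec, "wls:cross-domain-security-enabled", "false")
        # The stored value is encrypted per domain, so two config.xml files
        # cannot be compared to see whether the credentials match; only
        # presence is reported here.
        has_credential = _text(sec, "wls:credential-encrypted") != ""
    return {
        "domain": _text(root, "wls:name"),
        "servers": servers,
        "cross_domain_security": flag.lower() == "true",
        "has_credential": has_credential,
    }


def classify(audit_a, server_a, audit_b, server_b):
    """Label a server-to-server link as intra-domain or inter-domain."""
    for audit, server in ((audit_a, server_a), (audit_b, server_b)):
        if server not in audit["servers"]:
            raise KeyError(f"{server} is not defined in {audit['domain']}")
    # Assumption: the domain name identifies the domain in this inventory.
    same = audit_a["domain"] == audit_b["domain"]
    return "intra-domain" if same else "inter-domain"


def cross_domain_ready(audit_a, audit_b):
    """True only when both domains have cross-domain security enabled."""
    return audit_a["cross_domain_security"] and audit_b["cross_domain_security"]


if __name__ == "__main__":
    d1, d2 = audit_domain(DOMAIN1), audit_domain(DOMAIN2)
    print(classify(d1, "ms1", d1, "ms3"))          # servers on x and y machines
    print(classify(d1, "ms1", d2, "AdminServer"))  # two separate domains
    print(cross_domain_ready(d1, d2))
```

Servers on different machines that are listed in the same `config.xml` are an intra-domain link, so no domain trust is involved; only a link classified as inter-domain needs global trust or cross-domain security.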

  • Unable to create a JMS Message bridge between Weblogic 12c and Weblogic 8.1

    Hi,
    I am unable to successfully create a Message Bridge between Weblogic 12.1.1.0 and Weblogic 8.1. The error message being received is:
    eis/jms/WLSConnectionFactoryJNDINoTX > ResourceAllocationException generated by resource adapter on call to ManagedConnectionFactory.createManagedConnection(): "javax.resource.ResourceException: ConnectionFactory: failed to get initial context (InitialContextFactory =weblogic.jndi.WLInitialContextFactory, url = t3://localhost:8001, user name = System) ">
    The error on the monitoring tab is WARN: failed to connect to target.
    Both domains are deployed on one box for testing purposes. The bridge itself is deployed on Weblogic 12c. The areas of config that may be of interest are:
    <server>
      <name>AdminServer</name>
      <listen-address></listen-address>
    </server>
    <messaging-bridge>
      <name>Bridge</name>
      <target>AdminServer</target>
      <source-destination>JMSBridgeSource12c</source-destination>
      <target-destination>JMSBridgeTarget81</target-destination>
      <selector>Test</selector>
      <quality-of-service>Exactly-once</quality-of-service>
      <qos-degradation-allowed>false</qos-degradation-allowed>
      <durability-enabled>true</durability-enabled>
      <idle-time-maximum>60</idle-time-maximum>
      <async-enabled>true</async-enabled>
      <started>true</started>
      <preserve-msg-property>false</preserve-msg-property>
    </messaging-bridge>
    <app-deployment>
      <name>jms-xa-adp</name>
      <target>AdminServer</target>
      <module-type>rar</module-type>
      <source-path>D:\ORACLE~3\WLSERV~1.1\server\lib\jms-xa-adp.rar</source-path>
      <security-dd-model>DDOnly</security-dd-model>
    </app-deployment>
    <jms-bridge-destination>
      <name>JMSBridgeSource12c</name>
      <adapter-jndi-name>eis.jms.WLSConnectionFactoryJNDIXA</adapter-jndi-name>
      <user-name>System</user-name>
      <user-password-encrypted>{AES}nfFzhs+0J/O2Cenf0g4zDsDyvIKENMF7cZ5sAVUehX0=</user-password-encrypted>
      <classpath></classpath>
      <connection-factory-jndi-name>JMSConnectionFactory12c</connection-factory-jndi-name>
      <connection-url>t3://localhost:7001</connection-url>
      <destination-jndi-name>JMSQueue12c</destination-jndi-name>
    </jms-bridge-destination>
    <jms-bridge-destination>
      <name>JMSBridgeTarget81</name>
      <adapter-jndi-name>eis.jms.WLSConnectionFactoryJNDIXA</adapter-jndi-name>
      <user-name>System</user-name>
      <user-password-encrypted>{AES}eBkO46cHvtrzEraOMIOdXow6WvEAtA4NCUDTQ4mC+9w=</user-password-encrypted>
      <classpath></classpath>
      <connection-factory-jndi-name>JMSConnectionFactory81</connection-factory-jndi-name>
      <connection-url>t3://localhost:8001</connection-url>
      <destination-jndi-name>JMSQueue81</destination-jndi-name>
    </jms-bridge-destination>
    I have enforced global trust between the two domains. I have disabled the guest user on the 8.1 domain but can’t see where to do this on 12c.
    Any suggestions would be much appreciated.
    Regards
    John
    Edited by: 958336 on 13-Sep-2012 03:11

    Thanks for the recommendation. Unfortunately it did not help solve the problem.
    I have managed to get a JMS bridge working between 12c and 8.1 by including the 8.1 weblogic.jar on the classpath. This setup was using eis.jms.WLSConnectionFactoryJNDINoTX.
    After trying to use the adapter that supports transactions, WLSConnectionFactoryJNDIXA I received the following error:
    java.lang.IllegalStateException: can only be called from server
    Is this because the Weblogic 12c server now views the 8.1 server as being foreign?

  • One way trust relationship between different domain windows server 2012 in different forest

    I'd like to build trust correctly between the domains A.local and B.int. A.local is on Windows 2012. B.int is on Windows 2012. Both machines are connected to the same LAN. The forest level on the A.local machine is Windows Server 2008 and the forest level on B.int is Windows Server 2012.
    I want a one-way trust relationship, i.e. users from A.local gain access to B.local.
    My problem is that I create the trust, but when I go to validate the trust between A.Local and B.int it gives me this error:
     The secure channel (SC) reset on Active Directory Domain Controller \\dc2.B.int of domain B.int to domain A.Local failed with error: There are currently no logon servers available to service the logon request.
    NOTE: Recently I upgraded the Active Directory from 2008 R2 to 2012. When I ping from A.local to B.int it pings by name and IP, but from B.int it pings by IP only.
    ihab

    Hi,
    Yes, I have already set up conditional forwarding between the 2 domains, and the firewall is off.
    ihab

  • Unable to create Trust between domains

    Scenario. I am trying to build 2 way trust between two Windows forests abc.com & xyz.com
    Highest OS in both domain is Win 2008 R2
    FFL and DFL in both is Win2003
    I added forwarders in DNS in both - It is resolving
    I disabled Antivirus
    I stopped Windows firewall in all the DCs of the domains and no n/w level port restrictions is there
    I am able to ping to all DCs from each of the DCs in both domains.
    After doing all of the above I am unable to create the trust - in the trust wizard it is not identifying domain names.
    Another thing is that I have a Primary zone in the name of each of the domains, i.e. in abc.com I have another Primary zone created for xyz.com, and likewise in xyz.com I have an abc.com primary zone. Will this be an issue? If not, guidelines please...

    Hi,
    >>In ABC.com I have a Primary zone created as xyz.com, Likewise in XYZ.com I have ABC.com primary zone .
    How did you create these Primary zones? Is there an ABC.com zone in ABC.com?
    >>I am unable to put Conditional forwarders because I have a Primary zone exists in name of each of the domain name
    If there is a DNS zone of another domain then we cannot create a conditional forwarder for the other domain.
    Besides, I suggest you check the SRV records. You can try to restart the netlogon services to re-register SRV records. More specifically, in the command prompt, type net stop netlogon to stop netlogon services, then type net start netlogon to start netlogon services.
    Best Regards,
    Erin

  • Two-way forest trust between two (single domain) forests with multiple identical user ID's

    Domain and forest levels - Windows 2003 (they both have one 2008 R2 DC)
    We need to create a two-way forest trust between two separate single-domain forests. The problem is that these two forests already access each others resources through a S2S. Users have the same login names and passwords on both forests/domains. Now, we are combining their infrastructures and need to set up a trust. From what I'm reading, you can't create forest trusts if you have the same SIDs, user ID's, or computer name in each of the forests.
    I'm looking into AD migration tool to copy the userSIDs (SID history?) between forest/domain, deleting the user ID's in the domain we migrated from, and then setting up the trust, but I'm leery about doing it this way as there is no easy 'recovery' should something go wrong.
    Any suggestions for the easiest way to setup this forest trust?

    Hi,
    To eliminate your worries, two user accounts have the same user name doesn’t mean that they have the same SID. Moreover, the user’s SID remains the same even after it has been renamed.
    The SID for domain account/group consists of a Domain Identifier and a Relative Identifier. Domain Identifier is unique in every domain within a forest, and a Relative Identifier is unique within domain. It is unlikely that two user accounts with or without the same account name from two forests have the same SID.
    The Technet article you mentioned is talking about duplicate SIDs instead of “duplicate computer name or user account”, I will submit a change request to Microsoft about this.
    If there are duplicate SIDs when you create forest trust, you need to delete one of them as the article guides.
    Here are some related articles below for your references:
    How Security Identifiers Work
    http://technet.microsoft.com/en-us/library/cc778824(v=WS.10).aspx
    Security Identifier Structure
    http://technet.microsoft.com/en-us/library/cc962011.aspx
    Security Identifier
    http://en.wikipedia.org/wiki/Security_Identifier
    I hope this helps.
    Amy Wang

  • What difference between a domain trust and a forest trust?

    What difference between a domain trust and a forest trust?

    Greetings!
    The answer is right on the question! :)
    I think it is best to distinguish properly between forest and domain. This article is a good one:
    What Are Domains and Forests?
    But in a nutshell, a forest trust is mostly used between two organizations. Suppose company A has a unique forest and company B has another unique forest as well; when they are merged they can simply create a forest trust between each other. This trust can be one-way or two-way depending on your needs.
    Domain trusts are between a single instance (domain) of a forest to another instance (domain) of another forest. It is worth mentioning that trust can be transitive as well.
    What Are Domain and Forest Trusts?
    I hope you got the answer.
    Regards.
    Mahdi Tehrani

  • SSL Between Weblogic and IBM MQ

    Dear All,
    I would like to know the SSL configuration steps between Weblogic and MQ Communication.
    The existing setup is, To put message in MQ, We are using MQ Java API directly. To get message from MQ, We are using JMS API with binding file.
    Now, we are in a position to enable SSL for that communication between WebLogic and MQ. Here WebLogic is treated as the client and MQ is treated as the server. If anyone could throw some light on this, we would be grateful, so that we can enable 2-way SSL.
    In High Level, Initially we planned for One-Way SSL like below,
    1. Create the Trust Store in MQ Server
    gsk7capicmd -keydb -create -db "/var/mqm/qmgrs/WLMQTest/ssl/WLMQTest.kdb" -pw serverpass -type cms -expire 365 -stash -fips
    2. Create Self-Signed Certificate Initially for MQ Server
    gsk7capicmd -cert -create -db "/var/mqm/qmgrs/WLMQTest/ssl/WLMQTest.kdb" -pw serverpass -label ibmwebspheremqwlmqtest -dn "CN=WLMQTest,O=,C=" -expire 365 -fips -sigalg sha1
    gsk7capicmd -cert -extract -db "/var/mqm/qmgrs/WLMQTest/ssl/WLMQTest.kdb" -pw serverpass -label ibmwebspheremqwlmqtest -target "/var/mqm/qmgrs/WLMQTest/ssl/WLMQTest.crt" -format ascii -fips
    3. Create the Key Store in Weblogic Server
    keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048
    4. Copy the Public SSL Server Certificate to the Weblogic Server
    Copied the WLMQTest.crt from MQ Server into a directory under Weblogic Server Domain
    The below command list the content of the keystore.jks
    keytool -list -keystore keystore.jks
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    mydomain, Dec 26, 2011, PrivateKeyEntry,
    Certificate fingerprint (MD5): E7:B6:4C:02:A7:DE:A3:66:27:66:38:A1:87:DF:8F:0F
    And tried to import the WLMQTest.crt
    keytool -import -alias mydomain -file WLMQTest.crt -keystore keystore.jks -storepass serverpass
    We got the error like below,
    keytool error: java.lang.Exception: Public keys in reply and keystore don't match
    5. Configuring the Channels.
    Please advise: is this the right way? We look forward to your valuable comments.
    Edited by: user10094300 on Dec 26, 2011 1:17 AM

    Check this:
    http://www.ibm.com/developerworks/websphere/library/techarticles/0510_fehners/0510_fehners.html
