LDAP Configuration in weblogic server

Similar Messages

• How to access an External LDAP on a weblogic server using OPSS APIs.

  Hi,
  Can anyone let me know how I can access an External LDAP configured on a weblogic server using OPSS APIs( or alternative APIs).
  I'm currently using the below snippet and I'm getting only the Users and groups from the DefaultAutheticator on the weblogic server and not the external LDAP Server.
  I've verified the providers, users and groups on the weblogic server console and can see that external LDAP server content is being picked, but my below code does not query them.
  import oracle.security.idm.IMException;
  import oracle.security.idm.IdentityStore;
  import oracle.security.idm.Role;
  import oracle.security.jps.JpsContext;
  import oracle.security.jps.JpsContextFactory;
  import oracle.security.jps.JpsException;
  import oracle.security.jps.service.idstore.IdentityStoreService;
  List<Role> rowData = null;
  JpsContextFactory ctxf = JpsContextFactory.getContextFactory();
  JpsContext ctx = ctxf.getContext();
  IdentityStoreService storeService = ctx.getServiceInstance(IdentityStoreService.class);
  IdentityStore idStore = storeService.getIdmStore();
  rowData = this.getRoles(idStore, "*");
  Any help or pointers are highly appreciated.
  Thanks,
  Bhasker

  Can anyone please provide any suggestions. I trying to google around but still not able to find any solution.
  Thanks,
  Bhasker

• How to Configure the Weblogic Server 6.0 Beta version with Solaris 8

  Hello,
  I have problem in starting the weblogic server 6.0 beta version.
  It is occupying hell of space and running very slow. When I try
  to deploy the bean it is throwing exception like timeout.
  Plese do suggest me what to do. and how to configure properly.
  Thank you,

  That typically happens when you have your database connections configured
  incorrectly. WebLogic is timing out on accessing the database.
  Michael Girdley
  BEA Systems Inc
  "Laxmikanth" <[email protected]> wrote in message
  news:3a35523c$[email protected]..
  >
  Hello,
  I have problem in starting the weblogic server 6.0 beta version.
  It is occupying hell of space and running very slow. When I try
  to deploy the bean it is throwing exception like timeout.
  Plese do suggest me what to do. and how to configure properly.
  Thank you,

• Installing and Configuring Oracle WebLogic Server 11g

  Hi, I have a question about the installation of Oracle WebLogic Server 11g (10.3.5) high availability, there is some documentation of best practices on this issue.
  Thanks

  http://download.oracle.com/docs/cd/E21764_01/web.1111/e13709/toc.htm

• External LDAP - Configuring the External LDAP to the Weblogic Server 10.3.3

  I m new to LDAP concepts. Is there any documentation link to configure any of the External LDAP for WLS 10.3.3?
  Where can I download to install the Extarnal LDAP?
  Thanks

  To use Active Directory for quick testing with Weblogic, you can use either Suns Sun One Active Directory Server or OpenLDAP which is an open source LDAP. We use OpenLDAP on unix and configure this with WLS. All our users are in OpenLDAP. Try googling around like "OpenLDAP Download" or "Sun One Directory Server" etc. All these are LDAP sources with very minor differences (Some extra attributes here and there). Configuration wise all are same from WLS point of view. We define LDAPs Host, Port, admin useranme/password, User basedn and Group basedn. These are minimum things we need to know upfront.
  Thanks
  Ravi Jegga

• How has access.log file configured in WebLogic server 10.0?

  1.) I am using BEA Weblogic 10.0 and my access.log is not getting updated.
  2.) I also need any information as to how this Webblogic server forms chunks (ex....access00011.log,access00012.log) because i have a software called AWStats which merges all these chunks into 1 single access.log file under its subdirectory.
  3.) I also need information as to how and where the user can specify/ form his own fields which gets displayed in the access.log
  FYI i have 2 servers and i checked under Logging->HTTP->advanced, in both the servers options and configurations are same but in 1 it works fine and access.log is updating but not in the other one.
  Kindly let me know i you have any leads into this issue!
  Thanks,
  Varun

  Hi Ravish,
  Firstly thanks for the reply.
  1.) -----
  What you can do is to set the buffer-size-kb parameter value to "0" in config.xml so that it can start logging once the server starts coming up rather then waiting for the default size which is 8kb to pass.
  Something like below:
  <web-server-log>
  <buffer-size-kb>0</buffer-size-kb>
  <web-server-log>
  For more details check the below link:
  Search for: CR302493
  http://download.oracle.com/docs/cd/E11035_01/wls100/issues/known_resolved.html
  --- for this issue i had browsed throught the forum before posting but in my conf file i have something like this instead of <buffer-size-kb>0</buffer-size-kb>
  <web-server>
  <web-server-log>
  <number-of-files-limited>false</number-of-files-limited>
  <log-file-format>extended</log-file-format>
  </web-server-log>
  </web-server>
  So how do i go about the path of debugging now??
  2.) -------
  If you do not want rotation of access.log then you can just disable it from the below console path just by putting Rotation type as None
  Server -> <YOUR_SERVER_NAME> -> Logging (tab) -> HTTP (sub-tab) -> Rotation type: None
  ---- for this in both my servers i have the settings like this,
  Rotation type--> By Size
  Rotation File size 5000
  Begin rotation time 00:00
  rotation interval 24
  files to retain 7
  and Log file rotation directory is left blank (to get created in same directory)
  and also Rotate log file on startup is unchecked.
  so??? what do you suggest!?
  3.) ------
  I also need information as to how and where the user can specify/ form his own fields which gets displayed in the access.log
  ---- regarding this, in my main server the access.log is getting updated and after 4.8Mb its creating 5Mb chunks. So, for example if the entire log is of 15 Mb then access.log stops updating at 4.98Mb and accesslog.out0001 and accesslog.out0002 is created with 5Mb each but the latest entry will be stored in accesslog.out0002 file. I hope i didn't complicate this :)
  Regards,
  Varun

• Error Configuring BEA Weblogic Server v9.2

  I'm using Eclipse 3.4 (Ganymede) with the new Enterprise Pack for Eclipse. When I try to create a New Server Runtime Environment for Weblogic 9.2, I get the following error:
  "RE is selected, but the path is invalid."
  The path is D:\export\webapps\sbea\weblogic92 which is correct because I successfully used that with Eclipse 3.3 with BEA Weblogic Weblogic 9.2 runtime that you could access from Eclipse 3.3.

  I was able to fix this by uninstalling all BEA products and re-installing WLS 9.2M1.

• LDAP Configuration in Weblogic 9.1 on HP-UX

  Application unable to login, getting invalid login user.
  LDAP in Windows Box. In log file following lines we getting, Suggest how to resolve this issue:
  <XACML Authorization isAccessAllowed(): returning DENY>
  ####<Oct 26, 2006 11:07:42 AM IST> <Debug> <SecurityAdjudicator> <> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1161841062279> <000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
  ####<Oct 26, 2006 11:07:42 AM IST> <Debug> <SecurityAtz> <> <[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1161841062279> <000000> <AuthorizationManager.isAccessAllowed returning adjudicated: false>

  Rahul,
  Can you try viewing the console from a different machine with a
  different browser?
  Raj Alagumalai
  Rahul Kumar wrote:
  Hi All,
  I installed weblogic 6.1 on HP-UX 11.0 successfully.
  I conect to the http://myserver:7001/console give ib the user nam and
  password.
  But i am not able to see the java applet initialized on the left frame of
  the browser window.
  Although i am able to see normal applet initialized but this specific applet
  is notvisible on HP-UX browser..
  This window is accessible from any other windows ie or netscape.
  I am using netscape 4.78 on HP ux 11.0
  Somebody help

• IPlanet LDAP configuration in Weblogic 8.1 SP3

  We use iPlanet LDAP provider for app authentication. We need only the authentication and no authorization. However when we do not specify information in Groups and Membership tabs, and provide only User information, authentication fails. Does iPlanet provider need Group and Membership information for simple authemtication?

  We use iPlanet LDAP provider for app authentication. We need only the authentication and no authorization. However when we do not specify information in Groups and Membership tabs, and provide only User information, authentication fails. Does iPlanet provider need Group and Membership information for simple authemtication?

• Weblogic Server 10.3.0 and LDAP authentication Issue

  Hi - I have configured my WebLogic Server 10.3.0 for LDAP authentication (OID = 10.1.4.3.0) and so far the authentication works fine but I am having issue in terms of authorization.
  I am not able to access the default web logic administrator console app using any of the LDAP user, getting Forbiden message.
  It appears to me that the Weblogic Server is not pulling out the proper groups from the LDAP where user belongs too.
  Can anyone please point me towards the right direction to get this resolved.
  Thanks,
  STEPS
  Here are my steps I have followed:
  - Created a group called Administrators in OID.
  - Created a test user call uid=myadmin in the OID and assigned the above group to this user.
  - Added a new Authentication Provider to the Weblogic and configured it what is required to communicate with OID (the config.xml file snipet is below)
  <sec:authentication-provider xsi:type="wls:ldap-authenticatorType">
  <sec:name>OIDAuthentication</sec:name>
  <sec:control-flag>SUFFICIENT</sec:control-flag>
  <wls:propagate-cause-for-login-exception>false</wls:propagate-cause-for-login-exception>
  <wls:host>pmpdeva-idm.ncr.pwgsc.gc.ca</wls:host>
  <wls:port>1389</wls:port>
  <wls:principal>cn=orcladmin</wls:principal>
  <wls:user-base-dn>ou=AppAdmins, o=gc, c=ca</wls:user-base-dn>
  <wls:credential-encrypted>removed from here</wls:credential-encrypted>
  <wls:group-base-dn>ou=IDM, ou=ServiceAccounts, o=gc, c=ca</wls:group-base-dn>
  </sec:authentication-provider>
  - Marked the default authentication provider as sufficient as well.
  - Re-ordered the authentication provide such that the OIDauthentication is first in the list and default one is the last.
  - Looking at the log file I see there are no groups returned for this user and that is the problem in my opinion.
  <LDAP Atn Login username: myadmin>
  <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <authenticate user:myadmin>
  <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <authentication succeeded>
  <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <LDAP Atn Authenticated User myadmin>
  <List groups that member: myadmin belongs to>
  <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  *<search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>*
  *<Result has more elements: false>*
  <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <login succeeded for username myadmin>
  - I see the XACML RoleMapper getRoles() only returning the Anonymous role as oppose to Admin (because the OID user is a part of Administrators group in OID then it should be returning Admin as fars I can tell. Here is the log entry that shows that:
  <XACML RoleMapper getRoles(): returning roles Anonymous>
  - I did a ldap search and I found no issues in getting the results back:
  C:\>ldapsearch -h localhost -p 1389 -b"ou=IDM, ou=ServiceAccounts, o=gc, c=ca" -D cn=orcladmin -w "removed from here" (uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupOfUniqueNames)
  cn=Administrators,ou=IDM,ou=ServiceAccounts,o=gc,c=ca
  objectclass=groupOfUniqueNames
  objectclass=orclGroup
  objectclass=top
  END
  Here are the log entries:
  <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
  <1291668685624> <BEA-000000> <LDAP Atn Login>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will use NameCallback to retrieve name>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=myadmin>
  <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
  <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  <1291668685624> <BEA-000000> <authenticate user:myadmin>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=MBR_Domain", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685624> <BEA-000000> <returnConnection conn:LDAPConnection { ldapVersion:2 bindDN:""}>
  <1291668685624> <BEA-000000> <[Security:090302]Authentication Failed: User myadmin denied>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize LoginModuleClassName=weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize ClassLoader=java.net.URLClassLoader@facf0b>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize created delegate login module>
  <1291668685624> <BEA-000000> <LDAP ATN LoginModule initialized>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.initialize delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login>
  <1291668685624> <BEA-000000> <LDAP Atn Login>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[0] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle callbcacks[1] will be delegated>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle will delegate all callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle delegated callbacks>
  <1291668685624> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle did not get username from a callback>
  <1291668685624> <BEA-000000> <LDAP Atn Login username: myadmin>
  <1291668685624> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685624> <BEA-000000> <authenticate user:myadmin>
  <1291668685624> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685671> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685671> <BEA-000000> <authenticate user:myadmin with DN:uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685671> <BEA-000000> <authentication succeeded>
  <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <LDAP Atn Authenticated User myadmin>
  <1291668685686> <BEA-000000> <List groups that member: myadmin belongs to>
  <1291668685686> <BEA-000000> <getConnection return conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <getDNForUser search("ou=AppAdmins, o=gc, c=ca", "(&(uid=myadmin)(objectclass=person))", base DN & below)>
  <1291668685686> <BEA-000000> <DN for user myadmin: uid=myadmin,ou=AppAdmins,o=gc,c=ca>
  <1291668685686> <BEA-000000> <search("ou=IDM, ou=ServiceAccounts, o=gc, c=ca", "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))", base DN & below)>
  <1291668685686> <BEA-000000> <Result has more elements: false>
  <1291668685686> <BEA-000000> <returnConnection conn:LDAPConnection {ldaps://pmpdeva-idm.ncr.pwgsc.gc.ca:1389 ldapVersion:3 bindDN:"cn=orcladmin"}>
  <1291668685686> <BEA-000000> <login succeeded for username myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.login delegated, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
  <1291668685686> <BEA-000000> <LDAP Atn Commit>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning false>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit>
  <1291668685686> <BEA-000000> <LDAP Atn Commit>
  <1291668685686> <BEA-000000> <LDAP Atn Principals Added>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.LoginModuleWrapper.commit delegated, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login logged in>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login subject=Subject:
       Principal: myadmin
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principals)>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator handles this PrincipalClass>
  <1291668685686> <BEA-000000> <Signed WLS principal myadmin>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) PrincipalValidator signed the principal>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) All required PrincipalValidators signed this PrincipalClass, returning true>
  <1291668685686> <BEA-000000> <com.bea.common.security.internal.service.JAASLoginServiceImpl.login identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user myadmin, Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.UserLockoutServiceImpl$ServiceImpl.isLocked(myadmin)>
  <1291668685686> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and myadmin was not previously locked out>
  <1291668685702> <BEA-000000> <Using Common RoleMappingService>
  <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity>
  <1291668685702> <BEA-000000> <PrincipalAuthenticator.validateIdentity will use common security service>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals)>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=myadmin>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalClassName=weblogic.security.principal.WLSUserImpl>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) trying PrincipalValidator for interface weblogic.security.principal.WLSPrincipal>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator handles this PrincipalClass>
  <1291668685702> <BEA-000000> <Validate WLS principal myadmin returns true>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) PrincipalValidator said the principal is valid>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) One or more PrincipalValidators handled this PrincipalClass, returning true>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principals) validated all principals>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): input arguments:>
  <1291668685702> <BEA-000000> <     Subject: 1
       Principal = weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp/*>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/*>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=*.jsp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console, uri=/>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp, contextPath=/console>
  <1291668685702> <BEA-000000> <     Parent: type=<url>, application=consoleapp>
  <1291668685702> <BEA-000000> <     Parent: type=<app>, application=consoleapp>
  <1291668685702> <BEA-000000> <     Parent: type=<url>>
  <1291668685702> <BEA-000000> <     Parent: null>
  <1291668685702> <BEA-000000> <     Context Handler: >
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AdminChannelUsers,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AdminChannelUser:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AdminChannelUser: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(AppTesters,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:AppTester:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role AppTester: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(everyone,[everyone,users]) -> true>
  <1291668685702> <BEA-000000> <primary-rule evaluates to Permit>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Anonymous:, 1.0 evaluates to Permit>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Anonymous: GRANTED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Monitors,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Monitor:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Monitor: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Operators,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Operator:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Operator: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(CrossDomainConnectors,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:CrossDomainConnector:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role CrossDomainConnector: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Deployers,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Deployer:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Deployer: DENIED>
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:group, SC=null, Value=[everyone,users]>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-is-in(Administrators,[everyone,users]) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:role:Admin:, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML RoleMapper: accessing role Admin: DENIED>
  <1291668685702> <BEA-000000> <XACML RoleMapper getRoles(): returning roles Anonymous>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.RoleMappingServiceImpl.getRoles returning [ "Anonymous" ]>
  <1291668685702> <BEA-000000> <AuthorizationManager will use common security for ATZ>
  <1291668685702> <BEA-000000> <weblogic.security.service.WLSAuthorizationServiceWrapper.isAccessAllowed>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Identity=Subject: 1
       Principal = class weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Roles=[ "Anonymous" ]>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed Direction=ONCE>
  <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): input arguments:>
  <1291668685702> <BEA-000000> <     Subject: 1
       Principal = weblogic.security.principal.WLSUserImpl("myadmin")
  >
  <1291668685702> <BEA-000000> <     Roles:Anonymous>
  <1291668685702> <BEA-000000> <     Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <     Direction: ONCE>
  <1291668685702> <BEA-000000> <     Context Handler: >
  <1291668685702> <BEA-000000> <Accessed Subject: Id=urn:oasis:names:tc:xacml:2.0:subject:role, SC=null, Value=Anonymous>
  <1291668685702> <BEA-000000> <Evaluate urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of([Admin,Operator,Deployer,Monitor],Anonymous) -> false>
  <1291668685702> <BEA-000000> <primary-rule evaluates to NotApplicable because of Condition>
  <1291668685702> <BEA-000000> <urn:bea:xacml:2.0:entitlement:resource:type@E@Furl@G@M@Oapplication@Econsoleapp@M@OcontextPath@E@Uconsole@M@Ouri@E@U, 1.0 evaluates to Deny>
  <1291668685702> <BEA-000000> <XACML Authorization isAccessAllowed(): returning DENY>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=consoleapp, contextPath=/console, uri=/index.jsp, httpMethod=GET>
  <1291668685702> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY >
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value>
  <1291668685702> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false>

  Okay Finally the issue is resolved. Here is the findings to help others in case they ran into the same issue.
  The OID version that we are using is not returning the groups the way Weblogic is building the ldapsearch command. We captured the ldap traffic to go deeper and noticed the filters and attributes list that wls was asking. For example, the filter was like:
  "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" cn
  its was the "cn" attribute that was causing the result set to be empty.
  from a command line we tried
  "(&(uniquemember=uid=myadmin,ou=AppAdmins,o=gc,c=ca)(objectclass=groupofuniquenames))" uniquemember
  and got the results back.
  Then we start looking into OID configuration and one of my coworker pointed me towards the orclinmemfiltprocess attributes in cn=dsaconfig entry and told me that they had lot of issues in the past in relation to this attribute.
  So as a test we removed the groupofuniquenames objectclass from the orclinmemfiltprocess attribute list and bingo it worked!
  Since we needed the groupofuniquenames in this list for performance/other reasons and decided to use a different objectclass for our groups instead i.e. orclGroup.
  Thanks everyone for showing interest on the problem and providing suggestions.

• Problems unwrapping SPNEGO token for Single Signon (SSO) in WebLogic Server

  First of all, a quick description of our issue. We’ve tried many different things, but cannot get WebLogic to unwrap the SPNEGO token so it authenticates using Kerberos. We received several errors while trying to debug, here’s the one we see most:
  KDC has no support for encryption type (14)
  But we doubt it has anything to do with the encryption type, as these are set correctly everywhere.
  We’ve tried following some of the instructions on the BEA website (which contain several errors).
  One of them was also adding a host/ SPN (in krb5login.conf) but then, when using HTTP/ SPN we get the following error (it seems with multiple SPN’s it only takes the first or last SPN that was set):
  Client not found in Kerberos database (6)
  Next try was using the host/ SPN but that results in the following error:
  Integrity check on decrypted field failed (31)
  We’ve tried changing the default_enctypes in KRB5.INI (We’ve removed the entries, and also tried only DESCBC_MD5 and DES_CBC_CRC) but that did not change the behaviour.
  We’ve tried adding the AllowTGTSessionKey registry key on client and server, but that didn’t change it either.
  We are not sure what details you need for this to debug, so here’s what we’ve done to install the environment (please note that ip-addresses, domain, client and server names are made up and are different in real-life),
  We have two domains:
  Domain1 (DOMAIN1.COM) contains:
  Domain Controller      “AD1”      with IP 192.168.0.1
  Domain Controller      “AD2”      with IP 192.168.1.1
  Client           “Client1”      with IP 192.168.2.1
  Domain2 (DOMAIN2.COM) contains:
  Domain Controller      “AD3”      with IP 10.0.0.1
  Server (WebLogic)     “Server1”      with IP 10.0.1.2
  Between Domain1 and Domain2 a firewall exists in which we’ve opened the relevant ports like LDAP (TCP 389), Kerberos (UDP 88), WebLogic (7001/7002).We do not see any firewall blocks on other ports…
  We’ve configured AD1 (Microsoft AD with KDC) as follows:
  1. Account “SSOAccountAD” created
  2. Password never expires
  3. DES encryption on
  4. Do not require Kerberos preauthentication off
  5. Password “Password” was reset several times
  6. ServicePrincipalName was set using this
      setspn -A HTTP/Server1.DOMAIN1.COM SSOAccountAD7. ServicePrincipalName on AD1 was checked (and found to be ok) using this command:
      setspn -L SSOAccountAD8. KTPass was executed:
  ktpass -princ HTTP/[email protected] -mapuser SSOAccountAD -pass Password9. User Logon name was checked, it's set to "HTTP/Server1"
  10. ServicePrincipalName on AD2 was checked (and found to be ok) using this command:
  setspn -L SSOAccountADWe’ve configured the WebLogic Server (Server1) as follows:
  1. LDAP authentication was activated and test ok
  2. Single Pass Negotiate Identity Asserter was created with Chosen Type “Authorization”
  3. KRB5.INI file was created and added to %windir% (and C:\WINNT folder to be able to test with Java ktab and kinit which do not look in the %windir% folder):
  [libdefaults]
  default_realm = DOMAIN1.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_tkt_enctypes=DES-CBC-CRC
  default_tgs_enctypes=DES-CBC-CRC
  [realms]
  DOMAIN1.COM = {
  kdc = 192.168.0.1
  admin_server = 192.168.0.1
  default_domain = DOMAIN1.COM
  [domain_realm]
  .domain1.com = DOMAIN1.COM
  domain1.com = DOMAIN1.COM
  [appdefaults]
  autologin = true
  forward = true
  forwardable = true
  encrypt = true4. We’ve installed JDK 1.5.0.12: jdk-1_5_0_12-windows-i586-p.exe
  5. Keytab File was created (with password “Password”):
  ktab -k SSOKeyTabFile -a HTTP/[email protected]. Keytab File and Kerberos communication was tested using:
  kinit -k -t SSOKeyTabFile HTTP/[email protected]. Keytab File and Kerberos communication was tested using Java (incl. Debugging):
  java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Kinit -k -t SSOKeyTabFile HTTP/[email protected]. Keytab was listed:
  java -Dsun.security.krb5.debug=true sun.security.krb5.internal.tools.Klist9. SSOKeyTabFile was copied to the WebLogic ProductionDomain folder
  10. The krb5login.conf file was created and copied to the WebLogic ProductionDomain folder:
  com.sun.security.jgss.initiate {
       com.sun.security.auth.module.Krb5LoginModule required
       principal="HTTP/[email protected]" useKeyTab=true
       keyTab=SSOKeyTabFile storeKey=true debug=true;
  com.sun.security.jgss.accept {
       com.sun.security.auth.module.Krb5LoginModule required
       principal=" HTTP/[email protected] " useKeyTab=true
       keyTab=SSOKeyTabFile storeKey=true debug=true;
  };11. WebLogic service and startWeblogic.cmd were modified with the following parameters:
  -Djava.security.krb5.realm=DOMAIN1.COM
  -Djava.security.krb5.kdc=192.168.0.1
  -Djava.security.auth.login.config=<ProductionFolder>\krb5login.conf
  -Djavax.security.auth.useSubjectCredsOnly=false
  -Dweblogic.security.enableNegotiate=true
  -DDebugSecurityAdjudicator=true
  -Dweblogic.debug.DebugSecurityAtn=true
  -Dweblogic.debug.DebugSecurityAtz=true
  -Dweblogic.Debug.DebugSecurityATN=true
  -Dweblogic.StdoutSeverityLevel=64
  -Dweblogic.StdoutDebugEnabled=true
  For the client pc (Client1) we’ve checked the browser settings:
       Automatic Logon only in Intranet Zone
       Enable Integrated Windows Authentication
  On the client we’ve used “kerbtray.exe” to see whether a kerberos token is created, and it is (although with the full domain name, HTTP/Server1.domain1.com).
  We’ve checked for Kerberos communication with Wireshark and see that the client does communicate, and passes the SPNEGO token to the WebLogic server, but we do not see any Kerberos communication on the WebLogic server. The server simply requests Authorisation again…
  If required we have the full wireshark traces of the WebLogic Server and the Client. We also have very detailed WebLogic tracing which I can provide.
  Any thoughts?
  Kind Regards,
  Nika.

  It turned out to be solved by removing the SSOAccount in AD and recreating it (including re-setting the password, which had already been done several times).
  Regards,
  Nika.

• How to create additional WLS_REPORTS in Weblogic Server 10.3.3

  Hi,
    Below is my configuration:
    Oracle Weblogic Server 10.3.3.0
    Oracle Fusion Middleware 11.1.1.3.0
    Windows 2008 R2 - in 2 servers
    I am configuring High Availability and Load Balancer on both servers. I have installed WLS_FORMS and WLS_REPORTS in the 1st server, and WLS_FORMS1 and WLS_REPORTS1 in the 2nd server. Also installed ohs, default FORMS & REPORTS servlets in both servers.
    I have tested HA and LB on both server and they are working OK.
  Currently, I have 3 new extra report servlets that I need to installed in the servers. Since I am working on HA and LB, the servlets need to be clustered, like the following:
  1st Server=report_servlet_a1, report_servlet_b1, report_servlet_c1
  2nd Server=report_servlet_a2, report_servlet_b2, report_servlet_c2
  cluster_report_a=report_servlet_a1 and report_servlet_a2
  cluster_report_b=report_servlet_b1 and report_servlet_b2
  cluster_report_c=report_servlet_c1 and report_servlet_c2
  Therefore, the new WLSs will be setup in this way:
  wls_reports_a1 <-report_servlet_a1 in 1st Server
  wls_reports_a2 <-report_servlet_a2 in  2nd Server
  wls_reports_b1 <-report_servlet_b1  in 1st Server
  wls_reports_b2 <-report_servlet_b2  in 2nd Server
  wls_reports_c1 <-report_servlet_c1  in 1st Server
  wls_reports_c2 <-report_servlet_c2  in 2nd Server
  Kindly provide steps and/or notes how to perform the above. Thank you in advance!

  One piece of advise I can give is to NOT* use the Shopping Cart fuctnionality inherent in WLP (com.beasys.commerce.ebusiness.shoppingcart. The Online Commerce functionality in WebLogic Portal has been deprecated.
  Brad

• Installing new Secuirty provider on the WebLogic Server

  Hi Everyone,
  I think you guys can find a solution for the problem i'm facing in configuring
  the weblogic server. I'm evaluting the server a possible client and need to relpy
  to him regarding the possible purchase before the mid of next week.
  Problem: The problem i'm facing is as follows. I wrote a web service, I'm trying
  to install a new service provider on the server. I did copied the jar files to
  the java_home\jre\lib\ext directory and did made the change to the java.security
  file as suggested in the "Professiona Java Security" book by wrox publication
  . But when i run the code it doesn't works on the BEA Server. Even though i tested
  successfully on the java server.
  The client wwritten in Java works fine. but the server, when tries to make call
  to service, it fails on the call to the Encryption algorithm class.
  Does any one of you have a solution for this problem. I'm waiting for your reply.
  Thanks in advance?
  Sumit
  SETA Corporation
  Virginia

  Hi Boris,
  Looks like you have not run the post upgrade script for 10.1.3.4.
  You need to install SOA 10.1.3.4 Basic Installation. Then start following : http://download.oracle.com/docs/cd/E12524_01/core.1013/e13058/weblogic.htm#BHCIIBFB
  You basically, first install 10.1.3.4 basic SOA install, Apply the Opatch 7337034 (HOTPLUG: SOASUITE 10.1.3.4 ON WEBLOGIC 9.2 - CHANGES FOR HOTPLUGGABILITY). Install WLS 9.2 MP3.
  Now, Download the Oracle SOA Suite 10.1.3.4 WebLogic Server 9.2 : patch : 7490612.
  Then , Modify the following mandatory installation properties in the Weblogic_SOA10134_Base\SOADomain.properties file as per the documentation above.
  Cheers
  Anirudh Pucha

• Solaris 10 64 bit and 64 bit JVM support for Weblogic Server 9.1

  Does the following configuration supported:
  Weblogic Server 9.1
  Sun Solaris 10 (64 bit)
  Sun JVM 5.0 (64 bit)
  I could only find reference to 32 bit JVM on bea site.
  Any help is appreciated.
  Thanks

  Hi.
  answers inline:
  sanjay wrote:
  Hi,
  Can Weblogic Express (Cluster edition)6.1J sp2 be installed on Sun Solaris(Sparc)
  8(64 bit) ?Yes - http://edocs.bea.com/wls/platforms/index.html#solaris8
  >
  >
  Can Weblogic Express (Cluster edition)6.1J sp2 JDBC driver be used for Oracle 8.1.7(Solaris
  64 bit) ?
  Yes - http://edocs.bea.com/wls/platforms/index.html#jdbc
  Michael Young
  Developer Relations Engineer
  BEA Support

• How to see registered mbeans in weblogic server 10.3.3.0 in web console

  Hi ,
  I am new in mbeans registration in weblogic. I have written code to registered mbeans in weblogic server 10.3.3.0. And I have successfully configured this through weblogic. I can see my registered mbeans in JConsole. I have referred the below link to get help of registering my mbeans :
  https://blogs.oracle.com/WebLogicServer/entry/developing_custom_mbeans_to_ma
  My problem is :_ I can not ask my client to check or do some modification through JConsole. The solution which I was looking for this, If we could get some way to see those registered mbeans through web console such as Weblogic administration console. Is there any way to make this possible ? Do we have any configuration in weblogic server through which I can see my registered mbeans through web console.
  Or By goggling, I found we can use JMX console to registered our mbeans. But I do not have any idea how?
  I am rigorously looking for help. Thanks in advance who come forward to help me.
  Regards,
  Niraj Kumar Singh

  Niraj,
  According to [url http://docs.oracle.com/cd/E12840_01/wls/docs103/jmxinst/accesscust.html#wp1107240]the docs, you cannot access mbeans through the WLS console. JConsole is a JMX console, so you do know how already :)
  If you have Enterprise Manager (aka Fusion Middleware Control) installed in your domain, you can use that to see the mbeans as well.
  John