Weblogic 8.1 and Novell LDAP SSL

Hi Everyone!
I'm having problems enabling SSL between Weblogic 8.1 and Novell LDAP. I have
the non-SSL working. All the BEA documentation I've found indicates that the SSL
Enabled checkbox needs to be checked and that's all. This can't be all, because
I get the following errors.
Does anyone know how to solve this?
Thanks,
Eddie
####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
<Loading trusted certificates from the jks keystore file C:\bea8.1\WEBLOG~1\server\lib\DemoTrust.jks.>
####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
<Loading trusted certificates from the jks keystore file C:\bea8.1\JDK141~1\jre\lib\security\cacerts.>
####<Oct 1, 2003 12:06:42 PM EDT> <Warning> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090476>
<Invalid/unknown SSL header was received from peer NASTEA02 - 10.4.5.104 during
SSL handshake.>

You need to configure the server SSL to trust the identity certificate it receives
from nastea02.bankofny.com. If you want to use the default configuration, you could
simply import the CA certificate that issued that identity certificate into the
DemoTrust.jks keystore.
Also, look at Using Host Name Verification here: http://edocs.bea.com/wls/docs81/secmanage/ssl.html#1187786
because this might be another reason why the certificate is rejected.
Pavel.
"Eddie Baue" <[email protected]> wrote:
Hi Everyone!
Please ignore the exceptions from my previous posting. I'm getting a new exception,
which I've listed below.
Thanks,
Eddie
####<Oct 1, 2003 2:47:20 PM EDT> <Warning> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090477>
<Certificate chain received from nastea02.bankofny.com - 10.4.5.104 was not trusted causing SSL handshake failure.>
"Eddie Baue" <[email protected]> wrote:
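As an added example (not code from this thread or from BEA), here is a small Python triage script for the kind of server-log records Eddie posted: it parses the ten angle-bracketed fields of a WebLogic 8.1 log record, notes which trust stores BEA-090169 says were loaded, and maps BEA-090476 and BEA-090477 to the check Pavel describes (import the issuing CA into the loaded trust store, then verify the host name). The sample log, host names and IP address are constructed, and reading BEA-090476 as "the peer did not answer with TLS" is an assumption, not something the thread states.

```python
"""Triage SSL handshake warnings in a WebLogic 8.1 server log (added example)."""
import re
from collections import namedtuple
from typing import Dict, List, Tuple

# The ten angle-bracketed fields of a WebLogic 8.1 server-log record, in the order written.
LogRecord = namedtuple("LogRecord", "timestamp severity subsystem machine server "
                       "thread user transaction message_id message")
RECORD_START = "####<"  # every record starts this way; later physical lines continue it
# Constructed sample in the thread's layout; LDAP01, ldap01.example.com, 192.0.2.10 are placeholders.
SAMPLE_LOG = r"""
####<Oct 1, 2003 12:06:42 PM EDT> <Notice> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090169>
<Loading trusted certificates from the jks keystore file C:\bea8.1\WEBLOG~1\server\lib\DemoTrust.jks.>
####<Oct 1, 2003 12:06:42 PM EDT> <Warning> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090476>
<Invalid/unknown SSL header was received from peer LDAP01 - 192.0.2.10 during
SSL handshake.>
####<Oct 1, 2003 2:47:20 PM EDT> <Warning> <Security> <6X19DYSZH1ZV> <mytest>
<ExecuteThread: '14' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <BEA-090477>
<Certificate chain received from ldap01.example.com - 192.0.2.10 was not trusted
causing SSL handshake failure.>
"""

def _split_fields(body: str) -> List[str]:
    """Split '<a> <b> <<c>> <>' into fields, keeping nested brackets such as <<WLS Kernel>>."""
    fields, current, depth = [], [], 0
    for ch in body:
        if ch == "<":
            if depth > 0:
                current.append(ch)
            depth += 1
        elif ch == ">":
            depth -= 1
            if depth == 0:
                fields.append("".join(current))
                current = []
            else:
                current.append(ch)
        elif depth > 0:
            current.append(ch)
    if depth != 0:
        raise ValueError("unbalanced angle brackets in record")
    return fields

def parse_log(text: str) -> List[LogRecord]:
    """Group physical lines into records (a record starts with '####<') and parse each."""
    records, pending = [], []
    def flush() -> None:
        if pending:
            fields = _split_fields(" ".join(pending)[len("####"):])
            if len(fields) != 10:
                raise ValueError(f"expected 10 fields, got {len(fields)}: {pending[0][:50]}")
            records.append(LogRecord(*fields))
            pending.clear()
    for line in text.splitlines():
        line = line.strip()
        if not line or (not pending and not line.startswith(RECORD_START)):
            continue  # blank line, or text before the first record
        if line.startswith(RECORD_START):
            flush()
        pending.append(line)
    flush()
    return records

TRUST_STORE_RE = re.compile(r"from the jks keystore file (.+?)\.?$")
PEER_RE = re.compile(r"(?:from peer|received from) (\S+) - (\d{1,3}(?:\.\d{1,3}){3})")

def triage_ssl(records: List[LogRecord]) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (trust stores loaded, findings); each finding maps a BEA-0904xx warning to a check."""
    trust_stores, findings = [], []
    for rec in records:
        if rec.message_id == "BEA-090169":  # tells you which trust stores are really in use
            match = TRUST_STORE_RE.search(rec.message)
            if match:
                trust_stores.append(match.group(1))
            continue
        if rec.message_id not in ("BEA-090476", "BEA-090477"):
            continue
        match = PEER_RE.search(rec.message)
        peer = f"{match.group(1)} ({match.group(2)})" if match else "unknown peer"
        stores = ", ".join(trust_stores) or "the trust stores listed by BEA-090169"
        if rec.message_id == "BEA-090476":
            # Assumption: the peer sent something other than a TLS record (typical of a plain-LDAP port).
            cause = "peer did not answer the handshake with a TLS record"
            action = "confirm the port is the LDAP server's SSL port and SSL is enabled on it"
        else:  # BEA-090477: the fix from the thread, CA import plus host name verification
            cause = "server certificate chain is not trusted"
            action = (f"import the CA certificate that issued the server certificate into {stores}, "
                      "then check host name verification against the certificate's CN")
        findings.append({"code": rec.message_id, "time": rec.timestamp, "peer": peer,
                         "cause": cause, "action": action})
    return trust_stores, findings

if __name__ == "__main__":
    for f in triage_ssl(parse_log(SAMPLE_LOG))[1]:
        print(f"{f['code']} {f['peer']}: {f['cause']} -> {f['action']}")
```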

Similar Messages

  • WebLogic 6.1 and iPlanet LDAP v5

    Per a proof of concept, I am having trouble getting WL6.1 to see
    group members as defined in iPlanet LDAP. I can see the groups,
    but modifies to create groups only create them in the local DB.
    Created users also only get placed in the local DB. I can bind
    for searches as Directory Manager via ldapsearch and run queries,
    and the DS gateway works fine. I can dump the LDIF file and the
    entries look fine.
    I copied and modified the template for the Netscape server and
    have the realm setup per the GUI.
    For sanity, everything is very generic as:
    the Root DN is "o=test.org"
    and my "Configuration" part from the config.xml looks like:
    server.authprotocol=simple;
    server.host=localhost;
    membership.filter=(&(uniquemember=%M)(objectclass=groupofuniquenames));
    server.port=390;
    group.dn=o=test.org;
    group.filter=(&(cn=%g)(objectclass=groupofuniquenames));
    server.principal=cn=Directory Manager;
    user.dn=o=test.org;
    server.groupiscontext=false;
    user.filter=(&(uid=%u))
    I added the "authprotocol" as a guess. Note that the server is
    running on port 390, this is not a typo.
    Any ideas what is going wrong?

    Hi,
    there are two versions of LDAP supported in WLS 6.1, LDAPv1 and LDAPv2.
    LDAP v1 only has the functionality of listing groups,
    but LDAPv2 doesn't have that functionality.
    By looking at your config, it seems you are using LDAP v2.
    If you need that functionality you can use LDAPv1.
    thanks
    kiran
    "Bert Cliche" <[email protected]> wrote in message
    news:[email protected]..

  • EDSPermissionError(-14120) problems with LDAP, SSL and Directory Utility

    Hello everyone,
    Apologies for the repost but I think I may have made a mistake by posting this originally in the Installation, Setup and Migration forum instead of the Open Directory forum. At least I think that may be why I didn't receive any responses.
    Anyway, I've been trying to get my head around Open Directory and SSL as they are implemented in Mac OS X Server 10.5 Leopard, and have been having a few issues. I would like to set up a secure internal infrastructure based around a local Certificate Authority that signs certificates for other internal services like LDAP, email, websites, etc.
    I only have one Mac OS X Server and it is kind of a small office so I have gone against best practice and simply made it a CA (through Keychain Utility). I then generated a self-signed SSL certificate through Server Admin, and used the "Generate CSR" option to create a Certificate Signing Request. This went fine, but I did have some problems signing it with the CA, because the server documentation suggested that once I signed it it would pop open a Mail message containing the ASCII version of the signed certificate - it did not, and it took me a loooong time to realize that I could simply export the copy of the signed certificate it put in my local Keychain on the server as a PEM file and paste this back into the "Add Signed or Renewed Certificate from Certificate Authority" dialog box in Server Admin. Hopefully this can be fixed in a forthcoming patch, but I thought I would mention it here in case anyone else is stuck on this issue.
    Once I did this I was able to use this certificate in the web server on the same machine and sure enough I was able to connect to it with with clients who had installed the CA certificate in their system Keychains without getting any error messages - very cool.
    However, I haven't had quite as much luck getting it going with LDAP/Open Directory. I installed the certificate there as well, but have run into a number of problems. At first I could not get clients (also running 10.5.2) to talk to the server at all over SSL, receiving an error in Directory Utility that the server did not support SSL. I eventually discovered that the problem seemed to lie in the fact that the OpenLDAP implementation on Leopard is not tied in with the system Keychain, necessitating some command-line voodoo to install a copy of the CA cert in a local directory and point /etc/openldap/ldap.conf at it, as documented here: http://www.afp548.com/article.php?story=20071203011158936
    This allowed me to do an ldapsearch command over SSL, and seemingly turn SSL on on clients that were previously bound to the directory, and additionally allowed me to run Directory Utility on new clients and put in the server name with the SSL box checked and begin to go through the process of binding. Once this seemed to work, I turned off all plaintext LDAP communication and locked down the service by checking the "Enable authenticated directory binding," "Require authenticated binding," "Disable clear text passwords," and "Encrypt all packets" options in Server Admin. However, I am now running into a new problem, specifically that I cannot successfully bind a local account to a directory account over SSL.
    Here's what happens:
    1) I run Directory Utility, (or it auto-runs) and add a server, typing in the DNS name and clicking the SSL box.
    2) I get asked to authenticate, and type in user credentials, including computer name (incidentally, should this be a FQDN or just a hostname?)
    3) Provided I put admin credentials in here and not user-level credentials, I get taken to the "Do you want to set up Mail, VPN, etc.?" box that normally appears when you autodiscover or connect to an Open Directory server.
    4) I click through, and am asked for a username and password on the server, as well as the password for my local account.
    5) When I put this information in, I get a popup with the dreaded "eDSPermissionError(-14120)" and it fails.
    Checking the logs in Server Admin reveals nothing special, and while I have seen a couple other threads on this error and various other binding problems:
    http://discussions.apple.com/thread.jspa?messageID=5967023
    http://discussions.apple.com/message.jspa?messageID=5982070
    these have not solved the problem. In the Open Directory user name field I am putting the short username. I have tried putting [email protected] and the user's longname but this fails by saying the account does not exist. For some reason it does seem to work if I bind it to the initial admin account I created, but no other user accounts.
    If I turn all the encryption stuff off I am able to join just fine, so I am suspecting that the error may lie in some other "under the hood" piece of software that doesn't get the CA trust settings from the Keychain or the ldap.conf file, but I'm stymied as to which piece of software this might be. Does anyone have any clues on what I might be able to do here?
    Thanks,
    Andrew

    Hard to tell what is happening without looking at the application
    source, knowing what OS & hardware you're using etc. You might want to
    try running with different JVM versions to see if it's actually the VM
    that is the problem. If you have a support contract with BEA you could
    ask support to help you diagnose this.
    Regards,
    /Helena
    Ayub Khan wrote:
    I have an application running on Weblogic 8.1 ( with JRockit as the JVM). This
    application in turns talks to an iPlanet Directory server via LDAP/SSL. The problem
    seems to happen on loading the machine..the performance progressively gets worse
    and after a couple of seconds, all the threads stop responding. I checked the
    heap, cpu and the idle threads in the execute queue and there is nothing there
    to trigger alarms...there are quite a few idle threads still and the heap and
    the cpu utilization seem OK. On doing a thread dump, Is see that all the other
    threads seem to be in a state where they are waiting for data from LDAP and it
    is basically read only data that they are waiting on.
    Does anyone know what it is going on and help point me in the right direction.
    -Ayub

  • LDAP SSL requirement and setup

    Can someone point me the direction on setting up LDAP SSL in Apex 2.2?
    Is there any documentation available? Thank you.

    I have the same request. The only information I could find was here: LDAP Authentication Failed

  • Convergence with LDAP SSL Failure

    Hello,
    I'm now having a problem securing connections between Convergence and my LDAP server.
    Once I set ugldap.enablessl to true in iwcadmin and change the port to 636, the following error occurs and Convergence just can't authenticate.
    server.log in Glassfish 2.1.1, enterprise profile using NSS keystore
    [#|2010-11-12T20:17:15.208+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|LDAPS:Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values|#]
    [#|2010-11-12T20:17:15.209+0000|SEVERE|sun-appserver2.1|com.sun.comms.shared.ldap.LDAPSingleHostPool|_ThreadID=19;_ThreadName=Thread-114;_RequestID=f4814afe-c0b0-4245-b21b-64be2d4a39e3;|buildConnection: got LDAPException while connecting to Pool number:0. Host=<ldaphost> :netscape.ldap.LDAPException: Error occured during SSL handshake java.lang.RuntimeException: Could not parse key values (91)|#]
    HTTP SSL connections to Webmail server and calendar servers are fine. I tried deploying the same configuration using developer profile with JKS keystore, the SSL authentication goes through then, but I need clustering for high availability.
    Does anyone have any ideas?
    Thanks so much in advance!
    Mathew


  • Debug Weblogic 10.0 with 2-Way SSL: Error 401--Unauthorized

    Hi,
    I am working on Weblogic 10.0 with a 2-Way SSL configuration. The user uses an X.509 certificate to log into the system. I have a default UserNameMapper which maps the CN to a user name in the LDAP user store. The user can log in without problem. But after the user logs in, when he tries to hit a new page before the original page has fully loaded, he gets an "Error 401--Unauthorized".
    I turned on the Weblogic security debug and got the following warning with stack trace. Can anybody help me to figure out what's wrong? How do I troubleshoot this issue? Any help is really appreciated.
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned PERMIT>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecurityAtz> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: true>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 0, length = 167>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write APPLICATION_DATA, offset = 6, length = 1518>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 0
    java.lang.Exception: New alert stack
         at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.closeWriteHandler(Unknown Source)
         at com.certicom.tls.interfaceimpl.TLSConnectionImpl.close(Unknown Source)
         at javax.net.ssl.impl.SSLSocketImpl.close(Unknown Source)
         at weblogic.socket.SocketMuxer.closeSocket(SocketMuxer.java:449)
         at weblogic.socket.SocketMuxer.cleanupSocket(SocketMuxer.java:795)
         at weblogic.socket.SocketMuxer.deliverExceptionAndCleanup(SocketMuxer.java:759)
         at weblogic.socket.SocketMuxer.deliverEndOfStream(SocketMuxer.java:700)
         at weblogic.servlet.internal.VirtualConnection.close(VirtualConnection.java:327)
         at weblogic.servlet.internal.ServletResponseImpl.send(ServletResponseImpl.java:1431)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1375)
         at weblogic.work.ExecuteRequestAdapter.execute(ExecuteRequestAdapter.java:21)
         at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:145)
         at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:117)
    >
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <write ALERT, offset = 0, length = 2>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <close(): 14324285>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.removeContext(ctx): 7034906>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Filtering JSSE SSLSocket>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLIOContextTable.addContext(ctx): 19096081>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <SSLSocket will be Muxing>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <isMuxerActivated: false>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <18691735 SSL3/TLS MAC>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <18691735 received HANDSHAKE>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <HANDSHAKEMESSAGE: ClientHello>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Will use default Mac for algorithm MD5>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Using JCE Cipher: SunJCE version 1.5 for algorithm RC4>
    <Oct 31, 2008 7:34:27 PM GMT> <Debug> <SecuritySSL> <BEA-000000> <Ignoring not supported JCE Mac: SunJCE version 1.5 for algorithm HmacMD5>
    Thanks,
    Wayne

    I decided to use pki with jaas/custom authentication provider to solve this problem. It works. If you want more details, please let me know.

  • Novell LDAP Group - Role

    Hi,
    I have created a Novell LDAP Group. In my realm I now have two authentication
    providers: default and novell, both optional. If I authenticate my user, which
    is stored in the Novell LDAP, the user is correctly authenticated (request.getRemoteUser()
    != null), although the log says user denied (no matter if the user is in the embedded
    LDAP or the Novell one, but maybe the other one always complains). (The Novell user gets
    rejected if the password is wrong.)
    For a Novell group I create a role with the condition: caller is a member of the
    group "novell group". This seems not to work. With request.isUserInRole("novell
    group") I get "false"!!
    Any ideas??
    regards
    tobias

    Found my mistake. I created a role in the weblogic console which I also have defined
    in the web.xml. Then I also need to assign this role to the principal (my group)
    in the weblogic.xml.
    If I have a role not defined in the web.xml, request.isUserInRole(<RoleName>)
    works fine, but not in the above described case without the assignment in the weblogic.xml.
    "Tobias Voigt" <[email protected]> wrote:
    Actually groups are also configured correctly, as it seems to me. On
    the group page, the LDAP group is also listed (in the provider column it says NovellAuthenticator).
    Also if I look at the output of weblogic.security.Security.getCurrentSubject()
    the LDAP group is also listed as a Principal.
    weblogic.security.SubjectUtils.isUserInGroup(<Subject>,<LDAPGroup>) says
    true,
    but request.isUserInRole(<Role for Members in LDAPGroup>) says false.
    (Btw: Weblogic 8.1 sp1)
    "tm" <no-reply> wrote:
    Hi Tobias,
    It sounds like you can successfully use users
    in your Novell LDAP server but you cannot
    successfully use groups from the LDAP server.
    (ie. when you login, it's finding the user, but it
    isn't finding the user's groups thus the role isn't working).
    I'm assuming that you have configured a NovellAuthenticator.
    You must configure the NovellAuthenticator to tell
    how groups are stored in your Novell LDAP server
    (ie. tell it about the group schema). If this is not
    correctly configured, then groups won't work.
    See http://e-docs.bea.com/wls/docs81/secmanage/providers.html#1172008
    for more information on configuring group schemas for LDAP authentication
    providers.
    -tm
    "Tobias Voigt" <[email protected]> wrote in message
    news:[email protected]...

  • OSX 10.6.2 and Novell Netware eDirectory 8.8 SP5

    Ok, forgive the long winded post - but I thought some background would be in order. Briefly, the problem we have is:
    We create a new user in eDirectory, extended them with apple-user,
    add apple-user-homeDirectory of:
    /Network/Servers/<ip of server>/SERVER.VOLUME/HomeDirectory
    and an apple-user-homeurl of:
    afp://<ip of server>/SERVER.VOLUME/HomeDirectory
    AFP works fine, I can manually mount this volume with login / password in OSX with Command-K
    LDAP authentication works great.
    After login, no home directory is mounted or exists, so we get an error (login still occurs).
    Now, if I change the apple-user-homeurl to:
    <home_dir><url>afp://<ip of server>/SERVER.VOL</url><path>HomeDirectory</path></home_dir> (this is how an X Serve stores this value in Open Directory) and attempt to login, login fails "because an 'error' occurred"
    If I check the console / system logs on the OSX client, I see:
    authorizationhost[455]: afp home directory mount failed in theEnumerator->Count in AFP_OpenSession: status = Unknown error: -5023
    Now, for the weird part, if I change apple-user-homeurl on the user back to:
    afp://<ip of server>/SERVER.VOLUME/HomeDirectory - login then works fine and their home directory is created and they are able to use the Mac normally.
    Any ideas? I will post this to Apple forums as well. If I get any answers I will cross-post them.
    Thanks,
    Joe Jenkins
    ps: Novell, please please please, we really need a working OSX client for Netware / OES!!!
    Background:
    New Netware 6.5SP8 server / eDirectory 8.8 SP5 / latest NMAS
    Latest Novell AFP FTF patch from mid Sept 2009
    Edirectory schema extended and LDAP mappings made with documentation I pieced together on the web. If I browse via ldap, I am seeing proper returns for all the objects I need to login.
    Mount object created in Edirectory for the AFP mount corresponding to users home directories.
    OSX test client is Snow Leopard 10.6.2 (patched this morning, clean install)
    Authentication works fine, client works fine once I do the switcheroo with the apple-user-homeurl as indicated above, AFP mounts work fine in OSX, no weird errors in NMAS/LDAP dstrace, AFPTCP.log etc
    By the way, if anyone else is trying to figure this out, my LDIF and my LDAP template may be of use:
    http://www.nerdnet.com/edirldifandplist.zip
    The LDIF is the Apple schema you apply to your eDirectory to support OS X computers. The template is used by the Directory Utility on OSX for mapping eDirectory values to their OSX values. It's taken me about two weeks of work off and on to get a working set of these, hope they save someone else some time!
    Thanks to whoever wrote the "Integrating Mac OS X and Novell eDirectory" document - it was a great help, as is Randy Saek's posts here and his written document "Mac OS X and Novell eDirectory integration" - with these documents and numerous posts on Novell's forums, I've almost got this working well (these documents are available all over the web, but if you can't find them, let me know and I'll put them on my webserver)
    Cheers,
    Joe Jenkins

    A long winded post deserves a long winded reply! Are you serving the home directories from Novell's AFP file server? If not -- if you're serving them from a Mac server -- then nevermind all this.
    If so, you may need to create a generic mount object in your eDirectory tree (not an AppleShare object -- I've never been able to get that working)
    Get Properties of the mount object and, under the "Other" tab (I'm assuming you're using ConsoleOne), add the following attributes and values (or whatever variations of them are appropriate for you):
    apple-mountDirectory: /Network/Servers
    apple-mountOption: net
    apple-mountOption: url==afp://;AUTH=NO%20USER%[email protected]/staff-network-drive
    (yes, apple-mountOption gets two values! i just wrote the attribute twice for clarity)
    apple-mountType: url
    Once I had this in place I still had to do some fiddling with how to specify the home directory for each user. I settled on
    OSX Home: /Network/Servers/10.9.7.11/student-network-drive/Users/stevejobs
    (you would put this in apple-user-homeDirectory, not OSX Home. We just mapped things a little differently.)
    apple-user-homeurl: <homedir><url>afp://10.9.7.11/student-network-drive</url><path>Users/stevejobs</path> </homedir>
    Note how we have Users/stevejobs in the path section. This is different than how Workgroup Manager will save it, even though it will appear to be the same path if you look at it in WGM (thanks, apple.) Unfortunately the way WGM saves it doesn't work (at least, I couldn't get it to) so you can't use WGM to assign this attribute. I ended up writing a shell script to do it.
    Hope that helps. If you want the shell script, I can probably dig it up but make sure you know what you're doing with it. It is tailored to our system and I didn't bother writing any exception handling, so it could very well nuke your system, call you names and eat your dog.

  • WLS :: Will Vista web client work with Weblogic Server 8.1.6 over SSL?

    Hello,
    I have installed 51-2 bit SSL cert on weblogic 7 and found that the secure site doesn't work on Vista web client.
    Weblogic gives error in handshaking and says algorithm is not supported.
    Vista web client uses some algorithms which were not supported by weblogic 7.
    So I would like to know whether the Vista web client would work with Weblogic Server 8.1.6 over SSL.
    Any information in this regard would be helpful.
    Thanks in Advance.

    can you use the following debug flags in the weblogic server as java_options and paste the complete ssl handshake exception here.
    -Dweblogic.StdoutDebugEnabled=true
    -Dssl.debug=true
    thanks,
    sandeep

  • Apache 1.3.22 + mod_ssl / Weblogic 5.1: Browser to Apache SSL does not work

    We are using Weblogic 5.1 and apache 1.3.22+mod_ssl. HTTPS requests to the apache
    server for jsp do not work. However if
    a HTTP request for the same jsp is made, it works.
    SSL requests only work if the ServerName directive for HTTP
    server and the 443 Virtual Server are commented out in httpd.conf. Is this right?

    Hi.
    Firstly, this is not a supported configuration. The latest version of apache we
    certify is 1.3.19. See the following link for supported platforms:
    http://edocs.bea.com/wls/platforms/index.html#apach.
    Without seeing your httpd.conf file this should work. You probably already know this,
    but with WLS 5.1 https between the server and the plugin is not supported, so apache
    needs to translate all http/https requests to http for WLS.
    I recommend you try posting this question to the plugin newsgroup -
    weblogic.developer.interest.plugin.
    Thanks,
    Michael
    shakeel rao wrote:
    --
    Michael Young
    Developer Relations Engineer
    BEA Support

  • Weblogic 6.1's 2-way SSL

    I'm using wsl proxy plug-in between iPlanet Webserver 4.1SP9 and
    wsl 6.1.
    The obj.conf of iPlanet web server was configured to use path proxy:
    -------- httpd.conf --------
    Init fn="load-modules" funcs="wl_proxy,wl_init" shlib="/usr/netscape/web/plugins/lib/libproxy.so"
    Init fn="wl_init"
    <Object name="weblogic" ppath="*/weblogic/*">
    Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7001" PathTrim="/weblogic"
    </Object>
    The "Security" parameter in "magnus.conf" is set to on and a certificate
    was installed on this iPlanet web server.
    I was able to open:
    https://iplanet.test.com:443/weblogic/console
    to set the 'Client Certificate Enforced' option in
    Petstore's SSL section with port 7002.
    I can also access:
    https://iplanet.test.com:443/weblogic/estore
    to bring up the top page and some pages of the petstore sample
    program. But the browser got no data from the web server
    when I clicked on "Enter the Store". I then tried to "Enter the Store"
    directly through port 7002 (without proxying through the iPlanet web server)
    and it also returned no data.
    I suppose that I have to modify the petstore sample code's SSL protocol -
    even in 1-way SSL verification. Is this true?
    I also tried to change WebLogicPort="7001" to "7002" in obj.conf,
    which is tied to the SSL port of wsl61 with some sample certificates.
    When I open:
    https://iplanet.test.com:443/weblogic/console
    the server couldn't locate that object. I checked the adminGuide
    of wsl6.1 on page 13-10. It mentioned that the 'SecureProxy' parameter in
    the 'Service' directive in the obj.conf has to be set to ON.
    So I appended SecureProxy="on" as follows:
    <Object name="weblogic" ppath="*/weblogic/*">
    Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7002" PathTrim="/weblogic" SecureProxy="on"
    </Object>
    But it still failed to connect to port 7002 of wsl61.
    In the FAQs of wsl61 has the section:
    Does the 6.1 plug-in support two-way SSL?
    No. But the plug-in can be set-up to require the client certificate and
    pass it on to WebLogic Server. For example:
    apache ssl
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars
    +StrictRequire
    I am confused with adminGuide's page 14-49. It talked about how to
    confiure 'Mutual Authentification' breifly - it only mentioned
    the opton of 'Client Certificate Enforced' besides copying root
    certificates into 'config' directory.
    Can someone explain to me whether the 2-way authentication can be done
    via plug-in proxy? If not, what is the right way/best way for 2-way
    authentication? Is anyone have some sample programs like petstore
    that work with iPlnet Web server and wsl61 with 2-way authentication?
    Thanks in advance.
    -kl

    I got some progress after digging into the appendix
    of the adminGuide.
    I added two more parameters into the obj.conf
    service directive:
    <Object name="weblogics" ppath="*/weblogics/*">
    Service fn="wl_proxy" WebLogicHost="wsl61.test.com" WebLogicPort="7002" PathTrim="/weblogics" SecureProxy="ON" TrustedCAFile="/usr/netscape/server4/alias/ca.pem"
    </Object>
    When I tried:
    https://iplanet.test.com:443/weblogics/
    it didn't hang. The browser showed:
    No backend server available for connection: timed out after 10 seconds.
    But I tested the backend server. It was alive.
    Anyone got this working?
    Thanks.
    -kl
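    The thread above has two hops that can each fail in their own way: browser to iPlanet (where the web server, not the plug-in, may demand a client certificate) and plug-in to WebLogic on port 7002 (1-way SSL, trusted via TrustedCAFile). The following probe is an added example, not code from the poster or from BEA: it dials the WebLogic SSL port directly with JSSE, trusts only the PEM CA bundle that the plug-in is given as TrustedCAFile, enforces host name verification, and optionally presents a client identity from a PKCS#12 file so the same program can be used as a 2-way SSL client. Running it once without a client keystore and once with one tells you whether the backend is refusing connections because it insists on a client certificate, which, per the FAQ quoted above, the 6.1 plug-in cannot supply. The host name, port, PEM path and the PKCS#12 file are command-line arguments and are assumptions, not values from the page.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example: probe a WebLogic SSL listen port the way the proxy plug-in reaches it.
public class SslProbe {

    // Load the PEM CA bundle (the file passed to the plug-in as TrustedCAFile) into an in-memory trust store.
    static KeyStore trustStoreFromPem(String pemPath) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            int i = 0;
            for (Certificate c : cf.generateCertificates(in)) {
                ts.setCertificateEntry("ca" + i++, c);
            }
        }
        return ts;
    }

    // An optional client identity (PKCS#12 file + password, assumed names) turns the probe into a 2-way SSL client.
    static SSLContext buildContext(KeyStore trust, String clientP12, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        KeyManager[] keyManagers = null;
        if (clientP12 != null) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(clientP12)) {
                ks.load(in, password);
            }
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);
            keyManagers = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Complete one handshake and report what the server presented, or why it was refused.
    static String probe(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Check the certificate's name against the host we dialled (JSSE does not do this by default).
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            SSLSession sess = s.getSession();
            X509Certificate peer = (X509Certificate) sess.getPeerCertificates()[0];
            return "handshake ok: " + sess.getProtocol() + " " + sess.getCipherSuite()
                    + " peer=" + peer.getSubjectX500Principal();
        } catch (SSLException e) {
            // Untrusted CA, name mismatch, a plaintext listener on the port, or a server
            // that requires a client certificate this context did not supply.
            return "handshake failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: SslProbe <host> <port> <ca.pem> [client.p12 [password]]   (all values are site-specific)
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String caPem = args[2];
        String clientP12 = args.length > 3 ? args[3] : null;
        char[] password = args.length > 4 ? args[4].toCharArray() : new char[0];
        SSLContext ctx = buildContext(trustStoreFromPem(caPem), clientP12, password);
        System.out.println(probe(ctx, host, port));
    }
}
```

    If the probe without a client keystore fails but the run with one succeeds, the SSL listen port is demanding a client certificate, and a 1-way hop from the plug-in will time out exactly as the thread describes. Note that a current JDK disables the SSLv3/TLS 1.0 protocol versions a WebLogic 6.1 server offers, so the probe may need to be run with an older runtime or with those versions re-enabled in the JDK's java.security file to reach such a server at all.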

  • Webcenter and standard LDAP connection

    I am trying to create a WebCenter application that uses LDAP authentication.
    I do not have much ADF experience so I really don't know where to start... I read some documentation but it is so overwhelming I don't know where to start.... There is security in ADF, WebCenter, WebLogic Server,... I really don't know where to configure what.
    This is what I currently have done (don't know if I'm on the right track...)
    In the WebLogic server I added an LDAP provider in the security realm. This is working just fine. When I look at the users, the users from my LDAP are listed and the groups are also there. Can I use these users to log in from my WebCenter application or do I have to link them in another way?

    You can use those users to login to WebCenter. For Oracle Discussions you have to rerun the setup tool to have it running under the same LDAP.
    For more details see [http://download.oracle.com/docs/cd/E12839_01/webcenter.1111/e12405/wcadm_security.htm#BGBGGJJF] .
    Edited by: George Maggessy on Aug 24, 2009 1:19 PM

  • Weblogic redirects to administration port, not ssl port, for confidential

    Using WLS 9.2 MP2.
    I added the following to web.xml to make sure all requests use https.
    It works fine when the administration port is not enabled (WebLogic redirects the request to the SSL port).
    But when the administration port is enabled, WebLogic redirects the request to the administration port, not the SSL port, and hence I get a 404 error for the page.
    I opened BEA case 759384 in Nov last year, and CR354916 was filed, but have not heard back.
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>All Pages</web-resource-name>
        <description>These pages are only accessible over SSL.</description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <user-data-constraint>
        <description>This is how the user data must be transmitted</description>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

    Setting this in setDomainEnv solved the issue.
    set MEM_ARGS=-Xms256m -Xmx512m -XX:PermSize=128m
    Regards,
    Sam.
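    The CONFIDENTIAL transport guarantee leaves it to the container to pick the port it redirects to, which is exactly where the thread's problem sits. The filter below is an added example, not code from the poster or from BEA: it enforces the same "SSL only" rule in the application itself and redirects to a port it was told about in web.xml, so the administration port never enters the picture. It also refuses, rather than redirects, anything other than GET/HEAD, because a POST body that arrived in clear text has already been exposed and replaying it over SSL only hides that. The init-param name `sslPort` and the port defaults are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example. Map this filter to /* in web.xml and give it the SSL listen port
// as <init-param> "sslPort" (assumed name) so the redirect target is fixed by configuration.
public class RequireHttpsFilter implements Filter {
    private int sslPort = 443;

    public void init(FilterConfig cfg) throws ServletException {
        String p = cfg.getInitParameter("sslPort");
        if (p != null) {
            sslPort = Integer.parseInt(p);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) resp;
        if (r.isSecure()) {
            chain.doFilter(req, resp);
            return;
        }
        String method = r.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // The request body already crossed the wire unencrypted; do not replay it over SSL.
            w.sendError(HttpServletResponse.SC_FORBIDDEN, "SSL required");
            return;
        }
        w.sendRedirect(httpsUrl(r.getServerName(), sslPort, r.getRequestURI(), r.getQueryString()));
    }

    // Rebuild the URL on the configured SSL port; the port is taken from configuration,
    // never from the incoming request or from the container's own SSL/admin port choice.
    static String httpsUrl(String serverName, int sslPort, String uri, String query) {
        StringBuilder url = new StringBuilder("https://").append(serverName);
        if (sslPort != 443) {
            url.append(':').append(sslPort);
        }
        url.append(uri);
        if (query != null) {
            url.append('?').append(query);
        }
        return url.toString();
    }

    public void destroy() {
    }
}
```

    One caveat when the server sits behind the iPlanet/Apache proxy plug-in discussed earlier on this page: `isSecure()` is only true for a proxied request if WebLogic is configured to trust the plug-in's WL-Proxy-SSL header ("WebLogic Plug-In Enabled" on the server); without that the filter would redirect every request in a loop.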

  • How to connect to Novell Ldap

    Hi,
    I tried to connect to our LDAP server via Novell's jdbc:ldap bridge, but this caused a classDefNotFoundError in the runtime version.
    Could you explain how I have to build an anonymous connection to a Novell LDAP server via JNDI?
    There's no SSL available.
    Regards,
    Patrick

    Thanks.
    I'll first try to get the jdbc:ldap bridge running.
    In the last two weeks I also tried to build the JNDI connection on the basis of the JNDI tutorial, unsuccessfully.
    Maybe I'll get the LDAP bridge working.

  • How can i config WLS7 and iPlanet LDAP

    How can I config WLS7 and iPlanet LDAP?
    failed during initialization. Exception:java.lang.SecurityException: Authentication for user weblogic denied
    java.lang.SecurityException: Authentication for user weblogic denied
    at weblogic.security.service.SecurityServiceManager.doBootAuthorization(SecurityServiceManager.java:978)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1116)
    at weblogic.t3.srvr.T3Srvr.initialize1(T3Srvr.java:703)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:588)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:276)
    at weblogic.Server.main(Server.java:31)

    Yos:
    Series of steps to get WLS working with some external LDAP server follows:
    I. create a new domain /mydomain
    II. start server
    III. open WebLogic console in a browser
    IV. in left frame, go to
    security->realms->myrealm->providers->AuthenticationProviders and click
    V. in right frame, click on “Configure a new iPlanet Authenticator”
    VI. In the new screen, under General, make sure the Control Flag is set to Required,
    select a name for this authenticator, and click Create.
    VII. Select iPlanet LDAP tab and fill in values for Host, Port, Principal where
    these values reflect the settings for your LDAP server. (Note: the default
    principal for an iPlanet LDAP server is uid=admin, ou=Administrators,
    ou=TopologyManagement, o=NetscapeRoot). Click Apply.
    VIII. Click on Credential: Change. At the new screen, enter the credential
    associated with the Principal that you entered in step VII in both boxes. This will
    be the password that is used to do a bind to your LDAP server with the principal.
    Click Apply.
    IX. Select Users tab and make sure these properties accurately reflect the structure
    of your LDAP server. Most of the time the only property that needs to be changed is
    the User Base DN property, from ou=people,o=example.com to
    ou=people,o=myCompany.com. Click Apply.
    X. Select Groups tab and make sure these properties accurately reflect the structure
    of your LDAP server. Most of the time the only property that needs to be changed is
    the Groups Base DN property, from ou=people,o=example.com to
    ou=groups,o=myCompany.com. Click Apply.
    XI. Now, the boot identity of your server absolutely must be a user that exists on
    your LDAP server. You must also have an “Administrators” group on your LDAP server,
    and the boot identity must be a user that exists in this “Administrators” group, or
    the server will not start. So open your LDAP console (this will be a console that
    is specific to the LDAP server you are using) and use the management tools to create
    the “Administrators” group and a user that you place in the “Administrators” group
    that is the boot identity that you use to start WebLogic.
    XII. Make these changes and restart the server.
    XIII. You can verify that the LDAP setup is correct by doing a thread dump. You
    should see a thread like:
    “LDAPConnThread localhost:389" daemon prio=5 tid=0x8d9b308 nid=0x8f8 runnable
    [0x9e2f000..0x9e2fdbc]
    at java.net.SocketInputStream.socketRead(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:86)
    at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
    at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
    - locked <3281d98> (a java.io.BufferedInputStream)
    at netscape.ldap.ber.stream.BERElement.getElement(BERElement.java:101)
    at netscape.ldap.LDAPConnThread.run(LDAPConnThread.java:420)
    where “localhost:389” is the server name and port of your LDAP
    server. This means that your Authenticator has been set up correctly.
    XIV. Now you can delete your default authenticator. Open the WebLogic console and
    go to security->realms->myrealm->providers->AuthenticationProviders in the left
    frame, and click
    XV. In the right frame, look for DefaultAuthenticator and click on the trash can to
    the far right. Say “Yes” when it asks if you are sure, then click Continue.
    XVI. Restart the WebLogic server. If the server boots correctly, you’re done.
    Everything is working correctly.
    Please note that the "default authenticator" refers to the embedded LDAP server that
    ships with WebLogic.
    Hope this helps.
    Joe Jerry
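    The procedure above boils down to three LDAP facts that must hold before the server is restarted: the Principal/Credential pair can bind, the boot user exists under the User Base DN, and that user is in an "Administrators" group under the Group Base DN. The program below is an added example, not code from Joe Jerry, from BEA or from Novell: it checks those three facts with plain JNDI so they can be verified before touching the realm, and its `connect` method also covers the earlier "How to connect to Novell Ldap" question, since passing a null principal performs the anonymous bind asked for there. The attribute names (`uid`, `cn`, `uniqueMember`/`member`), the timeouts and every host or DN on the command line are assumptions; adjust them to the directory's schema.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example: pre-flight the LDAP facts a WebLogic LDAP authenticator relies on at boot.
public class LdapRealmCheck {

    // principal == null gives an anonymous bind (the Novell question); otherwise a simple bind as that DN.
    public static DirContext connect(String url, String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");   // assumed values
        env.put("com.sun.jndi.ldap.read.timeout", "10000");
        if (principal == null) {
            env.put(Context.SECURITY_AUTHENTICATION, "none");
        } else {
            if (credentials == null || credentials.isEmpty()) {
                // A DN with an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2):
                // many servers accept it as anonymous, which looks like a successful login.
                throw new IllegalArgumentException("refusing simple bind with empty password for " + principal);
            }
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, principal);
            env.put(Context.SECURITY_CREDENTIALS, credentials);
        }
        return new InitialDirContext(env);
    }

    // DN of the entry whose uid matches under the User Base DN, or null if there is none.
    public static String findUserDn(DirContext ctx, String userBaseDn, String uid) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);
        // {0} is filter-encoded by JNDI, so a uid taken from input cannot inject filter syntax.
        NamingEnumeration<SearchResult> r = ctx.search(userBaseDn, "(uid={0})", new Object[] {uid}, sc);
        try {
            return r.hasMore() ? r.next().getNameInNamespace() : null;
        } finally {
            r.close();
        }
    }

    // True if a group with that cn under the Group Base DN lists userDn as a member.
    // iPlanet/Sun Directory groups normally use uniqueMember; member is accepted as well (assumption).
    public static boolean isMember(DirContext ctx, String groupBaseDn, String groupCn, String userDn)
            throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);
        String filter = "(&(cn={0})(|(uniqueMember={1})(member={1})))";
        NamingEnumeration<SearchResult> r = ctx.search(groupBaseDn, filter, new Object[] {groupCn, userDn}, sc);
        try {
            return r.hasMore();
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // usage: LdapRealmCheck <ldap-url> <principalDn> <password> <userBaseDn> <groupBaseDn> <bootUser>
        // Every argument is site-specific; use "" for principal and password to test an anonymous bind.
        String principal = args[1].isEmpty() ? null : args[1];
        DirContext ctx = connect(args[0], principal, args[2]);
        try {
            String dn = findUserDn(ctx, args[3], args[5]);
            if (dn == null) {
                System.out.println("boot user " + args[5] + " not found under " + args[3]);
                return;
            }
            boolean admin = isMember(ctx, args[4], "Administrators", dn);
            System.out.println(dn + (admin ? " is" : " is NOT") + " in Administrators under " + args[4]);
        } finally {
            ctx.close();
        }
    }
}
```

    A "not found" or "is NOT in Administrators" result here is the same condition that produces the "Authentication for user weblogic denied" boot failure quoted in the question, and is far cheaper to find this way than by restarting the server. For the Novell thread, where no SSL is available, keep the bind anonymous as shown and do not send a real user's password over that connection, since a simple bind transmits it in the clear.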
