OBWebPass.CreatUserWorkFlowComment=Added user $UID$ from WebLogic portal server.
If the workflow is modified to use different attributes, the preceding sample lines in the NetPointProvidersConfig.properties file must change accordingly: for each attribute the workflow uses, the DS attribute name must be specified in this file.
For example, if you change the first attribute from cn Name to cn Mail (that is, obmail in DS), then do the following:
OBWebPass.CreatUserWorkFlowAttrName_1=obmail
OBWebPass.CreatUserWorkFlowAttrValue_1= [email protected]
Similarly, if this is a new parameter being added to the workflow, you need to increase the number of fields and add two new lines for the attribute.
Increase the number of fields as indicated in the following:
OBWebPass.CreatUserWorkFlowNumOfFields=4
Add two new lines, as indicated in the following:
OBWebPass.CreatUserWorkFlowAttrName_4=obmail
OBWebPass.CreatUserWorkFlowAttrValue_4=[email protected]
The same approach is to be followed during group creation and user deletion. For group deletion, determination of the workflow to be used is made by Oracle Access Manager. The delete group operation requires only the Group DN, which is obtained from the Portal Admin interface at runtime.
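The numbering rule above (NumOfFields must equal the number of AttrName_N/AttrValue_N pairs, and adding an attribute means raising the count and adding both lines) is easy to get wrong by hand. The following Python script is an added example, not part of the Oracle guide or of the Security Provider: it reads a properties file with a minimal parser, reports pairs that are incomplete, missing or uncounted for the create-user, delete-user and create-group workflows, and produces the three lines to write for a new attribute. The sample properties text is constructed for the example and its workflow ID value is a placeholder.

```python
"""Added example, not from the Oracle guide: consistency check for the
OBWebPass.*WorkFlow* attribute lines in NetPointProvidersConfig.properties."""
import re

# Workflow prefixes whose NumOfFields / AttrName_N / AttrValue_N entries Table 9-2 lists.
WORKFLOW_PREFIXES = (
    "OBWebPass.CreatUserWorkFlow",
    "OBWebPass.DelUserWorkFlow",
    "OBWebPass.CreatGroupWorkFlow",
)


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, # or ! comments, no escapes."""
    lines = (l for l in map(str.strip, text.splitlines()) if l and l[0] not in "#!" and "=" in l)
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}


def numbered_entries(props, prefix, kind):
    """Indices N present for keys of the form <prefix><kind>_N (kind is AttrName or AttrValue)."""
    pattern = re.compile(re.escape(f"{prefix}{kind}_") + r"(\d+)$")
    found = set()
    for key in props:
        match = pattern.match(key)
        if match:
            found.add(int(match.group(1)))
    return found


def check_workflow(props, prefix):
    """Problems for one workflow; an empty list means NumOfFields and the pairs agree."""
    declared = props.get(f"{prefix}NumOfFields")
    if declared is None:
        return []  # this workflow is not configured, so there is nothing to check
    if not declared.isdigit():
        return [f"{prefix}NumOfFields is not a number: {declared!r}"]
    count = int(declared)
    names = numbered_entries(props, prefix, "AttrName")
    values = numbered_entries(props, prefix, "AttrValue")
    problems = [f"{prefix}AttrName_{i} has no matching AttrValue_{i}" for i in sorted(names - values)]
    problems += [f"{prefix}AttrValue_{i} has no matching AttrName_{i}" for i in sorted(values - names)]
    pairs = names & values
    expected = set(range(1, count + 1))
    problems += [f"{prefix}NumOfFields={count} but pair {i} is missing" for i in sorted(expected - pairs)]
    problems += [f"{prefix}AttrName_{i}/AttrValue_{i} lie beyond NumOfFields={count}"
                 for i in sorted(pairs - expected)]
    return problems


def check_all(props):
    """Run the check for every workflow prefix the guide describes."""
    return {prefix: check_workflow(props, prefix) for prefix in WORKFLOW_PREFIXES}


def new_attribute_lines(props, prefix, ds_attribute, value):
    """Lines to write when adding one attribute, following the guide's procedure:
    raise NumOfFields by one and add an AttrName/AttrValue pair with the new index."""
    count = int(props.get(f"{prefix}NumOfFields", "0")) + 1
    return [
        f"{prefix}NumOfFields={count}",
        f"{prefix}AttrName_{count}={ds_attribute}",
        f"{prefix}AttrValue_{count}={value}",
    ]


# Constructed sample: the workflow ID is a placeholder; the third attribute
# deliberately lacks its AttrValue line so the check has something to report.
SAMPLE = """\
OBWebPass.CreatUserWorkFlowID=<workflow id placeholder>
OBWebPass.CreatUserWorkFlowNumOfFields=3
OBWebPass.CreatUserWorkFlowAttrName_1=cn
OBWebPass.CreatUserWorkFlowAttrValue_1=$UID$
OBWebPass.CreatUserWorkFlowAttrName_2=sn
OBWebPass.CreatUserWorkFlowAttrValue_2=$UID$
OBWebPass.CreatUserWorkFlowAttrName_3=obmail
OBWebPass.CreatUserWorkFlowComment=Added user $UID$ from WebLogic portal server.
"""

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for problems in check_all(props).values():
        for problem in problems:
            print(problem)
    # After the missing AttrValue_3 line is supplied, show the lines for a fourth attribute.
    fixed = parse_properties(SAMPLE + "OBWebPass.CreatUserWorkFlowAttrValue_3=user@example.com\n")
    print("\n".join(new_attribute_lines(fixed, "OBWebPass.CreatUserWorkFlow", "obmail", "user@example.com")))
```

Run it against a real NetPointProvidersConfig.properties by replacing SAMPLE with the file's contents; an empty problem list for each prefix means the counts and pairs agree, which is worth confirming before the Security Provider is restarted after a workflow change.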
Configuration Files
The following configuration files are required for the integration of Oracle Access Manager and WebLogic:
■ NetPointProvidersConfig.properties
■ NetPointWeblogicTools.properties
NetPointProvidersConfig.properties
The NetPointProvidersConfig.properties file describes all common configuration items. It also contains items written by the installer when you select the Typical/Advanced install of the Security Provider for WebLogic. A sample file containing all of the parameters, SampleNetPointProvidersConfig.properties, is located in:
Security_Provider_install_dir/examples
where Security_Provider_install_dir is the directory where the Security Provider for WebLogic is installed. Table 9–2 describes these parameters.
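Several entries in Table 9–2 relate parameters to one another: OB_WebPassHost and OB_WebPassPort are comma-separated lists that pair up in the order given, OB_CookieDomain and OB_CookiePath are needed when OB_WebPassIsProtected=true, and OB_AdminUserName, OB_AdminUserCreds and a few attribute names are mandatory. As an added example (not code from the guide or from the Security Provider), the following Python check reads such a file and reports violations of those rules before the provider is started. The sample file is constructed; its user name and password values are placeholders, and the OB_Keystore warning is this example's own reading of the OB_Keystore description rather than a rule the guide states.

```python
"""Added example, not from the Oracle guide: cross-parameter checks on the
WebPass settings in NetPointProvidersConfig.properties."""

# Keys Table 9-2 marks as mandatory for the WebPass connection and LDAP lookups.
MANDATORY = (
    "OB_WebPassPort", "OB_WebPassIsProtected", "OB_AdminUserName", "OB_AdminUserCreds",
    "OB_WebPassSSLEnabled", "OB_UserAttr", "OB_UserSearchAttr", "OB_GroupSearchAttr",
)


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, # or ! comments, no escapes."""
    lines = (l for l in map(str.strip, text.splitlines()) if l and l[0] not in "#!" and "=" in l)
    return {k.strip(): v.strip() for k, v in (l.split("=", 1) for l in lines)}


def split_list(value):
    """Comma-separated list as written in the guide's examples ('foo.domain.com, bar.domain.com')."""
    return [item.strip() for item in value.split(",") if item.strip()]


def webpass_endpoints(props):
    """Pair OB_WebPassHost with OB_WebPassPort by position, as the guide describes."""
    hosts = split_list(props.get("OB_WebPassHost", ""))
    ports = split_list(props.get("OB_WebPassPort", ""))
    if len(hosts) != len(ports):
        raise ValueError(
            f"OB_WebPassHost has {len(hosts)} entries but OB_WebPassPort has {len(ports)}; "
            "hosts and ports correspond in the order given")
    return list(zip(hosts, ports))


def check_webpass(props):
    """Return a list of problems (empty when the WebPass settings are consistent)."""
    problems = []
    for key in MANDATORY:
        if not props.get(key):
            problems.append(f"{key} is mandatory but missing or empty")
    try:
        endpoints = webpass_endpoints(props)
    except ValueError as err:
        problems.append(str(err))
        endpoints = []
    for host, port in endpoints:
        if "." not in host:
            problems.append(f"OB_WebPassHost entry {host!r} is not a fully qualified host name")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"OB_WebPassPort entry {port!r} is not a valid port number")
    if props.get("OB_WebPassIsProtected", "").lower() == "true":
        for key in ("OB_CookieDomain", "OB_CookiePath"):
            if not props.get(key):
                problems.append(f"{key} is needed because OB_WebPassIsProtected=true")
    # Assumption of this example, not a rule in the guide: an HTTPS WebPass
    # normally needs the trust store named by OB_Keystore.
    if props.get("OB_WebPassSSLEnabled", "").lower() == "true" and not props.get("OB_Keystore"):
        problems.append("warning: OB_WebPassSSLEnabled=true but OB_Keystore is not set")
    return problems


# Constructed sample with two deliberate faults: a second host without a second
# port, and a protected WebPass without OB_CookieDomain. Credentials are placeholders.
SAMPLE = """\
OB_WebPassHost=foo.domain.com, bar.domain.com
OB_WebPassPort=80
OB_WebPassIsProtected=true
OB_WebPassSSLEnabled=false
OB_AdminUserName=<admin user placeholder>
OB_AdminUserCreds=<clear-text password placeholder, rewritten encrypted after first run>
OB_CookiePath=/
OB_UserAttr=uid
OB_UserSearchAttr=cn
OB_GroupSearchAttr=cn
"""

if __name__ == "__main__":
    for problem in check_webpass(parse_properties(SAMPLE)):
        print(problem)
```

The check deliberately treats a host/port count mismatch as an error rather than truncating the lists, because the guide ties failover to the positional pairing; a silently dropped endpoint would look like a working configuration until the first failover.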
Table 9–2 NetPointProvidersConfig.properties
Parameter Description and Value

ObDebugMode
    Specifies whether Oracle Access Manager debugging information is recorded in the WebLogic log files. Default=false
ObRoles.Cache.TTL
    Specifies the length of time for which security roles are cached. Default=60 seconds
ObRoles.Cache.CleanupSchedule
    Specifies when expired items in the Roles cache are flushed. This is to reclaim memory. Default=60 seconds
ObAuthorization.ActionOnUnprotectedResource
    Specifies default access to resources not protected by Oracle Access Manager. Default=allow
Ob_InstallDir
    Specifies the installation directory for the Oracle Access Manager Security Provider.
OB_AuthnSchemeResourceTypeName
    The Security Provider uses a special policy to authenticate users in WebLogic. The resource type specified on this parameter is used in this special authentication policy. This resource type contains a resource with a URL prefix of /Authen/Basic. Value: Name of the resource type.
OB_AuthnSchemeResourceName
    The Security Provider uses a special policy to authenticate users in WebLogic. The resource specified on this parameter is used in this special authentication policy. This resource contains a URL prefix of /Authen/Basic. Value: Name of the resource.
ObAuthentication.Anonymous.ResourceName
    The name of the resource used in the policy for anonymous authentication.
OB_AuthnSchemeOperation
    The operations specified on the resource for this policy. Example: LOGIN
ObAuthentication.LoginIdParam
    The userID challenge parameter that is used in the authentication scheme for the policy. This value is the same as the userID challenge parameter specified in the credential_mapping plug-in. Example: userid
ObAuthentication.passwordParam
    The password challenge parameter that is used in the authentication scheme for the policy. This value is the same as the password challenge parameter specified in the validate_password plug-in. Example: password
OB_AuthzActionType
    The authorization action that retrieves the user's login ID from the ObSSOCookie. Example: WL_REALM
OB_AuthzActionName
    The action that retrieves the user's login ID from the ObSSOCookie. Example: uid
ObFormAuthenticationSSO.DummyUserName
    This dummy user name is used with a form login when single sign-on is configured. In this scenario, there is no WebGate on the proxy HTTP server. See "Completing Advanced Installation" on page 9-12 for details.
ObWebAppResourceTypes
    WebLogic resource types that are used for Web applications.
ObRoles.ResourceType
    This parameter specifies the resource type defined for the policy that retrieves the user's role information. Example: wl_authen
ObRoles.ResourceName
    This parameter specifies the URL prefix of the resource (not the resource type) defined for the policy that retrieves the user's role information. Example: /Authen/Roles
ObRoles.ResourceOperation
    The operation specified on the resource in this policy. Example: LOGIN
ObRoles.ActionType
    The action specified on the authorization rule for the policy that obtains the user's role. Example: WL_REALM
ObAuthorization.AbstainMapsTo
    If you do not want to use the Abstain result of an isAuthorized call, you can map the result to allow or deny. See "Completing Advanced Installation" on page 9-12 for details.
ObAuthorization.OnDenyRedirectToUrl
    If access to a resource is denied, then you can redirect the user to this page. This is optional.
OB_LogLevel
    The logging level that is recorded in the log file. Values are none, info, and debug. This is optional.
OB_LogFileName
    The file name for log messages. Default = install_dir/log. This is optional.
OB_LogMilliSeconds
    The date/time format of log messages in the file specified with OB_LogFileName. When true, log messages are time formatted in milliseconds. Default =true. This is optional.
OB_WebPassHost
    The WebPass server host machine name. The host name must be fully qualified; for example, OB_WebPassHost=hostname.acme.com.
    To configure multiple WebPass instances for failover purposes, separate the names with a comma. For example:
    OB_WebPassHost=foo.domain.com, bar.domain.com
    Note that the host name corresponds to the port number in the specified order. See the example in the OB_WebPassPort description. This is optional.
OB_WebPassPort
    The port number of the host machine. To configure multiple WebPass instances, separate the port numbers with a comma, for example: OB_WebPassPort=80, 81.
    Note that the host name corresponds to the port number in the specified order. With the example given for OB_WebPassHost, the hostname:port pairing is as follows:
    foo.domain.com:80
    bar.domain.com:81
    For failover to work, all other variables such as user name, credentials and WebGate protection must be the same. This is mandatory.
OB_WebPassIsProtected
    Values are true and false. If WebPass is protected, set value=true. This is mandatory.
OB_AdminUserName
    Oracle Access Manager requires the Admin username and password to make IdentityXML calls to the WebPass. This is mandatory.
OB_AdminUserCreds
    Oracle Access Manager requires the Admin username and password to make IdentityXML calls to the WebPass. Without the password the Security Provider will not work.
    Note: You need to enter a clear-text password, which the program will encrypt and rewrite to the properties file after the first run. This is mandatory.
OB_CookieDomain
    The cookie domain specified in the WebGate installer configuration. Needed if WebPass is protected. For example, .xyz.com. This is mandatory.
OB_CookiePath
    The cookie path specified in the WebGate configuration. Needed if WebPass is protected. Default = /. This is mandatory.
OB_WebPassSSLEnabled
    Specifies whether WebPass needs an HTTPS connection. Values are true and false. Default = false. This is mandatory.
OB_UserAttr
    The unique user identification (for example, uid). This is mandatory.
OB_UserSearchAttr
    The DN prefix for users from LDAP (for example, cn). This is mandatory.
OB_GroupSearchAttr
    The DN prefix for groups from LDAP (for example, cn). This is mandatory.
OB_WebPassADDomain
    Optional. The domain of the Admin user, used in the case of an Active Directory forest with multiple domains. For example, OB_WebPassADDomain=ou=company,dc=qalab,dc=acme,dc=com
    The ADDomain must be the same as the default defined in the Identity System. This is optional.
OB_WebPassXPIRecordsReturned
    Optional. The number of records to return for getUsers or getGroups. Default = return all. This is optional.
OB_UserGroupsCache_enabled
    Enables caching of the list of groups of which the user is a member. Values are true and false. Maintains a cache of all the groups a logged-in user belongs to. This is optional.
OB_UserGroupsCache_timeout
    The timeout for the cache of the list of groups for a user. The timeout is per user. This value should not be very high: if the user's group membership changes, the new membership will only take effect at cache timeout. For example, a value of 3600 equates to 1 hour. This is optional.
OB_GroupMembersCache_enabled
    Enables caching of the list of groups and the list of members in each group. Values are true and false. Stores members for each group (not a frequently used cache). This is optional.
OB_GroupMembersCache_timeout
    Specifies the timeout for the cache of the list of groups and the list of members in each group. This is optional.
OB_UserAttributesCache_enabled
    Enables caching of user attributes. Values are true and false. This is optional.
OB_UserAttributesCache_timeout
    The timeout for the cache of user attributes. The timeout is for the whole cache. This is optional.
OB_UserAttributesCacheElement_timeout
    The timeout for the cached user attributes. The timeout is per user. This is optional.
OB_GroupAttributesCache_enabled
    Enables caching of group attributes. Values are true and false. This is optional.
OB_GroupAttributesCache_timeout
    The timeout for the cache of group attributes. The timeout is for the whole cache. This is optional.
OB_GroupAttributesCacheElement_timeout
    The timeout for the cached group attributes. The timeout is per group.
OB_Keystore
    Specifies the keystore file used by the Security Provider for WebLogic SSPI when it makes SSL connections to an HTTPS WebPass. The keystore contains the requestor's public and private key pairs, X.509 certificate, and certificates for Certificate Authorities trusted to certify responder servers. The keystore is managed using the JDK keytool. For example: install_dir/oblix/config/jssecacerts. This is optional.
OB_KeystorePassword
    The password for the keystore. This is optional.
OB_UserTabId
    For future use. Do not change the default. Default = Employees
OB_GroupTabId
    For future use. Do not change the default. Default = Groups
OB_NestedGroupsEnabled
    Values are true and false. The default is true. To improve GroupSrvCenter performance when nested groups are not used, set the value to false.
    ■ Nested groups will not be included in the search; the uniquemember attribute will not be requested in a group search when OB_NestedGroupsEnabled=false.
    ■ A value of true retrieves the uniquemember attribute in the group search, uses this for nested group computation, then removes it before the group is recorded.
    This is optional.
OB_DynamicGroupsEnabled
    Values are true and false. To improve GroupSrvCenter performance when you are not using dynamic groups, set the value to false. Dynamic groups will not be included in the search. This is optional.
OB_UserPasswordAttr
    User Password Attribute. Example: userpassword. This is mandatory.
OB_UserDescriptionAttr
    User Description Attribute. Example: description. This is mandatory.
OBWebPass.CreatUserWorkFlowID
    WorkflowID for create user workflow. This is mandatory if user creation is supported.
OBWebPass.CreatUserWorkFlowDomain
    WorkflowDomain for create user workflow. This is mandatory if user creation is supported.
OBWebPass.CreatUserWorkFlowNumOfFields
    Number of attributes present in the create user workflow. This is mandatory if user creation is supported.
OBWebPass.CreatUserWorkFlowAttrName_{number} and OBWebPass.CreatUserWorkFlowAttrValue_{number} pair
    Name/Value pair for an attribute during user creation.
OBWebPass.CreatUserWorkFlowComment
    Comment while creating a user.
OBWebPass.DeactivateUserWorkFlowID
    WorkflowID for delete user workflow. This is mandatory if user deletion is supported.
OBWebPass.DelUserWorkFlowNumOfFields
    Number of attributes present in the delete user workflow. This is mandatory if user deletion is supported.
OBWebPass.DelUserWorkFlowAttrName_{number} and OBWebPass.DelUserWorkFlowAttrValue_{number} pair
    Name/Value pair for an attribute during user deletion.
OBWebPass.DelUserWorkFlowComment
    Comment while deleting a user.
OB_GroupIDAttr
    Group Name Attribute. Example: cn. This is mandatory.
OB_GroupDescriptionAttr
    Group Description Attribute. Example: description. This is mandatory.
OB_GroupUniqueMemberAttr
    Group Uniquemember Attribute. Example: uniquemember. This is mandatory.
OBWebPass.CreatGroupWorkFlowID
    WorkflowID for create group workflow. This is mandatory if group creation is supported.
OBWebPass.CreatGroupWorkFlowDomain
    WorkflowDomain for create group workflow. This is mandatory if group creation is supported.
OBWebPass.CreatGroupWorkFlowNumOfFields
    Number of attributes present in the create group workflow. This is mandatory if group creation is supported.
OBWebPass.CreatGroupWorkFlowAttrName_{number} and OBWebPass.CreatGroupWorkFlowAttrValue_{number} pair
    Name/Value pair for an attribute during group creation.
OBWebPass.CreatGroupWorkFlowComment
    Comment while creating a group.

NetPointWeblogicTools.properties
Table 9–3 describes the NetPointWeblogicTools.properties file located in:
SecurityProvider_install_dir/oblix/tools/npWLTools
where SecurityProvider_install_dir is the directory where the Security Provider for WebLogic is installed.

Table 9–3 SampleNetPointWebLogicTools.properties Parameters
Parameter Description and Value
ObWLTools.Debug
    Creates a debug file. Default = true
ObWLTools.LogFile
    Creates a log file. Default = NetPointWeblogicTools.log
ObPolicyDomain.Name
    The WebLogic domain name created by the Policy Deployer. Default = SecuProvForWeblogic
ObPolicyDomain.Description
    Description of the WebLogic Domain.
ObPolicyDomain.LoginAttribute
    The return attribute in the action of an authentication policy that retrieves the user's login ID from the ObSSOCookie. The return attribute is necessary for Oracle Access Manager single sign-on. Default = uid
ObWLTools.SetupInitialNetpointSSPIPolicies
    Sets up the initial Oracle Access Manager policies for WebLogic such as /Authen/Bank. Use the default value when you first run the Oracle Access Manager Policy Deployer tool. When you run the tool subsequently, change the value to false. Default = true
ObWLTools.DeployPolicy
    If set to true, the tool reads the NetPointDeployPolicy.txt file and creates the policies in Oracle Access Manager.
ObWLTools.UnDeployPolicy
    Deletes policies. Default = false
ObWLSDomain.Dir
    The local directory where the WebLogic domain is located. Default = c:/bea/user_projects/mydomain
ObWLAuthenticationScheme.Name
    The authentication scheme used for WebLogic. This should be created manually before running the tool. Default = Oracle WebLogic Access and Identity
ObWLNoneAuthenticationScheme.Name
    The Anonymous authentication scheme used for WebLogic. This should be created manually before running the tool. Default = Oracle WebLogic Anonymous Authentication
ObWLWebResource.usingIdentityAssertion
    Whether identity assertion is used to protect Web applications. Default=false.
ObWLWebResource.proxyPrefix
    The string trimmed from the beginning of the URL that the user originally specifies, before the request is forwarded to the WebLogic Server. For example, if the URL
    http://myWeb.server.com/weblogic/foo
    is requested, the URL forwarded to the WebLogic Server is:
    http://myWeb.server.com:7001/foo
    The part of the request that is trimmed is what you specify on the ObWLWebResource.proxyPrefix parameter.