Friday, July 17, 2009

How to set up BPEL (BPEL on WebLogic) with Active Directory

One can follow the Metalink note



to set up BPEL with Active Directory. However, the same note cannot be used as-is when your BPEL is running on top of WebLogic Server: some of its steps still apply, but you need to apply some extra steps in order to configure BPEL with Active Directory when BPEL runs on WebLogic Server.

So let's start.

The first few steps provided in the Metalink note are to be followed.

Active Directory is nothing but an authentication tool here, so that your requests will now be routed via Active Directory authentication.

We define certain users and groups and assign them privileges; only the users who have the right privilege can access the system.

The concept of configuring BPEL with Active Directory is to create (seed) the users and groups that are used to access BPEL in your Active Directory. Then we configure WebLogic with Active Directory so that all requests are routed via Active Directory.

Since all the users and groups are in Active Directory, authentication will be done by Active Directory. I hope you now have a rough idea of it; if not, let's go through the screenshots and explanation, and maybe then you will get the idea.

So the very first step is to have a Windows AD machine and a BPEL on WebLogic Server.

You need to open the following file in Notepad:

$SOA_HOME/bpel/system/services/config/ldap/system-winServer2003-ActDir.sbs

If you open this file you will see the details of the various users and groups, such as bpeladmin, workflowadmin, etc.

We want all these users and groups to be seeded into Active Directory.

For that purpose you need to supply the DN for the users and groups.

These DNs should correspond to the user and group containers in Active Directory.

Let's suppose the users in your Active Directory are in the following DN:

cn=Users,dc=us,dc=oracle,dc=com

Then just replace all occurrences of %s_UserContainerDN% with that particular DN.

Similarly for groups: suppose they are in the following DN

cn=Users,dc=us,dc=oracle,dc=com

Then replace all occurrences of %s_GroupContainerDN% with the DN of the groups.

Ideally the users and groups have the same container DN.

After these changes your configuration should look like this:

dn: cn=bpeladmin,cn=Users,dc=ad,dc=vm,dc=oracle,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: bpeladmin
sn: bpeladmin
userPassword: CHANGE_ME
displayName: bpeladmin
description: BPEL System Administrator
name: bpeladmin
sAMAccountName: bpeladmin
distinguishedName: cn=bpeladmin,cn=Users,dc=ad,dc=vm,dc=oracle,dc=com

Here cn=Users,dc=ad,dc=vm,dc=oracle,dc=com is my container DN for users and groups.

The same kind of entry will be there for all the users and groups.

After completing this we should make one more change in this file.

Remove all occurrences of userAccountControl: 512 from the system-winServer2003-ActDir.sbs file.

Why we remove this I am not sure of, but you can get an idea about this flag through this link:

http://support.microsoft.com/default.aspx?scid=kb;en-us;305144

Now all the changes inside the file are completed.

Now we need to save the file as .ldif, i.e. system-winServer2003-ActDir.sbs should now be saved as system-winServer2003-ActDir.ldif.


Have a look at this link and you will get an idea of what LDIF is and why it is used:

http://whatis.techtarget.com/definition/0,,sid9_gci549219,00.html

So we save the file as

system-winServer2003-ActDir.ldif
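The edits above (replace the two container placeholders, drop the userAccountControl lines, save as .ldif) are easy to get wrong by hand in a file with dozens of entries. The following Python script, added here as an example and not part of the original post or of the Oracle SOA distribution, does the same transformation and then checks the result before you hand it to ldifde. The SAMPLE_SBS text is a constructed stand-in in the shape of system-winServer2003-ActDir.sbs (the real file has many more users and groups); the group name bpelusers in it is made up for illustration.

```python
"""Render the BPEL .sbs template into an .ldif for Active Directory.

Added example (not the original post's or Oracle's code).  Steps mirrored
from the post: substitute %s_UserContainerDN% / %s_GroupContainerDN%,
remove every "userAccountControl: 512" line, write the result as .ldif.
"""
import re
from pathlib import Path

# Constructed sample in the shape of system-winServer2003-ActDir.sbs.
# "bpelusers" is an invented group; only the placeholders matter here.
SAMPLE_SBS = """\
dn: cn=bpeladmin,%s_UserContainerDN%
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: bpeladmin
sn: bpeladmin
userPassword: CHANGE_ME
displayName: bpeladmin
description: BPEL System Administrator
name: bpeladmin
sAMAccountName: bpeladmin
userAccountControl: 512
distinguishedName: cn=bpeladmin,%s_UserContainerDN%

dn: cn=bpelusers,%s_GroupContainerDN%
objectClass: top
objectClass: group
cn: bpelusers
sAMAccountName: bpelusers
member: cn=bpeladmin,%s_UserContainerDN%
"""

USER_PLACEHOLDER = "%s_UserContainerDN%"
GROUP_PLACEHOLDER = "%s_GroupContainerDN%"


def render_ldif(template, user_container_dn, group_container_dn):
    """Apply the post's edits to the template text and return LDIF text."""
    out = []
    for line in template.splitlines():
        # Drop the flag the post says to remove (case-insensitive attribute name).
        if re.match(r"(?i)^userAccountControl:", line):
            continue
        line = line.replace(USER_PLACEHOLDER, user_container_dn)
        line = line.replace(GROUP_PLACEHOLDER, group_container_dn)
        out.append(line)
    return "\n".join(out) + "\n"


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}.  Entries are separated by
    blank lines; base64 values and line continuations are not handled."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            continue
        if current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        current.setdefault(attr, []).append(value)
    return entries


def check(entries):
    """Return a list of problems that would make ldifde reject or mis-seed."""
    problems = []
    for dn, attrs in entries.items():
        values = [v for vs in attrs.values() for v in vs]
        if "%s_" in dn or any("%s_" in v for v in values):
            problems.append("unreplaced placeholder in " + dn)
        if "userAccountControl" in attrs:
            problems.append("userAccountControl still present in " + dn)
        if "objectClass" not in attrs:
            problems.append("no objectClass in " + dn)
    return problems


def convert_file(sbs_path, user_container_dn, group_container_dn):
    """Write <name>.ldif next to the .sbs file; returns the new path."""
    sbs_path = Path(sbs_path)
    ldif_text = render_ldif(sbs_path.read_text(), user_container_dn, group_container_dn)
    problems = check(parse_ldif(ldif_text))
    if problems:
        raise ValueError("; ".join(problems))
    ldif_path = sbs_path.with_suffix(".ldif")
    ldif_path.write_text(ldif_text)
    return ldif_path


if __name__ == "__main__":
    dn = "cn=Users,dc=ad,dc=vm,dc=oracle,dc=com"   # the post's container DN
    print(render_ldif(SAMPLE_SBS, dn, dn))
```

Run it against the real template with convert_file("/path/to/system-winServer2003-ActDir.sbs", dn, dn) where dn is your container DN; the check step refuses to write the .ldif if any placeholder survived or a userAccountControl line slipped through, which is cheaper than finding that out from an ldifde import error.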

The next step is to copy this file to the machine where your Active Directory runs, open a command window there and run the following command:

ldifde.exe -i -k -f system-winServer2003-ActDir.ldif

This command seeds all the users and groups for BPEL.

You might get the following issue while running this command:



I am sorry if the screenshot is not clear, but you will probably get an error message like:

You cannot nest global groups in a mixed domain if the group is security enabled.

There is a very simple step to get rid of this issue; follow this link:

http://technet.microsoft.com/en-us/library/cc776703(WS.10).aspx

That is, raise the domain functional level to Windows 2000 native: select Windows 2000 native and then click Raise. Now try to run the same script again and it will complete successfully.

Again, sorry, I don't have a screenshot for this.

Once the command has run successfully you will see all the users and groups in the Active Directory Users list, as shown:



There are some extra users and groups that I created myself, so you might not get exactly the users and groups shown in the screenshot.

Now half of the work is done: all the users and groups are created in Active Directory. The main task remains, which is to make WebLogic Server authenticate against Active Directory.

For this I suggest the following document:

http://edocs.bea.com/wls/docs81/ConsoleHelp/security_activedirectoryauthenticator_config_active-directory.html

This document guides you through authenticating WebLogic with Active Directory.
It might be a tedious job to research and set it up, so I will just list everything we need to do in order to authenticate.

Log in to your WebLogic console.



Choose Security Realms.




By default WebLogic has a realm called "myrealm".

Go to the realm's Providers and create a new provider; let it be called AD.

Select ActiveDirectoryAuthenticator as the type.

Now provide the following information for the new provider, as per your environment. Example:

Group Based DN = CN=Users,DC=ad,DC=vm,DC=oracle,DC=com

Hostname = hostname.something.com

Port = 389

User Based DN = CN=Users,DC=ad,DC=vm,DC=oracle,DC=com

Principal = CN=Administrator,CN=Users,DC=ad,DC=vm,DC=oracle,DC=com

Credentials = the credentials for the Principal. These are the login id and password of that account on the machine where Active Directory resides.


Save it.

When you configure multiple Authentication providers, use the JAAS Control Flag attribute on the Authenticator's General tab to control how the Authentication providers are used in the login sequence.

Since we have created a new provider, we will change the JAAS Control Flag for the DefaultAuthenticator, which is set to 'REQUIRED' by default.

We can also reorder the providers to place the provider created for Active Directory first.

So, set the JAAS Control Flag for the DefaultAuthenticator to 'OPTIONAL'.

This is because if it is set to 'REQUIRED', the DefaultAuthenticator is always called and the user must always pass its authentication test.

Since AD authentication has to be used, we change it to 'OPTIONAL': the user is then allowed to pass or fail the DefaultAuthenticator's test, the next Authentication provider is called, and it authenticates the user successfully against AD.

The JAAS Control Flag Attribute for the "AD" will be 'OPTIONAL' by default. Do not change it.
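To see why the flag change matters, here is a small model of the JAAS control-flag rules (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) that WebLogic applies when it walks the provider list. This is an added example, not code from the post or from WebLogic; the provider outcomes are constructed (an AD-only user whom the embedded DefaultAuthenticator does not know, and the built-in weblogic user whom AD does not know). The "consulted" list it returns also shows the effect of putting the AD provider first in the order.

```python
"""JAAS control-flag evaluation, as used for WebLogic authentication providers.

Added example (not from the post or WebLogic).  Semantics modelled:
  REQUIRED   must succeed; the list is still walked to the end.
  REQUISITE  must succeed; on failure the walk stops immediately.
  SUFFICIENT need not succeed; on success the walk stops immediately,
             unless an earlier REQUIRED/REQUISITE provider already failed.
  OPTIONAL   need not succeed; the walk continues regardless.
Overall: if any REQUIRED/REQUISITE provider is configured, all of them must
succeed; otherwise at least one SUFFICIENT/OPTIONAL provider must succeed.
"""
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def jaas_login(providers, outcomes):
    """providers: ordered list of (name, flag); outcomes: {name: bool} giving
    the result of each provider's own check for this user.
    Returns (login_succeeded, names_of_providers_consulted_in_order)."""
    consulted = []
    mandatory_seen = False
    mandatory_failed = False
    lenient_succeeded = False
    for name, flag in providers:
        ok = outcomes[name]
        consulted.append(name)
        if flag in (REQUIRED, REQUISITE):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if flag == REQUISITE:
                    break                      # REQUISITE stops the walk
        else:                                  # SUFFICIENT or OPTIONAL
            if ok and flag == SUFFICIENT and not mandatory_failed:
                return True, consulted         # SUFFICIENT short-circuits
            lenient_succeeded = lenient_succeeded or ok
    if mandatory_seen:
        return (not mandatory_failed), consulted
    return lenient_succeeded, consulted


# Constructed outcomes: who each provider can actually authenticate.
AD_ONLY_USER = {"AD": True, "DefaultAuthenticator": False}   # e.g. bpeladmin seeded in AD
BUILTIN_USER = {"AD": False, "DefaultAuthenticator": True}   # e.g. the weblogic admin user

# Provider orderings from the post: fresh realm, after adding AD, after the fix.
ORIGINAL_REALM = [("DefaultAuthenticator", REQUIRED)]
AD_ADDED_UNFIXED = [("DefaultAuthenticator", REQUIRED), ("AD", OPTIONAL)]
AD_FIRST_FIXED = [("AD", OPTIONAL), ("DefaultAuthenticator", OPTIONAL)]


def scenarios():
    """Login result for each (configuration, user) pair the post discusses."""
    return {
        "original realm, AD user": jaas_login(ORIGINAL_REALM, AD_ONLY_USER),
        "AD added, Default still REQUIRED, AD user": jaas_login(AD_ADDED_UNFIXED, AD_ONLY_USER),
        "AD first, Default OPTIONAL, AD user": jaas_login(AD_FIRST_FIXED, AD_ONLY_USER),
        "AD first, Default OPTIONAL, builtin user": jaas_login(AD_FIRST_FIXED, BUILTIN_USER),
        "AD first, Default OPTIONAL, unknown user": jaas_login(AD_FIRST_FIXED, {"AD": False, "DefaultAuthenticator": False}),
    }


if __name__ == "__main__":
    for label, (ok, consulted) in scenarios().items():
        print("%-45s -> %-5s via %s" % (label, ok, consulted))
```

The middle scenario is the trap the post warns about: with the DefaultAuthenticator left at REQUIRED, a user who exists only in AD fails even though the AD provider said yes. With both providers OPTIONAL, an AD user and the built-in weblogic user both still log in, and a user unknown to both is rejected.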


Now go to Active Directory and create a new group called SOAGroup.

Assign all the BPEL roles to this group. This is the default group created when we integrate SOA with WebLogic.

Now restart your WebLogic managed server and admin server and try to log in to the BPEL console.

Then create a new user in Active Directory, make this user a member of the group SOAGroup and try to log in: you will be able to log in to the console. If you remove the user from the SOAGroup members you will no longer be able to log in. Hope this helps.
