Tuesday, April 27, 2010

Worklistapp, Weblogic, Webgate, LDAP, SSO

All the items in my subject were a good challenge for me over last month, finally some success and so the blog-post. Generally all worklistapp customization documents which is here is on OC4J, only weblogic documentaion I could find is this. I had to get the worklistapp do authentication against LDAP and SSO with a weblogic portal application.

Now first some basics, worklistapp works out-of-box with JAZN (even with the SOA10.1.3.4 on Weblogic9.2). JAZN is a XML-file based user/group repository, this cannot work with any enterprise-wide deployment. All enterprises have centralized LDAP/OAM (Oracle Access Manager) for managing all their user identities. Now to change worklistapp to use LDAP was actually easy following this, only catch was metalink ID[729163.1], you need to make sure is_config.xml have all the correct attributes.


The next challenge was installing webgate on our 64bit linux, I tried with 64-bit webgate, correct libraries but the following error persisted -
httpd: Syntax error on line 425 of /app/soatst/apache2.2.6/conf/httpd.conf: API module structure 'obWebgateModule' in file /app/soatst/netpoint05/webgate/access/oblix/apps/webgate/bin/webgate.so is garbled - expected signature 41503232 but saw 41503230 - perhaps this is not an Apache module DSO, or was compiled for a different Apache version?

Finally I got the solution in metlaink ID [982922.1], which basically suggested compiling the apache in a 32 bit linux and moving the binaries, and then use 32bit webgate, and that just worked perfect. Not to forget the target 64bit linux cannot be a lower Linux version than the source.

Doing SSO was the last and final challenge, it took a good amount of discussion as how SSO works with webgate/OAM. We had a portal app running on a portal server, and worklistapp running on a different soa server both weblogic. We fronted both servers with webgate agent/apache, so when any protected URL is accessed webgate pushed the Login page in the portal, provided with userid/password, webgate did authentication, and set an obSSOCoockie and some header variables in the request. Same with SSO, when the SSOed application URL is accessed, webgate provided the same header variables and Cookie.

For worklistapp SSO, we had to deploy the customworklistapp, the code comes with the samples, it has to be built and deployed. Again to build and deploy in weblogic, one major error we faced was the local ejb references, which got resolved by using hot deployment of the customworklist.war directly under /soaApps/BPELPM and making an entry in META-INF/application.xml. Looking at the already deployed worklistapp.war helped package the customworklist.war with the weblogic.xml and weblogic-application.xml.

Anyway, to make SSO work, Login.Java required to be changed. The change I did is to introduce a usercn that I read from the header and use authenticate on behalf of admin user which required only the userid, which I could get from the header variables set by Webgate.

Using SSPI or SAML was not possible as the authentication was directly with LDAP and not through the weblogic realm. So for Identity assertions probably a custom authenticator could be required, need to explore that. good article here.

No comments: