Tuesday, February 28, 2012

Weblogic 10.3.5 Configuring a PKI Credential Mapping Provider

The PKI (Public Key Infrastructure) Credential Mapping provider included in WebLogic Server maps (a) a WebLogic Server subject (the initiator) and target resource (and an optional credential action) to (b) a key pair or public certificate that can be used by applications when accessing the targeted resource. The PKI Credential Mapping provider uses the subject and resource name to retrieve the corresponding credential from the keystore.

Configure the infrastructure for using key pair or certificate credential mappings:
  1. Configure a PKI Credential Mapping provider. None is configured by default in the default security realm (myrealm), so one has to be added to the realm before any PKI mappings can be created.
  2. Configure keystores with appropriate keys and distribute the keystores on all machines in a WebLogic Server cluster. For information about setting up keystores, see the help for the Java keytool utility at http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html . Because this keystore holds private keys, restrict its file permissions to the account WebLogic Server runs as on every machine it is copied to.

To create a key pair or certificate based credential mapping for the PKI Credential Mapping provider:
  1. In the left pane, select Security Realms and click the name of the realm you are configuring (for example, myrealm)
  2. Select Credential Mappings > PKI. The PKI Credential Mappings table lists the PKI Credential Mappings configured in this security realm.
  3. Click New. The Create a New Security Credential Mapping page appears.
  4. Enter information about the remote resource to be accessed using this credential mapping. This information is used to identify the remote resource and can include one or more of the following:
    1. Protocol—The protocol to use to reach the remote resource.
    2. Remote Host—The host name of the remote resource.
    3. Remote Port—The port number of the remote resource.
    4. Path—If the remote resource is identified by a path, rather than a hostname and port.
    5. Method—The method on the remote resource this credential is used with.
    Click Next.
  5. On the Create a New Security Credential Map Entry page, select Key Pair or Certificate to indicate the type of credential you are mapping to.
  6. Enter the name of the principal that you are mapping from. This is the WebLogic username that will be the initiator when you want to access the remote resource using this credential mapping.
  7. Indicate whether the principal that you are mapping from is a user or a group.
  8. Optionally, specify a credential action. The action is part of the lookup key, so the same initiator and resource can map to different credentials for different actions.
  9. Enter the alias used in the keystore to identify the credential.
  10. If this is a Key Pair credential, enter the password used to retrieve the credential from the keystore.
  11. Click Finish.
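The console procedure above has to be repeated by hand on every domain, so here is the same work as a WLST script. This is an added example, not code from the original post or from Oracle: the domain name, host names, file paths, aliases and passwords are placeholders, and the resource-ID syntax built by remote_resource_id() and the provider MBean method names (lookupCredentialMapper, createCredentialMapper, setKeyStoreType, setKeyStoreFileName, setKeyStorePassPhrase, setKeyPairCredential, setCertificateCredential) are from memory of the 10.3.x MBean reference and should be checked against your release. It also handles the case the console hides: a provider that was only just added to the realm cannot accept mappings until the servers have been restarted.

```python
# Added example (not from the original post): WLST script for the PKI mapping
# steps above. Run with:  java weblogic.WLST pki_mapping.py
# Names, paths, aliases and passwords are placeholders; the MBean method names
# and the resource-ID syntax are assumptions to verify against your release.

MAPPER_NAME = 'PKICredentialMapper'
MAPPER_CLASS = 'weblogic.security.providers.credentials.PKICredentialMapper'
REALM_PATH = '/SecurityConfiguration/%s/Realms/myrealm'


def remote_resource_id(protocol=None, host=None, port=None, path=None, method=None):
    """Identifier of the remote resource (console step 4). Only the fields
    given are emitted, in the order the console asks for them. The
    'type=<remote>, key=value, ...' form and the key names are an assumption
    about WebLogic's resource-ID syntax; compare with a mapping created in the
    console before relying on it."""
    parts = ['type=<remote>']
    fields = (('protocol', protocol), ('remoteHost', host),
              ('remotePort', port), ('path', path), ('method', method))
    for key, value in fields:
        if value is not None and value != '':
            parts.append('%s=%s' % (key, value))
    return ', '.join(parts)


def ensure_pki_mapper(domain, keystore_file, keystore_pass, keystore_type='JKS'):
    """Step 1 of the setup: add the PKI Credential Mapping provider to myrealm
    if it is missing and point it at the keystore. Must run in the edit tree.
    Returns 1 if the provider was created by this call, else 0."""
    cd(REALM_PATH % domain)
    mapper = cmo.lookupCredentialMapper(MAPPER_NAME)   # assumed RealmMBean method
    created = 0
    if mapper is None:
        mapper = cmo.createCredentialMapper(MAPPER_NAME, MAPPER_CLASS)
        created = 1
    mapper.setKeyStoreType(keystore_type)
    mapper.setKeyStoreFileName(keystore_file)
    mapper.setKeyStorePassPhrase(keystore_pass)
    return created


def add_key_pair_mapping(mapper, resource_id, principal, is_user, alias, key_pass, action=None):
    """Console steps 5-10 for a Key Pair credential. key_pass is the password
    of the key entry under 'alias', not the keystore password."""
    mapper.setKeyPairCredential(resource_id, principal, is_user, action, alias, key_pass)


def add_certificate_mapping(mapper, resource_id, principal, is_user, alias, action=None):
    """Same for a Certificate credential, which carries no password."""
    mapper.setCertificateCredential(resource_id, principal, is_user, action, alias)


def main():
    domain = 'mydomain'
    # Credentials come from files made once with storeUserConfig(), so no
    # administrator password is embedded in the script.
    connect(userConfigFile='/home/wls/wlst.cfg', userKeyFile='/home/wls/wlst.key',
            url='t3://localhost:7001')
    edit()
    startEdit()
    created = ensure_pki_mapper(domain, '/home/wls/pki-mappings.jks', 'KEYSTORE_PASS_PLACEHOLDER')
    save()
    activate()
    if created:
        # A provider added to the realm is not running until the servers restart,
        # so its mapping operations are not available yet.
        print('PKI Credential Mapping provider added; restart the servers and rerun.')
        disconnect()
        return
    # Mappings are operations on the running provider, so they are issued
    # against the serverConfig tree (assumption, as for createUser on an authenticator).
    serverConfig()
    cd((REALM_PATH % domain) + '/CredentialMappers/' + MAPPER_NAME)
    resource = remote_resource_id(protocol='https', host='partner.example.com',
                                  port=443, path='/orders', method='POST')
    # User svc_orders signs calls to the partner with the key under 'orders-signing'.
    add_key_pair_mapping(cmo, resource, 'svc_orders', True, 'orders-signing', 'KEY_PASS_PLACEHOLDER')
    # Members of group 'integration' get the partner's certificate for encryption.
    add_certificate_mapping(cmo, resource, 'integration', False, 'partner-cert')
    disconnect()


if __name__ == '__main__':
    main()
```

Run it after setWLSEnv with java weblogic.WLST pki_mapping.py. The first run adds the provider and stops; the second run, after the restart, adds the mappings. The `__main__` guard keeps the WLST calls from firing if the file is imported as a plain Python module, which is what makes remote_resource_id() testable on its own.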

Monday, February 27, 2012

Weblogic 10.3.5: Steps for Using WLST

Setting Up Your Environment

To set up your environment for WLST:
  1. Install and configure the WebLogic Server software.
  2. Add WebLogic Server classes to the CLASSPATH environment variable and WL_HOME\server\bin to the PATH environment variable, where WL_HOME refers to the top-level installation directory for WebLogic Server.
  3. You can use the WL_HOME\server\bin\setWLSEnv script to set both variables.
     On Windows, a shortcut on the Start menu sets the environment variables and invokes WLST (Tools > WebLogic Scripting Tool).

Invoking WLST

To invoke WLST:
  1. If you will be connecting to a WebLogic Server instance through an SSL listen port on a server that is using the demonstration SSL keys and certificates, invoke WLST using the following command:
     java -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust weblogic.WLST
     These two properties switch off host name verification and trust the demo CA, which is acceptable only against development servers. Against a production server, leave host name verification on and point WLST at a real trust store instead (-Dweblogic.security.TrustKeyStore=CustomTrust together with -Dweblogic.security.CustomTrustKeyStoreFileName=<path to the trust store>).
  2. Otherwise, at a command prompt, enter one of the following commands:
     • java weblogic.WLST
     • java weblogic.WLST -loadProperties propertyFilename

Running WLST from Ant

The wlst Ant task is predefined in the version of Ant shipped with WebLogic Server and enables you to run WLST scripts from within your Ant build file.

Note: If you want to use the task with your own Ant installation, add the following task definition in your build file:

    <taskdef name="wlst" classname="weblogic.ant.taskdefs.management.WLSTTask" />

To run WLST from an Ant script:
  1. Set your environment in a command shell.
    • On Windows NT, execute the setWLSEnv.cmd command, located in the directory WL_HOME\server\bin, where WL_HOME is the top-level directory of your WebLogic Server installation.
    • On UNIX, execute the setWLSEnv.sh command, located in the directory WL_HOME/server/bin, where WL_HOME is the top-level directory of your WebLogic Server installation.
  2. Add a call to the wlst Ant task to execute WLST commands. For example:
     <target name="runwlst">
       <wlst fileName="./myscript.py" executeScriptBeforeFile="true"
         debug="false" failOnError="false">
          <script>
             connect('weblogic','weblogic','t3://localhost:7001')
          </script>
       </wlst>
     </target>
     Two things to change before using this in a real build: the administrator password is in clear text in the build file (create encrypted user configuration and key files once with WLST's storeUserConfig() and call connect(userConfigFile=..., userKeyFile=..., url=...) instead), and failOnError="false" lets a failing script leave the build green, so set it to "true" unless the failure is deliberately tolerated.

Oracle SOA 11.1.1.5 Transferring Metadata using WLST

To use WLST to transfer metadata:
  1. Export the metadata from the original partition using the exportMetadata command:
    exportMetadata(application='sampleApp', server='server1',
           toLocation='/tmp/myrepos/mypartition', docs='/**')
    
    This command exports a versioned stripe of the metadata documents from the metadata partition to a file system directory. Only customization classes declared in the cust-config element of adf-config.xml are exported. If there is no cust-config element declared in adf-config.xml, all customization classes are exported.
    To export all customizations, use the option restrictCustTo="%".
  2. If the production application is on a different system, copy the exported metadata to that system.
  3. Import the metadata to the other partition using the WLST importMetadata command:
    importMetadata(application='sampleApp', server='server1',
           fromLocation='/tmp/myrepos/mypartition', docs='/**')
    
    The value of the fromLocation parameter must be on the same system that is running WLST or on a mapped network drive or directory mount. You cannot use direct network references such as \\mymachine\repositories\.
    Only customization classes declared in the cust-config element of adf-config.xml are imported. If there is no cust-config element declared in adf-config.xml, all customization classes are imported.
    To import all customizations, use the option restrictCustTo="%".
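The three steps above as one WLST script, with the checks a practitioner wants before the import runs: the staging directory must be a local or mounted path, the export must actually have produced documents, and the customization scope is chosen once for both calls. This is an added example, not code from the original post or from Oracle: application, server, URL and directory values are placeholders, the user-config and key files are assumed to have been created beforehand with storeUserConfig(), and the `__main__` guard keeps the WLST calls from running if the file is imported as a plain Python module.

```python
# Added example (not from the original post): WLST script (Jython) that chains
# exportMetadata and importMetadata with pre-flight checks.
# Run with:  java weblogic.WLST transfer_metadata.py
# All application, server, URL and path values are placeholders.
import os


def is_local_location(location):
    """importMetadata cannot use direct network references such as
    \\\\mymachine\\repositories\\; only local or mounted directories work."""
    return not location.startswith('\\\\')


def count_files(location):
    """Number of regular files below 'location', found recursively. Uses
    os.listdir rather than os.walk so it also runs on WLST's Jython 2.2."""
    if not os.path.isdir(location):
        return 0
    total = 0
    for name in os.listdir(location):
        full = os.path.join(location, name)
        if os.path.isdir(full):
            total = total + count_files(full)
        else:
            total = total + 1
    return total


def customization_args(all_customizations):
    """Extra keyword arguments for exportMetadata/importMetadata: with
    restrictCustTo='%' every customization class is transferred; without it
    only the classes declared in cust-config of adf-config.xml are."""
    if all_customizations:
        return {'restrictCustTo': '%'}
    return {}


def transfer_metadata(app, src_url, src_server, dst_url, dst_server, staging,
                      cfg, key, all_customizations=True):
    """Export from the source partition, verify, import into the target.
    Returns the number of files exported."""
    if not is_local_location(staging):
        raise ValueError('staging directory must be local or mounted: %s' % staging)
    extra = customization_args(all_customizations)

    connect(userConfigFile=cfg, userKeyFile=key, url=src_url)
    exportMetadata(application=app, server=src_server, toLocation=staging,
                   docs='/**', **extra)
    disconnect()

    exported = count_files(staging)
    if exported == 0:
        raise RuntimeError('export to %s produced no documents; not importing' % staging)

    # fromLocation is resolved on the system running WLST, so one staging
    # directory serves both calls when this script can reach both domains.
    # If the import must run on the production system itself, copy the
    # directory there first (step 2) and run the import half from that host.
    connect(userConfigFile=cfg, userKeyFile=key, url=dst_url)
    importMetadata(application=app, server=dst_server, fromLocation=staging,
                   docs='/**', **extra)
    disconnect()
    return exported


if __name__ == '__main__':
    n = transfer_metadata('sampleApp', 't3://devhost:7001', 'server1',
                          't3://prodhost:7001', 'server1', '/tmp/myrepos/mypartition',
                          '/home/wls/wlst.cfg', '/home/wls/wlst.key')
    print('transferred %d metadata files' % n)
```

Pass all_customizations=False to get the default behaviour of the two commands (only the classes in cust-config), which matches the fragments above; the '%' form is what the text calls "export all customizations".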

Tuesday, February 21, 2012

Enable the Identity Assertion provider

The Realm Adapter Authentication provider includes an Identity Assertion provider. The Identity Assertion provider provides backward compatibility for implementations of the weblogic.security.acl.CertAuthenticator class. The identity assertion is performed on X.509 tokens. By default, the Identity Assertion provider is not enabled in the Realm Adapter Authentication provider. Because an asserted identity is accepted on the strength of the client certificate alone, the server's trust store and its SSL client-certificate settings decide who can obtain an identity this way; review both before enabling it.
To enable identity assertion in the Realm Adapter Authentication provider:
  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit.
  2. In the left pane, select Security Realms and click on the name of the security realm.
  3. Select Providers > Authentication and click the name of the RealmAdapterAuthenticator.
  4. Expand Configuration > Provider Specific.
  5. Select X.509 in the Active Types: Available list box and use the arrow button to move it to the Chosen box. This step enables the use of 6.x Cert Authenticators.
  6. Click Save.
  7. To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
     Not all changes take effect immediately; some require a server restart.
