When I am playing around with Oracle Entitlements Server, it is sometimes useful to send a dummy authorization request from an application and look at the response. It is also a quick and dirty way to test your policy model as you build an application.
In this article I will describe how to set up the WebLogic SM. A secondary goal is to build a simple app which can run simple authorization requests. We will use this example to understand how Oracle Entitlements Server policies work and, eventually, the mystic art of policy modeling. Before you start, please make sure that you have run the Java SM example described here.
WebLogic SM is different from the Java, Web Services and RMI SMs because multiple applications can run in the same JVM. My recommendation is to map every Java EE application to an Oracle Entitlements Server application. This keeps the overall design of policies simple.
Defining WLS SM
As you have probably figured out, SM definition (in the Oracle Entitlements Server Admin UI) is the same irrespective of the SM type you want to create. Follow the regular steps to create an SM with the name “Sample-WLS-SM” and distribute the policies.
Creating the WLS SM instance and a new WebLogic domain
You can configure a WLS SM for an existing WLS domain, but for this example, to keep things simple, we will create a new WLS domain.
1) Cd to “Oracle-Home/Middleware/OES-Client-Home/oessm/SMConfigTool”
2) Copy the original wls config file to a new name “cp smconfig.wls.controlled.prp my-wls.prp”
3) Edit the file my-wls.prp and set the following parameters. “clientPort” needs to match the SSL port you pick during WLS domain creation (step 12 below)
4) Cd to ../bin
5) Run the WLS SM Config command (remember it will create a new wls domain) “./config.sh -smConfigId Sample-WLS-SM -prpFileName Oracle-Home/Middleware/OES-Client-Home/oessm/SMConfigTool/my-wls.prp -serverLocation Oracle-Home/Middleware/wlserver_10.3”
6) Select “Create a new domain” and click next
7) Select “Oracle Entitlements Server (OES_client)”, don’t select any other Oracle Entitlements Server options
8) Name your new domain “oes_examples”
9) Use “Weblogic” for the user name and pick a password (remember this password)
10) Select Sun JDK
11) Select “Administration Server”; you will need to change the listen port numbers to 8001 (http) and 8002 (https). This is because you probably picked the default ports 7001 (http) and 7002 (https) while setting up the Oracle Entitlements Server Administration Server.
12) Set http port to 8001 and SSL port to 8002
13) Verify information and click “Create”
14) You should see the following completion screen; click “Done”
15) The output from the SM config tool will be something like:
16) Your SM should have been created at “Oracle-Home/Middleware/OES-Client-Home/oes_sm_instances/Sample-WLS-SM”
17) Your domain should have been created at “Oracle-Home/Middleware/user_projects/domains/oes_examples”
Starting up the new domain
1) Cd to “Oracle-Home/Middleware/user_projects/domains/oes_examples”
2) Run “startWebLogic.sh” and wait until you see “Running”
3) Log into the Oracle Entitlements Server Admin UI and check “Policy Distribution”; you should see “Sample-WLS-SM”, which indicates that the WLS SM successfully registered with the Admin server
Now we are sure that the SM is able to talk to the Admin server. Finally we need to see this in action to know that it works.
Deploy sample app
I have created a simple Oracle Entitlements Server WebLogic project in Eclipse. You can get the EAR file from here. The download includes the source files:
1) welcome.html: main entry page
2) AuthzRequest.html: collects the authorization request information
3) AuthzResponse.jsp: contains the Oracle Entitlements Server API calls that perform the authorization
4) web.xml is set up so that the container forces authentication for most pages, except for welcome.html and login.jsp
5) weblogic.xml: maps the local role to the WebLogic Administrator group
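As an added illustration (not code from the sample EAR or from Oracle), here is the authorization query that AuthzResponse.jsp performs, written as a plain Java helper so it can be reused outside a JSP. It assumes the OES 11g OpenAZ PEP API (PepRequestFactoryImpl, PepRequest, PepResponse), the "Application/ResourceType/Resource" resource naming and WebLogic's Security.getCurrentSubject(); the AuthzQuery class and its parameter names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import org.openliberty.openaz.azapi.pep.PepException;
import org.openliberty.openaz.azapi.pep.PepRequest;
import org.openliberty.openaz.azapi.pep.PepRequestFactory;
import org.openliberty.openaz.azapi.pep.PepResponse;
import oracle.security.jps.openaz.pep.PepRequestFactoryImpl;
import weblogic.security.Security;

/**
 * Hypothetical helper (not the sample EAR's AuthzResponse.jsp) that sends one
 * authorization query to the OES WLS SM running in this JVM. The parameters
 * mirror the AuthzRequest.html form: application, resource type, resource, action.
 */
public final class AuthzQuery {

    /**
     * Returns true only when the PDP answers PERMIT. A PepException (SM not yet
     * registered with the Admin server, policy store unreachable) is reported as
     * a denial so that callers fail closed instead of treating "no decision" as PERMIT.
     */
    public static boolean isAllowed(Subject subject, String application,
                                    String resourceType, String resource,
                                    String action, Map<String, Object> env) {
        // Assumption: OES 11g takes the fully qualified resource as one string,
        // "Application/ResourceType/Resource", where Application is the OES
        // application the Java EE app was mapped to (see the recommendation above).
        String qualified = application + "/" + resourceType + "/" + resource;
        try {
            PepRequestFactory factory = PepRequestFactoryImpl.getPepRequestFactory();
            PepRequest request = factory.newPepRequest(subject, action, qualified, env);
            PepResponse response = request.decide();
            return response.allowed();
        } catch (PepException e) {
            // Deny and let the caller log the failure; never default to PERMIT.
            return false;
        }
    }

    /** Inside WebLogic, query on behalf of the container-authenticated user. */
    public static boolean isAllowedForCurrentUser(String application, String resourceType,
                                                  String resource, String action) {
        Subject current = Security.getCurrentSubject();
        return isAllowed(current, application, resourceType, resource, action,
                         new HashMap<String, Object>());
    }
}
```

Because this helper is called explicitly from application code, it is the "OES as API" style used by this sample; it does not make the container itself enforce the policy on URL resources.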
To deploy the web application:
1) Log into WebLogic console (e.g. http://localhost:8001/console)
2) Click on “Deployments” on left pane
3) Click on Install
4) Browse to /home/oes/oes-wls-sample
5) Select oes-wls-example
6) Click on Next
7) Select “install this deployment as an application”
8) Click on Next
9) Leave the defaults and click on Next
10) Leave the defaults and click on Finish
Running the application:
1) Open the example's welcome page (e.g. http://10.0.0.3:8001/oes_examples/welcome.html); you should see:
2) Click on Authorization Query
3) Enter user-name and password
4) Fill in the data about the authorization request and click on “get Authorization”
5) You will see the authorization result
We will use this sample in subsequent blog articles to model policies.
[…] Server architecture. For this article I will deploy the web app from previous blog post WebLogic SM into Oracle Entitlements Server Administration Server. We will use this setup as a quick-and-dirty […]
In this exercise URL resources (oes_examples/*) are not protected using OES. Does that mean by default the weblogic authorization provider was invoked?
What steps are needed if application URLs are to be protected with the OES Authorizer instead of the default (weblogic)?
I see chapter 18 in the OPSS 11g guide (http://download.oracle.com/docs/cd/E21764_01/core.1111/e10043/toc.htm) to utilize the OPSS stack as a security service; does that remain valid for an OES environment?
Hi Rakesh,
In this sample we are not tying the Web App with container security, i.e. OES will not act as a PEP. I will post another article on how to use OES as the container’s authorization provider (i.e. the container’s PEP). I initially planned to call this article “WLS SM Part 1 of 3”. In a couple of weeks I will cover OES JSP tags and then OES as PEP for WLS.
If you need immediate help, please contact support and I am sure they will provide you the required assistance.
Thanks,
Subbu Devulapalli
Thanks.
I will wait (no immediate need) for your next posts to address “OES for container security”.
I think I got tempted into writing a comment as I was comparing OES 11g with OES 10g :)-
Rakesh
Hi Rakesh,
there is a subtle but important difference between OES 10g WebLogic SM and OES 11g WebLogic SM. In 10g the primary role of OES was to secure the container, and authorization APIs were an extension. For example, in 10g the OES APIs will not work correctly unless OES is configured as an authorization provider in the WebLogic Security Realm.
OES 11g does not have this tight coupling. So you can just use OES APIs without making any changes to security realm (like what we have in this article). OES 11g authorization provider needs to be configured only if you explicitly want to use OES for container security.
Thanks,
Subbu Devulapalli
Hi,
It’s been awhile since this blog post. Are you still planning to provide an article about using OES as a PEP in WebLogic?
Thanks!
I am just back from a 3 week trip :-). I plan to post an article in the next couple of weeks. BTW, if this is urgent please file an SR and ask for help from Oracle Support.
Bye,
Subbu Devulapalli
[…] us go back to our museum analogy. All painting in the museum have security sensors, an alarm goes off when a person comes too close […]
Hi,
Thanks for this post! I may be getting “greedy”, but, are you also planning to describe how to deploy a WL SM into an already-existing WL domain, at some point, rather than creating a WL domain with the SM as above? At least for us, that would be a more typical situation.
Hi,
Getting feedback helps me a lot, because I can tailor articles based on what you are interested in. I am happy when I get requests because it motivates me to post new articles 🙂
I have not tried this myself, but adding OES to an existing WLS server instance should be simple. When following the setup procedure, select “Extend an existing WebLogic domain”, shown in the red box below. The rest of the procedure should be fairly identical.
Bye,
Subbu Devulapalli
hello subbu,
After clicking on Extend an existing weblogic domain, it shows me the products specified in it. At that point which product should I be choosing?
Hi,
How should the setup be if my web app is deployed on WLS 10.3 while my OES 11g is set up on wls 11g?
thx.
Yong,
WLS 10.3.5 (WLS 11g) is certified with OES 11g. For other container versions, you will need to use XACML request/response.
Bye,
Subbu Devulapalli
Hi Subbu – I am eagerly waiting for any details on OES as PEP for WLS. Much appreciated if you could provide some details.
Mukesh Khattar
Hi Mukesh,
thanks for letting me know, I will create a blog post in the next two weeks.
Bye,
Subbu Devulapalli
Subbu,
I finally got to try extending the WL domain with the SM, but when I get to the screen after the one where I select Create or Extend, I am not seeing a choice for “oes_client” at all. I am running the config.sh from the oessm/bin directory.
Any idea why it’s not offering me the choice for oes_client?
Thanks.
I wanted to clarify:
– I have a pre-existing WL server instance with a domain created.
– I got the SM zip file, unzipped it, then ran runInstaller to lay down the SM files
– I followed your steps, where I edited the .prp file
– I ran the config.sh command with the appropriate parameters per your blog
– I get the configuration window, then I select the domain directory (base_domain)
On the next screen, there is no choice for “oes_client”, whether I select “create” or “extend” domain.
I’ve tried all kinds of things, i.e., when I run the runInstaller, pointing it to various directories, but no joy yet (been trying all weekend :(!)…
I am not sure why you are unable to see the “oes_client” option. Do you have the installation in separate directories like what I mentioned? There might be some other corruption.
Bye,
Subbu Devulapalli
Extending an existing domain with OES SM: tested? Is it certified?
Yes, you can extend a WLS 10.3.5 domain with OES SM
Bye,
Subbu Devulapalli
Hi
Hi Rakesh, did you have any question?
Hi Subbu,
I also don't see the oes_client option anywhere. After a lot of hit and trial, I found out the option is available only if we install the OES Client inside the Middleware Home, e.g. /opt/oracle/Oracle/Middleware/OESClient
regards
– Udit Sharma
Hi Udit,
thanks for letting me know.
Bye,
Subbu
I also do not see the oes client option anywhere. I installed a separate instance of weblogic server under c:\oracle\middleware\mywls and a new OES Client under c:\oracle\middlware and still cannot see the oes client option. Where do these options show up from?
Samita,
I think some of the directory paths might be messed up. Can you install the product exactly as I have in the installation worksheet and see if that helps?
Thanks,
Subbu
Hi Subbu,
I would like to try the following configuration for this tutorial:
1) Weblogic server running in my MacBook Pro
2) OES server running in a VMWare image in the same Macbook Pro
I would like to try a situation which is very close to the real world.
What I’m trying to understand is :
1) How can I deploy the SM in the Standalone Weblogic running in the Macbook?
2) Shall I install the whole IAM 11.1.1.5 package in the MacBook to run the config.sh and install the SM module?
thanks
regards
Giovanni
Hi Giovanni,
I have seen several people use a MacBook to run OES 11g from within an Oracle-Linux/RedHat-Linux VM image.
OES is not supported on native Mac OS. That being said, if you want to be adventurous, go ahead and try. But remember to back up the installation folders first 🙂
Bye,
Subbu
Hi Subbu,
We are eagerly waiting for an article about using OES as a PEP in WebLogic.
Hi Sunil,
thanks for letting me know. I want to prioritize OES – ADF first and then I will post an article about using OES as PEP within Weblogic
Thanks again,
Subbu
Hi Subbu,
That would be great!! I am looking forward to it.
Thanks,
Sunil
Hi Subbu,
I have a few doubts about the implementation of the Weblogic SM in OES. As per the Oracle documentation, “The WebLogic Security Module is a custom made Java Security Module that includes both a PDP and a PEP. It can receive requests directly from the WebLogic Server without the need for explicit authorization API calls. It only runs on the WebLogic Server container.” So it means weblogic itself should verify the policy rather than us making use of the OES API. But what I have observed is, we are making OES API calls from the JSP page. So how exactly does this behaviour work?
Hi,
It was difficult for me to answer in a short comment. So I wrote a new blog article. Let me know if you still need additional information.
Bye,
Subbu
Hi Subbu,
Thanks for the detailed blog about Weblogic SM behaviour. I am checking on Weblogic SM in interceptor mode, and will keep you posted if I get anything on this.
I want to know one more thing: in the above sample vanilla application example, on the login page, where we are giving the inputs like application name, resource type, resource, etc., currently it is a text field and we are doing manual entry. Is it possible to make it an LOV field? For example, clicking on the box for the list of values corresponding to the application textbox gives all the application names present in OES, and the user can choose accordingly. Similarly for the other text boxes as well.
Bye,
Piyush
Hi Piyush,
I have included the source code. You can try changing the application to use LOV.
It is a little more difficult than what you think, because the application needs to use MAPI to query for application and resource names.
Bye,
Subbu
Hi Subbu,
I raised an SR with Oracle on Weblogic SM in interceptor mode. I got the response as below:
” Please describe “interceptor” mode for your case.
I was unable to find anything about this type of setup in our official documentation.
If this is not specified in our documentation we cannot provide you support.
Please check the link in the research section below for more information about Access Control in OES 11g.
Thank you.”
So, can you help me out with the correct Oracle documentation where I can find the way to set up the weblogic SM in interceptor mode?
Hi,
Sorry for the confusion. I have updated the blog with new info to make it consistent with the OES product documentation. Also I have added a link to the official documentation. Let me know if you have more questions.
Bye,
Subbu
[…] the OES gateway in a another domain configured to be a WLS SM. You must ensure that the jps-config.xml file therein is configured to allow access to the identity […]
I tried installing the weblogic sm from an oes client install of 11.1.1.6 to weblogic 10.3.6 (installed from fusion 11.1.1.6). As per the documentation it should be a supported configuration, but the installation fails with a message that the weblogic server has to be 10.3.4.
So pointed to a new weblogic install of 10.3.5 version and it installs fine. Can I install ADF libraries on the weblogic SM install ? Which version will be supported ? Any help will be appreciated.
Is it possible to install the oes client on a separate machine from the oes server?
Was able to install the weblogic sm on a windows machine. Had issues because of weblogic.policy not having the right grants.
Hi Subbu,
I would like to set up a test program in Java for testing OES policy evaluation.
The idea would be to build a JUnit test case making invocations to an OES wrapper library without the need to deploy anything to a weblogic application server.
Can this be achieved? What SM/wrapper library combination would be needed?
This would also be interesting for using OES from Java processes not deployed in application servers.
Hi Subbu,
Thanks for the wonderful post. Can you please tell me if it is possible to create WLS SM instance in silent mode? I could not see any option for config.sh for creating SM instance.
Thanks
Mahendra.
Hi
Can anyone tell me how to set up all these settings in a windows environment to perform authorization?
[…] Use Web App from WebLogic SM and verify authorization requests in this table. You can log into the web app as weblogic and test […]
Hi Subbu,
I am configuring Weblogic security module for multiple managed servers.
I have used the below link for creating managed servers.
https://docs.oracle.com/cd/E21764_01/install.1111/e12002/oes.htm#INOIM98156
Now my server is not getting registered in the OES policy distribution console. Getting the following error:
Dec 09, 2015 1:21:27 AM oracle.security.jps.az.internal.runtime.pd.register.PDPRegister run
INFO: Can not access PD server web service during PDP registration, will retry later.
Dec 09, 2015 1:23:17 AM oracle.security.jps.az.internal.runtime.pd.register.PDPRegister run
INFO: Can not access PD server web service during PDP registration, will retry later.
Dec 09, 2015 1:25:07 AM oracle.security.jps.az.internal.runtime.pd.register.PDPRegister run
INFO: Can not access PD server web service during PDP registration, will retry later.
Dec 09, 2015 1:26:57 AM oracle.security.jps.az.internal.runtime.pd.register.PDPRegister run
INFO: Can not access PD server web service during PDP registration, will retry later.
Can you please advise.
Check the port, and review the jps config file in the new domain.