Oracle® SOA Suite Installation Guide for WebLogic Server 10g Release 3 (10.1.3.4) for UNIX and Microsoft Windows, Part Number E13058-03
The configuration steps in this section are optional; perform them only if you need them.
This section describes the following steps to set up application security using an external LDAP store for WebLogic Server 9.2:
Step 1: Create an Authentication Provider
Log in to http://localhost:8001/console, using weblogic as the username and password.
Select Security Realms -> myrealm -> Providers -> Authentication.
Click the Lock & Edit button in the Change Centre pane to activate all the buttons on this page.
Click New to create a new authentication provider, for example, LDAP Authenticator. The Create a New Authentication Provider page is displayed.
Enter a name for the authentication provider in the Name field (for example, LDAP_1) and select LDAPAuthenticator in the Type drop-down.
Click OK. The Authentication Providers table displays the name of the LDAP provider that you created.
Step 2: Configure LDAP in WebLogic Server
WebLogic Server does not support or certify any particular LDAP server. Any LDAP v2 or v3 compliant LDAP server should work with WebLogic Server. The LDAP authentication providers, in this release of WebLogic Server (v9.2), are configured to work with the SunONE (iPlanet), Active Directory, Open LDAP, and Novell NDS LDAP servers.
You can use an LDAP authentication provider to access other types of LDAP servers. Choose either the generic LDAP Authentication provider (LDAPAuthenticator) or the existing LDAP provider that most closely matches the new LDAP server, and customize its configuration to match the directory schema and other attributes of your LDAP server. WebLogic Server ships with the following authentication providers, each preconfigured for a particular LDAP server:
iPlanet authentication provider
Active Directory authentication provider
Open LDAP authentication provider
Novell authentication provider
Generic LDAP authentication provider
Whichever LDAP authentication provider you select, it has the following attributes:
Enable communication between the LDAP server and the LDAP Authentication provider. This is controlled by the Hostname and Port (default: 389) attributes. For a more secure deployment, BEA recommends using the SSL protocol to protect communications between the LDAP server and WebLogic Server; set the SSLEnabled attribute only if SSL is enabled on the LDAP server.
Configure options that control how the LDAP Authentication provider searches the LDAP directory. This is controlled by the User Name attribute and the Static Group User Name attribute.
Specify where in the LDAP directory structure users are located. This is referenced by the User Base DN (Distinguished Name) attribute.
Specify where in the LDAP directory structure groups are located. This is referenced by the Group Base DN attribute.
Define how members of a group are located.
Perform the following steps to configure LDAP in WebLogic Server:
Edit the provider-specific attributes of the LDAP authentication provider through the Administration Console.
Log in to http://localhost:8001/console, using weblogic as the username and password.
Select Security Realms -> myrealm -> Providers -> LDAP_1. The Settings of LDAP_1 page is displayed.
Click Provider Specific.
Click the Lock & Edit button in the Change Centre pane to activate all the buttons on this page.
Edit the required attributes in the Provider Specific page.
Click Save.
Edit performance options that control the cache for the LDAP server.
Click the Performance tab.
Edit Max Group Hierarchies in Cache: the maximum size of the LRU cache for holding group membership hierarchies if caching is enabled. The default is 100.
Edit Group Hierarchy Cache TTL: the maximum number of seconds a group membership hierarchy entry is valid in the LRU cache. The default is 60.
Click Save.
Failover
You can configure an LDAP provider to work with multiple LDAP servers and enable failover if one LDAP server is not available. To enable failover, change the Host attribute in the security_realm > Providers > provider_specific page to contain a list of hostnames and ports, for example, hostname1:389, hostname2:389. When using failover, the Parallel Connect Delay and Connect Timeout attributes must be set for the LDAP authentication provider:
Parallel Connect Delay: Specifies the number of seconds to delay when making concurrent attempts to connect to multiple servers. If the value is 0, connection attempts are serialized: an attempt is made to connect to the first server in the list, and the next entry is tried only if the attempt to connect to the current host fails. This can cause your application to block for an unacceptably long time if a host is down. If the value is greater than 0, another connection setup thread is started after the specified number of delay seconds has passed.
Connect Timeout: Specifies the maximum number of seconds to wait for the connection to the LDAP server to be established. If the value is 0, there is no maximum time limit and WebLogic Server waits until the TCP/IP layer times out before returning a connection failure. Set it to a value over 60 seconds, depending on your TCP/IP configuration.
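As an added illustration (not Oracle's code), the following Python model shows how the Host list, Parallel Connect Delay and Connect Timeout described above interact when the first server in the list is down. The host names and the 120-second operating-system TCP timeout are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed assumption: how long the OS TCP stack takes to give up on a dead
# host when Connect Timeout is 0 (WebLogic then waits for the TCP/IP layer).
TCP_STACK_TIMEOUT = 120.0


def parse_host_list(host_attr: str, default_port: int = 389) -> List[Tuple[str, int]]:
    """Parse the provider's Host attribute, e.g. 'hostname1:389, hostname2:389'."""
    servers = []
    for entry in host_attr.split(","):
        entry = entry.strip()
        if entry:
            host, sep, port = entry.partition(":")
            servers.append((host, int(port) if sep else default_port))
    return servers


def time_to_connect(servers: List[Tuple[str, int]], handshake: Dict[str, float],
                    parallel_connect_delay: float, connect_timeout: float) -> Optional[float]:
    """Seconds until the first successful LDAP connection, or None if every host is down.

    handshake maps a reachable host to its TCP connect time; hosts absent from it are
    down, and an attempt against them is abandoned only when the connect timeout elapses.
    """
    give_up = connect_timeout if connect_timeout > 0 else TCP_STACK_TIMEOUT
    if parallel_connect_delay == 0:
        # Delay 0: attempts are serialized, so every dead host ahead of a live one
        # costs a full timeout before the next host is even tried.
        elapsed = 0.0
        for host, _port in servers:
            if host in handshake and handshake[host] <= give_up:
                return elapsed + handshake[host]
            elapsed += give_up
        return None
    # Delay > 0: a new connection thread starts every delay seconds, so the first
    # live host answers after its start offset plus its own handshake time.
    finishes = [i * parallel_connect_delay + handshake[host]
                for i, (host, _port) in enumerate(servers)
                if host in handshake and handshake[host] <= give_up]
    return min(finishes) if finishes else None


if __name__ == "__main__":
    # Constructed scenario: the first host is down, the second answers in 50 ms.
    servers = parse_host_list("ldap1.example.test:389, ldap2.example.test:389")
    up = {"ldap2.example.test": 0.05}
    print(time_to_connect(servers, up, 0, 0))    # 120.05: blocks until the TCP stack gives up
    print(time_to_connect(servers, up, 0, 30))   # 30.05: Connect Timeout bounds the wait
    print(time_to_connect(servers, up, 1, 30))   # 1.05: second thread starts after 1 s
```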
Note:
After you create the LDAP authentication provider, make the following changes and restart the servers running under SOADomain:
Select Security Realms > myrealm > Providers > DefaultAuthenticator and change the Control Flag to SUFFICIENT.
Select Security Realms > myrealm > Providers > yourLDAPAuthenticator and change the Control Flag to SUFFICIENT.
Users in the LDAP server must belong to a SoaGroup group in the LDAP directory. (Create a SoaGroup group in the LDAP directory and add the desired users to it; otherwise the LDAP users cannot access applications inside the SOADomain.)
Ensure that admin.user and admin.password in SOA_HOME\bpel\utilities\ant-orabpel.properties are updated with the credentials of a valid user from the LDAP Authenticator. Because this file then holds a password in plain text, restrict its read permissions to the account that runs those ant tasks.
For more information, refer to http://e-docs.bea.com/wls/docs92/secmanage/atn.html#wp1198953
Ensure that the system information for the deployed ESB services is as follows:
Virtual Host: The hostname of the ESB design-time instance
Port: The port number of the ESB design-time instance
Topic Location: ESB_JAVA_DEFERRED
The value of the 'Connection Factory Location' parameter does not matter for ESB on WebLogic 9.2, because ESB uses AQ messaging by default and connects to the AQ messaging topics through the AQ JMS API.
By default, ESB on WebLogic 9.2 is configured to use a database-based Slide repository as the metadata repository. Perform the following steps to configure ESB on WebLogic 9.2 to use a file-based Slide repository:
Rename Domain_file.xml to Domain.xml in the <SOA_HOME>/integration/esb/config directory.
Rerun IRCA for the ORAESB schema from the <SOASuite 10.1.3.1 Installation pack>\install\soa_schema\irca\irca oraesb directory.
Execute the following script against the ORAESB schema to upgrade it to 10.1.3.4: <SOASuite 10.1.3.4 Patchset Installation pack>\install\soa_schema_upgrade\esb\sql\oracle\upgrade_10131_10134_oracle.sql
Edit the Weblogic_SOA10134_Base/ESB_data.aq.sql file and update the values of the following ESB_PARAMETER properties:
DT_OC4J_HOST
DT_OC4J_PORT
Execute the following script against the ORAESB schema to modify it for WebLogic Server:
Weblogic_SOA10134_Base/ESB_data.aq.sql
Clients that invoke the Human Workflow APIs must set the following additional system properties on the client side:
-Djavax.xml.parsers.DocumentBuilderFactory=oracle.xml.jaxp.JXDocumentBuilderFactory
-Djavax.xml.parsers.SAXParserFactory=oracle.xml.jaxp.JXSAXParserFactory
-Djavax.xml.transform.TransformerFactory=oracle.xml.jaxp.JXSAXTransformerFactory
-Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl
-Djavax.xml.soap.SOAPFactory=oracle.j2ee.ws.saaj.soap.SOAPFactoryImpl
-Djavax.xml.soap.SOAPConnectionFactory=oracle.j2ee.ws.saaj.client.p2p.HttpSOAPConnectionFactory
-Djavax.xml.soap.SOAPElementFactory=oracle.j2ee.ws.saaj.soap.SOAPFactoryImpl
The identity service in the default installation uses the same model as the SOA Suite deployment on OC4J to obtain users from the Jazn.com realm. You can change this by configuring the SOA_HOME/bpel/system/services/config/is_config.xml file. For details, refer to http://download.oracle.com/docs/cd/B31017_01/integrate.1013/b28982/service_config.htm. Also refer to the is_config.xml example files provided in SOA_HOME/bpel/system/services/config/ldap for connecting to external LDAP providers.