Wednesday, August 22, 2012

OIM 11g R2 & X.509 authentication

OIM 11g R2 is out! This release brings a lot of new features and also improvements to existing features.

OIM authentication providers are among the ones that were improved. The improvements make easier to integrate OIM with SSO solutions (for both SSO products and custom SSO solutions).

The integration with OpenSSO is documented here. The integration with OAM is still a powerful solution for SSO and password management and it is documented here.

The improvements also bring the support to X.509 based user authentication. In previous 11g release, one would need to leverage a SSO solution like OAM to do such authentication. In R2, X.509 authentication can be directly configured in WebLogic. This post describes how to configure this authentication.


But before starting, as a disclaimer, it is important to mention that this post does not give any recommendation or best practices, it just describes how one can configure X.509 authentication using WebLogic/OIM. The decision on what authentication mechanism shall be used and how such authentication will be achieved depends on business requirements like SLA, security and others.

The post also does not dive into the concepts around X.509 certificates and how they are used for end user authentication.

In order to achieve this authentication, the OIM WebLogic managed server must be configured with SSL. Another requirement is to have the OIM user login as the 'CN' field in the certificates issued to the end users.

The first step to achieve X.509 authentication is to import into the WebLogic trusted store the certificate chain that will be used. The root CA certificate must be imported as well as the intermediate certificates if any. This example uses a root certificate only (no intermediate certificates) and the default WebLogic keystore. The screenshot below depicts the use of 'keytool' command line to import the CA root certificate:


The next step is to configure WebLogic server to request certificate on SSL connections. This configuration is done directly in the OIM managed server through the WebLogic administration console. On the left menu click on 'Environment > Servers', then on the main page click on 'oim_server1', then click on 'SSL' tab and on the 'Advacend' link that shows up in the SSL configuration page. The screenshot below shows the section that must be configured.


With the configurations above, whenever a request reaches the SSL port in the managed server, a certificate will be request. Keep in mind that, depending on how it is configured, it may break the SOA-OIM communication, so when configuring this make sure that OIM managed server is also listening on non-SSL port and that SOA is using this port to communicate to OIM.

The next step is to configure the WebLogic authentication providers to understand that there is a certificate in the request and that the user information must be extracted from this certificate. On the left menu, click on 'Security Realms' and then 'myrealm'. Click on 'Providers' tab and then in the 'Reorder'  button. Reorder the authentication providers to the order shown in the picture below.


Now the 'DefaultIdentityAsserter' needs to be configured to assert the username from the X.509 certificate. Click on 'DefaultIdentityAsserter' and then on 'Active Types' section, move the 'X.509' from the  'Available' list to the 'Chosen' list and save it. The screenshot below depicts this action.


And as last step, some details need to be configured in the 'DefaultIdentityAsserter'. Click on 'Provider Specific' tab. The following fields must be configured:
  • 'Default User Name Mapper Attribute Delimiter': in this example this must be blank as there is no delimiter in the username field (CN).
  • 'Default User Name Mapper Attribute Type': this example uses CN as username attribute
  • 'Use Default User Name Mapper': this must be checked as this example uses the mappers shipped along with WebLogic.

The picture below shows this configuration:


The certificate used in this example was issued to 'xelsysadm. The picture below shows the subject details:


 With the configurations above, one should be able to access OIM using X.509 certificate.

Of course there is a lot of different configurations that can be done to achieve the same result. It is possible, by using custom username mappers, to extract the username from different certificate fields. it is possible to configure WebLogic managed server to allow SSL connections without certificates, in this case the request will fallback to the standard OIM authentication.

2 comments:

  1. Thanks Daniel for this new & usefull info.

    We are trying to authenticate users of our OIM 11g R2 using OVD Authenticator. To achieve this, we have created a OVDAuthenticator in the 'Providers' & made it as required and OIMAuthenticator as "Default". After that I can see the authentication of OIM user is happening properly from OVDAuthenticator.

    Issue we are facing: While restarting OIM server we can see the error as "Authentication for xelsysadm failed.." and "The Sceduled Task execution is not happening".

    Please help how to resolve the issue "Authentication for xelsysadm failed.." during OIM managed Server startup.

    Regards,
    Abhishek

    ReplyDelete
    Replies
    1. Abishek,

      I believe you have to add the OIM digital signature authenticator to the authentication chain.

      Also check in the OIM documentation, but I believe you should not set the control flag to 'required', try set it to 'sufficient'

      Delete

Note: Only a member of this blog may post a comment.