WebCenter Portal Security Layers

WebCenter Portal Security Layers

WebCenter Portal applications share the same four bottom security layers (WebCenter Security Framework, ADF Security, OPSS, and WebLogic Server Security). The application layer will, of course, depend on the implementation.

1. WebCenter Portal Application Security
WebCenter Portal provides support for:
• Application role management and privilege mapping
• Self-registration
• Portal-level security management
• External application credential management

2. WebCenter Portal Security Framework
The WebCenter Portal Security Framework provides support for:
• Service Security Extension Framework (a common permission-based and role-mapping based model for specifying the security model for services)
• Permission-based authorization
• Role-mapping based authorization
• External applications and credential mapping
3. ADF Security
ADF Security provides support for:
• Page authorization
• Task flow authorization
• Secure connection management
• Credential mapping APIs
• Logout invocation, including logout from SSO-enabled configurations with Oracle Access Manager and Oracle SSO
• Secured login URL for ADF Security-based applications (the adfAuthentication servlet)

5. Oracle Platform Security Services (OPSS)
OPSS provides support for:
• Anonymous-role
• Authenticated-role
• Identity store, policy store, and credential store
• Identity Management Services
• Oracle Web Service Manager Security
• Authorization
• Policy and Credential Lifecycle

6. WebLogic Server Security
WebLogic Server Security provides support for:
• WebLogic authenticators
• Identity asserters
• J2EE container security
• SSL

LIBOVD-40066 javax.naming.NamingException: LDAP response read timed out, timeout used:15000ms

The below error coming after integrating the LB of OVD in the OAM identity store provider.

<Nov 24, 2016 5:48:37 AM PST> <Warning> <oracle.ods.virtualization.exception> <LIBOVD-40066> <Remote Server Failure:{0}.

javax.naming.NamingException: LDAP response read timed out, timeout used:15000ms.; remaining name “cn=users,o=external firms,dc=xyz,dc=xyz,dc=xyz”

        at com.sun.jndi.ldap.Connection.readReply(Connection.java:452)

        at com.sun.jndi.ldap.LdapClient.getSearchReply(LdapClient.java:611)

        at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:534)

        at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1965)

        at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1827)

        at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1752)

        at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)

        at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)

        at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:257)

        at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.search(ConnectionHandle.java:272)

        at oracle.ods.virtualization.engine.backend.jndi.JNDIEntrySet.initialize(JNDIEntrySet.java:221)

        at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.get(BackendJNDI.java:759)

        at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:303)

        at oracle.ods.virtualization.engine.chain.BasePlugin.get(BasePlugin.java:91)

        at oracle.ods.virtualization.engine.chain.plugins.usermanagement.UserManagement.get(UserManagement.java:908)

        at oracle.ods.virtualization.engine.chain.Chain.nextGet(Chain.java:314)

        at oracle.ods.virtualization.engine.chain.PluginChain.runGet(PluginChain.java:210)

        at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:355)

        at oracle.ods.virtualization.engine.chain.PluginManager.runGet(PluginManager.java:320)

        at oracle.ods.virtualization.engine.backend.AdapterServiceInterface.getByAdapter(AdapterServiceInterface.java:589)

       

 Solution:

1. In OAM console, Configuration -> Data Sources / User Identity Stores -> "Inactivity Timeout" field

For example, please set the 'Inactivity Timeout (seconds)' to a value less than the Firewall or Load-Balancer idle connection timeout value.

The standard idle connection timeout settings for Firewalls and/or Load-Balancers is typically 60 minutes (to be verified in your case and based on your environment specific).

For example, In this case (of 60 minutes for FWs/LBs timeout), then a suitable setting would be for example:

Inactivity Timeout (seconds): 3300

So, This will configure OAM to gracefully remove the LDAP connection from the connection pool after 55 minutes if No activity occurring.

The 'socket.readtimeout' parameter. This has to be changed manually in the oam-config.xml file by adding the following line in the Identity Store configuration :

 <Setting Name="socket.readtimeout" Type="xsd:String">value in milliseconds</Setting>

The socket.readtimeout is specific to every deployment and need to be adjusted based on firewall, i.e. it needs to be less than the firewall timeout.

Currently this UI configuration as well as corresponding WLST is missing, and thus you can only manually configure it in the oam-config.xml file by adding the following line in the relevant idstore configuration:

 <Setting Name="socket.readtimeout" Type="xsd:String">value in milliseconds LESS THAN FIREWALL TIMEOUT IN MILLISECONDS</Setting>

PS: PLEASE DO NOT FORGET to also update the Version number of the oam-config.xml file.
That is after adding this line, you would need to go to the top of the oam-config.xml file, and to search/locate for the first "Version" entry (with an Upper case "V"). Then to increment the integer value of the "Version" by +1.

  Note:     For example, in case where you might have the actual value being set to "67" for example, then you would/should have something like this, after incrementing it by +1:
                         <Setting Name="Version" Type="xsd:integer">68</Setting>

PS: Again, the values provided for those 2 parameters above should be less than the firewall timeout.

2. add the below parameter in the oam-config.xml file
      
             <Setting Name="LdapReadTimeout" Type="xsd:string">120000</Setting>
      
        Link for reference - https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=197729438912796&id=1496120.1&_afrWindowMode=0&_adf.ctrl-state=9qsrt9v4d_369

How to check applied patches on weblogic

To check the applied patches on weblogic execute the below command,

1. Using the "java weblogic.version" command:

cd <gc_inst>\user_projects\domains\GCDomain\bin
. ./setDomainEnv.sh
which java
java weblogic.version -verbose


2. Using BSU:

cd <MIDDLEWARE_HOME>\utils\bsu
./bsu.sh -report

ORA-28001 the password has expired

Search for the password expired user in a oracle database and change a new password.

To search all the users in a  database execute the below query as Sys user.


set serveroutput on
BEGIN
for rr in(select USERNAME from dba_users)loop
--execute IMMEDIATE 'alter user '||rr.USERNAME||' identified by abc12345';
dbms_output.put_line('alter user '||rr.USERNAME||' identified by abc12345 ;');
end loop;
end;
/

Above query gives you a all user in database with a password you want change it.

Execute the output of above query to change a password.

Caused by: javax.naming.NameNotFoundException: While trying to lookup 'ejb.bpm.services/BPMUserAuthenticationServiceBean' didn't find subcontext 'bpm'. Resolved 'ejb'

Caused by: javax.naming.NameNotFoundException: While trying to lookup 'ejb.bpm.services/BPMUserAuthenticationServiceBean' didn't find subcontext 'bpm'. Resolved 'ejb'

        at weblogic.jndi.internal.BasicNamingNode.newNameNotFoundException(BasicNamingNode.java:1139)

        at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)

        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

        ... 9 more

Caused by: javax.naming.NameNotFoundException: While trying to lookup 'ejb.bpm.services/BPMUserAuthenticationServiceBean' didn't find subcontext 'bpm'. Resolved 'ejb'

        at weblogic.jndi.internal.BasicNamingNode.newNameNotFoundException(BasicNamingNode.java:1139)

        at weblogic.jndi.internal.BasicNamingNode.lookupHere(BasicNamingNode.java:247)

        at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:182)

Solution:-

We faced this issue after extend a domain for process-space-extension.

After importing the portal template. Trying to login on webcenter portal then we got this error on portal server.

Configure the Policy store for both soadomain and webcenter domain.

For SOA domain while creating a datasource enable a "Emulate TwoPhase Commit".Caused by: javax.naming.NameNotFoundException: While trying to lookup 'ejb.bpm.services/BPMUserAuthenticationServiceBean' didn't find subcontext 'bpm'. Resolved 'ejb'

        at weblogic.jndi.internal.BasicNamingNode.newNameNotFoundException(BasicNamingNode.java:1139)

        at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)

        at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)

        ... 9 more

Caused by: javax.naming.NameNotFoundException: While trying to lookup 'ejb.bpm.services/BPMUserAuthenticationServiceBean' didn't find subcontext 'bpm'. Resolved 'ejb'

        at weblogic.jndi.internal.BasicNamingNode.newNameNotFoundException(BasicNamingNode.java:1139)

        at weblogic.jndi.internal.BasicNamingNode.lookupHere(BasicNamingNode.java:247)

        at weblogic.jndi.internal.ServerNamingNode.lookupHere(ServerNamingNode.java:182)

Solution:-

We faced this issue after extend a domain for process-space-extension.

After importing the portal template. Trying to login on webcenter portal then we got this error on portal server.

Configure the Policy store for both soadomain and webcenter domain.

For SOA domain while creating a datasource for policy store enable a "Emulate TwoPhase Commit".

javax.transaction.xa.XAException: JDBC driver does not support XA, hence cannot be a participant in two-phase commit

aused by: javax.transaction.xa.XAException: JDBC driver does not support XA, hence cannot be a participant in two-phase commit. To force this participation, set the GlobalTransactionsProtocol attribute to LoggingLastResource (recommended) or EmulateTwoPhaseCommit for the Data Source = OPSSDS
        at weblogic.jdbc.wrapper.JTSXAResourceImpl.prepare(JTSXAResourceImpl.java:83)
        at weblogic.transaction.internal.XAServerResourceInfo.prepare(XAServerResourceInfo.java:1343)
        at weblogic.transaction.internal.XAServerResourceInfo.prepare(XAServerResourceInfo.java:513)
        at weblogic.transaction.internal.ServerSCInfo.startPrepare(ServerSCInfo.java:392)
        at weblogic.transaction.internal.ServerTransactionImpl.localPrepare(ServerTransactionImpl.java:2633)
        at weblogic.transaction.internal.ServerTransactionImpl.globalPrepare(ServerTransactionImpl.java:2281)
        at weblogic.transaction.internal.ServerTransactionImpl.internalCommit(ServerTransactionImpl.java:307)


Solution:
This error occured when we configured database policy store with SOA domain.

Enable the "Emulate TwoPhase Commit" instead of "one-Phase commit" for the OPSS data source

nested exception is: java.rmi.ConnectException: This RJVM has already been shutdown

INFO: Found persistence provider "org.eclipse.persistence.jpa.PersistenceProvider". OpenJPA will not be used.
<Jun 9, 2016 11:52:48 PM PDT> <Warning> <oracle.jbo.uicli.mom.JUApplicationDefImpl> <BEA-000000> <The definition at oracle.webcenter.webcenterapp.bindings.DataBindings.cpx, uses a pagemap pattern match that hides other cpx files.>
oracle.bpm.client.common.BPMServiceClientException: javax.naming.NamingException [Root exception is java.rmi.UnexpectedException: Marshalling: ; nested exception is:
        java.rmi.ConnectException: This RJVM has already been shutdown 4882431698259664306S:admvhn:[7001,-1,-1,-1,-1,-1,-1]:soadomain:AdminServer]
        at oracle.bpm.client.BPMServiceClientFactory.getBPMUserAuthenticationService(BPMServiceClientFactory.java:250)
        at oracle.bpm.web.security.AuthenticationUtil.initBPMContextInSession(AuthenticationUtil.java:117)
        at oracle.bpm.web.security.LoginBean.initSSOSession(LoginBean.java:105)
        at oracle.bpm.web.security.AuthenticationUtil.authenticateModule(AuthenticationUtil.java:206)
        at oracle.bpm.web.security.faces.AuthenticationPhaseListener.authenticate(AuthenticationPhaseListener.java:73)
        at oracle.bpm.web.security.faces.AuthenticationPhaseListener.authenticatePhase(AuthenticationPhaseListener.java:63)
        at oracle.bpm.web.security.faces.AuthenticationPhaseListener.afterPhase(AuthenticationPhaseListener.java:54)
        at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:520)
        at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:207)
        at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
        at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
     
Solution:

Check the DNS names resolution and AdminServer listen address.
If you have enabled a cross domain trust then AdminServer listen address should not be same

Repalace the Listen Address with IP address for Admin and SOA server.    

Framework Folders version on Oracle WebCenter Content Server is not supported for Oracle WebCenter Portal. The supported versions are 2.1 and later.

<Jun 9, 2016 8:36:03 AM PDT> <Error> <oracle.webcenter.doclib.internal.spaces.UCMSpacesUtils> <WCS-07926> <Framework Folders version on Oracle WebCenter Content Server is not supported for Oracle WebCenter Portal. The supported versions are 2.1 and later.
oracle.webcenter.doclib.core.UCMCoreException: Framework Folder version (2.0) not supported.
        at oracle.webcenter.doclib.core.UCMCoreRepositoryLogic.validateFrameworkFoldersVersion(UCMCoreRepositoryLogic.java:221)
        at oracle.webcenter.doclib.core.UCMCoreRepositoryLogic.setDocLibFolderingService(UCMCoreRepositoryLogic.java:158)
        at oracle.webcenter.doclib.internal.spaces.UCMSetupHandler.setDocLibFolderingService(UCMSetupHandler.java:1538)
        at oracle.webcenter.doclib.internal.spaces.UCMSetupHandler.getCurrentInstance(UCMSetupHandler.java:135)
        at oracle.webcenter.sharepoint.servlet.ContextListener.contextInitialized(ContextListener.java:40)
        at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:481)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:181)
        at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1870)
        at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3155)
        at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1518)
        at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:487)

Solution:

Install WebCenter Content Patch 18088049 and restart the WebCenter Content managed server.

java.io.IOException NodeManager shows inactive in WebLogic console

Add the below parameter in the nodemanager.properties file

SecureListner=true

restart the nodemanager

WebLogic patch with Smart Update Utility

Below are the steps to apply patches on weblogic using the smart update utility.

1. Stop all WebLogic servers.

2.  unzip patch to {MW_HOME}/utils/bsu/cache_dir or any local directory
 
   Note: You must make sure that the target directory for unzip has required write and executable permissions
         for "user" with which the component being patched is installed.

3. Navigate to the {MW_HOME}/utils/bsu directory.
 To Apply patch -
 - Execute bsu.sh -install -patch_download_dir={MW_HOME}/utils/bsu/cache_dir -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}
   Where, WL_HOME is the path of the WebLogic home
 
 To Remove patch -
 - Stop all WebLogic Servers
 - Navigate to the {MW_HOME}/utils/bsu directory.
 - Execute bsu.sh -remove -patchlist={PATCH_ID} -prod_dir={MW_HOME}/{WL_HOME}

4. Check WebLogic Version -

 The following command is a simple way to determine the application of WebLogic Server PSU.

  $ . $WL_HOME/server/bin/setWLSEnv.sh
  $ java weblogic.version