Configuring ActiveVOS Identity Service Using LDAP

Transcription

1 Configuring ActiveVOS Identity Service Using LDAP Overview The ActiveVOS Identity Service can be set up to use LDAP based authentication and authorization. With this type of identity service, users and groups can easily be managed in an enterprise wide deployment of ActiveVOS. Using sample users and groups defined in a Microsoft active directory, this technical note describes configuration of ActiveVOS identity service in Apache Tomcat and Oracle WebLogic application servers. Legal Notice Copyright (c) 2011 Active Endpoints Incorporated. Document Revision History Revision Date Author Changes May 2011 AEI First Release

2 Table of Contents ActiveVOS Identity Service Introduction... 3 LDAP Identity Service... 3 Connection Setting Tab... 3 User Tab 4 Groups Tab... 5 User and Group Attribute Mapping... 5 To add an attribute mapping... 6 To delete an attribute mapping... 6 ActiveVOS LDAP Identity Service Configuring ActiveVOS Identity Service with LDAP and Tomcat Setting up Identity Service in ActiveVOS Console Configuring ActiveVOS Identity Service with LDAP and Weblogic Add Active Directory Provider to Default Realm (myrealm) Configure New LDAP Provider Verify LDAP configuration Mapping User Roles and Policies Setting up Identity Service in ActiveVOS Console Human Approval Completed Sample Appendix A Sample server.xml /19

3 ActiveVOS Identity Service Introduction An identity service provides a way for a BPEL process to look up users and groups in an enterprise directory service or database. The ActiveVOS Server identity service is based on one of the following: XML or LDIF Identity Service JDBC Identity Service LDAP Identity Service By providing the communication details for look-up access to your identity service, you can do the following: Run BPEL processes that implement identity-based activities. When a process runs, the person or group specified in the process is looked up in your identity service. Identitybased activities use a system-supplied WSDL, as described in ActiveVOS Designer documentation. For the BPEL for People functionality, specify users or groups to receive tasks into their ActiveVOS or other task client. LDAP Identity Service As mentioned in ActiveVOS help center documentation: erprise.help/html/svrug6-7-2.html While setting the identity service in ActiveVOS console, be sure to map the ActiveVOS Central security role, abtaskclient, to each user that will login to ActiveVOS Central. You can update identity service settings as shown in the following table. Connection Setting Tab Enter the provider-specific connection settings used to establish connectivity to your identity store. Provider Configuration Enable Add a checkmark to use the identity service. Initially the service is disabled since it is not configured and ready for use. Configure the remaining settings, enable the service, and select Update. Provider Type Select LDAP from the drop-down list: Host Enter the LDAP server s DNS name such as ldap1.my-domain-name.com or IP address such as Port Enter the port to use for communications between the ActiveVOS server 3/19

4 Use SSL Trusted keystore file location on the server User DN Password and the LDAP server. The default value is 389. (Optional) Enable this checkbox to provide encrypted transport communication between ActiveVOS and the LDAP service. If you enable this, you must enter a trusted keystore file location in the next field. (Optional) Enter the full path to the aetrustedca.ks file for the Trusted Keystore Path. This file must be accessible by all instances of the server when deployed in a clustered environment. This path is required if SSL is enabled. Enter the user distinguished name. Most directory servers do not allow anonymous access, therefore the username and password is required. The username should be the distinguished name of the user. For Microsoft Active Directory, an example of the user distinguished name is: CN=Administrator, CN=Users, DC=domainname, DC=com (or local) Enter the administrator password for access to the directory service, and confirm it. User Tab Fill in the values as described in the table. User Search Configuration User Enter the root distinguished name to indicate the base search criteria for search authenticated users and groups. base DN For Microsoft Active Directory, an example is: CN=Users, DC=domainname, DC=com (or local) User search filter Users search scope Enter the parameters needed to query the service for users. These parameters should exclude directory objects such as printers, servers, other non-user computers. For Microsoft Active Directory, an example is: &(objectclass=person)(!(objectclass=computer)) To make a directory search efficient, select the appropriate level to search for entries. One Level. Select if the user entries are all at the same level in the directory structure, for example in a folder called Users. Subtree. Select this if user entries are nested in a directory structure. 4/19

5 Groups Tab Fill in the values as described in the table. Group Search Configuration Group Enter the directory tree where you want to start the search. search base For Microsoft Active Directory, an example is: DN CN=Users, DC=domainname, DC=com (or local) Group search filter Group search scope Enter the parameters needed to query the service for groups. These parameters should exclude directory objects such as printers, servers, other non-user computers. For Microsoft Active Directory, an example is: (objectclass=group) To make a directory search efficient, select the appropriate level to search for entries. One Level. Select if the group entries are all at the same level in the directory structure, for example in a folder called Groups. Subtree. Select this if groups are nested in a directory structure. User and Group Attribute Mapping In looking up a user or group in an LDAP or JDBC-based Identity service, ActiveVOS uses a search model that includes several basic identity attributes, including: Users o person o memberof (recommended, if Identity service supports it) o username (required) o o firstname o lastname Groups o groupname (required) o member (required for LDAP) This generic model applies to any Identity service, and you can use it as is, or delete the optional attributes from the model. The memberof Users attribute is recommended for making searches for group members more efficient, especially for cases where a user is a member of multiple groups. Be sure to map a user as memberof all relevant groups and add the user as a member in relevant Groups. If desired, you can add many other search attributes to the basic model, and then use these attributes in LDAP or JDBC people queries from within a BPEL process People activity. When you 5/19

6 add a search attribute from your Identity service, you must map it to a new attribute that gets added to the ActiveVOS search model. For example, if your Identity service includes a logincount attribute, you can add that to the Users or Groups attribute mapping page. The attributes can be loaded into the ActiveVOS Designer Process Deployment Descriptor Editor, where a developer has access to them for creating Logical People Group queries. To add an attribute mapping 1. On the Users or Groups tab of the Identity Service, select Add Attribute. 2. In the Provider Attribute/Column Name column, type in the name of an existing attribute that is in your identity store. 3. In the Model Attribute column, type in the same name or alias for the attribute. 4. Select the data Type from the list. The list contains all types defined by the search model, based on the Higgins Open Source Identity Framework. (ActiveVOS uses Higgins to enable the adding of identity attributes to the search model.) Note that the list also contains two custom types, GroupReference and PersonReference. Use one of these types if you want to reference a group or user by name, rather than by the full distinguished name or primary key defined in the data store. To delete an attribute mapping 1. Select the checkbox next to the Model Attribute field. 2. Select Update. The attribute is removed. The following screenshot shows a sample user setup in Microsoft Active directory, when viewed using apache LDAP browser: 6/19

7 7/19

8 And here are the screenshots that show how a group can be set up. For explanation purposes, two sample groups (loanreps and abtaskclient) have been shown: and 8/19

9 9/19

10 ActiveVOS LDAP Identity Service As mentioned in ActiveVOS help center documentation, you can install ActiveVOS server and Central components by running the installer utility and during this process, you can secure your admin console so that only the authenticated users have access to the ActiveVOS Server and the deployed processes. Also, the ActiveVOS central is by default secured. To provide permission to required groups of users to access ActiveVOS Central, you would need to set identity service in ActiveVOS console. The links below provide more information on ActiveVOS security setup: erprise.help.serverguide/html/svrug3-3.html ladmin.enterprise.help.serverguide/html/svrug3-4.html Configuring ActiveVOS Identity Service with LDAP and Tomcat If you need Tomcat to retrieve usernames, passwords, and roles from an LDAP directory, you can use JNDIRealm. It is a flexible realm implementation it allows you to authenticate users against your LDAP directory of usernames, passwords, and roles, while allowing many schema layouts for that data. To secure ActiveVOS with LDAP, you can follow the steps as listed below: Stop Tomcat. Comment out any sections of the server.xml (located in <Tomcat_HOME> \conf) that references the tomcat-users.xml file. Add a JNDI realm element to the engine element in server.xml, similar to the following: <Realm classname="org.apache.catalina.realm.jndirealm" debug="99" connectionurl="ldap://ldap_server:<port>" connectionname="cn=aeadmin,cn=users,dc=aedomain,dc=activeendpoints,dc=local" connectionpassword="aeadmin" authentication="simple" referrals="follow" usersubtree="true" userbase="dc=aedomain,dc=active-endpoints,dc=local" usersearch="(& (samaccountname={0})(objectclass=user))" userrolename="memberof" rolesubtree="true" rolebase="dc=aedomain,dc=active-endpoints,dc=local" rolename="cn" rolesearch="(& (member={0})(objectclass=group))" /> Start the tomcat server. 10/19

11 Note: The above is just a sample realm. Users will need to modify that as per their Ldap configuration. It is also suggested that the user look up the tomcat documentation (for example: for any help on the configuration. A sample server.xml is included in Appendix A at the end of this Technote. Setting up Identity Service in ActiveVOS Console Once the required users, groups and roles have been setup in LDAP and server.xml properly configured, login to ActiveVOS console as a user who is a member of abadmin role. Navigate to Admin > Identity Service, setup the LDAP based identity service and test it. Sample screenshots are shown below: 11/19

12 12/19

13 13/19

14 You can find the help information regarding configuration ladmin.enterprise.help/html/svrug6-7-2.html. Once configured and tested, navigate to ActiveVOS central ( and login as a user who is a member of abtaskclient. Configuring ActiveVOS Identity Service with LDAP and Weblogic For explanation purpose, the instructions below describe how to configure Weblogic to use Microsoft Active directory for authentication. This provider will be used in addition to the default authenticator. When using multiple providers, you need to change the control flag on the default provider to 'OPTIONAL' instead of 'REQUIRED'. With all providers set to 'OPTIONAL', a user must authenticate with at least one provider, but it doesn't matter which one. Start Admin Server and login to console Navigate to Security Realms Select default realm (typically 'myrealm') Select the 'Providers' tab On the 'Authentication' tab, choose the 'DefaultAuthenticator'. Change the Control Flag from 'REQUIRED' to OPTIONAL Add Active Directory Provider to Default Realm (myrealm) Navigate to Security Realms Select default realm (typically 'myrealm') Select the 'Providers' tab On the 'Authentication' tab, choose 'New' to add a new provider. Enter a name for the provider. Something like 'aeserver' or 'LDAP' is fine. Select 'ActiveDirectoryAuthenticatior' as the type. Choose OK to save new provider. This will return you to the listing of providers. Configure New LDAP Provider Select the new provider you just created On the 'Common' tab, make sure you leave the Control Flag set to 'OPTIONAL'. On the 'Provider Specific' tab, provide values specific to your directory server. Save the changes and restart the weblogic admin server. You may also need to restart the managed server(s) also. Verify LDAP configuration After restarting, login to the console again and navigate back to Security Realms- >myrealm Choose the 'Users and Groups' tab Under Users, you should see users from your LDAP. Under Groups, you should see groups from your LDAP. 14/19

15 Go back to Users and select a user from the LDAP provider. Select the 'Groups' tab for the user and you should see the groups from your LDAP. Mapping User Roles and Policies To use Roles and Policies (e.g. abadmin, abtaskclient, etc.) you first need to have a Security Realm set up, and should have some Users and Groups defined as mentioned above. To add roles and policies you need to do the following: Select Home\Security Realm\<realm name>\roles and Polices. Expand the Global Roles node. Click on the Roles link to add new roles. Select New and enter a role name (e.g. abadmin). Click ok to save. Go back to the Roles and Policies (Select Home\Security Realm\<realm name>\roles and Polices\Global Roles) Expand the Roles node. o - If no conditions have been added to a role, there will be a radio button next to the role name. Select the radio button and click the Edit Role button. o - If there are already conditions added to the role, click the View Role Conditions link. Select the Add Conditions link to add a new condition. Select the predicate List (e.g. Group or User) and click next. Enter the argument name (user or group) and click Add. Click Finish to have that user\group listed as a Role Condition. Click Save to save the role condition. Restart the managed server(s). Setting up Identity Service in ActiveVOS Console Once, the required users, groups and roles have been setup in weblogic admin console, login to ActiveVOS console as a user who is a member of abadmin role. To setup the identity service to be able to login to the central and look up the task information, Navigate to Admin > Identity Service, setup the LDAP based identity service and test it. Please refer to the sample screenshots shown earlier for tomcat setup. You can find the help information regarding configuration at ladmin.enterprise.help/html/svrug6-7-2.html Once configured and tested, navigate to ActiveVOS central ( and login as a user who is a member of abtaskclient. 15/19

16 Human Approval Completed Sample Human Approval Completed is a sample application that is packaged with ActiveVOS designer. You can create an orchestration project in the designer based on this template using File > New > orchestration project > Name your project > Select Human Approval Completed > Finish. This application comes packaged with a couple of sample groups - loanreps, loanmgrs. For testing purposes, you can define these sample groups along with a couple of sample users such as loanrep1, loanmgr1 in your LDAP setup and test your identity service as well as ActiveVOS central. The screenshots shown earlier in this technote should be helpful in this case. 16/19

17 Appendix A Sample server.xml <?xml version='1.0' encoding='utf-8'?> Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Note: A "Server" is not itself a "Container", so you may not define subcomponents such as "Valves" at this level. Documentation at /docs/config/server.html <Server port="8005" shutdown="shutdown"> APR library loader. Documentation at /docs/apr.html <Listener classname="org.apache.catalina.core.aprlifecyclelistener" SSLEngine="on" /> Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html <Listener classname="org.apache.catalina.core.jasperlistener" /> Prevent memory leaks due to use of particular java/javax APIs <Listener classname="org.apache.catalina.core.jrememoryleakpreventionlistener" /> JMX Support for the Tomcat server. Documentation at /docs/non-existent.html <Listener classname="org.apache.catalina.mbeans.serverlifecyclelistener" /> <Listener classname="org.apache.catalina.mbeans.globalresourceslifecyclelistener" /> Global JNDI resources Documentation at /docs/jndi-resources-howto.html <GlobalNamingResources> Editable user database that can also be used by UserDatabaseRealm to authenticate users <Resource name="userdatabase" auth="container" type="org.apache.catalina.userdatabase" description="user database that can be updated and saved" factory="org.apache.catalina.users.memoryuserdatabasefactory" pathname="conf/tomcat-users.xml" /> </GlobalNamingResources> A "Service" is a collection of one or more "Connectors" that share a single "Container" Note: A "Service" is not itself a "Container", so you may not define subcomponents such as "Valves" at this level. Documentation at /docs/config/service.html <Service name="catalina"> The connectors can use a shared executor, you can define one or more named thread pools <Executor name="tomcatthreadpool" nameprefix="catalina-exec-" maxthreads="150" minsparethreads="4"/> 17/19

18 A "Connector" represents an endpoint by which requests are received and responses are returned. Documentation at : Java HTTP Connector: /docs/config/http.html (blocking & non-blocking) Java AJP Connector: /docs/config/ajp.html APR (HTTP/AJP) Connector: /docs/apr.html Define a non-ssl HTTP/1.1 Connector on port 8080 <Connector port="8080" protocol="http/1.1" connectiontimeout="20000" redirectport="8443" /> A "Connector" using the shared thread pool <Connector executor="tomcatthreadpool" port="8080" protocol="http/1.1" connectiontimeout="20000" redirectport="8443" /> Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the JSSE configuration, when using APR, the connector should be using the OpenSSL style configuration described in the APR documentation <Connector port="8443" protocol="http/1.1" SSLEnabled="true" maxthreads="150" scheme="https" secure="true" clientauth="false" sslprotocol="tls" /> Define an AJP 1.3 Connector on port 8009 <Connector port="8009" protocol="ajp/1.3" redirectport="8443" /> An Engine represents the entry point (within Catalina) that processes every request. The Engine implementation for Tomcat stand alone analyzes the HTTP headers included with the request, and passes them on to the appropriate Host (virtual host). Documentation at /docs/config/engine.html You should set jvmroute to support load-balancing via AJP ie : <Engine name="catalina" defaulthost="localhost" jvmroute="jvm1"> <Engine name="catalina" defaulthost="localhost"> For clustering, please take a look at documentation at: /docs/cluster-howto.html (simple how to) /docs/config/cluster.html (reference documentation) <Cluster classname="org.apache.catalina.ha.tcp.simpletcpcluster"/> The request dumper valve dumps useful debugging information about the request and response data received and sent by Tomcat. Documentation at: /docs/config/valve.html <Valve classname="org.apache.catalina.valves.requestdumpervalve"/> This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. <Realm classname="org.apache.catalina.realm.userdatabaserealm" resourcename="userdatabase"/> <Realm classname="org.apache.catalina.realm.jndirealm" debug="99" 18/19

19 connectionurl="ldap://your_server:<port>" connectionname="cn=aeadmin,cn=users,dc=aedomain,dc=active-endpoints,dc=local" connectionpassword="your_password" authentication="simple" referrals="follow" usersubtree="true" userbase="dc=aedomain,dc=active-endpoints,dc=local" usersearch="(& (samaccountname={0})(objectclass=user))" userrolename="memberof" rolesubtree="true" rolebase="dc=aedomain,dc=active-endpoints,dc=local" rolename="cn" rolesearch="(& (member={0})(objectclass=group))" /> Define the default virtual host Note: XML Schema validation will not work with Xerces 2.2. <Host name="localhost" appbase="webapps" unpackwars="true" autodeploy="true" xmlvalidation="false" xmlnamespaceaware="false"> SingleSignOn valve, share authentication between web applications Documentation at: /docs/config/valve.html <Valve classname="org.apache.catalina.authenticator.singlesignon" /> Access log processes all example. Documentation at: /docs/config/valve.html <Valve classname="org.apache.catalina.valves.accesslogvalve" directory="logs" prefix="localhost_access_log." suffix=".txt" pattern="common" resolvehosts="false"/> </Host> </Engine> </Service> </Server> 19/19