Agile superadmin authentication during Weblogic startup

In Agile PLM, the superadmin account is used to start the WebLogic server, and this account is authenticated against the Agile database. In versions before 9.3.2, the username and its plaintext password are defined in the startAgile script. In 9.3.2 and 9.3.3, the account information is moved to a separate file specified by the -Dweblogic.system.BootIdentityFile parameter, and the username and password in that file are encrypted. Since this is database authentication, one would normally expect WebLogic Security to validate the user with the SQLAuthenticator, but Agile uses its own security provider, AgileAuthenticator, a customized extension. Let's see how it works during WebLogic startup.


AgileAuthenticator

From config.xml, we see that the default authenticator is of type agile-authenticatorType. Its xsi:type prefix is ext rather than wls, and its schema namespace is weblogic/security/extension, not weblogic/security.


It is an "unnamed" authentication provider (there is no sec:name element), so WebLogic looks up a provider named "AgileAuthenticator". The definition of AgileAuthenticator can be found in the agileSecurityProviders.jar file located in WLS_HOME/server/lib/mbeantypes/. If we extract this jar, we find the provider's XML Schema Definition (element, namespace, and type). We also see that AgileAuthenticator.xml contains the Java implementation definition below.


The definition clearly shows that the implementation is AgileAuthenticationProviderImpl.class. If we look at that class and check which login class is wrapped in the AppConfigurationEntry handed to the Java Authentication and Authorization Service (JAAS), we get the concrete login module, "WLSLoginModule":

  
  import java.util.HashMap;
  import javax.security.auth.login.AppConfigurationEntry;

  // Decompiled from AgileAuthenticationProviderImpl: builds the JAAS configuration entry
  // that names WLSLoginModule as the login module and passes the database reference along.
  private AppConfigurationEntry getConfiguration(HashMap paramHashMap)
  {
    // JAAS delivers this options map to the login module's initialize() method
    paramHashMap.put("database", this.database);
    return new AppConfigurationEntry("com.agile.admin.security.weblogic.WLSLoginModule", this.controlFlag, paramHashMap);
  }

JAAS then delegates the authentication to WLSLoginModule.class. The module checks the superadmin account against the database (decrypting the username and password first in Agile 9.3.2 and 9.3.3).
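As an added illustration (this is not code from the page or from Agile), the following self-contained JAAS program follows the same dispatch path: a Configuration hands LoginContext an AppConfigurationEntry naming a login module, and the module validates the supplied credentials against a constructed in-memory store that stands in for the Agile database. The class names, the "AgileDemo" context name and the superadmin/agile credential pair are assumptions made for the demo.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasDispatchDemo {

    // Programmatic JAAS Configuration: like the provider's getConfiguration(), it wraps
    // one login module class name plus an options map in a single AppConfigurationEntry.
    static class DemoConfiguration extends Configuration {
        private final Map<String, ?> options;
        DemoConfiguration(Map<String, ?> options) { this.options = options; }
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options) };
        }
    }

    // Stand-in for WLSLoginModule. The "database" option is a constructed in-memory
    // map of username -> password instead of a JDBC connection to the Agile schema.
    public static class DemoLoginModule implements LoginModule {
        private CallbackHandler handler;
        private Map<String, String> database;
        private boolean succeeded;

        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = handler;
            this.database = (Map<String, String>) options.get("database");
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nameCb = new NameCallback("user");
            PasswordCallback pwCb = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nameCb, pwCb });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            String expected = database.get(nameCb.getName());
            char[] supplied = pwCb.getPassword();
            succeeded = expected != null && supplied != null
                    && MessageDigest.isEqual(expected.getBytes(), new String(supplied).getBytes());
            pwCb.clearPassword(); // do not keep the secret around longer than needed
            // false means "ignore this module"; LoginContext then reports the login as failed
            return succeeded;
        }

        @Override public boolean commit() { return succeeded; }
        @Override public boolean abort() { succeeded = false; return true; }
        @Override public boolean logout() { succeeded = false; return true; }
    }

    // Answers the module's callbacks with the given credentials, playing the part of the
    // boot identity that WebLogic reads from boot.properties at startup.
    static CallbackHandler credentials(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    // Drives the JAAS login and reports the outcome: "authenticated" on success, or the
    // LoginException message on failure.
    public static String authenticate(String user, char[] password) {
        Map<String, String> db = Collections.singletonMap("superadmin", "agile"); // constructed store
        Configuration cfg = new DemoConfiguration(Collections.singletonMap("database", db));
        try {
            new LoginContext("AgileDemo", new Subject(), credentials(user, password), cfg).login();
            return "authenticated: " + user;
        } catch (LoginException e) {
            return "denied: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(authenticate("superadmin", "agile".toCharArray()));
        System.out.println(authenticate("superadmin", "wrong".toCharArray()));
    }
}
```

Compile with javac and run with java on a standard JDK; no WebLogic or Agile jars are needed. The first call succeeds; the second makes the module return false from login(), and the JDK's LoginContext then throws a LoginException whose message is "Login Failure: all modules ignored", the same text that appears in the stack trace quoted in the comments below. In other words, that message means no login module positively authenticated the supplied boot identity.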


DB Connection

Many people are confused about why Agile defines database connection parameters in two places: one set is in agile.properties and the other is in CP-AgileContentPool-jdbc.xml, which defines the AgileContentPool connection pool.

agile.properties definition

CP-AgileContentPool-jdbc.xml definition

This is a correct design, not a redundancy. During superadmin authentication, many WebLogic components are not yet initialized, so the connection pool is not ready and WLSLoginModule cannot get a connection from AgileContentPool. In this case, WLSLoginModule sets up a direct JDBC connection to the remote database with the parameters from agile.properties. We call this a LocalConnection; it registers the driver with the traditional call listed below.

  
  // Traditional driver registration used by the LocalConnection path.
  Class.forName("oracle.jdbc.driver.OracleDriver");
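To make the pool-first, direct-connection-second behaviour concrete, here is an added example (not Agile's own code) of a connection source that tries the pool through JNDI and falls back to a LocalConnection built from agile.properties. The JNDI name jdbc/AgileContentPool, the property keys db.url, db.user and db.password, and the host and password values are all assumptions and placeholders; running it to completion requires the Oracle JDBC driver on the classpath and a reachable database.

```java
import java.io.IOException;
import java.io.StringReader;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class BootConnectionSource {

    // Hypothetical JNDI name: the page names the pool AgileContentPool but does not
    // show how it is bound in JNDI.
    static final String POOL_JNDI_NAME = "jdbc/AgileContentPool";

    // Constructed stand-in for agile.properties; the key names are assumptions, and the
    // host and password are placeholders.
    static final String SAMPLE_AGILE_PROPERTIES =
            "db.url=jdbc:oracle:thin:@dbhost.example:1521/AGILE\n"
          + "db.user=agile\n"
          + "db.password=CHANGEME\n";

    // Which path produced the connection, so callers (and logs) can tell them apart.
    public enum Path { POOL, LOCAL }

    public static final class BootConnection implements AutoCloseable {
        public final Connection connection;
        public final Path path;
        BootConnection(Connection c, Path p) { connection = c; path = p; }
        @Override public void close() throws SQLException { connection.close(); }
    }

    // Preferred path: borrow from the WebLogic-managed pool through JNDI.
    static Connection fromPool() throws NamingException, SQLException {
        DataSource ds = (DataSource) new InitialContext().lookup(POOL_JNDI_NAME);
        return ds.getConnection();
    }

    // "LocalConnection" path: register the Oracle driver the traditional way and open a
    // direct JDBC connection with the parameters read from agile.properties.
    static Connection local(Properties agile) throws SQLException {
        try {
            Class.forName("oracle.jdbc.driver.OracleDriver");
        } catch (ClassNotFoundException e) {
            throw new SQLException("Oracle JDBC driver is not on the classpath", e);
        }
        return DriverManager.getConnection(agile.getProperty("db.url"),
                agile.getProperty("db.user"), agile.getProperty("db.password"));
    }

    // Parses agile.properties-style text into a Properties object.
    public static Properties parse(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    // Tries the pool first. While the server is still booting, the JNDI tree and the pool
    // are not up, so the lookup fails with a NamingException and we fall back to a direct
    // connection, which is the behaviour the post describes for WLSLoginModule.
    public static BootConnection open(Properties agile) throws SQLException {
        try {
            return new BootConnection(fromPool(), Path.POOL);
        } catch (NamingException e) {
            return new BootConnection(local(agile), Path.LOCAL);
        }
    }

    public static void main(String[] args) throws Exception {
        Properties agile = parse(SAMPLE_AGILE_PROPERTIES);
        try (BootConnection bc = open(agile)) {
            System.out.println("connected via " + bc.path + " as "
                    + bc.connection.getMetaData().getUserName());
        }
    }
}
```

Two practical notes. With a JDBC 4 driver the Class.forName call is optional, since DriverManager discovers drivers through META-INF/services, but it is harmless and shows what the traditional registration does. More importantly, the direct path reads the database credentials from agile.properties as-is, so that file needs the same restrictive file-system permissions as boot.properties: the boot identity being encrypted gains little if the database password next to it is readable.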


Comments:

Hi Jie Chen,

I am See Xiang from Singapore. I am having some trouble with a weblogic deployer automation script: every time I issue a command for weblogic deployer, I set the -username and -password on the script, for example: java weblogic.... -username $username -password $password ...... However, is it possible to grant a domain user (from the computer) superadmin access to weblogic so that I don't need to key in the username and password, and every time I run this command it will recognize this domain user and grant access?

Posted by Taymindis on February 24, 2015 at 10:59 PM CST #

You can use the weblogic.system.BootIdentityFile parameter to specify a boot.properties file with the username and password in it.

Posted by Jie Chen on February 25, 2015 at 03:03 PM CST #

I have imported another database into the Agile 9.3.3 schema. I am not able to start Agile. Weblogic fails to start, citing problems with boot.properties.

Below is the log from the server. How do I update the boot.properties file? I know the superadmin password (which essentially should not have changed).

Something has changed in the database. Where is this authentication located in the database?

-----------------------------------------------------------------------------

<Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
weblogic.security.SecurityInitializationException: Authentication denied: Boot identity not valid; The user name and/or password from the boot identity file (boot.properties) is not valid. The boot identity may have been changed since the boot identity file was created. Please edit and update the boot identity file with the proper values of username and password. The first time the updated boot identity file is used to start the server, these new values are encrypted.
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:960)
at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
at weblogic.security.SecurityService.start(SecurityService.java:148)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.LoginException: Login Failure: all modules ignored
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:913)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:690)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:688)
at java.security.AccessController.doPrivileged(Native Method)
Truncated. see log file for complete stacktrace
>
<May 10, 2015 12:02:29 AM EDT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down.>

Posted by Sumit. on May 10, 2015 at 12:10 PM CST #

Hi Sumit,
Check this please.
https://blogs.oracle.com/jiechen/entry/recover_keystore_for_agile_9

Thanks
Jie

Posted by Jie Chen on October 19, 2015 at 03:05 PM CST #
