Open ESB Tip : Configuring WLM SE to use OpenDS

Moving on from the traditional Java CAPS Work List Manager functionality Open ESB, and hence JBI, are providing a replacement Work List Manager Service Engine in the WLM SE. Previously I have blogged about Java CAPS 6 WLM functionality and how to link BPEL with this traditional Java CAPS functionality; see:
Within those entries I discussed the Part 3 entry that would be the same project implemented using pure Open ESB and the WLM SE. Therefore this blog entry is the first in the Sub-Thread associated with building the VRMP using only Open ESB.

WLM SE Trail
  1. Configuring WLM SE to use Open DS.
  2. Implementing a Vendor Relationship Management Portal (Part 3) (VRMP Build Video).
  3. Developing the Worklist Interface using Visual Web Pack.
  4. Developing the Worklist Interface with ICEfaces.
  5. Adding Security Using OpenSSO.


WLM SE and OpenDS (LDAP)

OpenDS can be used with the WLM SE to provided User Management, Authentication and Authorization. The User Management features will provide:
  • Management / Group Escalation and Assignment.
  • Email to User / Group / Manager
  • WLM XPath access to these function.
The Authentication and Authorization is provided by integrating the GlassFish (hence JEE) Security to an LDAP Realm mapped onto the OpenDS structure.

Configuring OpenDS

For the sack of this blog entry I will assume specific naming and configuration information for the LDAP structure. Therefore before we start we will need to do the following:

  1. Download OpenDS
  2. Install OpenDS
  3. Create a new Base DN
    1. dc=wlm,dc=openesb,dc=com
    2. Import attached WLM LDIF
This will generate the structure below.


As an alternative you can replace all occurrences of dc=wlm,dc=openesb,dc=com with your LDAP structure and modify the configuration as appropriate.

LDAP Structure

The LDAP Structure created from the imported wlm.ldif file will create two Organizational Units, Groups and People, below the Domain dc=wlm,dc=openesb,dc=com. I will briefly described the sub-elements for each of these Organizational Unit is used for and where appropriate how each of their Attributes are used.


This OU contains all the all the People (Users) that can use the WLM SE application. The key attributes that are required by the WLM SE are :
  • uid : Unique Id that will be used to identify the User
  • mail : The email address used by the WLM email functionality
  • manager : If this optional attribute exists it is used to identify escalation information. The value within this attribute must be a fully qualified DN.
Each user within the imported LDIF file has the same password (adminadmin) and will be allowed to log into the WLM SE application.



This OU defines groupings of users and the imported LDIF contains two nominal groups. As you can see below the FAST Group is essentially a full list of all the entries within the People OU. The attributes contained within each of the Groups are used as follows:
  • cn : Used to unequally identify the group and allow WLM SE to search for Groups based on this name. When processing a group the WLM SE will process all unique members.
  • uniqueMember : List of fully qualified DNs that point to the appropriate People within this group.


Authentication / Authorization Configuration GlassFish LDAP Realm

I will create the realm information using the using the standard GlassFish admin console but you can do this using the command-line if you feel this is easier. To create the Realm you will need to follow the steps below.
  1. Start the admin console (http://localhost:4848) and login
  2. Open Common Tasks->Configuration->Security->Realms


  3. Select New Realm
    1. Name : OpenDSRealm
    2. Class Name :
    3. Properties : Within GlassFish the LDAP Realms have a number of mandatory properties and a number of optional properties.

    • directory :  The URL to your OpenDS Server (ldap://localhost:2389)
    • base-dn :  The Dase Distinguished Name (DN) identifying where the user data is located. As usual this can be at any level above the actual usr information but small the search the better (dc=wlm,dc=openesb,dc=com)
    • jaas-context :  This is the type of login modual to be used and for GlassFish it MUST be ldapRealm.


    • search-filter : Search filter to use to find the user. The default value is uid=%s where %s expands to the subject name.
    • search-bind-dn :  Optional DN to be used for authorisation if your Open DS is not configured for anonymouse search.
    • search-bind-password : Password associated with the DN in search-bind-dn
    • group-base-dn : Base DN identifying the location of the Group data. This can be the same as base-dn or tune (ou=Group,dc=wlm,dc=openesb,dc=com).
    • group-target :  This is the LDAP attribute name that contains the group neame entries, the default is cn.
    • group-search-filter : Search filter used to find group memberships for a given user. The default = uniquemember=%d where %d would expand to the full user dn (cn=ahopkinson,ou=People,dc=wlm,dc=openesb,dc=com).

      New Realm
  4. Select Ok

WLM SE Configuration

During the installation of the WLM SE, into the GlassFish Application Server, we can configure the connection parameters for the JBI component. To install the WLM SE you will need t do the following:
  1. Start you GlassFish instance
  2. From within NetBeans Right Click GlassFish->JBI->Service Engine->Install
  3. Navigate to the worklistmanagerse.jar and Select. This will open the installation dialog below.

    WLM SE Config

    Configure as above to connect to OpenDS.
    I have changed the default LDAP Port and LDAPS Port because I have a number of Directories installed.
  4. Once configured you can start the sun-wlm-engine.
    If you have not created / deployed a WLM SE application then you will see an Error message specifying that the JDBC connection can not be found.  Follow the instructions in the database section below.

    Having started the wlm-engine check that the properties are still correct. In some of the earlier versions they are initially reset to the default values.

Configure Worklist Client Application to use GlashFish LDAP Realm

The WLM SE provides a generic web console that can be used to display / edit the WLM SE Task (if the user chooses not to created their own console). If you decided to use the generic web console then the security access will need to be modified to use the OpenDS server for Authentication. To configure the Authentication you will need to edit the web.xml file and modify the Sercurity setting so that the login configuration point to your previously created LDAP Realm. In our case we will modify the web.xml file as indicated bolow and set the Realm name to "OpenDSRealm".

Web App Config 1

In the example above you can see that their are two Sercurity Roles :
  • Manager
  • CustomerServiceRep
These are abstract Roles and do not map directly to those specified in the LDAP Structure (Groups). To map these to their actual LDAP Groups we will need to modify the sun-web.xml file, as below, and specify within the Security tab the actual LDAP Groups.
  • Manager Role = Manager Group
  • CustomerServiceRep Role = FAST Group
Web App Config 1

Configuring the WLM Database

For this blog entry I will assume that we are using MySQL as a database and hence this section gives the specific instruction for MySQL. Therefore if you choose to use an alternative database please check the WLM SE Wiki.

We first need to create a database named WORKFLOW within MySQL and this can be done throw the MySQL Administrator.

MySQL Database

Once this has been done you can either create the JDBC Resources through the GlassFish Admin GUI or execute the command below.

asadmin create-jdbc-connection-pool --host localhost --port 4848 --datasourceclassname com.mysql.jdbc.jdbc2.optional.MysqlDataSource --restype javax.sql.DataSource --allownoncomponentcallers=true --property portNumber=3306:user=root:password=adminadmin:serverName=localhost:databaseName=WORKFLOW WorkflowMySQLPool 

asadmin create-jdbc-resource --host localhost --port 4848 --connectionpoolid WorkflowMySQLPool jdbc/__workflowMySQL

Connection Pools / JDBC Resource

JDBC Connection

JDBC Connection

JDBC Resource


Post a Comment:
Comments are closed for this entry.

As a member of the Oracle A-Team we specialise in enabling and supporting the Oracle Fusion Middleware communities.


« July 2016