Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers
5.9.3 Configuring a P-Asserted-Identity Assertion Provider
Follow these steps to configure a security provider used to support the P-Asserted-Identity header. Note that one of two providers can be selected, as described in Section 5.9.2, Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers . In addition to configuring one of the above providers, configure a secondary, fallback login method for example, using DIGEST or CLIENT-CERT authentication. To configure a P-Asserted-Identity provider:1. Log in to the Administration Console for the Oracle WebLogic Communication
Services domain you want to configure.2. In the left pane of the Console, select the Security Realms node.
3. Select the name of your security realm in the right pane of the Console. for
example, myrealm.4. Click New.
5. Enter a name for the new provider, and select one of the following options for the
Type: ■ PAssertedIdentityAsserter—Select this option to configure a provider that does not throw an exception when the P-Asserted-Identity header is invalid or is received from a non-trusted host and an anonymous user is substituted. ■ PAssertedIdentityStrictAsserter—Select this option to configure a provider that throws an exception when the P-Asserted-Identity header is invalid or is received from a non-trusted host and an anonymous user is substituted. See Section 5.9.2, Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers for more information.6. Click OK.
7. Select the name of the provider you just created.
8. Select the Configuration Provider Specific tab.
9. Fill in the fields of the configuration tab as follows: ■ Trusted Hosts : Enter one or more host names that the provider will treat as trusted hosts. You can enter a list of IP addresses or DNS names, and wildcards are supported. ■ User Name Mapper Class Name : Enter the name of a custom Java class used to map user names in the P-Asserted-Identity header to user names in the default security realm. A custom user name mapper is generally used if user names are received from two or more different domains. In this case additional logic may be required to map usernames received from each domain. A custom user name mapper class is required if you want to map usernames in the P-Asserted-Identity header to WebLogic usernames. See Oracle Fusion Middleware Securing Oracle WebLogic Server for more information. Note: The provider does not use trusted hosts configured in the sipserver.xml file. 5-26 Oracle WebLogic Communications Server Administration Guide Alternately, leave this field blank to use the default user name mapper. The default mapper simply discards the domain name and takes the resulting user name without applying any additional logic.10. Click Save.
5.9.4 Understanding Identity Assertion with the Identity and Identity-Info Headers
Oracle WebLogic Communication Services can also perform identity assertion using the Identity and Identity-Info headers, as described in RFC 4474. As with the p-asserted-identity assertion mechanism, Identity header assertion requires that you first configure the appropriate security provider the IdentityHeaderAsserter provider in Oracle WebLogic Communication Services. When asserting the identity of inbound requests having the Identity and Identity-Info headers, Oracle WebLogic Communication Services considers the values of the identity-assertion and identity-assertion-support elements in sip.xml as well as the presence of a configured security provider. Figure 5–6 describes how incoming messages are processed using this assertion mechanism.Parts
» Oracle Fusion Middleware Online Documentation Library
» Messaging Oracle WebLogic Communication Services
» Telephony Oracle WebLogic Communication Services
» Presence Oracle WebLogic Communication Services
» WebLogic Server 10.3 Platform with support for SIP and converged applications
» Shared Configuration Tasks for Oracle WebLogic Communication Services and Oracle WebLogic Server
» Diameter Configuration Oracle WebLogic Communication Services Configuration Overview
» Administration Console Methods and Tools for Performing Configuration Tasks
» WebLogic Scripting Tool WLST
» Editing Configuration Files Additional Configuration Methods
» Setting Log Levels You can set log levels by manually editing the
» Starting and Stopping Servers
» Administration Server Best Practices Common Configuration Tasks
» Overview of SIP Container Configuration
» Locking and Persisting the Configuration
» Managing Configuration Locks Configuring Container Properties Using WLST JMX
» Locating the Oracle WebLogic Communication Services MBeans
» Invoking WLST WLST Configuration
» Configuring Timer Affinity Optional
» Configuring NTP for Accurate SIP Timers
» IPv4 and IPv6 Overview of Network Configuration
» Multiple Load Balancers and Multi-homed Load Balancers
» Enabling Domain Name Service DNS Support
» Creating a New SIP or SIPS Channel
» Configuring Custom Timeout, MTU, and Other Properties
» Configuring SIP Channels for Multi-Homed Machines
» Configuring Engine Servers to Listen on Any IP Interface
» Static Port Configuration for Outbound UDP Packets
» Multi-homed Server Configurations Overview
» Multi-homed Servers Listening On All Addresses IP_ANY
» Understanding the Route Resolver
» IP Aliasing with Multi-homed Hardware
» Single Load Balancer Configuration
» IP Masquerading Alternative to Source NAT If you choose not to enable source
» Example Network Topology Example Network Configuration
» Oracle WebLogic Communication Services Configuration
» NAT-based configuration Load Balancer Configuration
» maddr-Based Configuration Load Balancer Configuration
» rport-Based Configuration Load Balancer Configuration
» Authentication Providers Authentication for SIP Servlets
» Identity Assertion Support Oracle Fusion Middleware Online Documentation Library
» Role Assignment for SIP Servlet Declarative Security
» Security Event Auditing Oracle Fusion Middleware Online Documentation Library
» Common Security Configuration Tasks
» What Is Digest Authentication?
» Digest Authentication Support in Oracle WebLogic Communication Services
» Prerequisites for Configuring LDAP Digest Authentication
» Using Unencrypted Passwords If you are using an RDBMS, or if your LDAP
» Using Precalculated Hash Values If you want to use precalculated hash values,
» Using Reverse-Encrypted Passwords Oracle WebLogic Communication Services
» Reconfigure the DefaultAuthenticator Provider
» Configure an Authenticator Provider
» In the left pane of the Console, select the Security Realms node.
» Select the Providers Authentication tab.
» Click New. Configure an LDAP Digest Identity Asserter Provider Follow these instructions to
» Click OK. Configure an LDAP Digest Identity Asserter Provider Follow these instructions to
» Select the Configuration Provider Specific tab in the right pane.
» Click Save to save your changes. Select the Performance tab in the right pane.
» Select the Providers Authentication tab. Click New.
» Click OK. Select the Configuration Provider Specific tab in the right pane.
» Click Save to save your changes.
» Store User Password Information in the Description Field
» Set the Embedded LDAP Password
» Configure the Digest Identity Asserter Provider
» Configuring the Default Identity Asserter
» Select the Configuration Provider Specific tab.
» Click Save. Oracle Fusion Middleware Online Documentation Library
» Configuring Oracle WebLogic Communication Services to Use WL-Proxy-Client-Cert
» Supporting Perimeter Authentication with a Custom IA Provider
» Understanding Trusted Host Forwarding with P-Asserted-Identity
» Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers
» Configuring the Identity Header Assertion Provider
» Configuring a X-3GPP-Asserted-Identity Provider
» Configuring Basic Authentication for HTTP Servlets
» Add Oracle WebLogic Communication Services
» Configuring Oracle Internet Directory Add a New Oracle WebLogic Communication Services
» Grant Verifier Privileges to the Oracle WebLogic Communication Services Instance
» Create a Group Assign Group Memberships to Users
» datatier.xml Configuration File Configuration Requirements and Restrictions
» SIP Data Tier with One Partition
» SIP Data Tier with Two Partitions
» SIP Data Tier with Two Partitions and Two Replicas
» Requirements and Restrictions Storing Long-Lived Call State Data In A RDBMS
» Steps for Enabling RDBMS Call State Storage
» Modify the JDBC Datasource Connection Information
» Configure JDBC Resources Configuring RDBMS Call State Storage by Hand
» Configure Oracle WebLogic Communication Services Persistence Options
» Situations Best Suited to Use Geo-Redundancy
» Situations Not Suited to Use Geo-Redundancy
» Geo-Redundancy Considerations: Before Your Begin
» Example Domain Configurations Using Geographically-Redundant SIP Data Tiers
» Requirements and Limitations Using Geographically-Redundant SIP Data Tiers
» Steps for Configuring Geographic Persistence
» Installing and Configuring the Primary Site
» Installing the Secondary Site
» Configuring JDBC Resources Primary and Secondary Sites
» Configuring Persistence Options Primary and Secondary Sites
» Configuring JMS Resources Secondary Site Only
» Call State Replication Process Call State Processing After Failover
» Removing Backup Call States Monitoring Replication Across Regional Sites
» Configuring Engine Tier Caching Monitoring and Tuning Cache Performance
» Launching Sash from the Command Line
» Viewing Subcommands Viewing Available Commands
» Creating a User from the Sash Command-Line Prompt
» Creating a User with the Command Service MBean
» Provisioning XDMS User Accounts Using the CommandService MBean
» Provisioning XDMS User Accounts from the Sash Prompt
» Provisioning XDMS User Accounts
» Adding XDMS Users Using xcap Commands
» Overview of Sash Scripting with Sash
» Overload Protection Failure Prevention and Automatic Recovery Features
» Redundancy and Failover for Clustered Services
» Automatic Restart for Failed Server Instances
» Managed Server Independence Mode
» Automatic Migration of Failed Managed Servers
» Geographic Redundancy for Regional Site Failures
» Enabling Automatic Configuration Backups
» Storing the Domain Configuration Offline
» Backing Up Server Start Scripts
» Backing Up Logging Servlet Applications
» Backing Up SerializedSystemIni.dat and Security Certificates All servers create a
» Backing Up the WebLogic LDAP Repository The default Authentication,
» Backing Up Additional Operating System Configuration Files
» Restarting an Administration Server on the Same Machine
» Restarting an Administration Server on Another Machine
» Restarting Failed Managed Servers
» WlssEchoServer Failure Detection Overview of Failover Detection
» Forced Shutdown for Failed Replicas
» Starting WlssEchoServer on SIP Data Tier Server Machines
» Files for Troubleshooting Understanding and Responding to SNMP Traps
» Recovery Procedure If this trap occurs in isolation from other traps indicating
» Recovery Procedure See connectionReestablishedToPeer
» Recovery Procedure See the Recovery Procedure for
» Recovery Procedure Follow this recovery procedure:
» Additional Overload Information If you set the queue length as an incoming call
» Recovery Procedure This trap is generated during normal startup procedures
» Recovery Procedure Restart the engine tier server. Repeated occurrences of
» Recovery Procedure If this trap is generated as a result of a server instance
» Additional Shutdown Information The Administration Console generates SNMP
» Recovery Procedure This trap is generated during normal deployment
» Recovery Procedure During normal shutdown procedures this alarm should
» Recovery Procedure The typical failure is caused by an invalid sip.xml
» Watches and Notifications Using the WebLogic Diagnostics Framework WLDF
» Image Capture Using the WebLogic Diagnostics Framework WLDF
» Configuring Server-Scoped Monitors Instrumentation
» Configuring Application-Scoped Monitors Instrumentation
» Defining Logging Servlets in sip.xml Configuring the Logging Level and Destination
» Using XML Documents to Specify Logging Criteria
» Using Servlet Parameters to Specify Logging Criteria
» Adding Tracing Functionality to SIP Servlet Code
» Order of Startup for Listeners and Logging Servlets
» Modifying JVM Parameters in Server Start Scripts
» Tuning Garbage Collection with JRockit
» Using Oracle JRockit Real Time Deterministic Garbage Collection
» Using Oracle JRockit without Deterministic Garbage Collection
» Tuning Garbage Collection with Sun JDK
» Avoiding JVM Delays Caused By Random Number Generation
» Overview of Presence Oracle Fusion Middleware Online Documentation Library
» Configuring XDMS Configuring Presence
» Command Service XDMS Provisioning
» Aggregation Proxy Configuring Presence
» PresenceSupplierWebService PresenceConsumerWebService Configuring Presence Web Services
» MessagingWebServiceConfig Configuring Presence Web Services
» Overview of Diameter Protocol Configuration
» Steps for Configuring Diameter Client Nodes and Relay Agents
» Installing the Diameter Domain
» Enabling the Diameter Console Extension
» Configuring Two-Way SSL for Diameter TLS Channels
» Configuring and Using SCTP for Diameter Messaging
» Creating a New Node Configuration General Node Configuration
» Configuring the Sh Client Application
» Configuring the Rf Client Application Configuring the Ro Client Application
» Configuring a Diameter Relay Agent
» Configuring the Sh and Rf Simulator Applications Enabling Profile Service using an Sh backend
» Configuring Peer Nodes Configuring Routes
» Example Domain Configuration Oracle Fusion Middleware Online Documentation Library
» Troubleshooting Diameter Configurations Oracle Fusion Middleware Online Documentation Library
» Components Architecture User Messaging Service Overview
» Introduction to Oracle User Messaging Service Configuration
» How to Set the Storage Method
» Adding Business Terms How to Add or Remove User Messaging Preferences Business Terms
» About Driver Properties How to Configure a Driver
» Securing Passwords How to Configure a Driver
» E-Mail Driver Interoperability This section details interoperability features of the
» Common Properties These are common driver properties that are indicative of
» Email Custom Properties These are properties specific to this driver and are
» Client API MessageInfo Support These properties are message delivery related
» SMPP Driver Interoperability This section details interoperability features of the
» Custom Properties These are properties specific to this driver and are
» About XMPP XMPP is an open, XML-based protocol for Instant Messaging
» XMPP Driver Interoperability This section details interoperability features of the
» XMPP Custom Properties The XMPP Driver includes the custom properties
» VoiceXML Driver Interoperability This section details interoperability features of
» Click Browse, and navigate to ORACLE_
» Common Properties The following common driver properties are indicative
» Custom Properties The following custom property is available:
» Client API MessageInfo Support This table shows if the protocol or driver
» Web Service Security on Notification
» Enabling UMS Service Security
» Enabling Client Security Securing User Messaging Service
» Keystore Configuration Client Aliases
» Troubleshooting Oracle User Messaging Service
» Configuring Logging Log Files
» Using WebLogic Server Administration Console
» Metrics and Statistics Undeploying and Unregistering Drivers
» Click Invoke. Oracle Fusion Middleware Online Documentation Library
» Proxy Registrar Oracle Fusion Middleware Online Documentation Library
» STUN Service Oracle Fusion Middleware Online Documentation Library
» Goals of the Oracle WebLogic Communication Services Base Platform Load Balancer
» Example of Writing and Retrieving Call State Data
» RDBMS Storage for Long-Lived Call State Data
» Engine Tier Geographically-Redundant Installations
» Example Hardware Configurations Oracle Fusion Middleware Online Documentation Library
» Alternate Configurations Oracle Fusion Middleware Online Documentation Library
» Single-node Topologies OWLCS Deployment Topologies
» Runtime Processes Introduction to OWLCS Enterprise Deployment Topology
» Request Flow Introduction to OWLCS Enterprise Deployment Topology
» Client Connections Introduction to OWLCS Enterprise Deployment Topology
» SIP Containers OWLCS extends the core WebLogic Server platform with a
» Third-Party Load Balancer A third-party load balancer balances the load of
» Proxy Registrar The OWLCS Proxy Registrar combines the functionality of a
» Presence Web Services OWLCS enables Web Service clients to access
» Third-Party Call Control Web Services The Third Party Call Parlay X 2.1
» Aggregation Proxy The Aggregation Proxy authorizes web service calls and
» Authentication Proxy The Authentication Proxy is a SIP application that upon
» File Transfer Service OWLCS includes an Oracle-proprietary file transfer
» Messaging Services Messaging Services implements support for a subset of
» STUN Service The OWLCS STUN Service implements STUN Simple
» DAR Configuration DAR Configuration. Application Router is a SIP
» Oracle Communicator Client Oracle Communicator is a client communication
» State Tier The Oracle WebLogic Communication Services SIP state tier node
» User Dispatcher The User Dispatcher enables the Presence and XDMS
» Oracle RAC Database Oracle RDBMS should be installed and operational in
» Overview of SIP State Tier Configuration
» SIP State Tier with One Partition A single-partition, two server SIP state tier
» SIP State Tier with Two Partitions Multiple partitions can be created by defining
» SIP State Tier with Two Partitions and Two Replicas Replicas of the call state can
» Storing Long-Lived Call State Data in an RDBMS
» Geographic Redundancy Oracle WebLogic Communication Services Enterprise Deployment Topology
» Stateless User Dispatcher and Even Distribution The most basic approach is to
» Presence Application Broadcast Another solution is to have the Presence
» OWLCS Presence Failover Standby Server Pool
» Fatal Failures If the failure is fatal all state information is lost and established
» Temporary Failures A temporary failure is one where none or little data is lost
» Broadcasting Fail-Over Events In this approach each dispatcher instance have
» Shared State If all dispatcher nodes in the cluster share the same state from a
» Updating the Node Set Depending on the algorithm used to find the server
» Migrating Presentities When the node set has been updated some Presentites
» One Presence Server Overloaded for 60 Seconds The cluster consists of four
» One Presence Server Overloaded Multiple Times for Five Seconds This use case
» Overload Policy Triggered by an OWLCS Software Failure A failure in the OWLCS
» A Presence Server Hardware Failure The cluster consists of four Presence
» Expanding the Cluster with One Presence Node The cluster consists of 3 Presence
» Terminology Overview of SIP Application Upgrades
» Requirements and Restrictions for Upgrading Deployed Applications
» Steps for Upgrading a Deployed SIP Application
» Defining the Version in the Manifest
» Deploy the Updated Application Version
» Undeploy the Older Application Version
» Architecture of Web Service Client Applications
» Enabling Client Security Web Service Security
» Keystore Configuration Web Service Security
» Client Aliases Web Service Security
Show more