Set the Embedded LDAP Password
3. Select Security Embedded LDAP in the right pane.
4. Enter the password you would like to use in the Credential and Confirm Credential fields.5. Click Save.
6. Reboot the server.5.7.5.3 Configure the Digest Identity Asserter Provider
Example 5–1 shows the security provider configuration in config.xml for a domain that uses LDAP implementation embedded in Oracle WebLogic Communication Services. Note that such a configuration is recommended only for testing or development purposes. Example 5–1 highlights values that you must define when configuring the provider using the instructions in Section 5.7.4.4.1, Configure an LDAP Digest Identity Asserter Provider . Example 5–1 Sample Security Provider Configuration with Embedded LDAP sec:authentication-provider xmlns:ext=http:www.bea.comnsweblogic90securityextension xsi:type=ext:ldap-digest-identity-asserterType sec:namemyrealmLdapDigestIdentityAssertersec:name ext:user-base-dnou=people, ou=myrealm, dc=mydomainext:user-base-dn ext:credential-attribute-namedescriptionext:credential-attribute-name ext:digest-realm-namewlss.oracle.comext:digest-realm-name ext:hostmyserver.mycompany.comext:host ext:port7001ext:port ext:principalcn=Adminext:principal sec:authentication-provider5.8 Configuring Client-Cert Authentication
Client-Cert authentication uses a certificate or other custom tokens in order to authenticate a user. The token is mapped to a user present in the Oracle WebLogic Communication Services security realm in which the Servlet is deployed. SIP Servlets that want to use Client-Cert authentication must set the auth-method element to CLIENT-CERT in their sip.xml deployment descriptor. The token used for Client-Cert authentication can be obtained in several different ways: ■ X509 Certificate from SSL —In the most common case, an X509 certificate is derived from a client token during a two-way SSL handshake between the client and the server. The SIP Servlet can view the resulting certificate in the javax.servlet.request.X509Certificate request attribute. This method for performing Client-Cert authentication is the most common and is described in the SIP Servlet specification JSR-116. Oracle WebLogic Communication Services provides two security providers that can be used to validate the X509 certificate; see Section 5.8.1, Configuring SSL and X509 for Oracle WebLogic Communication Services . ■ WL-Proxy-Client-Cert Header —Oracle WebLogic Communication Services provides an alternate method for supplying a Client-Cert token that does not 5-16 Oracle WebLogic Communications Server Administration Guide require a two-way SSL handshake between the client and server. Instead, the SSL handshake can be performed between a client and a proxy server or load balancer before reaching the destination Oracle WebLogic Communication Services. The proxy generates the resulting X509 certificate chain and encrypts it using base-64 encoding, and finally adds it to a special WL-Proxy-Client-Cert header in the SIP message. The server hosting the destination SIP Servlet then uses the WL-Proxy-Client-Cert header to obtain the certificate. The certificate is also made available by the container to Servlets via the javax.servlet.request.X509Certificate request attribute. To use this alternate method of supplying client tokens, you must configure Oracle WebLogic Communication Services to enable use of the WL-Proxy-Client-Cert header; see Section 5.8.2, Configuring Oracle WebLogic Communication Services to Use WL-Proxy-Client-Cert . You must also configure an X509 Identity Asserter provider as described in Section 5.8.1, Configuring SSL and X509 for Oracle WebLogic Communication Services . SIP Servlets can also use the CLIENT-CERT auth-method to implement perimeter authentication. Perimeter authentication uses custom token names and values, along with a custom security provider, to authenticate clients. See Section 5.8.3, Supporting Perimeter Authentication with a Custom IA Provider for a summary of steps required to implement perimeter authentication.5.8.1 Configuring SSL and X509 for Oracle WebLogic Communication Services
Oracle WebLogic Communication Services includes two separate Identity Assertion providers that can be used with X509 certificates. The LDAP X509 Identity Asserter provider receives an X509 certificate, looks up the LDAP object for the user associated with that certificate in a separate LDAP store, ensures that the certificate in the LDAP object matches the presented certificate, and then retrieves the name of the user from the LDAP object. The Default Identity Asserter provider maps the user according to its configuration, but does not validate the certificate. With either provider, Oracle WebLogic Communication Services uses two-way SSL to verify the digital certificate supplied by the client. You must ensure that a SIPS transport SSL has been configured in order to use Client-Cert authentication. See Managing Oracle WebLogic Communication Services Network Resources in Configuring Network Resources if you have not yet configured a secure transport. See Section 5.8.1.1, Configuring the Default Identity Asserter to configure the Default Identity Asserter provider. In most production installations you will have a separate LDAP store and will need to configure the LDAP X509 Identity Asserter provider to use client-cert authentication; see Section 5.8.1.2, Configuring the LDAP X509 Identity Asserter .5.8.1.1 Configuring the Default Identity Asserter
The Default Identity Asserter can be configured to verify an X509 certificate passed to it by a client over a secure SSL connection. The Default Identity Asserter requires a separate user name mapper to map the associated client certificate to a user configured in the default security realm. You can use the default user name mapper installed with Oracle WebLogic Communication Services, or you can create a custom user name mapper class as described in Oracle Fusion Middleware Securing Oracle WebLogic Server. Follow these instructions to configure the Default Identity Asserter: 1. Log in to the Administration Console for the Oracle WebLogic Communication Services domain you want to configure.Parts
» Oracle Fusion Middleware Online Documentation Library
» Messaging Oracle WebLogic Communication Services
» Telephony Oracle WebLogic Communication Services
» Presence Oracle WebLogic Communication Services
» WebLogic Server 10.3 Platform with support for SIP and converged applications
» Shared Configuration Tasks for Oracle WebLogic Communication Services and Oracle WebLogic Server
» Diameter Configuration Oracle WebLogic Communication Services Configuration Overview
» Administration Console Methods and Tools for Performing Configuration Tasks
» WebLogic Scripting Tool WLST
» Editing Configuration Files Additional Configuration Methods
» Setting Log Levels You can set log levels by manually editing the
» Starting and Stopping Servers
» Administration Server Best Practices Common Configuration Tasks
» Overview of SIP Container Configuration
» Locking and Persisting the Configuration
» Managing Configuration Locks Configuring Container Properties Using WLST JMX
» Locating the Oracle WebLogic Communication Services MBeans
» Invoking WLST WLST Configuration
» Configuring Timer Affinity Optional
» Configuring NTP for Accurate SIP Timers
» IPv4 and IPv6 Overview of Network Configuration
» Multiple Load Balancers and Multi-homed Load Balancers
» Enabling Domain Name Service DNS Support
» Creating a New SIP or SIPS Channel
» Configuring Custom Timeout, MTU, and Other Properties
» Configuring SIP Channels for Multi-Homed Machines
» Configuring Engine Servers to Listen on Any IP Interface
» Static Port Configuration for Outbound UDP Packets
» Multi-homed Server Configurations Overview
» Multi-homed Servers Listening On All Addresses IP_ANY
» Understanding the Route Resolver
» IP Aliasing with Multi-homed Hardware
» Single Load Balancer Configuration
» IP Masquerading Alternative to Source NAT If you choose not to enable source
» Example Network Topology Example Network Configuration
» Oracle WebLogic Communication Services Configuration
» NAT-based configuration Load Balancer Configuration
» maddr-Based Configuration Load Balancer Configuration
» rport-Based Configuration Load Balancer Configuration
» Authentication Providers Authentication for SIP Servlets
» Identity Assertion Support Oracle Fusion Middleware Online Documentation Library
» Role Assignment for SIP Servlet Declarative Security
» Security Event Auditing Oracle Fusion Middleware Online Documentation Library
» Common Security Configuration Tasks
» What Is Digest Authentication?
» Digest Authentication Support in Oracle WebLogic Communication Services
» Prerequisites for Configuring LDAP Digest Authentication
» Using Unencrypted Passwords If you are using an RDBMS, or if your LDAP
» Using Precalculated Hash Values If you want to use precalculated hash values,
» Using Reverse-Encrypted Passwords Oracle WebLogic Communication Services
» Reconfigure the DefaultAuthenticator Provider
» Configure an Authenticator Provider
» In the left pane of the Console, select the Security Realms node.
» Select the Providers Authentication tab.
» Click New. Configure an LDAP Digest Identity Asserter Provider Follow these instructions to
» Click OK. Configure an LDAP Digest Identity Asserter Provider Follow these instructions to
» Select the Configuration Provider Specific tab in the right pane.
» Click Save to save your changes. Select the Performance tab in the right pane.
» Select the Providers Authentication tab. Click New.
» Click OK. Select the Configuration Provider Specific tab in the right pane.
» Click Save to save your changes.
» Store User Password Information in the Description Field
» Set the Embedded LDAP Password
» Configure the Digest Identity Asserter Provider
» Configuring the Default Identity Asserter
» Select the Configuration Provider Specific tab.
» Click Save. Oracle Fusion Middleware Online Documentation Library
» Configuring Oracle WebLogic Communication Services to Use WL-Proxy-Client-Cert
» Supporting Perimeter Authentication with a Custom IA Provider
» Understanding Trusted Host Forwarding with P-Asserted-Identity
» Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers
» Configuring the Identity Header Assertion Provider
» Configuring a X-3GPP-Asserted-Identity Provider
» Configuring Basic Authentication for HTTP Servlets
» Add Oracle WebLogic Communication Services
» Configuring Oracle Internet Directory Add a New Oracle WebLogic Communication Services
» Grant Verifier Privileges to the Oracle WebLogic Communication Services Instance
» Create a Group Assign Group Memberships to Users
» datatier.xml Configuration File Configuration Requirements and Restrictions
» SIP Data Tier with One Partition
» SIP Data Tier with Two Partitions
» SIP Data Tier with Two Partitions and Two Replicas
» Requirements and Restrictions Storing Long-Lived Call State Data In A RDBMS
» Steps for Enabling RDBMS Call State Storage
» Modify the JDBC Datasource Connection Information
» Configure JDBC Resources Configuring RDBMS Call State Storage by Hand
» Configure Oracle WebLogic Communication Services Persistence Options
» Situations Best Suited to Use Geo-Redundancy
» Situations Not Suited to Use Geo-Redundancy
» Geo-Redundancy Considerations: Before Your Begin
» Example Domain Configurations Using Geographically-Redundant SIP Data Tiers
» Requirements and Limitations Using Geographically-Redundant SIP Data Tiers
» Steps for Configuring Geographic Persistence
» Installing and Configuring the Primary Site
» Installing the Secondary Site
» Configuring JDBC Resources Primary and Secondary Sites
» Configuring Persistence Options Primary and Secondary Sites
» Configuring JMS Resources Secondary Site Only
» Call State Replication Process Call State Processing After Failover
» Removing Backup Call States Monitoring Replication Across Regional Sites
» Configuring Engine Tier Caching Monitoring and Tuning Cache Performance
» Launching Sash from the Command Line
» Viewing Subcommands Viewing Available Commands
» Creating a User from the Sash Command-Line Prompt
» Creating a User with the Command Service MBean
» Provisioning XDMS User Accounts Using the CommandService MBean
» Provisioning XDMS User Accounts from the Sash Prompt
» Provisioning XDMS User Accounts
» Adding XDMS Users Using xcap Commands
» Overview of Sash Scripting with Sash
» Overload Protection Failure Prevention and Automatic Recovery Features
» Redundancy and Failover for Clustered Services
» Automatic Restart for Failed Server Instances
» Managed Server Independence Mode
» Automatic Migration of Failed Managed Servers
» Geographic Redundancy for Regional Site Failures
» Enabling Automatic Configuration Backups
» Storing the Domain Configuration Offline
» Backing Up Server Start Scripts
» Backing Up Logging Servlet Applications
» Backing Up SerializedSystemIni.dat and Security Certificates All servers create a
» Backing Up the WebLogic LDAP Repository The default Authentication,
» Backing Up Additional Operating System Configuration Files
» Restarting an Administration Server on the Same Machine
» Restarting an Administration Server on Another Machine
» Restarting Failed Managed Servers
» WlssEchoServer Failure Detection Overview of Failover Detection
» Forced Shutdown for Failed Replicas
» Starting WlssEchoServer on SIP Data Tier Server Machines
» Files for Troubleshooting Understanding and Responding to SNMP Traps
» Recovery Procedure If this trap occurs in isolation from other traps indicating
» Recovery Procedure See connectionReestablishedToPeer
» Recovery Procedure See the Recovery Procedure for
» Recovery Procedure Follow this recovery procedure:
» Additional Overload Information If you set the queue length as an incoming call
» Recovery Procedure This trap is generated during normal startup procedures
» Recovery Procedure Restart the engine tier server. Repeated occurrences of
» Recovery Procedure If this trap is generated as a result of a server instance
» Additional Shutdown Information The Administration Console generates SNMP
» Recovery Procedure This trap is generated during normal deployment
» Recovery Procedure During normal shutdown procedures this alarm should
» Recovery Procedure The typical failure is caused by an invalid sip.xml
» Watches and Notifications Using the WebLogic Diagnostics Framework WLDF
» Image Capture Using the WebLogic Diagnostics Framework WLDF
» Configuring Server-Scoped Monitors Instrumentation
» Configuring Application-Scoped Monitors Instrumentation
» Defining Logging Servlets in sip.xml Configuring the Logging Level and Destination
» Using XML Documents to Specify Logging Criteria
» Using Servlet Parameters to Specify Logging Criteria
» Adding Tracing Functionality to SIP Servlet Code
» Order of Startup for Listeners and Logging Servlets
» Modifying JVM Parameters in Server Start Scripts
» Tuning Garbage Collection with JRockit
» Using Oracle JRockit Real Time Deterministic Garbage Collection
» Using Oracle JRockit without Deterministic Garbage Collection
» Tuning Garbage Collection with Sun JDK
» Avoiding JVM Delays Caused By Random Number Generation
» Overview of Presence Oracle Fusion Middleware Online Documentation Library
» Configuring XDMS Configuring Presence
» Command Service XDMS Provisioning
» Aggregation Proxy Configuring Presence
» PresenceSupplierWebService PresenceConsumerWebService Configuring Presence Web Services
» MessagingWebServiceConfig Configuring Presence Web Services
» Overview of Diameter Protocol Configuration
» Steps for Configuring Diameter Client Nodes and Relay Agents
» Installing the Diameter Domain
» Enabling the Diameter Console Extension
» Configuring Two-Way SSL for Diameter TLS Channels
» Configuring and Using SCTP for Diameter Messaging
» Creating a New Node Configuration General Node Configuration
» Configuring the Sh Client Application
» Configuring the Rf Client Application Configuring the Ro Client Application
» Configuring a Diameter Relay Agent
» Configuring the Sh and Rf Simulator Applications Enabling Profile Service using an Sh backend
» Configuring Peer Nodes Configuring Routes
» Example Domain Configuration Oracle Fusion Middleware Online Documentation Library
» Troubleshooting Diameter Configurations Oracle Fusion Middleware Online Documentation Library
» Components Architecture User Messaging Service Overview
» Introduction to Oracle User Messaging Service Configuration
» How to Set the Storage Method
» Adding Business Terms How to Add or Remove User Messaging Preferences Business Terms
» About Driver Properties How to Configure a Driver
» Securing Passwords How to Configure a Driver
» E-Mail Driver Interoperability This section details interoperability features of the
» Common Properties These are common driver properties that are indicative of
» Email Custom Properties These are properties specific to this driver and are
» Client API MessageInfo Support These properties are message delivery related
» SMPP Driver Interoperability This section details interoperability features of the
» Custom Properties These are properties specific to this driver and are
» About XMPP XMPP is an open, XML-based protocol for Instant Messaging
» XMPP Driver Interoperability This section details interoperability features of the
» XMPP Custom Properties The XMPP Driver includes the custom properties
» VoiceXML Driver Interoperability This section details interoperability features of
» Click Browse, and navigate to ORACLE_
» Common Properties The following common driver properties are indicative
» Custom Properties The following custom property is available:
» Client API MessageInfo Support This table shows if the protocol or driver
» Web Service Security on Notification
» Enabling UMS Service Security
» Enabling Client Security Securing User Messaging Service
» Keystore Configuration Client Aliases
» Troubleshooting Oracle User Messaging Service
» Configuring Logging Log Files
» Using WebLogic Server Administration Console
» Metrics and Statistics Undeploying and Unregistering Drivers
» Click Invoke. Oracle Fusion Middleware Online Documentation Library
» Proxy Registrar Oracle Fusion Middleware Online Documentation Library
» STUN Service Oracle Fusion Middleware Online Documentation Library
» Goals of the Oracle WebLogic Communication Services Base Platform Load Balancer
» Example of Writing and Retrieving Call State Data
» RDBMS Storage for Long-Lived Call State Data
» Engine Tier Geographically-Redundant Installations
» Example Hardware Configurations Oracle Fusion Middleware Online Documentation Library
» Alternate Configurations Oracle Fusion Middleware Online Documentation Library
» Single-node Topologies OWLCS Deployment Topologies
» Runtime Processes Introduction to OWLCS Enterprise Deployment Topology
» Request Flow Introduction to OWLCS Enterprise Deployment Topology
» Client Connections Introduction to OWLCS Enterprise Deployment Topology
» SIP Containers OWLCS extends the core WebLogic Server platform with a
» Third-Party Load Balancer A third-party load balancer balances the load of
» Proxy Registrar The OWLCS Proxy Registrar combines the functionality of a
» Presence Web Services OWLCS enables Web Service clients to access
» Third-Party Call Control Web Services The Third Party Call Parlay X 2.1
» Aggregation Proxy The Aggregation Proxy authorizes web service calls and
» Authentication Proxy The Authentication Proxy is a SIP application that upon
» File Transfer Service OWLCS includes an Oracle-proprietary file transfer
» Messaging Services Messaging Services implements support for a subset of
» STUN Service The OWLCS STUN Service implements STUN Simple
» DAR Configuration DAR Configuration. Application Router is a SIP
» Oracle Communicator Client Oracle Communicator is a client communication
» State Tier The Oracle WebLogic Communication Services SIP state tier node
» User Dispatcher The User Dispatcher enables the Presence and XDMS
» Oracle RAC Database Oracle RDBMS should be installed and operational in
» Overview of SIP State Tier Configuration
» SIP State Tier with One Partition A single-partition, two server SIP state tier
» SIP State Tier with Two Partitions Multiple partitions can be created by defining
» SIP State Tier with Two Partitions and Two Replicas Replicas of the call state can
» Storing Long-Lived Call State Data in an RDBMS
» Geographic Redundancy Oracle WebLogic Communication Services Enterprise Deployment Topology
» Stateless User Dispatcher and Even Distribution The most basic approach is to
» Presence Application Broadcast Another solution is to have the Presence
» OWLCS Presence Failover Standby Server Pool
» Fatal Failures If the failure is fatal all state information is lost and established
» Temporary Failures A temporary failure is one where none or little data is lost
» Broadcasting Fail-Over Events In this approach each dispatcher instance have
» Shared State If all dispatcher nodes in the cluster share the same state from a
» Updating the Node Set Depending on the algorithm used to find the server
» Migrating Presentities When the node set has been updated some Presentites
» One Presence Server Overloaded for 60 Seconds The cluster consists of four
» One Presence Server Overloaded Multiple Times for Five Seconds This use case
» Overload Policy Triggered by an OWLCS Software Failure A failure in the OWLCS
» A Presence Server Hardware Failure The cluster consists of four Presence
» Expanding the Cluster with One Presence Node The cluster consists of 3 Presence
» Terminology Overview of SIP Application Upgrades
» Requirements and Restrictions for Upgrading Deployed Applications
» Steps for Upgrading a Deployed SIP Application
» Defining the Version in the Manifest
» Deploy the Updated Application Version
» Undeploy the Older Application Version
» Architecture of Web Service Client Applications
» Enabling Client Security Web Service Security
» Keystore Configuration Web Service Security
» Client Aliases Web Service Security
Show more