Digest Authentication Support in Oracle WebLogic Communication Services
1. The client makes an unauthorized request for a protected application resource.
SIP Servlet resources can be protected by specifying security constraints in the sip-xml deployment descriptor.2. The Digest Identity Asserter provider generates a challenge string consisting of the
nonce value, realm name, and encryption algorithm either MD5 or MD5-sess. The SIP container delivers the challenge string to the client.3. The client uses the encryption algorithm to create a Digest consisting of the
username, password, real name, nonce, SIP method, request URI, and other information described in RFC 2617.4. The Digest Identity Asserter verifies the client Digest by recreating the Digest
value using a hash of the A1 value, nonce, SIP method, and other information. To obtain a hash of the A1 value, the Identity Asserter either generates HA1 by retrieving a clear-text password from the store, or the Identity Asserter retrieves the pre-calculated HA1 from the store. Note: The Digest Identity Asserter maintains a cache of used nonces and timestamps for a specified period of time. All requests with a timestamp older than the specified timestamp are rejected, as well as any requests that use the same timestampnonce pair as the most recent timestampnonce pair still in the cache. 5-6 Oracle WebLogic Communications Server Administration Guide 5. The generated Digest string is compared to the clients Digest to verify the users identity. 6. If the users identity is verified, an authentication provider then determines if the user exists and if it does, the authentication provider populates the javax.security.auth.Subject with the configured group information. This step completes the authentication process. After authentication is complete, the SIP Servlet container performs an authorization check for the logged in javax.security.auth.Subject against the declarative security-constraints defined in the Servlets sip.xml deployment descriptor. The LDAP Digest Identity Asserter and the configured Authentication provider can either use the same LDAP store or different stores. Figure 5–2 Multiple LDAP Servers5.7.3 Prerequisites for Configuring LDAP Digest Authentication
In order to configure Digest authentication you must understand the basics of LDAP servers and LDAP administration. You must also understand the requirements and restrictions of your selected LDAP server implementation, and have privileges to modify the LDAP configuration as well as the Oracle WebLogic Communication Services configuration. Note: If you do not require user existence checking or group population, you can use the special no-op Identity Assertion Authenticator to avoid an extra connection to the LDAP Server; see Section 5.7.4.3, Configure an Authenticator Provider for more information. Note: If you use multiple LDAP stores, you must also create some infrastructure to keep both stores synchronized in response to adding, removing, or changing user credential changes, as shown in Figure 5–2 . Maintaining LDAP stores in this manner is beyond the scope of this documentation. Administering Security Features 5-7 Table 5–1 summarizes all of the information you will need in order to fully configure your LDAP server for Digest authentication with Oracle WebLogic Communication Services. Note that the LDAP authentication provider and the Digest Authentication Identity Asserter provider can be configured with multiple LDAP servers to provide failover capabilities. If you want to use more than one LDAP server for failover, you will need to have connection information for each server when you configure Digest Authentication. See Section 5.7.4, Steps for Configuring Digest Authentication . Section 5.12, Provisioning Resources in Oracle Internet Directory describes how to provision the correct resources for Oracle Internet Directory.5.7.4 Steps for Configuring Digest Authentication
Follow these steps to configure Digest authentication with Oracle WebLogic Communication Services: 1. Section 5.7.4.1, Configure the LDAP Server or RDBMS . 2. Section 5.7.4.2, Reconfigure the DefaultAuthenticator Provider . Table 5–2 Digest Identity Asserter Checklist Item Description Sample Value Host The host name of the LDAP server. MyLDAPServer Port The port number of the LDAP server. Port 389 is used by default. 389 Principal A Distinguished Name DN that Oracle WebLogic Communication Services can use to connect to the LDAP Server. cn=ldapadminuser Credential A credential for the above principal name generally a password. ldapadminuserpassword LDAP Connection Timeout The configured timeout value for connections to the LDAP server in seconds. For best performance, there should be no timeout value configured for the LDAP server. If a timeout value is specified for the LDAP server, you should configure the Digest Identity Asserter provider timeout to a value equal to or less than the LDAP servers timeout. 30 seconds User From Name Filter An LDAP search filter that Oracle WebLogic Communication Services will use to locate a given username. If you do not specify a value for this attribute, the server uses a default search filter based on the user schema. cn=uobjectclass=person User Base DN The base Distinguished Name DN of the tree in the LDAP directory that contains users. cn=users,dc=mycompany,dc=com Credential Attribute Name The credential attribute name used for Digest calculation. This corresponds to the attribute name used to store unencrypted passwords or pre-calculated hash values. See Section 5.7.4.1, Configure the LDAP Server or RDBMS . hashvalue Digest Realm Name The realm name to use for Digest authentication. mycompany.com Digest Algorithm The algorithm that clients will use to create encrypted Digests. Oracle WebLogic Communication Services supports both MD5 and MD5-sess algorithms. MD5 is used by default. MD5 Digest Timeout The Digest authentication timeout setting. By default this value is set to 2 minutes. 2Parts
» Oracle Fusion Middleware Online Documentation Library
» Messaging Oracle WebLogic Communication Services
» Telephony Oracle WebLogic Communication Services
» Presence Oracle WebLogic Communication Services
» WebLogic Server 10.3 Platform with support for SIP and converged applications
» Shared Configuration Tasks for Oracle WebLogic Communication Services and Oracle WebLogic Server
» Diameter Configuration Oracle WebLogic Communication Services Configuration Overview
» Administration Console Methods and Tools for Performing Configuration Tasks
» WebLogic Scripting Tool WLST
» Editing Configuration Files Additional Configuration Methods
» Setting Log Levels You can set log levels by manually editing the
» Starting and Stopping Servers
» Administration Server Best Practices Common Configuration Tasks
» Overview of SIP Container Configuration
» Locking and Persisting the Configuration
» Managing Configuration Locks Configuring Container Properties Using WLST JMX
» Locating the Oracle WebLogic Communication Services MBeans
» Invoking WLST WLST Configuration
» Configuring Timer Affinity Optional
» Configuring NTP for Accurate SIP Timers
» IPv4 and IPv6 Overview of Network Configuration
» Multiple Load Balancers and Multi-homed Load Balancers
» Enabling Domain Name Service DNS Support
» Creating a New SIP or SIPS Channel
» Configuring Custom Timeout, MTU, and Other Properties
» Configuring SIP Channels for Multi-Homed Machines
» Configuring Engine Servers to Listen on Any IP Interface
» Static Port Configuration for Outbound UDP Packets
» Multi-homed Server Configurations Overview
» Multi-homed Servers Listening On All Addresses IP_ANY
» Understanding the Route Resolver
» IP Aliasing with Multi-homed Hardware
» Single Load Balancer Configuration
» IP Masquerading Alternative to Source NAT If you choose not to enable source
» Example Network Topology Example Network Configuration
» Oracle WebLogic Communication Services Configuration
» NAT-based configuration Load Balancer Configuration
» maddr-Based Configuration Load Balancer Configuration
» rport-Based Configuration Load Balancer Configuration
» Authentication Providers Authentication for SIP Servlets
» Identity Assertion Support Oracle Fusion Middleware Online Documentation Library
» Role Assignment for SIP Servlet Declarative Security
» Security Event Auditing Oracle Fusion Middleware Online Documentation Library
» Common Security Configuration Tasks
» What Is Digest Authentication?
» Digest Authentication Support in Oracle WebLogic Communication Services
» Prerequisites for Configuring LDAP Digest Authentication
» Using Unencrypted Passwords If you are using an RDBMS, or if your LDAP
» Using Precalculated Hash Values If you want to use precalculated hash values,
» Using Reverse-Encrypted Passwords Oracle WebLogic Communication Services
» Reconfigure the DefaultAuthenticator Provider
» Configure an Authenticator Provider
» In the left pane of the Console, select the Security Realms node.
» Select the Providers Authentication tab.
» Click New. Configure an LDAP Digest Identity Asserter Provider Follow these instructions to
» Click OK. Configure an LDAP Digest Identity Asserter Provider Follow these instructions to
» Select the Configuration Provider Specific tab in the right pane.
» Click Save to save your changes. Select the Performance tab in the right pane.
» Select the Providers Authentication tab. Click New.
» Click OK. Select the Configuration Provider Specific tab in the right pane.
» Click Save to save your changes.
» Store User Password Information in the Description Field
» Set the Embedded LDAP Password
» Configure the Digest Identity Asserter Provider
» Configuring the Default Identity Asserter
» Select the Configuration Provider Specific tab.
» Click Save. Oracle Fusion Middleware Online Documentation Library
» Configuring Oracle WebLogic Communication Services to Use WL-Proxy-Client-Cert
» Supporting Perimeter Authentication with a Custom IA Provider
» Understanding Trusted Host Forwarding with P-Asserted-Identity
» Overview of Strict and Non-Strict P-Asserted-Identity Asserter Providers
» Configuring the Identity Header Assertion Provider
» Configuring a X-3GPP-Asserted-Identity Provider
» Configuring Basic Authentication for HTTP Servlets
» Add Oracle WebLogic Communication Services
» Configuring Oracle Internet Directory Add a New Oracle WebLogic Communication Services
» Grant Verifier Privileges to the Oracle WebLogic Communication Services Instance
» Create a Group Assign Group Memberships to Users
» datatier.xml Configuration File Configuration Requirements and Restrictions
» SIP Data Tier with One Partition
» SIP Data Tier with Two Partitions
» SIP Data Tier with Two Partitions and Two Replicas
» Requirements and Restrictions Storing Long-Lived Call State Data In A RDBMS
» Steps for Enabling RDBMS Call State Storage
» Modify the JDBC Datasource Connection Information
» Configure JDBC Resources Configuring RDBMS Call State Storage by Hand
» Configure Oracle WebLogic Communication Services Persistence Options
» Situations Best Suited to Use Geo-Redundancy
» Situations Not Suited to Use Geo-Redundancy
» Geo-Redundancy Considerations: Before Your Begin
» Example Domain Configurations Using Geographically-Redundant SIP Data Tiers
» Requirements and Limitations Using Geographically-Redundant SIP Data Tiers
» Steps for Configuring Geographic Persistence
» Installing and Configuring the Primary Site
» Installing the Secondary Site
» Configuring JDBC Resources Primary and Secondary Sites
» Configuring Persistence Options Primary and Secondary Sites
» Configuring JMS Resources Secondary Site Only
» Call State Replication Process Call State Processing After Failover
» Removing Backup Call States Monitoring Replication Across Regional Sites
» Configuring Engine Tier Caching Monitoring and Tuning Cache Performance
» Launching Sash from the Command Line
» Viewing Subcommands Viewing Available Commands
» Creating a User from the Sash Command-Line Prompt
» Creating a User with the Command Service MBean
» Provisioning XDMS User Accounts Using the CommandService MBean
» Provisioning XDMS User Accounts from the Sash Prompt
» Provisioning XDMS User Accounts
» Adding XDMS Users Using xcap Commands
» Overview of Sash Scripting with Sash
» Overload Protection Failure Prevention and Automatic Recovery Features
» Redundancy and Failover for Clustered Services
» Automatic Restart for Failed Server Instances
» Managed Server Independence Mode
» Automatic Migration of Failed Managed Servers
» Geographic Redundancy for Regional Site Failures
» Enabling Automatic Configuration Backups
» Storing the Domain Configuration Offline
» Backing Up Server Start Scripts
» Backing Up Logging Servlet Applications
» Backing Up SerializedSystemIni.dat and Security Certificates All servers create a
» Backing Up the WebLogic LDAP Repository The default Authentication,
» Backing Up Additional Operating System Configuration Files
» Restarting an Administration Server on the Same Machine
» Restarting an Administration Server on Another Machine
» Restarting Failed Managed Servers
» WlssEchoServer Failure Detection Overview of Failover Detection
» Forced Shutdown for Failed Replicas
» Starting WlssEchoServer on SIP Data Tier Server Machines
» Files for Troubleshooting Understanding and Responding to SNMP Traps
» Recovery Procedure If this trap occurs in isolation from other traps indicating
» Recovery Procedure See connectionReestablishedToPeer
» Recovery Procedure See the Recovery Procedure for
» Recovery Procedure Follow this recovery procedure:
» Additional Overload Information If you set the queue length as an incoming call
» Recovery Procedure This trap is generated during normal startup procedures
» Recovery Procedure Restart the engine tier server. Repeated occurrences of
» Recovery Procedure If this trap is generated as a result of a server instance
» Additional Shutdown Information The Administration Console generates SNMP
» Recovery Procedure This trap is generated during normal deployment
» Recovery Procedure During normal shutdown procedures this alarm should
» Recovery Procedure The typical failure is caused by an invalid sip.xml
» Watches and Notifications Using the WebLogic Diagnostics Framework WLDF
» Image Capture Using the WebLogic Diagnostics Framework WLDF
» Configuring Server-Scoped Monitors Instrumentation
» Configuring Application-Scoped Monitors Instrumentation
» Defining Logging Servlets in sip.xml Configuring the Logging Level and Destination
» Using XML Documents to Specify Logging Criteria
» Using Servlet Parameters to Specify Logging Criteria
» Adding Tracing Functionality to SIP Servlet Code
» Order of Startup for Listeners and Logging Servlets
» Modifying JVM Parameters in Server Start Scripts
» Tuning Garbage Collection with JRockit
» Using Oracle JRockit Real Time Deterministic Garbage Collection
» Using Oracle JRockit without Deterministic Garbage Collection
» Tuning Garbage Collection with Sun JDK
» Avoiding JVM Delays Caused By Random Number Generation
» Overview of Presence Oracle Fusion Middleware Online Documentation Library
» Configuring XDMS Configuring Presence
» Command Service XDMS Provisioning
» Aggregation Proxy Configuring Presence
» PresenceSupplierWebService PresenceConsumerWebService Configuring Presence Web Services
» MessagingWebServiceConfig Configuring Presence Web Services
» Overview of Diameter Protocol Configuration
» Steps for Configuring Diameter Client Nodes and Relay Agents
» Installing the Diameter Domain
» Enabling the Diameter Console Extension
» Configuring Two-Way SSL for Diameter TLS Channels
» Configuring and Using SCTP for Diameter Messaging
» Creating a New Node Configuration General Node Configuration
» Configuring the Sh Client Application
» Configuring the Rf Client Application Configuring the Ro Client Application
» Configuring a Diameter Relay Agent
» Configuring the Sh and Rf Simulator Applications Enabling Profile Service using an Sh backend
» Configuring Peer Nodes Configuring Routes
» Example Domain Configuration Oracle Fusion Middleware Online Documentation Library
» Troubleshooting Diameter Configurations Oracle Fusion Middleware Online Documentation Library
» Components Architecture User Messaging Service Overview
» Introduction to Oracle User Messaging Service Configuration
» How to Set the Storage Method
» Adding Business Terms How to Add or Remove User Messaging Preferences Business Terms
» About Driver Properties How to Configure a Driver
» Securing Passwords How to Configure a Driver
» E-Mail Driver Interoperability This section details interoperability features of the
» Common Properties These are common driver properties that are indicative of
» Email Custom Properties These are properties specific to this driver and are
» Client API MessageInfo Support These properties are message delivery related
» SMPP Driver Interoperability This section details interoperability features of the
» Custom Properties These are properties specific to this driver and are
» About XMPP XMPP is an open, XML-based protocol for Instant Messaging
» XMPP Driver Interoperability This section details interoperability features of the
» XMPP Custom Properties The XMPP Driver includes the custom properties
» VoiceXML Driver Interoperability This section details interoperability features of
» Click Browse, and navigate to ORACLE_
» Common Properties The following common driver properties are indicative
» Custom Properties The following custom property is available:
» Client API MessageInfo Support This table shows if the protocol or driver
» Web Service Security on Notification
» Enabling UMS Service Security
» Enabling Client Security Securing User Messaging Service
» Keystore Configuration Client Aliases
» Troubleshooting Oracle User Messaging Service
» Configuring Logging Log Files
» Using WebLogic Server Administration Console
» Metrics and Statistics Undeploying and Unregistering Drivers
» Click Invoke. Oracle Fusion Middleware Online Documentation Library
» Proxy Registrar Oracle Fusion Middleware Online Documentation Library
» STUN Service Oracle Fusion Middleware Online Documentation Library
» Goals of the Oracle WebLogic Communication Services Base Platform Load Balancer
» Example of Writing and Retrieving Call State Data
» RDBMS Storage for Long-Lived Call State Data
» Engine Tier Geographically-Redundant Installations
» Example Hardware Configurations Oracle Fusion Middleware Online Documentation Library
» Alternate Configurations Oracle Fusion Middleware Online Documentation Library
» Single-node Topologies OWLCS Deployment Topologies
» Runtime Processes Introduction to OWLCS Enterprise Deployment Topology
» Request Flow Introduction to OWLCS Enterprise Deployment Topology
» Client Connections Introduction to OWLCS Enterprise Deployment Topology
» SIP Containers OWLCS extends the core WebLogic Server platform with a
» Third-Party Load Balancer A third-party load balancer balances the load of
» Proxy Registrar The OWLCS Proxy Registrar combines the functionality of a
» Presence Web Services OWLCS enables Web Service clients to access
» Third-Party Call Control Web Services The Third Party Call Parlay X 2.1
» Aggregation Proxy The Aggregation Proxy authorizes web service calls and
» Authentication Proxy The Authentication Proxy is a SIP application that upon
» File Transfer Service OWLCS includes an Oracle-proprietary file transfer
» Messaging Services Messaging Services implements support for a subset of
» STUN Service The OWLCS STUN Service implements STUN Simple
» DAR Configuration DAR Configuration. Application Router is a SIP
» Oracle Communicator Client Oracle Communicator is a client communication
» State Tier The Oracle WebLogic Communication Services SIP state tier node
» User Dispatcher The User Dispatcher enables the Presence and XDMS
» Oracle RAC Database Oracle RDBMS should be installed and operational in
» Overview of SIP State Tier Configuration
» SIP State Tier with One Partition A single-partition, two server SIP state tier
» SIP State Tier with Two Partitions Multiple partitions can be created by defining
» SIP State Tier with Two Partitions and Two Replicas Replicas of the call state can
» Storing Long-Lived Call State Data in an RDBMS
» Geographic Redundancy Oracle WebLogic Communication Services Enterprise Deployment Topology
» Stateless User Dispatcher and Even Distribution The most basic approach is to
» Presence Application Broadcast Another solution is to have the Presence
» OWLCS Presence Failover Standby Server Pool
» Fatal Failures If the failure is fatal all state information is lost and established
» Temporary Failures A temporary failure is one where none or little data is lost
» Broadcasting Fail-Over Events In this approach each dispatcher instance have
» Shared State If all dispatcher nodes in the cluster share the same state from a
» Updating the Node Set Depending on the algorithm used to find the server
» Migrating Presentities When the node set has been updated some Presentites
» One Presence Server Overloaded for 60 Seconds The cluster consists of four
» One Presence Server Overloaded Multiple Times for Five Seconds This use case
» Overload Policy Triggered by an OWLCS Software Failure A failure in the OWLCS
» A Presence Server Hardware Failure The cluster consists of four Presence
» Expanding the Cluster with One Presence Node The cluster consists of 3 Presence
» Terminology Overview of SIP Application Upgrades
» Requirements and Restrictions for Upgrading Deployed Applications
» Steps for Upgrading a Deployed SIP Application
» Defining the Version in the Manifest
» Deploy the Updated Application Version
» Undeploy the Older Application Version
» Architecture of Web Service Client Applications
» Enabling Client Security Web Service Security
» Keystore Configuration Web Service Security
» Client Aliases Web Service Security
Show more