Oracle WebLogic Server: Creating a new SQL authentication provider

DefaultAuthenticator (created by default) authenticates the users and groups stored in the embedded LDAP server of WebLogic Server. The Administration Server runs the master LDAP and the Managed Servers run replicas of it.


In this recipe, a new SQL authentication provider named PRODSQLProvider is configured and added to the PROD_DOMAIN domain so that users and groups are stored and handled in an Oracle database.
A new data source, ds-Provider, will be created. The database runs at the dbhost hostname and listens on port 1521. The listener accepts requests to the service name dbservice. The database username is dbuser, and the password is dbpwd.

Create the tables needed in your database. The table and column names match the default SQL statements of the SQLAuthenticator, so do not rename them:
  1. Run the following script to create the tables in your Oracle database:
    CREATE TABLE USERS
    (
      U_NAME VARCHAR(200) NOT NULL,
      U_PASSWORD VARCHAR(50) NOT NULL,
      U_DESCRIPTION VARCHAR(1000)
    );
    ALTER TABLE USERS
      ADD CONSTRAINT PK_USERS PRIMARY KEY (U_NAME);
    CREATE TABLE GROUPS
    (
      G_NAME VARCHAR(200) NOT NULL,
      G_DESCRIPTION VARCHAR(1000) NULL
    );
    ALTER TABLE GROUPS
      ADD CONSTRAINT PK_GROUPS PRIMARY KEY (G_NAME);
    CREATE TABLE GROUPMEMBERS
    (
      G_NAME VARCHAR(200) NOT NULL,
      G_MEMBER VARCHAR(200) NOT NULL
    );
    ALTER TABLE GROUPMEMBERS
      ADD CONSTRAINT PK_GROUPMEMS PRIMARY KEY (G_NAME, G_MEMBER);
    ALTER TABLE GROUPMEMBERS
      ADD CONSTRAINT FK1_GROUPMEMBERS FOREIGN KEY (G_NAME) REFERENCES GROUPS (G_NAME) ON DELETE CASCADE;
  2. Populate the tables with the default WebLogic groups:
    INSERT INTO GROUPS (G_NAME, G_DESCRIPTION)
      VALUES ('AdminChannelUsers', 'AdminChannelUsers can access the admin channel.');
    INSERT INTO GROUPS (G_NAME, G_DESCRIPTION)
      VALUES ('Administrators', 'Administrators can view and modify all resource attributes and start and stop servers.');
    INSERT INTO GROUPS (G_NAME, G_DESCRIPTION)
      VALUES ('AppTesters', 'AppTesters group.');
    INSERT INTO GROUPS (G_NAME, G_DESCRIPTION)
      VALUES ('CrossDomainConnectors', 'CrossDomainConnectors can make inter-domain calls from foreign domains.');
    INSERT INTO GROUPS (G_NAME, G_DESCRIPTION)
      VALUES ('Deployers', 'Deployers can view all resource attributes and deploy applications.');
    INSERT INTO GROUPS (G_NAME, G_DESCRIPTION)
      VALUES ('Monitors', 'Monitors can view and modify all resource attributes and perform operations not restricted by roles.');
    INSERT INTO GROUPS (G_NAME, G_DESCRIPTION)
      VALUES ('Operators', 'Operators can view and modify all resource attributes and perform server lifecycle operations.');
    INSERT INTO GROUPS (G_NAME, G_DESCRIPTION)
      VALUES ('OracleSystemGroup', 'Oracle application software system group.');
    COMMIT;
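The following is an added example and not part of the original recipe. It rebuilds the three tables in an in-memory SQLite database (a constructed stand-in for the Oracle database, with the keys declared inline because SQLite has no ALTER TABLE ... ADD CONSTRAINT), loads the default groups, and then runs the lookup statements that the SQLAuthenticator uses by default on its Provider Specific tab. That is why the table and column names must be kept exactly as created. The wlsadmin row, its placeholder U_PASSWORD value and the membership row are constructed; in the real domain the provider writes U_PASSWORD itself, and the injection-style name is only there to show that the provider binds names as parameters.

```python
import sqlite3

# Constructed in-memory stand-in for the Oracle schema in the recipe. SQLite
# has no ALTER TABLE ... ADD CONSTRAINT, so the keys are declared inline; the
# table and column names are unchanged because they are what the
# SQLAuthenticator's default SQL statements expect.
SCHEMA = """
CREATE TABLE USERS (
    U_NAME        VARCHAR(200)  NOT NULL PRIMARY KEY,
    U_PASSWORD    VARCHAR(50)   NOT NULL,
    U_DESCRIPTION VARCHAR(1000)
);
CREATE TABLE GROUPS (
    G_NAME        VARCHAR(200)  NOT NULL PRIMARY KEY,
    G_DESCRIPTION VARCHAR(1000) NULL
);
CREATE TABLE GROUPMEMBERS (
    G_NAME   VARCHAR(200) NOT NULL,
    G_MEMBER VARCHAR(200) NOT NULL,
    PRIMARY KEY (G_NAME, G_MEMBER),
    FOREIGN KEY (G_NAME) REFERENCES GROUPS (G_NAME) ON DELETE CASCADE
);
"""

# The default WebLogic groups inserted in step 2 of the recipe.
DEFAULT_GROUPS = [
    ("AdminChannelUsers", "AdminChannelUsers can access the admin channel."),
    ("Administrators", "Administrators can view and modify all resource attributes and start and stop servers."),
    ("AppTesters", "AppTesters group."),
    ("CrossDomainConnectors", "CrossDomainConnectors can make inter-domain calls from foreign domains."),
    ("Deployers", "Deployers can view all resource attributes and deploy applications."),
    ("Monitors", "Monitors can view and modify all resource attributes and perform operations not restricted by roles."),
    ("Operators", "Operators can view and modify all resource attributes and perform server lifecycle operations."),
    ("OracleSystemGroup", "Oracle application software system group."),
]

# Default lookup statements of the SQLAuthenticator (Provider Specific tab).
# The user or group name is always bound as a parameter ("?"), never concatenated.
SQL_USER_EXISTS = "SELECT U_NAME FROM USERS WHERE U_NAME = ?"
SQL_GET_USERS_PASSWORD = "SELECT U_PASSWORD FROM USERS WHERE U_NAME = ?"
SQL_LIST_MEMBER_GROUPS = "SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ?"
SQL_IS_MEMBER = "SELECT G_MEMBER FROM GROUPMEMBERS WHERE G_NAME = ? AND G_MEMBER = ?"


def build_db():
    """Create the three tables and load the default groups."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO GROUPS (G_NAME, G_DESCRIPTION) VALUES (?, ?)", DEFAULT_GROUPS)
    conn.commit()
    return conn


def add_user(conn, name, stored_password, description=None):
    """Insert a user row. In the real domain the provider writes U_PASSWORD
    itself; the value passed here is a constructed placeholder."""
    conn.execute("INSERT INTO USERS (U_NAME, U_PASSWORD, U_DESCRIPTION) VALUES (?, ?, ?)",
                 (name, stored_password, description))
    conn.commit()


def add_to_group(conn, group, member):
    """Add a membership row; the foreign key rejects groups that do not exist."""
    conn.execute("INSERT INTO GROUPMEMBERS (G_NAME, G_MEMBER) VALUES (?, ?)", (group, member))
    conn.commit()


def user_exists(conn, name):
    return conn.execute(SQL_USER_EXISTS, (name,)).fetchone() is not None


def stored_password(conn, name):
    row = conn.execute(SQL_GET_USERS_PASSWORD, (name,)).fetchone()
    return None if row is None else row[0]


def member_groups(conn, name):
    return sorted(row[0] for row in conn.execute(SQL_LIST_MEMBER_GROUPS, (name,)))


def is_member(conn, group, member):
    return conn.execute(SQL_IS_MEMBER, (group, member)).fetchone() is not None


def group_count(conn):
    return conn.execute("SELECT COUNT(*) FROM GROUPS").fetchone()[0]


def delete_group(conn, group):
    """Drop a group; ON DELETE CASCADE removes its membership rows with it."""
    conn.execute("DELETE FROM GROUPS WHERE G_NAME = ?", (group,))
    conn.commit()


if __name__ == "__main__":
    db = build_db()
    add_user(db, "wlsadmin", "<written by the provider>", "SQL provider administrator")
    add_to_group(db, "Administrators", "wlsadmin")
    print(member_groups(db, "wlsadmin"))                              # ['Administrators']
    # A name carrying SQL is bound as data, so it matches nothing.
    print(is_member(db, "Administrators", "wlsadmin' OR '1'='1"))     # False
```

Run it as a script to see the membership lookup for wlsadmin; the cascade delete and the rejected membership for a non-existent group are the two behaviours the constraints in the recipe exist to give you.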


Access the Administration Console to create the new data source ds-Provider:
  1. Access the Administration Console by pointing your web browser to http://adminhost.domain.local:7001/console.
  2. Click on the Lock & Edit button to start a new edit session.
  3. Expand the Services tree to the left, and then click on Data Sources.
  4. Click on the New button and then click on Generic Data Source.
  5. Enter ds-Provider in the Name field and jdbc/ds-Provider in the JNDI Name field. Leave the Database Type drop-down menu with the Oracle option selected. Click on the Next button.
  6. Choose *Oracle's Driver (Thin) for Service connections; Versions:9.0.1 and later from the Database Driver drop-down menu. Click on the Next button.
  7. Leave Transaction Options with the default values and click on the Next button.
  8. On the Connection Properties page, enter dbservice in the Database Name field, dbhost in the Host Name field, and 1521 in the Port field. Fill the Database User Name, Password, and Confirm Password fields with dbuser and dbpwd. Click on the Next button.
  9. Click on the Next button on the Test Database Connection page.
  10. Select the PROD_AdminServer checkbox and the All servers in the cluster radio button from the PROD_Cluster cluster. Click on the Finish button.
  11. Click on the Activate Changes button.
Create a new security provider, PRODSQLProvider:
  1. Click on the Lock & Edit button to start a new edit session.
  2. Click on the Security Realms option (shown in the following screenshot) in the left-hand navigation box and then click on the myrealm link.
  3. On the Settings for myrealm page, click on the Providers tab.
  4. Click on the New button on the Authentication Providers page.
  5. Enter PRODSQLProvider in the Name text field and choose SQLAuthenticator in the Type drop-down menu. Click on the OK button.
  6. Click on PRODSQLProvider and then click on the Provider Specific tab.
  7. Enter ds-Provider in the Data Source Name text field (as shown in the following screenshot) and click on the Save button. Leave all other options at their default values: the default SQL statements on this tab reference the USERS, GROUPS, and GROUPMEMBERS tables and columns created earlier.
  8. Click on the Activate Changes button.
  9. Restart all instances of PROD_DOMAIN.
Create a new user, wlsadmin, for your new provider:
  1. Access the Administration Console again by pointing your web browser to http://adminhost.domain.local:7001/console.
  2. Click on the Security Realms option in the left-hand navigation box, and then click on the myrealm link.
  3. Click on the Users and Groups tab.
  4. On the Users page, click on the New button.
  5. Enter wlsadmin in the Name text field, choose the PRODSQLProvider from the Provider drop-down menu, and enter wlspwd123 in the Password and Confirm Password text fields. Click on the OK button, as shown in the following screenshot:
  6. Click on the previously created wlsadmin user for PRODSQLProvider and click on the Groups tab.
  7. Associate the Administrators group with the user by selecting the Administrators checkbox in the Available: table and then clicking on the > button (as shown in the following screenshot). Click on the Save button.
Make PRODSQLProvider the first provider and leave DefaultAuthenticator as the second. To do this, follow these steps:
  1. Click on the Lock & Edit button to start a new edit session.
  2. Click on the Security Realms option in the left-hand navigation box and then click on the myrealm link.
  3. On the Settings for myrealm page, click on the Providers tab.
  4. Click on the Reorder button.
  5. Select the PRODSQLProvider checkbox in the Available table and click on the upper arrow on the right to move PRODSQLProvider to the top of the list (as shown in the following screenshot). Click on the OK button.
  6. Click on PRODSQLProvider again. Change the Control Flag drop-down menu to SUFFICIENT. Click on the Save button.
  7. Go back to the Providers page and click on DefaultAuthenticator. Change the Control Flag drop-down menu selection to SUFFICIENT. Click on the Save button. With both providers set to SUFFICIENT, a login succeeds as soon as either provider accepts the credentials, so the users in the embedded LDAP (the original administrator included) keep working alongside the SQL users.
  8. Click on the Activate Changes button.
  9. Shut down the Administration Server and all instances of the PROD_DOMAIN.
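As an added example (not part of the original recipe), the function below applies the JAAS control-flag rules that WebLogic follows when it walks the ordered provider list, so you can see why the order in step 5 and the flags in steps 6 and 7 matter. The provider stand-ins, their clear-text account maps, the weblogic/welcome1 credentials and the rotated SQL password for weblogic are all constructed. The flags in unchanged_flags_stack are an assumption about the state before steps 6 and 7 (OPTIONAL for a newly created provider, REQUIRED for DefaultAuthenticator); confirm them in your own console.

```python
from enum import Enum


class Flag(Enum):
    """JAAS control flags as offered in the provider's Control Flag drop-down."""
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


class Provider:
    """Stand-in for one authentication provider: its name, its control flag and
    the accounts it can vouch for. The account map is a constructed clear-text
    dict; only the flag logic is under study, so no hashing is modelled."""

    def __init__(self, name, flag, accounts):
        self.name = name
        self.flag = flag
        self.accounts = accounts

    def login(self, user, password):
        return self.accounts.get(user) == password


def authenticate(providers, user, password):
    """Evaluate the ordered provider list with JAAS semantics.

    Returns (authenticated, trace). trace holds (provider name, 'success' or
    'failure') for every provider that was actually consulted, which shows
    where the chain stopped.
    """
    trace = []
    required_failed = False   # any REQUIRED or REQUISITE provider failed
    required_ok = 0           # REQUIRED or REQUISITE providers that succeeded
    optional_ok = 0           # SUFFICIENT or OPTIONAL providers that succeeded
    for p in providers:
        ok = p.login(user, password)
        trace.append((p.name, "success" if ok else "failure"))
        if p.flag in (Flag.REQUIRED, Flag.REQUISITE):
            if ok:
                required_ok += 1
            else:
                required_failed = True
                if p.flag is Flag.REQUISITE:
                    break   # a REQUISITE failure ends the chain immediately
        elif p.flag is Flag.SUFFICIENT:
            if ok:
                optional_ok += 1
                if not required_failed:
                    break   # SUFFICIENT success: later providers are not consulted
        elif ok:            # OPTIONAL never decides on its own, but a success counts
            optional_ok += 1
    if required_failed:
        return False, trace
    if required_ok:
        return True, trace
    return optional_ok > 0, trace   # no REQUIRED/REQUISITE seen: one success needed


# Constructed account data. wlsadmin is the user created in this recipe; the
# weblogic entries stand for the original embedded-LDAP administrator and a
# copy of that account created in the SQL provider with a rotated password.
SQL_ACCOUNTS = {"wlsadmin": "wlspwd123", "weblogic": "NewPwd456"}
LDAP_ACCOUNTS = {"weblogic": "welcome1"}


def recipe_stack():
    """Steps 5 to 7 applied: SQL provider first, both SUFFICIENT."""
    return [Provider("PRODSQLProvider", Flag.SUFFICIENT, SQL_ACCOUNTS),
            Provider("DefaultAuthenticator", Flag.SUFFICIENT, LDAP_ACCOUNTS)]


def unchanged_flags_stack():
    """Step 5 applied but steps 6 and 7 skipped: flags assumed to be OPTIONAL for
    the new provider and REQUIRED for DefaultAuthenticator."""
    return [Provider("PRODSQLProvider", Flag.OPTIONAL, SQL_ACCOUNTS),
            Provider("DefaultAuthenticator", Flag.REQUIRED, LDAP_ACCOUNTS)]


if __name__ == "__main__":
    for label, stack in (("recipe", recipe_stack()), ("flags unchanged", unchanged_flags_stack())):
        for user, pwd in (("wlsadmin", "wlspwd123"), ("weblogic", "welcome1"), ("weblogic", "NewPwd456")):
            ok, trace = authenticate(stack, user, pwd)
            print(f"{label:16} {user}/{pwd}: {'OK ' if ok else 'FAIL'} {trace}")
```

Two things the trace makes visible: with the flags left unchanged, wlsadmin is accepted by the SQL provider and still rejected overall because the REQUIRED DefaultAuthenticator does not know the user; and with the recipe's SUFFICIENT/SUFFICIENT pair, the old embedded-LDAP password for weblogic keeps working even after a new password for the same name is set in the SQL provider, so stale LDAP accounts need to be cleaned up rather than merely shadowed.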
Change the boot.properties file of the Administration Server so that it boots with the wlsadmin user from PRODSQLProvider, by following these steps:
  1. Go to the security folder of the Administration Server:
    [wls@prod01]$ cd $DOMAIN_HOME/servers/PROD_AdminServer/security


  2. Recreate the boot.properties file to match the wlsadmin user created:
    [wls@prod01]$ echo -ne "username=wlsadmin\npassword=wlspwd123" > boot.properties
    [wls@prod01]$ cat boot.properties
    username=wlsadmin
    password=wlspwd123
    The credentials are written in clear text; WebLogic Server encrypts both values the next time the Administration Server starts, so keep the file readable by its owner only (mode 600) in the meantime.
  3. Start the Administration Server.