Installing on Oracle WebLogic Server
Previous		Next
iKnowBase Quickstart embedded web server		Installing on GlassFish Server

Installing on Oracle WebLogic Server

Installation on Oracle WebLogic Server has the following tasks:

Install the Oracle-software
Configure WebLogic
Create a data source and deploy to the target
Deploy the Resource-directory and java web applications to the WebLogic Server

Installation and configuration of WebLogic

Install a domain containing

a cluster
one or more managed servers supporting the cluster
a virtual host exclusively for WebDav backed by one managed server (typically YOURHOSTNAME-webdav.YOURDOMAINNAME)
- WebDav does NOT support clustering and must be deployed to a single managed server or virtual host targeting a single managed server.

WebDav must be deployed to context root / and since ikbViewer also typically is deployed to /, we recommend creating a WebLogic virtual host and target WebDav to this virtual host. A web request to / on the WebDav virtual host will be routed to WebDav, and on all other hosts be routed to the Viewer.

Create and deploy data source

From the administrative console (http://localhost:7001/console), create a data source with

Name: iknowbaseDS
JNDI Name: jdbc/iknowbaseDS
Supports Global Transactions: Disable
Target: The cluster where the applications will be deployed.

Configure a user repository (realm)

Create groups in the default realm for each of the iknowbase roles user, developer and sysadmin. The groups must be named after the roles, e.g. IKB_USERS, IKB_DEVELOPERS and IKB_SYSADMINS.

Deploy applications

For each of the application archives, deploy using the WebLogic console:

Select “deployments” in the domain structure.
Select “install” in the “Summary of deployments” screen
Select the relevant web archive.
Choose to deploy as an application (and not as a library)
Target applications:
- All applications except iKnowBase WebDav should be targeted to the cluster.
- iKnowBase WebDav should be targeted to the webdav virtual host
If you want, go to the tab “Configuration, Ressurs”, and set the context root.
If you make configuration changes, and need to save a deployment plan, store it in a safe directory.

Clusters and session replication

The iKnowBase web applications are configured to replicate HTTP sessions when they are targeted to an application server cluster. This enhances support for failover and reduces impact for the user during a failover scenario.

The session replication mechanism configured is

<session-descriptor>
<persistent-store-type>replicated_if_clustered</persistent-store-type>
</session-descriptor>

The persistent-store-type “replicated_if_clustered” requires a homogeneous deployment to the cluster. You cannot target applications with this setting to selected parts of the cluster.

The persistent-store-type can be changed with deployment plans. See weblogic.xml session descriptor element for available options.

Note: ikbWebdav does not support clustering and is not configured with persistent-store-type.

Configure user realms (authentication)

Using Oracle Internet Directory for authentication

WebLogic allows simple configuration of authentication providers. Configure as appropriate by following this procedure:

Chose the realm to change
Under “Providers”, “Authentication”, add the Oracle Internet Directory provider
Set the control flag as required, normally to “sufficient” to allow users to log in if they exist in this provider
Add further configuration values as required by your OID-configuration.

Using the iKnowBase user repository for authentication

It is possible to authenticate directly against the iKnowBase user tables, through the custom IKBAuthenticationPlugin supplied as part of iKnowBase.

Overview

When installed, this provider will lookup usernames and passwords from the IKB_USER-table in the iKnowBase database schema, where the passwords are stored in encrypted form (SHA1-hash algorithm). A user will be authenticated if the username matches the one in the database, and the hashed password from the database matches what the user enters.

Further, the provider will provide group information to the WebLogic server. The list of group names is the union of all external keys in all groups the user is a member of. For proper use with the iKnowBase-applications, you should have groups with external keys “IKB_USERS”, “IKB_DEVELOPERS” and “IKB_SYSADMINS”, matching the users roles required for the java applications to work.

Installation

To install the plugin, perform the following steps:

Install “iknowbase-weblogic-plugin-VERSION.jar” on your server, for example in the directory "/app/oracle/Middleware/wlserver_12.1/server/ext"
Change “bin/setDomainEnv.sh” (or .bat), and add the plugin to the PRE_CLASSPATH.

PRE_CLASSPATH=/app/oracle/Middleware/wlserver_12.1/server/ext/iknowbase-weblogic-plugin-VERSION.jar

Edit the weblogic realm definition, and add a new authentication provider of type “CustomDBMSAuthenticator”. Be sure to configure the following properties:
- The “Control flag” should normally be “SUFFICENT”, to make sure that it is sufficient for the user to be authenticated through this provider only.
- “Plaintext Passwords Enabled” should be set to false, since all passwords in the iknowbase database are encrypted.
- “Data Source Name” should be set to a preconfigured data source, which points to the iKnowBase database. Note that this is the name of the data source, not the jndi name.
- “Group membership searching” should be set to “limited”.
- “Plugin class name” must be set to "com.iknowbase.weblogic.IKBAuthenticationPlugin"
Make sure that there are no other providers installed above this one that are marked as “REQUIRED”. Typically, install this provider on top.
Make sure that the data source you referred to above is deployed to all servers in the domain, since all servers will be using this new authenticator.

Troubleshooting

By default, the plugin does not write any log information. However, if the java system property “com.iknowbase.weblogic.IKBAuthenticationPlugin.log” is set to the value “true”, the plugin will log operations to standard out, which is normally captured into the server log file (AdminServer.log for the admin server). Enable the system property in the startup script, like this (note that this is two lines only; they are broken into multiple lines here for layout purposes).

PRE_CLASSPATH=/app/oracle/Middleware/wlserver_12.1/server/ext/iknowbase-weblogic-plugin-VERSION.jar
EXTRA_JAVA_PROPERTIES="-Dcom.iknowbase.weblogic.IKBAuthenticationPlugin.log=true"

With this, you will see log output matching this:

<Sep 25, 2009 7:05:30 PM CEST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.> 
IKBAuthenticationPlugin.lookupPassword: username=weblogic
IKBAuthenticationPlugin.lookupPassword: Found password for user=weblogic
IKBAuthenticationPlugin.userExists: Searching for username=weblogic
IKBAuthenticationPlugin.userExists: Search for username=weblogic returns true
IKBAuthenticationPlugin.lookupUserGroups: Searching for username=weblogic
IKBAuthenticationPlugin.lookupUserGroups: Search for username=weblogic returns[]

Configure SSL

We strongly recomment using SSL (https) for all production sites.

Terminating SSL in the application server

The procedures for terminating SSL directy in the application server can be found in the WebLogic documentation.

Terminating SSL in an external proxy

If you terminate SSL in an external proxy, that proxy will typically use HTTP (an unsecured connection) to talk to the application server. Then, the application server will not be aware that the browser sees a secure connection, and will by default generate links to an unsecure site. To avoid this, note the following items:

Configure the load balancer to generate a HTTP header called “WL-Proxy-SSL” with the value "true"
Configure the WebLogic application server domain to detect WebLogic Plugin headers. From the WebLogic console, select your domain, and then Configuration -> WebApplications. Here, enable the “WebLogic Plugin Enabled” setting.
Verify this setup by loading /ikb$console/java/request using from a secure connection; the value “Requested URL” should indicate a https-scheme
For more information, see http://fusionsecurity.blogspot.no/2011/04/ssl-offloading-and-weblogic-server.html.

If using Apache httpd for ssl-termination, the following configuration in httpd.conf should set the required header:

<Virtualhost ...>
...
RequestHeader set WL-Proxy-SSL true
...
</Virtualhost>

In the WebLogic domain configuration (config.xml), you would find the following snippet:

<web-app-container>
  <weblogic-plugin-enabled>true</weblogic-plugin-enabled>
</web-app-container>