Installing on Oracle WebLogic Server

NOTE: This chapter assumes the iKnowBase database repository has been created, as outlined in Quick Installation and upgrade overview .

Installation on Oracle WebLogic Server has the following tasks:

• Install the Oracle-software
• Configure WebLogic
• Create a data source and deploy to the target
• Configure web application security
• Deploy the Resource-directory and java web application to the WebLogic Server

Installation and configuration of WebLogic

Non-clustered:

Install a domain containing one or more managed servers.

Clustered:

Install a domain containing

• a cluster
• one or more managed servers supporting the cluster
• The WebDav and Instant module does not support clustering. This requires an additional virtual host, separate managed server or a cluster containing only one managed server. Do one of
  • Route by vhost: a virtual host exclusively for the non clustered modules backed by one managed server (typically YOURHOSTNAME-nocluster.YOURDOMAINNAME, YOURHOSTNAME-webdav.YOURDOMAINNAME or YOURHOSTNAME-instant.YOURDOMAINNAME)
  • Route by server: a managed server not part of the cluster and route traffic to this instance using a reverse proxy.

JDBC drivers for WebLogic <= 12.1.2

iKnowBase requires JDBC for Oracle Database with SQL XML support. This feature is not enabled in WebLogic by default and must be installed by adding xmlparserv2_sans_jaxp_services.jar and xdb6.jar to the application server classpath.

WebLogic is distributed with JDBC drivers and the additional JDBC SQL XML drivers MUST match the database version for the installed JDBC drivers, which MUST be equal to or greater than your installed Oracle Database version.

The jar files can be found on the Oracle web page, or in the product directory of your database (check ${ORACLE_HOME}/jdbc/lib, ${ORACLE_HOME}/rdbms/jlib and ${ORACLE_HOME}/xdk/lib).

NOTE: WebLogic 12.1.3 does not require any modifications for JDBC SQL XML support.

For Oracle Database 11g and higher

For Oracle Database 11g and higher, we recommend installing the Oracle Database 12c JDBC driver set with SQL XML support.

If you are upgrading an existing installation, read Oracle’s documentation regarding JDBC client upgrade to 12c for WebLogic and backwards compatibility.

The set consists of the following files:

• ojdbc7.jar
  • NOTE JDK6: use ojdbc6 if running with JDK6
  • NOTE Dynamic Monitoring Service (DMS): If you need support for DMS in your application server (iKnowBase does not), use ojdbc7dms.jar
• ucp.jar
• ons.jar
• orai18n.jar
• orai18n-mapping.jar
• oraclepki.jar
• osdt_cert.jar
• osdt_core.jar
• xmlparserv2_sans_jaxp_services.jar
• orai18n-collation.jar
• xdb6.jar

Make the libraries available to WebLogic by uploading them to a directory on the Weblogic server, i.e. ${WL_HOME}/server/lib/db12c/, and add them to the classpath by editing setDomainEnv.sh:

# Database 12c client
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/ojdbc7.jar"
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/ucp.jar"
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/ons.jar"
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/orai18n.jar"
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/orai18n-mapping.jar"
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/oraclepki.jar"
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/osdt_cert.jar"
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/osdt_core.jar"
# Database 12c - SQL XML support
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/xmlparserv2_sans_jaxp_services.jar"
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/orai18n-collation.jar"
PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/lib/db12c/xdb6.jar"

Create and deploy data source

From the administrative console (http://localhost:7001/console), create a data source with

• Name: iknowbaseDS
• JNDI Name: jdbc/iknowbaseDS
• Supports Global Transactions: Disable
• Target: The cluster where the applications will be deployed.

Configure web application security

The default web application security mode for iKnowBase deployed to WebLogic is container mode, which means we’ll rely on WebLogic for authentication. You may change to the other web application security modes at any time.

See iKnowBase Installation Guide > Web Application Security for additional explanations.

If you are using container mode for authentication, start with adding the orcladmin user to the default realm’s user repository (WebLogic internal is default, but may be set to other supported user repositories).

iKnowBase does not require any roles for these users, as authorization will be done based on the mapped user in the iKnowBase User Repository.

Deploy applications

Non-clustered

Deployment example using the WebLogic console:

• Select “deployments” in the domain structure.
• Select “install” in the “Summary of deployments” screen
• Select the relevant web archive.
• Choose to deploy as an application (and not as a library)
• Target applications:
  • A managed server or vhost
    • You may enable all modules on a single deployment, but if you use multiple non clustered managed servers, you must ensure that the WebDav and Instant modules is enabled on only one manager server.

Clustered

Deployment example using the WebLogic console:

• Select “deployments” in the domain structure.
• Select “install” in the “Summary of deployments” screen
• Select the relevant web archive.
• Choose to deploy as an application (and not as a library)
• Target applications:
  • Deploy iknowbase-webapp to the cluster on / with all required modules except WebDav and Instant.
  • Deploy iknowbase-webapp with a different name like “iknowbase-webapp-nocluster” to the vhost/managed server on / with the WebDav and Instant modules enabled (all the other modules may be disabled).
    • Configure WebDav to respond to webdav specific hostnames (see WebDav configuration)
    • Instant will respond to the /ikbInstant path.
• If you want, go to the tab “Configuration, General”, and set the context root.
• If you make configuration changes, and need to save a deployment plan, store it in a safe directory.

Clusters and session replication

The iKnowBase web application is configured to replicate HTTP sessions when targeted to an application server cluster. This enhances support for failover and reduces impact for the user during a failover scenario.

The session replication mechanism configured is

<session-descriptor>
<persistent-store-type>replicated_if_clustered</persistent-store-type>
</session-descriptor>

The persistent-store-type “replicated_if_clustered” requires a homogeneous deployment to the cluster. You cannot target applications with this setting to selected parts of the cluster.

The persistent-store-type can be changed with deployment plans. See weblogic.xml session descriptor element for available options.

Configure user realms (authentication)

See iKnowBase Installation Guide > Web Application Security for additional authentication options provided by iKnowBase.

The next sections discuss WebLogic Container Mode for authentication.

Using Oracle Internet Directory for authentication

WebLogic allows simple configuration of authentication providers. Configure as appropriate by following this procedure:

• Chose the realm to change
• Under “Providers”, “Authentication”, add the Oracle Internet Directory provider
• Set the control flag as required, normally to “sufficient” to allow users to log in if they exist in this provider
• Add further configuration values as required by your OID-configuration.

Using the iKnowBase user repository for authentication

If you do not require WebLogic container mode for authentication, we recommend switching to iKnowBase’s own authentication modules, see iKnowBase Installation Guide > Web Application Security for additional explanations.

If you require WebLogic container mode it is possible to authenticate directly against the iKnowBase User Repository, through the custom IKBAuthenticationPlugin supplied as part of iKnowBase.

Overview

When installed, this provider will lookup usernames and passwords from the IKB_USER-table in the iKnowBase database schema, where the passwords are stored in encrypted form (SHA1-hash algorithm). A user will be authenticated if the username matches the one in the database, and the hashed password from the database matches what the user enters.

Installation

To install the plugin, perform the following steps:

• Install “iknowbase-weblogic-plugin-6.7.jar” on your server, for example in the directory "/app/oracle/Middleware/wlserver_12.1/server/ext"
• Change “bin/setDomainEnv.sh” (or .bat), and add the plugin to the PRE_CLASSPATH.

PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/ext/iknowbase-weblogic-plugin-6.7.jar"

• Edit the weblogic realm definition, and add a new authentication provider of type “CustomDBMSAuthenticator”. Be sure to configure the following properties:
  • The “Control flag” should normally be “SUFFICENT”, to make sure that it is sufficient for the user to be authenticated through this provider only.
  • “Plaintext Passwords Enabled” should be set to false, since all passwords in the iknowbase database are encrypted.
  • “Data Source Name” should be set to a preconfigured data source, which points to the iKnowBase database. Note that this is the name of the data source, not the jndi name.
  • “Group membership searching” should be set to “limited”.
  • “Plugin class name” must be set to "com.iknowbase.weblogic.IKBAuthenticationPlugin"
• Make sure that there are no other providers installed above this one that are marked as “REQUIRED”. Typically, install this provider on top.
• Make sure that the data source you referred to above is deployed to all servers in the domain, since all servers will be using this new authenticator.

Troubleshooting

By default, the plugin does not write any log information. However, if the java system property “com.iknowbase.weblogic.IKBAuthenticationPlugin.log” is set to the value “true”, the plugin will log operations to standard out, which is normally captured into the server log file (AdminServer.log for the admin server). Enable the system property in the startup script, like this (note that this is two lines only; they are broken into multiple lines here for layout purposes).

PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/ext/iknowbase-weblogic-plugin-6.7.jar"
EXTRA_JAVA_PROPERTIES="-Dcom.iknowbase.weblogic.IKBAuthenticationPlugin.log=true"

With this, you will see log output matching this:

<Sep 25, 2009 7:05:30 PM CEST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.> 
IKBAuthenticationPlugin.lookupPassword: username=weblogic
IKBAuthenticationPlugin.lookupPassword: Found password for user=weblogic
IKBAuthenticationPlugin.userExists: Searching for username=weblogic
IKBAuthenticationPlugin.userExists: Search for username=weblogic returns true
IKBAuthenticationPlugin.lookupUserGroups: Searching for username=weblogic
IKBAuthenticationPlugin.lookupUserGroups: Search for username=weblogic returns[]

Configure SSL

We strongly recommend using SSL (https) for all production sites.

Terminating SSL in the application server

The procedures for terminating SSL directly in the application server can be found in the WebLogic documentation.

Terminating SSL in an external proxy

If you terminate SSL in an external proxy, that proxy will typically use HTTP (an unsecured connection) to talk to the application server. Then, the application server will not be aware that the browser sees a secure connection, and will by default generate links to an unsecure site. To avoid this, note the following items:

• Configure the load balancer to generate a HTTP header called “WL-Proxy-SSL” with the value "true"
• Configure the WebLogic application server domain to detect WebLogic Plugin headers. From the WebLogic console, select your domain, and then Configuration -> WebApplications. Here, enable the “WebLogic Plugin Enabled” setting.
• Verify this setup by loading /ikb$console/java/request using from a secure connection; the value “Requested URL” should indicate a https-scheme
• For more information, see http://fusionsecurity.blogspot.no/2011/04/ssl-offloading-and-weblogic-server.html.

If using Apache httpd for ssl-termination, the following configuration in httpd.conf should set the required header:

<Virtualhost ...>
...
RequestHeader set WL-Proxy-SSL true
...
</Virtualhost>

In the WebLogic domain configuration (config.xml), you would find the following snippet:

<web-app-container>
  <weblogic-plugin-enabled>true</weblogic-plugin-enabled>
</web-app-container>

Troubleshooting

Database connections through firewall or on an unreliable network

When accessing a database through a firewall or on an unreliable network, use the Oracle Net connection descriptor syntax with ENABLE=BROKEN instead of the standard JDBC URL syntax as the database connection string.

Default JDBC URL:

jdbc:oracle:thin:@//localhost:1521/ORCL

Using Oracle Net connection descriptor syntax:

jdbc:oracle:thin:@(DESCRIPTION = (ENABLE = BROKEN)(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ORCL)(FAILOVER_MODE =(TYPE = SESSION)(METHOD = BASIC))))

WARN – BEA-101388 – The ServletContext was passed to the ServletContextListener.contextInitialized method of a ServletContextListener that was neither declared in web.xml or web-fragment.xml, nor annotated with javax.servlet.annotation.WebListener

Related to activation of the iKnowBase Instant module on WebLogic. This warning can be ignored.

iKnowBase tracking reference: IKB-2893

WebServices: java.lang.NoSuchMethodError: oracle.xml.parser.v2.XMLDocument.setSkipNodeNameValidate

WebLogic 12.1.3 JDBC driver conflict. Note that 12c database drivers for JDBC SQL XML support are not required for 12.1.3.