Installing on Oracle WebLogic Server

NOTE: This chapter assumes the iKnowBase database repository has been created, as outlined in Quick Installation and upgrade overview .

Installation on Oracle WebLogic Server has the following tasks:

Install the Oracle-software
Configure WebLogic
Create a data source and deploy to the target
Configure web application security
Deploy the Resource-directory and java web application to the WebLogic Server

Installation and configuration of WebLogic

Non-clustered:

Install a domain containing one or more managed servers.

Clustered:

Install a domain containing

a cluster
one or more managed servers supporting the cluster
The WebDAV and Instant module does not support clustering. This requires an additional virtual host, separate managed server or a cluster containing only one managed server. Do one of
- Route by vhost: a virtual host exclusively for the non clustered modules backed by one managed server (typically YOURHOSTNAME-nocluster.YOURDOMAINNAME, YOURHOSTNAME-webdav.YOURDOMAINNAME or YOURHOSTNAME-instant.YOURDOMAINNAME)
- Route by server: a managed server not part of the cluster and route traffic to this instance using a reverse proxy.

Create and deploy data source

From the administrative console (http://localhost:7001/console), create a data source with

Name: iknowbaseDS
JNDI Name: jdbc/iknowbaseDS
Supports Global Transactions: Disable
Target: The cluster where the applications will be deployed.

Configure web application security

The default web application security mode for iKnowBase deployed to WebLogic is container mode, which means we’ll rely on WebLogic for authentication. You may change to the other web application security modes at any time.

See iKnowBase Installation Guide > Web Application Security for additional explanations.

However, some of WebLogic’s authentication modules like SPNEGO and SAML2 require special deployment descriptor and role protection not included in the standard web
archive to function properly. Contact support for assistance if you require use of these WebLogic authentication modules. Note that iKnowBase’s set of authentication modules includes both SPNEGO and SAML2.

If you are using container mode for authentication, start with adding the orcladmin user to the default realm’s user repository (WebLogic internal is default, but may be set to other supported user repositories).

iKnowBase does not require any roles for these users, as authorization will be done based on the mapped user in the iKnowBase User Repository.

Deploy applications

Non-clustered

Deployment example using the WebLogic console:

Select “deployments” in the domain structure.
Select “install” in the “Summary of deployments” screen
Select the relevant web archive.
Choose to deploy as an application (and not as a library)
Target applications:
- A managed server or vhost
  - You may enable all modules on a single deployment, but if you use multiple non clustered managed servers, you must ensure that the WebDAV and Instant modules is enabled on only one manager server.

Clustered

Deployment example using the WebLogic console:

Select “deployments” in the domain structure.
Select “install” in the “Summary of deployments” screen
Select the relevant web archive.
Choose to deploy as an application (and not as a library)
Target applications:
- Deploy iknowbase-webapp to the cluster on / with all required modules except WebDAV and Instant.
- Deploy iknowbase-webapp with a different name like “iknowbase-webapp-nocluster” to the vhost/managed server on / with the WebDAV and Instant modules enabled (all the other modules may be disabled).
  - Configure WebDAV to respond to WebDAV specific hostnames (see WebDAV configuration)
  - Instant will respond to the /ikbInstant path.
If you want, go to the tab “Configuration, General”, and set the context root.
If you make configuration changes, and need to save a deployment plan, store it in a safe directory.

Clusters and session replication

The iKnowBase web application is configured to replicate HTTP sessions when targeted to an application server cluster. This enhances support for failover and reduces impact for the user during a failover scenario.

The session replication mechanism configured is

<session-descriptor>
<persistent-store-type>replicated_if_clustered</persistent-store-type>
</session-descriptor>

The persistent-store-type “replicated_if_clustered” requires a homogeneous deployment to the cluster. You cannot target applications with this setting to selected parts of the cluster.

The persistent-store-type can be changed with deployment plans. See weblogic.xml session descriptor element for available options.

Configure user realms (authentication)

See iKnowBase Installation Guide > Web Application Security for additional authentication options provided by iKnowBase.

The next sections discuss WebLogic Container Mode for authentication.

Using Oracle Internet Directory for authentication

WebLogic allows simple configuration of authentication providers. Configure as appropriate by following this procedure:

Chose the realm to change
Under “Providers”, “Authentication”, add the Oracle Internet Directory provider
Set the control flag as required, normally to “sufficient” to allow users to log in if they exist in this provider
Add further configuration values as required by your OID-configuration.

Using the iKnowBase user repository for authentication

If you do not require WebLogic container mode for authentication, we recommend switching to iKnowBase’s own authentication modules, see iKnowBase Installation Guide > Web Application Security for additional explanations.

If you require WebLogic container mode it is possible to authenticate directly against the iKnowBase User Repository, through the custom IKBAuthenticationPlugin supplied as part of iKnowBase.

Overview

When installed, this provider will lookup usernames and passwords from the IKB_USER-table in the iKnowBase database schema, where the passwords are stored in encrypted form (SHA1-hash algorithm). A user will be authenticated if the username matches the one in the database, and the hashed password from the database matches what the user enters.

Installation

To install the plugin, perform the following steps:

Install “iknowbase-weblogic-plugin-7.0.4.jar” on your server, for example in the directory "/app/oracle/Middleware/wlserver_12.1/server/ext"
Change “bin/setDomainEnv.sh” (or .bat), and add the plugin to the PRE_CLASSPATH.

PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/ext/iknowbase-weblogic-plugin-7.0.4.jar"

Edit the weblogic realm definition, and add a new authentication provider of type “CustomDBMSAuthenticator”. Be sure to configure the following properties:
- The “Control flag” should normally be “SUFFICENT”, to make sure that it is sufficient for the user to be authenticated through this provider only.
- “Plaintext Passwords Enabled” should be set to false, since all passwords in the iknowbase database are encrypted.
- “Data Source Name” should be set to a preconfigured data source, which points to the iKnowBase database. Note that this is the name of the data source, not the jndi name.
- “Group membership searching” should be set to “limited”.
- “Plugin class name” must be set to "com.iknowbase.weblogic.IKBAuthenticationPlugin"
Make sure that there are no other providers installed above this one that are marked as “REQUIRED”. Typically, install this provider on top.
Make sure that the data source you referred to above is deployed to all servers in the domain, since all servers will be using this new authenticator.

Troubleshooting

By default, the plugin does not write any log information. However, if the java system property “com.iknowbase.weblogic.IKBAuthenticationPlugin.log” is set to the value “true”, the plugin will log operations to standard out, which is normally captured into the server log file (AdminServer.log for the admin server). Enable the system property in the startup script, like this (note that this is two lines only; they are broken into multiple lines here for layout purposes).

PRE_CLASSPATH="${PRE_CLASSPATH}${CLASSPATHSEP}${WL_HOME}/server/ext/iknowbase-weblogic-plugin-7.0.4.jar"
EXTRA_JAVA_PROPERTIES="-Dcom.iknowbase.weblogic.IKBAuthenticationPlugin.log=true"

With this, you will see log output matching this:

<Sep 25, 2009 7:05:30 PM CEST> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.> 
IKBAuthenticationPlugin.lookupPassword: username=weblogic
IKBAuthenticationPlugin.lookupPassword: Found password for user=weblogic
IKBAuthenticationPlugin.userExists: Searching for username=weblogic
IKBAuthenticationPlugin.userExists: Search for username=weblogic returns true
IKBAuthenticationPlugin.lookupUserGroups: Searching for username=weblogic
IKBAuthenticationPlugin.lookupUserGroups: Search for username=weblogic returns[]

Configure SSL

We strongly recommend using SSL (https) for all production sites.

Terminating SSL in the application server

The procedures for terminating SSL directly in the application server can be found in the WebLogic documentation.

Terminating SSL in an external proxy

If you terminate SSL in an external proxy, that proxy will typically use HTTP (an unsecured connection) to talk to the application server. Then, the application server will not be aware that the browser sees a secure connection, and will by default generate links to an unsecure site. To avoid this, note the following items:

Configure the load balancer to generate a HTTP header called “WL-Proxy-SSL” with the value "true"
Configure the WebLogic application server domain to detect WebLogic Plugin headers. From the WebLogic console, select your domain, and then Configuration -> WebApplications. Here, enable the “WebLogic Plugin Enabled” setting.
Verify this setup by loading /ikb$console/java/request using from a secure connection; the value “Requested URL” should indicate a https-scheme
For more information, see http://fusionsecurity.blogspot.no/2011/04/ssl-offloading-and-weblogic-server.html.

If using Apache httpd for ssl-termination, the following configuration in httpd.conf should set the required header:

<Virtualhost ...>
...
RequestHeader set WL-Proxy-SSL true
...
</Virtualhost>

In the WebLogic domain configuration (config.xml), you would find the following snippet:

<web-app-container>
  <weblogic-plugin-enabled>true</weblogic-plugin-enabled>
</web-app-container>

Terminating SSL using Apache with WebLogic Plugin

If you use the Oracle WebLogic Plugin for Apache, also set this parameter WLProxySSLPassThrough On to pass on the SSL information to Oracle WebLogic Server.

Troubleshooting

Database connections through firewall or on an unreliable network

When accessing a database through a firewall or on an unreliable network, use the Oracle Net connection descriptor syntax with ENABLE=BROKEN instead of the standard JDBC URL syntax as the database connection string.

Default JDBC URL:

jdbc:oracle:thin:@//localhost:1521/ORCL

Using Oracle Net connection descriptor syntax:

jdbc:oracle:thin:@(DESCRIPTION = (ENABLE = BROKEN)(ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521)))(CONNECT_DATA =(SERVER = DEDICATED)(SERVICE_NAME = ORCL)(FAILOVER_MODE =(TYPE = SESSION)(METHOD = BASIC))))

WARN – BEA-101388 – The ServletContext was passed to the ServletContextListener.contextInitialized method of a ServletContextListener that was neither declared in web.xml or web-fragment.xml, nor annotated with javax.servlet.annotation.WebListener

Related to activation of the iKnowBase Instant module on WebLogic. This warning can be ignored.

iKnowBase tracking reference: IKB-2893

WebServices: java.lang.NoSuchMethodError: oracle.xml.parser.v2.XMLDocument.setSkipNodeNameValidate

WebLogic 12.1.3 JDBC driver conflict. Note that 12c database drivers for JDBC SQL XML support are not required for 12.1.3. iKnowBase 6.6 and 6.7 documented JDBC SQL XML additions required for WLS 12.1.1 and 12.1.2, but that is not a required installation step for WLS 12.1.3.