Welcome!

Weblogic Authors: Yeshim Deniz, Elizabeth White, Michael Meiner, Michael Bushong, Avi Rosenthal

Related Topics: Java IoT, Weblogic

Java IoT: Article

WLST and Security Configuration

Using WLST to configure some of the latest security provisions

WebLogic Server Scripting Tool (WLST) provides powerful command-line capability for system administrators and developers to configure WebLogic server environments. However, its usage and adoption does not reach its full potential, seen at many working places, due to various reasons. This article gives a detailed example of using WLST to configure some of the latest security provisions (SAML 2.0) of WebLogic server, and provides insights on how to overcome the possible hurdles which prevent one from using the tool.

Why WLST and What's Stopping You?
Now it's not difficult to do a little research yourself and find out WLST is useful for configuring WebLogic server and Jython/Python itself is a popular scripting language, so why WLST is not used, or at least not consistently used, in many WebLogic projects, considering it has existed for quite some time.

After all, the benefits of using a scripting language in the task of setting up a server seem very appealing, in comparison to doing it using GUI console:

  • Do it once, and use the same script for multiple servers or multiple project environments, e.g. development, integration testing, staging, production;
  • Script runs faster than manual configuration;
  • Script is less error-prone;
  • Script can be easily source controlled;
  • Script is more apt to be consolidated into enterprise standard.

So what's stopping you?

The first reason is Jython. To do WLST, you need to create Jython scripts. However, that's a gray area between system administration and programming. It involves knowing physical environment, WebLogic server structure and internal objects (MBeans), application needs and structures, and most importantly putting everything together using Jython script. Neither administrators nor developers are very comfortable with handling this task alone.

Another reason is why scripting if there's an easy to use GUI console. Even so, when you navigate the object tree within WLST, some objects or operations are not easily found. While within WebLogic GUI console, what you're looking for is more handily available.

Furthermore, although there's some information on using the tool, including a detailed command list within WebLogic document, you still need to do your own research to figure out the details when scripting specific components you want.

The following sections address those concerns, as well as walking through an example on setting up SAML 2.0 related security components.

Learning Jython (or Not)
Jython is the Java implementation of the Python scripting language. Scripting language usually provides a faster to development programming environment and has a task oriented nature.

But do you really need to spend the next several months learning a new language (if you don't already know) before using WLST? It's actually not necessary if you're already programming savvy (Java, Shell, etc.). As you will see from the example, the essential functions for configuration are easy to understand, and with the help of WebLogic documentation, the WLST commands can be easily practiced with WLST interactive mode to get familiar with. You may also do some recording at the same time so the commands can later be put into a script file. With that experience, it should help you to learn details of the Jython language more easily should the need arise.

Console or Scripting or Both
WebLogic GUI console is a convenient tool for making configurations. However, when it comes time to move configuration from one environment to another, it becomes cumbersome. Writing scripts, on the other hand, can help you easily add a specific component across various enterprise environments without much hassle.

But you're not familiar with navigating through the object tree within WLST yet. Sometimes you feel it's difficult to find an object or operation.

The trick here is to use console as guidance when writing scripts. The navigation sequence in GUI console doesn't match totally to that of the command line, but close enough in many cases. You can also use ls() and cmo() (WLST commands) constantly in combination with hints got from GUI console to guess what path you should take to write the next piece of script.

A Real Example
If you can read a little about WebLogic MBean structure and SAML 2.0 technology, e.g. through the references listed in the end, it may help you to understand this section better. However, it's not necessary if you just want to have more understanding of WLST and get confident to start your own script. The example here assumes WebLogic 10.3, but the same idea should apply to other versions as well. Also, it only covers SAML token consumer, and not the identity provider.

Let's start by defining some common variables:

user = ‘administrator'

pwd = 'password'

serverPath = 't3://localhost:7001'

domainName = ‘TestDomain'

idpMetaFile = '/idp/security/metadata.xml'

Note: the metadata.xml is provided by SAML identity provider, which could be another WebLogic server, or a third-party provider.

Next, connect to the server:

connect(user, pwd, serverPath)

Now, create the essential SAML identity asserter and authenticator:

edit()

rlmPath = ‘/SecurityConfiguration/' + domainName + ‘/Realms/myrealm'

cd(rlmPath)

startEdit()

saml2iaName = "SAML2IdentityAsserter"

samlauthName = "SAMLAuthenticator"

cmo.createAuthenticationProvider(saml2iaName, "com.bea.security.saml2.providers.SAML2IdentityAsserter")

cmo.createAuthenticationProvider(samlauthName, "weblogic.security.providers.saml.SAMLAuthenticator")

cd(‘AuthenticationProviders/SAMLAuthenticator')

cmo.setControlFlag(‘SUFFICIENT')

cd(‘../DefaultAuthenticator')

cmo.setControlFlag(‘SUFFICIENT')

save()

activate(block='true')

Tip: in the above script, it changes WLST scripting mode to EDIT before continuing with the real setup. Although it's not absolutely accurate, you can get the clue when you need to click "Lock & Edit" before making the same configuration in GUI console.

The configuration you just made requires server restart, do it using script or manually, depending on how you customized your server startup script. Reconnect to server within WLST console after server restarts.

Now let's configure a WEB SSO partner for the SAML identity asserter created earlier:

iaPath = 'SecurityConfiguration/' + domainName + '/Realms/myrealm/AuthenticationProviders/SAML2IdentityAsserter'

cd (iaPath)

metapartner = cmo.consumeIdPPartnerMetadata(idpMetaFile)

metapartner.setName('WebSSO-IdP-Partner-01')

metapartner.setEnabled(true)

cmo.addIdPPartner(metapartner)

Then setup federation service, which is required when using SAML tokens:

edit()

startEdit()

cd ('/Servers/AdminServer/SingleSignOnServices/AdminServer')

cmo.setContactPersonGivenName('administrator')

cmo.setContactPersonType('administrative')

cmo.setContactPersonCompany('ABC')

cmo.setOrganizationName('ABC')

cmo.setOrganizationURL('www.abc.com')

cmo.setPublishedSiteURL('http://abc.com/saml2')

cmo.setEntityID('AbcServicesProvider')

cmo.setServiceProviderEnabled(true)

cmo.setServiceProviderPreferredBinding('HTTP/POST')

save()

activate(block='true')

Tip: in the above script, the path to the SSO object is not very obvious. If you look at GUI console, it's "Federation Services / SAML 2.0 General". A little imagination helps here.

Great, now you got SAML 2.0 security setup! Configure security policy for your application and you're good to go.

WLST Better than Console
Since WLST is a more direct way to configure WebLogic server, it actually provides the benefit of more accurate results as well. Weblogic console is an application by itself and naturally can contain defects. When you keep on scratching your head because you cannot figure out why a seemingly correct configuration does not work, check it using WLST to find out the reason.

One example is when configuring WSS partner for SAML identity asserter, the "bearer" confirmation method is set but does not work. When checking using WLST, This turns out to be a GUI console defect in WebLogic 10.3.

Summary
Hopefully by now you understand WLST is an important tool for enterprise server configuration and most importantly you can start using it at any point during your project life cycle. You probably already have the necessary knowledge to start using the tool.

This article provides you with some guidance and tips on how to use WLST. It does so by giving an example of configuring SAML 2.0 SSO security, which is more recent technology and there's less examples on it. It shall give you more confidence to start writing scripts on other components as well.

References

More Stories By John Yu

John Yu has worked many years in the software industry mainly using Java/J2EE and related technologies. He has served various roles and is passionate about writing structured high performing software applications.

IoT & Smart Cities Stories
In today's enterprise, digital transformation represents organizational change even more so than technology change, as customer preferences and behavior drive end-to-end transformation across lines of business as well as IT. To capitalize on the ubiquitous disruption driving this transformation, companies must be able to innovate at an increasingly rapid pace.
Predicting the future has never been more challenging - not because of the lack of data but because of the flood of ungoverned and risk laden information. Microsoft states that 2.5 exabytes of data are created every day. Expectations and reliance on data are being pushed to the limits, as demands around hybrid options continue to grow.
"MobiDev is a Ukraine-based software development company. We do mobile development, and we're specialists in that. But we do full stack software development for entrepreneurs, for emerging companies, and for enterprise ventures," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
The explosion of new web/cloud/IoT-based applications and the data they generate are transforming our world right before our eyes. In this rush to adopt these new technologies, organizations are often ignoring fundamental questions concerning who owns the data and failing to ask for permission to conduct invasive surveillance of their customers. Organizations that are not transparent about how their systems gather data telemetry without offering shared data ownership risk product rejection, regu...
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
When talking IoT we often focus on the devices, the sensors, the hardware itself. The new smart appliances, the new smart or self-driving cars (which are amalgamations of many ‘things'). When we are looking at the world of IoT, we should take a step back, look at the big picture. What value are these devices providing. IoT is not about the devices, its about the data consumed and generated. The devices are tools, mechanisms, conduits. This paper discusses the considerations when dealing with the...
Machine learning has taken residence at our cities' cores and now we can finally have "smart cities." Cities are a collection of buildings made to provide the structure and safety necessary for people to function, create and survive. Buildings are a pool of ever-changing performance data from large automated systems such as heating and cooling to the people that live and work within them. Through machine learning, buildings can optimize performance, reduce costs, and improve occupant comfort by ...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, @CloudEXPO and DXWorldEXPO are two of the most important technology events of the year. Since its launch over eight years ago, @CloudEXPO and DXWorldEXPO have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, we provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading...