Monday, February 28, 2011

Look Inside WebLogic Server Embedded LDAP with an LDAP Explorer

This blog was originally posted on http://blogs.oracle.com/jamesbayer when I worked for Oracle.

Today a question came up on our internal WebLogic Server mailing lists about an issue deleting a Group from WebLogic Server. The group had a special character in the name. The WLS console refused to delete the group, showing a java.net.MalformedURLException and another message saying “Errors must be corrected before proceeding.”, as shown below. The group aa:bb is the one with the issue.

[Image: specialName]

WebLogic Server includes an embedded LDAP server that can be used for managing users and groups for “reasonably small environments (10,000 or fewer users)”. For organizations scaling larger or using more high-end features, I recommend looking at one of Oracle’s very popular enterprise directory services products like Oracle Internet Directory or Oracle Directory Server Enterprise Edition. You can configure multiple authenticators in WebLogic Server so that you can use multiple directories at the same time.

I am not sure WebLogic Server supports special characters in group names for the Embedded LDAP server, but in this case both the console and WLST reported the same issue deleting the group with the special character in the name. Here’s the WLST output:

wls:/hotspot_domain/serverConfig/SecurityConfiguration/hotspot_domain/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator> cmo.removeGroup('aa:bb')
Traceback (innermost last):
  File "<console>", line 1, in ?
weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090296]invalid URL ldap:///ou=people,ou=myrealm,dc=hotspot_domain??sub?(&(objectclass=person)(wlsMemberOf=cn=aa:bb,ou=groups,ou=myrealm,dc=hotspot_domain))
        at weblogic.security.providers.authentication.LDAPAtnGroupMembersNameList.advance(LDAPAtnGroupMembersNameList.java:254)
        at weblogic.security.providers.authentication.LDAPAtnGroupMembersNameList.<init>(LDAPAtnGroupMembersNameList.java:119)
        at weblogic.security.providers.authentication.LDAPAtnDelegate.listGroupMembers(LDAPAtnDelegate.java:1392)
        at weblogic.security.providers.authentication.LDAPAtnDelegate.removeGroup(LDAPAtnDelegate.java:1989)
        at weblogic.security.providers.authentication.DefaultAuthenticatorImpl.removeGroup(DefaultAuthenticatorImpl.java:242)
        at weblogic.security.providers.authentication.DefaultAuthenticatorMBeanImpl.removeGroup(DefaultAuthenticatorMBeanImpl.java:407)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at weblogic.management.jmx.modelmbean.WLSModelMBean.invoke(WLSModelMBean.java:437)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
        at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
        at java.security.AccessController.doPrivileged(Native Method)
        at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
        at weblogic.management.mbeanservers.internal.JMXContextInterceptor.invoke(JMXContextInterceptor.java:263)
        at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$16.run(WLSMBeanServerInterceptorBase.java:449)
        at java.security.AccessController.doPrivileged(Native Method)
        at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.invoke(WLSMBeanServerInterceptorBase.java:447)
        at weblogic.management.mbeanservers.internal.SecurityInterceptor.invoke(SecurityInterceptor.java:444)
        at weblogic.management.jmx.mbeanserver.WLSMBeanServer.invoke(WLSMBeanServer.java:323)
        at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11$1.run(JMXConnectorSubjectForwarder.java:663)
        at java.security.AccessController.doPrivileged(Native Method)
        at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder$11.run(JMXConnectorSubjectForwarder.java:661)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
        at weblogic.management.mbeanservers.internal.JMXConnectorSubjectForwarder.invoke(JMXConnectorSubjectForwarder.java:654)
        at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1427)
        at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
        at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1265)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1367)
        at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
        at javax.management.remote.rmi.RMIConnectionImpl_WLSkel.invoke(Unknown Source)
        at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:667)
        at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:522)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
        at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:518)
        at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:207)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:176)
Caused by: java.net.MalformedURLException
        at netscape.ldap.LDAPUrl.readNextConstruct(LDAPUrl.java:651)
        at netscape.ldap.LDAPUrl.parseUrl(LDAPUrl.java:277)
        at netscape.ldap.LDAPUrl.<init>(LDAPUrl.java:114)
        at weblogic.security.providers.authentication.LDAPAtnGroupMembersNameList.advance(LDAPAtnGroupMembersNameList.java:224)
        ... 41 more


It’s fairly clear that, for this to work, the : character needs to be URL-encoded as %3A or similar. But all is not lost; there is another way. You can connect an LDAP explorer like JXplorer to the WebLogic Server Embedded LDAP and browse/edit the entries.
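The encoding step that the failing URL is missing, as an added example (not WebLogic's code and not from the original post): it escapes a group name for the DN (RFC 4514), escapes the DN for the search filter (RFC 4515), then percent-encodes each LDAP URL field, conservatively encoding everything except unreserved characters. The function names, the `REALM_SUFFIX` constant and the second sample group name are assumptions; the DN layout is copied from the error message above.

```python
from urllib.parse import quote, unquote

# Constructed default mirroring the DNs in the WLST error above.
REALM_SUFFIX = "ou=myrealm,dc=hotspot_domain"

def escape_rdn_value(value):
    """RFC 4514: escape a string for use as an attribute value inside a DN."""
    body = "".join("\\" + c if c in '"+,;<>\\' else c for c in value)
    body = body.replace("\0", "\\00")
    if value[:1] in ("#", " "):
        body = "\\" + body
    if len(value) > 1 and value.endswith(" "):
        body = body[:-1] + "\\ "
    return body

def escape_filter_value(value):
    """RFC 4515: escape a string for use as an assertion value in a filter."""
    # Backslash goes first so the escapes added afterwards are not re-escaped.
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                    (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def member_filter(group_name, suffix=REALM_SUFFIX):
    """Filter matching the members of a group, shaped like the one in the error."""
    group_dn = "cn=%s,ou=groups,%s" % (escape_rdn_value(group_name), suffix)
    return "(&(objectclass=person)(wlsMemberOf=%s))" % escape_filter_value(group_dn)

def group_members_url(group_name, suffix=REALM_SUFFIX, host=""):
    """Build the member-search LDAP URL with each field percent-encoded."""
    base = "ou=people," + suffix
    # safe="" leaves only RFC 3986 unreserved characters unencoded, so ':'
    # becomes %3A and '?' (the LDAP URL field separator) becomes %3F.
    return "ldap://%s/%s??sub?%s" % (
        host, quote(base, safe=""), quote(member_filter(group_name, suffix), safe=""))

def parse_ldap_url(url):
    """Split an LDAP URL into decoded (base_dn, attributes, scope, filter)."""
    path = url.split("://", 1)[1].partition("/")[2]
    fields = path.split("?") + [""] * 3
    return tuple(unquote(f) for f in fields[:4])

if __name__ == "__main__":
    for name in ("aa:bb", "ops (emea)*"):  # constructed sample group names
        url = group_members_url(name)
        print(url)
        print(parse_ldap_url(url))
```

Decoding the generated URL returns the original base DN and filter unchanged, so the group name survives the round trip while the URL itself contains no raw `:`, `?`, or parentheses from the name.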

Follow the instructions here, being sure to change the credential for the Embedded LDAP server to a value you know, since by default it is set to an unknown value. You’ll need to reboot the WebLogic Server Admin Server after making this change.

Now configure JXplorer to connect as described in the documentation. I’ve circled the important inputs. In this example, my domain name is “hotspot_domain” which listens on the localhost listen address and port 7001. The cn=Admin user name is a constant identifier for the Administrator of the embedded LDAP and that does not change, but you need to know what it is so you can enter it into the tool you use.

[Image: ldapExplorer]

Once you connect successfully, you can explore the entries and in this case delete the group that is no longer desired.

[Image: ldap2]

Wednesday, February 23, 2011

Exalogic–The One Day Installation Challenge

This blog was originally posted on http://blogs.oracle.com/jamesbayer when I worked for Oracle.

It’s a really exciting time for the extended WebLogic community as we are enjoying seeing the impressive results of Exalogic deployments. At Oracle Open World, a lot of people I spoke with came away impressed with the raw performance. However, Exalogic offers a lot more than just raw performance. I had the pleasure of working with Ram Sivaram during one of the Exalogic training sessions in Santa Clara. In this video diary, he shows the Exalogic machine arrive on the shipping dock, get unpacked, wired up, powered on, configured, and installed with a WebLogic Server cluster in just about 10 hours. I’ve worked with customers in the past that have taken several weeks or longer to get an environment ready after the hardware arrives. This typically involves many different specialized teams in their organization. Mohamad Afshar just wrote a great explanation of the benefit of Engineered Systems, contrasting that with the status quo. Being able to streamline deployment of middleware capacity will have a lot of value for customers by shortening time to deployment. Thanks for the video, Ram. You’ve set a high bar; we’ll see if anyone can top your time!