If you are using an RDBMS, or if your LDAP server's schema allows storing unencrypted passwords in the user's password attribute, no additional configuration is needed. The Digest Identity Asserter provider looks for unencrypted passwords in the password field by default.

If the schema does not allow unencrypted passwords in the password attribute, you have two options:

• Store the unencrypted password in an existing, unused credential attribute in the LDAP directory.

• Create a new credential attribute to store the unencrypted password.

See your LDAP server documentation for more information about credential attributes available in the schema. Regardless of which method you use, record the exact attribute name used to store unencrypted passwords. You must enter the name of this attribute when configuring the LDAP Digest Identity Asserter provider.

If you want to use precalculated hash values, rather than unencrypted passwords, you can store the hash values in one of two places in your LDAP directory:

• In an existing, unused credential attribute.

• In a new credential attribute that you create for the hash value.

See your LDAP server documentation for more information using or creating new credential attributes.

For RDBMS stores, you can place the hash values in any column in your schema; you will define the SQL command used to obtain the hash values when configuring the RDBMS Identity Assertion Provider.

Converged Application Server provides a simple utility (PreCalculatedHash) to generate a hash of the A1 value from a given username, realm name, and unencrypted password. The utility is packaged as com.bea.wcp.sip.security.utils.PreCalculatedHash. Use the syntax:

java com.bea.wcp.sip.security.utils.PreCalculatedHash user_name realm_name password

You can use also use 3rd-party utilities for generating the hash value, or create your own method using information from RFC 2617.

Note that you must also create the necessary infrastructure to update the stored hash value automatically when the user name, password, or realm name values change. Maintaining the password information in this manner is beyond the scope of this documentation.

Converged Application Server provides a utility to help you compute the Encryption Key, Encryption Init Vector, and Encrypted Passwords values used when you configure the Digest Authorization Identity Asserter provider. The utility is named com.bea.wcp.sip.security.utils.JSafeEncryptionUtil and is packaged in the wlss.jar file in the WebLogic_Home/sip/server/lib directory, where WebLogic_Home is the directory where the WebLogic Server component of Converged Application Server is installed.

To view usage instructions and syntax:

1. Add wlss.jar to your classpath. The default path is:

   export CLASSPATH=$CLASSPATH:~/oracle/Middleware/Oracle_Home/wlserver/sip/server/lib/wlss.jar
   

2. Execute the utility without specifying options:

   java com.bea.wcp.sip.security.utils.JSafeEncryptionUtil

Follow these instructions to create a new LDAP Digest Identity Asserter Provider:

1. Log in to the Administration Console for the Converged Application Server domain you want to configure.
2. In the left pane of the Console, select the Security Realms node.
3. Select the name of your security realm in the Realms table in the right pane of the Console.
4. Select Providers, then select the Authentication subtab.
5. Click New.
6. Enter a name for the new provider, and select LdapDigestIdentityAsserter from the Type drop down list.
7. Click OK.
8. Select the name of the new provider from the list of providers.
9. Select Configuration, then select the Provider Specific subtab in the right pane.
10. On the configuration page, enter LDAP server and Digest authentication information into the fields as follows (use the information from Table 3-1):

    • User From Name Filter: Enter an LDAP search filter that Converged Application Server will use to locate a given username. If you do not specify a value for this attribute, the server uses a default search filter based on the user schema.

    • User Base DN: Enter the base Distinguished Name (DN) of the tree in the LDAP directory that contains users (for example, cn=Users,dc=example,dc=com).
    • Credential Attribute Name: Enter the credential attribute in the LDAP directory that stores either the pre-calculated hash value or the unencrypted password (for example, authpassword;wlss). By default Converged Application Server uses the password attribute of the user entry. If you use a pre-calculated has value instead of an unencrypted password, or if the unencrypted password is stored in a different attribute, you must specify the correct attribute name here.
    • Group Attribute Name: Enter the group attribute in the LDAP directory that stores a the set of group names to which the user belongs.
    • Password Encryption Type: Select the format in which the password is stored: PLAINTEXT, PRECALCULATEDHASH, or REVERSIBLEENCRYPTED.
    • Encryption Algorithm: If you have stored encrypted passwords, enter the encryption algorithm that the Digest identity assertion provider will use for reverse encryption.
    • Encryption Key and Please type again to confirm: If you have stored encrypted passwords, enter the base-64 encoded key used as part of the reverse encryption algorithm.

    • Encryption Init Vector and Please type again to confirm: If you have stored encrypted passwords, enter the base-64 encoded init vector string used as part of the reverse encryption algorithm.

    • Digest Realm Name: Enter the realm name to use for Digest authentication (for example, example.com).
    • Digest Algorithm: Select either MD5 or MD5-sess as the algorithm to use for encrypting Digests.
    • Digest Timeout: This value defines the nonce timeout value for the digest challenge. If the nonce timeout is reached before the client responds, the client is re-challenged with a new nonce. By default, the Digest Timeout is set to 120 seconds.
    • Host: Enter the host name of the LDAP server to use for Digest verification. If you are using multiple LDAP servers for failover capabilities, enter the host_name:port value for each server separated by spaces. For example: ldap1.mycompany.com:1050 ldap2.mycompany.com:1050

      See Oracle Fusion Middleware Securing Oracle WebLogic Server for more information about configuring failover.

    • Port: Enter the port number of the LDAP server.
    • SSL Enabled: Select this option if you are using SSL to communicate unencrypted passwords between Converged Application Server and the LDAP Server.
    • Principal: Enter the name of a principal that Converged Application Server uses to access the LDAP server (for example, orclApplicationCommonName=WLSSInstance1,cn=WLSS,cn=Products,cn=OracleContext,dc=example,dc=com).
    • Credential and Please type again to confirm: Enter the credential for the above principal name (generally a password).
    • OIDSupportEnabled: Select this checkbox if you are using Oracle Internet Directory as your LDAP provider. This checkbox is necessary when using a precalculated hash value because Oracle Internet Directory prefixes the hash value with {SASL/MD5} as described in RFC 2307. Other LDAP providers may omit the prefix.
11. Click Save to save your changes.
12. Select the Performance tab in the right pane.
13. On the Performance page, enter the caching and connection information into the fields as follows:
    • LDAP Connection Pool Size: Enter the number of connections to use for connecting to the LDAP Server. This value should be equal to or less than the total number of execute threads configured for Converged Application Server. To view the current number of configured threads, right-click on the Converged Application Server name in the left pane of the Administration Console and select View Execute Queues; the SIP Container uses the Thread Count value of the queue named sip.transport.Default. The default value of LDAP Connection Pool Size is 10.

      Note that stale connections (for example, LDAP connections that are timed out by a load balancer) are automatically removed from the connection pool.

    • Cache Enabled: Specifies whether a cache should be used with the associated LDAP server.
    • Cache Size: Specifies the size of the cache, in Kilobytes, used to store results from the LDAP server. By default the cache size is 32K.
    • Cache TTL: Specifies the time-to-live (TTL) value, in seconds, for the LDAP cache. By default the TTL value is 60 seconds.
    • Results Time Limit: Specifies the number of milliseconds to wait for LDAP results before timing out. Accept the default value of 0 to specify no time limit.
    • Connect Timeout: Specifies the number of milliseconds to wait for an LDAP connection to be established. If the time is exceeded, the connection times out. The default value of 0 specifies no timeout value.
    • Parallel Connect Delay: Specifies the number of seconds to delay before making concurrent connections to multiple, configured LDAP servers. If this value is set to 0, the provider connects to multiple servers in a serial fashion. The provider first tries to connect to the first configured LDAP server in the Host list. If that connection attempt fails, the provider tries the next configured server, and so on.

      If this value is set to a non-zero value, the provider waits the specified number of seconds before spawning a new thread for an additional connection attempt. For example, if the value is set to 2, the provider first tries to connect to the first configured LDAP server in the Host list. After 2 seconds, if the connection has not yet been established, the provider spawns a new thread and tries to connect to the second server configured in the Host list, and so on for each configured LDAP server.

    • Connection Retry Limit: Specifies the number of times the provider tries to reestablish a connection to an LDAP server if the LDAP server throws an exception while creating a connection.
14. Click Save to save your changes.
15. Restart the server.

Follow these instructions to create a new RDBMS Digest Identity Asserter Provider:

1. Log in to the Administration Console for the Converged Application Server domain you want to configure.
2. In the left pane of the Console, select the Security Realms node.
3. Select the name of your security realm in the Realms table in the right pane of the Console.
4. Select Providers, then select the Authentication subtab.
5. Click New.
6. Enter a name for the new provider, and select DBMSDigestIdentityAsserter as the type.
7. Click OK.
8. Select the name of the new provider from the Authentication Providers table.
9. Select Configuration, then select the Provider Specific subtab in the right pane.
10. In the configuration tab, enter RDBMS server and Digest authentication information into the fields as follows:
    • Data Source Name: Enter the name of the JDBC DataSource used to access the password information.
    • SQLGet Users Password: Enter the SQL statement used to obtain the password or hash value from the database. The SQL statement must return a single record result set.
    • SQLList Member Groups: Enter a SQL statement to obtain the group information from a specified username. The username is supplied as a variable to the SQL statement, as in SELECT G_NAME FROM groupmembers WHERE G_MEMBER = ?.
    • Password Encryption Type: Select the format in which the password is stored: PLAINTEXT, PRECALCULATEDHASH, or REVERSIBLEENCRYPTED.
    • Encryption Algorithm: If you have stored encrypted passwords, enter the encryption algorithm that the Digest identity assertion provider will use for reverse encryption.
    • Encryption Key and Please type again to confirm: If you have stored encrypted passwords, enter the base-64 encoded key used as part of the reverse encryption algorithm.
    • Encryption Init Vector and Please type again to confirm: If you have stored encrypted passwords, enter the base-64 encoded init vector string used as part of the reverse encryption algorithm.
    • Digest Realm Name: Enter the realm name to use for Digest authentication.
    • Digest Algorithm: Select either MD5 or MD5-sess as the algorithm to use for encrypting Digests.
    • Digest Timeout: This value defines the nonce timeout value for the digest challenge. If the nonce timeout is reached before the client responds, the client is re-challenged with a new nonce. By default, the Digest Timeout is set to 120 seconds.
11. Click Save to save your changes.
12. Restart the server.