Steps for Configuring Digest Authentication

Follow these steps to configure Digest authentication with Converged Application Server:

  1. Configure the LDAP Server or RDBMS.

  2. Reconfigure the DefaultAuthenticator Provider.

    Note:

    DefaultAuthenticator is set up as a required authentication provider by default. If the DefaultAuthenticator provider, which works against the embedded LDAP store, is not used for authentication decisions, you must change its Control Flag to "SUFFICIENT".

  3. Configure an Authenticator Provider.

  4. Configure a New Digest Identity Asserter Provider.

The sections that follow describe each step in detail.

Configure the LDAP Server or RDBMS

The LDAP server or RDBMS used for Digest verification must store one of the following: unencrypted, clear-text passwords; pre-calculated hash values; or passwords encrypted with a standard encryption algorithm (3DES_EDE/CBC/PKCS5Padding by default). The sections below provide general information about setting up your LDAP server or RDBMS to store the required information. Be aware that different LDAP servers use different schemas and different administration tools, so you may need to refer to your LDAP server documentation for information about how to perform the steps below.

If you are using multiple LDAP servers to enable failover capabilities for the security providers, you must configure each LDAP server as described below.

Using Unencrypted Passwords

If you are using an RDBMS, or if your LDAP server's schema allows storing unencrypted passwords in the user's password attribute, no additional configuration is needed. The Digest Identity Asserter provider looks for unencrypted passwords in the password field by default.

If the schema does not allow unencrypted passwords in the password attribute, you have two options:

  • Store the unencrypted password in an existing, unused credential attribute in the LDAP directory.

  • Create a new credential attribute to store the unencrypted password.

See your LDAP server documentation for more information about credential attributes available in the schema. Regardless of which method you use, record the exact attribute name used to store unencrypted passwords. You must enter the name of this attribute when configuring the LDAP Digest Identity Asserter provider.

Using Precalculated Hash Values

If you want to use precalculated hash values, rather than unencrypted passwords, you can store the hash values in one of two places in your LDAP directory:

  • In an existing, unused credential attribute.

  • In a new credential attribute that you create for the hash value.

See your LDAP server documentation for more information about using existing credential attributes or creating new ones.

For RDBMS stores, you can place the hash values in any column in your schema; you will define the SQL command used to obtain the hash values when configuring the RDBMS Identity Assertion Provider.

Converged Application Server provides a simple utility (PreCalculatedHash) to generate a hash of the A1 value from a given username, realm name, and unencrypted password. The utility is packaged as com.bea.wcp.sip.security.utils.PreCalculatedHash. Use the syntax:

    java com.bea.wcp.sip.security.utils.PreCalculatedHash user_name realm_name password

You can also use third-party utilities to generate the hash value, or create your own method using information from RFC 2617.

Note that you must also create the necessary infrastructure to update the stored hash value automatically when the user name, password, or realm name values change. Maintaining the password information in this manner is beyond the scope of this documentation.

Using Reverse-Encrypted Passwords

Converged Application Server provides a utility to help you compute the Encryption Key, Encryption Init Vector, and Encrypted Passwords values used when you configure the Digest Authorization Identity Asserter provider. The utility is named com.bea.wcp.sip.security.utils.JSafeEncryptionUtil and is packaged in the wlss.jar file in the WebLogic_Home/sip/server/lib directory, where WebLogic_Home is the directory where the WebLogic Server component of Converged Application Server is installed.

To view usage instructions and syntax:

  1. Add wlss.jar to your classpath. The default path is:

    export CLASSPATH=$CLASSPATH:~/oracle/Middleware/Oracle_Home/wlserver/sip/server/lib/wlss.jar
    
  2. Execute the utility without specifying options:

    java com.bea.wcp.sip.security.utils.JSafeEncryptionUtil

Reconfigure the DefaultAuthenticator Provider

In most production environments you will use a separate Identity and Access Management solution for storing password information, and therefore the DefaultAuthenticator, which works against the embedded LDAP store, will not be required for authentication. Follow the instructions in this section to change the provider's control flag to "sufficient".

Note:

DefaultAuthenticator is set up as a required authentication provider by default. If the DefaultAuthenticator provider, which works against the embedded LDAP store, is not used for authentication decisions, you must change its Control Flag to "SUFFICIENT".

To reconfigure the DefaultAuthenticator provider:

  1. From the Edit Tree of the Remote Console, click Security, and then Realms, and then the specific realm you created, and then Authentication Providers.
  2. Select the DefaultAuthenticator provider.
  3. Under the Common subtab, set Control Flag to Sufficient.
  4. Click Save, click the shopping cart, and then Commit Changes.
  5. Restart the server.

Configure an Authenticator Provider

In addition to the Digest Identity Asserter providers, which only validate the client digest, you must configure an authentication provider, which checks for a user's existence and populates the user's group information. Follow the instructions provided in Oracle Fusion Middleware Securing Oracle WebLogic Server to create an authentication provider for your server. Use the information from Table 3-1 to configure the provider.

If you do not require user existence checking or group population, then, in addition to a Digest Identity Asserter provider, you can configure and use the special "no-op" authentication provider, packaged by the name "IdentityAssertionAuthenticator." This provider is helpful to avoid an extra round-trip connection to the LDAP server. Note that the provider performs no user validation and should be used when group information is not required for users.

To configure the "no-op" authentication provider:

  1. From the Edit Tree of the Remote Console, click Security, and then Realms, and then the specific realm you created, and then Authentication Providers.
  2. Click New.
  3. Enter a name for the new provider, and set Type to Identity Assertion Authenticator.
  4. Click Create.
  5. On the next screen, set Control Flag to Sufficient.
  6. Click Save, click the shopping cart, and click Commit Changes.
  7. Restart the server.

Configure a New Digest Identity Asserter Provider

Follow these instructions to create the Digest Identity Asserter provider and associate it with your LDAP server or RDBMS store: