End-user authorization and authentication for migrating Java apps on WebLogic Server to Azure

This guide will help you to enable enterprise grade end-user authentication and authorization for Java apps on WebLogic Server using Azure Active Directory.

Java EE developers expect the standard platform security mechanisms to "just work", even when moving their workloads to Azure. Oracle WebLogic Server (WLS) Azure Applications let you populate the built-in security realm with users from Azure Active Directory Domain Services (Azure AD DS). Use the standard <security-role> element in your Java EE on Azure applications; the user information flows from Azure AD DS through the Lightweight Directory Access Protocol (LDAP).

This guide is divided into two parts. If you already have Azure AD DS with secure LDAP exposed, you may skip straight to the second part.

In this guide you learn how to:

  • Create and configure an Azure Active Directory Domain Services managed domain
  • Configure secure Lightweight Directory Access Protocol (LDAP) for an Azure AD DS managed domain
  • Enable WebLogic Server to access LDAP as its default security realm

This guide doesn't help you reconfigure an existing Azure AD deployment, but it should be possible to follow along with this guide and see which steps can be skipped.

Prerequisites

Migration context

Here are some things to consider about migrating on-premises WLS installations and Azure AD.

Azure Active Directory configuration

This section walks you through all the steps to stand up an Azure AD DS instance integrated with WLS. Azure Active Directory doesn't support the Lightweight Directory Access Protocol (LDAP) or Secure LDAP directly. Instead, support is enabled through the Azure AD Domain Services (Azure AD DS) instance within your Azure AD tenant.

Note

This guide uses the "cloud-only" user account feature of Azure AD DS. Other user account types are supported, but not described in this guide.

Create and configure an Azure Active Directory Domain Services managed domain

This section walks you through a separate tutorial to stand up an Azure AD DS managed domain.

Complete the tutorial Create and configure an Azure Active Directory Domain Services managed domain up to but not including the section Enable user accounts for Azure AD DS. That section requires special treatment in the context of this tutorial, as described in the next section. Be sure to complete the DNS actions completely and correctly.

Note down the value you specify when completing the step "Enter a DNS domain name for your managed domain." You'll use it later in this article.

Create users and reset passwords

This section includes steps to create users and change their passwords, which is required for the users to propagate successfully through LDAP. If you have an existing Azure AD DS installation, this step may not be necessary.

  1. Within the Azure portal, ensure the directory corresponding to the Azure AD tenant is the currently active directory. To learn how to select the correct directory see Associate or add an Azure subscription to your Azure Active Directory tenant. If the incorrect directory is selected, you either won't be able to create users, or you'll create users in the wrong directory.
  2. In the search box at the top of the Azure portal, enter "Users".
  3. Select New user.
  4. Ensure Create user is selected.
  5. Fill in values for User name, Name, First name, and Last name. Leave the remaining fields at their default values.
  6. Select Create.
  7. Select the newly created user in the table.
  8. Select Reset password.
  9. In the panel that appears, select Reset password.
  10. Note down the temporary password.
  11. In an "incognito" browser window, visit the Azure portal and log in with the user's credentials and password.
  12. Change the password when prompted. Note down the new password. You'll use it later.
  13. Log out and close the "incognito" window.

Repeat the steps from "Select New user" through "Log out and close" for each user you want to enable.

Allow LDAP in Azure AD DS

This section walks you through a separate tutorial to extract values for use in configuring WLS.

First, open the tutorial Configure secure LDAP for an Azure Active Directory Domain Services managed domain in a separate browser window so you can look at the below variations as you run through the tutorial.

When you reach the section, Export a certificate for client computers, take note of where you save the certificate file ending in .cer. We'll use the certificate as input to the WLS configuration.

When you reach the section, Lock down secure LDAP access over the internet, specify Any as the source. We'll tighten the security rule with a specific IP address later in this guide.

Before you execute the steps in Test queries to the managed domain, do the following steps to enable the testing to succeed.

  1. In the portal, visit the overview page for the Azure AD Domain Services instance.
  2. In the Settings area, select Properties.
  3. On the right of the page, scroll down until you see Admin group. Under this heading should be a link for AAD DC Administrators. Select that link.
  4. In the Manage section, select Members.
  5. Select Add members.
  6. In the Search text field, enter some characters to locate one of the users you created in a preceding step.
  7. Select the user, then activate the Select button.
  8. This user is the one you must use when executing the steps in the Test queries to the managed domain section.

Note

Here are some tips about querying the LDAP data, which you'll need to do to collect some values necessary for WLS configuration.

  • The tutorial advises use of the Windows program LDP.exe. This program is only available on Windows. For non-Windows users, it's also possible to use Apache Directory Studio for the same purpose.
  • When logging in to LDAP with LDP.exe, the username is just the part before the @. For example, if the user is alice@contoso.onmicrosoft.com, the username for the LDP.exe bind action is alice. Also, leave LDP.exe running and logged in for use in subsequent steps.

In the section Configure DNS zone for external access, note down the value for Secure LDAP external IP address. You'll use it later.

If the value of the Secure LDAP external IP address is not readily apparent, follow these steps to get the IP address.

  1. In the portal, find the resource group that contains the Azure AD Domain Services resource.
  2. In the list of resources, select the public IP resource for the Azure AD Domain Services resource. The public IP's name will likely start with aads.
  3. The public IP is shown next to the label, IP address.

Do not execute the steps in Clean-up resources until instructed to do so in this guide.

With the above variations in mind, complete Configure secure LDAP for an Azure Active Directory Domain Services managed domain. We can now collect the values necessary to provide to the WLS Configuration.

Note

Please wait for the secure LDAP configuration to complete processing before moving on to the next section.

Disable weak TLS v1

By default, Azure Active Directory Domain Services (Azure AD DS) enables the use of TLS v1, which is considered weak and not supported in WebLogic Server 14 and later.

This section walks you through how to disable TLS v1.

First, get the resource ID of the Azure AD DS instance that enables LDAP. The following example gets the ID of an Azure AD DS instance named aaddscontoso.com in a resource group named aadds-rg.

AADDS_ID=$(az resource show --resource-group aadds-rg --resource-type "Microsoft.AAD/DomainServices" --name aaddscontoso.com --query "id" --output tsv)

Run the following command to disable TLS v1:

az resource update --ids $AADDS_ID --set properties.domainSecuritySettings.tlsV1=Disabled

The output will display "tlsV1": "Disabled" for domainSecuritySettings, as shown in the following example:

"domainSecuritySettings": {
      "ntlmV1": "Enabled",
      "syncKerberosPasswords": "Enabled",
      "syncNtlmPasswords": "Enabled",
      "syncOnPremPasswords": "Enabled",
      "tlsV1": "Disabled"
}

For more information, see Disable weak ciphers and password hash synchronization to secure an Azure Active Directory Domain Services managed domain.
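To confirm the update took effect without reading the JSON by eye, the following added example (not part of this guide or of the az CLI) parses the output of the az resource update command and reports which weak settings are still enabled. The sample output is constructed; ntlmV1 and syncNtlmPasswords are treated as recommended-off per the linked article, which is an assumption of this example.

```python
import json

# Constructed sample of what "az resource update ... --set
# properties.domainSecuritySettings.tlsV1=Disabled" prints, trimmed to the
# relevant object; the real output also contains the rest of the resource.
SAMPLE_AZ_OUTPUT = """{
  "properties": {
    "domainSecuritySettings": {
      "ntlmV1": "Enabled",
      "syncKerberosPasswords": "Enabled",
      "syncNtlmPasswords": "Enabled",
      "syncOnPremPasswords": "Enabled",
      "tlsV1": "Disabled"
    }
  }
}"""

# tlsV1 must be Disabled for WLS 14 and later (this guide). ntlmV1 and
# syncNtlmPasswords are assumed here to be the other settings the linked
# "Disable weak ciphers" article covers; they are reported, not fatal.
REQUIRED_DISABLED = ("tlsV1",)
RECOMMENDED_DISABLED = ("ntlmV1", "syncNtlmPasswords")


def extract_security_settings(az_output: str) -> dict:
    """Return domainSecuritySettings from the full resource or a fragment."""
    doc = json.loads(az_output)
    settings = doc.get("properties", {}).get("domainSecuritySettings")
    if settings is None:
        settings = doc.get("domainSecuritySettings")
    if not isinstance(settings, dict):
        raise ValueError("domainSecuritySettings not found in az output")
    return settings


def audit_security_settings(az_output: str) -> dict:
    """Report which weak settings are still enabled after the update."""
    settings = extract_security_settings(az_output)

    def still_enabled(keys):
        # A missing key is reported too: its state cannot be confirmed.
        return [k for k in keys if settings.get(k) != "Disabled"]

    required = still_enabled(REQUIRED_DISABLED)
    return {
        "tls_v1_disabled": not required,
        "required_still_enabled": required,
        "recommended_still_enabled": still_enabled(RECOMMENDED_DISABLED),
    }
```

Pipe the real command output into audit_security_settings; a non-empty required_still_enabled list means the TLS v1 change has not applied yet.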

WLS Configuration

This section helps you collect the parameter values from the Azure AD DS deployed earlier.

When you deploy any of the Azure Applications listed in Oracle WebLogic Server Azure Applications, you can choose to have the deployment automatically connect to a pre-existing LDAP server. Alternatively, you can configure the LDAP connection later by invoking the Active Directory integration subtemplate. This approach is described in Appendix A of the official documentation. Either way, you must have the necessary parameter values to pass to the ARM template.

The following list gives each parameter name, its description, and how to obtain its value.

  • aadsServerHost (Server Host): This value is the public DNS name you saved when completing Create and configure an Azure Active Directory Domain Services managed domain.
  • aadsPublicIP (Secure LDAP external IP address): This value is the Secure LDAP external IP address you saved in the Configure DNS zone for external access section.
  • wlsLDAPPrincipal (Principal): Return to LDP.exe. Do the following steps to obtain the value for wlsLDAPPrincipal.
    1. In the View menu, select Tree.
    2. In the Tree View dialog, leave BaseDN blank and select OK.
    3. Right-click in the right side pane and select Clear output.
    4. Expand the tree view on the left and select the entry that starts with "OU=AADDC Users".
    5. In the Browse menu, select Search.
    6. In the dialog that appears, accept the defaults and select Run.
    7. After output appears in the right side pane, select Close, next to Run.
    8. Scan the output for the Dn entry corresponding to the user you added to the "AAD DC Administrators" group. It will start with Dn: CN=<user name>,OU=AADDC Users.
  • wlsLDAPGroupBaseDN and wlsLDAPUserBaseDN (User Base DN and Group Base DN): For the purposes of this tutorial, the values for both of these properties are the same: the part of the wlsLDAPPrincipal after the first comma.
  • wlsLDAPPrincipalPassword (Password for Principal): This value is the password for the user that has been added to the AAD DC Administrators group.
  • wlsLDAPProviderName (Provider Name): This value can be left at its default. It's used as the name of the authentication provider in WLS.
  • wlsLDAPSSLCertificate (Public key for Azure AD DS LDAPS connection): This value is the .cer file you were asked to save aside when you completed the step, Export a certificate for client computers.
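The "part after the first comma" rule above breaks if the user's CN itself contains an escaped comma (legal in an LDAP DN, for example a display name written "Smith, Alice"). The following added example, which is not part of this guide or of any Oracle or Microsoft tool, picks the principal's Dn out of constructed LDP.exe search output, splits only on unescaped commas, and assembles the parameter set; the host, IP, password and certificate path passed in are placeholders.

```python
import re

# Constructed sample of the Dn: lines in LDP.exe search output. The second
# user has a backslash-escaped comma in its CN, which a naive split mishandles.
LDP_OUTPUT = """\
Dn: CN=bob,OU=AADDC Users,DC=aaddscontoso,DC=com
Dn: CN=Smith\\, Alice,OU=AADDC Users,DC=aaddscontoso,DC=com
Dn: CN=alice,OU=AADDC Users,DC=aaddscontoso,DC=com
"""


def split_dn(dn: str) -> list:
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn)


def unescape_rdn(rdn: str) -> str:
    """Remove single-character backslash escapes, e.g. '\\,' -> ','."""
    return re.sub(r"\\(.)", r"\1", rdn)


def find_principal_dn(ldp_output: str, user_name: str) -> str:
    """Return the Dn whose leading RDN is CN=<user_name> (case-insensitive)."""
    wanted = f"cn={user_name}".lower()
    for line in ldp_output.splitlines():
        m = re.match(r"\s*Dn:\s*(.+?)\s*$", line)
        if m and unescape_rdn(split_dn(m.group(1))[0]).lower() == wanted:
            return m.group(1)
    raise LookupError(f"no Dn entry with CN={user_name}")


def base_dn(principal_dn: str) -> str:
    """The guide's rule: everything after the first (unescaped) comma."""
    rdns = split_dn(principal_dn)
    if len(rdns) < 2:
        raise ValueError("principal DN has no parent: " + principal_dn)
    return ",".join(rdns[1:])


def wls_ldap_parameters(ldp_output, user_name, host, ip, password, cert_path):
    """Assemble the ARM template parameters named in this section."""
    principal = find_principal_dn(ldp_output, user_name)
    parent = base_dn(principal)  # same value for user and group base DN
    return {
        "aadsServerHost": host,
        "aadsPublicIP": ip,
        "wlsLDAPPrincipal": principal,
        "wlsLDAPPrincipalPassword": password,
        "wlsLDAPUserBaseDN": parent,
        "wlsLDAPGroupBaseDN": parent,
        "wlsLDAPProviderName": "AzureActiveDirectoryProvider",  # default
        "wlsLDAPSSLCertificate": cert_path,
    }
```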

Integrating Azure AD DS LDAP with WLS

With the above configuration values in hand, and the Azure AD DS LDAP deployed, it's now possible to launch the configuration. There are two approaches to complete this process.

During WLS deployment

Visit Oracle WebLogic Server Azure Applications and select the admin offer or either of the cluster offers. While deploying the offer, one of the tabs in the deployment process will be Azure Active Directory. Toggle Connect to Azure Active Directory to Yes. Fill in the values using the information collected in the preceding section. For the certificate, you must upload the .cer file directly.

After WLS deployment

If you didn't toggle Connect to Azure Active Directory to Yes at deployment time, you can use the values you collected in the preceding section to do the configuration later. More details are in the official documentation.

Validate the deployment

After deploying WLS and configuring LDAP using one of the above two methods, follow these steps to verify the integration was successful.

  1. Visit the WLS Admin console.
  2. In the left navigator, expand the tree to select Security Realms -> myrealm -> Providers.
  3. If the integration was successful, you'll find the Azure AD provider, for example AzureActiveDirectoryProvider.
  4. In the left navigator, expand the tree to select Security Realms -> myrealm -> Users and Groups.
  5. If the integration was successful, you'll find users from the Azure AD provider.

Lock down and secure LDAP access over the internet

While standing up secure LDAP in the preceding steps, we set the source to Any for the AllowLDAPS rule in the network security group. Now that the WLS Admin Server has been deployed and connected to LDAP, obtain its public IP address using the Azure portal. Revisit Lock down secure LDAP access over the internet and change Any to the specific IP address of the WLS Admin Server.

Clean up resources

Now it's time to follow the steps in the Clean up resources section of Configure secure LDAP for an Azure Active Directory Domain Services managed domain.

Next steps

Explore other aspects of migrating WebLogic Server apps to Azure.