IBM Support

LDAP configuration for Rule Execution Server on WebLogic

Question & Answer


Question

How to configure LDAP users and groups for Rule Execution Server on WebLogic?

Cause

Like any other Java EE application, Rule Execution Server relies on the application server for security.

If you use a third-party security repository, such as LDAP, you must configure it properly with the application server so that Rule Execution Server can use the group and user credentials that the repository provides.

Rule Execution Server requires only that every group or user allowed to access it be mapped to one of the three mandatory roles: resAdministrators, resDeployers, and resMonitors.

For the WebLogic application server, those Rule Execution Server roles are mapped by default to the users in the weblogic.xml application. The JRules documentation explains how to use the WebLogic Authentication Provider (default realm) to create those users: resDeployers, resDeployer, and resAdmin.

However, if your business requires that only LDAP accounts be defined, to simplify their maintenance, create your own groups and users directly in your LDAP repository and define your own mapping in the WebLogic console.

WebLogic provides several preconfigured LDAP realms (Active Directory, OpenLDAP, etc.): create one and use it in place of the default realm.

See the WebLogic documentation for information about Configuring Authentication Providers.

Answer

The section "Configuring Security" of the documentation to install Rule Execution Server on WebLogic provides step-by-step instructions to install Rule Execution Server from the default WebLogic realm. This realm uses the WebLogic Authentication Provider, where you create users and groups within the WebLogic console.

Skip that section but follow all the other installation steps listed in "Installing on WebLogic > Installing Rule Execution Server > Installing Rule Execution Server on WebLogic X.y".

The key steps for integrating your LDAP repository with Rule Execution Server on a WebLogic application server are:

  1. Deploy the Execution Unit (XU) RAR as specified in the documentation. If no resMonitor user is created in the security realm:
    • Go to "Summary of Deployments > <XU application name> > Security > Principals", where <XU application name> is the name given to the XU application at deployment, jrules-res-xu-WL<version> by default.
    • Set "Manage as Principal" to "Use Anonymous".

  2. Deploy the Rule Execution Server Management EAR as described in the documentation, but do not select the "DD Only: ..." option (Deployment Descriptor) in the deployment mode. Any other value lets you define your own mapping.

  3. Define your own mapping between your LDAP users/groups and the Rule Execution Server roles in "Summary of Deployments":
    • Click jrules-res-management-WL<version> (or the name you gave to the Rule Execution Server console application at deployment).
    • In the Security tab under Roles, for each of the three groups (resAdministrators, resDeployers, resMonitors), map the LDAP users or LDAP groups.

Note: The resAdministrators group members should be granted the two other roles as well.


Document Information

Modified date:
15 June 2018

UID

swg21497512