WebSphere Application Server & Liberty


More than one basic registry in WebSphere Liberty

  • 1.  More than one basic registry in WebSphere Liberty

    Posted Tue March 01, 2022 06:40 AM
    Hello,

    isn't it possible to define more than one basicRegistry in the server.xml of a WebSphere Liberty? I tried to define two basicRegistry entries with a different id and realmName for two different RP applications, but when I login, I first get the login form of Liberty OP, but then I'm not redirected to the restricted page of the RP application but to the login form of the RP application.
    The registry definitions look like this:

    <basicRegistry id="sampleApps" realm="SampleApps">
        <user name="Jackson" password="Password"/>
        <user name="Andrea" password="Password"/>
        <group name="TestUsers">
            <member name="Andrea" />
        </group>
    </basicRegistry>

    Am I missing something?
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------


  • 2.  RE: More than one basic registry in WebSphere Liberty

    Posted Tue March 01, 2022 08:17 AM
    Hello Thomas,

    I don't know if I'm completely following you. Can you send screenshots showing what you are getting when logging in?

    You can define multiple Basic registries and federate them as you can see here:

    Federation of user registries

    https://www.ibm.com/docs/en/was-liberty/base?topic=authentication-federation-user-registries

    How did you do the user-to-role mapping in the applications? Did you follow these instructions:
    Example: Using BasicRegistry and role mapping on Liberty
    https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-example-using-basicregistry-role-mapping
    Could you please share your complete server.xml?

    Best Regards

    ------------------------------
    MIGUEL ANGEL CAMACHO CABRERA
    ------------------------------



  • 3.  RE: More than one basic registry in WebSphere Liberty

    Posted Tue March 01, 2022 10:09 AM
    It seems you are trying to configure an OIDC provider and client, and it seems it is not correctly configured.

    Check the following link too:

    Getting started: Configuring an OpenID Connect Provider and Client in Liberty


    https://www.ibm.com/docs/en/was-liberty/base?topic=uoc-getting-started-configuring-openid-connect-provider-client-in-liberty

    ------------------------------
    MIGUEL ANGEL CAMACHO CABRERA
    ------------------------------



  • 4.  RE: More than one basic registry in WebSphere Liberty

    Posted Tue March 01, 2022 10:59 AM
    Hi Miguel,

    my OpenID Provider and RP applications are working well when I remove the second basic registry from the server.xml!

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------



  • 5.  RE: More than one basic registry in WebSphere Liberty

    Posted Tue March 01, 2022 12:16 PM
    Can you please upload the traces with trace string

    *=info:com.ibm.ws.security.oidc.*=all:com.ibm.ws.security.openidconnect.*=all:com.ibm.ws.security.openid20.*=all:com.ibm.ws.security.web.*=all:com.ibm.ws.security.*=all:com.ibm.ws.webcontainer.security.*=all

    from server start-up? Upload them when adding the second basicRegistry and when you have just one for comparison, if possible.


    ------------------------------
    MIGUEL ANGEL CAMACHO CABRERA
    ------------------------------



  • 6.  RE: More than one basic registry in WebSphere Liberty

    Posted Tue March 01, 2022 02:16 PM
    Hello Miguel,

    here are the requested log files and the server.xml. The scenario is as follows:

    1. I navigate to the welcome page: http://localhost:9080/SSOIDP/index.jsp
    2. I navigate to a protected page: http://localhost:9080/SSOIDP/restricted/idpRestrictedPage.jsp
    3. I am redirected to the Liberty OP login page
    4. I enter username Andrea and Password
    5. I am redirected to the login page of the RP application: http://localhost:9080/SSOIDP/login.jsp
    Step 5 is wrong! I should be redirected to the restricted page selected in step 2.

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------

    Attachment(s)

    server.xml (xml, 7 KB, 1 version)
    messages.log (log, 24 KB, 1 version)
    trace.log (log, 4.55 MB, 1 version)


  • 7.  RE: More than one basic registry in WebSphere Liberty

    Posted Wed March 02, 2022 09:55 AM
    Could you please try adding to the server.xml

    <federatedRepository>
        <primaryRealm name="PrimaryRealm">
            <participatingBaseEntry name="o=KISSRegistry"/>
            <participatingBaseEntry name="o=BasicRegistry"/>
        </primaryRealm>
    </federatedRepository>


    ------------------------------
    MIGUEL ANGEL CAMACHO CABRERA
    ------------------------------



  • 8.  RE: More than one basic registry in WebSphere Liberty

    Posted Wed March 02, 2022 10:48 AM
    Hi Miguel,

    the problem remains the same. I uploaded the trace and the server.xml

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------

    Attachment(s)

    trace.log (log, 4.26 MB, 1 version)
    messages.log (log, 24 KB, 1 version)
    server.xml (xml, 7 KB, 1 version)


  • 9.  RE: More than one basic registry in WebSphere Liberty

    Posted Wed March 02, 2022 03:11 PM
    Edited by Teddy Torres Wed March 02, 2022 03:20 PM
    Hi,

    The traces in logs_DefaultCell01_DefaultNode01_server11646161481911.txt show that the OIDC flow with the OP was successful, but there was a problem mapping the user,

    [3/1/22 19:02:25:283 UTC] 000000ad WebAuthentica 3 Username retrieved from TAI is [Andrea]
    [3/1/22 19:02:25:283 UTC] 000000ad WebAuthentica 3 Map credentials for Andrea.
    [3/1/22 19:02:25:288 UTC] 000000ad FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/IBM/WebSphere/AppServer/profiles/AppSrv01/logs/ffdc/server1_9d48ffb0_22.03.01_19.02.25.2847681192626960899497.txt com.ibm.ws.security.server.lm.wsMapDefaultInboundLoginModule.login 1114

    This causes a redirection to the login page,

    [3/1/22 19:02:25:306 UTC] 000000ad WebAuthentica < handleRedirect Exit
    Redirecting to a login formhttp://localhost:9080/SSOIDP/login.jsp
    [3/1/22 19:02:25:306 UTC] 000000ad WebAuthentica < authenticate 3 Exit
    AuthenticationResult.REDIRECT

    The ffdc file indicated in the error will contain more details.

    Please ensure that the steps 10 and 11 of https://www.ibm.com/docs/en/was-nd/9.0.5?topic=users-configuring-openid-connect-relying-party were performed. Since the realm from the id_token is KISSRegistry, please ensure this is the realm used in those steps.

    Regards,
    Teddy

    ------------------------------
    Teddy Torres
    ------------------------------



  • 10.  RE: More than one basic registry in WebSphere Liberty

    Posted Wed March 02, 2022 03:35 PM
    Edited by Teddy Torres Wed March 02, 2022 03:35 PM
    Hi,

    The finished Subject after logging in at the OP is using the KISSRegistry realm and therefore it includes it in the realm claim. I need to confirm why the realm name is this one instead of BasicRegistry.

    Regards,
    Teddy


    ------------------------------
    Teddy Torres
    ------------------------------



  • 11.  RE: More than one basic registry in WebSphere Liberty

    Posted Wed March 02, 2022 03:56 PM
    We are reviewing this issue. It appears that the wrong realm was selected for the user when it logged in at the OP.

    Regards,
    Teddy

    ------------------------------
    Teddy Torres
    ------------------------------



  • 12.  RE: More than one basic registry in WebSphere Liberty

    Posted Wed March 02, 2022 04:01 PM
    We reviewed with an SME and all users from the federated repository have the same realm, regardless of what registry they come from. That is why it is always KISSRegistry when a primary realm was not set.

    I will review the traces for when the primary realm was set.

    Regards,
    Teddy


    ------------------------------
    Teddy Torres
    ------------------------------



  • 13.  RE: More than one basic registry in WebSphere Liberty

    Posted Wed March 02, 2022 04:28 PM
    Hi,

    I reviewed the trace.log traces for when the primary realm is specified and the realmName claim is now set to,

    realmName=PrimaryRealm

    Please ensure that the steps 10 and 11 of https://www.ibm.com/docs/en/was-nd/9.0.5?topic=users-configuring-openid-connect-relying-party were performed using this realm.

    Regards,
    Teddy


    ------------------------------
    Teddy Torres
    ------------------------------



  • 14.  RE: More than one basic registry in WebSphere Liberty

    Posted Thu March 03, 2022 07:26 AM
    Hi Teddy,

    with the PrimaryRealm as trusted realm and in the group mappings it works. However, this is not my intended solution. This is the same as inserting all users and groups in the basic repository. I wanted to have two completely separated repositories for different "application families".

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------
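Posts 7, 13 and 14 together pin the problem down to a realm mismatch: once several registries are federated, the subject carries the primaryRealm name (or, with no primaryRealm, whichever realm the server picks), and the RP's trusted-realm and role-mapping entries must use that name rather than the individual registry's realm. The following check is an added example in Python, not part of the thread and not IBM's code. It reads a server.xml constructed for the example and reports each access-id in an application-bnd whose realm part cannot match the subject's realm. Assumptions, also marked in the comments: the access-id format "user:<realm>/<name>" and "group:<realm>/<name>"; that a basicRegistry without a realm attribute is named "BasicRegistry"; and the thread's observation that federated registries share the primaryRealm name.

```python
"""Check that the realm in a Liberty RP's role mappings matches the realm the
registry configuration will actually give the authenticated subject, the
mismatch that posts 7, 13 and 14 of this thread worked through.

Added example, not part of the thread and not IBM's code. Assumptions, also
marked in the comments: the access-id format "user:<realm>/<name>" and
"group:<realm>/<name>" in <application-bnd>; that a basicRegistry without a
realm attribute is named "BasicRegistry"; and the thread's observation that
registries under a federatedRepository share the primaryRealm name. The
server.xml text is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml: two basic registries federated under PrimaryRealm, with one
# role mapping that still names the individual registry's realm (the thread's mistake).
SAMPLE_SERVER_XML = """\
<server>
  <basicRegistry id="sampleApps" realm="SampleApps">
    <user name="Jackson" password="Password"/>
    <user name="Andrea" password="Password"/>
    <group name="TestUsers"><member name="Andrea"/></group>
  </basicRegistry>
  <basicRegistry id="kiss" realm="KISSRegistry">
    <user name="Alice" password="Password"/>
  </basicRegistry>
  <federatedRepository>
    <primaryRealm name="PrimaryRealm">
      <participatingBaseEntry name="o=SampleApps"/>
      <participatingBaseEntry name="o=KISSRegistry"/>
    </primaryRealm>
  </federatedRepository>
  <application location="SSOIDP.war">
    <application-bnd>
      <security-role name="restricted">
        <group name="TestUsers" access-id="group:SampleApps/TestUsers"/>
        <user name="Alice" access-id="user:PrimaryRealm/Alice"/>
      </security-role>
    </application-bnd>
  </application>
</server>
"""


def effective_realm(root):
    """Return (realm, reason). With a federatedRepository/primaryRealm every federated
    user carries that realm (post 13); one basicRegistry keeps its own realm; several
    registries with no primaryRealm are federated under a realm the server picks
    (post 12), which this check reports as undetermined."""
    primary = root.find("./federatedRepository/primaryRealm")
    if primary is not None and primary.get("name"):
        return primary.get("name"), "federatedRepository/primaryRealm"
    # Assumption: "BasicRegistry" is the realm of a basicRegistry with no realm attribute.
    realms = [r.get("realm", "BasicRegistry") for r in root.findall("basicRegistry")]
    if len(realms) == 1:
        return realms[0], "single basicRegistry"
    return None, f"{len(realms)} registries federated without a primaryRealm"


def check_role_mappings(server_xml):
    """Return (effective_realm, problems): one message per access-id in an
    <application-bnd> whose realm part cannot match the subject's realm."""
    root = ET.fromstring(server_xml)
    realm, reason = effective_realm(root)
    problems = []
    for el in root.findall(".//application-bnd//*"):
        access_id = el.get("access-id")
        if el.tag not in ("user", "group") or not access_id:
            continue
        # Assumption: access-id is "<user|group>:<realm>/<name>".
        kind, _, rest = access_id.partition(":")
        mapped_realm, _, name = rest.partition("/")
        if realm is None:
            problems.append(f"{kind} {name}: subject realm undetermined ({reason}); "
                            f"set <primaryRealm> explicitly and use it in access-id")
        elif mapped_realm != realm:
            problems.append(f"{kind} {name}: access-id uses realm '{mapped_realm}' but the "
                            f"subject's realm will be '{realm}' ({reason})")
    return realm, problems


if __name__ == "__main__":
    realm, problems = check_role_mappings(SAMPLE_SERVER_XML)
    print(f"effective realm: {realm}")
    for p in problems:
        print("  -", p)
```

On the sample this flags the TestUsers mapping (realm SampleApps) while accepting the Alice mapping (realm PrimaryRealm), which is the same correction Thomas applied in post 14; it does not check the openidConnectClient trusted-realm settings, which the thread handled separately.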



  • 15.  RE: More than one basic registry in WebSphere Liberty

    Posted Thu March 03, 2022 08:02 AM
    Hi Thomas,

    Wouldn't it be easier to have two different Liberty servers for the two different OAuth providers instead of mixing them in the same server?
    Do you have any limitation to do it?

    Best Regards

    ------------------------------
    MIGUEL ANGEL CAMACHO CABRERA
    ------------------------------



  • 16.  RE: More than one basic registry in WebSphere Liberty

    Posted Thu March 03, 2022 10:57 AM
    Hi Miguel,

    this issue is not so important, because currently I use it only in my local development environment. So I can live with this limitation. I just wondered why this should not be possible, because I can also define different openidConnectProvider entries for different SSO "application families".

    Is it at least possible to configure a baseRepository and a customRepository in the same server?

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------



  • 17.  RE: More than one basic registry in WebSphere Liberty

    Posted Mon March 07, 2022 02:33 AM
    Hello Thomas,

    You can define multiple repositories but they will get federated as if they were just one.

    As far as I know, what you can't do is map an individual repository you are defining to a specific openidConnectProvider.

    Best Regards

    ------------------------------
    MIGUEL ANGEL CAMACHO CABRERA
    ------------------------------



  • 18.  RE: More than one basic registry in WebSphere Liberty

    Posted Mon March 07, 2022 03:25 AM
    Hello Miguel,

    thank you for this clarification. We can live with this limitation, that we can configure only one registry per Liberty OP. I just don't understand why this limitation exists. Perhaps this can be improved in a future release.

    Thank you for your investigations and kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------



  • 19.  RE: More than one basic registry in WebSphere Liberty

    Posted Tue March 01, 2022 12:18 PM
    Hi Thomas,

    Please ensure that each of the basic registries in the RP contains unique entries. If they do, then we can examine the openidConnectClient and openidConnectProvider configurations.

    Regards,
    Teddy

    ------------------------------
    Teddy Torres
    ------------------------------



  • 20.  RE: More than one basic registry in WebSphere Liberty

    Posted Tue March 01, 2022 12:18 PM
    Hi Thomas,

    Do you get access to the restricted page of the RP application when using only one registry? If no, please confirm if you are trying a modified version of https://www.ibm.com/docs/en/was-liberty/nd?topic=uoc-getting-started-configuring-openid-connect-provider-client-in-liberty based on the information provided.

    Regards,
    Teddy

    ------------------------------
    Teddy Torres
    ------------------------------



  • 21.  RE: More than one basic registry in WebSphere Liberty

    Posted Tue March 01, 2022 01:51 PM
    Hi Teddy,

    I can confirm that the Liberty OP works with two other RP applications deployed on a traditional WebSphere in an SSO scenario with only one basic registry.

    Kind regards
    Thomas

    ------------------------------
    Thomas Mayr
    ------------------------------