Monday, November 14, 2011

Security and Authentication in JCA FTP File Adapter

I have set up a Credential Mapping to be able to do an Opaque FTP Put with the JCA FTP Adapter, as documented here

It maps a WebLogic user to an FTP EIS user.

I still get an authentication error:

####<13-Nov-2011 22:26:29 o'clock CET> <Error> <WliSbTransports> <pierrepc> <osb_server1> <[ACTIVE] ExecuteThread: '17' for queue: 'weblogic.kernel.Default (self-tuning)'> <<anonymous>> <BEA1-07F5BFB39FA8A589D5FB> <9218d6466d04a9d6:4f7d3afe:1339e75d3c7:-8000-00000000000000e4> <1321219589928> <BEA-381502> <Exception in JmsInboundMDB.onMessage: com.bea.wli.sb.transports.TransportException: <jca-transport-application-error xmlns="http://www.bea.com/wli/sb/transports/jca">
<jca-transport-error-message>Invoke JCA outbound service failed with application error</jca-transport-error-message>
<jca-runtime-fault-detail>
<eis-error-code>501</eis-error-code>
<eis-error-message>501 Syntax error</eis-error-message>
<exception>com.bea.wli.sb.transports.jca.JCATransportException: oracle.tip.adapter.sa.api.JCABindingException: oracle.tip.adapter.sa.impl.fw.ext.org.collaxa.thirdparty.apache.wsif.WSIFException: servicebus:/WSDL/Phoenix_PurchaseOrder/WriteToWMOS_FTP [ Put_ptt::Put(opaque) ] - WSIF JCA Execute of operation 'Put' failed due to: Error in logging in.
Error in logging in.
Unable to log in to the server.
; nested exception is:
BINDING.JCA-11439
Error in logging in.
Error in logging in.
Unable to log in to the server.
Please ensure userid and password specified to login to the server is correct.

To understand what is going on, I enable the debug flag alsb-jca-framework-adapter-debug, as explained here

All I get is:

Caused by: BINDING.JCA-11439
Error in logging in.
Error in logging in.
Unable to log in to the server.
Please ensure userid and password specified to login to the server is correct.

at oracle.tip.adapter.ftp.FTPClient.regularLogin(FTPClient.java:1630)
at oracle.tip.adapter.ftp.FTPClient.login(FTPClient.java:1593)
at oracle.tip.adapter.ftp.FTPAgent.login(FTPAgent.java:1170)
at oracle.tip.adapter.ftp.FTPAgent.preCall(FTPAgent.java:1632)
at oracle.tip.adapter.ftp.FTPAgent.validateOutputDir(FTPAgent.java:1230)
at oracle.tip.adapter.file.outbound.FileInteraction.validateDirectory(FileInteraction.java:2676)
at oracle.tip.adapter.file.outbound.FileInteraction.executeFileWrite(FileInteraction.java:547)
at oracle.tip.adapter.ftp.outbound.FTPInteraction.execute(FTPInteraction.java:251)
at oracle.tip.adapter.sa.impl.fw.wsif.jca.WSIFOperation_JCA.performOperation(WSIFOperation_JCA.java:529)
... 62 more

and there is no way to log the actual username/password it is using to log in to the FTP server

I am using FileZilla Server: I disable the Miscellaneous / "Don't show password in logs" option and enable logging on the server.

What I find is disconcerting:

(000033) 13-11-2011 21:46:48 - (not logged in) (127.0.0.1)> USER
(000033) 13-11-2011 21:46:48 - (not logged in) (127.0.0.1)> 501 Syntax error

while the normal sequence should be:

(000037) 13-11-2011 21:57:07 - (not logged in) (fe80::5950:1b46:fefe:aa61)> USER someuser
(000037) 13-11-2011 21:57:07 - (not logged in) (fe80::5950:1b46:fefe:aa61)> 331 Password required for someuser
(000037) 13-11-2011 21:57:07 - (not logged in) (fe80::5950:1b46:fefe:aa61)> PASS somepassword
(000037) 13-11-2011 21:57:07 - someuser (fe80::5950:1b46:fefe:aa61)> 230 Logged on

Normally after USER I should see a username; the empty USER means that the mapping fails.
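
The two FileZilla excerpts above carry the whole diagnostic signature: a USER command with no argument, answered by 501 before any password is exchanged. As an added example (not part of the original post), the following Python script parses FileZilla Server log lines, groups them by session and flags the sessions where USER went out empty or the server answered 501 or 530. The embedded log lines are constructed from the excerpts above plus one invented session for a rejected user; the regular expression describing the line layout is my own assumption about the format.

```python
import re
from collections import OrderedDict

# Constructed sample in FileZilla Server log layout: the two sessions from the
# post plus an invented third session (000041) where a user is rejected.
SAMPLE_LOG = """\
(000033) 13-11-2011 21:46:48 - (not logged in) (127.0.0.1)> USER
(000033) 13-11-2011 21:46:48 - (not logged in) (127.0.0.1)> 501 Syntax error
(000037) 13-11-2011 21:57:07 - (not logged in) (fe80::5950:1b46:fefe:aa61)> USER someuser
(000037) 13-11-2011 21:57:07 - (not logged in) (fe80::5950:1b46:fefe:aa61)> 331 Password required for someuser
(000037) 13-11-2011 21:57:07 - (not logged in) (fe80::5950:1b46:fefe:aa61)> PASS somepassword
(000037) 13-11-2011 21:57:07 - someuser (fe80::5950:1b46:fefe:aa61)> 230 Logged on
(000041) 13-11-2011 22:01:10 - (not logged in) (127.0.0.1)> USER weblogic
(000041) 13-11-2011 22:01:10 - (not logged in) (127.0.0.1)> 331 Password required for weblogic
(000041) 13-11-2011 22:01:10 - (not logged in) (127.0.0.1)> PASS ********
(000041) 13-11-2011 22:01:10 - (not logged in) (127.0.0.1)> 530 Login or password incorrect!
"""

# Assumed layout: "(session) date time - who (address)> message"
LINE_RE = re.compile(
    r"^\((?P<session>\d+)\) (?P<ts>\S+ \S+) - (?P<who>.+?) "
    r"\((?P<addr>[^)]+)\)> (?P<msg>.*)$"
)
# A server reply starts with a three-digit code; anything else is a client command.
REPLY_RE = re.compile(r"^(?P<code>\d{3})(?:\s(?P<text>.*))?$")


def parse_line(line):
    """Split one log line into fields; return None if it is not a session line."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    reply = REPLY_RE.match(rec["msg"])
    if reply:
        rec["kind"] = "reply"
        rec["code"] = int(reply.group("code"))
        rec["arg"] = reply.group("text") or ""
    else:
        verb, _, arg = rec["msg"].partition(" ")
        rec["kind"] = "command"
        rec["verb"] = verb.upper()
        rec["arg"] = arg.strip()
    return rec


def audit_logins(text):
    """Group records by session and collect login anomalies for each session."""
    sessions = OrderedDict()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["session"], {"user": None, "findings": []})
        if rec["kind"] == "command" and rec["verb"] == "USER":
            s["user"] = rec["arg"]
            if not rec["arg"]:
                # The signature from the post: no principal was mapped to an EIS user.
                s["findings"].append("USER sent with no username")
        elif rec["kind"] == "reply":
            if rec["code"] == 501:
                s["findings"].append("server replied 501 (syntax error, missing argument)")
            elif rec["code"] == 530:
                s["findings"].append("server rejected the credentials (530)")
    return sessions


if __name__ == "__main__":
    for session, info in audit_logins(SAMPLE_LOG).items():
        status = "; ".join(info["findings"]) or "login ok"
        print(f"session {session}: USER={info['user']!r}: {status}")
```

Run against a real FileZilla log, the sessions with an empty USER are the adapter calls for which no credential was resolved, while 530 sessions point at a mapping that resolved to the wrong account (the commenter's case of "weblogic" reaching the FTP server would show up there).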

The case is reported here

I notice that the log statement reports "anonymous". If you go to Deployments, FtpAdapter, Security, Principal you can set "weblogic" as the principal, and make sure that you also use weblogic in the Credential Mapping. This is not enough.

In the $inbound of the OSB request I notice:

<con:security>
<con:transportClient>
<con:username><anonymous></con:username>
</con:transportClient>
</con:security>

so I create a weblogicServiceAccount for the username weblogic and associate it with the Proxy JMS Service Account (hoping to make the OSB proxy "run as" the weblogic user), but I get this in the logs:

ServiceAccountRuntimeManagerImpl.getUsernamePasswordCredential = this: com.bea.wli.sb.svcacct.ServiceAccountRuntimeManagerImpl@17d3da

Could not find credentials on admin server: java.lang.IllegalArgumentException: com.bea.wli.sb.management.configuration.ServiceAccountRuntime is not an interface

com.bea.wli.sb.svcacct.ServiceAccountRuntimeCache@1e49c6b$ServiceAccountRuntimeCache.get(Acme_PurchaseOrder/weblogicServiceAccount)

ServiceAccountRuntimeCache.get(Acme_PurchaseOrder/weblogicServiceAccount) returned ServiceAccountRuntime[Acme_PurchaseOrder/weblogicServiceAccount]

and the $inbound still shows the anonymous user

Anyway, in the end I do:

Deployments/FtpAdapter/Security/Credential Mapping/New/Unauthenticated User and map it to the FTP user.... it works like magic!

The alternative is to specify a username/password in the JCA Outbound Connection Pool instance properties (there are 55 properties, only 10 shown on the first page; they are in alphabetical order, so you must go to the last page).
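
To see why the Unauthenticated User mapping, and alternatively the pool properties, cure the empty USER, here is an added example (not Oracle's code and not from the original post) that models the adapter's choice of EIS credential and replays the resulting FTP USER/PASS dialogue against a minimal RFC 959-style server. The lookup order in resolve_eis_credential (per-principal mapping, then the Unauthenticated User entry for an anonymous caller, then connection-pool username/password) is an assumption made for the model, as are the account names and passwords.

```python
# Model of the credential resolution described in the post, paired with the
# server side of the FTP login dialogue. Not Oracle's implementation: the
# lookup order below is an assumption made for this model.

ANONYMOUS = "<anonymous>"            # what $inbound/con:username showed in the post
UNAUTHENTICATED = "Unauthenticated User"

# Constructed data: accounts on the FTP server and two credential-mapping variants.
FTP_ACCOUNTS = {"ftpuser": "ftp-secret"}
MAPPING_NO_ANON = {"weblogic": ("ftpuser", "ftp-secret")}
MAPPING_WITH_ANON = {"weblogic": ("ftpuser", "ftp-secret"),
                     UNAUTHENTICATED: ("ftpuser", "ftp-secret")}
POOL_PROPS = {"username": "ftpuser", "password": "ftp-secret"}


def resolve_eis_credential(principal, credential_map, pool_props=None):
    """Return the (user, password) the adapter would present to the FTP server.

    Assumed order: mapping for the WebLogic principal, then the Unauthenticated
    User mapping when the caller is anonymous, then pool properties, else nothing.
    """
    if principal != ANONYMOUS and principal in credential_map:
        return credential_map[principal]
    if principal == ANONYMOUS and UNAUTHENTICATED in credential_map:
        return credential_map[UNAUTHENTICATED]
    if pool_props and pool_props.get("username"):
        return pool_props["username"], pool_props.get("password", "")
    return "", ""   # nothing resolved: USER goes out with an empty argument


class FtpLoginServer:
    """Minimal server side of the FTP login dialogue (RFC 959 reply codes)."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.pending_user = None
        self.logged_in = None

    def handle(self, command, arg):
        if command == "USER":
            if not arg:                       # the 501 seen in the FileZilla log
                return "501 Syntax error"
            self.pending_user = arg
            return f"331 Password required for {arg}"
        if command == "PASS":
            if self.pending_user is None:
                return "503 Login with USER first"
            if self.accounts.get(self.pending_user) == arg:
                self.logged_in = self.pending_user
                return "230 Logged on"
            self.pending_user = None
            return "530 Login or password incorrect!"
        return "502 Command not implemented"


def login_exchange(principal, credential_map, accounts, pool_props=None):
    """Replay the login the adapter would attempt; return (transcript, logged-in user)."""
    user, password = resolve_eis_credential(principal, credential_map, pool_props)
    server = FtpLoginServer(accounts)
    transcript = []
    reply = server.handle("USER", user)
    transcript.append((f"USER {user}".rstrip(), reply))
    if reply.startswith("331"):
        reply = server.handle("PASS", password)
        transcript.append(("PASS ********", reply))   # never log the real password
    return transcript, server.logged_in


if __name__ == "__main__":
    scenarios = [
        ("anonymous caller, no Unauthenticated User mapping", (ANONYMOUS, MAPPING_NO_ANON, FTP_ACCOUNTS)),
        ("anonymous caller, Unauthenticated User mapped", (ANONYMOUS, MAPPING_WITH_ANON, FTP_ACCOUNTS)),
        ("weblogic principal mapped", ("weblogic", MAPPING_NO_ANON, FTP_ACCOUNTS)),
        ("anonymous caller, pool properties set", (ANONYMOUS, MAPPING_NO_ANON, FTP_ACCOUNTS, POOL_PROPS)),
    ]
    for label, args in scenarios:
        transcript, who = login_exchange(*args)
        print(f"{label}: logged in as {who!r}")
        for cmd, reply in transcript:
            print(f"  > {cmd}\n  < {reply}")
```

The first scenario reproduces the log in the post: an anonymous caller and no Unauthenticated User entry, so USER is sent with no argument and the server answers 501 before any password is exchanged. Note what the fix trades: mapping Unauthenticated User hands the FTP account to every request that reaches the adapter without a WebLogic identity, so that FTP account should be confined to the directory the Put needs; the pool-property alternative has the same reach but keeps the secret in the connection pool configuration instead of the credential mapper.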

One day I will figure out how to attach a WebLogic principal to an incoming JMS request... security has always been my Achilles' heel

1 comment:

Unknown said...

Hi PIERLUIGI VERNETTO,

I have come across your blog and found that the issue mentioned here is quite similar to the issue we are in right now.

We are using the FTP SyncRead operation to read a file from the FTP location in binary format, and we have created the credential mapping where the WLS user is weblogic, with the EIS user and EIS password, but we are observing that some SOA instances are able to log in to FTP and read the file, while some other SOA instances are using weblogic to log in to the FTP server, and we are getting the below error in the logs:

Caused by: BINDING.JCA-11439
Error in logging in.
Error in logging in.
Unable to log in to the server.
Please ensure userid and password specified to login to the server is correct.

at oracle.tip.adapter.ftp.FTPClient.regularLogin(FTPClient.java:1630)
at oracle.tip.adapter.ftp.FTPClient.login(FTPClient.java:1593)
at oracle.tip.adapter.ftp.FTPAgent.login(FTPAgent.java:1170)
at oracle.tip.adapter.ftp.FTPAgent.preCall(FTPAgent.java:1632)
at oracle.tip.adapter.ftp.FTPAgent.validateOutputDir(FTPAgent.java:1230)
at oracle.tip.adapter.file.outbound.FileInteraction.validateDirectory(FileInteraction.java:2676)
at oracle.tip.adapter.file.outbound.FileInteraction.executeFileWrite(FileInteraction.java:547)
at oracle.tip.adapter.ftp.outbound.FTPInteraction.execute(FTPInteraction.java:251)
at oracle.tip.adapter.sa.impl.fw.wsif.jca.WSIFOperation_JCA.performOperation(WSIFOperation_JCA.java:529)
... 62 more

Also, it is not desired that weblogic should be sent to the FTP server as the username for login, as it is a WLS user and on the FTP server side there is no user weblogic. The behaviour is also not uniform and there is no pattern.

Please advise us on this issue.

Thanks,
Harender Singh